Joel,

One recommended resource is the OGF Grid Certificate Profile: http://www.ogf.org/documents/GFD.125.pdf
The International Grid Trust Federation (http://www.gridpma.org/) also has profile documents and a community of CA operators whose experience may be helpful regarding grid CA configuration.
An EOFException on the client side indicates to me that the server aborted the connection, so I suggest trying to enable logging on the server side to diagnose the problem.
-Jim

Joel Schneider wrote:
For its certificate authority (CA), our institution is using Microsoft Certificate Services (MSCS) in its production environment. Our intention is to use this CA to issue certificates for use with Globus.

Microsoft Certificate Services uses "Certificate Templates" to define the attributes for certificate types. Below is a link to an article about Windows 2000 Certificate Services (hopefully still relevant) which covers the topic of Certificate Templates:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dscj_mcs_gfrr.mspx

With a client-side (user) certificate issued using the "Web Server" certificate template, I am able to establish a TLS based secure connection with a Globus service running under Java WS Core 4.0.5. However, it appears the TLS connection fails when attempting to connect with the same service running under Java WS Core 4.0.7. When this happens, the client-side error message looks like this (nothing is logged on the server side):

AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode:
 faultString: java.io.EOFException
 faultActor:
 faultNode:
 faultDetail:
    {http://xml.apache.org/axis/}stackTrace:java.io.EOFException
    at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
    at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
    at org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:110)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:140)
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2745)
    at org.apache.axis.client.Call.invoke(Call.java:2728)
    at org.apache.axis.client.Call.invoke(Call.java:2405)
    at org.apache.axis.client.Call.invoke(Call.java:2327)
    at org.apache.axis.client.Call.invoke(Call.java:1767)
    at net.agnis.grid.stubs.bindings.FormHandlerPortTypeSOAPBindingStub.ping(FormHandlerPortTypeSOAPBindingStub.java:1354)
    at net.agnis.grid.client.FormHandlerClient.ping(FormHandlerClient.java:396)
    at net.agnis.grid.client.PingClient.main(PingClient.java:84)
...
java.io.EOFException
    at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2745)
    at org.apache.axis.client.Call.invoke(Call.java:2728)
    at org.apache.axis.client.Call.invoke(Call.java:2405)
    at org.apache.axis.client.Call.invoke(Call.java:2327)
    at org.apache.axis.client.Call.invoke(Call.java:1767)
    at net.agnis.grid.stubs.bindings.FormHandlerPortTypeSOAPBindingStub.ping(FormHandlerPortTypeSOAPBindingStub.java:1354)
    at net.agnis.grid.client.FormHandlerClient.ping(FormHandlerClient.java:396)
    at net.agnis.grid.client.PingClient.main(PingClient.java:84)
Caused by: java.io.EOFException
    at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
    at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
    at org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:110)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:140)
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
    ... 12 more

The service is configured to use GSITransport, and to reject anonymous access:

<auth-method>
  <GSITransport>
    <protection-level>
      <privacy />
    </protection-level>
  </GSITransport>
</auth-method>

<ns1:defaultCommunicationMechanism anonymousPermitted="false" xsi:type="ns1:CommunicationMechanism">
  <ns1:GSITransport protectionLevel="privacy" xsi:type="ns1:GSITransport"/>
</ns1:defaultCommunicationMechanism>

Questions:

1) Has something in Java WS Core (or cog-jglobus?) changed between 4.0.5 and 4.0.7 which would cause it to no longer accept the client-side ("Web Server" template) certificate we created using Microsoft Certificate Services?

2) Is there documentation available which I could show our MSCS administrators, to describe the certificate attributes required for interoperability with Globus? Maybe something like this (?):

[ v3_req ]
basicConstraints = critical,CA:false
keyUsage = keyAgreement,dataEncipherment,keyEncipherment,digitalSignature
extendedKeyUsage = serverAuth,clientAuth,codeSigning,emailProtection,timeStamping

3) Is there any existing Microsoft Certificate Service "Certificate Template" available which can be used to create a user certificate compatible with Globus? (Template for host cert also needed?)

Help with this problem would be much appreciated.

Best regards,
Joel
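The shell functions below are an added example, not part of either message and not Globus or Microsoft tooling. They build a throwaway self-signed certificate with the [ v3_req ] values from Joel's message, plus a second one limited to serverAuth for contrast, and read back the basicConstraints, keyUsage and extendedKeyUsage that openssl reports; the file names, subject DN and function names are made up for the example.

```shell
#!/bin/sh
# Added example: names and subject DN are made up; [ v3_req ] is from the message.

make_test_cert() {
    # $1 = output prefix, $2 = extendedKeyUsage list. Writes $1.pem.
    cat > "$1.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_req
[ dn ]
O = Example Grid
CN = Test User
[ v3_req ]
basicConstraints = critical,CA:false
keyUsage = keyAgreement,dataEncipherment,keyEncipherment,digitalSignature
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

ext_value() {
    # Print the value line of the extension named $2 in certificate $1.
    openssl x509 -in "$1" -noout -text |
        awk -v name="$2" 'index($0, name) { getline; sub(/^ +/, ""); print; exit }'
}

has_usage() {
    # $1 = certificate, $2 = extension name, $3 = usage as openssl prints it.
    case "$(ext_value "$1" "$2")" in *"$3"*) return 0 ;; esac
    return 1
}

report() {
    # Summarise the three extensions discussed in the message for cert $1.
    for ext in "X509v3 Basic Constraints" "X509v3 Key Usage" \
               "X509v3 Extended Key Usage"; do
        printf '%s: %s\n' "$ext" "$(ext_value "$1" "$ext")"
    done
}

# Demo on constructed certificates in a temporary directory.
tmp=$(mktemp -d)
make_test_cert "$tmp/full" "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping"
make_test_cert "$tmp/srv" "serverAuth"
report "$tmp/full.pem"
has_usage "$tmp/srv.pem" "X509v3 Extended Key Usage" "TLS Web Client Authentication" ||
    echo "srv.pem: clientAuth not listed"
rm -rf "$tmp"
```

Running report against the certificate actually issued by the CA shows which of these usages it asserts.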
