I forgot to mention that I also did upgrade following jars and problem
still exists
cog-jglobus-1.5.0.jar cog-url-1.5.0.jar cryptix32.jar
cryptix.jar jgss.jar log4j-1.2.15.jar
cog-jobmanager-1.5.0.jar commons-logging-1.1.jar cryptix-asn1.jar
jce-jdk13-131.jar junit.jar puretls.jar
cog-jglobus-1.5.0.jar is the one that has the "GssSocketFactory" class
that I believe is used to do the handshake
-Neha
On Aug 14, 2008, at 11:22 AM, Neha Sharma wrote:
Hi
I tried debugging this issue on client side, but no luck so far.
So, I decided to figure out the hang on Server Side (in Java)
This is what is happening on server side: (I have included relevant
code)
- once server receives request from client, it gets out of the
accept() method call and forks a client thread (passes the socket as
an argument)
server = new ServerSocket(port);
socket = server.accept();
sazInit=new SAZInit(socket,confObject);
SAZClientThread sazClientThread=new SAZClientThread(sazInit);
sazClientThread.start();
- within this client thread, the first thing it does is obtain an
ExtendedGSSContext (using the servers host cert and host key) and
passes it as an argument to another function "getGsiServerSocket " .
I have attached file called ANAM.java which contains these functions.
context
=
anamObject
.getGsiServerContext
(confObject.SAZ_SERVER_CERT,confObject.SAZ_SERVER_KEY);
clientSocket = anamObject.getGsiServerSocket(clientSocket,context);
I believe handshake is being done by function "getGsiClientSocket",
(Socket clientSocket =
GssSocketFactory.getDefault().createSocket(host, port, context);)
- then it tries to obtain a input and output stream using this
client socket. This is where it hangs...
the code which does this is :
rwSocket=new ReadWriteSocket(clientSocket);
and I have attached file called ReadWriteSocket.java.
Basically this is what the constructor is doing..
public ReadWriteSocket(Socket clientSocket){
this.clientSocket=clientSocket;
try{
in=clientSocket.getInputStream();
out=clientSocket.getOutputStream();
reader =new BufferedReader(new
InputStreamReader(in));
writer=new PrintStream(out);
din=new DataInputStream(in);
dout=new DataOutputStream(out);
}catch(IOException e){
System.out.println("Exception "+e);
}
}
The code hangs on the getInputStream() function...
I have also tested that if I just try to get input and output stream
from the socket object (when it gets created by server and is passed
to the thread before globus libraries are used), i can get them.
So obviously globus libraries are modifying the client socket in a
way that is causing the problem in case of proxy delegated 5 times
and above..
At this stage, I am not sure what else I can try at my end and am
looking forward for any support from the Globus folks..
If you need any other information, please let me know
-Neha
<ANAM.java><ReadWriteSocket.java>
On Jul 31, 2008, at 11:40 AM, Charles Bacon wrote:
Though the bug references just one commit, it was part of a larger
set of commits:
http://www.globus.org/mail_archive/csec-commit/2007/06/threads.html
You'll need all three - the first one just adds the constant, but
the next two are what actually pass the constant into the openssl
commands to set the verify depth.
Charles
On Jul 31, 2008, at 11:24 AM, Neha Sharma wrote:
Thanks Charles.
Looks like I should be able to test this fix by defining
#define GLOBUS_GSI_CALLBACK_VERIFY_DEPTH 100
in the globus_gsi_callback_constants.h file
and rebuilding globus
I will try it out and let you know how it goes..
-Neha
On Jul 31, 2008, at 10:26 AM, Charles Bacon wrote:
Openssl comes with a default "maximum depth" of a PKI chain it
supports. That includes the CA and RA (if applicable). I
suspect you might be hitting GT4.0.x's depth limit of 9. If
you're using a CA+RA+Usercert+5 proxy, you might not be allowed
to submit with delegation anymore because the delegation would
take you to the depth limit.
It's a compiled-in limit that you can change. I believe we had a
bug open about the max depth ... yep, it's http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=4994
. It should be fixed in 4.2 to be 100 instead. You can probably
take that patch back to 4.0.x if you need the limit increased
there too.
Charles
On Jul 31, 2008, at 9:52 AM, Neha Sharma wrote:
Hi All
I am wondering if someone can provide me with some information
about the Globus function "globus_gss_assist_init_sec_context"
We have an authorization service and this globus function is
used for performing handshake between the service and the client.
We observed that as long as the proxy is delegated up to 4
times, so that the DN is of form :
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/
CN=UID:neha
or
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/
CN=UID:neha/CN=proxy
or
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/
CN=UID:neha/CN=proxy/CN=proxy
or
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/
CN=UID:neha/CN=proxy/CN=proxy/CN=proxy
or
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/
CN=UID:neha/CN=proxy/CN=proxy/CN=proxy/CN=proxy
everything works fine.
However, if it is delegated 5th time and above, so that the DN
in the proxy now has an extra "CN=proxy" , the client hangs on
the handshake.
(The DN looks like:
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/
CN=UID:neha/CN=proxy/CN=proxy/CN=proxy/CN=proxy/CN=proxy)
The complete handshake function that is being used is below.
As you can see, all it does is invoke the globus function
"lobus_gss_assist_init_sec_context"
So, I am wondering if there is some kind of limitation in this
globus function, such as maximum length of user proxy or DN
int handshake(gss_cred_id_t credential_handle){
OM_uint32 ret_flags=0;
major_status =
globus_gss_assist_init_sec_context(&minor_status,
credential_handle,
&global_context_handle,
"GSI-NO-
TARGET",
//
GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG,
GSS_C_MUTUAL_FLAG,
&ret_flags,
&token_status,
globus_gss_assist_token_get_fd,
(void *)
socket_in_out_file,
globus_gss_assist_token_send_fd,
(void *)
socket_in_out_file);
if(major_status != GSS_S_COMPLETE){
logerr("Handshake Failed... major_status !=
GSS_S_COMPLETE");
return(GSS_FAILED_HANDSHAKE);
}
return(GSS_SUCCESS);
}
Thanks
-Neha
