I remade the containercert and that fixed the problem. The DN now matches:

>grid-cert-info -file ~/globus/grid-security/containercert.pem -subject
/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=host/cammcc.proteowizrd.org

Thanks for the help.

Roland

On Wed, 2008-08-20 at 09:25 -0500, Charles Bacon wrote:
> On Aug 19, 2008, at 5:10 PM, Roland Luethy wrote:
>
> >
> >> grid-cert-info -subject
> > /O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/OU=proteowizrd.org/CN=Roland Luethy
> >
> >> grid-cert-info -file ~/globus/grid-security/containercert.pem -subject
> > /O=Grid/OU=Cedars-Sinai/OU=cammcc.proteowizrd.org/CN=host/cammcc.proteowizrd.org
>
> What was the -issuer for the containercert? If it was signed by your
> simpleCA, that's going to be the policy violation. The DN here does
> not match the "cond_subjects" in the signing policy.
>
>
> Charles
>
> >> grid-cert-info -file ~/globus/grid-security/containercert.pem -issuer
> > /O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=Globus Simple CA
> >
> >> cat ~/globus/grid-security/certificates/d71d2598.signing_policy | tail -10
> > #--------------| ---------------|-----------------------------------------
> > # EACL entry #1|
> >
> > access_id_CA X509 '/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=Globus Simple CA'
> >
> > pos_rights globus CA:sign
> >
> > cond_subjects globus '"/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/*"'
> >
> > # end of EACL
> >
> >
> > On Tue, 2008-08-19 at 16:56 -0500, Charles Bacon wrote:
> >> For the client: grid-cert-info -subject
> >> For the server: grid-cert-info -file /etc/grid-security/containercert.pem -subject
> >>
> >> -issuer will give you the name of the issuer. Then you can use
> >> grid-cert-info -subject on the various .0 files in /etc/grid-security to
> >> find the one that matches. Then the signing_policy file will have
> >> some regexps of what the CA is allowed to sign.
> >>
> >>
> >> Charles
> >>
> >> On Aug 19, 2008, at 4:47 PM, Roland Luethy wrote:
> >>
> >>> OK. I installed 4.0.8 and tried again. globusrun-ws still gives the
> >>> same error message. The error in the server log is now:
> >>>
> >>> 2008-08-19 14:41:20,978 ERROR container.ServiceThread [ServiceThread-76,run:297] Unexpected error during request processing
> >>> java.lang.NullPointerException
> >>>     at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:151)
> >>>     at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
> >>>
> >>> How do I find the DN on the server and client sides?
> >>>
> >>> Thanks
> >>>
> >>> Roland
> >>>
> >>> On Tue, 2008-08-19 at 13:00 -0500, Charles Bacon wrote:
> >>>> Is it possible to upgrade to 4.0.8? I believe the diagnostics
> >>>> should improve for the policy violation, or it should just be fixed.
> >>>>
> >>>> If you can't upgrade, it sounds like one of the signing policies in
> >>>> use does not correspond to the subject name being presented. In
> >>>> which case, I'd be interested in the DN on the server and client
> >>>> sides, as well as the signing_policy of the corresponding CA.
> >>>>
> >>>>
> >>>> Charles
> >>>>
> >>>> On Aug 19, 2008, at 12:24 PM, Roland Luethy wrote:
> >>>>
> >>>>> Hi all,
> >>>>>
> >>>>> we are trying to use globus for a project and are having problems
> >>>>> with authorization when submitting jobs. There are several caveats
> >>>>> with our installation: it is a nonroot installation, version 4.0.6,
> >>>>> on a system with an older globus installation. We removed all
> >>>>> environment variables referring to the older version and set the
> >>>>> GLOBUS_PATH, GLOBUS_LOCATION, GRID_SECURITY_DIR, X509_CERT_DIR and
> >>>>> GRIDMAP variables to point to our files.
> >>>>>
> >>>>> When submitting a job we get the following error:
> >>>>>
> >>>>>> globusrun-ws -submit -f gramtest -dbg
> >>>>> Submitting job...Failed.
> >>>>> globusrun-ws: Error submitting job
> >>>>> globus_gsi_callback_module: Could not verify credential
> >>>>> globus_gsi_callback_module: Error with signing policy
> >>>>> globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given>
> >>>>>
> >>>>> The corresponding error from the globus server is this:
> >>>>>
> >>>>> 2008-08-19 10:19:23,495 ERROR container.GSIServiceThread [ServiceThread-20,process:147] Error processing request
> >>>>> java.io.EOFException
> >>>>>     at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
> >>>>>     at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
> >>>>>     at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:122)
> >>>>>     at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:142)
> >>>>>     at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
> >>>>>     at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:99)
> >>>>>     at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
> >>>>>
> >>>>>
> >>>>> Any help is highly appreciated.
> >>>>>
> >>>>> Thanks
> >>>>>
> >>>>> Roland Luethy
> >>>>>
> >
> >
> > IMPORTANT WARNING: This message is intended for the use of the
> > person or entity to which it is addressed and may contain
> > information that is privileged and confidential, the disclosure of
> > which is governed by applicable law. If the reader of this message
> > is not the intended recipient, or the employee or agent responsible
> > for delivering it to the intended recipient, you are hereby notified
> > that any dissemination, distribution or copying of this information
> > is STRICTLY PROHIBITED.
> >
> > If you have received this message in error, please notify us
> > immediately by calling (310) 423-6428 and destroy the related
> > message. Thank You for your cooperation.
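
The check discussed in this thread (does the certificate's subject DN fall under the issuing CA's `cond_subjects`?) can be reproduced offline. The following is an added example, not part of the original messages and not Globus code: the function names are hypothetical, the sample policy is the EACL entry quoted above with its mail-wrapped lines rejoined, and matching is simplified to `*` wildcards on positive `CA:sign` entries only.

```python
import re

# Constructed sample: the EACL entry quoted in the thread, wrapped lines rejoined.
SIGNING_POLICY = """\
# EACL entry #1|
access_id_CA X509 '/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=Globus Simple CA'
pos_rights globus CA:sign
cond_subjects globus '"/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/*"'
# end of EACL
"""

def parse_signing_policy(text):
    """Return {ca_dn: [subject patterns]} for CAs that are granted CA:sign."""
    policy, ca, may_sign = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip comments and blank lines
        m = re.match(r"(\S+)\s+(\S+)\s+(.*)$", line)
        if not m:
            continue
        key, _authority, value = m.groups()
        value = value.strip()
        if key == "access_id_CA":
            ca, may_sign = value.strip("'"), False
            policy.setdefault(ca, [])
        elif key == "pos_rights" and value == "CA:sign":
            may_sign = True
        elif key == "cond_subjects" and ca and may_sign:
            inner = value.strip("'")
            # One or more double-quoted patterns inside the single quotes.
            policy[ca].extend(re.findall(r'"([^"]*)"', inner) or [inner])
    return policy

def subject_allowed(policy, issuer_dn, subject_dn):
    """True if issuer_dn may sign subject_dn; unknown issuers are denied."""
    for pattern in policy.get(issuer_dn, []):
        # Assumption: only '*' is a wildcard; everything else is literal.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, subject_dn):
            return True
    return False

if __name__ == "__main__":
    ca = "/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=Globus Simple CA"
    pol = parse_signing_policy(SIGNING_POLICY)
    for dn in ("/O=Grid/OU=Cedars-Sinai/OU=cammcc.proteowizrd.org/CN=host/cammcc.proteowizrd.org",
               "/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=host/cammcc.proteowizrd.org"):
        print("OK  " if subject_allowed(pol, ca, dn) else "DENY", dn)
```

Run against the two container certificate subjects from the thread, the original `OU=Cedars-Sinai` DN is denied and the reissued `OU=GlobusTest/OU=simpleCA-...` DN is accepted.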
