Hi All,

While trying to develop a GridFTP server using Java I am stuck with a
GSSAPI/GSI related issue. I have basic knowledge of security and PKI
concepts.

As per the RFC 2228, during the ADAT exchange, my GridFTP server code
is generating the following exception:

Defective credential detected.
Caused by org.globus.gsi.proxy.ProxyPathValidatorException:
"/O=Grid/OU=GlobusTest/OU=simpleCA-mydomain.internet/OU=internet/CN=Soyuz"
violates the signing policy defined for CA
"/O=Grid/OU=GlobusTest/OU=simpleCA-soyuz-laptop.mydomain.internet/CN=Globus
Simple CA" in file
"/usr/local/globus-4.2.1.1/share/certificates/577f8148.signing_policy"

Before providing the code snippets, let me present the setup/environment I have:

1. Everything (server, client) is hosted on a single box (Ubuntu Linux)
with no static IP. But I have configured the FQDN for the box (using
hosts) to be "soyuz-laptop.mydomin.internet" (127.0.1.1)
2. Installed Globus Toolkit 4.2.1 as Globus user (as per Globus
documentation). Later I realised that I could have done without
installing the whole of Globus.
3. Installed simpleCA: cn=Globus Simple CA,
ou=simpleCA-soyuz-laptop.mydomain.internet, ou=GlobusTest, o=Grid
    GSI Security was configured successfully (Trusted Certs Dir:
/usr/local/globus-4.2.1.1//share/certificates/ )

    Following certificates were issued, signed and installed:

    Host certificate:
/O=Grid/OU=GlobusTest/OU=simpleCA-mydomain.internet/CN=host/soyuz-laptop.mydomain.internet
    User certificate:
/O=Grid/OU=GlobusTest/OU=simpleCA-mydomain.internet/OU=internet/CN=Soyuz
    Note that this is the user that I use to develop/run code.

4. Installed JGlobus, pointing it to the user certificate path for Soyuz
and the CA cert path: /usr/local/globus-4.2.1.1//share/certificates/

Now, coming to the code snippets:

The GridFTP client I am using can be obtained from http://bi.offis.de/gridftp/

For the server: Using the guideline provided in Appendix I
(Specification under the GSSAPI) of RFC 2228

During the server initialisation I do the following:

    GSSManager manager = new GlobusGSSManagerImpl();
    ExtendedGSSContext context =
        (ExtendedGSSContext) manager.createContext((GSSCredential) null);
    _gssContext = context; // Save the context for later use

And, in my ADAT command handler, I have:

    GSSContext gssCntx = sessionObj.SecurityService().gsiContecxt();
    byte[] replyToken = null;
    try {
        // where adatData is the token carried by the ADAT command
        // (decoded from Base64 encoding)
        replyToken = gssCntx.acceptSecContext(adatData, 0, adatData.length);
    } catch (Throwable e) {
        System.out.println("Context Exception.");
        e.printStackTrace();
    }


While I need to move past the exception and see the context
established, I had thought that the server should be using the host
certificate (which has not been used in this scenario) as its
credential.

Finally, thanks for your patience!

Any help appreciated. I am in desperate need of a way forward.

Regards,

Mohammad


Mohammad Bhuyan
+61 4 13324850
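
The exception above reports that a certificate subject falls outside what the CA's signing_policy file permits. The following is an added example, not part of the original post and not JGlobus code: it parses a signing policy's cond_subjects entries and tests subject DNs against them. The policy text is constructed (the post does not show the real file), its cond_subjects value is an assumption, the class and method names are hypothetical, and only the '*' wildcard is handled.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SigningPolicyCheck {
    // Constructed policy; assumption: cond_subjects covers only the CA's own OU namespace.
    static final String POLICY = String.join("\n",
        "access_id_CA   X509    '/O=Grid/OU=GlobusTest/OU=simpleCA-soyuz-laptop.mydomain.internet/CN=Globus Simple CA'",
        "pos_rights     globus  CA:sign",
        "cond_subjects  globus  '\"/O=Grid/OU=GlobusTest/OU=simpleCA-soyuz-laptop.mydomain.internet/*\"'");

    // Collect patterns from cond_subjects lines (single-quoted value, optionally several double-quoted patterns).
    static List<String> allowedSubjects(String policy) {
        List<String> patterns = new ArrayList<>();
        for (String raw : policy.split("\\R")) {
            String line = raw.trim();
            int a = line.indexOf('\''), b = line.lastIndexOf('\'');
            if (!line.startsWith("cond_subjects") || b <= a) continue;
            String value = line.substring(a + 1, b);
            Matcher m = Pattern.compile("\"([^\"]+)\"").matcher(value);
            int before = patterns.size();
            while (m.find()) patterns.add(m.group(1));
            if (patterns.size() == before) patterns.add(value.trim()); // no inner quotes
        }
        return patterns;
    }

    // Match a DN against one pattern; '*' is a wildcard, everything else is literal.
    static boolean permits(String pattern, String subjectDn) {
        StringBuilder re = new StringBuilder();
        for (String part : pattern.split("\\*", -1)) {
            if (re.length() > 0) re.append(".*");
            re.append(Pattern.quote(part));
        }
        return Pattern.matches(re.toString(), subjectDn);
    }

    public static void main(String[] args) {
        List<String> allowed = allowedSubjects(POLICY);
        String[] subjects = {
            "/O=Grid/OU=GlobusTest/OU=simpleCA-mydomain.internet/OU=internet/CN=Soyuz",  // user DN from the post
            "/O=Grid/OU=GlobusTest/OU=simpleCA-mydomain.internet/CN=host/soyuz-laptop.mydomain.internet",  // host DN from the post
            "/O=Grid/OU=GlobusTest/OU=simpleCA-soyuz-laptop.mydomain.internet/OU=internet/CN=Soyuz" };  // constructed, for contrast
        for (String dn : subjects) {
            boolean ok = allowed.stream().anyMatch(p -> permits(p, dn));
            System.out.println((ok ? "PERMITTED " : "VIOLATES  ") + dn);
        }
    }
}
```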