I think %HOME%\.globus\certificates is where certs would go, not just
under .globus itself. Then again, I would have expected
$GL/share/certificates to work. Does the version of grid-proxy-init you get
have a verification option? That should at least show you what it's
using for a Trusted CA directory. Also, if you have a
.globus/cog.properties file, it could be interfering with the ordinary search
order.
Charles
On Nov 18, 2008, at 8:59 AM, Sandra Jimenez Doval wrote:
Dear all,
I’m struggling to configure GT4 security in Windows. I am using
GT4.0.8 Java WS Core as standalone container, and I’d like to use
Message Level Security – GSI Secure Conversation in order to use
OGSA-DAI’s GridFTP activities.
I configured the trusted CA, putting the <CAhash>.0 and
<CAhash>.signing_policy files at %USERPROFILE%\.globus.
My hostkey.pem and hostcert.pem, which was signed by the CA, are
located there as well.
I configured the grid-mapfile and created a proxy with
grid-proxy-init with the host certificate.
I’ve configured the global_security_descriptor.xml as well as the
different services security descriptor files following the OGSA-DAI
admin documentation.
I started the globus container with “globus-start-container -nosec”.
However, when I run my client I get the following exception:
[1227008425909:0] uk.org.ogsadai.client.tookit.RESOURCE_COMMS_ERROR
:http://localhost:8080/wsrf/services/dai/DataRequestExecutionService/DataRequestExecutionResource
; nested exception is:
org.globus.common.ChainedIOException: Authentication failed
[Caused by: Failure unspecified at GSS-API level [Caused by: Unknown
CA]]
Authentication failed [Caused by: Failure unspecified at GSS-API
level [Caused by: Unknown CA]]
Following the OGSA-DAI admin documentation, I’ve tried putting the
CA files at other locations (%GLOBUS_LOCATION%\share\certificates),
and to configure the X509_CERT_DIR environment variable.
What did I do wrong? I believe that the problem is more with GT4
security configuration than with OGSA-DAI configuration… What else
should I check? What else can I try?
Thanks a lot in advance for any hint, help or advice!
Best,
Sandra
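
An added diagnostic, not part of the original thread and not Globus code: it lists which of the trusted-CA locations mentioned above actually hold a paired <CAhash>.0 and <CAhash>.signing_policy, and reports any CA directory set in .globus/cog.properties. Assumptions: CA hashes are eight hex digits, the cog.properties key is named cacert, and the directories are checked in no particular order (this is not GT4's real search order).

```python
import os
import re
from pathlib import Path

CERT_NAME = re.compile(r"^([0-9a-f]{8})\.\d+$", re.I)  # assumed form, e.g. 1a2b3c4d.0
POLICY_SUFFIX = ".signing_policy"

def candidate_dirs(env, home):
    """Locations named in this thread, in no particular order (an assumption)."""
    dirs = [Path(home) / ".globus" / "certificates", Path(home) / ".globus"]
    if env.get("GLOBUS_LOCATION"):
        dirs.append(Path(env["GLOBUS_LOCATION"]) / "share" / "certificates")
    if env.get("X509_CERT_DIR"):
        dirs.append(Path(env["X509_CERT_DIR"]))
    return dirs

def audit_ca_dir(directory):
    """Map each CA hash to which of its two files exist; None if the directory is missing."""
    directory = Path(directory)
    if not directory.is_dir():
        return None
    found = {}
    for entry in directory.iterdir():
        match = CERT_NAME.match(entry.name)
        if match:
            key, kind = match.group(1).lower(), "cert"
        elif entry.name.endswith(POLICY_SUFFIX):
            key, kind = entry.name[:-len(POLICY_SUFFIX)].lower(), "signing_policy"
        else:
            continue  # hostcert.pem, cog.properties, subdirectories, ...
        found.setdefault(key, {"cert": False, "signing_policy": False})[kind] = True
    return found

def cog_cacert(home):
    """Return the cacert value from .globus/cog.properties, or None (key name assumed)."""
    props = Path(home) / ".globus" / "cog.properties"
    if not props.is_file():
        return None
    for line in props.read_text(errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "cacert":
            return value.strip()
    return None

if __name__ == "__main__":
    home = os.environ.get("USERPROFILE") or os.path.expanduser("~")
    print("cog.properties cacert:", cog_cacert(home))
    for d in candidate_dirs(os.environ, home):
        print(d, "->", audit_ca_dir(d))
```

A hash that shows a cert but no signing_policy (or the reverse), or that only appears under .globus rather than .globus\certificates, is the first thing to correct before retrying.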