Before redoing everything let me ask a more fundamental question. All the documentation I've read so far says that grid-cert-request needs to be run as root. Is that strictly the case? I only have sudo on the test machines I'm using. I have been creating the *.pem files and then moving them to /etc/grid-security.
Hoot

On 8/31/10 3:20 PM, "Michael Link" <[email protected]> wrote:

> Is that with a different hostcert.pem and the original hostkey.pem? If
> you recreate the cert you need to also copy the new key.
>
> Mike
>
> On Tue 8/31/2010 2:00 PM, Hoot Thompson wrote:
>> Well that got rid of that error message, on to the next one......
>>
>> [h...@i7test3 ~]$ $GLOBUS_LOCATION/bin/globus-url-copy -vb
>> file:/i7raid/hoot/file_12GB gsiftp://192.168.1.13/i7raid/hoot/file_12GB
>> Source: file:/i7raid/hoot/
>> Dest: gsiftp://192.168.1.13/i7raid/hoot/
>> file_12GB
>>
>> error: globus_ftp_client: the server responded with an error
>> 530 530-globus_xio: Server side credential failure
>> 530-globus_gsi_gssapi: Error with gss credential handle
>> 530-globus_gsi_gssapi: Error with openssl: Couldn't set the private key
>> to be used for the SSL context
>> 530-OpenSSL Error: x509_cmp.c:398: in library: x509 certificate
>> routines, function X509_check_private_key: key values mismatch
>> 530 End.
>>
>> -----Original Message-----
>> *From*: Michael Link <[email protected]>
>> *To*: Hoot Thompson <[email protected]>
>> *Cc*: Prakash Velayutham <[email protected]>, [email protected]
>> *Subject*: Re: [gt-user] Stripe mode over multiple links between two servers
>> *Date*: Tue, 31 Aug 2010 13:54:53 -0500
>>
>> Are you running the server as root? If not, it can't use the host cert,
>> and you'll see the error you're getting.
>>
>> You'll also need to recreate the host cert with the full hostname.
>>
>> Mike
>>
>> On Tue 8/31/2010 12:01 PM, Hoot Thompson wrote:
>>> Here's what's in the hostcert_request.pem
>>>
>>> Certificate Subject:
>>>
>>> /O=Grid/OU=GlobusTest/OU=simpleCA-i7test3.sci.gsfc.nasa.gov/CN=host/i7test4-
>>> 10g
>>>
>>> BTW, I can't run the grid-cert-request as root. Could that be causing
>>> the confusion?
>>>
>>> -----Original Message-----
>>> *From*: Prakash Velayutham <[email protected]>
>>> *To*: Hoot Thompson <[email protected]>
>>> *Cc*: Michael Link <[email protected]>, [email protected]
>>> *Subject*: Re: [gt-user] Stripe mode over multiple links between two
>>> servers
>>> *Date*: Tue, 31 Aug 2010 12:07:55 -0400
>>>
>>> Hi,
>>>
>>> Did you give the proper DNS name (or IP address) of the server when you
>>> generated its host key (Common Name)? If you thought it was asking for
>>> your name instead of the server's name, then this will happen.
>>>
>>> Prakash
>>> On Aug 31, 2010, at 11:53 AM, Hoot Thompson wrote:
>>>> Back again....
>>>>
>>>> This one has me really confused. I somehow ended up with my name as
>>>> the authenticated hostname and I can't figure out how. Looking at the
>>>> pem files, all appears well but something is obviously amiss.
>>>>
>>>> The expected name for the remote host
>>>> ([email protected]) does not match the
>>>> authenticated name of the remote host (Hoot Thompson)
>>>>
>>>> -----Original Message-----
>>>> *From*: Michael Link <[email protected]>
>>>> *To*: Hoot Thompson <[email protected]>
>>>> *Cc*: Martin Feller <[email protected]>, [email protected]
>>>> *Subject*: Re: [gt-user] Stripe mode over multiple links between two
>>>> servers
>>>> *Date*: Fri, 27 Aug 2010 13:56:20 -0500
>>>>
>>>> On Fri 8/27/2010 7:27 AM, Hoot Thompson wrote:
>>>>> Perhaps I'm making this too hard. I follow these instructions.....
>>>>>
>>>>> Chapter 2. Configuring
>>>>> 1. Configure SimpleCA for multiple machines
>>>>> So far, you have a single machine configured with SimpleCA certificates.
>>>>> Recall that in Section 2.5, "Confirm generated certificate" a CA setup
>>>>> package was created in
>>>>> .globus/simpleCA/globus_simple_ca_HASH_setup-0.17.tar.gz. If you want to
>>>>> use your certificates on another machine, you must install that CA setup
>>>>> package on that machine.
>>>>> To install it, copy that package to the second machine and run:
>>>>> $GLOBUS_LOCATION/sbin/gpt-build globus_simple_ca_HASH_setup-0.17.tar.gz gcc32dbg
>>>>> $GLOBUS_LOCATION/sbin/gpt-postinstall
>>>>> Then you will have to perform setup-gsi -default from Section 2.6,
>>>>> "Complete setup of GSI".
>>>>> If you are going to run services on the second host, it will need its
>>>>> own host certificate (Section 3, "Host certificates")
>>>>> and grid-mapfile (as described in the basic configuration instructions
>>>>> in Section 3, "Add authorization").
>>>>> You may re-use your user certificates on the new host. You will need to
>>>>> copy the requests to the host where the SimpleCA was first installed in
>>>>> order to sign them.
>>>>>
>>>>> Everything goes well until I get to the part that says "If you are going
>>>>> to run services on the second host, it will need its own host
>>>>> certificate (Section 3, "Host certificates")
>>>>> and grid-mapfile (as described in the basic configuration instructions
>>>>> in Section 3, "Add authorization")." I can create the host certificate
>>>>> but I can't sign it due to the previously mentioned error. So your
>>>>> comment says I should sign the second machine's certificate on the first
>>>>> machine and then bring it back. I'll give it a try. Bottom line is all
>>>>> I'm trying to do is get two machines trusted so I can try striped
>>>>> transfers.
>>>>>
>>>>> Hoot
>>>>>
>>>> Right, what Martin suggested should work. That package that you
>>>> installed on the second machine is simply the CA certificates that
>>>> enable the other machines to trust that CA and the certificates it
>>>> signs. The CA itself only lives on a single machine.
>>>>
>>>>> -----Original Message-----
>>>>> *From*: Martin Feller <[email protected]>
>>>>> *To*: Hoot Thompson <[email protected]>
>>>>> *Cc*: [email protected]
>>>>> *Subject*: Re: [gt-user] Stripe mode over multiple links between two
>>>>> servers
>>>>> *Date*: Fri, 27 Aug 2010 07:04:53 -0500
>>>>>
>>>>> The CA itself should stay on one machine and should not be copied to
>>>>> multiple nodes in a grid. It's probably only located on the first
>>>>> machine in your case.
>>>>> Does it work if you copy the host certificate request from the second
>>>>> machine to the first machine, sign it there, and copy the generated
>>>>> certificate back to the second machine, where the corresponding private
>>>>> key of the host certificate lives?
>>>>>
>>>>> Martin
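
The two failures in this thread (a hostcert.pem that does not belong to the hostkey.pem next to it, and a subject CN that is not the host's full name) can be checked before the server is started. The script below is an added example, not part of the original messages or of the Globus tools; the function names are made up for illustration, the sample pair it can generate is a constructed self-signed certificate, and the `host/<fqdn>` form of the CN is taken from the subject quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# Public key (PEM) embedded in a certificate / derived from a private key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 = cert and key belong together, 1 = mismatch, 2 = unreadable input.
cert_key_match() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Last commonName of the subject, e.g. "host/node1.example.org".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p' | tail -n 1
}

# Key pairing first, then the CN against "host/<fqdn>".
check_host_creds() {
    cert=$1 key=$2 fqdn=$3
    rc=0; cert_key_match "$cert" "$key" || rc=$?
    case $rc in
        0) ;;
        1) echo "MISMATCH: $key is not the key for $cert"; return 1 ;;
        *) echo "ERROR: cannot read $cert or $key"; return 2 ;;
    esac
    cn=$(cert_cn "$cert")
    if [ "$cn" != "host/$fqdn" ]; then
        echo "NAME: subject CN is '$cn', expected 'host/$fqdn'"; return 3
    fi
    echo "OK: $cert matches $key and names host/$fqdn"
}

# Constructed sample: throwaway self-signed cert and key for trying the checks.
make_sample_pair() {  # args: dir, file prefix, fqdn
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Grid/OU=GlobusTest/CN=host\\/$3" \
        -keyout "$1/$2.key.pem" -out "$1/$2.cert.pem" >/dev/null 2>&1
}

# Usage: sh thisfile /etc/grid-security/hostcert.pem \
#           /etc/grid-security/hostkey.pem "$(hostname -f)"
if [ "$#" -eq 3 ]; then check_host_creds "$@"; fi
```

The host key is normally readable only by its owner, so run the check under the same account (or sudo) that the server will use to read it.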
