Ah, I thought you were saying you'd only have sudo on the test machines, not the production machines.

sudo is effectively root -- if something is to be run as root, running it with sudo (or sometimes sudo -E, to preserve environment) is almost always sufficient.

Mike

On Tue 8/31/2010 2:49 PM, Hoot Thompson wrote:
I've been doing that as sudo.

-----Original Message-----
From: Michael Link [mailto:[email protected]]
Sent: Tuesday, August 31, 2010 3:44 PM
To: Hoot Thompson
Cc: Prakash Velayutham; [email protected]
Subject: Re: [gt-user] Stripe mode over multiple links between two servers

You would need root at some point to change the ownership of the files to
root and move them to the right place, but the actual request generation
doesn't need to be run as root.

Mike

On Tue 8/31/2010 2:34 PM, Hoot Thompson wrote:
Before redoing everything let me ask a more fundamental question.  All
the documentation I've read so far says that grid-cert-request needs
to be run as root.  Is that strictly the case?  I only have sudo on
the test machines I'm using.  I have been creating the *.pem files and
then moving them to /etc/grid-security.

Hoot


On 8/31/10 3:20 PM, "Michael Link"<[email protected]>   wrote:

Is that with a different hostcert.pem and the original hostkey.pem?
If you recreate the cert you need to also copy the new key.

Mike

On Tue 8/31/2010 2:00 PM, Hoot Thompson wrote:
Well that got rid of that error message, on to the next one......



[h...@i7test3 ~]$ $GLOBUS_LOCATION/bin/globus-url-copy -vb file:/i7raid/hoot/file_12GB gsiftp://192.168.1.13/i7raid/hoot/file_12GB
Source: file:/i7raid/hoot/
Dest: gsiftp://192.168.1.13/i7raid/hoot/
file_12GB


error: globus_ftp_client: the server responded with an error 530
530-globus_xio: Server side credential failure
530-globus_gsi_gssapi: Error with gss credential handle
530-globus_gsi_gssapi: Error with openssl: Couldn't set the private key to be used for the SSL context
530-OpenSSL Error: x509_cmp.c:398: in library: x509 certificate routines, function X509_check_private_key: key values mismatch
530 End.




-----Original Message-----
*From*: Michael Link <[email protected]>
*To*: Hoot Thompson <[email protected]>
*Cc*: Prakash Velayutham <[email protected]>, [email protected]
*Subject*: Re: [gt-user] Stripe mode over multiple links between two servers
*Date*: Tue, 31 Aug 2010 13:54:53 -0500

Are you running the server as root?  If not, it can't use the host
cert, and you'll see the error you're getting.

You'll also need to recreate the host cert with the full hostname.

Mike

On Tue 8/31/2010 12:01 PM, Hoot Thompson wrote:
   Here's what's in the hostcert_request.pem

   Certificate Subject:

   /O=Grid/OU=GlobusTest/OU=simpleCA-i7test3.sci.gsfc.nasa.gov/CN=host/i7test4-10g

   BTW, I can't run the grid-cert-request as root. Could that be causing
   the confusion?



   -----Original Message-----
   *From*: Prakash Velayutham <[email protected]>
   *To*: Hoot Thompson <[email protected]>
   *Cc*: Michael Link <[email protected]>, [email protected]
   *Subject*: Re: [gt-user] Stripe mode over multiple links between two servers
   *Date*: Tue, 31 Aug 2010 12:07:55 -0400

   Hi,

   Did you give the proper DNS name (or IP address) of the server when you
   generated its host key (Common Name)? If you thought it was asking for
   your name instead of the server's name, then this will happen.

   Prakash
   On Aug 31, 2010, at 11:53 AM, Hoot Thompson wrote:
   Back again....

   This one has me really confused. I somehow ended up with my name as
   the authenticated hostname and I can't figure out how. Looking at the
   pem files, all appears well but something is obviously amiss.

   The expected name for the remote host ([email protected]) does not match
   the authenticated name of the remote host (Hoot Thompson)


   -----Original Message-----
   *From*: Michael Link <[email protected]>
   *To*: Hoot Thompson <[email protected]>
   *Cc*: Martin Feller <[email protected]>, [email protected]
   *Subject*: Re: [gt-user] Stripe mode over multiple links between two servers
   *Date*: Fri, 27 Aug 2010 13:56:20 -0500

   On Fri 8/27/2010 7:27 AM, Hoot Thompson wrote:
    Perhaps I'm making this too hard.  I follow these instructions.....

    Chapter 2. Configuring
    1. Configure SimpleCA for multiple machines
    So far, you have a single machine configured with SimpleCA certificates.
    Recall that in Section 2.5, "Confirm generated certificate" a CA setup
    package was created in
    .globus/simpleCA/globus_simple_ca_HASH_setup-0.17.tar.gz. If you want to
    use your certificates on another machine, you must install that CA setup
    package on that machine.
    To install it, copy that package to the second machine and run:
    $GLOBUS_LOCATION/sbin/gpt-build globus_simple_ca_HASH_setup-0.17.tar.gz gcc32dbg
    $GLOBUS_LOCATION/sbin/gpt-postinstall
    Then you will have to perform setup-gsi -default from Section 2.6,
    "Complete setup of GSI".
    If you are going to run services on the second host, it will need its
    own host certificate (Section 3, "Host certificates")
    and grid-mapfile (as described in the basic configuration instructions
    in Section 3, "Add authorization").
    You may re-use your user certificates on the new host. You will need to
    copy the requests to the host where the SimpleCA was first installed in
    order to sign them.


    Everything goes well until I get to the part that says "If you are going
    to run services on the second host, it will need its own host
    certificate (Section 3, "Host certificates")
    and grid-mapfile (as described in the basic configuration instructions
    in Section 3, "Add authorization")."  I can create the host certificate
    but I can't sign it due to the previously mentioned error. So your
    comment says I should sign the second machine's certificate on the first
    machine and then bring it back. I'll give it a try. Bottom line is all
    I'm trying to do is get two machines trusted so I can try
    striped transfers.

    Hoot

   Right, what Martin suggested should work.  That package that you
   installed on the second machine is simply the CA certificates that
   enable the other machines to trust that CA and the certificates it
   signs.  The CA itself only lives on a single machine.


    -----Original Message-----
    *From*: Martin Feller <[email protected]>
    *To*: Hoot Thompson <[email protected]>
    *Cc*: [email protected]
    *Subject*: Re: [gt-user] Stripe mode over multiple links between two servers
    *Date*: Fri, 27 Aug 2010 07:04:53 -0500

    The CA itself should stay on one machine and should not be copied to
    multiple nodes in a grid. It's probably only located on the first
    machine in your case.
    Does it work if you copy the host certificate request from the second
    machine to the first machine, sign it there, and copy the generated
    certificate back to the second machine, where the corresponding private
    key of the host certificate lives?

    Martin
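
Added example, not part of the original thread or of the Globus tools: a shell check for the two failures discussed above, a host certificate whose private key does not match ("key values mismatch") and a certificate whose CN is not the host's name. The function name, its exit codes and the handling of a leading "host/" in the CN are assumptions made for this sketch; it needs the openssl command line tool.

```shell
#!/bin/sh
# check_host_credential CERT KEY FQDN   (hypothetical helper, added example)
#   returns 0 = key matches certificate and the CN names FQDN
#           1 = certificate and private key do not belong together
#           2 = certificate CN does not name FQDN
#           3 = one of the files could not be parsed
check_host_credential() {
    cert=$1
    key=$2
    fqdn=$3

    # Public key embedded in the certificate vs. public half of the private
    # key. Only public material is ever held in a shell variable.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || return 3
    [ -n "$cert_pub" ] || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key is not the private key for $cert" >&2
        return 1
    fi

    # RFC2253 output lists the most specific RDN first, which is the CN
    # for subjects laid out like the one quoted in the thread.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    # Assumption: a "host/" service prefix, as in the thread's subject, is
    # stripped before comparing with the expected name.
    cn=${cn#host/}
    if [ "$cn" != "$fqdn" ]; then
        echo "NAME: certificate CN is '$cn', expected '$fqdn'" >&2
        return 2
    fi
    echo "OK: $cert and $key match and name $fqdn"
}
```

Run it on the server after copying a newly signed certificate into place, for example against the hostcert.pem and hostkey.pem in /etc/grid-security with the host's full name as the third argument.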









