Great, thank you.
On 8/31/10 4:20 PM, "Michael Link" <[email protected]> wrote:
> Ah, I thought you were saying you'd only have sudo on the test machines,
> not the production machines.
>
> sudo is effectively root -- if something is to be run as root, running
> it with sudo (or sometimes sudo -E, to preserve environment) is almost
> always sufficient.
>
> Mike
>
> On Tue 8/31/2010 2:49 PM, Hoot Thompson wrote:
>> I've been doing that as sudo.
>>
>> -----Original Message-----
>> From: Michael Link [mailto:[email protected]]
>> Sent: Tuesday, August 31, 2010 3:44 PM
>> To: Hoot Thompson
>> Cc: Prakash Velayutham; [email protected]
>> Subject: Re: [gt-user] Stripe mode over multiple links between two servers
>>
>> You would need root at some point to change the ownership of the files to
>> root and move them to the right place, but the actual request generation
>> doesn't need to be run as root.
>>
>> Mike
>>
>> On Tue 8/31/2010 2:34 PM, Hoot Thompson wrote:
>>> Before redoing everything let me ask a more fundamental question. All
>>> the documentation I've read so far says that grid-cert-request needs
>>> to be run as root. Is that strictly the case? I only have sudo on
>>> the test machines I'm using. I have been creating the *.pem files and
>>> then moving them to /etc/grid-security.
>>>
>>> Hoot
>>>
>>> On 8/31/10 3:20 PM, "Michael Link" <[email protected]> wrote:
>>>
>>>> Is that with a different hostcert.pem and the original hostkey.pem?
>>>> If you recreate the cert you need to also copy the new key.
>>>>
>>>> Mike
>>>>
>>>> On Tue 8/31/2010 2:00 PM, Hoot Thompson wrote:
>>>>> Well that got rid of that error message, on to the next one......
>>>>>
>>>>> [h...@i7test3 ~]$ $GLOBUS_LOCATION/bin/globus-url-copy -vb
>>>>> file:/i7raid/hoot/file_12GB
>>>>> gsiftp://192.168.1.13/i7raid/hoot/file_12GB
>>>>> Source: file:/i7raid/hoot/
>>>>> Dest: gsiftp://192.168.1.13/i7raid/hoot/
>>>>> file_12GB
>>>>>
>>>>> error: globus_ftp_client: the server responded with an error 530
>>>>> 530-globus_xio: Server side credential failure
>>>>> 530-globus_gsi_gssapi: Error with gss credential handle
>>>>> 530-globus_gsi_gssapi: Error with openssl: Couldn't set the private
>>>>> key to be used for the SSL context 530-OpenSSL Error:
>>>>> x509_cmp.c:398: in library: x509 certificate routines, function
>>>>> X509_check_private_key: key values mismatch 530 End.
>>>>>
>>>>> -----Original Message-----
>>>>> *From*: Michael Link <[email protected]>
>>>>> *To*: Hoot Thompson <[email protected]>
>>>>> *Cc*: Prakash Velayutham <[email protected]>, [email protected]
>>>>> *Subject*: Re: [gt-user] Stripe mode over multiple links between two servers
>>>>> *Date*: Tue, 31 Aug 2010 13:54:53 -0500
>>>>>
>>>>> Are you running the server as root? If not, it can't use the host
>>>>> cert, and you'll see the error you're getting.
>>>>>
>>>>> You'll also need to recreate the host cert with the full hostname.
>>>>>
>>>>> Mike
>>>>>
>>>>> On Tue 8/31/2010 12:01 PM, Hoot Thompson wrote:
>>>>>> Here's what's in the hostcert_request.pem
>>>>>>
>>>>>> Certificate Subject:
>>>>>>
>>>>>> /O=Grid/OU=GlobusTest/OU=simpleCA-i7test3.sci.gsfc.nasa.gov/CN=host/i7test4-10g
>>>>>>
>>>>>> BTW, I can't run the grid-cert-request as root. Could that be causing
>>>>>> the confusion?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> *From*: Prakash Velayutham <[email protected]>
>>>>>> *To*: Hoot Thompson <[email protected]>
>>>>>> *Cc*: Michael Link <[email protected]>, [email protected]
>>>>>> *Subject*: Re: [gt-user] Stripe mode over multiple links between two servers
>>>>>> *Date*: Tue, 31 Aug 2010 12:07:55 -0400
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Did you give the proper DNS name (or IP address) of the server when you
>>>>>> generated its host key (Common Name)? If you thought it was asking for
>>>>>> your name instead of the server's name, then this will happen.
>>>>>>
>>>>>> Prakash
>>>>>> On Aug 31, 2010, at 11:53 AM, Hoot Thompson wrote:
>>>>>>> Back again....
>>>>>>>
>>>>>>> This one has me really confused. I somehow ended up with my name as
>>>>>>> the authenticated hostname and I can't figure out how. Looking at the
>>>>>>> pem files, all appears well but something is obviously amiss.
>>>>>>>
>>>>>>> The expected name for the remote host
>>>>>>> ([email protected]) does not match the
>>>>>>> authenticated name of the remote host (Hoot Thompson)
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> *From*: Michael Link <[email protected]>
>>>>>>> *To*: Hoot Thompson <[email protected]>
>>>>>>> *Cc*: Martin Feller <[email protected]>, [email protected]
>>>>>>> *Subject*: Re: [gt-user] Stripe mode over multiple links between two servers
>>>>>>> *Date*: Fri, 27 Aug 2010 13:56:20 -0500
>>>>>>>
>>>>>>> On Fri 8/27/2010 7:27 AM, Hoot Thompson wrote:
>>>>>>>> Perhaps I'm making this too hard. I follow these instructions.....
>>>>>>>>
>>>>>>>> Chapter 2. Configuring
>>>>>>>> 1. Configure SimpleCA for multiple machines
>>>>>>>> So far, you have a single machine configured with SimpleCA certificates.
>>>>>>>> Recall that in Section 2.5, "Confirm generated certificate" a CA setup
>>>>>>>> package was created in
>>>>>>>> .globus/simpleCA/globus_simple_ca_HASH_setup-0.17.tar.gz. If you want to
>>>>>>>> use your certificates on another machine, you must install that CA setup
>>>>>>>> package on that machine.
>>>>>>>> To install it, copy that package to the second machine and run:
>>>>>>>> $GLOBUS_LOCATION/sbin/gpt-build globus_simple_ca_HASH_setup-0.17.tar.gz gcc32dbg
>>>>>>>> $GLOBUS_LOCATION/sbin/gpt-postinstall
>>>>>>>> Then you will have to perform setup-gsi -default from Section 2.6,
>>>>>>>> "Complete setup of GSI".
>>>>>>>> If you are going to run services on the second host, it will need its
>>>>>>>> own host certificate (Section 3, "Host certificates")
>>>>>>>> and grid-mapfile (as described in the basic configuration instructions
>>>>>>>> in Section 3, "Add authorization").
>>>>>>>> You may re-use your user certificates on the new host. You will need to
>>>>>>>> copy the requests to the host where the SimpleCA was first installed in
>>>>>>>> order to sign them.
>>>>>>>>
>>>>>>>> Everything goes well until I get to the part that says "If you are going
>>>>>>>> to run services on the second host, it will need its own host
>>>>>>>> certificate (Section 3, "Host certificates")
>>>>>>>> and grid-mapfile (as described in the basic configuration instructions
>>>>>>>> in Section 3, "Add authorization")." I can create the host certificate
>>>>>>>> but I can't sign it due to the previously mentioned error. So your
>>>>>>>> comment says I should sign the second machine's certificate on the first
>>>>>>>> machine and then bring it back. I'll give it a try. Bottom line is all
>>>>>>>> I'm trying to do is get two machines trusted so I can try
>>>>>>>> striped transfers.
>>>>>>>>
>>>>>>>> Hoot
>>>>>>>>
>>>>>>> Right, what Martin suggested should work. That package that you
>>>>>>> installed on the second machine is simply the CA certificates that
>>>>>>> enable the other machines to trust that CA and the certificates it
>>>>>>> signs. The CA itself only lives on a single machine.
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> *From*: Martin Feller <[email protected]>
>>>>>>>> *To*: Hoot Thompson <[email protected]>
>>>>>>>> *Cc*: [email protected]
>>>>>>>> *Subject*: Re: [gt-user] Stripe mode over multiple links between two servers
>>>>>>>> *Date*: Fri, 27 Aug 2010 07:04:53 -0500
>>>>>>>>
>>>>>>>> The CA itself should stay on one machine and should not be copied to
>>>>>>>> multiple nodes in a grid. It's probably only located on the first
>>>>>>>> machine in your case.
>>>>>>>> Does it work if you copy the host certificate request from the second
>>>>>>>> machine to the first machine, sign it there, and copy the generated
>>>>>>>> certificate back to the second machine, where the corresponding private
>>>>>>>> key of the host certificate lives?
>>>>>>>>
>>>>>>>> Martin
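
The two checks the replies above point at (a recreated hostcert.pem must pair with the new hostkey.pem, and the certificate CN must be the host's name rather than a person's), as an added example that is not part of the original thread. It assumes the `openssl` CLI; the helper names, the temp-dir layout and `host.example.test` are constructed, and self-signed certificates stand in for SimpleCA-signed ones.

```shell
#!/bin/sh
# Added example: every file here is constructed in a temp dir; nothing under
# /etc/grid-security is read or written.

# 0 if the certificate's public key is the public half of the private key.
# This is the comparison behind "X509_check_private_key: key values mismatch".
cert_matches_key() {    # $1 = certificate PEM, $2 = private key PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the subject carries exactly CN=<expected>, so a personal name in place
# of the host name is caught before the server is started.
cert_has_cn() {         # $1 = certificate PEM, $2 = expected CN
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
    case "$subj," in
        *"CN=$2,"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed stand-in for a request/sign round trip: a fresh key plus a
# self-signed certificate (a real host cert would be signed by the SimpleCA).
make_pair() {           # $1 = output dir, $2 = CN
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Grid/OU=GlobusTest/CN=$2" \
        -keyout "$1/hostkey.pem" -out "$1/hostcert.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_pair "$tmp/old" host.example.test    # first attempt
    make_pair "$tmp/new" host.example.test    # cert recreated, new key made
    for key in old new; do
        if cert_matches_key "$tmp/new/hostcert.pem" "$tmp/$key/hostkey.pem"
        then echo "new hostcert.pem + $key hostkey.pem: match"
        else echo "new hostcert.pem + $key hostkey.pem: key values mismatch"
        fi
    done
    cert_has_cn "$tmp/new/hostcert.pem" "Hoot Thompson" ||
        echo "CN is not 'Hoot Thompson' (expected: it is the host name)"
    rm -rf "$tmp"
}

demo
```

On a real host the same two functions can be pointed at the hostcert.pem and hostkey.pem under /etc/grid-security, run with enough privilege to read the key.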
