Could this be a different OpenSSL version (1.0 vs 0.9.x) requiring a different CA hash? If so, there's a tool in GT5 to work around that.
See http://www.globus.org/toolkit/docs/5.0/5.0.4/security/gsic/pi/#id2578254 Joe On Dec 5, 2011, at 8:58 AM, Sebastian Czechowski wrote: > Hello, > > Does anyone has an answer to this one? > > Regards, > Sebastian > > -------- Original Message -------- > Subject: [gt-user] Old-style proxies support > Date: Mon, 14 Nov 2011 10:18:05 +0100 > From: Sebastian Czechowski <[email protected]> > To: [email protected] <[email protected]> > > > > Hello all, > > Dennis van Dok from IGE Project has sent a the following question: > > Will old-style proxies remain supported in current and upcoming Globus > products? Currently it seems that they aren't (see below). > ------------------------------------------------------------------------ > > There is a failure in the authentication layer of the client-server > interaction between a recent version of the globus client tools and a > recent version of the globus services, when using classic (globus) proxies. > > Example: voms classic proxy, globus-url-copy from globus-gass-copy-5.7-1 > on Ubuntu 11.04, with globus-gridftp-server-progs-3.28-3.el5 on CentOS 5. > > $ voms-proxy-info -all > subject : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok/CN=proxy > issuer : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok > identity : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok > type : proxy > strength : 1024 bits > path : /user/dennisvd/ige-voms-proxy-classic > timeleft : 11:47:33 > === VO ige-project.eu extension information === > VO : ige-project.eu > subject : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok > issuer : > /C=DE/O=GermanGrid/OU=TU-Dortmund/CN=host/vomrs01.grid.tu-dortmund.de > attribute : /ige-project.eu/Role=NULL/Capability=NULL > timeleft : 11:47:33 > uri : vomrs01.grid.tu-dortmund.de:15011 > > $ globus-url-copy gsiftp://ve.nikhef.nl/etc/grid-security/grid-mapfile > `pwd`/ > > error: globus_ftp_client: the server responded with an error > 530 530-globus_xio: Authentication Error > 530-OpenSSL Error: s3_srvr.c:2518: in library: SSL routines, function > SSL3_GET_CLIENT_CERTIFICATE: no certificate returned > 530-globus_gsi_callback_module: Could not verify credential > 530-globus_gsi_callback_module: Can't get the local trusted CA > certificate: Cannot find trusted CA certificate with hash 8d759796 in > /etc/grid-security/certificates > 530 End. > > Copying the same proxy file to a machine with a gLite 3.2.8 installation > (globus-url-copy -version says globus-url-copy: 3.23) and repeating the > command works. > > Initiating the voms proxy to use an RFC style proxy also works: > > $ voms-proxy-init --bits 1024 --rfc --voms ige-project.eu > > $ voms-proxy-info -all > subject : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok/CN=122854297 > issuer : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok > identity : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok > type : RFC compliant proxy > strength : 1024 bits > path : /private/home/dennis/src/globustest/ige-voms-proxy-rfc > timeleft : 11:43:07 > === VO ige-project.eu extension information === > VO : ige-project.eu > subject : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok > issuer : > /C=DE/O=GermanGrid/OU=TU-Dortmund/CN=host/vomrs01.grid.tu-dortmund.de > attribute : /ige-project.eu/Role=NULL/Capability=NULL > timeleft : 11:43:06 > uri : vomrs01.grid.tu-dortmund.de:15011 > > Best regards, > Sebastian Czechowski, IGE Project > > -- > Sebastian Czechowski [email protected] > IT Project Coordinator > GridwiseTech office/fax: +48 12 294 71 20 > > The Scalability Specialist www.gridwisetech.com > -------------------------------------------------------------------- > > >
