Looks like there is no way to see other cert attributes such as expiration date, right?
Since that sort of information has to be available to the ssl client, could we put in a feature request for globus-url-copy to have an option to display all the ssl x.509 information it can?

JP

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Eric Blau <[email protected]>
Date: Mon, 5 Dec 2011 15:01:19
To: JP Navarro <[email protected]>
Cc: Lukasz Lacinski <[email protected]>; Stu Martin <[email protected]>; <[email protected]>; Mike Link <[email protected]>
Subject: Re: Is there a way to retrieve a GridFTP's x.509 certificate information

I just chatted with Mike Link, and, while he didn't have an immediate full solution, he did mention a couple of ways to get some information.

If a host does not have certificates in place for its gridftp server, it will give an error if you connect (with telnet or netcat) and issue "auth gssapi". If it does have a certificate, it will give a "334" response:

[eblau@forge ~]$ telnet grid-forge.ncsa.xsede.org 2812
Trying 141.142.164.101...
Connected to forge.ncsa.illinois.edu (141.142.164.101).
Escape character is '^]'.
220 GridFTP Server 2.8 (gcc64, 1217607445-63) [Globus Toolkit 5.0.4] - Running in Non-Striped Mode. ready.
auth gssapi
334 Using authentication type; ADAT must follow.

I think that this method would issue an error if the certificate was invalid (expired).

Also, you can get globus-url-copy to divulge the subject name of the gridftp server certificate by specifying a subject with -s that you know is incorrect, and watching the error message:

[eblau@forge ~]$ globus-url-copy -v -s "/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112/CN=1981729001" gsiftp://grid-forge.ncsa.xsede.org:2812/etc/group ./foobar
Source: gsiftp://grid-forge.ncsa.xsede.org:2812/etc/
Dest:   file:///uf/ncsa/eblau/./
  group  ->  foobar

error: globus_ftp_control: gss_init_sec_context failed
GSS Major Status: Unexpected Gatekeeper or Service Name
globus_gsi_gssapi: Authorization denied: The name of the remote entity (/C=US/O=National Center for Supercomputing Applications/OU=Services/CN=forge.ncsa.illinois.edu), and the expected name for the remote entity (/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112/CN=1981729001) do not match

Not sure if this solves the problem, but thought I'd pass the information along.

Eric

----- Original Message -----
> XSEDE would like its monitoring system (Inca) to access information
> about a GridFTP server's X.509 certificate.
>
> Is there a way to interact with a GridFTP server and retrieve server
> certificate information?
>
> Thanks,
>
> JP
>
> Begin forwarded message:
>
> > From: "Smallen, Shava" <[email protected]>
> > Subject: FW: Inca XSEDE Notification: gridftp-nonstriped-auth-dms-4.2.0 on tacc-ranger FAIL
> > Date: December 5, 2011 11:55:38 AM CST
> > To: David Carver <[email protected]>
> > Cc: JP Navarro <[email protected]>
> >
> > Hey David,
> >
> > I'm not sure if there is a way to read the gridftp credentials remotely as
> > you can with GRAM so we can warn ahead of time. We have some tests that
> > execute:
> >
> > openssl s_client -connect host:port
> >
> > But I get a protocol error when I try to do that against gridftp servers.
> > JP, do you know?
> >
> > Thanks,
> > Shava
> >
> > On 12/5/11 9:48 AM, "Inca Inca" <[email protected]> wrote:
> >
> >> The following Inca test has FAILED:
> >>
> >> RAN AT: 2011-12-05T09:48:07.000-0800
> >>
> >> RAN ON: login3.ranger.tacc.utexas.edu
> >>
> >> TEST: data.transfer.gridftp.unit.auth-dns
> >>
> >> INPUT PARAMETERS: -dest=gridftp.ranger.tacc.teragrid.org:2811 -help=no -log=0 -timeout=60 -verbose=1 -version=no
> >>
> >> ERROR MESSAGE: globus-url-copy -len 1280 file:///dev/zero gsiftp://129.114.50.166:2811//dev/null failed:
> >> error: globus_ftp_client: the server responded with an error
> >> 530 530-globus_xio: Server side credential failure
> >> 530-globus_gsi_gssapi: Error with GSI credential
> >> 530-globus_gsi_gssapi: Error with gss credential handle
> >> 530-globus_credential: Error with credential: The host credential: /etc/grid-security/hostcert.pem
> >> 530- with subject: /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu
> >> 530- has expired xx minutes ago.
> >> 530-
> >> 530 End.
> >>
> >> gridftp.ranger.tacc.teragrid.org mapped to the following ips: 129.114.50.166
> >>
> >> details at
> >> http://inca.xsede.org/inca/jsp/instance.jsp?xsl=instance.xsl&nickname=gridftp-nonstriped-auth-dms-4.2.0&resource=tacc-ranger&collected=2011-12-05T09:48:07.000-08:00
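The three observations in this thread (a 334 reply to "auth gssapi" means the server has a usable host credential, a 530 multi-line reply carries the subject and the "has expired" text when it does not, and a deliberately wrong -s makes globus-url-copy print the server's real subject) can be turned into a small monitoring probe. The code below is an added example written for this page; it is not part of Globus, Inca or XSEDE. It assumes only that GridFTP control-channel replies follow the RFC 959 shape quoted in the thread ("NNN-text" continuation lines closed by an "NNN text" line). The sample replies are constructed from the messages above; the "42 minutes" value and the "CN=Example Probe" subject are placeholders. The names parse_reply, classify_auth_reply, remote_entity_name and probe_auth_gssapi are this example's own.

```python
"""Classify what a GridFTP control channel says after AUTH GSSAPI.

Added example for this thread; not Globus, Inca or XSEDE code.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")          # RFC 959 reply line
_SUBJECT = re.compile(r"with subject:\s*(\S+)")            # from the 530 text
_REMOTE_ENTITY = re.compile(r"The name of the remote entity \((.+?)\)")


@dataclass
class AuthProbeResult:
    code: Optional[int]            # FTP reply code, e.g. 334 or 530
    status: str                    # "cert_present", "credential_failure", "unknown"
    subject: Optional[str] = None  # host cert subject when the server reveals it
    expired: bool = False
    detail: str = ""


def parse_reply(raw: str) -> Tuple[Optional[int], List[str]]:
    """Split the first (possibly multi-line) FTP reply into code and text lines."""
    code, lines = None, []
    for line in raw.splitlines():
        m = _REPLY_LINE.match(line)
        if m is None:
            if code is not None:            # bare continuation inside a reply
                lines.append(line)
            continue
        c, sep, text = m.groups()
        if code is None:
            code = int(c)
        lines.append(text)
        if sep == " " and int(c) == code:   # "NNN " closes the reply
            break
    return code, lines


def classify_auth_reply(raw: str) -> AuthProbeResult:
    """Map the reply to AUTH GSSAPI onto a monitoring verdict."""
    code, lines = parse_reply(raw)
    text = "\n".join(lines)
    if code == 334:                         # server has a credential it can use
        return AuthProbeResult(code, "cert_present", detail=text)
    if code == 530:                         # server-side credential failure
        subj = _SUBJECT.search(text)
        detail = next((l.strip() for l in lines if "has expired" in l), text)
        return AuthProbeResult(code, "credential_failure",
                               subject=subj.group(1) if subj else None,
                               expired="has expired" in text, detail=detail)
    return AuthProbeResult(code, "unknown", detail=text)


def remote_entity_name(error_output: str) -> Optional[str]:
    """Extract the server subject from the globus-url-copy name-mismatch error
    that a deliberately wrong -s produces."""
    m = _REMOTE_ENTITY.search(error_output)
    return m.group(1) if m else None


def _reply_complete(text: str) -> bool:
    lines = text.splitlines()
    if not lines or not text.endswith("\n"):
        return False
    m = _REPLY_LINE.match(lines[-1])
    return m is not None and m.group(2) == " "


def _read_reply(sock: socket.socket) -> str:
    buf = b""
    while not _reply_complete(buf.decode("utf-8", "replace")):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def probe_auth_gssapi(host: str, port: int = 2811, timeout: float = 10.0) -> AuthProbeResult:
    """Network form of the telnet check: read the 220 banner, send AUTH GSSAPI,
    classify the reply. No ADAT is sent, so no client credential is presented."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_reply(sock)                    # 220 banner
        sock.sendall(b"AUTH GSSAPI\r\n")
        result = classify_auth_reply(_read_reply(sock))
        sock.sendall(b"QUIT\r\n")
    return result


# Constructed samples modelled on the replies quoted in the thread.
SAMPLE_OK = "334 Using authentication type; ADAT must follow.\r\n"
SAMPLE_EXPIRED = (
    "530-globus_xio: Server side credential failure\r\n"
    "530-globus_gsi_gssapi: Error with GSI credential\r\n"
    "530-globus_credential: Error with credential: The host credential: "
    "/etc/grid-security/hostcert.pem\r\n"
    "530- with subject: /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu\r\n"
    "530- has expired 42 minutes ago.\r\n"   # "42" is a placeholder value
    "530-\r\n"
    "530 End.\r\n"
)
SAMPLE_WRONG_SUBJECT = (
    "globus_gsi_gssapi: Authorization denied: The name of the remote entity "
    "(/C=US/O=National Center for Supercomputing Applications/OU=Services/"
    "CN=forge.ncsa.illinois.edu), and the expected name for the remote entity "
    "(/DC=org/DC=doegrids/OU=People/CN=Example Probe) do not match"
)

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("expired", SAMPLE_EXPIRED)):
        print(name, classify_auth_reply(raw))
    print("subject via -s trick:", remote_entity_name(SAMPLE_WRONG_SUBJECT))
```

Run as-is it only exercises the constructed samples; point probe_auth_gssapi at one of your own GridFTP hosts from a monitoring node to get the live verdict. Note the asymmetry Eric describes: a 334 only tells you the server holds a credential it is willing to use and says nothing about when it expires, whereas the subject and expiry text surface only once the credential has already failed, so this probe detects an expired host cert but cannot warn ahead of time.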
