Can you please post the "several lines of errors that all relate to authentication errors"? They might help us figure out what is going on.
Thanks,
Eric

----- Original Message -----
> Well, I've run into another brick wall, and need another clue or two.
>
> After progressing through the SimpleCA instructions, the step 5
> verification succeeds (as globus user, gridtest):
> grid-proxy-init -debug -verify
> Which comes back with the successful output and asks for the pass
> phrase, so that is OK. I then create the rpm package as outlined in
> step 6:
> rpmbuild -ta ./globus_simple_ca_HASH.tar.gz
> I installed that on my client, but I can not transfer any files, and
> all attempts to do so result in authentication errors.
>
> Steps I've taken:
> Copied /home/gridtest/.globus to machine2
> Started the grid-ftp service on machine1:
> sudo service globus-gridftp-server start
> Telnet to machine1 from machine2, and get the banner:
> telnet machine2 2811
> But trying
> globus-url-copy gsiftp://localhost/tmp/file1 file:///tmp/file2
> on machine1, or
> globus-url-copy -v gsiftp://machine1/tmp/file1 file:///tmp/file2
> from machine2 fails with several lines of errors that all relate to
> authentication errors.
>
> So I guess my questions at this point are:
> What needs to be running on which machine
> What certificate files need to be on which machine
> How do I transfer a file from the client (machine2) to the server
> (machine1)?
>
> Thanks,
> Melvin
>
>
> ----------------------------------------
> > From: [email protected]
> > To: [email protected]
> > Date: Wed, 17 Oct 2012 14:20:50 -0500
> > CC: [email protected]
> > Subject: Re: [gt-user] host certificate request fails
> >
> >
> > Thanks John,
> >
> > Looks like we both had the same thought because that is what I've
> > been doing too.
> >
> > Your advice was right on and I'm making a bit of progress. This may
> > work yet. You'll notice this reply is not the same as the one I
> > accidentally sent to just you, because I found a few errors in that
> > line of thought. This reply includes those corrected steps.
> >
> > What I ended up doing:
> >
> > sudo mkdir /etc/grid-security/
> > sudo chown gridtest:gridtest /etc/grid-security/
> >
> > mkdir /etc/grid-security/certificates
> > /usr/bin/grid-ca-create
> >
> > cp /home/gridtest/)/globus-host-ssl.conf /etc/grid-security
> > cp /home/gridtest/.globus/simpleCA/globus-user-ssl.conf /etc/grid-security
> > cp /home/gridtest/.globus/simpleCA/grid-security.conf /etc/grid-security
> > cp /home/gridtest/.globus/simpleCA/signing-policy /etc/grid-security
> > cp /home/gridtest/.globus/simpleCA/grid-ca-ssl.conf /etc/grid-security
> >
> > Then at step three, you and Joseph were correct about the FQDN:
> > grid-cert-request -host 'gridftp.mydomain.com' -force
> >
> > After that, the documentation
> > (http://www.globus.org/toolkit/docs/5.2/5.2.2/admin/install/appendix.html#gtadmin-simpleca)
> > seems to be fairly accurate.
> >
> > (For the curious, in my original reply I had run grid-ca-create as
> > root, and that put the files into /var/lib/globus/simple_ca, not
> > ~/.globus/simpleCA. There were other location discrepancies as well)
> >
> > ________________________________
> > > Date: Wed, 17 Oct 2012 10:35:56 -0500
> > > Subject: Re: [gt-user] host certificate request fails
> > > From: [email protected]
> > > To: [email protected]
> > >
> > > Well,
> > >
> > > I worked around these issues doing some tricks. For instance, when
> > > grid-ca-create shows the warning [permissions] message, I ignored and
> > > copied the required files to the /etc/grid-security directory as I
> > > mentioned before. If /etc/grid-security does not exist, I created it
> > > as root user and then changed its ownership to the globus user. As a
> > > matter of fact, until you mentioned, I did not know that
> > > GLOBUS_LOCATION points to /usr/sbin directory so for the installation
> > > purposes, I think, is not relevant that variable at that time.
> > >
> > >
> > > On 17 October 2012 09:53, gridftp user <[email protected]> wrote:
> > >
> > > Hi John,
> > >
> > > You are the second person to mention this, and this sounds like just
> > > what I need. I'll report back on my progress.
> > >
> > > You bring up an interesting point regarding the globus user. According
> > > to the Simple CA instructions, I should create a "...generic globus
> > > account, which will be used to perform administrative tasks. This user
> > > will also be in charge of managing the SimpleCA. To do this, make sure
> > > this account has read and write permissions in the $GLOBUS_LOCATION
> > > directory." I am trying to implement this on CentOS 6.2, and
> > > $GLOBUS_LOCATION is /usr/sbin, which is only writable by root. That
> > > makes it kind of difficult to create a generic, non-privileged user
> > > with the stated necessary write permissions. Can you tell me what
> > > needs to be written to so I can only allow that write access instead
> > > of full access to /usr/sbin?
> > >
> > > Thanks!
> > >
> > > ________________________________
> > > > Date: Wed, 17 Oct 2012 08:37:37 -0500
> > > > Subject: Re: [gt-user] host certificate request fails
> > > > From: [email protected]
> > > > To: [email protected]
> > > > CC: [email protected]
> > > >
> > > > Hi Melvin,
> > > >
> > > > Days ago I experimented the same issue that you are facing now and I
> > > > think that the problem is on the Globus Toolkit documentation. Here is
> > > > how I fixed
> > > >
> > > > 1. Be sure to run the grid-ca-create command as globus user
> > > > 2. This command creates a directory in the globus's home directory
> > > > (~/.globus/simpleCA) which contains a lot of files that you need to
> > > > copy in the /etc/grid-security directory.
> > > > Those files are: globus-host-ssl.conf, globus-user-ssl.conf and
> > > > grid-security.conf. I also copied signing-policy and
> > > > grid-ca-ssl.conf but I am not quite sure if they have to be copied
> > > > too.
> > > >
> > > > Run the hostname command and be sure that it returns the FQDN for the
> > > > machine where you are setting up the gridftp service.
> > > >
> > > > The /etc/grid-security/certificates exists on that machine?
> > > >
> > > > On 17 October 2012 08:25, gridftp user <[email protected]> wrote:
> > > >
> > > > According to the instructions for setting up the Simple CA
> > > > (http://globus.org/toolkit/docs/5.2/5.2.2/admin/install/appendix.html#gtadmin-simpleca),
> > > > I need to request a host certificate by running:
> > > > sudo grid-cert-request -host 'hostname'
> > > >
> > > > It would have been really nice if the next line explained what value
> > > > is expected for 'hostname' but the author failed to see a need for
> > > > this. Assuming it means my host, I entered:
> > > > sudo grid-cert-request -host '[email protected]'
> > > >
> > > > and got an immediate error:
> > > > line 917: /etc/grid-security/grid-security.conf: No such file or directory
> > > >
> > > > Searching for that file name on the Globus site, I found a description
> > > > from the version 4.0 documentation
> > > > (http://www.globus.org/toolkit/docs/4.0/admin/docbook/ch05.html):
> > > > grid-security.conf A base configuration file that contains the
> > > > name and email address for the CA.
> > > >
> > > > So I created that /etc/grid-security/grid-security.conf file:
> > > > root
> > > > [email protected]
> > > >
> > > > Now sudo grid-cert-request -host '[email protected]' gives another
> > > > error:
> > > > /etc/grid-security/grid-security.conf: line 1: root: command not found
> > > > /etc/grid-security/grid-security.conf: line 2: [email protected]: command not found
> > > > /usr/bin/grid-cert-request: line 442: /etc/grid-security/globus-host-ssl.conf: No such file or directory
> > > >
> > > > So obviously grid-security.conf is not a base configuration file that
> > > > contains the name and email address for the CA. Is there any chance
> > > > someone would be willing to take a minute to explain what that file
> > > > should contain, as well an example of what should be in
> > > > /etc/grid-security/globus-host-ssl.conf? I would sure appreciate it.
> > > >
> > > > Thanks,
> > > > Melvin
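
A preflight check for the setup steps described in the thread above, added here as an example (it is not code from any poster or from the Globus Toolkit): it reports which of the files named in the thread are missing from a grid-security directory and whether the host name passed to `grid-cert-request -host` looks like an FQDN. The function names and the required/optional split are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the SimpleCA host setup discussed in the thread.
# File names come from the thread; the required/optional split follows the
# poster's "not quite sure" remark and is an assumption.
REQUIRED_FILES="globus-host-ssl.conf globus-user-ssl.conf grid-security.conf"
OPTIONAL_FILES="signing-policy grid-ca-ssl.conf"

# is_fqdn NAME: succeed only for a dotted host name (no '@', no empty labels).
is_fqdn() {
    case "$1" in
        ""|*@*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_files DIR: print one line per required item that is absent or empty.
missing_files() {
    for f in $REQUIRED_FILES; do
        [ -s "$1/$f" ] || printf '%s\n' "$f"
    done
    [ -d "$1/certificates" ] || printf '%s\n' "certificates/"
}

# preflight DIR HOST: report problems on stderr, return 0 only if none found.
preflight() {
    status=0
    if ! is_fqdn "$2"; then
        echo "host name '$2' is not an FQDN" >&2
        status=1
    fi
    missing=$(missing_files "$1")
    if [ -n "$missing" ]; then
        echo "missing under $1:" $missing >&2
        status=1
    fi
    for f in $OPTIONAL_FILES; do
        [ -e "$1/$f" ] || echo "note: $f not present under $1" >&2
    done
    return "$status"
}

# Usage: sh preflight.sh /etc/grid-security "$(hostname)"
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The check only confirms that the files exist and are non-empty; it does not validate their contents, so a hand-written grid-security.conf like the one in the original post would still pass.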
