Hi All,

This was an off-list thread that may be helpful or informative to others, so I am posting it here.

Scott's use case from his original email is: "Specifically, I am trying to transfer from Stampede to Blue Waters, using a community account certificate to authenticate to Stampede and my user cert to Blue Waters."

-Stu

Begin forwarded message:

> From: Scott Callaghan <[email protected]>
> Subject: RE: Using different source and destination certs
> Date: December 4, 2013 3:19:16 PM CST
> To: Michael Link <[email protected]>, Stuart Martin <[email protected]>
>
> Hi Mike,
>
> That worked! I used my user cert as -data-cred since both ends can handle
> that one. Thanks for your help!
>
> -Scott
> ________________________________________
> From: Michael Link <[email protected]>
> Sent: Wednesday, December 4, 2013 3:10 PM
> To: Scott Callaghan; Stuart Martin
> Subject: Re: Using different source and destination certs
>
> Ah, sorry about that, auto may have been added in 5.0.5 or 5.2.x. You
> can use either your src or dst cred for -data-cred as well -- it should
> be packaged in a way that both servers can accept it.
>
> Mike
>
> On 12/4/2013 2:39 PM, Scott Callaghan wrote:
>> Hi Mike,
>>
>> I tried that, but it seems like -data-cred is expecting a file as an
>> argument:
>>
>> globus-url-copy -data-cred auto -dbg -vb -src-cred /tmp/x509up_u801878
>> -dst-cred /tmp/x509up_u33527
>> gsiftp://gridftp.stampede.tacc.utexas.edu/home1/00940/tera3d/test.txt
>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt
>> Error loading data channel credential: GSS Major Status: General failure
>> globus_gsi_gssapi: Unable to read credential for import: Couldn't open the
>> file: auto
>>
>> I'm running guc version 5.14, as part of GT 5.0.4, in case it's a version
>> issue. Thanks for your help with this!
>>
>> -Scott
>> ________________________________________
>> From: Michael Link <[email protected]>
>> Sent: Wednesday, December 4, 2013 2:21 PM
>> To: Scott Callaghan; Stuart Martin
>> Subject: Re: Using different source and destination certs
>>
>> Hi Scott,
>>
>> I thought using both -src-cred and -dst-cred would automatically use
>> DCSC, but you can force by adding '-data-cred auto'
>>
>> Mike
>>
>> On 12/4/2013 2:10 PM, Scott Callaghan wrote:
>>> Hi Stu,
>>>
>>> I used the command:
>>>
>>> globus-url-copy -dbg -vb -src-cred /tmp/x509up_u801878 -dst-cred
>>> /tmp/x509up_u33527
>>> gsiftp://gridftp.stampede.tacc.utexas.edu/home1/00940/tera3d/test.txt
>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt
>>>
>>> /tmp/x509up_u801878 is the community account proxy, /tmp/x509up_u33527 is
>>> the scottcal proxy.
>>>
>>> -Scott
>>> ________________________________________
>>> From: Stuart Martin <[email protected]>
>>> Sent: Wednesday, December 4, 2013 2:05 PM
>>> To: Scott Callaghan; Mike Link
>>> Cc: Stuart Martin
>>> Subject: Re: Using different source and destination certs
>>>
>>> Hey Scott,
>>>
>>> You should be able to do this with guc. Can you reply with the specific
>>> options you are using on the guc command? Here are the relevant options to
>>> use.
>>> -cred <path to credentials or proxy file>
>>> -src-cred | -sc <path to credentials or proxy file>
>>> -dst-cred | -dc <path to credentials or proxy file>
>>>       Set the credentials to use for source, destination,
>>>       or both ftp connections.
>>> -data-cred <path to credentials or proxy file>
>>>       Set the credential to use for data connection. A value of 'auto' will
>>>       generate a temporary self-signed credential. This may be used with
>>>       any authentication method, but the server must support the DCSC
>>>       command.
>>>
>>> Also, Globus Transfer would do this for you after you activate each
>>> endpoint with the credential. So, you could let Globus do the work for you
>>> :-)
>>>
>>> including Mike for any additional followup.
>>>
>>> Cheers,
>>> Stu
>>>
>>> On Dec 4, 2013, at Dec 4, 1:18 PM, Scott Callaghan <[email protected]> wrote:
>>>
>>>> Hi Stu,
>>>>
>>>> Good to see you at SC.
>>>>
>>>> I tried out using different certificates to authenticate to the source and
>>>> destination, using a third-party transfer. It looks like the
>>>> authentication goes fine, but then, as I understand it, both hosts also
>>>> have to be able to authenticate to the other certificate, and I think
>>>> that's where things are failing.
>>>>
>>>> Specifically, I am trying to transfer from Stampede to Blue Waters, using
>>>> a community account certificate to authenticate to Stampede and my user
>>>> cert to Blue Waters. It looks like Stampede is able to authenticate both
>>>> certificates, but Blue Waters has an issue with the community account
>>>> cert. I get the error:
>>>>
>>>> debug: response from
>>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt:
>>>> 500-Command failed. : callback failed.
>>>> 500-OpenSSL Error: s3_srvr.c:2985: in library: SSL routines, function
>>>> SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
>>>> 500-globus_gsi_callback_module: Could not verify credential
>>>> 500-globus_gsi_callback_module: Can't get the local trusted CA
>>>> certificate: Untrusted self-signed certificate in chain with hash d492aff2
>>>> 500 End.
>>>>
>>>> d492aff2 is the XSEDE MyProxy CA, who issues the community account
>>>> certificate.
>>>>
>>>> From reading through the documentation, it looks like DCSC could help me
>>>> resolve this, and both servers support DCSC. However, I'm not sure if
>>>> this feature is exposed in globus-url-copy, or how to activate it. I
>>>> apologize if you're not the right person to contact. Thanks for your help!
>>>>
>>>> -Scott
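
The thread never shows the final working command, so here is an added example (not part of the original emails) that assembles it: separate -src-cred and -dst-cred proxies, plus a -data-cred that both servers can verify. The helper names check_proxy and build_guc_cmd are hypothetical, and the refusal of group- or world-accessible proxy files is a policy assumed by this example.

```shell
#!/bin/sh
# Added example (not from the thread). check_proxy and build_guc_cmd are
# hypothetical helper names; only flags quoted in the thread are used.

# A proxy file holds an unencrypted private key: refuse one that is missing
# or that has any group/other permission bit set (assumed policy: 0600/0400).
check_proxy() {
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "cannot read proxy: $1" >&2
        return 1
    fi
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other bits of the mode string
    if [ "$perms" != "------" ]; then
        echo "proxy accessible by group/other: $1" >&2
        return 1
    fi
}

# usage: build_guc_cmd SRC_CRED DST_CRED DATA_CRED SRC_URL DST_URL
# DATA_CRED is a proxy path (the src or dst proxy works, per the thread) or the
# literal 'auto', which the guc 5.14 client in the thread did not accept.
# Prints the command line for review; it does not start the transfer.
build_guc_cmd() {
    if [ "$#" -ne 5 ]; then
        echo "usage: build_guc_cmd SRC_CRED DST_CRED DATA_CRED SRC_URL DST_URL" >&2
        return 2
    fi
    check_proxy "$1" || return 1
    check_proxy "$2" || return 1
    if [ "$3" != "auto" ]; then
        check_proxy "$3" || return 1
    fi
    for url in "$4" "$5"; do
        case "$url" in
            gsiftp://?*) ;;
            *) echo "not a gsiftp URL: $url" >&2; return 1 ;;
        esac
    done
    printf 'globus-url-copy -vb -src-cred %s -dst-cred %s -data-cred %s %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}
```

With the values from the thread, the call that matches Scott's fix passes /tmp/x509up_u801878 as SRC_CRED and /tmp/x509up_u33527 (the scottcal proxy) as both DST_CRED and DATA_CRED.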
