Should this be in our FAQ?

On Dec 4, 2013, at 3:53 PM, Stuart Martin <smar...@mcs.anl.gov> wrote:
> Hi All,
>
> This was an off-list thread that may be helpful or informative to others, so
> I am posting it here.
>
> Scott's use case from his original email is:
> "Specifically, I am trying to transfer from Stampede to Blue Waters, using a
> community account certificate to authenticate to Stampede and my user cert to
> Blue Waters."
>
> -Stu
>
> Begin forwarded message:
>
>> From: Scott Callaghan <scott...@usc.edu>
>> Subject: RE: Using different source and destination certs
>> Date: December 4, 2013 3:19:16 PM CST
>> To: Michael Link <ml...@mcs.anl.gov>, Stuart Martin <smar...@mcs.anl.gov>
>>
>> Hi Mike,
>>
>> That worked! I used my user cert as -data-cred since both ends can handle
>> that one. Thanks for your help!
>>
>> -Scott
>> ________________________________________
>> From: Michael Link <ml...@mcs.anl.gov>
>> Sent: Wednesday, December 4, 2013 3:10 PM
>> To: Scott Callaghan; Stuart Martin
>> Subject: Re: Using different source and destination certs
>>
>> Ah, sorry about that, auto may have been added in 5.0.5 or 5.2.x. You
>> can use either your src or dst cred for -data-cred as well -- it should
>> be packaged in a way that both servers can accept it.
>>
>> Mike
>>
>> On 12/4/2013 2:39 PM, Scott Callaghan wrote:
>>> Hi Mike,
>>>
>>> I tried that, but it seems like -data-cred is expecting a file as an
>>> argument:
>>>
>>> globus-url-copy -data-cred auto -dbg -vb -src-cred /tmp/x509up_u801878
>>> -dst-cred /tmp/x509up_u33527
>>> gsiftp://gridftp.stampede.tacc.utexas.edu/home1/00940/tera3d/test.txt
>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt
>>> Error loading data channel credential: GSS Major Status: General failure
>>> globus_gsi_gssapi: Unable to read credential for import: Couldn't open the
>>> file: auto
>>>
>>> I'm running guc version 5.14, as part of GT 5.0.4, in case it's a version
>>> issue. Thanks for your help with this!
>>>
>>> -Scott
>>> ________________________________________
>>> From: Michael Link <ml...@mcs.anl.gov>
>>> Sent: Wednesday, December 4, 2013 2:21 PM
>>> To: Scott Callaghan; Stuart Martin
>>> Subject: Re: Using different source and destination certs
>>>
>>> Hi Scott,
>>>
>>> I thought using both -src-cred and -dst-cred would automatically use
>>> DCSC, but you can force by adding '-data-cred auto'
>>>
>>> Mike
>>>
>>> On 12/4/2013 2:10 PM, Scott Callaghan wrote:
>>>> Hi Stu,
>>>>
>>>> I used the command:
>>>>
>>>> globus-url-copy -dbg -vb -src-cred /tmp/x509up_u801878 -dst-cred
>>>> /tmp/x509up_u33527
>>>> gsiftp://gridftp.stampede.tacc.utexas.edu/home1/00940/tera3d/test.txt
>>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt
>>>>
>>>> /tmp/x509up_u801878 is the community account proxy, /tmp/x509up_u33527 is
>>>> the scottcal proxy.
>>>>
>>>> -Scott
>>>> ________________________________________
>>>> From: Stuart Martin <smar...@mcs.anl.gov>
>>>> Sent: Wednesday, December 4, 2013 2:05 PM
>>>> To: Scott Callaghan; Mike Link
>>>> Cc: Stuart Martin
>>>> Subject: Re: Using different source and destination certs
>>>>
>>>> Hey Scott,
>>>>
>>>> You should be able to do this with guc. Can you reply with the specific
>>>> options you are using on the guc command? Here are the relevant options
>>>> to use.
>>>> -cred <path to credentials or proxy file>
>>>> -src-cred | -sc <path to credentials or proxy file>
>>>> -dst-cred | -dc <path to credentials or proxy file>
>>>>     Set the credentials to use for source, destination,
>>>>     or both ftp connections.
>>>> -data-cred <path to credentials or proxy file>
>>>>     Set the credential to use for data connection. A value of 'auto' will
>>>>     generate a temporary self-signed credential. This may be used with
>>>>     any authentication method, but the server must support the DCSC
>>>>     command.
>>>>
>>>> Also, Globus Transfer would do this for you after you activate each
>>>> endpoint with the credential.
>>>> So, you could let Globus do the work for
>>>> you :-)
>>>>
>>>> including Mike for any additional followup.
>>>>
>>>> Cheers,
>>>> Stu
>>>>
>>>> On Dec 4, 2013, at Dec 4, 1:18 PM, Scott Callaghan <scott...@usc.edu>
>>>> wrote:
>>>>
>>>>> Hi Stu,
>>>>>
>>>>> Good to see you at SC.
>>>>>
>>>>> I tried out using different certificates to authenticate to the source
>>>>> and destination, using a third-party transfer. It looks like the
>>>>> authentication goes fine, but then, as I understand it, both hosts also
>>>>> have to be able to authenticate to the other certificate, and I think
>>>>> that's where things are failing.
>>>>>
>>>>> Specifically, I am trying to transfer from Stampede to Blue Waters, using
>>>>> a community account certificate to authenticate to Stampede and my user
>>>>> cert to Blue Waters. It looks like Stampede is able to authenticate both
>>>>> certificates, but Blue Waters has an issue with the community account
>>>>> cert. I get the error:
>>>>>
>>>>> debug: response from
>>>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt:
>>>>> 500-Command failed. : callback failed.
>>>>> 500-OpenSSL Error: s3_srvr.c:2985: in library: SSL routines, function
>>>>> SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
>>>>> 500-globus_gsi_callback_module: Could not verify credential
>>>>> 500-globus_gsi_callback_module: Can't get the local trusted CA
>>>>> certificate: Untrusted self-signed certificate in chain with hash d492aff2
>>>>> 500 End.
>>>>>
>>>>> d492aff2 is the XSEDE MyProxy CA, who issues the community account
>>>>> certificate.
>>>>>
>>>>> From reading through the documentation, it looks like DCSC could help me
>>>>> resolve this, and both servers support DCSC. However, I'm not sure if
>>>>> this feature is exposed in globus-url-copy, or how to activate it. I
>>>>> apologize if you're not the right person to contact. Thanks for your
>>>>> help!
>>>>>
>>>>> -Scott
>>>>
>
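
The resolution reached in the thread, as an added shell example that is not part of the original messages and is not Globus code: it pulls the untrusted CA hash out of the `-dbg` reply and assembles the third-party transfer command with an explicit `-data-cred` file. The helper names (`guc_untrusted_hash`, `cred_ok`, `guc_dcsc_cmd`) are hypothetical, and the owner-only file mode check is an added precaution, not something the thread states.

```shell
#!/bin/sh
# Added example; guc_untrusted_hash, cred_ok and guc_dcsc_cmd are hypothetical helpers.

# Reply lines quoted in the thread, with the mail client's line wraps joined.
SAMPLE_REPLY=$(cat <<'EOF'
500-Command failed. : callback failed.
500-globus_gsi_callback_module: Could not verify credential
500-globus_gsi_callback_module: Can't get the local trusted CA certificate: Untrusted self-signed certificate in chain with hash d492aff2
500 End.
EOF
)

# Read globus-url-copy -dbg output on stdin and print the hash of the CA the
# remote end refused to trust on the data channel; print nothing if absent.
guc_untrusted_hash() {
    sed -n 's/.*Untrusted self-signed certificate in chain with hash \([0-9a-f][0-9a-f]*\).*/\1/p' |
        head -n 1
}

# Succeed only for a readable regular file with no group/other permission
# bits (assumption: proxy files should be owner-only, e.g. mode 0600).
cred_ok() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    case $(ls -ld "$1") in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the transfer command with an explicit data-channel credential.
# Args: src_cred dst_cred data_cred src_url dst_url
# In the thread, data_cred was the user proxy, which both servers accept.
guc_dcsc_cmd() {
    for c in "$1" "$2" "$3"; do
        cred_ok "$c" || { echo "bad credential file: $c" >&2; return 1; }
    done
    printf 'globus-url-copy -dbg -vb -src-cred %s -dst-cred %s -data-cred %s %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}
```

Passing a credential file rather than `auto` matches what worked in the thread, where `auto` was rejected by the guc shipped with GT 5.0.4.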