Yeah. Probably best in the gridftp user guide section, maybe here (even though
this is not so "basic"):
http://toolkit.globus.org/toolkit/docs/latest-stable/gridftp/user/#gridftp-user-basic
I'll discuss with Mike to get it added.
On Dec 4, 2013, at 4:50 PM, Ian Foster <[email protected]> wrote:
> Should this be in our FAQ?
>
> On Dec 4, 2013, at 3:53 PM, Stuart Martin <[email protected]> wrote:
>
>> Hi All,
>>
>> This was an off-list thread that may be helpful or informative to others, so
>> I am posting it here.
>>
>> Scott's use case from his original email is:
>> "Specifically, I am trying to transfer from Stampede to Blue Waters, using a
>> community account certificate to authenticate to Stampede and my user cert
>> to Blue Waters."
>>
>> -Stu
>>
>> Begin forwarded message:
>>
>>> From: Scott Callaghan <[email protected]>
>>> Subject: RE: Using different source and destination certs
>>> Date: December 4, 2013 3:19:16 PM CST
>>> To: Michael Link <[email protected]>, Stuart Martin <[email protected]>
>>>
>>> Hi Mike,
>>>
>>> That worked! I used my user cert as -data-cred since both ends can handle
>>> that one. Thanks for your help!
>>>
>>> -Scott
>>> ________________________________________
>>> From: Michael Link <[email protected]>
>>> Sent: Wednesday, December 4, 2013 3:10 PM
>>> To: Scott Callaghan; Stuart Martin
>>> Subject: Re: Using different source and destination certs
>>>
>>> Ah, sorry about that, auto may have been added in 5.0.5 or 5.2.x. You
>>> can use either your src or dst cred for -data-cred as well -- it should
>>> be packaged in a way that both servers can accept it.
>>>
>>> Mike
>>>
>>> On 12/4/2013 2:39 PM, Scott Callaghan wrote:
>>>> Hi Mike,
>>>>
>>>> I tried that, but it seems like -data-cred is expecting a file as an
>>>> argument:
>>>>
>>>> globus-url-copy -data-cred auto -dbg -vb -src-cred /tmp/x509up_u801878
>>>> -dst-cred /tmp/x509up_u33527
>>>> gsiftp://gridftp.stampede.tacc.utexas.edu/home1/00940/tera3d/test.txt
>>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt
>>>> Error loading data channel credential: GSS Major Status: General failure
>>>> globus_gsi_gssapi: Unable to read credential for import: Couldn't open the
>>>> file: auto
>>>>
>>>> I'm running guc version 5.14, as part of GT 5.0.4, in case it's a version
>>>> issue. Thanks for your help with this!
>>>>
>>>> -Scott
>>>> ________________________________________
>>>> From: Michael Link <[email protected]>
>>>> Sent: Wednesday, December 4, 2013 2:21 PM
>>>> To: Scott Callaghan; Stuart Martin
>>>> Subject: Re: Using different source and destination certs
>>>>
>>>> Hi Scott,
>>>>
>>>> I thought using both -src-cred and -dst-cred would automatically use
>>>> DCSC, but you can force it by adding '-data-cred auto'.
>>>>
>>>> Mike
>>>>
>>>> On 12/4/2013 2:10 PM, Scott Callaghan wrote:
>>>>> Hi Stu,
>>>>>
>>>>> I used the command:
>>>>>
>>>>> globus-url-copy -dbg -vb -src-cred /tmp/x509up_u801878 -dst-cred
>>>>> /tmp/x509up_u33527
>>>>> gsiftp://gridftp.stampede.tacc.utexas.edu/home1/00940/tera3d/test.txt
>>>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt
>>>>>
>>>>> /tmp/x509up_u801878 is the community account proxy, /tmp/x509up_u33527 is
>>>>> the scottcal proxy.
>>>>>
>>>>> -Scott
>>>>> ________________________________________
>>>>> From: Stuart Martin <[email protected]>
>>>>> Sent: Wednesday, December 4, 2013 2:05 PM
>>>>> To: Scott Callaghan; Mike Link
>>>>> Cc: Stuart Martin
>>>>> Subject: Re: Using different source and destination certs
>>>>>
>>>>> Hey Scott,
>>>>>
>>>>> You should be able to do this with guc. Can you reply with the specific
>>>>> options you are using on the guc command? Here are the relevant options
>>>>> to use.
>>>>>   -cred <path to credentials or proxy file>
>>>>>   -src-cred | -sc <path to credentials or proxy file>
>>>>>   -dst-cred | -dc <path to credentials or proxy file>
>>>>>       Set the credentials to use for source, destination,
>>>>>       or both ftp connections.
>>>>>   -data-cred <path to credentials or proxy file>
>>>>>       Set the credential to use for data connection. A value of 'auto' will
>>>>>       generate a temporary self-signed credential. This may be used with
>>>>>       any authentication method, but the server must support the DCSC
>>>>>       command.
>>>>>
>>>>> Also, Globus Transfer would do this for you after you activate each
>>>>> endpoint with the credential. So, you could let Globus do the work for
>>>>> you :-)
>>>>>
>>>>> Including Mike for any additional followup.
>>>>>
>>>>> Cheers,
>>>>> Stu
>>>>>
>>>>> On Dec 4, 2013, at 1:18 PM, Scott Callaghan <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Stu,
>>>>>>
>>>>>> Good to see you at SC.
>>>>>>
>>>>>> I tried out using different certificates to authenticate to the source
>>>>>> and destination, using a third-party transfer. It looks like the
>>>>>> authentication goes fine, but then, as I understand it, both hosts also
>>>>>> have to be able to authenticate to the other certificate, and I think
>>>>>> that's where things are failing.
>>>>>>
>>>>>> Specifically, I am trying to transfer from Stampede to Blue Waters,
>>>>>> using a community account certificate to authenticate to Stampede and my
>>>>>> user cert to Blue Waters. It looks like Stampede is able to
>>>>>> authenticate both certificates, but Blue Waters has an issue with the
>>>>>> community account cert. I get the error:
>>>>>>
>>>>>> debug: response from
>>>>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt:
>>>>>> 500-Command failed. : callback failed.
>>>>>> 500-OpenSSL Error: s3_srvr.c:2985: in library: SSL routines, function
>>>>>> SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
>>>>>> 500-globus_gsi_callback_module: Could not verify credential
>>>>>> 500-globus_gsi_callback_module: Can't get the local trusted CA
>>>>>> certificate: Untrusted self-signed certificate in chain with hash
>>>>>> d492aff2
>>>>>> 500 End.
>>>>>>
>>>>>> d492aff2 is the XSEDE MyProxy CA, who issues the community account
>>>>>> certificate.
>>>>>>
>>>>>> From reading through the documentation, it looks like DCSC could help me
>>>>>> resolve this, and both servers support DCSC. However, I'm not sure if
>>>>>> this feature is exposed in globus-url-copy, or how to activate it. I
>>>>>> apologize if you're not the right person to contact. Thanks for your
>>>>>> help!
>>>>>>
>>>>>> -Scott
>>>>>
>>
>
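
The invocation the thread converges on, as an added example that is not part of the original messages or of the Globus Toolkit: a small shell helper that checks each proxy file and prints the globus-url-copy command with separate source, destination and data-channel credentials. The function names, the permission check and the URLs in the usage comment are assumptions of this example; only -src-cred, -dst-cred and -data-cred come from the thread.

```shell
#!/bin/sh
# Added example: assemble a third-party transfer command that authenticates to
# each endpoint with a different proxy and sets the data channel credential
# (DCSC) explicitly. The command is printed, not executed.

# A proxy file holds an unencrypted private key, so accept it only if it is a
# readable regular file with no group/other permission bits set.
check_proxy() {
    [ -f "$1" ] && [ -r "$1" ] || {
        echo "missing or unreadable proxy: $1" >&2
        return 1
    }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "proxy is group/world accessible: $1" >&2
        return 1
    }
}

# build_guc_cmd SRC_CRED DST_CRED DATA_CRED SRC_URL DST_URL
# DATA_CRED is either the literal 'auto' (temporary self-signed credential) or
# a proxy path. The client in the thread (GT 5.0.4) treated 'auto' as a file
# name, so on such clients pass the source or destination proxy path instead.
build_guc_cmd() {
    [ "$#" -eq 5 ] || {
        echo "usage: build_guc_cmd SRC_CRED DST_CRED DATA_CRED SRC_URL DST_URL" >&2
        return 2
    }
    check_proxy "$1" || return 1
    check_proxy "$2" || return 1
    if [ "$3" != "auto" ]; then
        check_proxy "$3" || return 1
    fi
    printf 'globus-url-copy -src-cred %s -dst-cred %s -data-cred %s %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Usage (constructed placeholder paths and hosts):
#   build_guc_cmd /tmp/src_proxy /tmp/dst_proxy /tmp/dst_proxy \
#       gsiftp://source.example.org/path/file gsiftp://dest.example.org/path/file
```

Both servers must support the DCSC command for the data credential to be accepted.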