Ian,

I too am trying to learn the GSI authentication, and started with the 
QuickStart.  I was luckier than you in successfully setting up both a 1st 
machine (myproxy ticket server) and 2nd machine (generic node).   
Unfortunately, I have been balked at setting up a second myproxy ticket server 
(i.e. 3rd machine).

Though not yet fully successful, I found “Installing GT 6.0: Basic Security 
Configuration” 
(http://toolkit.globus.org/toolkit/docs/latest-stable/admin/install/#gtadmin-basic-security) 
useful.

If you have unprivileged accounts on two ticket server nodes (i.e. QuickStart 
1st machine with myproxy, gridftp, and gram) successfully transferring files 
by gsiftp through a firewall, I would like to learn how you accomplished it.

myproxy-logon -b -s cygnus
    Error authenticating: GSS Major Status: Authentication Failed
    GSS Minor Status Error Chain:
    globus_gss_assist: Error during context initialization
    globus_gsi_gssapi: Unable to verify remote side's credentials
    globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
    OpenSSL Error: s3_pkt.c:1259: in library: SSL routines, function 
SSL3_READ_BYTES: tlsv1 alert unknown ca SSL alert number 48

I interpret this as indication that your local box (unidentified) was able to 
receive a handshake reply, with public host key, from Cygnus, but was 
subsequently unable to validate the host key supplied by Cygnus [1]. Alert 48 is 
X509_V_ERR_EXCLUDED_VIOLATION and/or TLS1_AD_UNKNOWN_CA [2]. This SSL 
handshake is, I believe, a prerequisite (GSSAPI) that must be satisfied before 
GSI authentication (myproxy) begins.

As something easy to check, I suggest that you first verify that your 
myproxy-server package successfully linked with openssl-1.0.1e or later.  If 
you installed from rpm repository, you should have been warned if your openssl 
was too old, but I don’t know if the binary tarball or some of the other 
installation methods would give you notice [3].

More likely, I suspect that your local host is missing a certificate authority 
public key or other means to validate Cygnus.  If this is the case, you should 
observe that a user’s first attempt to use ssh at the command line to login to 
Cygnus should fail, or request confirmation of Cygnus’ fingerprint.

To add a certificate authority public key (or self-signed host key), append the 
key to /etc/ssh/ssh_host_rsa_key-cert.pub, or the file named by HostCertificate 
in /etc/ssh/sshd_config. 
See 
https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu 
for details.

Though I know this is not a complete solution, unless someone else provides a 
more complete answer, I hope this is helpful.

[1] Imagine that someone came to your door, you asked to see id, and they 
presented a badge, but a badge from a company you were unfamiliar with.
[2] See /usr/include/openssl/{tls2,x509_vfy}.h in package openssl-devel.
[3] Source tarball compiles and links without error with openssl-1.0.1, but 
globus-gridftp-server apparently dies immediately and without report on first 
communication attempt.

Hopefully helpful,
--
Bob

Dr. Robert Meier
Senior Application Specialist
Fiat Chrysler Automotive
       _______
   _/  I  \____\,
()-------()) ---- ))
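A way to reproduce the trust failure behind alert 48 on a single box and confirm the fix, as an added example that is not from this thread or from the Globus project: it builds a throwaway CA and a host certificate with the openssl CLI, then verifies the host certificate against a trust directory laid out with the <hash>.0 file names that OpenSSL's -CApath and GSI's /etc/grid-security/certificates expect. All paths, names and the test PKI are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces the "unknown ca"
# condition locally: a client rejects a host cert until the issuing CA is
# installed in its trust directory under the subject-hash name <hash>.0.
set -e

# Build a throwaway CA and a host cert signed by it (constructed test PKI).
make_test_pki() {  # $1 = working directory
    mkdir -p "$1/certificates"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=cygnus.example" \
        -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$1/host.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/hostcert.pem" 2>/dev/null
}

# Install a CA cert into a trust directory under its subject hash, the
# <hash>.0 naming used by -CApath and /etc/grid-security/certificates.
install_ca() {  # $1 = CA PEM, $2 = trust directory
    mkdir -p "$2"
    cp "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# Succeed only if the host cert chains to a CA in the trust directory.
# This is the check the client performs during the handshake; failure
# is what produces the "tlsv1 alert unknown ca" (alert 48) in the thread.
verify_host_cert() {  # $1 = host cert PEM, $2 = trust directory
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Stand-alone demonstration: rejected before the CA is installed, accepted after.
WORK=$(mktemp -d)
make_test_pki "$WORK"
if verify_host_cert "$WORK/hostcert.pem" "$WORK/certificates"; then
    echo "unexpected: host cert trusted before CA install"
else
    echo "before: host cert rejected (the unknown-CA condition)"
fi
install_ca "$WORK/ca.pem" "$WORK/certificates"
if verify_host_cert "$WORK/hostcert.pem" "$WORK/certificates"; then
    echo "after: host cert chains to the installed CA"
fi
```

The same -hash value is what `ls /etc/grid-security/certificates` should show for the CA that signed the host certificate of the server you are contacting.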
