[gt-user] regarding proxy certificates
Hi all,

I have reinstalled simpleCA by running the installation script and set up gsi-setup again with a new subject name. I have configured and signed host certs and user certs with the new names. Next I have to configure the proxy cert, but it gives the following errors. Various outputs regarding the certificates are shown below:

(1)

    glo...@simar-laptop:~$ $GLOBUS_LOCATION/bin/grid-proxy-init -verify -debug
    User Cert File: /home/globus/.globus/usercert.pem
    User Key File: /home/globus/.globus/userkey.pem
    Trusted CA Cert Dir: /etc/grid-security/certificates
    Output File: /tmp/x509up_u1001
    Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-simar-laptop/CN=root
    Enter GRID pass phrase for this identity:
    Creating proxy . ... Done
    Error: Couldn't verify the authenticity of the user's credential to generate a proxy from.
    grid_proxy_init.c:971: globus_credential: Error verifying credential: Failed to verify credential
    globus_gsi_callback_module: Could not verify credential
    globus_gsi_callback_module: Can't get the local trusted CA certificate: Cannot find trusted CA certificate with hash b2bc8b3f in /etc/grid-security/certificates

(2)

    glo...@simar-laptop:~$ $GLOBUS_LOCATION/bin/grid-default-ca -list
    The available CA configurations installed on this host are:
    Directory: /etc/grid-security/certificates
    1) 7a13c923 - /O=Grid/OU=GlobusTest/OU=simpleCA-cse.mtech.com/CN=Globus Simple CA
    Directory: /home/globus/globus-4.2.1/share/certificates
    2) b2bc8b3f - /O=Grid/OU=GlobusTest/OU=simpleCA-simar-laptop/CN=Globus Simple CA
    The default CA is: /O=Grid/OU=GlobusTest/OU=simpleCA-cse.mtech.com/CN=Globus Simple CA
    Location: /etc/grid-security/certificates/7a13c923.0

(3)

    glo...@simar-laptop:~$ ls $HOME/.globus -l
    total 16
    drwxr-xr-x 4 globus users 4096 2009-09-13 11:58 persisted
    drwx-- 6 globus globus 4096 2009-09-15 22:17 simpleCA
    -rw-r--r-- 1 globus globus 2641 2009-09-14 22:43 usercert.pem
    -rw--- 1 globus globus 963 2009-09-14 23:07 userkey.pem

What should I do to set my new cert name for the proxy, as it is taking the old one? Please help.

Regards
Simar Virk
Re: [gt-user] regarding proxy certificates
simar gill wrote:
> Hi all,
>
> I have reinstalled simpleCA by running the installation script and set up gsi-setup again with a new subject name. I have configured and signed host certs and user certs with the new names. Next I have to configure the proxy cert, but it gives the following errors. Various outputs regarding the certificates are shown below:
>
> (1)
>
>     glo...@simar-laptop:~$ $GLOBUS_LOCATION/bin/grid-proxy-init -verify -debug
>     User Cert File: /home/globus/.globus/usercert.pem
>     User Key File: /home/globus/.globus/userkey.pem
>     Trusted CA Cert Dir: /etc/grid-security/certificates
>     Output File: /tmp/x509up_u1001
>     Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-simar-laptop/CN=root
>     Enter GRID pass phrase for this identity:
>     Creating proxy . ... Done
>     Error: Couldn't verify the authenticity of the user's credential to generate a proxy from.
>     grid_proxy_init.c:971: globus_credential: Error verifying credential: Failed to verify credential
>     globus_gsi_callback_module: Could not verify credential
>     globus_gsi_callback_module: Can't get the local trusted CA certificate: Cannot find trusted CA certificate with hash b2bc8b3f in /etc/grid-security/certificates
>
> (2)
>
>     glo...@simar-laptop:~$ $GLOBUS_LOCATION/bin/grid-default-ca -list
>     The available CA configurations installed on this host are:
>     Directory: /etc/grid-security/certificates
>     1) 7a13c923 - /O=Grid/OU=GlobusTest/OU=simpleCA-cse.mtech.com/CN=Globus Simple CA
>     Directory: /home/globus/globus-4.2.1/share/certificates
>     2) b2bc8b3f - /O=Grid/OU=GlobusTest/OU=simpleCA-simar-laptop/CN=Globus Simple CA

If you want to change the host name ... you must create new credentials: host, container, users.

If you follow all the steps in the certificate setup ( http://www.globus.org/toolkit/docs/4.2/4.2.1/admin/install/#gtadmin-simpleca ) you should have no problems.

I recommend that you delete or move the other certificates and keys (from /etc/grid-security and $USER_HOME/.globus/) and create new ones. This way you will know at which step you will get the error.

Best Regards
Stefan Mosoi
[gt-user] how to change old certificates to new simple ca for grid-proxy-init
Hi All,

I have installed a new simpleCA and followed all the instructions in the gt4-admin-ca guide. When I go to configure grid-proxy-init, I get the following errors:

    r...@simar-laptop:~# $GLOBUS_LOCATION/bin/grid-default-ca
    The available CA configurations installed on this host are:
    Directory: /etc/grid-security/certificates
    1) 5fc40b1b - /O=Grid/OU=GlobusTest/OU=simpleCA-simar-.com/CN=Simar Simple CA
    The default CA is: /O=Grid/OU=GlobusTest/OU=simpleCA-simar-.com/CN=Simar Simple CA
    Location: /etc/grid-security/certificates/5fc40b1b.0
    Enter the index number of the CA to set as the default [q to quit]:1
    setting the default CA to: /O=Grid/OU=GlobusTest/OU=simpleCA-simar-.com/CN=Simar Simple CA
    linking /etc/grid-security/certificates/grid-security.conf.5fc40b1b to /etc/grid-security/grid-security.conf
    linking /etc/grid-security/certificates/globus-host-ssl.conf.5fc40b1b to /etc/grid-security/globus-host-ssl.conf
    linking /etc/grid-security/certificates/globus-user-ssl.conf.5fc40b1b to /etc/grid-security/globus-user-ssl.conf
    ...done.
    r...@simar-laptop:~# su globus
    glo...@simar-laptop:/home/simar$ cd
    glo...@simar-laptop:~$ export GLOBUS_LOCATION=/home/globus/globus-4.2.1
    glo...@simar-laptop:~$ $GLOBUS_LOCATION/bin/grid-proxy-init -verify
    Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-simar-laptop/CN=root
    Enter GRID pass phrase for this identity:
    Creating proxy . Done
    Error: Couldn't verify the authenticity of the user's credential to generate a proxy from.
    Use -debug for further information.
    glo...@simar-laptop:~$

Please tell me why this is so.

regards
simar virk
[gt-user] Question: File encryption and sharing
Hi Experts,

Just a general question about encryption.

Assuming a CA has issued 2 users (A and B) valid certificates.

Can A encrypt a file and specify that only B can read it? If yes, how could this be done? If no, any alternate way to do this?

Also, what if A encrypts a file and wants a group of users (who have valid certificates from the same CA) to be able to read it?

Thanks a lot!

-Yushu

Yushu Yao | Ph: 1-510-486-4690
Lawrence Berkeley National Lab | Mailstop 50B-6222
1 Cyclotron Road
Berkeley CA 94720-8147 - USA
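The one-recipient and group cases asked about above can both be handled with S/MIME (PKCS#7) enveloping, where the sender needs only the recipients' certificates. The following is an added example, not part of the thread: the function names and file names are hypothetical, and the throwaway self-signed certificates stand in for CA-issued user certificates.

```shell
#!/bin/sh
# Added example, not from the thread. File names and the throwaway self-signed
# certificates are constructed; in the scenario asked about, each *.cert.pem is a
# CA-issued user certificate and each *.key.pem the matching private key.

# encrypt_for IN OUT CERT...: envelope IN so that only holders of the private
# keys for the listed certificates can decrypt it. A random AES-256 key encrypts
# the file once; that key is wrapped separately for every recipient certificate.
encrypt_for() {
    in_file=$1; out_file=$2; shift 2
    openssl smime -encrypt -aes256 -binary -outform DER \
        -in "$in_file" -out "$out_file" "$@"
}

# decrypt_as IN OUT CERT KEY: decrypt as the recipient identified by CERT.
# Fails if CERT is not among the recipients the file was encrypted for.
decrypt_as() {
    openssl smime -decrypt -inform DER -in "$1" -out "$2" -recip "$3" -inkey "$4"
}

# make_identity NAME DIR: constructed stand-in for a CA-issued credential.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/$1.key.pem" -out "$2/$1.cert.pem" 2>/dev/null
}

# demo: A encrypts for the group {B, C}; B and C can read the file, D cannot.
# Prints one word per reader.
demo() {
    d=$(mktemp -d) || return 1
    for who in B C D; do make_identity "$who" "$d" || return 1; done
    printf 'results for B and C only\n' > "$d/plain.txt"
    encrypt_for "$d/plain.txt" "$d/file.p7m" "$d/B.cert.pem" "$d/C.cert.pem" || return 1
    result=""
    for who in B C D; do
        if decrypt_as "$d/file.p7m" "$d/$who.out" "$d/$who.cert.pem" "$d/$who.key.pem" 2>/dev/null \
           && cmp -s "$d/plain.txt" "$d/$who.out"; then
            result="$result $who:ok"
        else
            result="$result $who:denied"
        fi
    done
    rm -rf "$d"
    echo "${result# }"
}

demo
```

The encrypted file can sit in a public location; adding a reader later means re-running encrypt_for with the extended certificate list.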
Re: [gt-user] GramJob Premature End Of File
Hi,

Thank you for the code, I found the problem in my case. It seems that Gram doesn't accept NoAuthorization. It crashed only when I put NoAuthorization, but now works fine. I don't know if it is a bug or a feature :).

Thank you very much for the help, I would have gone mad :).

Best Regards
Stefan Mosoi

> Hm, can you please try the attached (simple) client and tell if it fails for you with the same error message, too? It works for me with GT 4.2.1. Replace HOST and PORT with appropriate values before you compile it.
>
> Build and run (bash):
>
>     source $GLOBUS_LOCATION/etc/globus-devel-env.sh
>     javac GramClient42.java
>     grid-proxy-init
>     java -DGLOBUS_LOCATION=$GLOBUS_LOCATION GramClient42
>
> -Martin
>
> Mosoi Stefan wrote:
>> Hello,
>>
>> I have a problem when trying to launch a gram job in Globus Toolkit 4.2.1 using the code:
>>
>>     JobDescriptionType type = new JobDescriptionType();
>>     type.setExecutable("/bin/echo");
>>     type.setArgument(new String[]{"test"});
>>     type.setDirectory("/tmp");
>>     type.setStdout("/home/stefan/std.out");
>>     type.setStderr("/home/stefan/std.err");
>>     type.setJobType(JobTypeEnumeration.single);
>>     GramJob crtjob=new GramJob(type);
>>     this.crtJob.setCredentials(proxy);
>>     this.crtJob.addListener(this);
>>     this.crtJob.setAuthorization(NoAuthorization.getInstance());
>>     this.crtJob.submit(factoryEPR, false, true, jobID);
>>
>> I get the following errors:
>>
>>     AxisFault
>>      faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
>>      faultSubcode:
>>      faultString: java.io.IOException: java.io.IOException: java.io.IOException: Non nillable element 'consumerReference' is null.
>>      faultActor:
>>      faultNode:
>>      faultDetail:
>>      {http://xml.apache.org/axis/}stackTrace:java.io.IOException: java.io.IOException: java.io.IOException: Non nillable element 'consumerReference' is null.
>>      at org.apache.axis.encoding.ser.BeanSerializer.serialize(BeanSerializer.java:288)
>>      at org.apache.axis.encoding.SerializationContext.serializeActual(SerializationContext.java:1518)
>>      at org.apache.axis.encoding.SerializationContext.serialize(SerializationContext.java:994)
>>      at org.apache.axis.encoding.SerializationContext.serialize(SerializationContext.java:815)
>>      at org.apache.axis.message.RPCParam.serialize(RPCParam.java:208)
>>      at org.apache.axis.message.RPCElement.outputImpl(RPCElement.java:433)
>>      at org.apache.axis.message.MessageElement.output(MessageElement.java:1208)
>>      at org.apache.axis.message.SOAPBody.outputImpl(SOAPBody.java:139)
>>      at org.apache.axis.message.SOAPEnvelope.outputImpl(SOAPEnvelope.java:478)
>>      at org.apache.axis.message.MessageElement.output(MessageElement.java:1208)
>>      at org.apache.axis.SOAPPart.writeTo(SOAPPart.java:314)
>>      at org.apache.axis.SOAPPart.writeTo(SOAPPart.java:268)
>>      at org.apache.axis.Message.writeTo(Message.java:539)
>>      at org.apache.axis.transport.http.CommonsHTTPSender$MessageRequestEntity.writeRequest(CommonsHTTPSender.java:878)
>>      at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:495)
>>      at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
>>      at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
>>      at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
>>      at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
>>      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
>>      at org.apache.axis.transport.http.CommonsHTTPSender.invoke(CommonsHTTPSender.java:224)
>>      at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>      at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>      at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>      at org.apache.axis.client.AxisClient.invokeTransport(AxisClient.java:150)
>>      at org.apache.axis.client.AxisClient.invoke(AxisClient.java:289)
>>      at org.apache.axis.client.Call.invokeEngine(Call.java:2838)
>>      at org.apache.axis.client.Call.invoke(Call.java:2824)
>>      at org.apache.axis.client.Call.invoke(Call.java:2501)
>>      at org.apache.axis.client.Call.invoke(Call.java:2424)
>>      at org.apache.axis.client.Call.invoke(Call.java:1835)
>>      at org.globus.exec.generated.bindings.ManagedJobFactoryPortTypeSOAPBindingStub.createManagedJob(ManagedJobFactoryPortTypeSOAPBindingStub.java:1644)
>>      at org.globus.exec.client.GramJob.createJobEndpoint(GramJob.java:1565)
>>      at org.globus.exec.client.GramJob.submit(GramJob.java:495)
>>      at jobManagement.impl.JobManager.processCrtJob(JobManager.java:161)
>>      at jobManagement.impl.JobManager.run(JobManager.java:103)
>>
>>     AxisFault
>>      faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
>>      faultSubcode:
>>      faultString: org.xml.sax.SAXParseException: Premature end of file.
>>      faultActor:
>>      faultNode:
>>      faultDetail: {http://xml.apache.or
Re: [gt-user] Question: File encryption and sharing
Well, please let me rephrase my question.

I need an access control like AFS, where a user can encrypt a file, put it on a public place (eg, http), and only the users/groups he specifies can decrypt it (without directly sending his public key to the receivers).

I guess some trusted party (Authentication Server) needs to exist in the middle to handle this, and this party holds the identity of all the users (e.g. the CA who gives all the users certificates).

One possible procedure: when B sees a file online, it will ask the Authentication Server for the key to decrypt this file; the Authentication Server will see if A has let B see this file; if yes, send B the key, if no, deny it.

Is there anything similar to this? Or is this idea totally idiotic and this should be handled in some other way?

Thanks a lot!

-Yushu

On Mon, Sep 21, 2009 at 8:03 PM, Yushu Yao wrote:
> Hi Experts,
>
> Just a general question about encryption.
>
> Assuming a CA has issued 2 users (A and B) valid certificates.
>
> Can A encrypt a file and specify that only B can read it? If yes, how
> could this be done? If no, any alternate way to do this?
>
> Also, what if A encrypts a file and wants a group of users (who have valid
> certificates from the same CA) to be able to read it?
>
> Thanks a lot!
>
> -Yushu
Re: [gt-user] Question: File encryption and sharing
Maybe this meets your needs: http://securestorage.sourceforge.net/

Yushu Yao wrote:
> Well, please let me rephrase my question.
>
> I need an access control like AFS, where a user can encrypt a file, put it
> on a public place (eg, http), and only the users/groups he specifies can
> decrypt it (without directly sending his public key to the receivers).
>
> I guess some trusted party (Authentication Server) needs to exist in the
> middle to handle this, and this party holds the identity of all the users
> (e.g. the CA who gives all the users certificates).
>
> One possible procedure: when B sees a file online, it will ask the
> Authentication Server for the key to decrypt this file; the Authentication
> Server will see if A has let B see this file; if yes, send B the key, if
> no, deny it.
>
> Is there anything similar to this? Or is this idea totally idiotic and this
> should be handled in some other way?
>
> Thanks a lot!
>
> -Yushu
>
> On Mon, Sep 21, 2009 at 8:03 PM, Yushu Yao wrote:
>
>> Hi Experts,
>>
>> Just a general question about encryption.
>>
>> Assuming a CA has issued 2 users (A and B) valid certificates.
>>
>> Can A encrypt a file and specify that only B can read it? If yes, how
>> could this be done? If no, any alternate way to do this?
>>
>> Also, what if A encrypts a file and wants a group of users (who have valid
>> certificates from the same CA) to be able to read it?
>>
>> Thanks a lot!
>>
>> -Yushu
Re: [gt-user] how to change old certificates to new simple ca for grid-proxy-init
Well, I guess you are aware how to generate a user certificate. Just generate a new user certificate using the new CA. Your problem ought to disappear.

Regards,
Prashanth Chengi
National PARAM SuperComputing Facility
System Administration and Networking Group
C-DAC Pune

--
I can't understand why you don't get any mail from me. Perhaps it's because I haven't been writing. -Groucho Marx

On Mon, 21 Sep 2009, simar gill wrote:
> Hi All,
>
> I have installed a new simpleCA and followed all the instructions in the gt4-admin-ca guide. When I go to configure grid-proxy-init, I get the following errors:
>
>     r...@simar-laptop:~# $GLOBUS_LOCATION/bin/grid-default-ca
>     The available CA configurations installed on this host are:
>     Directory: /etc/grid-security/certificates
>     1) 5fc40b1b - /O=Grid/OU=GlobusTest/OU=simpleCA-simar-.com/CN=Simar Simple CA
>     The default CA is: /O=Grid/OU=GlobusTest/OU=simpleCA-simar-.com/CN=Simar Simple CA
>     Location: /etc/grid-security/certificates/5fc40b1b.0
>     Enter the index number of the CA to set as the default [q to quit]:1
>     setting the default CA to: /O=Grid/OU=GlobusTest/OU=simpleCA-simar-.com/CN=Simar Simple CA
>     linking /etc/grid-security/certificates/grid-security.conf.5fc40b1b to /etc/grid-security/grid-security.conf
>     linking /etc/grid-security/certificates/globus-host-ssl.conf.5fc40b1b to /etc/grid-security/globus-host-ssl.conf
>     linking /etc/grid-security/certificates/globus-user-ssl.conf.5fc40b1b to /etc/grid-security/globus-user-ssl.conf
>     ...done.
>     r...@simar-laptop:~# su globus
>     glo...@simar-laptop:/home/simar$ cd
>     glo...@simar-laptop:~$ export GLOBUS_LOCATION=/home/globus/globus-4.2.1
>     glo...@simar-laptop:~$ $GLOBUS_LOCATION/bin/grid-proxy-init -verify
>     Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-simar-laptop/CN=root
>     Enter GRID pass phrase for this identity:
>     Creating proxy . Done
>     Error: Couldn't verify the authenticity of the user's credential to generate a proxy from.
>     Use -debug for further information.
>     glo...@simar-laptop:~$
>
> Please tell me why this is so.
>
> regards
> simar virk
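The -debug output in the first grid-proxy-init report names the failing check: no CA certificate with the hash of the user certificate's issuer exists in the trusted certificates directory. The helpers below are an added example, not from the thread or from the Globus Toolkit, and are also the first thing to run for the second report. The function names and the demo tree are constructed, and issuer_hash assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. The directory tree in demo() is constructed.

# missing_ca_hash: read grid-proxy-init -debug output on stdin and print the CA
# hash from its "Cannot find trusted CA certificate with hash ..." line.
missing_ca_hash() {
    sed -n 's/.*Cannot find trusted CA certificate with hash \([0-9a-f]\{8\}\) in .*/\1/p' |
        head -n 1
}

# ca_status HASH DIR: GSI looks in DIR for HASH.0 (the CA certificate) and
# HASH.signing_policy; report which of them are present.
ca_status() {
    if [ ! -f "$2/$1.0" ]; then echo missing
    elif [ ! -f "$2/$1.signing_policy" ]; then echo no-signing-policy
    else echo installed
    fi
}

# locate_ca HASH DIR...: print each DIR that holds HASH.0.
locate_ca() {
    ca_hash=$1; shift
    for ca_dir in "$@"; do
        if [ -f "$ca_dir/$ca_hash.0" ]; then echo "$ca_dir"; fi
    done
}

# issuer_hash CERT: hash of the name of the CA that signed CERT (e.g. usercert.pem).
# OpenSSL 1.0.0 changed the hash algorithm; which value GSI expects depends on the
# OpenSSL it was built against, so the pre-1.0 form is tried first (assumption).
issuer_hash() {
    openssl x509 -noout -issuer_hash_old -in "$1" 2>/dev/null ||
        openssl x509 -noout -issuer_hash -in "$1"
}

# demo: constructed layout matching the first report in the thread.
demo() {
    root=$(mktemp -d) || return 1
    trusted=$root/etc/grid-security/certificates
    share=$root/globus-4.2.1/share/certificates
    mkdir -p "$trusted" "$share"
    touch "$trusted/7a13c923.0" "$trusted/7a13c923.signing_policy" \
          "$share/b2bc8b3f.0" "$share/b2bc8b3f.signing_policy"
    h=$(echo "Cannot find trusted CA certificate with hash b2bc8b3f in /etc/grid-security/certificates" | missing_ca_hash)
    echo "$h in trusted dir: $(ca_status "$h" "$trusted")"
    echo "$h present in: $(locate_ca "$h" "$trusted" "$share")"
    rm -rf "$root"
}

demo
```

On a real host, compare `issuer_hash $HOME/.globus/usercert.pem` with the hash that grid-default-ca reports as the default CA; if they differ, the user certificate was signed by a CA the host does not trust.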