Yeah. Probably best in the gridftp user guide section, maybe here (even though this is not so "basic"): http://toolkit.globus.org/toolkit/docs/latest-stable/gridftp/user/#gridftp-user-basic
I'll discuss with Mike to get it added. On Dec 4, 2013, at Dec 4, 4:50 PM, Ian Foster <fos...@anl.gov> wrote: > Should this be in our FAQ? > > On Dec 4, 2013, at 3:53 PM, Stuart Martin <smar...@mcs.anl.gov> wrote: > >> Hi All, >> >> This was an off-list thread that may be helpful or informative to others, so >> I am posting it here. >> >> Scott's use case from his original email is: >> "Specifically, I am trying to transfer from Stampede to Blue Waters, using a >> community account certificate to authenticate to Stampede and my user cert >> to Blue Waters." >> >> -Stu >> >> Begin forwarded message: >> >>> From: Scott Callaghan <scott...@usc.edu> >>> Subject: RE: Using different source and destination certs >>> Date: December 4, 2013 3:19:16 PM CST >>> To: Michael Link <ml...@mcs.anl.gov>, Stuart Martin <smar...@mcs.anl.gov> >>> >>> Hi Mike, >>> >>> That worked! I used my user cert as -data-cred since both ends can handle >>> that one. Thanks for your help! >>> >>> -Scott >>> ________________________________________ >>> From: Michael Link <ml...@mcs.anl.gov> >>> Sent: Wednesday, December 4, 2013 3:10 PM >>> To: Scott Callaghan; Stuart Martin >>> Subject: Re: Using different source and destination certs >>> >>> Ah, sorry about that, auto may have been added in 5.0.5 or 5.2.x. You >>> can use either your src or dst cred for -data-cred as well -- it should >>> be packaged in a way that both servers can accept it. >>> >>> Mike >>> >>> On 12/4/2013 2:39 PM, Scott Callaghan wrote: >>>> Hi Mike, >>>> >>>> I tried that, but it seems like -data-cred is expecting a file as an >>>> argument: >>>> >>>> globus-url-copy -data-cred auto -dbg -vb -src-cred /tmp/x509up_u801878 >>>> -dst-cred /tmp/x509up_u33527 >>>> gsiftp://gridftp.stampede.tacc.utexas.edu/home1/00940/tera3d/test.txt >>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt >>>> Error loading data channel credential: GSS Major Status: General failure >>>> globus_gsi_gssapi: Unable to read credential for import: Couldn't open the >>>> file: auto >>>> >>>> I'm running guc version 5.14, as part of GT 5.0.4, in case it's a version >>>> issue. Thanks for your help with this! >>>> >>>> -Scott >>>> ________________________________________ >>>> From: Michael Link <ml...@mcs.anl.gov> >>>> Sent: Wednesday, December 4, 2013 2:21 PM >>>> To: Scott Callaghan; Stuart Martin >>>> Subject: Re: Using different source and destination certs >>>> >>>> Hi Scott, >>>> >>>> I thought using both -src-cred and -dst-cred would automatically use >>>> DCSC, but you can force by adding '-data-cred auto' >>>> >>>> Mike >>>> >>>> On 12/4/2013 2:10 PM, Scott Callaghan wrote: >>>>> Hi Stu, >>>>> >>>>> I used the command: >>>>> >>>>> globus-url-copy -dbg -vb -src-cred /tmp/x509up_u801878 -dst-cred >>>>> /tmp/x509up_u33527 >>>>> gsiftp://gridftp.stampede.tacc.utexas.edu/home1/00940/tera3d/test.txt >>>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt >>>>> >>>>> /tmp/x509up_u801878 is the community account proxy, /tmp/x509up_u33527 is >>>>> the scottcal proxy. >>>>> >>>>> -Scott >>>>> ________________________________________ >>>>> From: Stuart Martin <smar...@mcs.anl.gov> >>>>> Sent: Wednesday, December 4, 2013 2:05 PM >>>>> To: Scott Callaghan; Mike Link >>>>> Cc: Stuart Martin >>>>> Subject: Re: Using different source and destination certs >>>>> >>>>> Hey Scott, >>>>> >>>>> You should be able to do this with guc. Can you reply with the specific >>>>> options you are using on the guc command? Here are the relevant options >>>>> to use. >>>>> -cred <path to credentials or proxy file> >>>>> -src-cred | -sc <path to credentials or proxy file> >>>>> -dst-cred | -dc <path to credentials or proxy file> >>>>> Set the credentials to use for source, destination, >>>>> or both ftp connections. >>>>> -data-cred <path to credentials or proxy file> >>>>> Set the credential to use for data connection. A value of 'auto' will >>>>> generate a temporary self-signed credential. This may be used with >>>>> any authentication method, but the server must support the DCSC >>>>> command. >>>>> >>>>> Also, Globus Transfer would do this for you after you activate each >>>>> endpoint with the credential. So, you could let Globus do the work for >>>>> you :-) >>>>> >>>>> including Mike for any additional followup. >>>>> >>>>> Cheers, >>>>> Stu >>>>> >>>>> On Dec 4, 2013, at Dec 4, 1:18 PM, Scott Callaghan <scott...@usc.edu> >>>>> wrote: >>>>> >>>>>> Hi Stu, >>>>>> >>>>>> Good to see you at SC. >>>>>> >>>>>> I tried out using different certificates to authenticate to the source >>>>>> and destination, using a third-party transfer. It looks like the >>>>>> authentication goes fine, but then, as I understand it, both hosts also >>>>>> have to be able to authenticate to the other certificate, and I think >>>>>> that's where things are failing. >>>>>> >>>>>> Specifically, I am trying to transfer from Stampede to Blue Waters, >>>>>> using a community account certificate to authenticate to Stampede and my >>>>>> user cert to Blue Waters. It looks like Stampede is able to >>>>>> authenticate both certificates, but Blue Waters has an issue with the >>>>>> community account cert. I get the error: >>>>>> >>>>>> debug: response from >>>>>> gsiftp://bw-gridftp.ncsa.illinois.edu/u/sciteam/scottcal/test.txt: >>>>>> 500-Command failed. : callback failed. >>>>>> 500-OpenSSL Error: s3_srvr.c:2985: in library: SSL routines, function >>>>>> SSL3_GET_CLIENT_CERTIFICATE: no certificate returned >>>>>> 500-globus_gsi_callback_module: Could not verify credential >>>>>> 500-globus_gsi_callback_module: Can't get the local trusted CA >>>>>> certificate: Untrusted self-signed certificate in chain with hash >>>>>> d492aff2 >>>>>> 500 End. >>>>>> >>>>>> d492aff2 is the XSEDE MyProxy CA, who issues the community account >>>>>> certificate. >>>>>> >>>>>> From reading through the documentation, it looks like DCSC could help me >>>>>> resolve this, and both servers support DCSC. However, I'm not sure if >>>>>> this feature is exposed in globus-url-copy, or how to activate it. I >>>>>> apologize if you're not the right person to contact. Thanks for your >>>>>> help! >>>>>> >>>>>> -Scott >>>>> >> >