Hi Dina,

The issue is fixed in the 2.1.1 patch - see http://www.mygrid.org.uk/dev/issues/browse/T2-1094. It also checks for the empty string "" and the system property javax.net.ssl.trustStorePassword.

Hope everything will work now.

Cheers,
Alex

Dinanath Sulakhe wrote:
> Hi Alex,
>
> It looks like the recent Mac updates on Leopard (10.5) may have changed the default Java truststore password also from changeit to changeme. So it is not just Snow Leopard I think. Look at this: http://mattfleming.com/node/310
>
> I verified in the debug mode that if I enter a changeme, the loadedJavaTruststore is set to true. Looks like Apple changed the default password in the recent updates. That explains why I didn't have this problem before when I was testing CM masterpassword.
>
> Resetting the truststore password to changeit solved the problem for now, but I am not sure what is the best approach for the workflow service. Do you think changing the CM code to check the OS and use the password accordingly makes sense? I am assuming that all Mac OS X are going to use "changeme" as the default password going forward. Maybe you should update the Jira issue to take care of OS X 10.5 as well (not just 10.6). It looks like
>
> Thanks Alex, for pointing this out.
>
> Regards,
> -Dina
>
>
> On Feb 7, 2010, at 5:05 PM, Alexandra Nenadic wrote:
>
>> Hi Dina,
>>
>> The first time Taverna is started, Credential Manager tries to copy all certificates from Java's truststore into Cred. Manager's truststore and it tries the standard Java truststore's password "changeit". If it does not work then it means that the user has changed their Java truststore's password and it pops up a dialog asking for it so it can perform the copying. Note there is an issue with Java 1.6 on Mac Snow Leopard in that Apple changed the standard Java truststore's password from "changeit" to "changeme". But I do not think you are using Snow Leopard, so you should not be affected, right? This is already raised in Jira (see http://www.mygrid.org.uk/dev/issues/browse/T2-1094) and should be fixed soon.
>>
>> Anyway, I wonder why it just does not silently work on your system without popping up the dialog - you are using "standard" Java settings on the Taverna Workflow Service server?
>>
>> There is no SPI for providing the password for the user's Java truststore. I suppose one way of going about it is to make sure you have the Java truststore in place in <JAVA_HOME>/lib/security/cacerts/ directory protected by the "standard" password "changeit" as Taverna should not pop up anything in that case. Alternative is always to make a branch of the credential manager module and change/comment out that bit of code. I'll raise an issue in Jira to make sure we do not pop up any dialogs there if Taverna is running headlessly.
>>
>> Let me know how you get on. I am really curious as to why you get that pop up dialog in the first place. It took us some time to discover the issue on Snow Leopard.
>>
>> Regards,
>> Alex
>>
>>
>> Dinanath Sulakhe wrote:
>>> Hi Alex,
>>>
>>> As you know we have been working on supporting secure workflows in the Taverna Workflow Service, I have a question regarding "Loading the Truststore" in credential manager. Currently, it pops up a Dialog asking for MasterPassword (Line 467 in CredentialManager.java in version 1.0) when it is executed for the first time. Is it possible to provide the Master password programmatically instead of popping-up a UI. Something similar to how we provided a masterpassword to the CM using SPI?
>>> Currently this is the only GUI dialog prompt that is left to be overridden in order to run it in a headless mode. Any suggestions please?
>>>
>>> I am using 1.0 version of the CM.
>>>
>>> Thanks,
>>> -Dina
>>>
>>>
>>> On Nov 24, 2009, at 3:27 AM, Alexandra Nenadic wrote:
>>>
>>>> Dinanath Sulakhe wrote:
>>>>> Hi Alex,
>>>>>
>>>>> Can I implement the MasterPasswordProviderSPI interface within my own package, or say in cagrid-activity plugin (net.sf.taverna.cagrid.activity.MyPasswordProvider) or does it have to be inside Credential-Manager package (net.sf.taverna.t2.security.credentialmanager.MyPasswordProvider)?
>>>>
>>>> Yes - you can put it anywhere as it is an SPI (you also need to put a file named net.sf.taverna.t2.security.credentialmanager.MasterPasswordProviderSPI that contains the full class name of your implementation in the /resources/META-INF/services of your package).
>>>>>
>>>>> public class MyPasswordProvider implements MasterPasswordProviderSPI {
>>>>>     // Priority hint for the SPI lookup: higher values are consulted first.
>>>>>     public int canProvidePassword() {
>>>>>         return 1;
>>>>>     }
>>>>>
>>>>>     // The master password handed to Credential Manager instead of a dialog.
>>>>>     public String getPassword() {
>>>>>         return "somePassword";
>>>>>     }
>>>>> }
>>>>>
>>>>> Also, how can I set a higher priority on my implementation? Can you send me some pointer on how to do that?
>>>>
>>>> Method canProvidePassword() provides a hint - the higher number you provide the sooner it would be checked if it can provide a password.
>>>>
>>>> Alex
>>>>>
>>>>> Thanks,
>>>>> -Dina
>>>>>
>>>>>
>>>>> On Nov 23, 2009, at 4:09 AM, Alexandra Nenadic wrote:
>>>>>
>>>>>> Hi Dina,
>>>>>>
>>>>>> The master provider SPI is in net.sf.taverna.t2.security.credentialmanager.MasterPasswordProviderSPI.
>>>>>>
>>>>>> Alex
>>>>>>
>>>>>>
>>>>>> Dinanath Sulakhe wrote:
>>>>>>> Hi Alex,
>>>>>>>
>>>>>>> I just noticed that in the CredentialManager class CredentialManager.getInstance("password") can only be used from the UI (the comment on top of the method says that). Is it possible to use it programmatically, for example from the CaGridActivity class (in order to skip UI prompts for master password when used in the workflow service).
>>>>>>>
>>>>>>> -Dina
>>>>>>>
>>>>>>> PS: forgot to CC Stian in my previous mail below :) Copying him now.
>>>>>>>
>>>>>>>
>>>>>>> On Nov 20, 2009, at 6:50 AM, Dinanath Sulakhe wrote:
>>>>>>>
>>>>>>>> Hi Alex,
>>>>>>>> Thanks for the info. I realized it after a little more of debugging. Initially we thought we could completely skip the CM parts, but I think we can't (rather shouldn't), unless we want to write a new one (which we don't).
>>>>>>>> - Can we somehow override the GUI prompts asking for (1) Master password for CA (2) asking for User's username/password for Dorian. Looking at the code, I think (2) could be done easily, but I am not sure about (1)
>>>>>>>>
>>>>>>>> Do you think the following logic would work:
>>>>>>>>
>>>>>>>> - I can check if Taverna is executing within Service or workbench by setting some Env. variable.
>>>>>>>> - When running within Workflow Service, we want to avoid GUI Prompts.
>>>>>>>> - Get/initialize CM instance without a UI prompt.
>>>>>>>> - I thought I can, but CredentialManager.getInstance("password") isn't working in CaGridActivity.java. I can see that there is a getInstance method that takes master password as argument, but when I add it, I get an error saying the method doesn't take string argument !!
>>>>>>>> - when it comes to getting the user's proxy from the CM or by prompting username/password (within getGSSCredential() on CaGridWSDLSOAPInvoker), I can get it from CDS or from a custom location on the filesystem.
>>>>>>>>
>>>>>>>> Do you see any problems in this approach?
>>>>>>>>
>>>>>>>> Thanks for your help Alex,
>>>>>>>> Cheers,
>>>>>>>> -Dina
>>>>>>>>
>>>>>>>>
>>>>>>>> On Nov 20, 2009, at 5:00 AM, Alexandra Nenadic wrote:
>>>>>>>>
>>>>>>>>> Hi Dina,
>>>>>>>>>
>>>>>>>>> The error that you get is probably because you are trying to access a caGrid service that is behind HTTPS and Taverna cannot establish a connection to it as the service 'is not trusted' in the sense that the certificate of the service cannot be verified. That's what the loadCaGridCAsCertificates() method is for - it will load all caGrid CA's certificates (6 or 7 of them) into Cred. Manager's truststore and then will set this truststore to be used by Java to verify if a service is trusted when establishing HTTPS connections. There is a trusted-certificate folder under resources in cagrid-activity module where these certs are read from and loaded into Cred. Manager's truststore. The bad thing is that we do not update these certificates nor check for their expiration or revocation. By setting them - all caGrid services should be 'trusted' as their certificates will be signed by one of the CAs whose certs we have loaded into the truststore. We also had to do some tweaks with certificate's hostname verification as some caGrid services had their common name as "HOST/bla.bla.com" instead of "bla.bla.com" but you should not have any problems as long as common name of your service matches the server's name.
>>>>>>>>>
>>>>>>>>> Hope this helps.
>>>>>>>>> Alex
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Dinanath Sulakhe wrote:
>>>>>>>>>>
>>>>>>>>>> On Nov 19, 2009, at 4:43 AM, Dinanath Sulakhe wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Alex,
>>>>>>>>>>>
>>>>>>>>>>> Thanks for the details you sent earlier. Now that I am debugging them, it makes sense to me. I kind of understand it but I still have a few questions:
>>>>>>>>>>> On Oct 30, 2009, at 1:18 PM, Alexandra Nenadic wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Dina,
>>>>>>>>>>>>
>>>>>>>>>>>> Here are some details on how we implemented security in cagrid plugin. You can download the source code from:
>>>>>>>>>>>>
>>>>>>>>>>>> https://gforge.nci.nih.gov/svnroot/taverna-cagrid/trunk/
>>>>>>>>>>>>
>>>>>>>>>>>> You'd need cagrid-activity, cagrid-activity-ui and cagrid-wsdl-generic modules.
>>>>>>>>>>>>
>>>>>>>>>>>> CaGridActivity.executeAsynch() method is where the execution of the client that tries to connect to the service takes place. The first thing this method will do is try to configure security by invoking the configureSecurity() method on the activity. This method will check if security settings have already been obtained for this endpoint, otherwise will invoke the getServiceSecurityMetadata() method to fetch security properties. At this point, we have obtained enough information to know what kind of security the service expects but we have not actually fetched the user's proxy.
>>>>>>>>>>>
>>>>>>>>>>> The above part makes sense to me. We don't need to make any changes here I guess. But before reaching the executeAsynch() method, initializeSecurity() method is invoked. One of the methods in there is loadCaGridCAsCertificates() that involves initializing the CredentialManager (CM) with GUI (asking CM Master password). We somehow need to skip this part as we don't want to use CM when inside Workflow Service (right?). We will be storing user's credential in some custom path and the Workflow Service can later override the CaGridWSDLSOAPInvoker.getGSSCredential() method and get the credentials on its own (and not from CM).
>>>>>>>>>>>
>>>>>>>>>>> Does this make sense? Basically, I want to put a flag such that if it is inside workflow service, I want to completely avoid CM. I can probably do it easily in the CaGridWSDLSOAPInvoker.getGSSCredential() while fetching the credential, but I need to skip the CM initialization process also so as to skip the GUI asking for master password.
>>>>>>>>>>> If I comment the loadCaGridCAsCertificates() method completely or if I just comment the CM parts in that method, I get the following error:
>>>>>>>>>>
>>>>>>>>>> After debugging a little more, the error is coming from the configure() method in the CaGridActivity.java, specifically it fails in the parseWSDL() method. It happens when I take out the CM parts from the loadCaGridCAsCertificates() method.
>>>>>>>>>>
>>>>>>>>>> -Dina
>>>>>>>>>>
>>>>>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
>>>>>>>>>>>
>>>>>>>>>>> ** This error pops up in GUI (Something like JOptionPane.showMessageDialog(...))
>>>>>>>>>>>
>>>>>>>>>>> I am running this from eclipse and I have attached the cagrid-activity source code to the debugger. I will continue to debug this..
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> -Dina
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> This happens in the invoke() method on the CaGridWSDLSOAPInvoker, where we fill the Axis call with the security settings and fetch the user's proxy either from Credential Manager (if it has it) or from Dorian (by asking user to provide username and password). Fetching of the credential happens in the method called getGSSCredential() on the CaGridWSDLSOAPInvoker, and I suppose you can override this method to get user's proxy in some other way. There was a reason why we separated fetching the security properties and the proxy itself, but I won't bother you with the details :-).
>>>>>>>>>>>>
>>>>>>>>>>>> Hope it makes sense (or it will when you have a look at the source code).
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Alex
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>
>>>>
>>>
>>> --------------------------
>>> Dinanath Sulakhe
>>> The Globus Alliance
>>> Computation Institute, University of Chicago &
>>> Math and Computer Science Division, Argonne National Laboratory.
>>> Ph: (630) 252-7856
>>>
>
> --------------------------
> Dinanath Sulakhe
> The Globus Alliance
> Computation Institute, University of Chicago &
> Math and Computer Science Division, Argonne National Laboratory.
> Ph: (630) 252-7856
>
_______________________________________________
taverna-hackers mailing list
[email protected]
Web site: http://www.taverna.org.uk
Mailing lists: http://www.taverna.org.uk/taverna-mailing-lists/
Developers Guide: http://www.mygrid.org.uk/tools/developer-information
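The thread above describes two things a headless Workflow Service needs from Credential Manager: copying the JRE's own truststore (which is where the "changeit" / "changeme" / javax.net.ssl.trustStorePassword password guessing comes in) and adding the caGrid CA certificates from a resources folder so HTTPS services validate. The following is an added example written for this page, not Taverna's or the cagrid-activity plugin's code. It tries the password candidates in the order the 2.1.1 fix is described as using (system property first, then "changeit", "changeme" and the empty string), fails loudly instead of prompting when none works, skips CA certificates that are outside their validity period (the check Alex notes the plugin does not do), and exposes the merged truststore as an SSLContext rather than mutating the global javax.net.ssl.* properties. The directory name "trusted-certificates" and the decision to fail rather than prompt are assumptions of this example, not taken from the thread. Revocation checking is still not addressed here.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Taverna code): build a truststore for a headless service
 * without any dialog, mirroring what the thread says Credential Manager does.
 */
public class HeadlessTruststore {

    /** Password candidates in the order to try them: explicit property, Sun default, Apple default, empty. */
    static List<String> candidatePasswords() {
        List<String> out = new ArrayList<>();
        String fromProp = System.getProperty("javax.net.ssl.trustStorePassword");
        if (fromProp != null) out.add(fromProp);
        Collections.addAll(out, "changeit", "changeme", "");
        return out;
    }

    /** Opens a keystore file with the first candidate that works; returns null if none does. */
    static KeyStore openWithKnownPassword(Path file, List<String> candidates)
            throws IOException, GeneralSecurityException {
        for (String pw : candidates) {
            try (InputStream in = Files.newInputStream(file)) {
                KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
                ks.load(in, pw.toCharArray());
                return ks;
            } catch (IOException e) {
                // A wrong password surfaces as an IOException caused by UnrecoverableKeyException;
                // anything else (missing or unreadable file) is a real failure and must propagate.
                if (!(e.getCause() instanceof UnrecoverableKeyException)) throw e;
            }
        }
        return null;
    }

    /** Copies every trusted-certificate entry of src into dst under the same alias. */
    static int copyTrustedCerts(KeyStore src, KeyStore dst) throws GeneralSecurityException {
        int n = 0;
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
                n++;
            }
        }
        return n;
    }

    /** Loads PEM or DER CA certificates from dir into dst, skipping any outside its validity period. */
    static int addCaCertsFromDir(Path dir, KeyStore dst) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir)) {
            for (Path f : files) {
                if (!Files.isRegularFile(f)) continue;
                try (InputStream in = Files.newInputStream(f)) {
                    for (Certificate c : cf.generateCertificates(in)) {
                        X509Certificate x = (X509Certificate) c;
                        try {
                            x.checkValidity(); // expiry / not-yet-valid check the thread says is missing
                        } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
                            System.err.println("skipping " + f + ": " + ex.getMessage());
                            continue;
                        }
                        // Alias on file name plus a counter so several certs in one file do not collide.
                        dst.setCertificateEntry(f.getFileName() + "#" + n, x);
                        n++;
                    }
                }
            }
        }
        return n;
    }

    /** An SSLContext that trusts exactly the contents of ks, for use by the HTTPS client. */
    static SSLContext contextFor(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        Path caDir = Paths.get(args.length > 0 ? args[0] : "trusted-certificates"); // assumed location

        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // fresh, empty, in-memory truststore

        KeyStore jre = openWithKnownPassword(cacerts, candidatePasswords());
        if (jre == null) {
            // Headless: fail loudly rather than block on a dialog nobody will answer.
            throw new IllegalStateException("cannot open " + cacerts
                    + " with any known password; set -Djavax.net.ssl.trustStorePassword");
        }
        System.out.println("copied " + copyTrustedCerts(jre, merged) + " entries from " + cacerts);
        System.out.println("added " + addCaCertsFromDir(caDir, merged) + " CA certs from " + caDir);
        SSLContext ctx = contextFor(merged);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Run it as `java HeadlessTruststore /path/to/trusted-certificates`; if your JRE's cacerts uses a non-default password, pass `-Djavax.net.ssl.trustStorePassword=...` and it is tried first. Returning an SSLContext keeps the trust decision local to the service's own connections, which matters when the same JVM also talks to services whose trust anchors should not include the caGrid CAs.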
