[gin-auth] Heads-up for RFC proxies and VOMS ACs

vincenzo.ciaschini at cnaf.infn.it
Thu Jun 8 12:45:06 CDT 2006


Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:

>
> Hi Vincenzo,
Hi Mike,

>
> The gin.ggf.org VOMS daemon is currently using the default old style 
> voms server running configuration.  If GIN is enforcing the use of 
> RFC proxies the daemon needs to be run in the newer mode and we have 
> to hope that sites supporting VOMS understand the right format (i.e. 
> if they are gLite based then gLite version >= 1.5).
If they have version 1.6.7 of the API or later (that is, gLite 1.5 or later),
they are already fully capable of understanding this new format.  In fact, it
is in the plans to eventually make the option a no-op and only issue ACs in
this format.


>
> Also it seems that the current GIN VO Server doesn't like the new 
> style proxies for authentication anyhow (is this just due to the 
> version of the underlying globus libraries):
>
>   voms-proxy-init -voms gin -proxyver 3
>
>   Your identity: /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
>   Enter GRID pass phrase:
>   Your proxy is valid until Fri Jun  9 04:15:05 2006
>
>   Creating temporary proxy
>   ...................................................... Done
>   Contacting  kuiken.nikhef.nl:15050
>   [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
>   Error: Could not establish authenticated connection with the server.
>   GSS Major Status: Authentication Failed
>   GSS Minor Status Error Chain:
>   globus_gss_assist: Error during context initialization
>   globus_gsi_gssapi: Unable to verify remote side's credentials
>   globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't
>   verify the remote certificate
>   OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
>   SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
>
Can you show me your vomses file with the entry for the gin VO? Also, which
version of globus is run on the server?  If, as I suspect, it is version 2.4.x,
then a final "24" should be appended to the entry.  If it is not there, add it
and retry creating a proxy.
>
> Thanks,
> Mike

Feel free to ask about any further problems you may have.

Bye,
   Vincenzo

