[gin-auth] Heads-up for RFC proxies and VOMS ACs
Mike 'Mike' Jones
mike.jones at manchester.ac.uk
Thu Jun 8 13:18:03 CDT 2006
Hi Vincenzo,
Yep, the "24" at least allows me to communicate with the server but the
proxy returned is bad (the AC is unverifiable and still seems to belong to
my proxy cert). I guess I should expect this. The server is still
giving me old style VOMS ACs, but I didn't expect an ASN1 decoding
failure:
-------
$ voms-proxy-info -all
WARNING: Unable to verify signature!
Error: Cannot find certificate of AC issuer for vo gin.ggf.org
subject : /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones/CN=82689651
issuer : /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
identity : /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
type : unknown
strength : 512 bits
path : /tmp/x509up_u6360
timeleft : 11:56:09
=== VO gin.ggf.org extension information ===
VO : gin.ggf.org
subject : /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones/CN=82689651
issuer : /O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl
attribute : /gin.ggf.org/Role=NULL/Capability=NULL
timeleft : 11:56:08
-------
$ voms-proxy-info -version
voms-proxy-info
Version: 1.6.10
Compiled: Apr 27 2006 18:04:07
-------
$ grid-proxy-info -debug
ERROR: Couldn't get the proxy type from the proxy credential
grid_proxy_info.c:467:globus_credential: Error with credential's
certificate
globus_cert_utils: Proxy does not comply with proxy certificate standard
Error determining certificate type: Can't convert DER encoded
PROXYCERTINFO extension to internal form
OpenSSL Error: proxycertinfo.c:464: in library: asn1 encoding routines,
function (null): asn1 length mismatch address=136219056 offset=2
-------
And there's more:
If I manufacture either version of the VOMS credential myself and stick it
inside a Legacy proxy it works (as you suggested earlier) but as soon as I
do this with an RFC or a pre-RFC proxy I get the same general error:
$ voms-proxy-info -all
WARNING: Unable to verify signature!
Error: Cannot find certificate of AC issuer for vo gin.ggf.org
...
Something is still odd! Tomorrow I can send you a copy of each of my
proxy certificates (minus the key!) that I've been generating with a
homemade Perl version of VOMS and grid-proxy-init. And perhaps we should
continue this off the list. I think I've dragged this beyond the realm of
a "Heads-up".
Thanks,
Mike
On Thu, 8 Jun 2006, vincenzo.ciaschini at cnaf.infn.it wrote:
> Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:
>
>>
>> Hi Vincenzo,
> Hi Mike,
>
>>
>> The gin.ggf.org VOMS daemon is currently using the default old style voms
>> server running configuration. If GIN is enforcing the use of RFC proxies
>> the daemon needs to be run in the newer mode and we have to hope that sites
>> supporting VOMS understand the right format (i.e. if they are gLite based
>> then gLite version >= 1.5).
> If they use version 1.6.7 of the API or later (that is, gLite 1.5 or later)
> they are already fully capable of understanding this new format. In fact,
> it is in the plans to eventually make the option a no-op and only issue ACs
> in this format.
>
>
>>
>> Also it seems that the current GIN VO Server doesn't like the new style
>> proxies for authentication anyhow (is this just due to the version of the
>> underlying globus libraries):
>>
>> voms-proxy-init -voms gin -proxyver 3
>>
>> Your identity: /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
>> Enter GRID pass phrase:
>> Your proxy is valid until Fri Jun 9 04:15:05 2006
>>
>> Creating temporary proxy
>> ...................................................... Done
>> Contacting kuiken.nikhef.nl:15050
>> [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
>> Error: Could not establish authenticated connection with the server.
>> GSS Major Status: Authentication Failed
>> GSS Minor Status Error Chain:
>> globus_gss_assist: Error during context initialization
>> globus_gsi_gssapi: Unable to verify remote side's credentials
>> globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't
>> verify the remote certificate
>> OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
>> SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
>>
> Can you show me your vomses file with the entry for the gin VO? Also, which
> version of globus is run on the server? If, as I suspect, it is version
> 2.4.x, then a final "24" should be appended to the entry. If it is not
> there, add it and retry creating a proxy.
>>
>> Thanks,
>> Mike
>
> Feel free to ask for any further problem you may have.
>
> Bye,
> Vincenzo
--
http://www.sve.man.ac.uk/General/Staff/jonesM/
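The "asn1 length mismatch" that grid-proxy-info reports above is OpenSSL's DER decoder rejecting the PROXYCERTINFO extension value before the proxy type can even be determined. The following is an added example, not code from this thread or from the VOMS or Globus projects: a stand-alone Python decoder for that extension's DER (the RFC 3820 ProxyCertInfo structure) that applies the same length checks, so a hand-built proxy's extension can be inspected offline before the Globus tools see it; the sample byte strings are constructed.

```python
# Minimal DER walker for the ProxyCertInfo extension value (RFC 3820 section 3.8):
#   ProxyCertInfo ::= SEQUENCE { pathLenConstraint INTEGER OPTIONAL, proxyPolicy ProxyPolicy }
#   ProxyPolicy   ::= SEQUENCE { policyLanguage OBJECT IDENTIFIER, policy OCTET STRING OPTIONAL }
def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; raise if any length overruns the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("asn1 length mismatch: truncated header at offset %d" % pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("asn1 length mismatch: bad long-form length at offset %d" % pos)
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("asn1 length mismatch: offset %d claims %d bytes, %d left" % (pos, ln, len(buf) - pos))
    return tag, buf[pos:pos + ln], pos + ln

def _oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_proxy_cert_info(der):
    """Decode a ProxyCertInfo value into a dict, or raise ValueError as OpenSSL's d2i would."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ProxyCertInfo must be exactly one SEQUENCE")
    info = {"pathLenConstraint": None, "policyLanguage": None, "policy": None}
    tag, val, pos = _tlv(body, 0)
    if tag == 0x02:                                # optional pathLenConstraint
        info["pathLenConstraint"] = int.from_bytes(val, "big")
        tag, val, pos = _tlv(body, pos)
    if tag != 0x30 or pos != len(body):
        raise ValueError("proxyPolicy SEQUENCE missing, or trailing data after it")
    tag, lang, pos = _tlv(val, 0)
    if tag != 0x06:
        raise ValueError("policyLanguage must be an OBJECT IDENTIFIER")
    info["policyLanguage"] = _oid(lang)
    if pos < len(val):                             # optional policy OCTET STRING
        tag, info["policy"], pos = _tlv(val, pos)
        if tag != 0x04 or pos != len(val):
            raise ValueError("unexpected element after policyLanguage")
    return info

# Constructed samples (not from the page): an inheritAll policy with no path length,
# and the same bytes with the outer SEQUENCE length overstated by one byte.
GOOD_PCI = bytes.fromhex("300c300a06082b06010505071501")
BAD_PCI = bytes.fromhex("300d300a06082b06010505071501")
```

For a real proxy the extension value can be located with `openssl asn1parse -in /tmp/x509up_uNNN` and written out with `-strparse <offset> -out pci.der` (assumed from OpenSSL's asn1parse options, not from the page), then fed to `parse_proxy_cert_info`.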