[gin-auth] Heads-up for RFC proxies and VOMS ACs

Mike 'Mike' Jones mike.jones at manchester.ac.uk
Thu Jun 8 13:18:03 CDT 2006


Hi Vincenzo,

Yep, the "24" at least allows me to communicate with the server but the 
proxy returned is bad (the AC is unverifiable and still seems to belong to 
my proxy cert). I guess I should expect this. The server is still 
giving me old style VOMS ACs, but I didn't expect an ASN1 decoding 
failure:

-------

   $ voms-proxy-info -all
   WARNING: Unable to verify signature!
   Error: Cannot find certificate of AC issuer for vo gin.ggf.org
   subject   : /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones/CN=82689651
   issuer    : /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
   identity  : /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
   type      : unknown
   strength  : 512 bits
   path      : /tmp/x509up_u6360
   timeleft  : 11:56:09
   === VO gin.ggf.org extension information ===
   VO        : gin.ggf.org
   subject   : /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones/CN=82689651
   issuer    : /O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl
   attribute : /gin.ggf.org/Role=NULL/Capability=NULL
   timeleft  : 11:56:08

-------

   $ voms-proxy-info -version
   voms-proxy-info
   Version: 1.6.10
   Compiled: Apr 27 2006 18:04:07

-------

   $ grid-proxy-info -debug
   ERROR: Couldn't get the proxy type from the proxy credential


   grid_proxy_info.c:467:globus_credential: Error with credential's certificate
   globus_cert_utils: Proxy does not comply with proxy certificate standard
   Error determining certificate type: Can't convert DER encoded PROXYCERTINFO extension to internal form
   OpenSSL Error: proxycertinfo.c:464: in library: asn1 encoding routines,
   function (null): asn1 length mismatch address=136219056 offset=2

-------

And there's more:

If I manufacture either version of the VOMS credential myself and stick it 
inside a Legacy proxy it works (as you suggested earlier) but as soon as I 
do this with an RFC or a pre-RFC proxy I get the same general error:

   $ voms-proxy-info -all
   WARNING: Unable to verify signature!
   Error: Cannot find certificate of AC issuer for vo gin.ggf.org
   ...

Something is still odd!  Tomorrow I can send you a copy of each of my 
proxy certificates (minus the key!) that I've been generating with a 
homemade perl version of VOMS and grid-proxy-init. And perhaps we should 
continue this off the list. I think I've dragged this beyond the realm of 
a "Heads-up".

Thanks,
Mike


On Thu, 8 Jun 2006, vincenzo.ciaschini at cnaf.infn.it wrote:

> Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:
>
>> 
>> Hi Vincenzo,
> Hi Mike,
>
>> 
>> The gin.ggf.org VOMS daemon is currently using the default old style voms 
>> server running configuration.  If GIN is enforcing the use of RFC proxies 
>> the daemon needs to be run in the newer mode and we have to hope that sites 
>> supporting VOMS understand the right format (i.e. if they are gLite based 
>> then gLite version >= 1.5).
> If they use version 1.6.7 of the API or later (that is, gLite 1.5 or later) they
> are already fully capable of understanding this new format.  In fact, it is in
> the plans to eventually make the option a no-op and only issue ACs in this
> format.
>
>
>> 
>> Also it seems that the current GIN VO Server doesn't like the new style 
>> proxies for authentication anyhow (is this just due to the version of the 
>> underlying globus libraries):
>>
>>   voms-proxy-init -voms gin -proxyver 3
>>
>>   Your identity: /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
>>   Enter GRID pass phrase:
>>   Your proxy is valid until Fri Jun  9 04:15:05 2006
>>
>>   Creating temporary proxy
>>   ...................................................... Done
>>   Contacting  kuiken.nikhef.nl:15050
>>   [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
>>   Error: Could not establish authenticated connection with the server.
>>   GSS Major Status: Authentication Failed
>>   GSS Minor Status Error Chain:
>>   globus_gss_assist: Error during context initialization
>>   globus_gsi_gssapi: Unable to verify remote side's credentials
>>   globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't
>>   verify the remote certificate
>>   OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
>>   SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
>> 
> Can you show me your vomses file with the entry for the gin VO? Also, which
> version of globus is run on the server?  If, as I suspect, it is version 2.4.x,
> then a final "24" should be appended to the entry.  If it is not there, add
> it and retry creating a proxy.
>> 
>> Thanks,
>> Mike
>
> Feel free to ask for any further problem you may have.
>
> Bye,
>  Vincenzo
>

-- 
http://www.sve.man.ac.uk/General/Staff/jonesM/
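The proxy-type detection that grid-proxy-info -debug is doing above, and the ASN.1 length mismatch it trips over, can be reproduced in pure Python. This is an added example, not code from the thread, from Globus or from VOMS: it classifies a proxy as RFC 3820 (proxyCertInfo extension OID 1.3.6.1.5.5.7.1.14), pre-RFC Globus draft (OID 1.3.6.1.4.1.3536.1.222) or legacy (trailing CN=proxy / CN=limited proxy), decodes the RFC 3820 ProxyCertInfo body, and reports a length mismatch when the DER is truncated. The extension values and subject names are constructed inline and are not real certificates; the function names are my own, and the draft proxyCertInfo body is only recognised by OID, not decoded.

```python
"""Classify an X.509 proxy by its proxyCertInfo extension (stdlib only)."""

OID_PCI_RFC3820 = "1.3.6.1.5.5.7.1.14"      # id-pe-proxyCertInfo, RFC 3820
OID_PCI_PRE_RFC = "1.3.6.1.4.1.3536.1.222"  # Globus draft ("pre-RFC") proxyCertInfo
OID_POLICY_INHERIT_ALL = "1.3.6.1.5.5.7.21.1"
OID_POLICY_INDEPENDENT = "1.3.6.1.5.5.7.21.2"
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30


class Asn1Error(ValueError):
    """Raised when the DER does not decode (cf. 'asn1 length mismatch')."""


def read_tlv(buf, off):
    """Read one DER tag-length-value at buf[off:]; return (tag, value, next_off)."""
    if off + 2 > len(buf):
        raise Asn1Error("unexpected end of data at offset %d" % off)
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise Asn1Error("bad length encoding at offset %d" % (off - 1))
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    else:
        length = first
    if off + length > len(buf):            # declared length runs past the buffer
        raise Asn1Error("asn1 length mismatch at offset %d: declared %d, %d available"
                        % (off, length, len(buf) - off))
    return tag, buf[off:off + length], off + length


def decode_oid(value):
    """Decode OID content bytes to dotted form."""
    if not value:
        raise Asn1Error("empty OID")
    arcs = [value[0] // 40, value[0] % 40] if value[0] < 80 else [2, value[0] - 80]
    n, pending = 0, False
    for b in value[1:]:
        n, pending = (n << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(n)
            n = 0
    if pending:
        raise Asn1Error("truncated OID sub-identifier")
    return ".".join(map(str, arcs))


def parse_proxy_cert_info(der):
    """Decode RFC 3820 ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL,
    proxyPolicy SEQUENCE { policyLanguage OID, policy OCTET STRING OPTIONAL } }."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise Asn1Error("ProxyCertInfo is not a single SEQUENCE")
    info = {"path_len": None, "policy_language": None, "policy": None}
    tag, val, off = read_tlv(body, 0)
    if tag == TAG_INTEGER:
        info["path_len"] = int.from_bytes(val, "big", signed=True)
        tag, val, off = read_tlv(body, off)
    if tag != TAG_SEQUENCE:
        raise Asn1Error("expected proxyPolicy SEQUENCE")
    ptag, pval, poff = read_tlv(val, 0)
    if ptag != TAG_OID:
        raise Asn1Error("policyLanguage must be an OID")
    info["policy_language"] = decode_oid(pval)
    if poff < len(val):
        ptag, pval, poff = read_tlv(val, poff)
        if ptag != TAG_OCTET_STRING:
            raise Asn1Error("policy must be an OCTET STRING")
        info["policy"] = bytes(pval)
    if off != len(body) or poff != len(val):
        raise Asn1Error("trailing bytes in ProxyCertInfo")
    return info


def classify_proxy(extensions, subject):
    """extensions: {dotted OID: DER value}; subject: ordered [(attr, value)].
    Returns (kind, decoded ProxyCertInfo or None)."""
    if OID_PCI_RFC3820 in extensions:
        return "RFC 3820 proxy", parse_proxy_cert_info(extensions[OID_PCI_RFC3820])
    if OID_PCI_PRE_RFC in extensions:   # draft body encoding differs; not decoded here
        return "pre-RFC (GSI-3 draft) proxy", None
    cns = [v for a, v in subject if a == "CN"]
    if cns and cns[-1] in ("proxy", "limited proxy"):
        return "legacy (GSI-2) proxy", None
    return "not a proxy certificate", None


def describe(extensions, subject):
    """classify_proxy, turning a decode failure into a message (as -debug output does)."""
    try:
        kind, info = classify_proxy(extensions, subject)
        return kind, info, None
    except Asn1Error as e:
        return "undecodable proxy", None, str(e)


# --- minimal DER encoders, used only to construct the sample inputs below ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(out))


def der_int(n):  # non-negative only
    return der_tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def sample_rfc_proxy_cert_info(path_len=None, language=OID_POLICY_INHERIT_ALL):
    """Constructed RFC 3820 ProxyCertInfo value (hypothetical sample, not from a real cert)."""
    policy = der_tlv(TAG_SEQUENCE, der_oid(language))
    return der_tlv(TAG_SEQUENCE, (der_int(path_len) if path_len is not None else b"") + policy)


# Constructed sample subjects: an RFC-style numeric CN and a legacy CN=proxy.
SAMPLE_SUBJECT_RFC = [("C", "UK"), ("O", "Example"), ("CN", "someone"), ("CN", "82689651")]
SAMPLE_SUBJECT_LEGACY = [("C", "UK"), ("O", "Example"), ("CN", "someone"), ("CN", "proxy")]
SAMPLE_RFC_EXT = {OID_PCI_RFC3820: sample_rfc_proxy_cert_info()}
# Outer length says 15 bytes but one byte is missing: the mismatch shows up at offset 2.
SAMPLE_TRUNCATED_EXT = {OID_PCI_RFC3820: sample_rfc_proxy_cert_info(3)[:-1]}

if __name__ == "__main__":
    for ext, subj in ((SAMPLE_RFC_EXT, SAMPLE_SUBJECT_RFC), ({}, SAMPLE_SUBJECT_LEGACY),
                      (SAMPLE_TRUNCATED_EXT, SAMPLE_SUBJECT_RFC)):
        print(describe(ext, subj))
```

In a real check the `extensions` dict would come from the certificate's extension list and `subject` from its subject name; the decoding and classification logic is the same, and a truncated or re-encoded extension value fails at the first length field that overruns the buffer rather than being silently accepted.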