[gin-auth] The new VOMS Server for GIN is active from now

Oscar Koeroo okoeroo at nikhef.nl
Mon Mar 6 08:41:30 CST 2006


Hi Cindy,

I've checked my logs, but they are inconclusive.
You didn't show up in the logs at all... pretty odd though.

Do you get a strange error message in your browser or something like it? 
Do you get a connection to the machine? Pingable or connectable on port 
8443?

'failing authentication' is very vague to me. Nevertheless I want to 
see/know/understand what is going on here.
If it is not working at all, you can always send your usercert.pem file 
to me (privately) so that I can do the registration manually and check 
if my security stuff is setup correctly.

At the moment we have 4 successful registrations in the VO.


cheers,

    Oscar




Cindy Zheng wrote:

>Hi, Oscar,
>
>I'm still failing to authenticate to the VOM site.
>Maybe you can find some clue for the cause in your logs?
>
>Thanks,
>
>Cindy
>
>>-----Original Message-----
>>From: Oscar Koeroo [mailto:okoeroo at nikhef.nl] 
>>Sent: Saturday, March 04, 2006 4:25 PM
>>To: Cindy Zheng
>>Cc: gin-auth at ggf.org; 'Olivier van der Aa'; 'Philip 
>>Papadopoulos'; 'Catlett Charlie'; 'David Colling'; 
>>m.aggarwal at imperial.ac.uk; yoshio.tanaka at aist.go.jp; 'Yusuke 
>>Tanimura'; 'Dane Skow'; 'JP Navarro'; 'Arzberger Peter'; 
>>fplin at nchc.org.tw; 'Mason Katz'
>>Subject: RE: [gin-auth] The new VOMS Server for GIN is active from now
>>
>>
>>Hi Cindy,
>>
>>You didn't do anything wrong. The VOMS Admin doesn't allow 
>>unauthenticatable access to the service. I think you've used a 
>>certificate signed by the SDSC CA. That CA is not (correct me if I'm 
>>very wrong) within the IGTF accredited CAs and thus it was 
>>not supported.
>>
>>To comfort you and others using the SDSC CA, I've manually added the 
>>trust in that CA on the VOMS services.
>>
>>I hope this additional CA to the service is exceptional. Personally I do 
>>advise to only use CA certificates within the accreditation of the IGTF 
>>to ease such problems around the world. But, I guess that this could be 
>>hard to achieve within a few days if you don't have the 'right' 
>>certificates yet.
>>
>>You don't need to import the VOMS host cert. You should install the 
>>NIKHEF CA file into your preferred browser (to kill the warning/error 
>>and) to mutually trust the connection.
>>This page might be helpful: 
>>http://marianne.in2p3.fr/ca/ca-table-ca.html
>>
>>
>>
>>Cheers,
>>
>>    Oscar
>>
>>
>>Cindy Zheng wrote:
>>
>>>Hi, Oscar Koeroo and gin-auth team,
>>>
>>>Thank you for setting up VO for GIN testbed!
>>>
>>>Erwin suggested that I contact gin-auth for VO questions
>>>and problems. First, let me spill all the related 
>>>background info to make sure that we are on the same page.
>>>
>>>You probably already know about this, that PRAGMA Grid 
>>>and Teragrid had started a GIN experiment, running a grid 
>>>application on a few PRAGMA grid clusters and a TeraGrid 
>>>cluster. In the immediate next step, we want to include 
>>>one or more Imperial College (EGEE) clusters in this 
>>>application run.
>>>
>>>As we have found out in our first round effort, trying to 
>>>run an application across grid boundaries, the first issue 
>>>is authentication. Our application drivers, certified by 
>>>AIST, SDSC, need access to clusters of all GIN testbed 
>>>resources. In the case of TeraGrid and PRAGMA grid, PRAGMA 
>>>grid already accepts AIST and SDSC CAs and TeraGrid already 
>>>accepts the SDSC CA, but did not yet accept the AIST CA. AIST CA is 
>>>signed by APGrid PMA, a member of IGTF. The solution TeraGrid 
>>>then decided on was to accept the AIST CA on the cluster 
>>>involved, while working on a formal process of accepting 
>>>AIST's CA TeraGrid-wise.
>>>
>>>Now we come to EGEE. My basic question is how can we
>>>accomplish the same goal here? From the application drivers'
>>>point of view, we need the certificate files (~.0, 
>>>~.signing_policy) of the CA who signs Imperial College 
>>>personal/resources certificates. We need to install them on
>>>the globus client side. On the other end, we need Imperial 
>>>College resources to accept AIST and SDSC certificates
>>>(http://pragma-goc.rocksclusters.org/pragma-doc/resources.html).
>>>Is VO registration a solution to all or part of these?
>>>I thought to find some answers by accessing the VO site, 
>>>but failed. This leads to more detailed questions about
>>>VO site access:
>>>I'm new to the VO registration process. I tried to access 
>>>the urls given in your email using either Firefox or IE, 
>>>with my personal certificate (signed by SDSC/NPACI) 
>>>imported, but the browsers do not recognize the CA 
>>>of your site. When I accept your cert anyway, I still 
>>>get rejected by the site. Do I need to import 
>>>dec-2005-kuiken.nikhef.nl.pem into the website cert list in 
>>>my browser? If so, could you give me the p12 version? 
>>>Without the key, I cannot convert it to p12 format and 
>>>the browsers do not take pem format. Also, maybe I need 
>>>to add your CA to the trusted CA list in my browser? Which
>>>CA? 
>>>
>>>Thanks in advance for your help,
>>>
>>>Cindy
>>>
>>>-----Original Message-----
>>>From: Erwin Laure [mailto:Erwin.Laure at cern.ch] 
>>>Sent: Saturday, March 04, 2006 7:37 AM
>>>To: zhengc at sdsc.edu
>>>Cc: 'Olivier van der Aa'; 'Philip Papadopoulos'; 'Catlett Charlie';
>>>'David Colling'; m.aggarwal at imperial.ac.uk; yoshio.tanaka at aist.go.jp;
>>>'Yusuke Tanimura'; 'Dane Skow'; 'JP Navarro'; 'Arzberger Peter';
>>>fplin at nchc.org.tw; 'Mason Katz'
>>>Subject: Re: E-intro and getting some Gin.
>>>
>>>Hi Cindy,
>>>
>>>I suggest you address your question about the VO to 
>>>gin-auth at ggf.org. If there are problems this group should 
>>>resolve them for everybody rather than us trying to do it 
>>>only bilaterally.
>>>
>>>The important point I think is that each site should 
>>>recognize all the IGTF approved CAs. Then we should not have 
>>>problems, but I'm not a security expert.
>>>
>>>Cheers,
>>>
>>>-- Erwin
>>>
>>>Cindy Zheng wrote:
>>>
>>>>Thank you, Erwin and Olivier, for the info and quick response!
>>>>
>>>>Most of Olivier's questions are best answered by Yoshio and Yusuke.
>>>>
>>>>Olivier, I need the certificate files (~.0, ~.signing_policy) 
>>>>of the CA who signs all your personal/host certificates.
>>>>
>>>>Our CA certificate files can be obtained from the user info packs, 
>>>>or can be downloaded from 
>>>>http://pragma-goc.rocksclusters.org/pragma-doc/resources.html
>>>>I think you need to install AIST and SDSC CA files in your
>>>>system, so it will accept our user certificates.
>>>>
>>>>For the VO registration, it's a new process for me. I tried to
>>>>access the urls given in Erwin's attachment using either Firefox 
>>>>or IE, with my personal certificate imported, but the browsers 
>>>>do not recognize the CA of your site. If I accept your cert 
>>>>anyway, I still get rejected by the site. Do I need to import 
>>>>dec-2005-kuiken.nikhef.nl.pem as a website cert in my browser? 
>>>>If so, could you give me the p12 version? Without the key, 
>>>>I cannot convert it to p12 format and the browsers do not 
>>>>take pem format. Also, I think I would need to put your root
>>>>CA in my trusted CA list. I need to know the CA who signs your
>>>>site.
>>>>
>>>>Maybe I completely missed the boat :-) In that case, please
>>>>give me a pointer, I'll try to swim over :-)
>>>>
>>>>Thanks,
>>>>
>>>>Cindy
>>>>
>>>>-----Original Message-----
>>>>From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org] 
>>>>On Behalf Of Oscar Koeroo
>>>>Sent: Friday, March 03, 2006 5:18 AM
>>>>To: gin-auth at ggf.org
>>>>Subject: [gin-auth] The new VOMS Server for GIN is active from now
>>>>
>>>>
>>>>Hi all,
>>>>
>>>>Trying to incorporate all ideas of the VO naming debate into 
>>>>a live and kicking VO-name I gave it my own twist and created 
>>>>'GIN-GGF-ORG'. This VO name can be changed when we have a 
>>>>common agreement on the VO naming convention.
>>>>
>>>>The server is 'kuiken.nikhef.nl' which is running the EGEE/Glite VOMS 
>>>>services VOMS-Admin and the VOMS (core) daemon. This means that the 
>>>>Fully Qualified Attribute Names (FQANs) are in the format of:
>>>>/GIN-GGF-ORG
>>>>/GIN-GGF-ORG/<group 1>
>>>>/GIN-GGF-ORG/<group 1>/<sub group 1>
>>>>/GIN-GGF-ORG/Role=VO-Admin
>>>>/GIN-GGF-ORG/<group 1>/Role=<your role here>
>>>>
>>>>The set of CAs is compliant with the newest classic-IGTF which should be 
>>>>sufficient; if not, please mail me.
>>>>
>>>>
>>>>Registration info:
>>>>The URL of the website is: 
>>>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/
>>>>A direct link to the registration page is: 
>>>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/request/user/create
>>>>
>>>>Config info:
>>>>The link to the configuration page is: 
>>>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/config
>>>>Basically the VOMS daemon is running on port number 15050.
>>>>
>>>>For voms-proxy-init (the ~/.vomses or /opt/glite/etc/vomses/GIN-GGF-ORG
>>>>file):
>>>>"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" 
>>>>"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"
>>>>
>>>>For mkgridmap.conf:
>>>>group vomss://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG  .GIN-GGF-ORG
>>>>
>>>>VOMS Host cert:
>>>>Because there's not a common way of supplying the hostcert of the VOMS 
>>>>server, I've attached it in the mail.
>>>>
>>>>
>>>>cheers,
>>>>
>>>>   Oscar "/GIN-GGF-ORG/Role=VO-Admin" Koeroo
>>>>

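The FQAN format and the vomses line quoted in Oscar's original announcement, parsed and checked in Python. This is an added example, not code from the thread or from the VOMS project; the group and role names used in the checks are constructed, while the VO name, host, port and server DN are the ones given in the mail.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

VO_NAME = "GIN-GGF-ORG"   # VO name from the announcement

@dataclass
class FQAN:
    vo: str
    groups: List[str]    # nested groups below the VO, outermost first
    role: Optional[str]  # value of a trailing Role=<role>, if any

def parse_fqan(text: str) -> FQAN:
    """Parse /VO[/group[/subgroup...]][/Role=<role>]; reject malformed input."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    parts = text[1:].split("/")
    role = None
    if parts[-1].startswith("Role="):  # Role= is only valid as the last part
        role = parts[-1][len("Role="):]
        parts = parts[:-1]
    if role == "" or not parts or any(p == "" or "=" in p for p in parts):
        raise ValueError(f"malformed FQAN {text!r}")
    return FQAN(vo=parts[0], groups=parts[1:], role=role)

def grants_vo_admin(text: str, vo: str = VO_NAME) -> bool:
    """True only for /<vo>/Role=VO-Admin: a Role=VO-Admin inside a sub-group
    is not the VO-wide admin role, and an unparsable FQAN grants nothing."""
    try:
        f = parse_fqan(text)
    except ValueError:
        return False
    return f.vo == vo and not f.groups and f.role == "VO-Admin"

def parse_vomses_line(line: str) -> dict:
    """Split a vomses line, "nick" "host" "port" "server DN" "VO", into fields.
    The DN is what voms-proxy-init expects in the VOMS server's host cert."""
    fields = shlex.split(line)
    if len(fields) != 5:
        raise ValueError(f"expected 5 quoted fields, got {len(fields)}")
    nick, host, port, server_dn, vo = fields
    if not port.isdigit() or not 0 < int(port) < 65536 or not server_dn.startswith("/"):
        raise ValueError(f"bad port or DN in {line!r}")
    return {"nick": nick, "host": host, "port": int(port), "server_dn": server_dn, "vo": vo}

# Constructed sample line, using the values quoted in the announcement.
VOMSES_LINE = ('"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" '
               '"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"')
```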