[gin-auth] RE: tests
Erwin Laure
Erwin.Laure at cern.ch
Fri Sep 1 01:34:23 CDT 2006
Hi Cindy,
Gridftp works perfectly for me:
lxplus060[erwin]: globus-url-copy -vb file:$PWD/HelloWorld.jdl
gsiftp://cmsdsk00.hep.ph.ic.ac.uk/hello1.txt
156 bytes 0.19 KB/sec avg 0.19 KB/sec inst
Is your CA approved by the IGTF? I copy gin-auth for further details.
Cheers,
-- Erwin
> -----Original Message-----
> From: Cindy Zheng [mailto:zhengc at sdsc.edu]
> Sent: Friday, September 01, 2006 8:09 AM
> To: Erwin Laure; o.van-der-aa at imperial.ac.uk; David Colling
> Cc: somsak_sr at thaigrid.net; 'Sugree Phatanapherom';
> parzberg at ucsd.edu; phil at sdsc.edu
> Subject: RE: tests
>
> Thanks, Erwin! I installed all IGTF accredited Cas.
> But still getting errors. The Ukescience certificate files
> are appended after the test output. Please check and let me
> know if I missed something. Thanks!
>
> [zhengc at rocks-52 ~]$ voms-proxy-info
> subject : /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc/CN=proxy
> issuer : /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
> identity : /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
> type : proxy
> strength : 512 bits
> path : /home/zhengc/.globus/.proxy
> timeleft : 6:05:56
> [zhengc at rocks-52 ~]$ globusrun -a -r gw39.hep.ph.ic.ac.uk
>
> GRAM Authentication test failure: connecting to the job
> manager failed.
> Possible reasons: job terminated, invalid job contact,
> network problems, ...
> [zhengc at rocks-52 ~]$ globus-job-run
> gw39.hep.ph.ic.ac.uk:2119/jobmanager-lcgpbs date GRAM Job
> submission failed because the connection to the server failed
> (check host and port) (error code 12)
> [zhengc at rocks-52 ~]$ globus-url-copy
> file:///export/home/zhengc/test.txt
> gsiftp://cmsdsk00.hep.ph.ic.ac.uk/tmp/cindy-test.txt
>
> error: globus_ftp_client: the server responded with an error
> 535 Authentication failed: GSSException: Failure unspecified
> at GSS-API level [Caused by: Unknown CA]
> [zhengc at rocks-52 ~]$ cat /etc/grid-security/certificates/adc*
> -----BEGIN CERTIFICATE-----
> MIID1DCCArygAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJVSzEV
> MBMGA1UEChMMZVNjaWVuY2VSb290MRIwEAYDVQQLEwlBdXRob3JpdHkxDTALBgNV
> BAcTBFJvb3QxCzAJBgNVBAMTAkNBMB4XDTA2MDcxNDE2MzI1NVoXDTExMDcxNTE2
> MzI1NVowQzELMAkGA1UEBhMCVUsxEzARBgNVBAoTCmVTY2llbmNlQ0ExEjAQBgNV
> BAsTCUF1dGhvcml0eTELMAkGA1UEAxMCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
> DwAwggEKAoIBAQC08S40q4YSCt4sNNM9T5qB133eCLW5B0Qg0YWHgViSVc6f6f2B
> VJS4MBpOth6sdwvca7mO7C+dOnMEBwyRdFu7wtVOyRR86dbStMkKyljvOOwM6AYf
> lz52x9XnVPvTj+FN9mLD5/NmboSRv86Kw6erKJhAQQwuHVPkCOjtWorhdmpcHVci
> oA4FfVEBZGeAND5IPrOXTYH281baPBciDqfPOESNEh4xltyUrbFnhmAgYGb7IGoP
> b0sNOEOIWOivKuSHMU+dthIBZuytXzctcAtGa4yIGZluj0vs7Ak2HunA2PuXw6/c
> v2j41jBBNpil5WgxYNwt4FsFjLUvWy+gS7mPAgMBAAGjgcEwgb4wDwYDVR0TAQH/
> BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP+lqRpuD2+U6TfRwKVG
> Haghk2pLMHwGA1UdIwR1MHOAFHF3LsIiojijsKfITB2XKpWJ2oKjoVikVjBUMQsw
> CQYDVQQGEwJVSzEVMBMGA1UEChMMZVNjaWVuY2VSb290MRIwEAYDVQQLEwlBdXRo
> b3JpdHkxDTALBgNVBAcTBFJvb3QxCzAJBgNVBAMTAkNBggEAMA0GCSqGSIb3DQEB
> BQUAA4IBAQCBuqI6gcY6/BpOTSYHb4B6ga9LBPK9zo96pVOy4IFfoMN6VS9Bo2fK
> lBCK+OOSWy5KpN1q6UOyWh8Dcf/hc2lmEBo92gFqG+4gRKBa4IrTDJBARVWXd379
> kOAl68sqUDGcciUrQJwVclTO+KsgaVYmo3BvAhqJf4gnLm6XVUgHKl9+WPqDAQdf
> DeBCGOOPd0pPMy6RUgXIE+HAgh14yyGfJkiFlYHqaeqqL7A8gxrGSABcqbcUHnH1
> kTdHshE2ulkcpqV9wwWldr8S26tIYg9ZvYO1KNNgkwgoLIcKIc22r5IvQ8c7zeI7
> 8tqPk/TcVznFNfvmsrJSn2urKL4pKJrT
> -----END CERTIFICATE-----
> http://ca.grid-support.ac.uk/pub/crl/escience-ca-crl.crl
> #
> # @(#)$Id: adcbc9ef.info,v 1.1 2006/07/19 15:09:40 pmacvsdg
> Exp $ # Information for CA UKeScience eScience subordinate CA
> # alias = UKeScienceCA url =
> http://www.grid-support.ac.uk/ca/ crl_url =
> http://ca.grid-support.ac.uk/pub/crl/escience-ca-crl.crl
> email = support at grid-support.ac.uk
> status = accredited:classic
> version = 1.8
> sha1fp.0 = 0A:E0:5B:0C:64:99:18:2B:4F:FB:15:33:6F:77:33:F9:8E:F2:6D:C7
> # Signing policy for UK e-Science CA
> # This file should be installed in
> # /etc/grid-security/certificates
> # as <hash>.signing_policy along with
> # the CA certificate as <hash>.<digit>
> # -- here <hash> is the output of
> # openssl x509 -hash -noout -in <certificate> # and <digit>
> is the lowest single (decimal) # digit that makes the file
> unique (in case # you have other CA certificates that hash
> to # the same value)
> access_id_CA X509
> '/C=UK/O=eScienceCA/OU=Authority/CN=CA'
> pos_rights globus CA:sign
> cond_subjects globus '"/C=UK/O=eScience/*"'
>
> > -----Original Message-----
> > From: Erwin Laure [mailto:Erwin.Laure at cern.ch]
> > Sent: Thursday, August 31, 2006 9:31 PM
> > To: Cindy Zheng; o.van-der-aa at imperial.ac.uk; David Colling
> > Cc: somsak_sr at thaigrid.net; Sugree Phatanapherom;
> parzberg at ucsd.edu;
> > phil at sdsc.edu
> > Subject: RE: tests
> >
> >
> > Hi Cindy,
> >
> > I have to let Oliver answer for GRAM. But for gridftp it seems that
> > you don't have the UK eScience CA installed. You should install all
> > the IGTF approved Cas - should be available via the IGTF webpage.
> >
> > Cheers,
> >
> > -- Erwin
> >
> > > -----Original Message-----
> > > From: Cindy Zheng [mailto:zhengc at sdsc.edu]
> > > Sent: Friday, September 01, 2006 3:49 AM
> > > To: Erwin Laure; o.van-der-aa at imperial.ac.uk; David Colling
> > > Cc: somsak_sr at thaigrid.net; 'Sugree Phatanapherom';
> > > parzberg at ucsd.edu; phil at sdsc.edu
> > > Subject: RE: tests
> > >
> > > Thanks, Erwin, for the pointer!
> > >
> > > I just did some tests manually, try to verify globus
> authentication,
> > > job submission and gridftp.
> > > So far, all failed. (See output below)
> > >
> > > Seems that at least gridftp is looking for certificate for
> > > /C=UK/O=eScience/OU=Imperial/L=Physics/CN=cmsdsk00.hep.ph.ic.a
> > > c.uk/email
> > > Address=lcg-site-admin at imperial.ac.uk
> > > But I only have the site certificate files 16da7552.0 and
> > > 16da7552.signing_policy for EGEE. I appended the contents
> of these 2
> > > files after the tests output.
> > > Where can I get the required certificate files for EGEE's
> resources?
> > >
> > > Also, with NorduGrid, we need to run different commands for some
> > > tests. I don't know if this is the case too for EGEE.
> > > Appreciate any advice on that as well.
> > >
> > > Cindy
> > >
> > > [zhengc at rocks-52 ~]$ voms-proxy-info
> > > subject : /C=US/O=SDSC/OU=SDSC/CN=Cindy
> > Zheng/USERID=zhengc/CN=proxy
> > > issuer : /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
> > > identity : /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
> > > type : proxy
> > > strength : 512 bits
> > > path : /home/zhengc/.globus/.proxy
> > > timeleft : 10:56:10
> > > [zhengc at rocks-52 ~]$ date -u
> > > Fri Sep 1 01:03:36 UTC 2006
> > > [zhengc at rocks-52 ~]$ globusrun -a -r gw39.hep.ph.ic.ac.uk
> > >
> > > GRAM Authentication test failure: connecting to the job manager
> > > failed.
> > > Possible reasons: job terminated, invalid job contact, network
> > > problems, ...
> > > [zhengc at rocks-52 ~]$ globus-job-run
> > > gw39.hep.ph.ic.ac.uk:2119/jobmanager-lcgpbs date GRAM Job
> submission
> > > failed because the connection to the server failed (check
> host and
> > > port) (error code 12)
> > > [zhengc at rocks-52 ~]$ globus-url-copy
> > > file:///export/home/zhengc/test.txt
> > > gsiftp://cmsdsk00.hep.ph.ic.ac.uk/tmp/cindy-test.txt
> > >
> > > error: globus_ftp_control: gss_init_sec_context failed OpenSSL
> > > Error: s3_clnt.c:842: in library: SSL routines, function
> > > SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> > > globus_gsi_callback_module: Could not verify credential
> > > globus_gsi_callback_module: Can't get the local trusted CA
> > > certificate:
> > > Cannot find issuer certificate for local credential with subject:
> > > /C=UK/O=eScience/OU=Imperial/L=Physics/CN=cmsdsk00.hep.ph.ic.a
> > > c.uk/email
> > > Address=lcg-site-admin at imperial.ac.uk
> > > [root at rocks-52 certificates]# cat
> > > /etc/grid-security/certificates/16da7552*
> > > Certificate:
> > > Data:
> > > Version: 3 (0x2)
> > > Serial Number: 0 (0x0)
> > > Signature Algorithm: sha1WithRSAEncryption
> > > Issuer: C=NL, O=NIKHEF, CN=NIKHEF medium-security
> > > certification auth
> > > Validity
> > > Not Before: Sep 21 00:00:00 2001 GMT
> > > Not After : Feb 9 00:00:00 2021 GMT
> > > Subject: C=NL, O=NIKHEF, CN=NIKHEF medium-security
> > > certification auth
> > > Subject Public Key Info:
> > > Public Key Algorithm: rsaEncryption
> > > RSA Public Key: (2048 bit)
> > > Modulus (2048 bit):
> > > 00:a3:dc:c0:e5:91:32:75:cb:30:2a:00:5d:e1:9c:
> > > 0f:79:ae:43:44:30:be:e4:7d:d4:ea:76:6d:fb:9b:
> > > dd:e1:a1:b6:1f:7b:5d:35:2d:75:fb:db:f4:eb:94:
> > > 0b:74:29:8e:d7:bf:96:8b:93:3e:da:24:4f:5c:b3:
> > > 2f:bc:a3:ef:34:c5:d9:ff:4e:51:ea:97:bc:c4:6a:
> > > 3f:eb:30:d6:c9:96:58:1f:e5:bc:e5:ec:91:e4:74:
> > > fb:ea:df:d8:31:0b:15:52:d4:db:2c:2f:ea:64:5b:
> > > 35:89:35:de:12:cd:20:7c:a6:1c:49:2d:0a:9e:b1:
> > > e7:8a:93:4f:cc:25:a3:09:59:5a:1e:c1:b2:25:da:
> > > d4:c9:c1:8f:a1:c9:65:30:ce:9a:b3:79:94:c8:cb:
> > > c8:82:ba:03:97:6e:d3:43:a6:10:42:ea:a0:f3:2a:
> > > 01:58:03:60:2a:52:1e:b1:10:55:ab:38:d5:93:d1:
> > > fa:9e:2a:9f:20:47:42:e3:eb:d0:89:23:59:bb:33:
> > > 08:48:62:d3:5f:68:78:cd:73:de:e8:2e:cc:6d:0a:
> > > 8b:c3:70:49:f4:30:d4:0d:7c:e5:d0:65:e6:86:c5:
> > > 4d:e6:2f:27:32:cd:48:e1:71:ce:30:ee:c2:98:0a:
> > > 9e:d5:0f:12:0a:9a:9d:e4:03:8b:ba:3e:65:22:73:
> > > 22:f5
> > > Exponent: 65537 (0x10001)
> > > X509v3 extensions:
> > > X509v3 Basic Constraints: critical
> > > CA:TRUE
> > > X509v3 Key Usage: critical
> > > Digital Signature, Certificate Sign, CRL Sign
> > > X509v3 Subject Alternative Name:
> > > email:ca at dutchgrid.nl
> > > X509v3 Subject Key Identifier:
> > >
> > > 5B:05:3A:99:C6:D5:22:BD:FD:94:80:FC:11:A8:D0:F1:71:D6:4B:A4
> > > X509v3 CRL Distribution Points:
> > > URI:http://ca.dutchgrid.nl/medium/cacrl.pem
> > >
> > > Netscape Cert Type:
> > > SSL CA, S/MIME CA, Object Signing CA
> > > Netscape CA Revocation Url:
> > > http://ca.dutchgrid.nl/medium/cacrl.pem
> > > Netscape CA Policy Url:
> > > http://ca.dutchgrid.nl/medium/policy/
> > > Netscape Comment:
> > > DutchGrid and NIKHEF medium-security
> Certification
> > > Authority; policies at http://ca.dutchgrid.nl/medium/policy/
> > > Signature Algorithm: sha1WithRSAEncryption
> > > 7d:3e:11:47:f3:ba:6f:d8:39:98:29:4c:fb:2f:ef:5e:8d:30:
> > > 67:6d:3f:a2:0b:4f:7a:16:b5:b5:36:a8:61:ef:ac:0c:41:32:
> > > de:ee:2a:2c:1d:53:2e:d8:81:0a:22:ba:ac:72:d9:2c:67:dd:
> > > 70:ed:b5:d1:15:06:2a:3e:8a:01:61:9d:5b:5b:b7:a7:e3:df:
> > > dd:5f:be:d8:36:27:41:14:b9:95:07:be:a6:98:fd:45:b4:78:
> > > 97:86:4a:f1:10:2a:e4:b5:88:a9:84:d3:e0:85:cf:80:86:f5:
> > > 42:f0:17:40:0d:41:58:2b:8a:0d:60:7f:50:ea:2f:4d:ff:e3:
> > > 59:d3:bb:ab:c2:9f:99:2c:0a:51:b7:65:5a:d8:5e:e3:f1:ba:
> > > 59:62:f9:c4:3c:54:36:c4:68:4a:00:48:6d:91:58:4d:1b:f3:
> > > 4c:a3:6e:da:dc:a9:36:dc:06:34:dc:79:c5:cb:b4:88:0b:ae:
> > > b3:6b:3c:06:13:6c:ce:30:41:42:16:57:9e:fe:49:df:86:32:
> > > a9:63:25:33:c7:84:39:45:0d:71:c2:a0:28:66:1d:35:09:85:
> > > 2b:2f:b2:37:b6:2f:74:32:39:55:05:f6:67:33:02:2b:3a:71:
> > > b7:ed:b2:19:97:81:4a:69:37:b4:74:0d:11:3b:fb:c4:54:bb:
> > > 11:bb:9a:fc
> > > -----BEGIN CERTIFICATE-----
> > > MIIEvDCCA6SgAwIBAgIBADANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJOTDEP
> > > MA0GA1UEChMGTklLSEVGMTIwMAYDVQQDEylOSUtIRUYgbWVkaXVtLXNlY3VyaXR5
> > > IGNlcnRpZmljYXRpb24gYXV0aDAeFw0wMTA5MjEwMDAwMDBaFw0yMTAyMDkwMDAw
> > > MDBaMFIxCzAJBgNVBAYTAk5MMQ8wDQYDVQQKEwZOSUtIRUYxMjAwBgNVBAMTKU5J
> > > S0hFRiBtZWRpdW0tc2VjdXJpdHkgY2VydGlmaWNhdGlvbiBhdXRoMIIBIjANBgkq
> > > hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo9zA5ZEydcswKgBd4ZwPea5DRDC+5H3U
> > > 6nZt+5vd4aG2H3tdNS11+9v065QLdCmO17+Wi5M+2iRPXLMvvKPvNMXZ/05R6pe8
> > > xGo/6zDWyZZYH+W85eyR5HT76t/YMQsVUtTbLC/qZFs1iTXeEs0gfKYcSS0KnrHn
> > > ipNPzCWjCVlaHsGyJdrUycGPocllMM6as3mUyMvIgroDl27TQ6YQQuqg8yoBWANg
> > > KlIesRBVqzjVk9H6niqfIEdC4+vQiSNZuzMISGLTX2h4zXPe6C7MbQqLw3BJ9DDU
> > > DXzl0GXmhsVN5i8nMs1I4XHOMO7CmAqe1Q8SCpqd5AOLuj5lInMi9QIDAQABo4IB
> > > mzCCAZcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwGgYDVR0RBBMw
> > > EYEPY2FAZHV0Y2hncmlkLm5sMB0GA1UdDgQWBBRbBTqZxtUivf2UgPwRqNDxcdZL
> > > pDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY2EuZHV0Y2hncmlkLm5sL21lZGl1
> > > bS9jYWNybC5wZW0wEQYJYIZIAYb4QgEBBAQDAgAHMDYGCWCGSAGG+EIBBAQpFido
> > > dHRwOi8vY2EuZHV0Y2hncmlkLm5sL21lZGl1bS9jYWNybC5wZW0wNAYJYIZIAYb4
> > > QgEIBCcWJWh0dHA6Ly9jYS5kdXRjaGdyaWQubmwvbWVkaXVtL3BvbGljeS8wfgYJ
> > > YIZIAYb4QgENBHEWb0R1dGNoR3JpZCBhbmQgTklLSEVGIG1lZGl1bS1zZWN1cml0
> > > eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTsgcG9saWNpZXMgYXQgaHR0cDovL2Nh
> > > LmR1dGNoZ3JpZC5ubC9tZWRpdW0vcG9saWN5LzANBgkqhkiG9w0BAQUFAAOCAQEA
> > > fT4RR/O6b9g5mClM+y/vXo0wZ20/ogtPeha1tTaoYe+sDEEy3u4qLB1TLtiBCiK6
> > > rHLZLGfdcO210RUGKj6KAWGdW1u3p+Pf3V++2DYnQRS5lQe+ppj9RbR4l4ZK8RAq
> > > 5LWIqYTT4IXPgIb1QvAXQA1BWCuKDWB/UOovTf/jWdO7q8KfmSwKUbdlWthe4/G6
> > > WWL5xDxUNsRoSgBIbZFYTRvzTKNu2typNtwGNNx5xcu0iAuus2s8BhNszjBBQhZX
> > > nv5J34YyqWMlM8eEOUUNccKgKGYdNQmFKy+yN7YvdDI5VQX2ZzMCKzpxt+2yGZeB
> > > Smk3tHQNETv7xFS7Ebua/A==
> > > -----END CERTIFICATE-----
> > > # EACL Netherlands CA
> > > access_id_CA X509 '/C=NL/O=NIKHEF/CN=NIKHEF
> > > medium-security certification auth'
> > > pos_rights globus CA:sign
> > > cond_subjects globus '"/C=NL/O=NIKHEF/CN=NIKHEF
> > > medium-security certification auth" "/O=dutchgrid/O=users/*"
> > > "/O=dutchgrid/O=hosts/*"'
> > > > -----Original Message-----
> > > > From: Erwin Laure [mailto:Erwin.Laure at cern.ch]
> > > > Sent: Thursday, August 31, 2006 12:29 PM
> > > > To: zhengc at sdsc.edu; o.van-der-aa at imperial.ac.uk; David Colling
> > > > Cc: somsak_sr at thaigrid.net; Sugree Phatanapherom;
> > > parzberg at ucsd.edu;
> > > > phil at sdsc.edu
> > > > Subject: RE: tests
> > > >
> > > >
> > > > Hi Cindy,
> > > >
> > > > You should get all the endpoints needed from the original
> > > wiki page (I
> > > > don't think it has migrated to gridforge, yet):
> > > > http://wiki.nesc.ac.uk/read/gin-jobs?GinResources
> > > >
> > > > I don't understand the comment about the personal (zhengc)
> > > proxy. You
> > > > mean your certificate you used to sign up with the gin VO
> > > > (/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/UID=zhengc)? That
> should be
> > > > automatically configured on the resources.
> > > >
> > > > Cheers,
> > > >
> > > > -- Erwin
> > > >
> > > > > -----Original Message-----
> > > > > From: Cindy Zheng [mailto:zhengc at sdsc.edu]
> > > > > Sent: Wednesday, August 30, 2006 12:31 AM
> > > > > To: o.van-der-aa at imperial.ac.uk
> > > > > Cc: Erwin Laure; somsak_sr at thaigrid.net; 'Sugree
> > Phatanapherom';
> > > > > parzberg at ucsd.edu; phil at sdsc.edu
> > > > > Subject: tests
> > > > >
> > > > > Dear Olivier,
> > > > >
> > > > > SCMSWeb team has upgraded SCMSWeb software to a new
> > > version, so we
> > > > > can probe services on different hosts within a site and
> > show the
> > > > > correct status for your cluster in gin testbed.
> > > > > We plan to use my personal (zhengc) proxy for these.
> > > > >
> > > > > We need your help to get this working right for EGEE.
> > > > > Could you let us know
> > > > > 1. what authentication test (something equivalent to
> > > > > globusrun?) we should run to which host/IP# to confirm
> > that user
> > > > > zhengc is setup to access EGEE resources?
> > > > > 2. what gridftp test we should run to which host/IP# to
> > > test gridftp
> > > > > access?
> > > > > 3. similarly, how can we test job submission at your site?
> > > > > 4. Do you have MDS services? At what host/IP#?
> > > > >
> > > > > Thank you very much in advance,
> > > > >
> > > > > Cindy
> > > > >
> > > > >
> > > >
> > >
> > >
> >
>
>
More information about the gin-auth
mailing list