[gin-auth] Heads-up for RFC proxies and VOMS ACs

Mike 'Mike' Jones mike.jones at manchester.ac.uk
Thu Jun 8 10:30:09 CDT 2006


Hi Vincenzo,

Ah yes, my mistake, you're right, I only found out about the --newformat 
option after convincing myself that the glite 1.5 VOMS server didn't do 
the right thing (it could do the right thing but this was not the 
default).

This still presents issues for using RFC proxies (where the new format is 
required) until services at large have had their VOMS AC engines 
upgraded.  But I guess this won't be too far behind their general 
acceptance of RFC proxies (if it is at all behind).

The gin.ggf.org VOMS daemon is currently using the default old style voms 
server running configuration.  If GIN is enforcing the use of RFC proxies 
the daemon needs to be run in the newer mode and we have to hope that 
sites supporting VOMS understand the right format (i.e. if they are gLite 
based then gLite version >= 1.5).

Also it seems that the current GIN VO Server doesn't like the new style 
proxies for authentication anyhow (is this just due to the version of the 
underlying globus libraries?):

   voms-proxy-init -voms gin -proxyver 3

   Your identity: /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
   Enter GRID pass phrase:
   Your proxy is valid until Fri Jun  9 04:15:05 2006

   Creating temporary proxy
   ...................................................... Done
   Contacting  kuiken.nikhef.nl:15050
   [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
   Error: Could not establish authenticated connection with the server.
   GSS Major Status: Authentication Failed
   GSS Minor Status Error Chain:
   globus_gss_assist: Error during context initialization
   globus_gsi_gssapi: Unable to verify remote side's credentials
   globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't
   verify the remote certificate
   OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
   SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42

whereas:

   voms-proxy-init -voms gin -proxyver 2

   Your identity: /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
   Enter GRID pass phrase:
   Your proxy is valid until Fri Jun  9 04:21:13 2006

   Creating temporary proxy ........................................ Done
   Contacting  kuiken.nikhef.nl:15050
   [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
    Done
   Creating proxy ............................................ Done
   Your proxy is valid until Fri Jun  9 04:21:15 2006

Thanks,
Mike


On Thu, 8 Jun 2006, vincenzo.ciaschini at cnaf.infn.it wrote:

> One correction: this is already present in the gLite 1.5 VOMS server
> (corresponding to 1.6.10 VOMS version), and therefore also on those that have
> been tested up to now by the gin group.
>
> Bye,
>  Vincenzo
> Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:
>
>> 
>> Just to let you know that due to a bug in gLite 1.5 and earlier:
>> VOMS attribute certificates as issued by the current instance of the 
>> gin.ggf.org VOMS cannot work inside an RFC proxy certificate due to the 
>> Holder section of the attribute certificate being set to the wrong DN and 
>> RFC proxies requiring different serial numbers.
>> 
>> This I believe is fixed in the gLite 3.0 VOMS server (vomsd needing to be 
>> run with the --newformat option). gLite 3.0 VOMS aware services recognise 
>> both the 'old' (broken) and 'new' formats.
>> 
>> This does not affect systems that currently construct a grid-mapfile for 
>> the purposes of authorisation.
>> 
>> Mike
>> 
>> -- 
>> http://www.sve.man.ac.uk/General/Staff/jonesM/
>> 
>> 

-- 
http://www.sve.man.ac.uk/General/Staff/jonesM/