[gin-auth] Heads-up for RFC proxies and VOMS ACs
Mike 'Mike' Jones
mike.jones at manchester.ac.uk
Thu Jun 8 10:30:09 CDT 2006
Hi Vincenzo,
Ah yes, my mistake, you're right: I only found out about the --newformat
option after convincing myself that the gLite 1.5 VOMS server didn't do
the right thing (it could do the right thing, but this was not the
default).
This still presents issues for using RFC proxies (where the new format is
required) until services at large have had their VOMS AC engines
upgraded. But I guess this won't be too far behind their general
acceptance of RFC proxies (if it is at all behind).
The gin.ggf.org VOMS daemon is currently running with the default old-style
VOMS server configuration. If GIN is enforcing the use of RFC proxies,
the daemon needs to be run in the newer mode, and we have to hope that
sites supporting VOMS understand the right format (i.e. if they are gLite
based, then gLite version >= 1.5).
Also, it seems that the current GIN VO server doesn't like the new-style
proxies for authentication anyhow (is this just due to the version of the
underlying Globus libraries?):
voms-proxy-init -voms gin -proxyver 3
Your identity: /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
Enter GRID pass phrase:
Your proxy is valid until Fri Jun 9 04:15:05 2006
Creating temporary proxy
...................................................... Done
Contacting kuiken.nikhef.nl:15050
[/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
Error: Could not establish authenticated connection with the server.
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_gssapi: Unable to verify remote side's credentials
globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't
verify the remote certificate
OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
whereas:
voms-proxy-init -voms gin -proxyver 2
Your identity: /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
Enter GRID pass phrase:
Your proxy is valid until Fri Jun 9 04:21:13 2006
Creating temporary proxy ........................................ Done
Contacting kuiken.nikhef.nl:15050
[/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
Done
Creating proxy ............................................ Done
Your proxy is valid until Fri Jun 9 04:21:15 2006
Thanks,
Mike
On Thu, 8 Jun 2006, vincenzo.ciaschini at cnaf.infn.it wrote:
> One correction: this is already present in the gLite 1.5 VOMS server
> (corresponding to VOMS version 1.6.10, and therefore also on those that have
> been tested up to now by the GIN group).
>
> Bye,
> Vincenzo
> Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:
>
>>
>> Just to let you know that due to a bug in gLite 1.5 and earlier:
>> VOMS attribute certificates as issued by the current instance of the
>> gin.ggf.org VOMS cannot work inside an RFC proxy certificate due to the
>> Holder section of the attribute certificate being set to the wrong DN and
>> RFC proxies requiring different serial numbers.
>>
>> This I believe is fixed in the gLite 3.0 VOMS server (vomsd needing to be
>> run with the --newformat option). gLite 3.0 VOMS aware services recognise
>> both the 'old' (broken) and 'new' formats.
>>
>> This does not affect systems that currently construct a grid-mapfile for
>> the purposes of authorisation.
>>
>> Mike
>>
>> --
>> http://www.sve.man.ac.uk/General/Staff/jonesM/
>>
>>
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
--
http://www.sve.man.ac.uk/General/Staff/jonesM/
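The thread turns on how a VOMS attribute certificate (AC) is bound to a certificate in the proxy chain: per RFC 3281 the AC's Holder names the bound certificate by its issuer DN and serial number, so a holder that only matches because a legacy proxy reuses its issuer's serial stops matching once the proxy carries its own serial, as RFC 3820 proxies do. The following is an added illustration written for this archive page, not code from the thread, VOMS or Globus. It models certificates and the Holder as plain Python records rather than ASN.1, uses constructed DNs and serials, and assumes for the sake of the contrast that a legacy (GT2-style) proxy copies the serial of the certificate that issued it; it makes no claim about which field the gLite 1.5 server actually got wrong.

```python
# Added illustration of RFC 3281 AC holder binding against a proxy chain.
# All DNs, serials and the proxy serial-number behaviour below are
# constructed for the example; nothing here is taken from VOMS source.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str   # subject DN
    issuer: str    # issuer DN
    serial: int    # serial number, assigned by the issuer


@dataclass(frozen=True)
class Holder:
    # Simplified Holder.baseCertificateID: (issuer DN, serial) of the
    # certificate the attribute certificate is bound to.
    issuer: str
    serial: int


def find_holder(holder: Holder, chain: List[Cert]) -> Optional[Cert]:
    """Return the chain certificate the AC is bound to, or None.

    A relying party must find a certificate in the presented chain whose
    (issuer, serial) pair equals the holder's; without that match the AC
    cannot be attached to the authenticated identity and must be ignored.
    """
    for cert in chain:
        if cert.issuer == holder.issuer and cert.serial == holder.serial:
            return cert
    return None


def ac_bound_to_end_entity(holder: Holder, chain: List[Cert], eec_subject: str) -> bool:
    """True only if the AC binds to the end-entity certificate itself."""
    cert = find_holder(holder, chain)
    return cert is not None and cert.subject == eec_subject


# Constructed identities (not real CAs or users).
CA_DN = "/C=XX/O=Example CA"
EEC_DN = "/C=XX/O=Example/CN=alice"
EEC = Cert(subject=EEC_DN, issuer=CA_DN, serial=4711)

# Legacy proxy: "/CN=proxy" appended; assumed here to reuse the EEC's serial.
LEGACY_PROXY = Cert(subject=EEC_DN + "/CN=proxy", issuer=EEC_DN, serial=4711)
# RFC 3820 proxy: numeric CN and a serial of its own, distinct from the EEC's.
RFC_PROXY = Cert(subject=EEC_DN + "/CN=1234567890", issuer=EEC_DN, serial=1234567890)

# Correct binding: the AC names the EEC by its issuer (the CA) and serial.
AC_BOUND_TO_EEC = Holder(issuer=CA_DN, serial=4711)
# Hypothetical misbinding: the holder names the proxy's issuer DN but keeps
# the EEC serial. It only matches while proxies copy that serial.
AC_MISBOUND = Holder(issuer=EEC_DN, serial=4711)


def demo() -> Dict[Tuple[str, str], bool]:
    """Evaluate both holders against a legacy and an RFC proxy chain."""
    results: Dict[Tuple[str, str], bool] = {}
    for name, proxy in (("legacy", LEGACY_PROXY), ("rfc", RFC_PROXY)):
        chain = [proxy, EEC]  # leaf first, then the end-entity certificate
        results[(name, "eec_holder")] = find_holder(AC_BOUND_TO_EEC, chain) is not None
        results[(name, "misbound_holder")] = find_holder(AC_MISBOUND, chain) is not None
    return results


if __name__ == "__main__":
    for (proxy_kind, holder_kind), ok in sorted(demo().items()):
        print(f"{proxy_kind:6s} proxy, {holder_kind:16s}: {'matches' if ok else 'no match'}")
```

Running it shows the correctly bound AC matching in both chains while the misbound holder matches only behind the legacy proxy, which is the shape of the incompatibility Mike describes: a service that validates the holder strictly will reject the AC inside an RFC proxy, so the issuing server and the consuming services have to agree on the format before RFC proxies are enforced.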