[gin-auth] Heads-up for RFC proxies and VOMS ACs
Alex Sim
asim at lbl.gov
Thu Jun 8 11:16:35 CDT 2006
How did you manage to connect to the VOMS server for GIN?
It gives me this unknown error since last Monday, but it used to work before.
--Alex
% voms-proxy-init -voms gin.ggf.org
Your identity: /DC=org/DC=doegrids/OU=People/CN=Alexander Sim 546622
Enter GRID pass phrase:
Your proxy is valid until Thu Jun 8 21:13:22 2006
Creating temporary proxy ............................................. Done
Contacting kuiken.nikhef.nl:15050
[/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
Error:
| -----Original Message-----
| From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org]
| On Behalf Of Mike 'Mike' Jones
| Sent: Thursday, June 08, 2006 8:30 AM
| To: vincenzo.ciaschini at cnaf.infn.it
| Cc: gin-auth at ggf.org
| Subject: Re: [gin-auth] Heads-up for RFC proxies and VOMS ACs
| Sensitivity: Personal
|
|
| Hi Vincenzo,
|
| Ah yes, my mistake, you're right, I only found out about the
| --newformat option after convincing myself that the glite
| 1.5 VOMS server didn't do the right thing (it could do the
| right thing but this was not the default).
|
| This still presents issues for using RFC proxies (where the
| new format is required) until services at large have had their
| VOMS AC engines upgraded. But I guess this won't be too far behind
| their general acceptance of RFC proxies (if it is at all behind).
|
| The gin.ggf.org VOMS daemon is currently using the default
| old style voms server running configuration. If GIN is
| enforcing the use of RFC proxies the daemon needs to be run
| in the newer mode and we have to hope that sites supporting
| VOMS understand the right format (i.e. if they are gLite
| based then gLite version >= 1.5).
|
| Also it seems that the current GIN VO Server doesn't like
| the new style proxies for authentication anyhow (is this
| just due to the version of the underlying globus libraries?):
|
| voms-proxy-init -voms gin -proxyver 3
|
| Your identity:
| /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
| Enter GRID pass phrase:
| Your proxy is valid until Fri Jun 9 04:15:05 2006
|
| Creating temporary proxy ...................................................... Done
| Contacting kuiken.nikhef.nl:15050
| [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
| Error: Could not establish authenticated connection with the server.
| GSS Major Status: Authentication Failed
| GSS Minor Status Error Chain:
| globus_gss_assist: Error during context initialization
| globus_gsi_gssapi: Unable to verify remote side's credentials
| globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't verify the remote certificate
| OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
| SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
|
| whereas:
|
| voms-proxy-init -voms gin -proxyver 2
|
| Your identity:
| /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
| Enter GRID pass phrase:
| Your proxy is valid until Fri Jun 9 04:21:13 2006
|
| Creating temporary proxy ........................................ Done
| Contacting kuiken.nikhef.nl:15050
| [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
| Done
| Creating proxy ............................................ Done
| Your proxy is valid until Fri Jun 9 04:21:15 2006
|
| Thanks,
| Mike
|
|
| On Thu, 8 Jun 2006, vincenzo.ciaschini at cnaf.infn.it wrote:
|
| > One correction: this is already present in the gLite 1.5 VOMS server
| > (corresponding to 1.6.10 VOMS version, and therefore also on those
| > that have been tested up to now by the gin group).
| >
| > Bye,
| > Vincenzo
| > Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:
| >
| >>
| >> Just to let you know that due to a bug in gLite 1.5 and earlier:
| >> VOMS attribute certificates as issued by the current instance of the
| >> gin.ggf.org VOMS cannot work inside an RFC proxy certificate due to
| >> the Holder section of the attribute certificate being set to the
| >> wrong DN and RFC proxies requiring different serial numbers.
| >>
| >> This I believe is fixed in the gLite 3.0 VOMS server (vomsd needing
| >> to be run with the --newformat option). gLite 3.0 VOMS aware services
| >> recognise both the 'old' (broken) and 'new' formats.
| >>
| >> This does not affect systems that currently construct a grid-mapfile
| >> for the purposes of authorisation.
| >>
| >> Mike
| >>
| >> --
| >> http://www.sve.man.ac.uk/General/Staff/jonesM/
| >>
| >>
| >
| >
| >
| > ----------------------------------------------------------------
| > This message was sent using IMP, the Internet Messaging Program.
| >
|
| --
| http://www.sve.man.ac.uk/General/Staff/jonesM/