[gin-auth] Heads-up for RFC proxies and VOMS ACs

Alex Sim asim at lbl.gov
Thu Jun 8 11:16:35 CDT 2006


How did you manage to connect to the VOMS server for GIN?
It has been giving me this unknown error since last Monday, but it used to work
before.
--Alex


% voms-proxy-init -voms gin.ggf.org
Your identity: /DC=org/DC=doegrids/OU=People/CN=Alexander Sim 546622
Enter GRID pass phrase:
Your proxy is valid until Thu Jun  8 21:13:22 2006

Creating temporary proxy ............................................. Done
Contacting  kuiken.nikhef.nl:15050
[/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
Error: 
 


 | -----Original Message-----
 | From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org] 
 | On Behalf Of Mike 'Mike' Jones
 | Sent: Thursday, June 08, 2006 8:30 AM
 | To: vincenzo.ciaschini at cnaf.infn.it
 | Cc: gin-auth at ggf.org
 | Subject:  Re: [gin-auth] Heads-up for RFC proxies and VOMS ACs
 | Sensitivity: Personal
 | 
 | 
 | Hi Vincenzo,
 | 
 | Ah yes, my mistake, you're right, I only found out about the 
 | --newformat option after convincing myself that the glite 
 | 1.5 VOMS server didn't do the right thing (it could do the 
 | right thing but this was not the default).
 | 
 | This still presents issues for using RFC proxies (where the 
 | new format is
 | required) until services at large have had their VOMS AC 
 | engines upgraded.  But I guess this won't be too far behind 
 | their general acceptance of RFC proxies (if it is at all behind).
 | 
 | The gin.ggf.org VOMS daemon is currently using the default 
 | old style voms server running configuration.  If GIN is 
 | enforcing the use of RFC proxies the daemon needs to be run 
 | in the newer mode and we have to hope that sites supporting 
 | VOMS understand the right format (i.e. if they are gLite 
 | based then gLite version >= 1.5).
 | 
 | Also it seems that the current GIN VO Server doesn't like 
 | the new style proxies for authentication anyhow (is this 
 | just due to the version of the underlying globus libraries?):
 | 
 |    voms-proxy-init -voms gin -proxyver 3
 | 
 |    Your identity: /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
 |    Enter GRID pass phrase:
 |    Your proxy is valid until Fri Jun  9 04:15:05 2006
 | 
 |    Creating temporary proxy ...................................................... Done
 |    Contacting  kuiken.nikhef.nl:15050
 |    [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
 |    Error: Could not establish authenticated connection with 
 | the server.
 |    GSS Major Status: Authentication Failed
 |    GSS Minor Status Error Chain:
 |    globus_gss_assist: Error during context initialization
 |    globus_gsi_gssapi: Unable to verify remote side's credentials
 |    globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't verify the remote certificate
 |    OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
 |    SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
 | 
 | whereas:
 | 
 |    voms-proxy-init -voms gin -proxyver 2
 | 
 |    Your identity: /C=UK/O=eScience/OU=Manchester/L=MC/CN=michael jones
 |    Enter GRID pass phrase:
 |    Your proxy is valid until Fri Jun  9 04:21:13 2006
 | 
 |    Creating temporary proxy ........................................ Done
 |    Contacting  kuiken.nikhef.nl:15050
 |    [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
 |     Done
 |    Creating proxy ............................................ Done
 |    Your proxy is valid until Fri Jun  9 04:21:15 2006
 | 
 | Thanks,
 | Mike
 | 
 | 
 | On Thu, 8 Jun 2006, vincenzo.ciaschini at cnaf.infn.it wrote:
 | 
 | > One correction: this is already present in the gLite 1.5 
 | VOMS server 
 | > (corresponding to 1.6.10 VOMS version, and therefore also on those 
 | > that have been tested up to now by the gin group.
 | >
 | > Bye,
 | >  Vincenzo
 | > Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:
 | >
 | >> 
 | >> Just to let you know that due to a bug in gLite 1.5 and earlier:
 | >> VOMS attribute certificates as issued by the current 
 | instance of the 
 | >> gin.ggf.org VOMS cannot work inside an RFC proxy 
 | certificate due to 
 | >> the Holder section of the attribute certificate being set to the 
 | >> wrong DN and RFC proxies requiring different serial numbers.
 | >> 
 | >> This I believe is fixed in the gLite 3.0 VOMS server 
 | (vomsd needing 
 | >> to be run with the --newformat option). gLite 3.0 VOMS 
 | aware services 
 | >> recognise both the 'old' (broken) and 'new' formats.
 | >> 
 | >> This does not affect systems that currently construct a 
 | grid-mapfile 
 | >> for the purposes of authorisation.
 | >> 
 | >> Mike
 | >> 
 | >> --
 | >> http://www.sve.man.ac.uk/General/Staff/jonesM/
 | >> 
 | >> 
 | >
 | >
 | >
 | > ----------------------------------------------------------------
 | > This message was sent using IMP, the Internet Messaging Program.
 | >
 | 
 | --
 | http://www.sve.man.ac.uk/General/Staff/jonesM/
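Editor's added illustration of the holder-binding problem Mike describes (the AC's Holder field not pointing at the right certificate once an RFC proxy is in the chain). This is not code from the thread, from VOMS or from gLite: certificates and the attribute certificate are modelled as plain Python objects instead of parsed ASN.1, so it runs offline. Assumed details that the thread does not state: a legacy proxy is recognised by a trailing "CN=proxy" RDN and reuses the end-entity certificate's serial, an RFC 3820 proxy by the presence of the proxyCertInfo extension, and a correct (new-format style) AC holder is the baseCertificateID pair (issuer DN, serial) of the end-entity certificate. The "wrong holder" case is modelled simply as a holder that names a proxy certificate rather than the end-entity certificate; all DNs and serials are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str                 # DN in OpenSSL one-line form, e.g. "/O=Example/CN=user"
    issuer: str
    serial: int
    proxy_cert_info: bool = False   # True when the RFC 3820 proxyCertInfo extension is present


@dataclass(frozen=True)
class AcHolder:
    """AC holder in baseCertificateID form: issuer DN and serial of the holder certificate."""
    issuer: str
    serial: int


def cert_kind(cert: Cert) -> str:
    """Classify a chain element as an RFC 3820 proxy, a legacy (GT2-style) proxy or the EEC."""
    if cert.proxy_cert_info:
        return "rfc3820-proxy"
    if cert.subject.rsplit("/", 1)[-1] in ("CN=proxy", "CN=limited proxy"):
        return "legacy-proxy"
    return "eec"


def check_chain(chain: List[Cert]) -> Optional[str]:
    """chain is leaf-first. Returns None if every proxy's name is its issuer's DN plus
    exactly one CN component (the RFC 3820 naming rule, which legacy proxies also obey),
    otherwise a reason string."""
    for child, parent in zip(chain, chain[1:]):
        if cert_kind(child) == "eec":
            break
        if child.issuer != parent.subject:
            return f"{child.subject}: issuer does not match the next certificate in the chain"
        if not child.subject.startswith(parent.subject + "/CN="):
            return f"{child.subject}: subject is not the issuer DN plus one CN component"
        appended = child.subject[len(parent.subject) + 1:]
        if "/" in appended:
            return f"{child.subject}: more than one RDN appended to the issuer DN"
    return None


def end_entity(chain: List[Cert]) -> Cert:
    for cert in chain:
        if cert_kind(cert) == "eec":
            return cert
    raise ValueError("no end-entity certificate in chain")


def check_holder(holder: AcHolder, chain: List[Cert]) -> Tuple[bool, str]:
    """Accept the AC only if its holder binds to the end-entity certificate of the chain."""
    problem = check_chain(chain)
    if problem:
        return False, problem
    eec = end_entity(chain)
    if (holder.issuer, holder.serial) == (eec.issuer, eec.serial):
        return True, "AC holder binds to the end-entity certificate"
    for cert in chain:
        if (holder.issuer, holder.serial) == (cert.issuer, cert.serial):
            return False, (f"AC holder binds to a {cert_kind(cert)} ({cert.subject}), "
                           "not the end-entity certificate")
    return False, "AC holder matches no certificate in the chain"


# Constructed sample data (not real DNs or serials).
CA = "/O=Example Grid/CN=Constructed CA"
USER = "/O=Example Grid/OU=People/CN=Constructed User"
EEC = Cert(subject=USER, issuer=CA, serial=0x1234)
# Legacy proxy: "CN=proxy" appended, serial copied from the EEC (assumption about GT2 proxies).
LEGACY = Cert(subject=USER + "/CN=proxy", issuer=USER, serial=0x1234)
# RFC 3820 proxy: unique CN, its own serial, proxyCertInfo present.
RFC = Cert(subject=USER + "/CN=2864434397", issuer=USER, serial=2864434397, proxy_cert_info=True)

LEGACY_CHAIN = [LEGACY, EEC]
RFC_CHAIN = [RFC, EEC]

NEW_FORMAT_HOLDER = AcHolder(issuer=CA, serial=0x1234)           # bound to the EEC
PROXY_BOUND_HOLDER_LEGACY = AcHolder(issuer=USER, serial=0x1234)  # bound to the legacy proxy
PROXY_BOUND_HOLDER_RFC = AcHolder(issuer=USER, serial=2864434397)  # bound to the RFC proxy

if __name__ == "__main__":
    cases = [("new-format AC in legacy chain", NEW_FORMAT_HOLDER, LEGACY_CHAIN),
             ("new-format AC in RFC chain", NEW_FORMAT_HOLDER, RFC_CHAIN),
             ("proxy-bound AC in legacy chain", PROXY_BOUND_HOLDER_LEGACY, LEGACY_CHAIN),
             ("proxy-bound AC in RFC chain", PROXY_BOUND_HOLDER_RFC, RFC_CHAIN)]
    for name, holder, chain in cases:
        ok, why = check_holder(holder, chain)
        print(f"{name}: {'OK' if ok else 'REJECT'} - {why}")
```

The point the check makes is that a holder bound to the end-entity certificate is stable whichever proxy type sits above it, while a holder bound to a proxy certificate only ever matches the particular proxy (with its own serial) it was derived from, which is why such an AC cannot be carried inside a differently generated proxy.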