[gin-auth] Debugging Globus SSL (Was: Re: start Savannah run)
Mike 'Mike' Jones
mike.jones at manchester.ac.uk
Mon Feb 5 05:00:47 CST 2007
Hi Folks,
For debugging Globus SSL errors I have always found that
the globus-url-copy client tool provides the most useful output:
globus-url-copy -vb -dbg \
gsiftp://tg-gridftp.uc.teragrid.org:2811/etc/hosts \
file:///tmp/null
In this case gram and gsiftp are on different servers but, if the machines
are administered similarly then there should be some useful info to be
gleaned.
By the way, mapping all users to one account is a serious security flaw.
Just to illustrate, don't do this:
$ globus-job-run tg-grid1.uc.teragrid.org:2120 \
-stderr /dev/null \
/usr/bin/find .globus/.gass_cache \
-type f \
-mtime +1 \
-name data \
-exec openssl x509 -in '{}' -noout -subject -dates \;
Rgds,
Mike
On Mon, 5 Feb 2007, Oscar Koeroo wrote:
> Hi,
>
> Here are my 2cts worth:
>
> According to the SSL message (through Globus) it seems as if there is
> something wrong on the teragrid side with:
> - NTP, sounds stupid, but it may very well have such an error message as a
> result
> - The CA that Colin uses is not installed at the TeraGrid host
> - Out of date CAs, I dunno if the CA has roled over in the past months but
> this might be an issue
> - The fetch-crl client is out of date, disabling the used CA of Colin at the
> TeraGrid host which could result in such a message
>
>
>
>
> Oscar
>
More information about the gin-auth
mailing list