[gin-ops] [gin-auth] start Savannah run

Colin Enticott Colin.Enticott at csse.monash.edu.au
Mon Dec 11 22:22:14 CST 2006 

Hi Stuart,

The errors are below.  Yes, as you can see the gt4 error said it was a
connection error.  Arguably, unable to establish trust is a connection
error, but yes, we started to investigate firewall problems rather than CA
issues.

Seeing as we are discussing error reporting, I always found the gt2.4 error
messages hard to read.  After a while, I started to look for key words in
the message (and in this case it was the word trust) and work my way from
there.  It always wasn't clear if it was an error message from the client or
the server.  

What I propose is the first line should say "Error from client/server" and
weather if it is a socket or trust error and if so, which socket or
certificate has caused the problem.  I believe this would save a few
headaches for test-bed creators.

GT4 error:
$ globusrun -a -r tg-grid1.uc.teragrid.org

GRAM Authentication test failure: connecting to the job manager failed.
Possible reasons: job terminated, invalid job contact, network problems, ...

GT2.4 error:
$ globusrun -a -r tg-grid1.uc.teragrid.org

GRAM Authentication test failure: authentication failed:
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:

init.c:499: globus_gss_assist_init_sec_context_async: Error during context
initialization
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify
remote side's credentials
globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake
problems: Couldn't do ssl handshake
OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function
SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could
not verify credential
globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not
verify credential
globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error
with signing policy
globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth: Error in
OLD GAA code: Error checking certificate with subject
/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against
signing policy file /etc/grid-security/certificates/d1b603c3.signing_policy


Thanks,
Colin

---
Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia


> -----Original Message-----
> From: Stuart Martin [mailto:smartin at mcs.anl.gov]
> Sent: Friday, 8 December 2006 2:52 AM
> To: Colin Enticott
> Cc: 'JP Navarro'; gin-auth at ggf.org; D.Bannon at vpac.org; gin-ops at ggf.org;
> 'Terrence Martin'
> Subject: Re: [gin-ops] [gin-auth] start Savannah run
> 
> Hi Colin,
> 
> Can you provide the error output for the gt4 commands you tried in
> this situation?  If the error reporting has become less effective,
> then we (GT) need to fix that.
> 
> Thanks,
> Stu
> 
> On Dec 5, 2006, at Dec 5, 6:34 PM, Colin Enticott wrote:
> > I've noticed in the past the gt4 gives less error messages than
> > gtk2.4, so I
> > tried globusrun with gtk2.4.3 and got this error:
> >
> > ...
> > globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth:
> > Error in
> > OLD GAA code: Error checking certificate with subject
> > /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against
> > signing policy file /etc/grid-security/certificates/
> > d1b603c3.signing_policy

More information about the gin-ops mailing list