[Pgi-wg] OGF PGI - Security Model - X509 proxies - Format and delegation

Etienne URBAH urbah at lal.in2p3.fr
Thu Apr 16 09:57:22 CDT 2009


Oxana,

Concerning X509 proxies accepted by VOMS servers :

VOMS servers with version older than 2.0 only accept Globus proxies.

After I fixed my PRIVATE version of the 'vomses' file, the 
'voms-proxy-init' client presents a Globus proxy to my old VOMS server, 
receives a Globus proxy with VOMS extensions, then converts it to a 
RFC-compliant proxy with VOMS extensions (according to Vincenzo's mail 
to me on 08 April 2004).

Some gLite commands accept RFC proxies, but the 
'glite-wms-job-delegate-proxy' command requires Globus proxies (see log 
below).

Anyway, the 'vomses' file, created by each VO manager, is installed 'as 
is' by system engineers, and best practices such as ITIL forbid us to 
require that each end user fix the content of this file himself. 
These best practices require that each 'vomses' file be fixed ONLY 
by its creator (the VO manager), and then deployed.


$ cat $GLITE_LOCATION/etc/vomses/vo.lal.in2p3.fr-grid12.lal.in2p3.fr.vo.ncm-vomsclient
"vo.lal.in2p3.fr" "grid12.lal.in2p3.fr" "20000" 
"/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr" "vo.lal.in2p3.fr"

$ perl -wpe 's/$/"2"/' $GLITE_LOCATION/etc/vomses/vo.lal.in2p3.fr-grid12.lal.in2p3.fr.vo.ncm-vomsclient > .glite/vomses/vo.lal.in2p3.fr-grid12.lal.in2p3.fr.vo.ncm-vomsclient

$ cat .glite/vomses/vo.lal.in2p3.fr-grid12.lal.in2p3.fr.vo.ncm-vomsclient
"vo.lal.in2p3.fr" "grid12.lal.in2p3.fr" "20000" 
"/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr" "vo.lal.in2p3.fr" "2"

$ voms-proxy-init -rfc -voms vo.lal.in2p3.fr
Enter GRID pass phrase:
Your identity: /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Etienne Urbah
Creating temporary proxy ...................................... Done
Contacting grid12.lal.in2p3.fr:20000 
[/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr] "vo.lal.in2p3.fr" 
Done
Creating proxy ......................... Done
Your proxy is valid until Fri Apr 17 03:15:50 2009

$ glite-wms-job-status -v 0 https://grid02.lal.in2p3.fr:9000/Z7juBUd0MCegqWG6ONugCQ

*************************************************************
BOOKKEEPING INFORMATION:

Status info for the Job : 
https://grid02.lal.in2p3.fr:9000/Z7juBUd0MCegqWG6ONugCQ
Current Status: Aborted
*************************************************************

$ glite-wms-job-delegate-proxy -d rfc

Connecting to the service 
https://node27.datagrid.cea.fr:7443/glite_wms_wmproxy_server

Connection failed: SSL_ERROR_SSL
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
SSL connect failed in tcp_connect()
Error code: SOAP-ENV:Client


Best regards.

----------------------------------
Etienne URBAH          IN2P3 - LAL
Bat 200     91898 ORSAY     France
Tel: +33 1 64 46 84 87
Mob: +33 6 22 30 53 27
Skype: etienne.urbah
mailto:urbah at lal.in2p3.fr
----------------------------------


On Thu, 16 Apr 2009, Oxana Smirnova wrote:
> Hi Etienne,
> 
>>
>> X509 proxies accepted by VOMS servers
>> -------------------------------------
>> I have tried to use a VOMS server with a RFC-3820-compliant X.509 proxy,
>> but it failed : See http://forge.gridforum.org/sf/go/doc15591?nav=1
>>
>> Can you confirm that VOMS servers only accept GSI-style X.509 proxies ?
> 
> 
> I can show that VOMS servers and clients (recent enough) work fine with 
> RFC-compliant proxies:
> 
> oxana at svalbard:~ > voms-proxy-init -version
> voms-proxy-init
> Version: 1.8.9
> Compiled: Nov 19 2008 20:50:14
> oxana at svalbard:~ > voms-proxy-init -voms knowarc.eu -rfc
> Cannot find file or dir: /etc/vomses
> Enter GRID pass phrase:
> Your identity: /O=Grid/O=NorduGrid/OU=hep.lu.se/CN=Oxana Smirnova
> Creating temporary proxy ....................................... Done
> Contacting  arthur.hep.lu.se:15001 
> [/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se] "knowarc.eu" Done
> Creating proxy 
> ................................................................................................. 
> Done
> Your proxy is valid until Thu Apr 16 15:49:56 2009
> 
> 
> Cheers,
> Oxana
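The thread above turns on a 'vomses' line that lacks the trailing version field, which the author patched by hand with a perl one-liner. The following checker is an added example written for this archive page, not code from the mail, from VOMS or from gLite. It parses each vomses line as a sequence of double-quoted fields, reports lines that are malformed or have no version field, and appends a version field the way the one-liner did, but always with a separating space. The field names (alias, host, port, server DN, VO, version) are this example's assumption about the field order shown in the mail; the sample file is constructed from the two lines visible in the mail plus one deliberately malformed line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A vomses line is a run of double-quoted fields. The field names below
# follow the order visible in the mail (alias, host, port, server DN, VO)
# plus an optional trailing version field; the names are an assumption of
# this example, not something the mail defines.
QUOTED_FIELD = re.compile(r'"([^"]*)"')


@dataclass(frozen=True)
class VomsesEntry:
    alias: str
    host: str
    port: int
    server_dn: str
    vo: str
    version: Optional[str]  # None when the trailing field is absent


def parse_vomses_line(line: str) -> VomsesEntry:
    """Parse one vomses line into its fields, validating what can be validated."""
    fields = QUOTED_FIELD.findall(line)
    if len(fields) not in (5, 6):
        raise ValueError(f"expected 5 or 6 quoted fields, found {len(fields)}")
    alias, host, port_text, server_dn, vo = fields[:5]
    version = fields[5] if len(fields) == 6 else None
    if not port_text.isdigit() or not 0 < int(port_text) < 65536:
        raise ValueError(f"port is not a valid TCP port: {port_text!r}")
    if not server_dn.startswith("/"):
        raise ValueError(f"server DN does not look like an X.509 subject: {server_dn!r}")
    if not (alias and host and vo):
        raise ValueError("alias, host and VO name must be non-empty")
    return VomsesEntry(alias, host, int(port_text), server_dn, vo, version)


def check_vomses(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for every line that is malformed
    or that carries no version field; blank and '#' comment lines are skipped."""
    findings: List[Tuple[int, str]] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entry = parse_vomses_line(line)
        except ValueError as exc:
            findings.append((number, f"malformed: {exc}"))
            continue
        if entry.version is None:
            findings.append((number, f"{entry.alias}: no version field"))
    return findings


def add_version_field(line: str, version: str = "2") -> str:
    """Append a version field to a line that has none; lines that already
    carry one are returned unchanged. A separating space is always emitted,
    so the new field never runs into the previous closing quote."""
    if parse_vomses_line(line).version is not None:
        return line
    return f'{line.rstrip()} "{version}"'


# Constructed sample: the two lines shown in the mail plus a bad port.
LINE_WITHOUT_VERSION = (
    '"vo.lal.in2p3.fr" "grid12.lal.in2p3.fr" "20000" '
    '"/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr" "vo.lal.in2p3.fr"'
)
LINE_WITH_VERSION = LINE_WITHOUT_VERSION + ' "2"'
SAMPLE_VOMSES = "\n".join([
    "# constructed vomses file for the example",
    LINE_WITHOUT_VERSION,
    LINE_WITH_VERSION,
    '"bad.vo" "voms.example.invalid" "abc" "/O=Example/CN=voms" "bad.vo"',
])

if __name__ == "__main__":
    for number, finding in check_vomses(SAMPLE_VOMSES):
        print(f"line {number}: {finding}")
    print(add_version_field(LINE_WITHOUT_VERSION))
```

The fields are extracted with a regex over quoted substrings rather than with shlex, because shlex joins adjacent quoted strings into one token; a line produced by `s/$/"2"/` on input with no trailing space would then be read as a single five-field line whose VO name ends in `2`, and the missing-version problem would be masked instead of reported.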