[Pgi-wg] OGF PGI - Security Model - X509 proxies - Format and delegation
Etienne URBAH
urbah at lal.in2p3.fr
Thu Apr 16 09:57:22 CDT 2009
Oxana,

Concerning X509 proxies accepted by VOMS servers :

VOMS servers with version older than 2.0 only accept Globus proxies.

After I fixed my PRIVATE version of the 'vomses' file, the
'voms-proxy-init' client presents a Globus proxy to my old VOMS server,
receives a Globus proxy with VOMS extensions, then converts it to an
RFC-compliant proxy with VOMS extensions (according to Vincenzo's mail
to me on 08 April 2004).

Some gLite commands accept RFC proxies, but the
'glite-wms-job-delegate-proxy' command requires Globus proxies (see log
below).

Anyway, the 'vomses' file, created by each VO manager, is installed 'as
is' by system engineers, and best practices such as ITIL forbid us to
require that each end user fixes the content of this file himself.
These best practices require that each 'vomses' file must be fixed ONLY
by its creator (the VO manager), and then deployed.

$ cat $GLITE_LOCATION/etc/vomses/vo.lal.in2p3.fr-grid12.lal.in2p3.fr.vo.ncm-vomsclient
"vo.lal.in2p3.fr" "grid12.lal.in2p3.fr" "20000" "/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr" "vo.lal.in2p3.fr"

$ perl -wpe 's/$/"2"/' $GLITE_LOCATION/etc/vomses/vo.lal.in2p3.fr-grid12.lal.in2p3.fr.vo.ncm-vomsclient > .glite/vomses/vo.lal.in2p3.fr-grid12.lal.in2p3.fr.vo.ncm-vomsclient

$ cat .glite/vomses/vo.lal.in2p3.fr-grid12.lal.in2p3.fr.vo.ncm-vomsclient
"vo.lal.in2p3.fr" "grid12.lal.in2p3.fr" "20000" "/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr" "vo.lal.in2p3.fr" "2"

$ voms-proxy-init -rfc -voms vo.lal.in2p3.fr
Enter GRID pass phrase:
Your identity: /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Etienne Urbah
Creating temporary proxy ...................................... Done
Contacting grid12.lal.in2p3.fr:20000
[/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr] "vo.lal.in2p3.fr" Done
Creating proxy ......................... Done
Your proxy is valid until Fri Apr 17 03:15:50 2009

$ glite-wms-job-status -v 0 https://grid02.lal.in2p3.fr:9000/Z7juBUd0MCegqWG6ONugCQ
*************************************************************
BOOKKEEPING INFORMATION:
Status info for the Job : https://grid02.lal.in2p3.fr:9000/Z7juBUd0MCegqWG6ONugCQ
Current Status: Aborted
*************************************************************

$ glite-wms-job-delegate-proxy -d rfc
Connecting to the service https://node27.datagrid.cea.fr:7443/glite_wms_wmproxy_server
Connection failed: SSL_ERROR_SSL
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
SSL connect failed in tcp_connect()
Error code: SOAP-ENV:Client

Best regards.
----------------------------------
Etienne URBAH IN2P3 - LAL
Bat 200 91898 ORSAY France
Tel: +33 1 64 46 84 87
Mob: +33 6 22 30 53 27
Skype: etienne.urbah
mailto:urbah at lal.in2p3.fr
----------------------------------
On Thu, 16 Apr 2009, Oxana Smirnova wrote:
> Hi Etienne,
>
>>
>> X509 proxies accepted by VOMS servers
>> -------------------------------------
>> I have tried to use a VOMS server with a RFC-3820-compliant X.509 proxy,
>> but it failed : See http://forge.gridforum.org/sf/go/doc15591?nav=1
>>
>> Can you confirm that VOMS servers only accept GSI-style X.509 proxies ?
>
>
> I can show that VOMS servers and clients (recent enough) work fine with
> RFC-compliant proxies:
>
> oxana at svalbard:~ > voms-proxy-init -version
> voms-proxy-init
> Version: 1.8.9
> Compiled: Nov 19 2008 20:50:14
> oxana at svalbard:~ > voms-proxy-init -voms knowarc.eu -rfc
> Cannot find file or dir: /etc/vomses
> Enter GRID pass phrase:
> Your identity: /O=Grid/O=NorduGrid/OU=hep.lu.se/CN=Oxana Smirnova
> Creating temporary proxy ....................................... Done
> Contacting arthur.hep.lu.se:15001
> [/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se] "knowarc.eu" Done
> Creating proxy
> .................................................................................................
> Done
> Your proxy is valid until Thu Apr 16 15:49:56 2009
>
>
> Cheers,
> Oxana
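
Added example, not part of the original message or of the VOMS or gLite code: a check a VO manager could run on a 'vomses' file before deployment, reporting entries for old VOMS servers that still lack the trailing "2" field appended in the log above. The field labels, the legacy_hosts set and the function names are assumptions of this example, and each entry is assumed to occupy one line in the file.

```python
import shlex

# Field names are labels chosen for this example; the layout follows the
# entry shown in the message: five quoted fields plus an optional sixth.
FIELDS = ("alias", "host", "port", "host_dn", "vo", "sixth")


def parse_vomses(text):
    """Parse vomses text into a list of dicts, one per non-blank line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            parts = shlex.split(raw)  # handles the double-quoted fields
        except ValueError as exc:  # e.g. an unterminated quote
            raise ValueError(f"line {lineno}: {exc}") from None
        if len(parts) not in (5, 6):
            raise ValueError(f"line {lineno}: expected 5 or 6 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry.setdefault("sixth", None)
        if not entry["port"].isdigit() or not entry["host_dn"].startswith("/"):
            raise ValueError(f"line {lineno}: bad port or host DN")
        entry["line"] = lineno
        entries.append(entry)
    return entries


def missing_sixth_field(text, legacy_hosts, wanted="2"):
    """Return (line, host) for legacy-server entries lacking the wanted sixth field.

    legacy_hosts is an assumption of this example: the set of VOMS hosts the
    VO manager knows to run a version older than 2.0.
    """
    return [(e["line"], e["host"]) for e in parse_vomses(text)
            if e["host"] in legacy_hosts and e["sixth"] != wanted]


# Constructed sample: the entry from the message, before and after the fix.
DEPLOYED = ('"vo.lal.in2p3.fr" "grid12.lal.in2p3.fr" "20000" '
            '"/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr" "vo.lal.in2p3.fr"\n')
FIXED = DEPLOYED.rstrip("\n") + ' "2"\n'

if __name__ == "__main__":
    legacy = {"grid12.lal.in2p3.fr"}
    print(missing_sixth_field(DEPLOYED, legacy))  # entry still needs the fix
    print(missing_sixth_field(FIXED, legacy))     # nothing left to fix
```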