RE: [gt-user] Pre-WS Authentication & Authorization error

[Andrea Lelj Garolla Di Bard]

Hi Charles,
 
I just modify the Borja's tutorial to make my service, I'll put at the end of 
this mail the wsdl and the client that I modify. To start the container i just 
use the "globus-start-container -nosec" command like in the tutorial.
Trying to resolve my problem I have realized that if I point the 
X509_USER_CERT/KEY respectively to usercert.pem, userkey.pem when i try to do 
"globus-url-copy gsiftp://orion.ing.unina2.it:2812/home/scope/andrea/Prova.dat 
file:///home/scope/Prova.dat_copy" I get se following error:
 
[EMAIL PROTECTED] .globus]$ globus-url-copy 
gsiftp://orion.ing.unina2.it:2812/home/scope/andrea/Prova.dat 
file:///home/scope/Prova.dat_copy
 
error: globus_ftp_control: gss_init_sec_context failedGSS Major Status: 
Unexpected Gatekeeper or Service Nameglobus_gsi_gssapi: Authorization denied: 
The name of the remote host (andrea), and the expected name for the remote host 
(orion.ing.unina2.it) do not match. This happens when the name in the host 
certificate does not match the information obtained from DNS and is often a DNS 
configuration problem.
instead, if i point my X509_USER_CERT/KEY to host cert and key, it works:
 
[EMAIL PROTECTED] .globus]$ grid-proxy-init 
Your identity: 
/O=Grid/OU=GlobusTest/OU=simpleCA-orion.ing.unina2.it/CN=host/orion.ing.unina2.itCreating
 proxy ................................... DoneYour proxy is valid until: Thu 
Jan 10 23:15:57 2008
[EMAIL PROTECTED] .globus]$ globus-url-copy 
gsiftp://orion.ing.unina2.it:2812/home/scope/andrea/Prova.dat 
file:///home/scope/Prova.dat_copy
 
I haven't installed SUDO but I think that it was present because there is 
another installation (root installation) of GT (maybe older than 4.0.5) on the 
cluster.
 
 
----WSDL----
 
<?xml version="1.0" encoding="UTF-8"?><definitions name="MathService"    
targetNamespace="http://www.globus.org/namespaces/examples/core/MathService_instance";
    xmlns="http://schemas.xmlsoap.org/wsdl/";    
xmlns:tns="http://www.globus.org/namespaces/examples/core/MathService_instance"; 
   xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";    
xmlns:wsrp="http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceProperties-1.2-draft-01.xsd";
    
xmlns:wsrpw="http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceProperties-1.2-draft-01.wsdl";
    xmlns:wsdlpp="http://www.globus.org/namespaces/2004/10/WSDLPreprocessor";    
xmlns:xsd="http://www.w3.org/2001/XMLSchema";>
<wsdl:import    namespace=    
"http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceProperties-1.2-draft-01.wsdl";
    location="../../wsrf/properties/WS-ResourceProperties.wsdl" />
<!--============================================================
                      T Y P E S
  
============================================================--><types><xsd:schema
 
targetNamespace="http://www.globus.org/namespaces/examples/core/MathService_instance";
    
xmlns:tns="http://www.globus.org/namespaces/examples/core/MathService_instance"; 
   xmlns:xsd="http://www.w3.org/2001/XMLSchema";>
        <!-- REQUESTS AND RESPONSES -->
        <xsd:element name="sottometti">               <xsd:complexType/>        
</xsd:element>        <xsd:element name="sottomettiResponse">                
<xsd:complexType/>        </xsd:element>
        <!-- RESOURCE PROPERTIES -->
</xsd:schema></types>
<!--============================================================
                       M E S S A G E S
  ============================================================--><message 
name="SottomettiInputMessage">        <part name="parameters" 
element="tns:sottometti"/></message><message name="SottomettiOutputMessage">    
    <part name="parameters" element="tns:sottomettiResponse"/></message>
 
<!--============================================================
                       P O R T T Y P E
  ============================================================--><portType 
name="MathPortType"    wsdlpp:extends="wsrpw:GetResourceProperty"    
wsrp:ResourceProperties="tns:MathResourceProperties">
        <operation name="sottometti">                <input 
message="tns:SottomettiInputMessage"/>                <output 
message="tns:SottomettiOutputMessage"/>        </operation>
</portType>
</definitions>                    
 
 
-----Client.java----
 
package org.globus.examples.clients.MathService_instance
;
import org.apache.axis.message.addressing.Address;import 
org.apache.axis.message.addressing.EndpointReferenceType;
import org.globus.examples.stubs.MathService_instance.MathPortType;import 
org.globus.examples.stubs.MathService_instance.Sottometti;import 
org.globus.examples.stubs.MathService_instance.service.MathServiceAddressingLocator;
 
public class Client {
        public static void main(String[] args) {                
MathServiceAddressingLocator locator = new MathServiceAddressingLocator();
                try {                        String serviceURI = args[0];
                        // Create endpoint reference to service                 
       EndpointReferenceType endpoint = new EndpointReferenceType();            
            endpoint.setAddress(new Address(serviceURI));                       
 MathPortType math = locator.getMathPortTypePort(endpoint);
                        // Get PortType                        math = 
locator.getMathPortTypePort(endpoint);
                        // Perform submission                        
math.sottometti(new Sottometti());
                } catch (Exception e) {                        
e.printStackTrace();                }        }
}
 
 
--------
 
Thanks for your help.
Andrea
> CC: gt-user@globus.org> From: [EMAIL PROTECTED]> Subject: Re: [gt-user] 
> Pre-WS Authentication & Authorization error> Date: Wed, 9 Jan 2008 14:45:25 
> -0600> To: [EMAIL PROTECTED]> > I'm a little curious about your port number. 
> You show 8080 in your > example, but that's usually only used when SSL is not 
> being used. > How are you starting your container? If you use -nosec, an SSL 
> > client should fail to connect.> > > Charles> > On Jan 7, 2008, at 10:37 AM, 
> Andrea Lelj Garolla Di Bard wrote:> > > Hi All,> >> > I tried one of the 
> tests that i found at Pre-WS Authentication & > > Authorization web page in 
> Globus web Site (http://www.globus.org/ > > 
> toolkit/docs/4.0/security/prewsaa/user-index.html), it give me this > > 
> error:> >> > -----> >> > [EMAIL PROTECTED] globus-4.0.5]$ openssl s_client 
> -ssl3 -cert /home/ > > scope/.globus/usercert.pem -key 
> /home/scope/.globus/userkey.pem - > > CApath 
> $GLOBUS_LOCATION/etc/grid-security/certificates -connect > > 
> 143.225.25.111:8080> >> > Enter PEM pass phrase:> > CONNECTED(00000003)> > 
> 30942:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version > > 
> number:s3_pkt.c:286:> >> > -----> >> >> > Googling arround I found, in Apache 
> web site> > 
> (http://mail-archives.apache.org/mod_mbox/httpd-bugs/200603.mbox/% > > [EMAIL 
> PROTECTED]),> > that this error is generated by a SSL Bug:> >> > -----> >> > 
> ------- Additional Comments From [EMAIL PROTECTED] > > 2006-03-02 18:58 
> -------> > (In reply to comment #11)> > The bug is definitely still present 
> in 2.0.55. I am testing on > > Linux, and I> > suspect most of the others 
> involved have been testing on something > > that uses the> > unix build of 
> httpd in one way or another.> >> > However, I would be surprised if this is a 
> platform specific bug, > > based on what> > the real problem is (bug is in 
> proxy_connect, not in mod_ssl). Are > > you sure you> > understand the 
> original test case? For my testing, I am using > > "openssl s_client> > 
> -connect 127.0.0.1:443" on the same machine running the server, and > > 
> sending a> > CONNECT request to the server through this SSL channel. The 
> client > > errors out> > with "15949:error:1408F10B:SSL 
> routines:SSL3_GET_RECORD:wrong version> > number:s3_pkt.c:286:" when the 
> proxy_connect module starts to send > > data because> > proxy_connect is 
> writing to the socket directly instead of going > > through the> > filter 
> stack. Because it skips the filter stack, the SSL module > > doesn't get> > 
> called and the data is sent in the clear.> >> > ------> >> >> > Is it 
> possible that this error is related to the following error > > that I get in 
> the container, when i try to use Delegetion Service???:> >> > -----> >> > 
> 2007-12-26 15:55:56,309 ERROR service.DelegationResource > > 
> [RunQueueThread_2,authorize:386] "/O=Grid/OU=GlobusTest/OU=simpleCA- > > 
> orion.ing.unina2.it/OU=ing.unina2.it/CN=andrea lelj" is not > > authorized to 
> access this resource> > 2007-12-26 15:55:56,314 ERROR 
> service.ReliableFileTransferResource > > 
> [RunQueueThread_2,processDelegatedCredential:389] Error processing > > 
> delegated credential"/O=Grid/OU=GlobusTest/OU=simpleCA- > > 
> orion.ing.unina2.it/OU=ing.unina2.it/CN=andrea lelj" is not > > authorized to 
> access this resource> > org.globus.delegation.DelegationException: 
> "/O=Grid/OU=GlobusTest/ > > 
> OU=simpleCA-orion.ing.unina2.it/OU=ing.unina2.it/CN=andrea lelj" is > > not 
> authorized to access this resource> >> > ------> >> > Thanks in Advance.> > 
> Andrea> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > 
> Interviste, concerti, news e videoclip! Solo su MSN Video! MSN Video> 
_________________________________________________________________
Conosci Doretta? Contattala, è ora su Messenger!
http://www.doretta82.it/banner/index.html