Jim
Thanks for the response.
We should have mentioned that we had tried all of the settings of
GT_PROXY_MODE we know of (none, old and rfc). I just tried again with
GT_PROXY_MODE=old and got the same application failure.
For reference, here is the result of a grid-proxy-info:
$ grid-proxy-info
subject : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander/CN=proxy/CN=proxy/CN=proxy
issuer : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander/CN=proxy/CN=proxy
identity : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander
type : full legacy globus proxy
strength : 1024 bits
path : /tmp/x509up_u1014
timeleft : 11:59:52
Looks reasonable enough to me, but I clearly don't know what to look
for, or I'd have fixed this by now! :)
Any thoughts?
Thanks
Howard
Jim Basney wrote:
Steve,
Just a guess... Maybe the new proxy in the myproxy-server is of a
different "type" than the old one
(http://dev.globus.org/wiki/Security/ProxyCertTypes), and some
software in your software stack isn't upgraded to handle that new
proxy type. You may want to have Howard try setting
GT_PROXY_MODE="old" in his environment and running myproxy-init
again. This will store a "legacy globus proxy" in the MyProxy
repository. (You can verify the proxy type by running
myproxy-get-delegation then grid-proxy-info.) If that fixes the
problem, you may want to investigate to see what software needs to be
updated to work with the new proxy types. If not, maybe someone else
on the list will have a better suggestion...
-Jim
Steve Thorpe wrote:
Hello Globus and CoG Friends,
Have been struggling with my colleague Howard Lander from RENCI since
yesterday on a Globus proxy related problem. We've had a functioning
workflow for a couple years now, that sends globus jobs out to
various sites on the grid.
The other day Howard's credential expired, so he got it upgraded and
uploaded it to the myproxy server the system uses. Success of this
process was confirmed from the command line to the remote resources,
by using myproxy-get-delegation then globus-job-run and globus-url-copy.
Next we tried submitting from our Java-based system that uses GRAM to
run remote jobs, after first retrieving the proxy from the MyProxy
server. Although the command-line tests run remote jobs just fine,
from the Java system we're suddenly getting "Defective Credential
Detected" Exceptions, as in:
[java] 11:13:58 Apr 29 2008 ERROR [Thread-10] (GassServer.java:427) - Error writing response: Authentication failed [Caused by: Defective credential detected [Caused by: CA certificate cannot sign Proxy Certificate]]
(See below for a stack trace if you're interested in the gory details).
This is frustrating the heck out of us, as things were working fine
for so long, and in fact still work fine from the command line.
Wonder if anyone might possibly have any suggestions?
Many thanks,
Steve
[java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Running scoops.itsc.uah.edu:/state/partition1/home/thorpe/estimateNumFreeCPUsUAH_cluster.sh with non-null cred
[java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Cred name: /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander
[java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Remaining lifetime: 43199
[java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - GASS URL: https://152.54.1.70:40000
[java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Writing proxy file: /tmp/x509up_u200
[java] 11:13:53 Apr 29 2008 INFO [main] (?:?) - Sending job request to: scoops.itsc.uah.edu
[java] 11:13:53 Apr 29 2008 INFO [main] (?:?) - with non-null credential
[java] 11:13:53 Apr 29 2008 ERROR [Thread-4] (GassServer.java:427) - Error writing response: Authentication failed [Caused by: Defective credential detected [Caused by: CA certificate cannot sign Proxy Certificate]]
[java] Authentication failed
--
Howard Lander <mailto:[EMAIL PROTECTED]>
Senior Research Software Developer
Renaissance Computing Institute <http://www.renci.org>
The University of North Carolina at Chapel Hill
Duke University
North Carolina State University
100 Europa Drive
Suite 540
Chapel Hill, NC 27517
919-445-9651
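
Added example, not part of the original thread or of Globus/CoG code: a small Python check that reads grid-proxy-info output like the one quoted above and reports the delegation depth, the proxy naming style at each level, and whether the subject, issuer and identity DNs are consistent with each other. The function names are hypothetical, the sample is the thread's output with wrapped lines joined, and it assumes DN values contain no "/".

```python
import re

# Constructed sample: the grid-proxy-info output from the thread, wrapped lines joined.
SAMPLE = """\
subject  : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander/CN=proxy/CN=proxy/CN=proxy
issuer   : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander/CN=proxy/CN=proxy
identity : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander
type     : full legacy globus proxy
"""

def parse_info(text):
    """Parse 'key : value' lines, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def rdns(dn):
    """Split a slash-form DN into components (assumes no '/' inside values)."""
    return [part for part in dn.split("/") if part]

def proxy_style(rdn):
    """Name the proxy naming style of one DN component, or None if not a proxy CN."""
    if rdn in ("CN=proxy", "CN=limited proxy"):
        return "legacy"
    if re.fullmatch(r"CN=\d+", rdn):
        return "rfc-or-draft"   # RFC 3820 and pre-RFC draft proxies use a numeric CN
    return None

def check_proxy(text):
    """Check DN consistency of a proxy and report its delegation depth."""
    f = parse_info(text)
    subject, issuer, identity = rdns(f["subject"]), rdns(f["issuer"]), rdns(f["identity"])
    base, styles = list(subject), []
    # Peel proxy components off the end, never going below the identity DN.
    while len(base) > len(identity) and proxy_style(base[-1]):
        styles.append(proxy_style(base.pop()))
    return {
        "depth": len(styles),                       # number of delegation steps
        "styles": sorted(set(styles)),              # more than one entry = mixed chain
        "issuer_matches": subject[:-1] == issuer,   # subject = issuer + one proxy CN
        "identity_matches": base == identity,       # what remains is the user's DN
        "reported_type": f.get("type", ""),
    }

if __name__ == "__main__":
    print(check_proxy(SAMPLE))
```

Running the same check on the proxy file each component actually uses (the command-line one and the one the Java system writes) shows whether they differ in depth or naming style.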