For its certificate authority (CA), our institution is using Microsoft
Certificate Services (MSCS) in its production environment. Our
intention is to use this CA to issue certificates for use with Globus.
Microsoft Certificate Services uses "Certificate Templates" to define
the attributes for certificate types. Below is a link to an article
about Windows 2000 Certificate Services (hopefully still relevant) which
covers the topic of Certificate Templates:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dscj_mcs_gfrr.mspx
With a client-side (user) certificate issued using the "Web Server"
certificate template, I am able to establish a TLS based secure
connection with a Globus service running under Java WS Core 4.0.5.
However, it appears the TLS connection fails when attempting to connect
with the same service running under Java WS Core 4.0.7. When this
happens, the client-side error message looks like this (nothing is
logged on the server side):

AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode:
 faultString: java.io.EOFException
 faultActor:
 faultNode:
 faultDetail:
    {http://xml.apache.org/axis/}stackTrace:java.io.EOFException
    at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
    at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
    at org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:110)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:140)
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2745)
    at org.apache.axis.client.Call.invoke(Call.java:2728)
    at org.apache.axis.client.Call.invoke(Call.java:2405)
    at org.apache.axis.client.Call.invoke(Call.java:2327)
    at org.apache.axis.client.Call.invoke(Call.java:1767)
    at net.agnis.grid.stubs.bindings.FormHandlerPortTypeSOAPBindingStub.ping(FormHandlerPortTypeSOAPBindingStub.java:1354)
    at net.agnis.grid.client.FormHandlerClient.ping(FormHandlerClient.java:396)
    at net.agnis.grid.client.PingClient.main(PingClient.java:84)
    ...
java.io.EOFException
    at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2745)
    at org.apache.axis.client.Call.invoke(Call.java:2728)
    at org.apache.axis.client.Call.invoke(Call.java:2405)
    at org.apache.axis.client.Call.invoke(Call.java:2327)
    at org.apache.axis.client.Call.invoke(Call.java:1767)
    at net.agnis.grid.stubs.bindings.FormHandlerPortTypeSOAPBindingStub.ping(FormHandlerPortTypeSOAPBindingStub.java:1354)
    at net.agnis.grid.client.FormHandlerClient.ping(FormHandlerClient.java:396)
    at net.agnis.grid.client.PingClient.main(PingClient.java:84)
Caused by: java.io.EOFException
    at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
    at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
    at org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:110)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:140)
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
    ... 12 more

The service is configured to use GSITransport, and to reject anonymous
access:

    <auth-method>
        <GSITransport>
            <protection-level>
                <privacy />
            </protection-level>
        </GSITransport>
    </auth-method>

    <ns1:defaultCommunicationMechanism anonymousPermitted="false"
            xsi:type="ns1:CommunicationMechanism">
        <ns1:GSITransport protectionLevel="privacy" xsi:type="ns1:GSITransport"/>
    </ns1:defaultCommunicationMechanism>

Questions:
1) Has something in Java WS Core (or cog-jglobus?) changed between 4.0.5
and 4.0.7 which would cause it to no longer accept the client-side
("Web Server" template) certificate we created using Microsoft
Certificate Services?
2) Is there documentation available which I could show our MSCS
administrators, to describe the certificate attributes required for
interoperability with Globus? Maybe something like this (?):

    [ v3_req ]
    basicConstraints = critical,CA:false
    keyUsage = keyAgreement,dataEncipherment,keyEncipherment,digitalSignature
    extendedKeyUsage = serverAuth,clientAuth,codeSigning,emailProtection,timeStamping

3) Is there any existing Microsoft Certificate Service "Certificate
Template" available which can be used to create a user certificate
compatible with Globus? (Template for host cert also needed?)
Help with this problem would be much appreciated.
Best regards,
Joel
--
Joel Schneider National Marrow Donor Program
Software Developer (Contractor) 3001 Broadway Street NE
phone: 612-617-8321 Minneapolis, MN 55413
email: [EMAIL PROTECTED] http://www.marrow.org/
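
Added example (not part of the original post, and not Globus or Microsoft code): this script uses OpenSSL's own purpose check as a stand-in validator to compare a constructed certificate whose extendedKeyUsage lists only serverAuth with one carrying the extension list proposed in question 2. The file names, the subject CN and the serverAuth-only case are assumptions made for illustration; the post does not say which extensions the "Web Server" template certificate contained, and Java WS Core's validation may differ from OpenSSL's.

```shell
#!/bin/sh
# Added example: build throwaway self-signed certificates with a chosen
# extendedKeyUsage and ask OpenSSL which TLS roles each one is allowed to play.

# make_cert PREFIX EKU_LIST -> writes PREFIX.pem (constructed test certificate).
# basicConstraints and keyUsage are the values proposed in the post.
make_cert() {
    prefix=$1; eku=$2
    cat > "$prefix.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_req
[ dn ]
CN = constructed-test-user
[ v3_req ]
basicConstraints = critical,CA:false
keyUsage = keyAgreement,dataEncipherment,keyEncipherment,digitalSignature
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$prefix.cnf" -keyout "$prefix.key" -out "$prefix.pem" 2>/dev/null
}

# purpose_of CERT.pem "SSL client" -> prints Yes or No for that exact purpose.
purpose_of() {
    openssl x509 -in "$1" -noout -purpose |
        awk -F' : ' -v p="$2" '$1 == p { print $2 }'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_cert "$work/server_only" "serverAuth"
make_cert "$work/posted_list" "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping"
for c in server_only posted_list; do
    printf '%-12s client=%s server=%s\n' "$c" \
        "$(purpose_of "$work/$c.pem" 'SSL client')" \
        "$(purpose_of "$work/$c.pem" 'SSL server')"
done
```

To inspect a real certificate exported from MSCS in PEM form, call `purpose_of` on that file instead of the constructed ones.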