On Aug 19, 2008, at 5:10 PM, Roland Luethy wrote:


grid-cert-info -subject
/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/OU=proteowizrd.org/CN=Roland Luethy

grid-cert-info -file ~/globus/grid-security/containercert.pem -subject
/O=Grid/OU=Cedars-Sinai/OU=cammcc.proteowizrd.org/CN=host/cammcc.proteowizrd.org

What was the -issuer for the containercert? If it was signed by your simpleCA, that's going to be the policy violation. The DN here does not match the "cond_subjects" in the signing policy.


Charles

grid-cert-info -file ~/globus/grid-security/containercert.pem -issuer
/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=Globus Simple CA

cat ~/globus/grid-security/certificates/d71d2598.signing_policy | tail -10
#--------------| ---------------|-----------------------------------------
# EACL entry #1|

access_id_CA      X509          '/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=Globus Simple CA'

pos_rights        globus        CA:sign

cond_subjects     globus        '"/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/*"'

# end of EACL


On Tue, 2008-08-19 at 16:56 -0500, Charles Bacon wrote:
For the client: grid-cert-info -subject
For the server: grid-cert-info -file /etc/grid-security/containercert.pem -subject

-issuer will give you the name of the issuer.  Then you can use
grid-cert-info -subject on the various .0 files in /etc/grid-security to
find the one that matches.  Then the signing_policy file will have
some regexps of what the CA is allowed to sign.


Charles

On Aug 19, 2008, at 4:47 PM, Roland Luethy wrote:

OK. I installed 4.0.8 and tried again. globusrun-ws still gives the same
error message. The error in the server log is now:

2008-08-19 14:41:20,978 ERROR container.ServiceThread [ServiceThread-76,run:297] Unexpected error during request processing
java.lang.NullPointerException
        at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:151)
        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)

How do I find the DN on the server and client sides?

Thanks

Roland

On Tue, 2008-08-19 at 13:00 -0500, Charles Bacon wrote:
Is it possible to upgrade to 4.0.8? I believe the diagnostics should
improve for the policy violation, or it should just be fixed.

If you can't upgrade, it sounds like one of the signing policies in
use does not correspond to the subject name being presented.  In which
case, I'd be interested in the DN on the server and client sides, as
well as the signing_policy of the corresponding CA.


Charles

On Aug 19, 2008, at 12:24 PM, Roland Luethy wrote:

Hi all,

We are trying to use globus for a project and are having problems
with authorization when submitting jobs. There are several caveats with
our installation: it is a nonroot installation, version 4.0.6, on a
system with an older globus installation. We removed all environment
variables referring to the older version and set the GLOBUS_PATH,
GLOBUS_LOCATION, GRID_SECURITY_DIR, X509_CERT_DIR and GRIDMAP variables
to point to our files.

When submitting a job we get the following error:

globusrun-ws -submit -f gramtest -dbg
Submitting job...Failed.
globusrun-ws: Error submitting job
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Error with signing policy
globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given>

The corresponding error from the globus server is this:

2008-08-19 10:19:23,495 ERROR container.GSIServiceThread [ServiceThread-20,process:147] Error processing request
java.io.EOFException
        at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
        at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
        at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:122)
        at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:142)
        at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
        at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:99)
        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)


Any help is highly appreciated.

Thanks

Roland Luethy
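
The signing-policy check discussed in this thread, as an added example that is not part of the original messages and is not Globus code: it parses the quoted EACL entry and tests both subject DNs from the thread against the CA's cond_subjects. The function names are hypothetical, each policy entry is assumed to sit on one line, and only "*" is treated as a wildcard, which simplifies whatever matching Globus itself performs.

```python
import re

# Constructed sample: the EACL entry quoted in the thread, one entry per line.
SIGNING_POLICY = """\
# EACL entry #1|
access_id_CA   X509    '/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=Globus Simple CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/*"'
# end of EACL
"""
# DNs as reported by grid-cert-info in the thread.
CA_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=Globus Simple CA"
USER_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/OU=proteowizrd.org/CN=Roland Luethy"
HOST_DN = "/O=Grid/OU=Cedars-Sinai/OU=cammcc.proteowizrd.org/CN=host/cammcc.proteowizrd.org"


def parse_signing_policy(text):
    """Return {CA DN: [allowed subject patterns]} from EACL entries."""
    policies, current_ca = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(\S+)\s+(.*)$", line)
        if not m:
            continue
        key, _kind, value = m.groups()
        value = value.strip().strip("'")
        if key == "access_id_CA":
            current_ca = value
            policies[current_ca] = []
        elif key == "cond_subjects" and current_ca is not None:
            # Patterns are double-quoted inside the single-quoted value.
            policies[current_ca] += re.findall(r'"([^"]+)"', value) or value.split()
    return policies


def pattern_matches(pattern, dn):
    """Assumption: '*' is the only wildcard; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, dn) is not None


def subject_allowed(policies, issuer_dn, subject_dn):
    """True if the issuer's policy permits signing this subject DN."""
    return any(pattern_matches(p, subject_dn) for p in policies.get(issuer_dn, []))


if __name__ == "__main__":
    policies = parse_signing_policy(SIGNING_POLICY)
    for dn in (USER_DN, HOST_DN):
        verdict = "allowed" if subject_allowed(policies, CA_DN, dn) else "POLICY VIOLATION"
        print(f"{verdict}: {dn}")
```

An issuer with no entry in the parsed policy is treated as allowing nothing, so a certificate from an unknown CA fails the check rather than passing it.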


