Hi Christopher,

Thank you for your time and help. I'm new to Globus, new to OGSA-DAI, and new to security... so trying to set up all this is a bit overwhelming (and it's highly probable that I misunderstood something in the GT4 and OGSA-DAI documentation). Let's see if I can explain myself more clearly.
My client is running on the same host as my OGSA-DAI server, which is deployed on the GT4 Java WS Core standalone container. There's a second host, where there is a whole deployment of GT4, where there is the GridFTP server I want to use, and the SimpleCA that has signed my host and user certificates. I'm not the administrator of this second host, so I don't have direct access to its configuration.

I've configured my host with the trusted CA, putting the <CAhash>.0 and <CAhash>.signing_policy files at %USERPROFILE%\.globus. These are the ones of the SimpleCA of the 2nd host. I created a grid proxy with my host certificate. When I call the OGSA-DAI service I'm using the Globus delegated credentials, using, as I said, GSI Secure Conversation and HostAuthentication. I've also configured my OGSA-DAI service to run as caller identity, so that the OGSA-DAI service can call other services as if it were the original caller (i.e., my client). Does this configuration make sense?

As you pointed out, I believe the problem could be in the configuration of the GridFTP server, but I'm not sure how to proceed on that. In any case, I'll try to check what you suggested.

Best,
Sandra

> -----Original Message-----
> From: Christopher Kunz [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 20 November 2008 13:09
> To: Sandra Jimenez Doval
> Cc: [email protected]
> Subject: Re: [gt-user] Security issues - Windows , OGSA-DAI and GridFTP
>
> Sandra Jimenez Doval wrote:
>
> > I'm using a host certificate that was signed using SimpleCA. I created a
> > grid proxy with this host certificate, and I'm configuring OGSA-DAI to
> > use Host authorization, with GSI Secure Conversation Message Level
> > security, so that OGSA-DAI takes Globus' delegated credentials.
>
> Uh. Help me on this: You are authenticating to the OGSA-DAI service as a
> client with a proxy derived from the very same credentials that server
> is using? I'm not sure if that makes a lot of sense.
>
> Why don't you create an EEC for yourself, sign that with the SimpleCA
> certificate and derive proxies from that EEC? I think that is much
> closer to the normal use case.
>
> > What else should I check?
> >
> > One thing I'm not sure whether I have correctly or not is the
> > grid-mapfile, but I couldn't find any tips on how to correctly configure
> > this on Windows.
>
> That's almost certainly not the issue. The error you quoted pertains to
> authentication, not authorization.
>
> The exception states this:
>
> > Authentication Error
>
> And the actual error information is fairly verbose, too:
>
> > 530-globus_gsi_callback_module: Could not verify credential
> > 530-globus_gsi_callback_module: Error with signing policy
> > 530-globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given>
> > 530 End.
>
> The error numbers indicate that the problem occurs not on the OGSA-DAI
> server but on the remote GridFTP server (530 is an FTP protocol error
> number).
>
> My first guess is that your remote GridFTP server (i.e. the one you are
> DeliverToGFTP'ing to) is not configured to accept SimpleCA certificates
> and thus is not able to authenticate you. You should check if connecting
> to that server by means of uberftp or another GridFTP implementation
> works from the OGSA-DAI server.
>
> Another idea would be that -- in case there is a SimpleCA configured on
> the GridFTP server -- the signing policy for that CA is invalid. From
> Globus 4.0.5 on (or so), you must have signing policies in place for
> each CA. So, normally you would see a number of <hash>.signing_policy
> files in your equivalent of /etc/grid_security/certificates - one file
> for each CA certificate.
>
> Regards,
>
> --ck
>
> --
> M. Sc. Christopher Kunz
> Regionales Rechenzentrum fuer Niedersachsen (RRZN)
> Gottfried Wilhelm Leibniz Universitaet Hannover
> +49 511 762-79KUNZ | [EMAIL PROTECTED]

------------------------------------------------------------------
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos Origin group liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
------------------------------------------------------------------
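The signing-policy check behind the GridFTP error quoted above ("Error with signing policy ... CA policy violation"), as an added example that is not part of this thread, of OGSA-DAI or of the Globus Toolkit: a small Python script that audits a Globus-style trusted-certificates directory offline. It checks that every <hash>.0 CA certificate has a matching <hash>.signing_policy, parses the policy, and decides whether a credential with a given issuer DN and subject DN would pass it. The CA name, the file hashes, the host names and the DNs are all constructed for the example and the .0 files are placeholders, not real certificates; the DNs are assumed to be available as strings in the OpenSSL one-line form Globus uses (`openssl x509 -noout -subject -issuer` on the credential prints them), and treating `*` as the only wildcard in cond_subjects is an assumption about the matching rules.

```python
"""Offline audit of a Globus-style certificates directory and signing policy.

Added example (not Globus Toolkit or OGSA-DAI code).  It models the three
ways the GSI callback can reject a credential at the signing-policy step:
  1. the issuing CA's <hash>.0 file has no <hash>.signing_policy beside it;
  2. no policy stanza's access_id_CA equals the credential's issuer DN;
  3. the credential's subject DN matches none of the cond_subjects patterns
     ("CA policy violation").
All names, DNs and hashes below are constructed for the example.
"""
import os
import re
import shlex
import tempfile

# Constructed signing policy in the layout SimpleCA writes; the CA subject
# and the hostname in it are made up.
SAMPLE_POLICY = """\
# Signing policy for the (constructed) SimpleCA on ca.example.org
access_id_CA      X509         '/O=Grid/OU=GlobusTest/OU=simpleCA-ca.example.org/CN=Globus Simple CA'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/O=Grid/OU=GlobusTest/OU=simpleCA-ca.example.org/*"'
"""
SAMPLE_CA_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-ca.example.org/CN=Globus Simple CA"


def parse_signing_policy(text):
    """Parse signing_policy text into stanzas: one dict per access_id_CA line,
    holding the CA subject, its pos_rights and its cond_subjects patterns.
    Blank lines and '#' comments are ignored; unknown keys are skipped."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # honours the single quotes around DNs
        key = fields[0]
        if key == "access_id_CA":
            stanzas.append({"ca": fields[2], "rights": set(), "subjects": []})
        elif not stanzas:
            raise ValueError("policy line before any access_id_CA: %r" % raw)
        elif key == "pos_rights":
            stanzas[-1]["rights"].add(fields[2])
        elif key == "cond_subjects":
            # The value is itself a space-separated list of double-quoted DNs.
            stanzas[-1]["subjects"].extend(shlex.split(fields[2]))
    return stanzas


def dn_matches(pattern, dn):
    """Subject matching with '*' as the only wildcard (assumption); every
    other character of the pattern is literal and the match is anchored."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, dn) is not None


def check_credential(stanzas, issuer_dn, subject_dn):
    """Return (accepted, reason) for a credential under the parsed policy."""
    for stanza in stanzas:
        if stanza["ca"] != issuer_dn:
            continue
        if "CA:sign" not in stanza["rights"]:
            return False, "CA %s is not granted CA:sign" % issuer_dn
        if any(dn_matches(p, subject_dn) for p in stanza["subjects"]):
            return True, "subject matches the policy of %s" % issuer_dn
        return False, "CA policy violation: %s matches none of %s" % (subject_dn, stanza["subjects"])
    return False, "no signing policy stanza for issuer %s" % issuer_dn


def find_missing_policies(cert_dir):
    """Hashes of <hash>.0 CA files in cert_dir without a <hash>.signing_policy."""
    missing = []
    for name in sorted(os.listdir(cert_dir)):
        if name.endswith(".0"):
            h = name[:-2]
            if not os.path.exists(os.path.join(cert_dir, h + ".signing_policy")):
                missing.append(h)
    return missing


def demo():
    """Build a throw-away certificates directory from constructed files and
    run the checks; returns the results so they can be inspected or tested."""
    tmp = tempfile.mkdtemp()
    # File names are placeholders; real ones are the OpenSSL subject hash of
    # the CA certificate (`openssl x509 -noout -hash`).
    with open(os.path.join(tmp, "d2a3b4c5.0"), "w") as f:
        f.write("placeholder for the PEM CA certificate\n")
    with open(os.path.join(tmp, "d2a3b4c5.signing_policy"), "w") as f:
        f.write(SAMPLE_POLICY)
    with open(os.path.join(tmp, "ffffffff.0"), "w") as f:
        f.write("placeholder for a second CA certificate that has no policy\n")
    with open(os.path.join(tmp, "d2a3b4c5.signing_policy")) as f:
        stanzas = parse_signing_policy(f.read())
    return {
        "missing_policies": find_missing_policies(tmp),
        # Host certificate issued by the sample CA inside its OU namespace.
        "host_ok": check_credential(
            stanzas, SAMPLE_CA_DN,
            "/O=Grid/OU=GlobusTest/OU=simpleCA-ca.example.org/CN=host/ogsadai.example.org"),
        # Subject outside cond_subjects: the "CA policy violation" case.
        "foreign_subject": check_credential(
            stanzas, SAMPLE_CA_DN,
            "/O=Grid/OU=GlobusTest/OU=simpleCA-other.example.org/CN=user"),
        # Issuer for which the directory holds no policy stanza at all.
        "unknown_issuer": check_credential(
            stanzas, "/O=Grid/OU=OtherCA/CN=Other CA", "/O=Grid/CN=user"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Pointed at the directory the GridFTP server actually trusts, the same three checks separate the causes Christopher lists: a CA file with no policy beside it, a policy whose access_id_CA is not the credential's issuer, and a subject that falls outside the cond_subjects namespace. The last one is what the quoted "CA policy violation" message means, and it is worth comparing the policy file on the server with the one the CA's own installation generated rather than assuming they are identical.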
