On Host A: 

D:\GT4\cog-jglobus-1.6.0\bin>globus-url-copy file:///D:\TestFileSystem\test.txt gsiftp://hostB/tmp/test.txt

GlobusUrlCopy error: UrlCopy transfer failed. [Caused by:
530-globus_xio: Authentication Error
530-globus_gsi_callback_module: Could not verify credential
530-globus_gsi_callback_module: Error with signing policy
530-globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given>
530 End.]


D:\GT4\cog-jglobus-1.6.0\bin>globus-url-copy gsiftp://hostB/etc/group gsiftp://hostB/tmp/test.txt

GlobusUrlCopy error: UrlCopy third party transfer failed. [Caused by:
530-globus_xio: Authentication Error
530-globus_gsi_callback_module: Could not verify credential
530-globus_gsi_callback_module: Error with signing policy
530-globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given>
530 End.]

I'm in the process of installing the advisories now. 


Sandra 

> -----Original Message-----
> From: Charles Bacon [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 20 November 2008 16:56
> To: Sandra Jimenez Doval
> Cc: [email protected]
> Subject: Re: [gt-user] Security issues - Windows , OGSA-DAI and GridFTP
> 
> Okay.  So what happens if you try from hostA:
> globus-url-copy file:///some/file/on/hostA gsiftp://hostB/tmp/asdf
> and
> globus-url-copy gsiftp://hostB/etc/group gsiftp://hostB/tmp/qwerty
> 
> If both of those work, I'd like to know if the user running the OGSA-
> DAI container on hostB has a cog.properties file.
> 
> 
> Charles
> 
> On Nov 20, 2008, at 9:49 AM, Sandra Jimenez Doval wrote:
> 
> > On my client machine A I've got:
> > dae41ace.0 (with its dae41ace.signing_policy)
> >
> > Also, the cog.properties contains:
> > cacert=C:\\Documents and
> > Settings\\A128463\\.globus\\certificates\\dae41ace.0
> > usercert=C:\\Documents and Settings\\A128463\\.globus\\usercert.pem
> > hostcert=C:\\Documents and Settings\\A128463\\.globus\\hostcert.pem
> > proxy=C:\\Documents and Settings\\A128463\\Local
> > Settings\\Temp\\x509up_u_A128463
> > userkey=C:\\Documents and Settings\\A128463\\.globus\\userkey.pem
> > hostkey=C:\\Documents and Settings\\A128463\\.globus\\hostkey.pem
> >
> >
> > On host B:
> > I've checked that in /etc/grid-security/certificates there are
> > dae41ace.0 and dae41ace.signing_policy
> >
> > /etc/xinetd.d/gsiftp contains:
> >
> > # GLOBUS - GSIFTP SERVICE
> > service gsiftp
> > {
> >        disable         = no
> >        instances       = 1000
> >        socket_type     = stream
> >        wait            = no
> >        user            = root
> >        env             = GLOBUS_LOCATION=/usr/local/globus
> >        env             += LD_LIBRARY_PATH=/usr/local/globus/lib
> >        env             += GLOBUS_TCP_PORT_RANGE=60000,65535
> >        server          = /usr/local/globus/sbin/globus-gridftp-server
> >        server_args     = -i
> >        log_on_success  += USERID
> >        nice            = 10
> > }
> >
> > No X509_* environment variable is set.
> >
> > Thanks :)
> >
> > Sandra
> >
> >
> >> -----Original Message-----
> >> From: Charles Bacon [mailto:[EMAIL PROTECTED]
> >> Sent: Thursday, 20 November 2008 16:18
> >> To: Sandra Jimenez Doval
> >> Cc: [email protected]
> >> Subject: Re: [gt-user] Security issues - Windows , OGSA-DAI and GridFTP
> >>
> >> Okay.  You can install all the advisories from 4.0.5 onwards, though
> >> they don't actually represent the total of moving from 4.0.5 ->
> >> 4.0.8.  But it should get you an improvement in those error messages,
> >> at least.
> >>
> >> So, I agree with the earlier analysis that the interaction between
> >> your ogsadai client and server looks okay.  And that it looks like the
> >> problem is with the GridFTP server not trusting your certificate.  So
> >> let's debug that, calling your client machine "A" and the GridFTP
> >> server machine "B".
> >>
> >> What's your CA Hash?  Do <hash.0> and <hash.signing_policy> appear in
> >> /etc/grid-security/certificates on B?  If not, where are they on B?  I
> >> ask because you mentioned having a cog.properties file earlier, and
> >> I'm a little suspicious that your container that hosts OGSA-DAI may be
> >> using a non-standard location for certificates that the GridFTP server
> >> isn't sharing with it.  Does /etc/xinetd.d/gsiftp contain any X509_*
> >> environment variable settings?
> >>
> >>
> >> Charles
> >>
> >> On Nov 20, 2008, at 8:58 AM, Sandra Jimenez Doval wrote:
> >>
> >>> Hi Charles,
> >>>
> >>> Thank you for the tip, I didn't know about the advisories *blush*. So,
> >>> if globus version is 4.0.5, can all advisories from version 4.0.5
> >>> onwards be installed, or only the ones of that version? Also, I'm not
> >>> the original administrator of the host where simpleCA and gridFTP are,
> >>> but it seems I'll be from now on... :S
> >>>
> >>> The DN of my host certificate is
> >>> /O=Grid/CN=host/ES-D610J2J.es.int.atosorigin.com
> >>>
> >>> The signing policy contains:
> >>> access_id_CA      X509         '/CN=KARI CA'
> >>> pos_rights        globus        CA:sign
> >>> cond_subjects     globus       '"/*"'
> >>>
> >>>
> >>> Thanks again,
> >>>
> >>> Sandra
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Charles Bacon [mailto:[EMAIL PROTECTED]
> >>>> Sent: Thursday, 20 November 2008 15:26
> >>>> To: Sandra Jimenez Doval
> >>>> Cc: Christopher Kunz; [email protected]
> >>>> Subject: Re: [gt-user] Security issues - Windows , OGSA-DAI and GridFTP
> >>>>
> >>>> Two things: you should install any relevant advisories from
> >>>> http://www.globus.org/toolkit/advisories.html
> >>>> .  The most recent packages include improvements for the error
> >>>> message you're quoting.
> >>>>
> >>>> Secondly, this is a signing policy error.  It implies that the DN of
> >>>> your certificate "/O=Blah/OU=foo/..." is not listed in the regexp
> >>>> inside your *.signing_policy file.  If you include your DN and
> >>>> signing policy file, we can probably help get it fixed up.  (If it's
> >>>> not a problem with the namespaces matching, then it is probably a
> >>>> syntax error in the signing policy itself, which is unlikely unless
> >>>> you have hand-edited it)
> >>>>
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Charles
> >>>>
> >>>> On Nov 20, 2008, at 7:27 AM, Sandra Jimenez Doval wrote:
> >>>>
> >>>>> Hi Christopher,
> >>>>>
> >>>>> Thank you for your time and help. I'm new to Globus, new to OGSA-DAI,
> >>>>> and new to security... so trying to set up all this is a bit
> >>>>> overwhelming, (and it's highly probable that I understood something
> >>>>> wrong in the GT4 and OGSA-DAI documentation). Let's see if I can
> >>>>> explain myself more clearly.
> >>>>>
> >>>>> My client is running on the same host as my OGSA-DAI server, which is
> >>>>> deployed on GT4 Java WS Core standalone container. There's a second
> >>>>> host, where there is a whole deployment of GT4, where there is the
> >>>>> GridFTP server I want to use, and the SimpleCA that has signed my host
> >>>>> and user certificates. I'm not the administrator of this second host,
> >>>>> so I don't have direct access to its configuration.
> >>>>>
> >>>>> I've configured my host with the trusted CA, putting the <CAhash>.0
> >>>>> and <CAhash>.signing_policy files at %USERPROFILE%\.globus. These are
> >>>>> the ones of the simpleCA of the 2nd host.
> >>>>> I created a grid proxy with my host certificate.
> >>>>>
> >>>>> When I call the OGSA-DAI service I'm using the globus delegated
> >>>>> credentials, using, as I said, GSI secure conversation and
> >>>>> HostAuthentication. I've also configured my OGSA-DAI service to run
> >>>>> as caller identity, so that the OGSA-DAI service can call other
> >>>>> services as if it were the original caller (i.e., my client).
> >>>>>
> >>>>> Does this configuration make sense?
> >>>>>
> >>>>> As you pointed out, I believe the problem could be on the
> >>>>> configuration of the gridFTP server, but I'm not sure how to proceed
> >>>>> on that. In any case, I'll try to check what you suggested.
> >>>>>
> >>>>> Best,
> >>>>>
> >>>>> Sandra
> >>>>>
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Christopher Kunz [mailto:[EMAIL PROTECTED]
> >>>>>> Sent: Thursday, 20 November 2008 13:09
> >>>>>> To: Sandra Jimenez Doval
> >>>>>> Cc: [email protected]
> >>>>>> Subject: Re: [gt-user] Security issues - Windows , OGSA-DAI and GridFTP
> >>>>>>
> >>>>>> Sandra Jimenez Doval wrote:
> >>>>>>
> >>>>>>> I'm using a host certificate that was signed using simpleCA. I
> >>>>>>> created a grid proxy with this host certificate, and I'm configuring
> >>>>>>> OGSA-DAI to use Host authorization, with GSI Secure Conversation
> >>>>>>> Message Level security, so that OGSA-DAI takes globus' delegated
> >>>>>>> credentials.
> >>>>>>
> >>>>>> Uh. Help me on this: You are authenticating to the OGSA-DAI service
> >>>>>> as a client with a proxy derived from the very same credentials that
> >>>>>> server is using? I'm not sure if that makes a lot of sense.
> >>>>>>
> >>>>>> Why don't you create an EEC for yourself, sign that with the SimpleCA
> >>>>>> certificate and derive proxies from that EEC? I think that is much
> >>>>>> closer to the normal use case.
> >>>>>>
> >>>>>>> What else should I check?
> >>>>>>>
> >>>>>>> One thing I'm not sure whether I have correctly or not is the
> >>>>>>> grid-mapfile, but I couldn't find any tips on how to correctly
> >>>>>>> configure this on Windows.
> >>>>>>>
> >>>>>> That's almost certainly not the issue. The error you quoted pertains
> >>>>>> to authentication, not authorization.
> >>>>>>
> >>>>>> The exception states this:
> >>>>>>> Authentication Error
> >>>>>>
> >>>>>> And the actual error information is fairly verbose, too:
> >>>>>>
> >>>>>>> 530-globus_gsi_callback_module: Could not verify credential
> >>>>>>>
> >>>>>>> 530-globus_gsi_callback_module: Error with signing policy
> >>>>>>>
> >>>>>>> 530-globus_gsi_callback_module: Error in OLD GAA code: CA policy
> >>>>>>> violation: <no reason given>
> >>>>>>>
> >>>>>>> 530 End.
> >>>>>>
> >>>>>> The error numbers indicate that the problem occurs not on the
> >>>>>> OGSA-DAI server but on the remote GridFTP server (530 is an FTP
> >>>>>> protocol error number).
> >>>>>>
> >>>>>> My first guess is that your remote GridFTP server (i.e. the one you
> >>>>>> are DeliverToGFTP'ing to) is not configured to accept SimpleCA
> >>>>>> certificates and thus is not able to authenticate you. You should
> >>>>>> check if connecting to that server by means of uberftp or another
> >>>>>> GridFTP implementation works from the OGSA-DAI server.
> >>>>>>
> >>>>>> Another idea would be that -- in case there is a SimpleCA configured
> >>>>>> on the GridFTP server -- the signing policy for that CA is invalid.
> >>>>>> From Globus 4.0.5 on (or so), you must have signing policies in place
> >>>>>> for each CA. So, normally you would see a number of
> >>>>>> <hash>.signing_policy files in your equivalent of
> >>>>>> /etc/grid_security/certificates - one file for each CA certificate.
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>> --ck
> >>>>>>
> >>>>>> --
> >>>>>> M. Sc. Christopher Kunz
> >>>>>> Regionales Rechenzentrum fuer Niedersachsen (RRZN)
> >>>>>> Gottfried Wilhelm Leibniz Universitaet Hannover
> >>>>>> +49 511 762-79KUNZ | [EMAIL PROTECTED]
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> This e-mail and the documents attached are confidential and intended
> >>>>> solely for the addressee; it may also be privileged. If you receive
> >>>>> this e-mail in error, please notify the sender immediately and
> >>>>> destroy it.
> >>>>> As its integrity cannot be secured on the Internet, the Atos Origin
> >>>>> group liability cannot be triggered for the message content. Although
> >>>>> the sender endeavours to maintain a computer virus-free network,
> >>>>> the sender does not warrant that this transmission is virus-free and
> >>>>> will not be liable for any damages resulting from any virus
> >>>>> transmitted.
> >>>>>
> >>>>> This message and the attached files may contain confidential
> >>>>> information intended solely for the person(s) mentioned above and
> >>>>> may be protected by professional secrecy.
> >>>>> If you receive this e-mail in error, please inform the sender
> >>>>> immediately and destroy the message.
> >>>>> As the integrity of this message over the network cannot be secured,
> >>>>> Atos Origin is not responsible for its content. Its content does not
> >>>>> constitute any commitment on the part of the Atos Origin group,
> >>>>> except by written ratification of both parties.
> >>>>> Although it makes every effort to keep its network free of viruses,
> >>>>> the sender cannot guarantee anything in this respect and will not be
> >>>>> liable for any damages that may result from a virus transmission.
> >>>>> ------------------------------------------------------------------
> >>>>>
> >>>
> >>>
> >
> >
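As an added illustration, not code from the thread or from the Globus Toolkit, the checker below applies the signing-policy rules Charles describes to the policy and host DN Sandra posted above: the access_id_CA value must equal the issuing CA's subject exactly, and the cond_subjects patterns decide which subjects that CA may sign. The SimpleCA-style issuer DN in the last call is a constructed value, not one from the thread.

```python
import re
import shlex

# Constructed copy of the *.signing_policy quoted in the thread.
POLICY = """# signing policy for the SimpleCA on host B
access_id_CA      X509         '/CN=KARI CA'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/*"'
"""
# Host certificate DN quoted in the thread.
HOST_DN = "/O=Grid/CN=host/ES-D610J2J.es.int.atosorigin.com"

def parse_signing_policy(text):
    """One dict per access_id_CA block: CA DN, rights granted, subject patterns."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the single quotes around values
        if len(tokens) != 3:
            continue
        key, value = tokens[0], tokens[2]
        if key == "access_id_CA":
            blocks.append({"ca": value, "rights": [], "patterns": []})
        elif key == "pos_rights" and blocks:
            blocks[-1]["rights"].append(value)
        elif key == "cond_subjects" and blocks:
            # value is a space-separated list of double-quoted patterns
            blocks[-1]["patterns"].extend(shlex.split(value))
    return blocks

def dn_matches(pattern, dn):
    """'*' matches any run of characters; every other character is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, dn) is not None

def check_signing(policy_text, issuer_dn, subject_dn):
    """The block whose access_id_CA equals the issuer DN exactly must grant CA:sign
    and list a pattern matching the subject; any False here is a 'CA policy violation'."""
    for block in parse_signing_policy(policy_text):
        if block["ca"] != issuer_dn:
            continue
        if "CA:sign" not in block["rights"]:
            return False, "CA:sign not granted"
        if any(dn_matches(p, subject_dn) for p in block["patterns"]):
            return True, "subject permitted"
        return False, "subject not covered by cond_subjects"
    return False, "no access_id_CA entry equals issuer %r" % issuer_dn

if __name__ == "__main__":
    # Issuer DN in the style SimpleCA generates: a constructed value, not from the thread.
    print(check_signing(POLICY, "/CN=KARI CA", HOST_DN))
    print(check_signing(POLICY, "/O=Grid/OU=simpleCA-hostb/CN=Globus Simple CA", HOST_DN))
```

Feed it the issuer DN printed by `openssl x509 -noout -issuer` for the host certificate; an issuer that does not equal the access_id_CA line is exactly the case the server reports with no reason given.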

