If you don't intend for ~/globus/certificates, then can you try deleting the certificates directory? Here is a document that outlines the order and location from which trusted certificates are picked up: http://www.globus.org/toolkit/docs/4.2/4.2.1/common/javacog/admin/#javacog-a dmin-configuring-trusted-certs. Can you check if you have CoG Properties file that overrides the location of trusted certificate? What version of Globus are you using? Rachana
_____ From: Jan Muhammad [mailto:j...@dcs.gla.ac.uk] Sent: Thursday, January 15, 2009 6:40 AM To: Rachana Ananthakrishnan Cc: gt-u...@globus.org Subject: RE: [gt-user] Globus-Container-Start Error Messages! Hi Rachana, Thanks indeed for your response. After your pointing out the problem of ~/.globus/certificates; there was a problem with ~/.globus/certificates; hence removed it contents and have rested the conatiner certificates with some hint got from this Globus mail archieve (http://www.globus.org/mail_archive/discuss/2005/09/msg00270.html). Now with $globus-conatiner-start -nosec the container running fine; but the actual problem with $globus-conatiner-start (i.e full security) is still there and I'm getting almost the same error. Wonder how do I change the Trusted CA certificate problem, as it seems that conatiner not recognizing the CA signed certificates. The error is as follow when I try to run the container $globus-conatiner-start -debug option:- ---------------------------------------------------------------------------- --------- [glo...@callisto etc]$ globus-start-container -debug 2009-01-15 12:25:08,108 ERROR service.ReliableFileTransferImpl [main,<init>:69] Unable to setup database driver with pooling.Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections. 2009-01-15 12:25:10,691 WARN service.ReliableFileTransferHome [main,initialize:97] All RFT requests will fail and all GRAM jobs that require file staging will fail.Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections. 2009-01-15 12:25:14,677 ERROR container.GSIServiceThread [ServiceThread-9,process:141] Error processing request java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:168) at org.globus.gsi.gssapi.SSLUtil.read(SSLUtil.java:37) at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readToken(GSIGssInputStream .java:64) at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssIn putStream.java:54) at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60) at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:122) at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:142) at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161) at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:98) at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291) AxisFault faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException faultSubcode: faultString: org.globus.common.ChainedIOException: Authentication failed [Caused by: Failure unspecified at GSS-API level [Caused by: Unknown CA]] faultActor: faultNode: faultDetail: {http://xml.apache.org/axis/}stackTrace:Authentication failed. Caused by Failure unspecified at GSS-API level. Caused by COM.claymoresystems.ptls.SSLThrewAlertException: Unknown CA at COM.claymoresystems.ptls.SSLConn.alert(SSLConn.java:235) at COM.claymoresystems.ptls.SSLHandshake.recvCertificate(SSLHandshake.java:304) at COM.claymoresystems.ptls.SSLHandshakeClient.processTokens(SSLHandshakeClient .java:128) at COM.claymoresystems.ptls.SSLHandshake.processHandshake(SSLHandshake.java:135 ) at org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext(GlobusGSSContextIm pl.java:483) at org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:102) at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:140) at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161) at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433) at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java: 32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) at org.apache.axis.client.Call.invokeEngine(Call.java:2727) at org.apache.axis.client.Call.invoke(Call.java:2710) at org.apache.axis.client.Call.invoke(Call.java:2386) at org.apache.axis.client.Call.invoke(Call.java:2309) at org.apache.axis.client.Call.invoke(Call.java:1766) at org.oasis.wsrf.properties.GetResourcePropertySOAPBindingStub.getResourceProp erty(GetResourcePropertySOAPBindingStub.java:397) at org.globus.wsrf.container.ServiceContainer.listServices(ServiceContainer.jav a:492) at org.globus.wsrf.container.ServiceContainer.main(ServiceContainer.java:424) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39 ) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.globus.bootstrap.BootstrapBase.launch(BootstrapBase.java:95) at org.globus.bootstrap.Bootstrap.main(Bootstrap.java:37) {http://xml.apache.org/axis/}hostname:callisto.nesc.gla.ac.uk org.globus.common.ChainedIOException: Authentication failed [Caused by: Failure unspecified at GSS-API level [Caused by: Unknown CA]] at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java: 32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) at org.apache.axis.client.Call.invokeEngine(Call.java:2727) at org.apache.axis.client.Call.invoke(Call.java:2710) at org.apache.axis.client.Call.invoke(Call.java:2386) at org.apache.axis.client.Call.invoke(Call.java:2309) at org.apache.axis.client.Call.invoke(Call.java:1766) at org.oasis.wsrf.properties.GetResourcePropertySOAPBindingStub.getResourceProp erty(GetResourcePropertySOAPBindingStub.java:397) at org.globus.wsrf.container.ServiceContainer.listServices(ServiceContainer.jav a:492) at org.globus.wsrf.container.ServiceContainer.main(ServiceContainer.java:424) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39 ) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.globus.bootstrap.BootstrapBase.launch(BootstrapBase.java:95) at org.globus.bootstrap.Bootstrap.main(Bootstrap.java:37) Caused by: org.globus.common.ChainedIOException: Authentication failed [Caused by: Failure unspecified at GSS-API level [Caused by: Unknown CA]] at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:145) at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161) at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433) at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135) ... 18 more Failed to obtain a list of services from 'https://130.209.58.58:8443/wsrf/services/ContainerRegistryService' service: ; nested exception is: org.globus.common.ChainedIOException: Authentication failed [Caused by: Failure unspecified at GSS-API level [Caused by: Unknown CA]] Regards ________________________ Jan Muhammad -----Original Message----- From: Rachana Ananthakrishnan [mailto:ranan...@mcs.anl.gov] Sent: Wed 14/01/2009 19:39 To: Jan Muhammad; 'Tom Scavo' Cc: gt-u...@globus.org Subject: RE: [gt-user] Globus-Container-Start Error Messages![MESSAGE NOT SCANNED] 1. Are there any environment variables (X509_*) configured on this machine? 2. Is there a ~/.globus/certificates directory on either machine for the user running the container? If there is, that location is used as trusted certificate directory before /etc/grid-security/certificates is used. 3. Try: openssl.exe x509 -in <path to host cert configured for container> -issuer_hash -noout The output will be the hash of the CA certificate that issued the certificate and you are looking for output.0 as the CA certificate. Rachana _____ From: gt-user-boun...@lists.globus.org [mailto:gt-user-boun...@lists.globus.org] On Behalf Of Jan Muhammad Sent: Wednesday, January 14, 2009 11:48 AM To: Tom Scavo Cc: gt-u...@globus.org Subject: Re: [gt-user] Globus-Container-Start Error Messages! ________________________ Hi Tom, Yes the certificate I have for user and host are both identical and at the same locations e.g /home/jan/.globus & /etc/grid-security/certificates respectively on my desktop and laptop machines. This error as below I'm getting on my desk. "Failed to obtain a list of services from 'https://130.209.58.58:8443/wsrf/services/ContainerRegistryService' service: ; nested exception is: org.globus.common.ChainedIOException: Authentication failed [Caused by: Failure unspecified at GSS-API level [Caused by: Unknown CA]]" I revoked and then generated proxy-certificates on the desktop machine but still the same above error I'm getting. Any alternative solution to this? Regards Jan Muhammad -----Original Message----- From: Tom Scavo [mailto:trsc...@gmail.com] Sent: Wed 14/01/2009 17:09 To: Jan Muhammad Cc: gt-u...@globus.org Subject: Re: [gt-user] Globus-Container-Start Error Messages![MESSAGE NOT SCANNED] On Wed, Jan 14, 2009 at 10:32 AM, Jan Muhammad <j...@dcs.gla.ac.uk> wrote: > > One thing more, I use the same user-certificates on another machine, there > is no any problem and containers running fine. Are the trusted certificate stores on the two systems identical? Tom