On Thu, Jan 15, 2009 at 10:28 AM, Jan Muhammad <j...@dcs.gla.ac.uk> wrote: > > What you suggest to do for removing this annoying error of Authentication?
I already gave a definitive test involving the X509_CERT_DIR environment variable. If you're sure that GT is using such and such trusted certificate store, then it shouldn't matter if you set X509_CERT_DIR to the directory you think GT is using. If, however, you set X509_CERT_DIR and the problem goes away, then you've shown that GT is *not* using the trusted certificate store you think it is. Either way, you'll know more than what you do now. Hope that helps, Tom > -----Original Message----- > From: Rachana Ananthakrishnan [mailto:ranan...@mcs.anl.gov] > Sent: Thu 15/01/2009 15:12 > To: Jan Muhammad > Cc: gt-u...@globus.org > Subject: RE: [gt-user] Globus-Container-Start Error Messages![MESSAGE NOT > SCANNED] > > If you don't intend for ~/globus/certificates, then can you try deleting the > certificates directory? > > Here is a document that outlines the order and location from which trusted > certificates are picked up: > > http://www.globus.org/toolkit/docs/4.2/4.2.1/common/javacog/admin/#javacog-a > dmin-configuring-trusted-certs. > > Can you check if you have CoG Properties file that overrides the location of > trusted certificate? > > What version of Globus are you using? > > Rachana > > > _____ > > From: Jan Muhammad [mailto:j...@dcs.gla.ac.uk] > Sent: Thursday, January 15, 2009 6:40 AM > To: Rachana Ananthakrishnan > Cc: gt-u...@globus.org > Subject: RE: [gt-user] Globus-Container-Start Error Messages! > > > > Hi Rachana, > > Thanks indeed for your response. > > After your pointing out the problem of ~/.globus/certificates; there was a > problem with ~/.globus/certificates; hence removed it contents and have > rested the conatiner certificates with some hint got from this Globus mail > archieve (http://www.globus.org/mail_archive/discuss/2005/09/msg00270.html). > > Now with $globus-conatiner-start -nosec the container running fine; but the > actual problem with $globus-conatiner-start (i.e full security) is still > there and I'm getting almost the same error. Wonder how do I change the > Trusted CA certificate problem, as it seems that conatiner not recognizing > the CA signed certificates. The error is as follow when I try to run the > container $globus-conatiner-start -debug option:- > > ---------------------------------------------------------------------------- > --------- > [glo...@callisto etc]$ globus-start-container -debug > 2009-01-15 12:25:08,108 ERROR service.ReliableFileTransferImpl > [main,<init>:69] Unable to setup database driver with pooling.Connection > refused. Check that the hostname and port are correct and that the > postmaster is accepting TCP/IP connections. > 2009-01-15 12:25:10,691 WARN service.ReliableFileTransferHome > [main,initialize:97] All RFT requests will fail and all GRAM jobs that > require file staging will fail.Connection refused. Check that the hostname > and port are correct and that the postmaster is accepting TCP/IP > connections. > 2009-01-15 12:25:14,677 ERROR container.GSIServiceThread > [ServiceThread-9,process:141] Error processing request > java.net.SocketException: Connection reset > at java.net.SocketInputStream.read(SocketInputStream.java:168) > at org.globus.gsi.gssapi.SSLUtil.read(SSLUtil.java:37) > at > org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readToken(GSIGssInputStream > .java:64) > at > org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssIn > putStream.java:54) > at > org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60) > at > org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:122) > at > org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:142) > at > org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161) > at > org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:98) > at > org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291) > AxisFault > faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException > faultSubcode: > faultString: org.globus.common.ChainedIOException: Authentication failed > [Caused by: Failure unspecified at GSS-API level [Caused by: Unknown CA]] > faultActor: > faultNode: > faultDetail: > {http://xml.apache.org/axis/}stackTrace:Authentication failed. > Caused by Failure unspecified at GSS-API level. Caused by > COM.claymoresystems.ptls.SSLThrewAlertException: Unknown CA > at COM.claymoresystems.ptls.SSLConn.alert(SSLConn.java:235) > at > COM.claymoresystems.ptls.SSLHandshake.recvCertificate(SSLHandshake.java:304) > at > COM.claymoresystems.ptls.SSLHandshakeClient.processTokens(SSLHandshakeClient > .java:128) > at > COM.claymoresystems.ptls.SSLHandshake.processHandshake(SSLHandshake.java:135 > ) > at > org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext(GlobusGSSContextIm > pl.java:483) > at > org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:102) > at > org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:140) > at > org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161) > at > org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433) > at > org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135) > at > org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java: > 32) > at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) > at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) > at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) > at org.apache.axis.client.Call.invokeEngine(Call.java:2727) > at org.apache.axis.client.Call.invoke(Call.java:2710) > at org.apache.axis.client.Call.invoke(Call.java:2386) > at org.apache.axis.client.Call.invoke(Call.java:2309) > at org.apache.axis.client.Call.invoke(Call.java:1766) > at > org.oasis.wsrf.properties.GetResourcePropertySOAPBindingStub.getResourceProp > erty(GetResourcePropertySOAPBindingStub.java:397) > at > org.globus.wsrf.container.ServiceContainer.listServices(ServiceContainer.jav > a:492) > at > org.globus.wsrf.container.ServiceContainer.main(ServiceContainer.java:424) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39 > ) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl > .java:25) > at java.lang.reflect.Method.invoke(Method.java:597) > at org.globus.bootstrap.BootstrapBase.launch(BootstrapBase.java:95) > at org.globus.bootstrap.Bootstrap.main(Bootstrap.java:37) > > {http://xml.apache.org/axis/}hostname:callisto.nesc.gla.ac.uk > > org.globus.common.ChainedIOException: Authentication failed [Caused by: > Failure unspecified at GSS-API level [Caused by: Unknown CA]] > at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) > at > org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144) > at > org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java: > 32) > at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) > at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) > at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) > at org.apache.axis.client.Call.invokeEngine(Call.java:2727) > at org.apache.axis.client.Call.invoke(Call.java:2710) > at org.apache.axis.client.Call.invoke(Call.java:2386) > at org.apache.axis.client.Call.invoke(Call.java:2309) > at org.apache.axis.client.Call.invoke(Call.java:1766) > at > org.oasis.wsrf.properties.GetResourcePropertySOAPBindingStub.getResourceProp > erty(GetResourcePropertySOAPBindingStub.java:397) > at > org.globus.wsrf.container.ServiceContainer.listServices(ServiceContainer.jav > a:492) > at > org.globus.wsrf.container.ServiceContainer.main(ServiceContainer.java:424) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39 > ) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl > .java:25) > at java.lang.reflect.Method.invoke(Method.java:597) > at org.globus.bootstrap.BootstrapBase.launch(BootstrapBase.java:95) > at org.globus.bootstrap.Bootstrap.main(Bootstrap.java:37) > Caused by: org.globus.common.ChainedIOException: Authentication failed > [Caused by: Failure unspecified at GSS-API level [Caused by: Unknown CA]] > at > org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:145) > at > org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161) > at > org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433) > at > org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135) > ... 18 more > Failed to obtain a list of services from > 'https://130.209.58.58:8443/wsrf/services/ContainerRegistryService' service: > ; nested exception is: > org.globus.common.ChainedIOException: Authentication failed [Caused > by: Failure unspecified at GSS-API level [Caused by: Unknown CA]] > > > > Regards > ________________________ > Jan Muhammad > > > -----Original Message----- > From: Rachana Ananthakrishnan [mailto:ranan...@mcs.anl.gov] > Sent: Wed 14/01/2009 19:39 > To: Jan Muhammad; 'Tom Scavo' > Cc: gt-u...@globus.org > Subject: RE: [gt-user] Globus-Container-Start Error Messages![MESSAGE NOT > SCANNED] > > 1. Are there any environment variables (X509_*) configured on this machine? > > 2. Is there a ~/.globus/certificates directory on either machine for the > user running the container? If there is, that location is used as trusted > certificate directory before /etc/grid-security/certificates is used. > > 3. Try: openssl.exe x509 -in <path to host cert configured for container> > -issuer_hash -noout > > The output will be the hash of the CA certificate that issued the > certificate and you are looking for output.0 as the CA certificate. > > Rachana > > _____ > > From: gt-user-boun...@lists.globus.org > [mailto:gt-user-boun...@lists.globus.org] On Behalf Of Jan Muhammad > Sent: Wednesday, January 14, 2009 11:48 AM > To: Tom Scavo > Cc: gt-u...@globus.org > Subject: Re: [gt-user] Globus-Container-Start Error Messages! > > > > > > ________________________ > Hi Tom, > > Yes the certificate I have for user and host are both identical and at the > same locations e.g /home/jan/.globus & /etc/grid-security/certificates > respectively on my desktop and laptop machines. This error as below I'm > getting on my desk. > > "Failed to obtain a list of services from > 'https://130.209.58.58:8443/wsrf/services/ContainerRegistryService' service: > ; nested exception is: > org.globus.common.ChainedIOException: Authentication failed [Caused > by: Failure unspecified at GSS-API level [Caused by: Unknown CA]]" > > > I revoked and then generated proxy-certificates on the desktop machine but > still the same above error I'm getting. Any alternative solution to this? > > > Regards > > Jan Muhammad > > > > > -----Original Message----- > From: Tom Scavo [mailto:trsc...@gmail.com] > Sent: Wed 14/01/2009 17:09 > To: Jan Muhammad > Cc: gt-u...@globus.org > Subject: Re: [gt-user] Globus-Container-Start Error Messages![MESSAGE NOT > SCANNED] > > On Wed, Jan 14, 2009 at 10:32 AM, Jan Muhammad <j...@dcs.gla.ac.uk> wrote: >> >> One thing more, I use the same user-certificates on another machine, there >> is no any problem and containers running fine. > > Are the trusted certificate stores on the two systems identical? > > Tom > > > > > > > >
