Makes sense. Thanks for the explanation, Rachana.
-Neha
On Oct 26, 2009, at 9:48 AM, Rachana Ananthakrishnan wrote:

Steve,

The only critical extensions processed by default in the CoG JGlobus validator are the proxy extensions, basic constraint and key usage. For other critical extensions, policy handlers have to be written and configured. The validator only raises an exception for critical extensions it does not know about - so if this extension used to be not critical, it would not have failed.

Rachana

On Oct 26, 2009, at 8:43 AM, Steven Timm wrote:

Rachana--when you say "support for this OID has not been added"
what do you mean?  Do you think that this section of the code
threw an exception because the extendedKeyUsage section
of the cert was marked critical when it should not have been,
or would it throw an exception if the extendedKeyUsage section
was there at all, critical or not?

Steve Timm


On Sun, 25 Oct 2009, Rachana Ananthakrishnan wrote:

Hi,

This remains an open request and default support for this OID has not been added. However, CoG JGlobus has an API to support custom handlers, so you can write a handler for processing this extension and configure it when the context is set up, and CoG will delegate the handling of the extension to your code.

An interface, ProxyPolicyHandler, is defined that needs to be implemented for every custom extension that you need to support and should contain the processing of the extension. CoG JGlobus provides an API to consume a Map of extension OIDs to handler mappings and invokes the appropriate handler during validation.

In http://viewcvs.globus.org/viewcvs.cgi/jglobus/src/org/globus/gsi/gssapi/GlobusGSSContextImpl.java?view=annotate&root=Java+COG , you can use the following:

public void setOption(Oid option, Object value)

to set GSSConstants.PROXY_POLICY_HANDLERS to a Map of OID to handler classes that implement the ProxyPolicyHandler interface. (http://viewcvs.globus.org/viewcvs.cgi/jglobus/src/org/globus/gsi/proxy/ProxyPolicyHandler.java?annotate=1.4&root=Java+COG ).

Here is a sample policy handler: http://viewcvs.globus.org/viewcvs.cgi/jglobus/src/org/globus/gsi/proxy/IgnoreProxyPolicyHandler.java?annotate=1.5&root=Java+COG , that simply logs the value of the extension.

Rachana

On Oct 21, 2009, at 10:46 AM, Neha Sharma wrote:

Hi,

DOEGrids recently added the following new critical extension in the host certificate they issued -

"X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication"

When we upgraded the host certificate on our gatekeeper node, so that it had the above extension, the gatekeeper failed to authenticate itself with the Site Authorization Service (SAZ).

The exception we are seeing is below:

"Exception org.globus.common.ChainedIOException: Authentication failed [Caused by: Defective credential detected [Caused by: [JGLOBUS-95] Unsuppored critical exception : "2.5.29.37"]]"

Upon googling it, I noticed a bugzilla entry which is similar to what we are seeing, however I do not see any resolution:
http://bugzilla.globus.org/globus/show_bug.cgi?id=3299

SAZ is using cog-jglobus-1.7.0.jar, which I believe is the latest version. Also I have confirmed that the cryptix32.jar and cryptix-asn1.jar are the latest that globus provides. The exact point where the above exception gets thrown is when SAZ attempts to read data from the input stream of the client socket.

Is this a known problem? Was the above bug ever resolved?
Any input you can provide is greatly appreciated.
-Neha


--
------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
t...@fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.
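
Added example, not part of the original thread and not CoG JGlobus code: a pre-deployment check, using only the JDK, that lists a certificate's critical extensions falling outside the set the thread says the validator handles by default. The class and method names are hypothetical, and the OIDs chosen for "proxy extensions, basic constraint and key usage" are an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeSet;

/** Added diagnostic (hypothetical name): reports critical extensions outside an assumed default set. */
public class CriticalExtensionCheck {

    // Assumption: OIDs for the extensions the thread names as handled by default.
    static final Set<String> HANDLED_BY_DEFAULT = new HashSet<>(Arrays.asList(
            "2.5.29.19",                 // basicConstraints
            "2.5.29.15",                 // keyUsage
            "1.3.6.1.5.5.7.1.14",        // RFC 3820 ProxyCertInfo
            "1.3.6.1.4.1.3536.1.222"));  // legacy Globus ProxyCertInfo

    /** Returns the critical extension OIDs of cert that are not in the handled set. */
    static Set<String> unhandledCritical(X509Certificate cert, Set<String> handled) {
        Set<String> result = new TreeSet<>();
        Set<String> critical = cert.getCriticalExtensionOIDs(); // null if the cert has no extensions
        if (critical != null) {
            for (String oid : critical) {
                if (!handled.contains(oid)) {
                    result.add(oid);
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CriticalExtensionCheck <cert.pem>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Set<String> unhandled = unhandledCritical(cert, HANDLED_BY_DEFAULT);
        for (String oid : unhandled) {
            System.out.println("critical extension without default handling: " + oid);
        }
        // Non-zero exit lets a deployment script stop before installing the certificate.
        System.exit(unhandled.isEmpty() ? 0 : 1);
    }
}
```

Run against a host certificate carrying the critical Extended Key Usage extension described above, it would report 2.5.29.37; the same extension marked non-critical is not reported.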

