Hi,
Any idea what can cause the MyProxy server to suddenly stop recognizing the
WMS/LB (which is trying to renew user's proxies) as authorized, after
previously successfully renewing proxies on requests from the same WMS/LB and
the same user for hours? The delegated credentials did not expire for that
user. This is the excerpt from /var/log/messages:

Jun 19 10:43:11 myproxy myproxy-server: <11733> Connection from 147.91.84.25
Jun 19 10:43:11 myproxy myproxy-server: <22407> using trusted certificates directory /etc/grid-security/certificates
Jun 19 10:43:11 myproxy myproxy-server: <22407> Authenticated client /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/wms.phy.bg.ac.yu
Jun 19 10:43:11 myproxy myproxy-server: <22407> applying trusted_retrievers policy
Jun 19 10:43:11 myproxy myproxy-server: <22407> applying authorized_retrievers policy
Jun 19 10:43:11 myproxy myproxy-server: <22407> applying authorized_renewers policy
Jun 19 10:43:11 myproxy myproxy-server: <22407> sending MYPROXY_AUTHORIZATION_RESPONSE
Jun 19 10:43:11 myproxy myproxy-server: <22407> client chose X509_certificate
Jun 19 10:43:11 myproxy myproxy-server: <22407> authorization failed
Jun 19 10:43:11 myproxy myproxy-server: <22407> Exiting: certificate chain verification failed "/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/wms.phy.bg.ac.yu" not authorized by server's trusted_retrievers policy X509_verify_cert() failed authentication failed authentication failed

After several minutes of such madness, MyProxy server suddenly again continues
to renew proxy for this same WMS/LB (however, for another user, since for the
original one all jobs are aborted; I am not sure if this is relevant, since
the problem reported is that WMS/LB is not authorized).
/etc/myproxy-server.config was created on 18 May, and it is re-created
each time the myproxy service is restarted, which excludes the possibility that
myproxy was restarted at 10:43 or so today. authorized_renewers contains the DN of
the WMS/LB, while authorized_retrievers is set to "*".
Any idea is appreciated. Also, is it possible to convince WMS/LB not to give
up immediately on a job for which it cannot renew the proxy, but to try again
later (i.e. 10 minutes later would save the day here)?
Thanks, Antun
-----
Antun Balaz
Research Assistant
E-mail: [log in to unmask]
Web: http://scl.phy.bg.ac.yu/
Phone: +381 11 3713152
Fax: +381 11 3162190
Scientific Computing Laboratory
Institute of Physics Belgrade
Pregrevica 118, 11080 Belgrade, Serbia
-----
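
Added example, not part of the original message: a Python triage script that groups myproxy-server syslog lines by the child PID in angle brackets and reports, per client DN, how many sessions failed authorization, the first and last failure time, and the logged "Exiting:" reason. Assumptions: wrapped entries are rejoined to one line each, the year is supplied by the caller (syslog has none), the function name is hypothetical, and all sample lines other than those taken from the 10:43:11 excerpt are constructed.

```python
import re
from datetime import datetime

DN = "/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/wms.phy.bg.ac.yu"
ROW = "Jun 19 {} myproxy myproxy-server: <{}> {}"
# Constructed sample in the format of the excerpt; only 10:43:11 is from the message.
SAMPLE = "\n".join(ROW.format(*r) for r in [
    ("10:41:02", 22390, "Authenticated client " + DN),
    ("10:43:11", 22407, "Authenticated client " + DN),
    ("10:43:11", 22407, "authorization failed"),
    ("10:43:11", 22407, "Exiting: certificate chain verification failed"),
    ("10:47:30", 22431, "Authenticated client " + DN),
    ("10:47:30", 22431, "authorization failed"),
    ("10:47:30", 22431, "Exiting: certificate chain verification failed"),
    ("10:52:05", 22390, "Authenticated client " + DN),  # PID reused later
])

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ myproxy-server: <(\d+)> (.*)$")
AUTH = "Authenticated client "

def failure_windows(text, year):
    """Per client DN: session counts, first/last failure time, exit reasons."""
    current, report = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other daemons, or continuation lines that were not rejoined
        stamp, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if msg.startswith(AUTH):
            entry = report.setdefault(msg[len(AUTH):], {
                "sessions": 0, "failed": 0,
                "first": None, "last": None, "reasons": set()})
            entry["sessions"] += 1
            current[pid] = entry  # PIDs are reused, so rebind on each new session
        elif pid in current:
            entry = current[pid]
            if msg == "authorization failed":
                entry["failed"] += 1
                entry["first"] = entry["first"] or when
                entry["last"] = when
            elif msg.startswith("Exiting: "):
                entry["reasons"].add(msg[len("Exiting: "):])
    return report

if __name__ == "__main__":
    for dn, e in failure_windows(SAMPLE, 2000).items():  # year is a placeholder
        print(dn, e["failed"], "of", e["sessions"], "failed",
              e["first"], "->", e["last"], sorted(e["reasons"]))
```

The resulting failure window can be compared against anything else on the MyProxy host that runs on a schedule.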