Hi Rod,
It seems the SFT report OK for the CA test at triumf, but the CAs are
indeed not tested because of a bug (?) : cpp is not found.
So this test is not reliable for your site (yet).
I'll try to bypass this problem by trying to specify the full path in
this test ...
Cheers,
Frederic
David Groep a écrit :
> Hi,
>
> Maarten Litmaath, CERN wrote:
>
>> On Tue, 19 Apr 2005, Rod Walker wrote:
>>
>>> ...
>>> [rwalker@p9420 rwalker]$ globus-url-copy [...]
>>> ...
>>> globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to
>>> verify remote side's credentials
>>
>>
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> Do you have the latest CA rpms on your desktop?
>> For me it works fine with version 0.28 (also with 0.27).
>> It is known that various sites have not upgraded their CA rpms yet.
>
>
> Indeed the GRID-FR CA was released in 0.27 (the February release), so
> everyone please upgrade.(and here it also all works OK)
> For those interested in the details, the magic information is the
> utterly obfuscated error string:
>
>>> globus_gsi_callback.c:850:
>>> globus_i_gsi_callback_check_signing_policy: Error with signing policy
>>> globus_gsi_callback.c:1058: globus_i_gsi_callback_check_gaa_auth:
>>> Error in OLD GAA code: CA policy violation: <no reason given>
>>
>
> Which indicated that the list of acceptable subject names (DNs) for a CA
> to sign does not include the name you try to validate. In this case the
> error is likely in the parent CA for Grid-FR (namely CNRS-Projets). This
> file 34a509c3.signing_policy must include "/C=FR/O=CNRS/CN=GRID-FR"
> in the cond_subjects part of the EACL:
>
> tbn12:certificates:1032$ less 34a509c3.signing_policy
> # EACL French CA, project level: CNRS-Projets
> access_id_CA X509 '/C=FR/O=CNRS/CN=CNRS-Projets'
> pos_rights globus CA:sign
> cond_subjects globus '"/C=FR/O=CNRS/CN=Datagrid-fr"
> "/C=FR/O=CNRS/CN=GRID-FR" "/C=FR/O=CNRS/CN=CNRS-Projets"'
>
> Cheers,
> DavidG.
>
> PS: ... and sorry for taking your time on something you maybe don't even
> want to know :-)
>
|