On Mon, Aug 21, 2006 at 05:26:24PM +0100 or thereabouts, Jensen, J (Jens) wrote:
> Right, this definitely sounds like FNAL, CERN, and IN2P3 have not
> installed release 1.7 of the LCG CAs. And the latest release is
> 1.8.

Jens,

Feel free to tag these as urgent now. They are well overdue on these.

Steve

>
> Worth firing off a ggus ticket methinks.
>
> Cheers
> -j
>
> -----Original Message-----
> From: GRIDPP2: Deployment and support of SRM and local storage
> management [mailto:[log in to unmask]]On Behalf Of Brew, CAJ
> (Chris)
> Sent: 21 August 2006 17:12
> To: [log in to unmask]
> Subject: UKeScience Certificates WAS RE: CMS PhEDEx SC4 web page
>
>
> Ok, more circumstantial evidence:
>
> Using my host certificate to try to do an srm-get-metadata like so:
>
> /opt/d-cache/srm/bin/srm-get-metadata --use_proxy=false \
>     -x509_user_cert=/etc/grid-security/hostcert.pem \
>     -x509_user_key=/etc/grid-security/hostkey.pem
>
> to Birmingham, Edinburgh, FZK, and RAL (sites I can srmcp files to and
> from) I get an error like:
>
> SRMClientV1 : connecting to srm at httpg://a01-004-166-e.gridka.de:8443/srm/managerv1
> SRMClientV1 : copy: try # 0 failed with error
> SRMClientV1 : org.dcache.srm.SRMAuthorizationException: can not determine username from GlobusId=/C=UK/O=eScience/OU=CLRC/L=RAL/CN=heplnx204.pp.rl.ac.uk/E=ppd.g[log in to unmask]
>
> (exact wording depends on the SE at the far end).
>
> To CERN, FNAL and IN2P3 I just get:
>
> SRMClientV1 : connecting to srm at httpg://ccdcamli01.in2p3.fr:8443/srm/managerv1
> SRMClientV1 : copy: try # 0 failed with error
> SRMClientV1 : java.net.SocketException: Connection reset
>
> Does anyone have a dteam user certificate signed by the new CA chain to
> really test this?
>
> Anyway, it's good enough for me to submit a speculative GGUS ticket to
> CERN to get it checked out.
>
> Yours,
> Chris.
>
> > -----Original Message-----
> > From: GRIDPP2: Deployment and support of SRM and local
> > storage management [mailto:[log in to unmask]] On
> > Behalf Of Brew, CAJ (Chris)
> > Sent: 21 August 2006 16:30
> > To: [log in to unmask]
> > Subject: Re: CMS PhEDEx SC4 web page
> >
> > Hmm,
> >
> > CERN isn't looking too good either. I can srmcp a file from
> > CERN to me but not the other way round.
> >
> > Is there any basic connection I can make to the srm port
> > using wget to see if it accepts the hosts certificate.
> >
> > For instance I can do:
> >
> > [root@heplnx204 log]# wget -d --no-check-certificate \
> >     --ca-directory=/etc/grid-security/certificates/ \
> >     --certificate=/etc/grid-security/hostcert.pem \
> >     --private-key=/etc/grid-security/hostkey.pem \
> >     'https://na48-voms.cern.ch:8443/voms/na48/services/VOMSCompatibility?method=getGridmapUsers&container=%2Fna48'
> > Setting --check-certificate (checkcertificate) to 0
> > Setting --ca-directory (cadirectory) to /etc/grid-security/certificates/
> > Setting --certificate (certificate) to /etc/grid-security/hostcert.pem
> > Setting --private-key (privatekey) to /etc/grid-security/hostkey.pem
> > DEBUG output created by Wget 1.10.2 (Red Hat modified) on linux-gnu.
> >
> > --16:27:26--  https://na48-voms.cern.ch:8443/voms/na48/services/VOMSCompatibility?method=getGridmapUsers&container=%2Fna48
> >            => `VOMSCompatibility?method=getGridmapUsers&container=%2Fna48'
> > Resolving na48-voms.cern.ch... 137.138.251.206
> > Caching na48-voms.cern.ch => 137.138.251.206
> > Connecting to na48-voms.cern.ch|137.138.251.206|:8443... connected.
> > Created socket 3.
> > Releasing 0x09d5f4c8 (new refcount 1).
> > Initiating SSL handshake.
> > SSL handshake failed.
> > OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > Closed fd 3
> > Unable to establish SSL connection.
> >
> > To show that the na48 voms server (one amongst several)
> > doesn't yet have the new UKeScience certificates installed.
> >
> > Anyone know of a similar call I can do against an srm to test it?
> >
> > Thanks,
> > Chris.
> >
> > > -----Original Message-----
> > > From: GRIDPP2: Deployment and support of SRM and local storage
> > > management [mailto:[log in to unmask]] On Behalf Of Brew,
> > > CAJ (Chris)
> > > Sent: 21 August 2006 15:53
> > > To: [log in to unmask]
> > > Subject: Re: CMS PhEDEx SC4 web page
> > >
> > > Hi Simon + others,
> > >
> > > (Added GridPP-Storage in case I'm missing something - a bit of
> > > background, large numbers of CMS PhEDEx transfers to RALPP are
> > > failing)
> > >
> > > I think IN2P3 might not have the new UKeScience CA certificates
> > > installed on their srm.
> > >
> > > I cannot srmcp a file from me to them, though I can do it the other
> > > way or if I set pushmode=true
> > >
> > > heplnx101 - ~ $ srmcp \
> > >     srm://heplnx204.pp.rl.ac.uk:8443/pnfs/pp.rl.ac.uk/data/dteam/tfr2tier2/canned1G \
> > >     srm://ccsrm.in2p3.fr:8443/pnfs/in2p3.fr/data/dteam/brew/canned1G
> > > user credentials are: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris
> > > dteam brew
> > > SRMClientV1 : connecting to srm at httpg://ccdcamli01.in2p3.fr:8443/srm/managerv1
> > > srmcp error: Request with requestId =-2144892145 rs.state = Failed rs.error =
> > > RequestFileStatus#-2144892144 failed with error:[ retrieval of "from" TURL failed with error java.lang.RuntimeException: org.globus.common.ChainedIOException: Authentication failed [Caused by: Failure unspecified at GSS-API level [Caused by: Unknown CA]]]
> > > java.io.IOException: Request with requestId =-2144892145 rs.state = Failed rs.error =
> > > RequestFileStatus#-2144892144 failed with error:[ retrieval of "from" TURL failed with error java.lang.RuntimeException: org.globus.common.ChainedIOException: Authentication failed [Caused by: Failure unspecified at GSS-API level [Caused by: Unknown CA]]]
> > >
> > > FZK seems to work both ways, I'm just about to test CERN.
> > >
> > > Chris.
> > >
> > > > -----Original Message-----
> > > > From: Simon Metson [mailto:[log in to unmask]]
> > > > Sent: 21 August 2006 10:58
> > > > To: Brew, CAJ (Chris)
> > > > Subject: Re: CMS PhEDEx SC4 web page
> > > >
> > > > It was from FZK to PPD. Seemed to go fine.
> > > >
> > > > On 21 Aug 2006, at 10:56, Brew, CAJ ((Chris)) wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > > Where did you do the transfer from/to, I think if the remote SEs
> > > > > > haven't updated their CA rpms then there might be a problem
> > > > > > transferring to my SE.
> > > > >
> > > > > Chris.
> > > > >
> > > > >> -----Original Message-----
> > > > >> From: Simon Metson [mailto:[log in to unmask]]
> > > > >> Sent: 21 August 2006 10:42
> > > > >> To: Brew, CAJ (Chris)
> > > > >> Subject: Re: CMS PhEDEx SC4 web page
> > > > >>
> > > > > >> I've done a successful transfer via fts (!!) and checked through the
> > > > > >> config and restarted the agents. Let's see what happens.
> > > > >> Cheers
> > > > >> Simon
> > > > >>
> > > > >> On 21 Aug 2006, at 10:12, Brew, CAJ ((Chris)) wrote:
> > > > >>
> > > > >>> Hi,
> > > > >>>
> > > > > >>> It might be a certificate issue rather than a PhEDEx issue, I updated
> > > > > >>> the certificates on the two dCache nodes so they've now got
> > > > > >>> certificates signed by the new UKeScience CA, you might want to try an
> > > > > >>> srmcp to various failing sites.
> > > > >>>
> > > > >>> Yours,
> > > > >>> Chris.
> > > > >>>
> > > > >>>> -----Original Message-----
> > > > >>>> From: Simon Metson [mailto:[log in to unmask]]
> > > > >>>> Sent: 21 August 2006 10:10
> > > > >>>> To: Brew, CAJ (Chris)
> > > > >>>> Subject: Re: CMS PhEDEx SC4 web page
> > > > >>>>
> > > > > >>>> Yes, that's not good :) I've stopped the agents and am having a look
> > > > > >>>> at them now.
> > > > >>>> Cheers
> > > > >>>> Simon
> > > > >>>>
> > > > >>>> On 21 Aug 2006, at 10:01, Brew, CAJ ((Chris)) wrote:
> > > > >>>>
> > > > >>>>> Hi Simon,
> > > > >>>>>
> > > > > >>>>> I've occasionally been looking at
> > > > > >>>>> http://cms-project-phedex.web.cern.ch/cms-project-phedex/cgi-bin/browser?page=rates&db=sc&span=d&errors=on&tofilter=Rutherford&andor=or&fromfilter=Rutherford
> > > > > >>>>> to see what sort of state RALPP is in.
> > > > > >>>>>
> > > > > >>>>> Now to me at the moment it looks pretty bad. Is the "Errors" column
> > > > > >>>>> the number of times a transfer has failed?
> > > > >>>>>
> > > > >>>>> Thanks,
> > > > >>>>> Chris.
> > > > >>>>
> > > > >>>>
> > > > >>
> > > > >>
> > > >
> > > >
> > >
> >
--
Steve Traylen
work email: [log in to unmask]
personal email: [log in to unmask]
jabber: xmpp:[log in to unmask]
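
The triage used in this thread, as an added example that is not part of any message above: a run that ends in `SRMAuthorizationException` got through the GSI handshake, so the far end trusts the issuing CA, while `Unknown CA`, a TLS certificate alert or a bare connection reset all fail before authorization. The verdict names, the site keys and the `RUNS` sample (output lines copied from the thread) are assumptions of this example.

```python
import re

# Verdict names are this example's own; the patterns come from the client
# output quoted in the thread. The first matching rule wins.
RULES = [
    ("unknown_ca", re.compile(r"Unknown CA|alert unknown ca", re.I)),
    ("cert_rejected", re.compile(r"alert certificate unknown", re.I)),
    ("authn_ok_authz_failed", re.compile(r"SRMAuthorizationException")),
    ("reset_no_alert", re.compile(r"SocketException: Connection reset")),
]
# Failures that occur before the server ever evaluates authorization.
PRE_AUTHZ = {"unknown_ca", "cert_rejected", "reset_no_alert"}

def classify(output):
    """Map the output of one client run to a verdict."""
    text = " ".join(output.split())  # undo mail-client line wrapping
    for verdict, pattern in RULES:
        if pattern.search(text):
            return verdict
    return "unclassified"

def triage(runs):
    """Return {verdict: [site, ...]} for a {site: output} mapping."""
    report = {}
    for site, output in runs.items():
        report.setdefault(classify(output), []).append(site)
    return report

def trust_suspects(runs):
    """Sites that failed during authentication: check their CA bundle first."""
    return sorted(s for s, out in runs.items() if classify(out) in PRE_AUTHZ)

# Constructed sample: output lines copied from the thread, keyed by site.
RUNS = {
    "FZK": "SRMClientV1 : org.dcache.srm.SRMAuthorizationException: can not\n"
           "determine username from GlobusId=/C=UK/O=eScience/OU=CLRC/L=RAL",
    "IN2P3 host-cert": "SRMClientV1 : copy: try # 0 failed with error\n"
                       "SRMClientV1 : java.net.SocketException: Connection reset",
    "IN2P3 srmcp": "Authentication failed [Caused by: Failure unspecified at "
                   "GSS-API level [Caused by: Unknown CA]]]",
    "na48-voms": "SSL handshake failed.\nOpenSSL: error:14094416:SSL routines:"
                 "SSL3_READ_BYTES:sslv3\nalert certificate unknown",
}

if __name__ == "__main__":
    for verdict, sites in triage(RUNS).items():
        print(f"{verdict}: {', '.join(sites)}")
```

A `reset_no_alert` or `cert_rejected` verdict is consistent with a missing CA but does not prove it, since neither names the cause; only `unknown_ca` does.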