Maarten, Jan Just, good day.
Tue, Jul 15, 2008 at 09:49:20AM +0200, Jan Just Keijser wrote:
> the box wmslb.itep.ru seems to be a glite 3.0 WMS. This version of glite
> is based on VDT Globus 2.4 and does not support RFC compliant proxies.
> You have to upgrade your WMS to the recently released glite 3.1 WMS if
> you want to use RFC (or gt3 style) proxies.
OK, I have installed a combined WMS/LB node from gLite 3.1,
glite-WMS-3.1.2-0 and glite-LB-3.1.1-1.
Still no luck with RFC and gt3 proxies.
The RFC proxy fails to be validated on the WMProxy daemon:
-----
$ glite-wms-job-submit -a gate-alice.jdl
Connecting to the service https://octopus.grid.kiae.ru:7443/glite_wms_wmproxy_server
Connection failed: SSL_ERROR_SSL
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
SSL connect failed in tcp_connect()
Error code: SOAP-ENV:Client
Error - Operation failed
Unable to find any endpoint where to perform service request
=======================================================================
<WMProxy log>:
[Thu Jul 31 12:33:13 2008] [debug] ssl_engine_kernel.c(1165): Certificate Verification: depth: 0, subject: /C=RU/O=RDIG/OU=users/OU=grid.kiae.ru/CN=Eygene Ryabinkin atALICE/CN=1465040036, issuer: /C=RU/O=RDIG/OU=users/OU=grid.kiae.ru/CN=Eygene Ryabinkin atALICE
[Thu Jul 31 12:33:13 2008] [error] Certificate Verification: Error (34): unhandled critical extension
[Thu Jul 31 12:33:13 2008] [debug] ssl_engine_kernel.c(1745): OpenSSL: Write: SSLv3 read client certificate B
[Thu Jul 31 12:33:13 2008] [debug] ssl_engine_kernel.c(1764): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Jul 31 12:33:13 2008] [debug] ssl_engine_kernel.c(1764): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Jul 31 12:33:13 2008] [info] SSL library error 1 in handshake (server octopus.grid.kiae.ru:443, client 144.206.66.14)
[Thu Jul 31 12:33:13 2008] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Thu Jul 31 12:33:13 2008] [info] Connection to child 0 closed with abortive shutdown(server octopus.grid.kiae.ru:443, client 144.206.66.14)
-----
The GT3 proxy validates within the WMProxy service, but LB fails to
verify the certificate:
-----
$ glite-wms-job-submit -a gate-alice.jdl
Connecting to the service https://octopus.grid.kiae.ru:7443/glite_wms_wmproxy_server
Warning - Unable to register the job to the service: https://octopus.grid.kiae.ru:7443/glite_wms_wmproxy_server
LBProxy is enabled
Register job failed to LB server: octopus.grid.kiae.ru:9000
edg_wll_RegisterJobProxy/Sync
Exit code: 1416
LB[Proxy] Error: LB server (bkserver,lbproxy) store protocol error
(edg_wll_RegisterJobProxy(): unable to register with bkserver
LB server (bkserver,lbproxy) store protocol error;; Logging library ERROR:
LB server (bkserver,lbproxy) store protocol error;; edg_wll_DoLogEventDirect(): edg_wll_log_direct_connect error
GSSAPI Error;; edg_wll_gss_connect();; GSS Error: GSS failure occured: GSS Major Status: Authentication Failed
(GSS Minor Status Error Chain:
globus_gsi_gssapi: SSLv3 handshake problems
globus_gsi_gssapi: Unable to verify remote side's credentials
globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert certificate unknown SSL alert number 46
))
Method: jobRegister
Switching to next WMProxy Server...
Error - Operation failed
Unable to find any endpoint where to perform service request
=======================================================================
<WMProxy log>:
[Thu Jul 31 12:35:18 2008] [info] Initial (No.1) HTTPS request received for child 5 (server octopus.grid.kiae.ru:443)
[Thu Jul 31 12:35:18 2008] [debug] mod_gridsite.c(2194): Using identity X509USER 1205413718 1239628118 1 /C=RU/O=RDIG/OU=users/OU=grid.kiae.ru/CN=Eygene Ryabinkin atALICE from SSL/TLS
[Thu Jul 31 12:35:18 2008] [debug] mod_gridsite.c(2397): After GACL/Onetime evaluation, GRST_PERM=0
[Thu Jul 31 12:35:21 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19429)
[Thu Jul 31 12:35:24 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19435)
[Thu Jul 31 12:35:27 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19441)
[Thu Jul 31 12:35:30 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19447)
[Thu Jul 31 12:35:33 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19453)
[Thu Jul 31 12:35:36 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19462)
[Thu Jul 31 12:35:39 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19468)
[Thu Jul 31 12:35:42 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19481)
[Thu Jul 31 12:35:45 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19487)
[Thu Jul 31 12:35:48 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19493)
[Thu Jul 31 12:35:51 2008] [warn] FastCGI: (dynamic) server "/opt/glite/bin/glite_wms_wmproxy_server" started (pid 19499)
[Thu Jul 31 12:35:52 2008] [debug] ssl_engine_kernel.c(1745): OpenSSL: Write: SSL negotiation finished successfully
[Thu Jul 31 12:35:52 2008] [info] Connection to child 5 closed with standard shutdown(server octopus.grid.kiae.ru:443, client 144.206.66.14)
-----
As I understand it, the message 'Unable to verify remote side's
credentials' is spat out by LB, so the remote side is the client
(WMProxy, which acts on behalf of the user) that tries to use the
service.
Another slightly strange thing is that the FastCGI backend
/opt/glite/bin/glite_wms_wmproxy_server is started 11 times to serve
one request. Is that normal?
Tue, Jul 15, 2008 at 11:44:01AM +0200, Maarten Litmaath wrote:
> Note that also gLite 3.0 lcg-CE nodes (still in use at many sites) and
> other gLite 3.0 services will not work with RFC proxies.
But will gLite 3.1 lcg-CEs work with GT3/RFC proxies?
Thank you!
--
Eygene Ryabinkin, Russian Research Centre "Kurchatov Institute"
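
Added example, not part of the original message: a Python triage of mod_ssl log lines in the format quoted above, pairing each "Certificate Verification" line with the error that follows it and flagging proxy certificates rejected with error 34. The sample log is constructed, and the DN heuristic (a trailing numeric CN for RFC/GT3-style proxies, CN=proxy for legacy ones) and all function names are assumptions of this example.

```python
import re

# Constructed sample in the mod_ssl log format quoted in the message (DNs are made up).
SAMPLE_LOG = """\
[Thu Jul 31 12:33:13 2008] [debug] ssl_engine_kernel.c(1165): Certificate Verification: depth: 0, subject: /C=XX/O=Example/CN=Test User/CN=1465040036, issuer: /C=XX/O=Example/CN=Test User
[Thu Jul 31 12:33:13 2008] [error] Certificate Verification: Error (34): unhandled critical extension
[Thu Jul 31 12:40:00 2008] [debug] ssl_engine_kernel.c(1165): Certificate Verification: depth: 0, subject: /C=XX/O=Example/CN=Test User/CN=proxy, issuer: /C=XX/O=Example/CN=Test User
[Thu Jul 31 12:40:00 2008] [debug] ssl_engine_kernel.c(1745): OpenSSL: Write: SSL negotiation finished successfully
"""

VERIFY = re.compile(r"Certificate Verification: depth: (\d+), subject: (.+), issuer: (.+)$")
ERROR = re.compile(r"\[error\] Certificate Verification: Error \((\d+)\): (.+)$")

def proxy_style(subject, issuer):
    """Guess the proxy flavour from the DNs: a proxy's subject is its issuer plus one CN."""
    prefix = issuer + "/CN="
    if not subject.startswith(prefix):
        return "not-a-proxy"
    last_cn = subject[len(prefix):]
    if last_cn in ("proxy", "limited proxy"):
        return "legacy"          # old Globus-style proxy, no critical extension
    # RFC 3820 and GT3 proxies both use a numeric CN; only the extension OID tells them apart.
    return "rfc-or-gt3" if last_cn.isdigit() else "unknown"

def triage(log_text):
    """Pair each verification line with the error line that follows it, if any."""
    findings, last = [], None
    for line in log_text.splitlines():
        m = VERIFY.search(line)
        if m:
            last = {"depth": int(m.group(1)), "subject": m.group(2),
                    "style": proxy_style(m.group(2), m.group(3)), "error": None}
            findings.append(last)
            continue
        m = ERROR.search(line)
        if m and last is not None:   # assumes lines of one handshake are not interleaved
            last["error"] = (int(m.group(1)), m.group(2))
            last = None
    return findings

def rejected_proxies(log_text):
    """Proxy certificates rejected with X509 verify error 34 (unhandled critical extension)."""
    return [f for f in triage(log_text)
            if f["error"] and f["error"][0] == 34 and f["style"] != "not-a-proxy"]

if __name__ == "__main__":
    for f in rejected_proxies(SAMPLE_LOG):
        print(f["style"], f["subject"], f["error"][1])
```

A hit from `rejected_proxies` means the server's verification code does not recognise the critical proxy extension in the presented certificate, which is the failure the first log excerpt shows.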