Hi Vladimir,
there appears to be a bug indeed, so please open a Savannah bug in the
Security category.
> On Sun, 14 Dec 2008 12:21:18 +0300
> "Voznesensky Vladimir" <[log in to unmask]> wrote:
> > Hello there.
> >
> > I've tried to use classic CE with RFC proxy certificate
> >chain (i.e. proxy issued using a proxy), and had no luck.
> > 1. Using a globus proxy chain:
> > ---8<---
> > vovic@ui:~$ glite-voms-proxy-init -voms rfusion
> >-path-length 20 -valid 24:00
> > Enter GRID pass phrase:
> > Your identity:
> >/C=RU/O=RDIG/OU=users/OU=grid.kiae.ru/CN=Vladimir
> >Voznesensky
> > Creating temporary proxy
> >............................................ Done
> > Contacting rdig-registrar.sinp.msu.ru:15005
> >[/C=RU/O=RDIG/OU=hosts/OU=sinp.msu.ru/CN=rdig-registrar.sinp.msu.ru]
> >"rfusion" Done
> > Creating proxy .........................................
> >Done
> > Your proxy is valid until Sun Dec 14 17:21:51 2008
> > vovic@ui:~$ glite-voms-proxy-init -voms rfusion -cert
> >/tmp/x509up_u1006 -key /tmp/x509up_u1006 -out proxy2
> >-path-length 15
> > Your identity:
> >/C=RU/O=RDIG/OU=users/OU=grid.kiae.ru/CN=Vladimir
> >Voznesensky/CN=proxy
> > Creating temporary proxy
> >..........................................................................
> >Done
> > Contacting rdig-registrar.sinp.msu.ru:15005
> >[/C=RU/O=RDIG/OU=hosts/OU=sinp.msu.ru/CN=rdig-registrar.sinp.msu.ru]
> >"rfusion" Done
> > Creating proxy .....................................
> >Done
> > Your proxy is valid until Sun Dec 14 05:22:05 2008
> > vovic@ui:~$ mv proxy2 /tmp/x509up_u1006
> > vovic@ui:~$ globusrun -a -r gate.grid.kiae.ru
> > GRAM Authentication test successful
> > --->8---
> > Works.
> > 2. Now with simple RFC proxy certificate:
> > ---8<---
> > vovic@ui:~$ glite-voms-proxy-init -rfc -voms rfusion
> >-path-length 20 -valid 24:00
> > Enter GRID pass phrase:
> > Your identity:
> >/C=RU/O=RDIG/OU=users/OU=grid.kiae.ru/CN=Vladimir
> >Voznesensky
> > Creating temporary proxy
> >.......................................... Done
> > Contacting rdig-registrar.sinp.msu.ru:15005
> >[/C=RU/O=RDIG/OU=hosts/OU=sinp.msu.ru/CN=rdig-registrar.sinp.msu.ru]
> >"rfusion" Done
> > Creating proxy ................................. Done
> > Your proxy is valid until Sun Dec 14 17:27:24 2008
> > vovic@ui:~$ globusrun -a -r gate.grid.kiae.ru
> > GRAM Authentication test successful
> > --->8---
> > Works too.
> > 3. And now derive an RFC proxy from another RFC proxy:
> > ---8<---
> > vovic@ui:~$ glite-voms-proxy-init -rfc -voms rfusion
> >-cert /tmp/x509up_u1006 -key /tmp/x509up_u1006 -out
> >proxy2 -path-length 15
> > Your identity:
> >/C=RU/O=RDIG/OU=users/OU=grid.kiae.ru/CN=Vladimir
> >Voznesensky/CN=1667011474
> > Creating temporary proxy
> >.............................................. Done
> > Contacting rdig-registrar.sinp.msu.ru:15005
> >[/C=RU/O=RDIG/OU=hosts/OU=sinp.msu.ru/CN=rdig-registrar.sinp.msu.ru]
> >"rfusion" Done
> > Creating proxy
> >................................................. Done
> > Your proxy is valid until Sun Dec 14 05:28:56 2008
> > vovic@ui:~$ mv proxy2 /tmp/x509up_u1006
> > vovic@ui:~$ globusrun -a -r gate.grid.kiae.ru
> > GRAM Authentication test failure: authentication with
> >the remote server failed
> > --->8---
> >Failed!
> >
> > If I understand correct, this bug will prevent WMS and
> >other services from submission of jobs to classic CEs
> >using RFC proxies.
> >
> > Ideas?
> >
> > Thank you.
> > VV
>
|