Hi All,
So I'm trying to set up a local VOMS, and the VOMS service itself appears
to be functioning quite well: voms-proxy-init works great:
[ui]$ voms-proxy-init --voms neuropsychiatry
Your identity: /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
Fifield
Creating temporary proxy ............................ Done
Contacting voms.atlas.unimelb.edu.au:16000 [/C=AU/O=APACGrid/OU=The
University of Melbourne/CN=voms.atlas.unimelb.edu.au] "neuropsychiatry" Done
Creating proxy ............................. Done
However, voms-proxy-info and similar tools report that they can't verify
its certificate. Note that this is the *error* message and not the
similar harmless warning.
[ui]$ voms-proxy-info --all
WARNING: Unable to verify signature! Server certificate possibly not
installed.
Error: Cannot verify AC signature!
subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
Fifield/CN=proxy
issuer : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
identity : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
type : proxy
strength : 1024 bits
path : /tmp/x509up_u1056
timeleft : 11:59:44
=== VO neuropsychiatry extension information ===
VO : neuropsychiatry
subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
issuer : /C=AU/O=APACGrid/OU=The University of
Melbourne/CN=voms.atlas.unimelb.edu.au
attribute : /neuropsychiatry/Role=NULL/Capability=NULL
timeleft : 11:59:24
uri : voms.atlas.unimelb.edu.au:16000
Which means things like job submission fail:
[ui]$ glite-ce-job-submit -a --vo neuropsychiatry -r
agh5.atlas.unimelb.edu.au/cream-pbs-neuropsychiatry test_freesurfer.jdl
2009-10-23 02:31:44,980 FATAL - Problems with proxyfile
[/tmp/x509up_u1056]: WARNING: The VOMS attribute could not be verified.
Possibly, the VOMS server certificate is not installed.
Of course, you can use the --donot-verify-ac-sign option, but the CREAM
CE is configured identically (all hail cfengine) and similar issues are
encountered with the LCAS VOMS plugin. (If you'd really like to see
those logs they're here:
https://eppwiki.ph.unimelb.edu.au/glexec_lcas_lcmaps.log -
vomsdata::Retrieve() returns VERR_SIGN)
So, config:
[ui]$ ls -l /etc/grid-security/vomsdir/
...
drwxr-xr-x 2 root root 4096 Oct 23 01:05 neuropsychiatry
...
voms.atlas.unimelb.edu.au.2009-09-04.pem
[ui]$ cat
/etc/grid-security/vomsdir/neuropsychiatry/voms.atlas.unimelb.edu.au.lsc
/C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au
[log in to unmask]
[ui]$ cat /opt/glite/etc/vomses/neuropsychiatry-voms.atlas.unimelb.edu.au
"neuropsychiatry" "voms.atlas.unimelb.edu.au" "16000"
"/C=AU/O=APACGrid/OU=The University of
Melbourne/CN=voms.atlas.unimelb.edu.au" "neuropsychiatry"
CA cert is from IGTF distribution rpm ca_APAC.noarch and looks fine in
/etc/grid-security/certificates/1e12d831.*
This UI and the CREAM CE I'm attempting to submit to work fine with
other VOs (atlas, dteam, belle).
Random conspiracy theory: Our CA is probably one of very few that uses
4096 bit certificates and the emailAddress field in its DN.
I've probably missed something really trivial, but this is driving me
mad. So if anyone has any suggestions, comments or queries that would
make my fortnight...
Regards,
Tom
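
Added example, not part of the original message and not VOMS project code: an offline consistency check of a vomsdir .lsc file against the DN chain of the VOMS server certificate (subject first, then its issuers). It assumes DNs are compared as exact strings and that alternative chains are separated by a "------ NEXT CHAIN ------" line; the function names are hypothetical and the CA DN in the sample is a constructed placeholder.

```python
import re

NEXT_CHAIN = "------ NEXT CHAIN ------"
# Server DN as shown in the message; the CA DN is a constructed placeholder.
SERVER_DN = "/C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au"
CA_DN = "/C=XX/O=Example Grid/CN=Example CA/emailAddress=ca@example.org"

def parse_lsc(text):
    """Return the chains in an .lsc file; each chain is a list of DN lines."""
    chains, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == NEXT_CHAIN:
            chains.append(current)
            current = []
        elif line:
            current.append(line)
    chains.append(current)
    return [c for c in chains if c]

def _loose(dn):
    """Diagnosis only: unify the e-mail attribute label and internal spacing."""
    dn = re.sub(r"/(emailAddress|Email|E)=", "/emailAddress=", dn)
    return re.sub(r"\s+", " ", dn).strip()

def check_lsc(lsc_text, presented_chain):
    """Compare the certificate's DN chain with every chain in the .lsc file.
    Returns (ok, findings); findings explain why no chain matched."""
    findings = []
    for n, chain in enumerate(parse_lsc(lsc_text), 1):
        if chain == presented_chain:
            return True, []
        if len(chain) != len(presented_chain):
            # A DN wrapped onto a second line shows up here as an extra entry.
            findings.append(f"chain {n}: {len(chain)} DN lines, expected {len(presented_chain)}")
            continue
        for want, got in zip(presented_chain, chain):
            if want == got:
                continue
            if _loose(want) == _loose(got):
                findings.append(f"chain {n}: differs only in e-mail label or spacing: {got!r}")
            else:
                findings.append(f"chain {n}: DN mismatch: {got!r} != {want!r}")
    return False, findings or ["no chains in LSC file"]

if __name__ == "__main__":
    lsc = SERVER_DN + "\n" + CA_DN.replace("/emailAddress=", "/Email=") + "\n"
    print(check_lsc(lsc, [SERVER_DN, CA_DN]))
```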