On Fri, Oct 23, 2009 at 5:36 AM, Tom Fifield <[log in to unmask]> wrote:
> Hi All,
>
> So I'm trying to set up a local VOMS, and the VOMS service itself appears to
> be functioning quite well: voms-proxy-init works great:
>
> [ui]$ voms-proxy-init --voms neuropsychiatry
> Your identity: /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
> Fifield
> Creating temporary proxy ............................ Done
> Contacting voms.atlas.unimelb.edu.au:16000 [/C=AU/O=APACGrid/OU=The
> University of Melbourne/CN=voms.atlas.unimelb.edu.au] "neuropsychiatry" Done
> Creating proxy ............................. Done
>
> However, voms-proxy-info and similar tools report that they can't verify its
> certificate. Note that this is the *error* message and not the similar
> harmless warning.
>
Hi Tom,

Create a file:
  /etc/grid-security/vomsdir/neuropsychiatry/voms.atlas.unimelb.edu.au.lsc
containing 2 lines.
  /C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au
  <issuer dn of this host cert>
Get the last line with
  openssl x509 -in /etc/grid-security/hostcert.pem -noout -issuer

> [ui]$ voms-proxy-info --all
> WARNING: Unable to verify signature! Server certificate possibly not
> installed.
> Error: Cannot verify AC signature!
> subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
> Fifield/CN=proxy
> issuer : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
> identity : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
> type : proxy
> strength : 1024 bits
> path : /tmp/x509up_u1056
> timeleft : 11:59:44
> === VO neuropsychiatry extension information ===
> VO : neuropsychiatry
> subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
> issuer : /C=AU/O=APACGrid/OU=The University of
> Melbourne/CN=voms.atlas.unimelb.edu.au
> attribute : /neuropsychiatry/Role=NULL/Capability=NULL
> timeleft : 11:59:24
> uri : voms.atlas.unimelb.edu.au:16000
>
> Which means things like job submission fail:
>
> [ui]$ glite-ce-job-submit -a --vo neuropsychiatry -r
> agh5.atlas.unimelb.edu.au/cream-pbs-neuropsychiatry test_freesurfer.jdl
> 2009-10-23 02:31:44,980 FATAL - Problems with proxyfile [/tmp/x509up_u1056]:
> WARNING: The VOMS attribute could not be verified. Possibly, the VOMS server
> certificate is not installed.
>
> Of course, you can use the --donot-verify-ac-sign option, but the CREAM CE
> is configured identically (all hail cfengine) and similar issues are
> encountered with the LCAS VOMS plugin. (If you'd really like to see those
> logs they're here: https://eppwiki.ph.unimelb.edu.au/glexec_lcas_lcmaps.log
> - vomsdata::Retrieve() returns VERR_SIGN)
>
> So, config:
>
> [ui]$ ls -l /etc/grid-security/vomsdir/
> ...
> drwxr-xr-x 2 root root 4096 Oct 23 01:05 neuropsychiatry
> ...
> voms.atlas.unimelb.edu.au.2009-09-04.pem
>
>
> [ui]$ cat
> /etc/grid-security/vomsdir/neuropsychiatry/voms.atlas.unimelb.edu.au.lsc
> /C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au
> [log in to unmask]
>
> [ui]$ cat /opt/glite/etc/vomses/neuropsychiatry-voms.atlas.unimelb.edu.au
> "neuropsychiatry" "voms.atlas.unimelb.edu.au" "16000"
> "/C=AU/O=APACGrid/OU=The University of
> Melbourne/CN=voms.atlas.unimelb.edu.au" "neuropsychiatry"
>
> CA cert is from IGTF distribution rpm ca_APAC.noarch and looks fine in
> /etc/grid-security/certificates/1e12d831.*
>
> This UI and the CREAM CE I'm attempting to submit to work fine with other
> VOs (atlas, dteam, belle).
>
> Random conspiracy theory: Our CA is probably one of very few that uses 4096
> bit certificates and the emailAddress field in its DN.
>
> I've probably missed something really trivial, but this is driving me mad.
> So if anyone has any suggestions, comments or queries that would make my
> fortnight...
>
> Regards,
>
> Tom
>
--
Steve Traylen
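
Added example, not part of the original message or of any VOMS tooling: a small shell helper that builds the two-line .lsc file described in the reply and checks an existing .lsc against the server certificate's subject and issuer DNs. The function names, the VOMS_CERT variable and the sample issuer DN are assumptions made for illustration, as is the use of "-nameopt compat" to get slash-separated DNs from newer OpenSSL releases.

```shell
#!/bin/sh
# Added example: build and check a VOMS .lsc file (server subject DN on
# line 1, issuer DN of that certificate on line 2).

# Strip the "subject=" / "issuer=" label and padding that openssl prints.
dn_only() {
    printf '%s\n' "$1" | sed -e 's/^subject=[[:space:]]*//' \
        -e 's/^issuer=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# make_lsc SUBJECT_LINE ISSUER_LINE: print the two lines of the .lsc file.
make_lsc() {
    dn_only "$1"
    dn_only "$2"
}

# lsc_from_cert CERT.pem: same, reading both DNs from a PEM certificate.
# Assumption: "-nameopt compat" yields the slash-separated DN form.
lsc_from_cert() {
    make_lsc "$(openssl x509 -in "$1" -noout -subject -nameopt compat)" \
             "$(openssl x509 -in "$1" -noout -issuer -nameopt compat)"
}

# check_lsc FILE SUBJECT_LINE ISSUER_LINE: 0 if FILE matches, 1 otherwise.
check_lsc() {
    rc=0
    if [ "$(sed -n '1p' "$1")" != "$(dn_only "$2")" ]; then
        echo "$1: line 1 is not the server certificate subject DN" >&2
        rc=1
    fi
    if [ "$(sed -n '2p' "$1")" != "$(dn_only "$3")" ]; then
        echo "$1: line 2 is not the server certificate issuer DN" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: the subject DN is the one quoted in the thread,
# the issuer DN is a placeholder (the real one is not shown on the page).
SAMPLE_SUBJECT='subject= /C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au'
SAMPLE_ISSUER='issuer= /C=XX/O=Example Grid/CN=Example CA'
make_lsc "$SAMPLE_SUBJECT" "$SAMPLE_ISSUER"

# Real use: VOMS_CERT=/etc/grid-security/hostcert.pem sh this_script.sh
if [ -n "${VOMS_CERT:-}" ]; then
    lsc_from_cert "$VOMS_CERT"
fi
```

check_lsc reports which of the two lines disagrees with the certificate, which separates a wrong issuer line from a wrong subject line.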