Hi Steve,
Thanks for the reply. Unfortunately I already have that file in place.
>> [ui]$ cat /etc/grid-security/vomsdir/neuropsychiatry/voms.atlas.unimelb.edu.au.lsc
>> /C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au
>> [log in to unmask]
Regards,
Tom
Steve Traylen wrote:
> On Fri, Oct 23, 2009 at 5:36 AM, Tom Fifield <[log in to unmask]> wrote:
>> Hi All,
>>
>> So I'm trying to set up a local VOMS, and the VOMS service itself appears to
>> be functioning quite well: voms-proxy-init works great:
>>
>> [ui]$ voms-proxy-init --voms neuropsychiatry
>> Your identity: /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
>> Fifield
>> Creating temporary proxy ............................ Done
>> Contacting voms.atlas.unimelb.edu.au:16000 [/C=AU/O=APACGrid/OU=The
>> University of Melbourne/CN=voms.atlas.unimelb.edu.au] "neuropsychiatry" Done
>> Creating proxy ............................. Done
>>
>> However, voms-proxy-info and similar tools report that they can't verify its
>> certificate. Note that this is the *error* message and not the similar
>> harmless warning.
>>
>
> Hi Tom,
>
> Create a file:
>
> /etc/grid-security/vomsdir/neuropsychiatry/voms.atlas.unimelb.edu.au.lsc
>
> containing 2 lines.
>
>
> /C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au
> <issuer DN of this host cert>
>
>
> Get the last line with
> openssl x509 -in /etc/grid-security/hostcert.pem -noout -issuer
>
>> [ui]$ voms-proxy-info --all
>> WARNING: Unable to verify signature! Server certificate possibly not
>> installed.
>> Error: Cannot verify AC signature!
>> subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
>> Fifield/CN=proxy
>> issuer : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
>> identity : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
>> type : proxy
>> strength : 1024 bits
>> path : /tmp/x509up_u1056
>> timeleft : 11:59:44
>> === VO neuropsychiatry extension information ===
>> VO : neuropsychiatry
>> subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
>> issuer : /C=AU/O=APACGrid/OU=The University of
>> Melbourne/CN=voms.atlas.unimelb.edu.au
>> attribute : /neuropsychiatry/Role=NULL/Capability=NULL
>> timeleft : 11:59:24
>> uri : voms.atlas.unimelb.edu.au:16000
>>
>> Which means things like job submission fail:
>>
>> [ui]$ glite-ce-job-submit -a --vo neuropsychiatry -r
>> agh5.atlas.unimelb.edu.au/cream-pbs-neuropsychiatry test_freesurfer.jdl
>> 2009-10-23 02:31:44,980 FATAL - Problems with proxyfile [/tmp/x509up_u1056]:
>> WARNING: The VOMS attribute could not be verified. Possibly, the VOMS server
>> certificate is not installed.
>>
>> Of course, you can use the --donot-verify-ac-sign option, but the CREAM CE
>> is configured identically (all hail cfengine) and similar issues are
>> encountered with the LCAS VOMS plugin. (If you'd really like to see those
>> logs they're here: https://eppwiki.ph.unimelb.edu.au/glexec_lcas_lcmaps.log
>> - vomsdata::Retrieve() returns VERR_SIGN)
>>
>> So, config:
>>
>> [ui]$ ls -l /etc/grid-security/vomsdir/
>> ...
>> drwxr-xr-x 2 root root 4096 Oct 23 01:05 neuropsychiatry
>> ...
>> voms.atlas.unimelb.edu.au.2009-09-04.pem
>>
>>
>> [ui]$ cat
>> /etc/grid-security/vomsdir/neuropsychiatry/voms.atlas.unimelb.edu.au.lsc
>> /C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au
>> [log in to unmask]
>>
>> [ui]$ cat /opt/glite/etc/vomses/neuropsychiatry-voms.atlas.unimelb.edu.au
>> "neuropsychiatry" "voms.atlas.unimelb.edu.au" "16000"
>> "/C=AU/O=APACGrid/OU=The University of
>> Melbourne/CN=voms.atlas.unimelb.edu.au" "neuropsychiatry"
>>
>> CA cert is from IGTF distribution rpm ca_APAC.noarch and looks fine in
>> /etc/grid-security/certificates/1e12d831.*
>>
>> This UI and the CREAM CE I'm attempting to submit to work fine with other
>> VOs (atlas, dteam, belle).
>>
>> Random conspiracy theory: Our CA is probably one of very few that uses 4096
>> bit certificates and the emailAddress field in its DN.
>>
>> I've probably missed something really trivial, but this is driving me mad.
>> So if anyone has any suggestions, comments or queries that would make my
>> fortnight...
>>
>> Regards,
>>
>> Tom
>>
>
>
>
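The check Steve describes (the .lsc file holds the host certificate's subject DN, then its issuer DN) can be scripted. The following is an added shell example, not part of the thread or of the VOMS tools. The function names `bare_dn` and `lsc_check` are made up for the example, and it assumes a strict string comparison against OpenSSL's `/C=.../CN=...` rendering of the DNs.

```shell
#!/bin/sh
# Added example: compare a VOMS .lsc file with the subject and issuer DN of
# the VOMS server's host certificate. Assumption: strict string equality.

# Reduce `openssl x509 -noout -subject` / `-issuer` output to the bare DN by
# dropping the "subject=" / "issuer=" label and surrounding whitespace.
bare_dn() {
    sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# lsc_check FILE SUBJECT_DN ISSUER_DN
# Prints one line per problem; returns 0 only if the file matches exactly.
lsc_check() {
    lsc_file=$1; want_subject=$2; want_issuer=$3
    problems=0; count=0; got_subject=; got_issuer=
    while IFS= read -r dn || [ -n "$dn" ]; do
        [ -n "$dn" ] || continue               # skip blank lines
        count=$((count + 1))
        case $dn in
            /*) ;;
            *)  echo "entry $count does not start with '/': wrapped DN? [$dn]"
                problems=$((problems + 1)) ;;
        esac
        case $count in
            1) got_subject=$dn ;;
            2) got_issuer=$dn ;;
        esac
    done < "$lsc_file"
    if [ "$count" -ne 2 ]; then
        echo "expected 2 DN lines (subject, then issuer), found $count"
        problems=$((problems + 1))
    fi
    # Brackets make stray leading/trailing whitespace visible in the report.
    if [ "$got_subject" != "$want_subject" ]; then
        echo "subject mismatch: lsc=[$got_subject] cert=[$want_subject]"
        problems=$((problems + 1))
    fi
    if [ "$got_issuer" != "$want_issuer" ]; then
        echo "issuer mismatch: lsc=[$got_issuer] cert=[$want_issuer]"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Real use: lsc-check.sh FILE.lsc HOSTCERT.pem
# "-nameopt compat" asks newer OpenSSL releases for the /C=../O=.. form.
if [ "$#" -eq 2 ]; then
    subject=$(openssl x509 -in "$2" -noout -subject -nameopt compat | bare_dn)
    issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt compat | bare_dn)
    lsc_check "$1" "$subject" "$issuer"
fi
```

The certificate passed as the second argument is the VOMS server's host certificate, so the script is run where that file is readable or against a copy of it.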