Hello,
> Is the VOMS server configured for --newformat certificates ? This
> won't work with the WMS just yet and would produce the error you
> see. See https://savannah.cern.ch/bugs/?53314
I tried with both actually but neither works. Now I again made sure
that newformat is not used:
/opt/glite/etc/voms/test/voms.conf:
--vo=test
--port=15000
--code=15000
--uri=testvoms.edgitest:15000
--loglevel=4
--logtype=7
--timeout=86400
--logfile=/var/log/glite/voms.test
--passfile=/opt/glite/etc/voms/test/voms.pass
--sqlloc=/opt/glite/lib64/libvomsmysql.so
--dbname=test_db
--username=test_user
(deleted database and reconfigured VOMS).
And the created VOMS proxy also seems to be "OK" (the one the WMS in gLite
3.1 expects):
$ voms-proxy-info -all
subject : /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser/CN=proxy
issuer : /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
identity : /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
type : proxy
strength : 1024 bits
path : /tmp/x509up_u500
timeleft : 11:02:48
=== VO test extension information ===
VO : test
subject : /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
issuer : /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testvoms.edgitest
attribute : /test/Role=NULL/Capability=NULL
timeleft : 11:03:18
uri : testvoms.edgitest:15000
$ openssl asn1parse -in /tmp/x509up_u500 -i -dump -strparse 445
0:d=0 hl=4 l=1187 cons: SEQUENCE
4:d=1 hl=4 l=1183 cons: SEQUENCE
8:d=2 hl=4 l=1179 cons: SEQUENCE
12:d=3 hl=4 l=1028 cons: SEQUENCE
16:d=4 hl=2 l= 1 prim: INTEGER :01
19:d=4 hl=2 l= 98 cons: SEQUENCE
21:d=5 hl=2 l= 96 cons: cont [ 0 ]
23:d=6 hl=2 l= 91 cons: SEQUENCE
25:d=7 hl=2 l= 89 cons: cont [ 4 ]
27:d=8 hl=2 l= 87 cons: SEQUENCE
29:d=9 hl=2 l= 13 cons: SET
31:d=10 hl=2 l= 11 cons: SEQUENCE
33:d=11 hl=2 l= 3 prim: OBJECT :organizationName
38:d=11 hl=2 l= 4 prim: PRINTABLESTRING :Grid
44:d=9 hl=2 l= 17 cons: SET
46:d=10 hl=2 l= 15 cons: SEQUENCE
48:d=11 hl=2 l= 3 prim: OBJECT :organizationalUnitName
53:d=11 hl=2 l= 8 prim: PRINTABLESTRING :simpleCA
63:d=9 hl=2 l= 13 cons: SET
65:d=10 hl=2 l= 11 cons: SEQUENCE
67:d=11 hl=2 l= 3 prim: OBJECT :organizationalUnitName
72:d=11 hl=2 l= 4 prim: PRINTABLESTRING :EDGI
78:d=9 hl=2 l= 17 cons: SET
80:d=10 hl=2 l= 15 cons: SEQUENCE
82:d=11 hl=2 l= 3 prim: OBJECT :organizationalUnitName
87:d=11 hl=2 l= 8 prim: PRINTABLESTRING :edgitest
97:d=9 hl=2 l= 17 cons: SET
99:d=10 hl=2 l= 15 cons: SEQUENCE
101:d=11 hl=2 l= 3 prim: OBJECT :commonName
106:d=11 hl=2 l= 8 prim: PRINTABLESTRING :testuser
116:d=6 hl=2 l= 1 prim: INTEGER :05
119:d=4 hl=2 l= 102 cons: cont [ 0 ]
121:d=5 hl=2 l= 100 cons: SEQUENCE
123:d=6 hl=2 l= 98 cons: cont [ 4 ]
125:d=7 hl=2 l= 96 cons: SEQUENCE
127:d=8 hl=2 l= 13 cons: SET
129:d=9 hl=2 l= 11 cons: SEQUENCE
131:d=10 hl=2 l= 3 prim: OBJECT :organizationName
136:d=10 hl=2 l= 4 prim: PRINTABLESTRING :Grid
142:d=8 hl=2 l= 17 cons: SET
144:d=9 hl=2 l= 15 cons: SEQUENCE
146:d=10 hl=2 l= 3 prim: OBJECT :organizationalUnitName
151:d=10 hl=2 l= 8 prim: PRINTABLESTRING :simpleCA
161:d=8 hl=2 l= 13 cons: SET
163:d=9 hl=2 l= 11 cons: SEQUENCE
165:d=10 hl=2 l= 3 prim: OBJECT :organizationalUnitName
170:d=10 hl=2 l= 4 prim: PRINTABLESTRING :EDGI
176:d=8 hl=2 l= 17 cons: SET
178:d=9 hl=2 l= 15 cons: SEQUENCE
180:d=10 hl=2 l= 3 prim: OBJECT :organizationalUnitName
185:d=10 hl=2 l= 8 prim: PRINTABLESTRING :edgitest
195:d=8 hl=2 l= 26 cons: SET
197:d=9 hl=2 l= 24 cons: SEQUENCE
199:d=10 hl=2 l= 3 prim: OBJECT :commonName
204:d=10 hl=2 l= 17 prim: PRINTABLESTRING :testvoms.edgitest
223:d=4 hl=2 l= 13 cons: SEQUENCE
225:d=5 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
236:d=5 hl=2 l= 0 prim: NULL
238:d=4 hl=2 l= 16 prim: INTEGER :68285BA57E674C21BAAA0A1201E77499
256:d=4 hl=2 l= 34 cons: SEQUENCE
258:d=5 hl=2 l= 15 prim: GENERALIZEDTIME :20100827141432Z
275:d=5 hl=2 l= 15 prim: GENERALIZEDTIME :20100828021432Z
292:d=4 hl=2 l= 87 cons: SEQUENCE
294:d=5 hl=2 l= 85 cons: SEQUENCE
296:d=6 hl=2 l= 10 prim: OBJECT :1.3.6.1.4.1.8005.100.100.4
308:d=6 hl=2 l= 71 cons: SET
310:d=7 hl=2 l= 69 cons: SEQUENCE
312:d=8 hl=2 l= 32 cons: cont [ 0 ]
314:d=9 hl=2 l= 30 prim: cont [ 6 ]
346:d=8 hl=2 l= 33 cons: SEQUENCE
348:d=9 hl=2 l= 31 prim: OCTET STRING :/test/Role=NULL/Capability=NULL
gsiftp works:
$ uberftp testwms.edgitest pwd
220 testwms.edgitest GridFTP Server 2.3 (gcc32dbg, 1144436882-63) ready.
230 User test001 logged in.
/home/test001
but wmproxy says:
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": getProxyReq operation called
27 Aug, 16:51:03 -I- PID: 16296 - "wmpcommon::initWMProxyOperation": ================== Incoming Request ==================
27 Aug, 16:51:03 -I- PID: 16296 - "wmpcommon::initWMProxyOperation": Called Operation: getProxyReq
27 Aug, 16:51:03 -D- PID: 16296 - "wmpcommon::initWMProxyOperation": Remote Host Address: 192.168.143.101:44472
27 Aug, 16:51:03 -D- PID: 16296 - "wmpcommon::initWMProxyOperation": Remote Host Name: testui.edgitest
27 Aug, 16:51:03 -D- PID: 16296 - "wmpcommon::initWMProxyOperation": Remote CLIENT S DN: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser/CN=proxy
27 Aug, 16:51:03 -D- PID: 16296 - "wmpcommon::initWMProxyOperation": Remote GRST CRED: Not Available
27 Aug, 16:51:03 -D- PID: 16296 - "wmpcommon::initWMProxyOperation": Service GRST PROXY LIMIT: 6
27 Aug, 16:51:03 -I- PID: 16296 - "wmpcommon::initWMProxyOperation": WMProxy instance serving core request N.: 2
27 Aug, 16:51:03 -D- PID: 16296 - "wmpcommon::setGlobalSandboxDir": Sandbox directory: SandboxDir
27 Aug, 16:51:03 -D- PID: 16296 - "wmpoperations::getProxyReq": Authorizing user...
27 Aug, 16:51:03 -D- PID: 16296 - "WMPAuthorizer::WMPAuthorizer": LCMAPS log file: /var/log/glite/lcmaps.log
27 Aug, 16:51:03 -D- PID: 16296 - "WMPAuthorizer::authorize": Delegated Proxy FQAN:
27 Aug, 16:51:03 -D- PID: 16296 - "WMPAuthorizer::authorize": Request's Proxy FQAN:
27 Aug, 16:51:03 -W- PID: 16296 - "WMPAuthorizer::checkGaclUserAuthZ": Unknown voms fqan: GRST_CRED_2 environment variable not set
27 Aug, 16:51:03 -D- PID: 16296 - "WMPAuthorizer::checkGaclUserAuthZ": fqan=
27 Aug, 16:51:03 -D- PID: 16296 - "wmputils::getUserDN": Getting user DN...
27 Aug, 16:51:03 -D- PID: 16296 - "wmputils::convertDNEMailAddress": Converted DN: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
27 Aug, 16:51:03 -D- PID: 16296 - "wmputils::getUserDN": User DN: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
27 Aug, 16:51:03 -D- PID: 16296 - "wmputils::getUserDN": Getting user DN...
27 Aug, 16:51:03 -D- PID: 16296 - "wmputils::convertDNEMailAddress": Converted DN: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
27 Aug, 16:51:03 -D- PID: 16296 - "wmputils::getUserDN": User DN: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
27 Aug, 16:51:03 -D- PID: 16296 - "wmputils::convertDNEMailAddress": Converted DN: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
27 Aug, 16:51:03 -D- PID: 16296 - "GaclManager::gaclExists": checking file gacl existence
27 Aug, 16:51:03 -D- PID: 16296 - "GaclManager::loadFromFile": loading gacl from file : [/opt/glite/etc/glite_wms_wmproxy.gacl]
27 Aug, 16:51:03 -D- PID: 16296 - "WMPAuthorizer::checkGaclUserAuthZ": Checking gacl file entries...
27 Aug, 16:51:03 -D- PID: 16296 - "WMPAuthorizer::checkGaclUserAuthZ": VOMS credential type present
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": ------------------------------- Fault Description --------------------------------
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": Method: getProxyReq
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": Code: 58
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": Description: Authorization error: user not authorized
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": Stack:
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": AuthorizationException: Authorization error: user not authorized at checkGaclUserAuthZ()[wmpauthorizer.cpp:464]
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": at checkGaclUserAuthZ()[wmpauthorizer.cpp:303]
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": at authorize()[wmpauthorizer.cpp:169]
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": at getProxyReq()[wmpoperations.cpp:629]
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": ----------------------------------------------------------------------------------
27 Aug, 16:51:03 -D- PID: 16296 - "wmpgsoapoperations::delegationns__getProxyReq": getProxyReq operation completed
The gridsite debug log says:
[Fri Aug 27 16:51:03 2010] [debug] mod_gridsite.c(2622): Skip Invalid CA error in case a GSI Proxy
[Fri Aug 27 16:51:03 2010] [debug] ssl_engine_kernel.c(1180): Certificate Verification: depth: 1, subject: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser, issuer: /O=Grid/OU=simpleCA/OU=EDGI/CN=EDGI Test CA
[Fri Aug 27 16:51:03 2010] [debug] ssl_engine_kernel.c(1180): Certificate Verification: depth: 2, subject: /O=Grid/OU=simpleCA/OU=EDGI/CN=EDGI Test CA, issuer: /O=Grid/OU=simpleCA/OU=EDGI/CN=EDGI Test CA
[Fri Aug 27 16:51:03 2010] [debug] ssl_engine_kernel.c(1372): CA CRL: Issuer: O=Grid, OU=simpleCA, OU=EDGI, CN=EDGI Test CA, lastUpdate: Aug 5 18:44:35 2010 GMT, nextUpdate: Aug 4 18:44:35 2015 GMT
[Fri Aug 27 16:51:03 2010] [debug] ssl_engine_kernel.c(1180): Certificate Verification: depth: 1, subject: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser, issuer: /O=Grid/OU=simpleCA/OU=EDGI/CN=EDGI Test CA
[Fri Aug 27 16:51:03 2010] [debug] ssl_engine_kernel.c(1180): Certificate Verification: depth: 0, subject: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser/CN=proxy, issuer: /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
[Fri Aug 27 16:51:03 2010] [debug] mod_gridsite.c(2679): Valid certificate chain reported by GRSTx509CheckChain()
[Fri Aug 27 16:51:03 2010] [debug] mod_gridsite.c(2073): set GRST_save_ssl_creds
[Fri Aug 27 16:51:03 2010] [debug] mod_gridsite.c(2104): store GRST_CRED_0=X509USER 1281192654 1360075854 1 /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser
[Fri Aug 27 16:51:03 2010] [debug] mod_gridsite.c(2104): store GRST_CRED_1=GSIPROXY 1282918142 1282961642 1 /O=Grid/OU=simpleCA/OU=EDGI/OU=edgitest/CN=testuser/CN=proxy
[Fri Aug 27 16:51:03 2010] [debug] ssl_engine_kernel.c(1730): OpenSSL: Loop: SSLv3 read client certificate A
It seems gridsite just ignores the VOMS extension created by a gLite
3.2 VOMS for some reason. I remember a similar problem from some time
ago that was caused by the latest updates to mod_ssl, so I also tried
downgrading to a known working version, to no avail. Currently I have:
glite-WMS-3.1.29-0.slc4
httpd-suexec-2.0.52-41.sl4.6
httpd-2.0.52-41.sl4.6
mod_fastcgi-2.4.3-1.slc4
mod_ssl-2.0.52-41.sl4.6
glite-security-voms-api-c-1.9.10-6.slc4
glite-security-lcmaps-plugins-voms-1.3.7-5.slc4
glite-security-voms-api-cpp-1.9.10-8.slc4
lcg-vomscerts-6.0.0-1
glite-security-lcas-plugins-voms-1.3.4-5.slc4
Interestingly, however, a proxy generated by a gLite 3.1 VOMS server
works:
$ X509_USER_PROXY=x509up_u10000 voms-proxy-info -all
subject : /C=HU/O=NIIF CA/OU=GRID/OU=SZTAKI/CN=Balaton Zoltan/CN=proxy
issuer : /C=HU/O=NIIF CA/OU=GRID/OU=SZTAKI/CN=Balaton Zoltan
identity : /C=HU/O=NIIF CA/OU=GRID/OU=SZTAKI/CN=Balaton Zoltan
type : proxy
strength : 1024 bits
path : x509up_u10000
timeleft : 8:38:14
=== VO desktopgrid.vo.edges-grid.eu extension information ===
VO : desktopgrid.vo.edges-grid.eu
subject : /C=HU/O=NIIF CA/OU=GRID/OU=SZTAKI/CN=Balaton Zoltan
issuer : /C=HU/O=NIIF CA/OU=GRID/OU=MTA SZTAKI/CN=voms.grid.edges-grid.eu
attribute : /desktopgrid.vo.edges-grid.eu/Role=NULL/Capability=NULL
timeleft : 8:38:14
uri : voms.grid.edges-grid.eu:15000
0:d=0 hl=4 l=1868 cons: SEQUENCE
4:d=1 hl=4 l=1864 cons: SEQUENCE
8:d=2 hl=4 l=1860 cons: SEQUENCE
12:d=3 hl=4 l=1709 cons: SEQUENCE
16:d=4 hl=2 l= 1 prim: INTEGER :01
19:d=4 hl=2 l= 100 cons: SEQUENCE
21:d=5 hl=2 l= 98 cons: cont [ 0 ]
23:d=6 hl=2 l= 92 cons: SEQUENCE
25:d=7 hl=2 l= 90 cons: cont [ 4 ]
27:d=8 hl=2 l= 88 cons: SEQUENCE
29:d=9 hl=2 l= 11 cons: SET
31:d=10 hl=2 l= 9 cons: SEQUENCE
33:d=11 hl=2 l= 3 prim: OBJECT :countryName
38:d=11 hl=2 l= 2 prim: PRINTABLESTRING :HU
42:d=9 hl=2 l= 16 cons: SET
44:d=10 hl=2 l= 14 cons: SEQUENCE
46:d=11 hl=2 l= 3 prim: OBJECT :organizationName
51:d=11 hl=2 l= 7 prim: PRINTABLESTRING :NIIF CA
60:d=9 hl=2 l= 13 cons: SET
62:d=10 hl=2 l= 11 cons: SEQUENCE
64:d=11 hl=2 l= 3 prim: OBJECT :organizationalUnitName
69:d=11 hl=2 l= 4 prim: PRINTABLESTRING :GRID
75:d=9 hl=2 l= 15 cons: SET
77:d=10 hl=2 l= 13 cons: SEQUENCE
79:d=11 hl=2 l= 3 prim: OBJECT :organizationalUnitName
84:d=11 hl=2 l= 6 prim: PRINTABLESTRING :SZTAKI
92:d=9 hl=2 l= 23 cons: SET
94:d=10 hl=2 l= 21 cons: SEQUENCE
96:d=11 hl=2 l= 3 prim: OBJECT :commonName
101:d=11 hl=2 l= 14 prim: PRINTABLESTRING :Balaton Zoltan
117:d=6 hl=2 l= 2 prim: INTEGER :042F
121:d=4 hl=2 l= 107 cons: cont [ 0 ]
123:d=5 hl=2 l= 105 cons: SEQUENCE
125:d=6 hl=2 l= 103 cons: cont [ 4 ]
127:d=7 hl=2 l= 101 cons: SEQUENCE
129:d=8 hl=2 l= 11 cons: SET
131:d=9 hl=2 l= 9 cons: SEQUENCE
133:d=10 hl=2 l= 3 prim: OBJECT :countryName
138:d=10 hl=2 l= 2 prim: PRINTABLESTRING :HU
142:d=8 hl=2 l= 16 cons: SET
144:d=9 hl=2 l= 14 cons: SEQUENCE
146:d=10 hl=2 l= 3 prim: OBJECT :organizationName
151:d=10 hl=2 l= 7 prim: PRINTABLESTRING :NIIF CA
160:d=8 hl=2 l= 13 cons: SET
162:d=9 hl=2 l= 11 cons: SEQUENCE
164:d=10 hl=2 l= 3 prim: OBJECT :organizationalUnitName
169:d=10 hl=2 l= 4 prim: PRINTABLESTRING :GRID
175:d=8 hl=2 l= 19 cons: SET
177:d=9 hl=2 l= 17 cons: SEQUENCE
179:d=10 hl=2 l= 3 prim: OBJECT :organizationalUnitName
184:d=10 hl=2 l= 10 prim: PRINTABLESTRING :MTA SZTAKI
196:d=8 hl=2 l= 32 cons: SET
198:d=9 hl=2 l= 30 cons: SEQUENCE
200:d=10 hl=2 l= 3 prim: OBJECT :commonName
205:d=10 hl=2 l= 23 prim: PRINTABLESTRING :voms.grid.edges-grid.eu
230:d=4 hl=2 l= 13 cons: SEQUENCE
232:d=5 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
243:d=5 hl=2 l= 0 prim: NULL
245:d=4 hl=2 l= 16 prim: INTEGER :78AC65B80A144C76943A64C473DFB121
263:d=4 hl=2 l= 34 cons: SEQUENCE
265:d=5 hl=2 l= 15 prim: GENERALIZEDTIME :20100827123931Z
282:d=5 hl=2 l= 15 prim: GENERALIZEDTIME :20100828003931Z
299:d=4 hl=3 l= 142 cons: SEQUENCE
302:d=5 hl=3 l= 139 cons: SEQUENCE
305:d=6 hl=2 l= 10 prim: OBJECT :1.3.6.1.4.1.8005.100.100.4
317:d=6 hl=2 l= 125 cons: SET
319:d=7 hl=2 l= 123 cons: SEQUENCE
321:d=8 hl=2 l= 62 cons: cont [ 0 ]
323:d=9 hl=2 l= 60 prim: cont [ 6 ]
385:d=8 hl=2 l= 57 cons: SEQUENCE
387:d=9 hl=2 l= 55 prim: OCTET STRING :/desktopgrid.vo.edges-grid.eu/Role=NULL/Capability=NULL
Although it looks quite similar to me. Any idea on how to further
debug or solve this is greatly appreciated.
Thank you,
BALATON Zoltan
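Added example for the comparison made in the message above. This is editor-supplied code, not anything from the original post or from gLite, VOMS or gridsite: a small DER walker in Python that locates every VOMS FQAN attribute (OID 1.3.6.1.4.1.8005.100.100.4, the one visible in both asn1parse dumps) in a DER blob and returns the FQAN strings together with the value of the "cont [ 6 ]" element, so the two proxies can be compared by script rather than by eye. Assumptions: the "cont [ 6 ]" value is read as the GeneralName URI of the form VO://host:port (the lengths 30 and 60 in the two dumps fit that reading, and the test data is built that way), and the sample data constructed at the bottom mirrors the dump layout but is not taken from a real proxy. The code only decodes the attribute; it verifies neither the AC signature nor the chain, so it is a diagnostic, not an authorization check.

```python
# Added example, not code from the original post or from gLite/VOMS/gridsite: a small
# DER walker that pulls every VOMS FQAN attribute (OID 1.3.6.1.4.1.8005.100.100.4, the
# one in the asn1parse dumps above) out of a DER blob. Assumption: the "cont [ 6 ]"
# value is the GeneralName URI "VO://host:port". The sample data below is constructed.
import base64
import re

VOMS_FQAN_OID = "1.3.6.1.4.1.8005.100.100.4"
SEQUENCE, SET, OCTET_STRING, OID, INTEGER = 0x30, 0x31, 0x04, 0x06, 0x02
CTX0_CONS, CTX6_PRIM = 0xA0, 0x86   # "cont [ 0 ]" constructed, "cont [ 6 ]" primitive

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(data, pos):
    """Return (tag, constructed, body_start, body_end) for the TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated TLV")
    return tag, bool(tag & 0x20), pos, pos + length

def walk(data, start=0, end=None):
    """Depth-first generator over every TLV in data[start:end]."""
    pos, end = start, len(data) if end is None else end
    while pos < end:
        tlv = read_tlv(data, pos)
        yield tlv
        if tlv[1]:
            yield from walk(data, tlv[2], tlv[3])
        pos = tlv[3]

def find_voms_attributes(data):
    """[(policy_authority_uri, [fqan, ...]), ...] for every VOMS FQAN attribute in data."""
    found = []
    for tag, _, bs, be in walk(data):
        if tag != SEQUENCE or bs == be:
            continue
        t, _, s, after_oid = read_tlv(data, bs)       # first element of this SEQUENCE
        if t != OID or s == after_oid or decode_oid(data[s:after_oid]) != VOMS_FQAN_OID:
            continue
        uri, fqans = None, []
        for t, cons, s, e in walk(data, after_oid, be):
            if t == CTX6_PRIM:                        # assumed: URI "VO://host:port"
                uri = data[s:e].decode("ascii")
            elif t == OCTET_STRING and not cons:      # one FQAN per OCTET STRING
                fqans.append(data[s:e].decode("ascii"))
        found.append((uri, fqans))
    return found

def pem_to_der(text):
    """DER of the first CERTIFICATE block in a PEM proxy file such as /tmp/x509up_u500."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def build_sample_attribute(vo, host_port, fqans):
    """Constructed: SEQUENCE { OID, SET { SEQUENCE { [0] { [6] uri }, SEQUENCE { OCTET STRING... } } } }"""
    authority = der(CTX0_CONS, der(CTX6_PRIM, f"{vo}://{host_port}".encode()))
    values = der(SEQUENCE, b"".join(der(OCTET_STRING, f.encode()) for f in fqans))
    return der(SEQUENCE, der(OID, encode_oid(VOMS_FQAN_OID)) + der(SET, der(SEQUENCE, authority + values)))

def build_sample_blob():
    """Constructed: the attribute nested a few levels down, next to an unrelated one."""
    decoy = der(SEQUENCE, der(OID, encode_oid("2.5.4.3")) + der(OCTET_STRING, b"not an FQAN"))
    attr = build_sample_attribute("test", "testvoms.edgitest:15000", ["/test/Role=NULL/Capability=NULL"])
    return der(SEQUENCE, der(INTEGER, b"\x01") + der(SET, decoy + attr))

if __name__ == "__main__":
    import sys
    blob = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else build_sample_blob()
    print(find_voms_attributes(blob))
```

Run it with no argument to see the constructed sample decoded, or pass a PEM proxy file (for instance /tmp/x509up_u500 from the output above) to print what the first certificate in that file, which is the proxy certificate itself, carries. Built with the strings from the first dump, the sample attribute comes out at 87 bytes, the same total that asn1parse reports for the corresponding SEQUENCE there; the second dump's strings give 142 bytes, again matching. An empty result on the failing proxy, or a result that differs from the working one, narrows the problem to the extension contents rather than to the certificate chain.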