Hi,
I've to say, configuring ARGUS seems a pain. I've just decided that because we are going to deploy >2 CREAM CEs we should also deploy ARGUS and possibly configure WNs to use glExec through ARGUS as well. However I seem to be stuck at the ARGUS level (even though I've also created a CREAM CE that is supposed to use it and that ain't working either).
So what I did was follow the EMI guide for ARGUS deployment, which is simple enough. You install SL5 (in my case SL5.6), deploy the usual repositories of EPEL, EMI-1.0 and trust anchors and install the emi-argus metapackage after the CAs are installed. Running the Yaim configuration yielded no errors and all the PAP, PEP, PDP and whatnot services are running.
Now I assume one has to define policies for the service to actually work because pap-admin lp showed none defined by default. So I did create a generic catch-all policy:
    resource ".*" {
        action ".*" {
            rule permit { vo = "cms" }
            rule permit { vo = "ops" }
            rule permit { vo = "balticgrid" }
        }
    }
Once I had noticed things don't work, I also tried a specific one:
    resource "myCE" {
        action "myAction" {
            rule permit { vo = "cms" }
            rule permit { vo = "ops" }
            rule permit { vo = "balticgrid" }
        }
    }
Well, neither works when I attempt, for example, to match my proxy to a user:
[root@mercury argus]# pepcli -p http://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myAction
libargus-pep:ERROR: pep_authorize: PEP#0: HTTP status code: 0.
pepcli:ERROR: failed to authorize XACML request: authorize request error
Trying a simple command against the CREAM that's configured to use the ARGUS gives:
[mario@neptune Skim3lep]$ glite-ce-allowed-submission europa.hep.kbfi.ee:8443
2011-08-24 14:05:26,115 WARN - No configuration file suitable for loading. Using built-in configuration
2011-08-24 14:05:26,224 ERROR - MethodName=[invoke] ErrorCode=[0] Description=[No PEP daemon(s) [http://mercury.hep.kbfi.ee:8154/authz] was able to process the request] FaultCause=[No PEP daemon(s) [http://mercury.hep.kbfi.ee:8154/authz] was able to process the request] Timestamp=[Wed 24 Aug 2011 14:05:26]
And absolutely nothing useful is logged in any of the ARGUS services logs. I then increased the log level to DEBUG for PEPD and all I get is repetitive listings of
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_RSA_WITH_RC4_128_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_RSA_WITH_RC4_128_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
2011-08-24 11:10:26.756Z - DEBUG [JettySslSelectChannelConnector] - enabling ciphers: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
So the whole thing is not really helping me. Ideas how to debug this further? And in general it would be really helpful if the ARGUS deployment guide included example policies with testing instructions because deploying a thing is nice and dandy, but if there is no clue as to how to test it, then it's really a useless guide. I'm talking about this one:
https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIDeployment
The service reference card is no more helpful: it references a nagios module that might be used, but that's hardly a manual testing option to validate an installation.
The used site-info.def is here (with passwords modified):
http://neptune.hep.kbfi.ee/mario/dbg/site-info.def
Mario Kadastik, PhD
Researcher
---
"Physics is like sex, sure it may have practical reasons, but that's not why we do it"
-- Richard P. Feynman
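
Added example, not part of the original message and not ARGUS project code: a small Python audit of the PEPD DEBUG output quoted above. It lists the suites the Jetty SSL connector logged as enabled, flags the weak ones (RC4, DES, 3DES, export-grade), and reports when a client URL uses http:// while the log shows an SSL connector. The sample log is constructed from the quoted lines, and treating that connector as the listener behind the queried endpoint is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: two PEPD DEBUG lines in the format quoted in the message,
# with the "enabling ciphers" list shortened to eight entries.
SAMPLE_LOG = (
    "2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - "
    "disabling cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\n"
    "2011-08-24 11:10:26.756Z - DEBUG [JettySslSelectChannelConnector] - "
    "enabling ciphers: [SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, "
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]\n"
)
ENABLED_RE = re.compile(r"\[(\w+)\] - enabling ciphers: \[(.*)\]")
# (substring, reason); the first matching marker wins.
WEAK_MARKERS = [
    ("_EXPORT_", "export-grade key length"),
    ("_NULL_", "no encryption"),
    ("_anon_", "unauthenticated key exchange"),
    ("_RC4_", "RC4 stream cipher"),
    ("_3DES_", "64-bit block cipher"),
    ("_DES_", "single DES"),
    ("_MD5", "MD5-based MAC"),
]

def enabled_suites(log_text):
    """Map connector name -> cipher suites it logged as enabled."""
    found = {}
    for m in ENABLED_RE.finditer(log_text):
        names = [s.strip() for s in m.group(2).split(",") if s.strip()]
        # *_SCSV entries are signalling values, not ciphers.
        found[m.group(1)] = [n for n in names if not n.endswith("_SCSV")]
    return found

def weak_suites(suites):
    """Return (suite, reason) for every suite that matches a weak marker."""
    hits = []
    for suite in suites:
        reason = next((r for mark, r in WEAK_MARKERS if mark in suite), None)
        if reason:
            hits.append((suite, reason))
    return hits

def scheme_mismatch(log_text, endpoint_url):
    """True if the log shows an SSL connector but the client URL is http://."""
    has_ssl = any("Ssl" in name for name in enabled_suites(log_text))
    return has_ssl and urlparse(endpoint_url).scheme == "http"
```

A True result from scheme_mismatch is only a prompt to check which scheme the queried port actually serves; it does not by itself explain the pepcli error.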