On 24/08/11 13:15, Mario Kadastik wrote:
> Hi,
>
> I've to say, configuring ARGUS seems a pain. I've just decided that because we are going to deploy >2 CREAM CE's we should deploy also ARGUS and possibly configure WN's to use glExec through ARGUS as well. However I seem to be stuck at the ARGUS level (even though I've also created a CREAM CE that is supposed to use it and that ain't working either).
>
> So what I did was follow the EMI guide for ARGUS deployment, which is simple enough. You install SL5 (in my case SL5.6), deploy the usual repositories of EPEL, EMI-1.0 and trust anchors and install emi-argus metapackage after the CA's are installed. Running the Yaim configuration yielded no errors and all the PAP, PEP, PDP what not services are running.
>
> Now I assume one has to define policies for the service to actually work because pap-admin lp showed none defined by default. So I did create a generic catch all policy:
>
> resource ".*" {
> action ".*" {
> rule permit { vo = "cms" }
> rule permit { vo = "ops" }
> rule permit { vo = "balticgrid" }
> }
> }
>
> I also tried once I had noticed things don't work a specific one:
>
> resource "myCE" {
> action "myAction" {
> rule permit { vo = "cms" }
> rule permit { vo = "ops" }
> rule permit { vo = "balticgrid" }
> }
> }
>
> Well neither works when I attempt for example to match my proxy to a user:
>
> [root@mercury argus]# pepcli -p http://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myAction

First thing that I see is that the ARGUS should be using SSL, so the URL should start with https:

Cheers,
Joni

> libargus-pep:ERROR: pep_authorize: PEP#0: HTTP status code: 0.
> pepcli:ERROR: failed to authorize XACML request: authorize request error
>
> Trying a simple command against the CREAM that's configured to use the ARGUS gives:
> [mario@neptune Skim3lep]$ glite-ce-allowed-submission europa.hep.kbfi.ee:8443
> 2011-08-24 14:05:26,115 WARN - No configuration file suitable for loading. Using built-in configuration
> 2011-08-24 14:05:26,224 ERROR - MethodName=[invoke] ErrorCode=[0] Description=[No PEP daemon(s) [http://mercury.hep.kbfi.ee:8154/authz] was able to process the request] FaultCause=[No PEP daemon(s) [http://mercury.hep.kbfi.ee:8154/authz] was able to process the request] Timestamp=[Wed 24 Aug 2011 14:05:26]
>
> And absolutely nothing useful is logged in any of the ARGUS services logs. I then increased the log level to DEBUG for PEPD and all I get is repetitive listings of
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_RSA_WITH_RC4_128_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_RSA_WITH_RC4_128_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> 2011-08-24 11:10:26.754Z - DEBUG [JettySslSelectChannelConnector] - disabling cipher: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> 2011-08-24 11:10:26.756Z - DEBUG [JettySslSelectChannelConnector] - enabling ciphers: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
>
> So the whole thing is not really helping me. Ideas how to debug this further? And in general it would be really helpful if the ARGUS deployment guide included example policies with testing instructions because deploying a thing is nice and dandy, but if there is no clue as to how to test it, then it's really a useless guide. I'm talking about this one:
> https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIDeployment
>
> The service reference card is not more helpful, it references a nagios module that might be used, but that's hardly a manual testing option to validate installation.
>
> The used site-info.def is here (with passwords modified):
> http://neptune.hep.kbfi.ee/mario/dbg/site-info.def
>
> Mario Kadastik, PhD
> Researcher
>
> ---
> "Physics is like sex, sure it may have practical reasons, but that's not why we do it"
> -- Richard P. Feynman
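
Added example (not part of the original thread and not ARGUS project code): a small triage script for the mismatch Joni points out, flagging PEP endpoint URLs addressed over plain http while the PEPD log shows the Jetty SSL connector in use. The log snippets are abridged from the messages above, the function names are hypothetical, and reading "HTTP status code: 0" as "no HTTP response received" is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: client-side lines and one PEPD debug line, abridged from the thread.
CLIENT_LOG = """\
pepcli -p http://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myAction
libargus-pep:ERROR: pep_authorize: PEP#0: HTTP status code: 0.
2011-08-24 14:05:26,224 ERROR - MethodName=[invoke] ErrorCode=[0] Description=[No PEP daemon(s) [http://mercury.hep.kbfi.ee:8154/authz] was able to process the request]
"""
SERVER_LOG = """\
2011-08-24 11:10:26.756Z - DEBUG [JettySslSelectChannelConnector] - enabling ciphers: [TLS_RSA_WITH_AES_128_CBC_SHA]
"""

URL_RE = re.compile(r"https?://[^\s\[\]]+")
# Assumption: both messages mean the client never received an HTTP response.
NO_RESPONSE_RE = re.compile(r"HTTP status code: 0\b|No PEP daemon\(s\) .* was able to process")


def server_uses_tls(server_log):
    """True if the PEPD log shows the Jetty SSL connector being configured."""
    return "JettySslSelectChannelConnector" in server_log


def triage(client_log, server_log):
    """Return one finding per plain-http PEP endpoint when the server side speaks TLS."""
    if not server_uses_tls(server_log):
        return []
    failed = bool(NO_RESPONSE_RE.search(client_log))
    findings = {}  # keyed by URL so repeated mentions collapse into one finding
    for url in URL_RE.findall(client_log):
        parts = urlsplit(url)
        if parts.scheme == "http":
            fixed = urlunsplit(("https",) + tuple(parts)[1:])
            findings[url] = {"endpoint": url, "suggested": fixed, "request_failed": failed}
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(CLIENT_LOG, SERVER_LOG):
        print(f"{f['endpoint']} -> {f['suggested']} (failure seen: {f['request_failed']})")
```
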