Hi Maarten,

On Wed, 2013-12-18 at 18:51 +0100, Maarten Litmaath wrote:
> Hi Andreas, all,
>
> > During the investigation I found out that e.g. glite-ce-job-submit from
> > the EMI-2 UI (I don't have an EMI-3 UI here to check), produces 512-bit
> > delegation proxies by default when used with the '-a' switch.
>
> I was not able to reproduce that with our UIs and CEs?!
> Our CEs were not updated to the latest "gridsite" yet
> and on the UIs the exact version does not seem to matter...

That's really strange!

> Maybe there was a confusion with glite-wms-job-submit (sic)?

No, I really used glite-ce-job-submit - but you're right:
glite-wms-job-submit also produces 512-bit proxies.

> That command indeed delegates 512-bit proxies, unless the "gridsite"
> rpms on the target _WMS_ have been updated to the latest version.

I updated gridsite on our test CREAM to the latest version
(gridsite-libs-1.7.29-1.el6.x86_64). The UI client is still EMI-2 with
an older version.

[nomos127] ~/grid/test % voms-proxy-info -all
subject : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=proxy
issuer : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
identity : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
type : proxy
strength : 1024 bits
path : /tmp/x509up_u9132
timeleft : 11:54:49
key usage : Digital Signature, Key Encipherment, Data Encipherment
=== VO dteam extension information ===
VO : dteam
subject : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
issuer : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/NGI_DE/Role=NULL/Capability=NULL
timeleft : 11:54:49
uri : voms.hellasgrid.gr:15004
[nomos127] ~/grid/test % glite-ce-job-submit -a -r nero-vm4.ifh.de:8443/cream-pbs-dteam test.jdl
https://nero-vm4.ifh.de:8443/CREAM106844330
[nomos127] ~/grid/test % glite-ce-job-status https://nero-vm4.ifh.de:8443/CREAM106844330
****** JobID=[https://nero-vm4.ifh.de:8443/CREAM106844330]
Status = [DONE-FAILED]
ExitCode = [N/A]
FailureReason = [Cannot move ISB (retry_copy ${globus_transfer_cmd} gsiftp://nero-vm4.ifh.de/var/cream_sandbox/dteam/CN_Andreas_Haupt_OU_DESY_O_GermanGrid_dteam_Role_NULL_Capability_NULL_dteam029/10/CREAM106844330/ISB/test.sh file:///home/dteam029/home_cream_106844330/CREAM106844330/test.sh): error: globus_ftp_control: gss_init_sec_context failedglobus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshakeOpenSSL Error: s3_clnt.c:2985: in library: SSL routines, function SSL3_SEND_CLIENT_VERIFY: EVP libOpenSSL Error: rsa_sign.c:127: in library: rsa routines, function RSA_sign: digest too big for rsa key; reason=1; Cannot move ISB (retry_copy ${globus_transfer_cmd} gsiftp://nero-vm4.ifh.de/var/cream_sandbox/dteam/CN_Andreas_Haupt_OU_DESY_O_GermanGrid_dteam_Role_NULL_Capability_NULL_dteam029/10/CREAM106844330/ISB/test.sh file:///home/dteam029/home_cream_106844330/CREAM106844330/test.sh): error: globus_ftp_control: gss_init_sec_context failed globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake OpenSSL Error: s3_clnt.c:2985: in library: SSL routines, function SSL3_SEND_CLIENT_VERIFY: EVP lib OpenSSL Error: rsa_sign.c:127: in library: rsa routines, function RSA_sign: digest too big for rsa key]

On the test worker node I still get a 512-bit proxy:

bash-4.1$ X509_USER_PROXY=`pwd`/cream_106844330.proxy voms-proxy-info -all
subject : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=proxy/CN=proxy/CN=limited proxy
issuer : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=proxy/CN=proxy
identity : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=proxy/CN=proxy
type : limited proxy
strength : 512 bits
path : /home/dteam029/home_cream_106844330/cream_106844330.proxy
timeleft : 11:49:12
key usage :
=== VO dteam extension information ===
VO : dteam
subject : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
issuer : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/NGI_DE/Role=NULL/Capability=NULL
timeleft : 11:50:30
uri : voms.hellasgrid.gr:15004

> It would be good news if we will not have to worry about client machines,
> but "only" the various WMS and what else?

Doesn't look like this - a WMS isn't even involved in my setup.

Cheers,
Andreas
--
| Andreas Haupt | E-Mail: [log in to unmask]
| DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216
|
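
The `strength` lines in the two `voms-proxy-info` outputs above tie directly to the `digest too big for rsa key` failure. The following is an added example, not part of the original message: it parses such output and works out which digests a PKCS#1 v1.5 signature can carry at that key size, the same length check that OpenSSL's `RSA_sign` applies. The function names and the 1024-bit policy threshold are assumptions.

```python
import re

# Size in bytes of the DER DigestInfo that PKCS#1 v1.5 signs (RFC 8017, 9.2):
# ASN.1 prefix length + digest length.
DIGEST_INFO_LEN = {"sha1": 15 + 20, "sha256": 19 + 32,
                   "sha384": 19 + 48, "sha512": 19 + 64}
PKCS1_V15_OVERHEAD = 11   # 0x00 0x01, at least eight 0xFF bytes, 0x00
MIN_BITS = 1024           # assumed policy threshold, not taken from the thread

# Constructed samples, abbreviated from the two outputs quoted in the message.
UI_PROXY = """\
subject : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=proxy
type : proxy
strength : 1024 bits
"""
WN_PROXY = """\
subject : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=proxy/CN=proxy/CN=limited proxy
type : limited proxy
strength : 512 bits
"""

def proxy_strength(info_text):
    """Return the key size in bits from `voms-proxy-info -all` output."""
    m = re.search(r"^strength\s*:\s*(\d+)\s*bits", info_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'strength' line found")
    return int(m.group(1))

def signable_digests(key_bits):
    """Digests whose DigestInfo plus minimum padding fits the RSA modulus."""
    room = (key_bits + 7) // 8 - PKCS1_V15_OVERHEAD
    return [name for name, size in DIGEST_INFO_LEN.items() if size <= room]

def audit(info_text):
    """Summarise one proxy: key size, policy verdict, digests that fit or not."""
    bits = proxy_strength(info_text)
    ok = signable_digests(bits)
    return {"bits": bits, "below_policy": bits < MIN_BITS, "signable": ok,
            "too_big": [n for n in DIGEST_INFO_LEN if n not in ok]}

if __name__ == "__main__":
    for name, text in (("UI", UI_PROXY), ("worker node", WN_PROXY)):
        print(name, audit(text))
```

A 512-bit key leaves 53 bytes for the DigestInfo, so SHA-384 and SHA-512 signatures cannot be produced with it, while a 1024-bit key has room for all four.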