Hi Christina, Maarten,

On Thu, 2013-12-19 at 12:29 +0100, [log in to unmask] wrote:
> > All involved nodes run with openssl-1.0.1e-16.el6_5.x86_64. Nevertheless
> > there are some "globus_ssl" libraries linked as well on my client:
[...]
> > Could that be an issue?
> probably.
> It was announced that a new version of Globus Toolkit, v. 5.2.5, solving
> some issues due to the same update of openssl
> (https://ggus.eu/ws/ticket_info.php?ticket=99406) is present now in
> EPEL-testing:
> https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-12307/
>
> " The update of globus-gssapi-gsi fixes the problems with the
> globus-gatekeeper that stopped working due to the openssl update from
> 1.0.0 to 1.0.1 when RHEL/CentOS/SL was updated from 6.4 to 6.5."

I investigated this problem a bit further - you're probably right with
your assumption! Looks like you don't need to update gridsite at all to
fix the obvious problem. When the client's proxy is delegated to the
CREAM instance, it is actually delegated twice. voms-proxy-info -all
shows this (look at the proxy subject with CN=proxy/CN=proxy):

subject : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=proxy/CN=proxy/CN=limited proxy
issuer : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=proxy/CN=proxy
identity : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=proxy/CN=proxy
type : limited proxy
strength : 1024 bits
path : /home/dteam029/home_cream_905069628/cream_905069628.proxy
timeleft : 11:35:54
key usage :
=== VO dteam extension information ===
VO : dteam
subject : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
issuer : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/NGI_DE/Role=NULL/Capability=NULL
timeleft : 11:37:16
uri : voms.hellasgrid.gr:15004

So even if your client delegates a 1024-bit proxy to CREAM, it gets
delegated another time inside CREAM - and this one is just 512-bit, no
matter if you updated gridsite or not!

It turns out all you have to do on the CREAM side is to update the
globus-* rpms from EPEL, as the UMD-2 packages do not contain the
openssl fixes yet. After that all jobs are provided with a 1024-bit
proxy - see my example above.

Shall I open a GGUS ticket to request a UMD-2 update with up-to-date
globus packages + gridsite? Here is the list of my rpms on the test CREAM
node which now provides correct proxies:

[root@nero-vm4 ~]# rpm -qa 'openssl*' 'globus*' 'gridsite*' | sort
globus-authz-2.2-8.el6.x86_64
globus-authz-callout-error-2.2-8.el6.x86_64
globus-callout-2.4-2.el6.x86_64
globus-common-14.10-2.el6.x86_64
globus-ftp-control-4.7-1.el6.x86_64
globus-gfork-3.2-1.el6.x86_64
globus-gridftp-server-6.38-1.el6.x86_64
globus-gridftp-server-control-2.10-1.el6.x86_64
globus-gridftp-server-progs-6.38-1.el6.x86_64
globus-gridmap-callout-error-1.2-9.el6.x86_64
globus-gsi-callback-4.6-2.el6.x86_64
globus-gsi-cert-utils-8.6-2.el6.x86_64
globus-gsi-credential-6.0-2.el6.x86_64
globus-gsi-openssl-error-2.1-10.el6.x86_64
globus-gsi-proxy-core-6.2-9.el6.x86_64
globus-gsi-proxy-ssl-4.1-10.el6.x86_64
globus-gsi-sysconfig-5.3-8.el6.x86_64
globus-gssapi-error-4.1-10.el6.x86_64
globus-gssapi-gsi-10.10-2.el6.x86_64
globus-gss-assist-9.0-1.el6.x86_64
globus-io-9.5-1.el6.x86_64
globus-openssl-module-3.3-2.el6.x86_64
globus-proxy-utils-5.2-1.el6.x86_64
globus-usage-3.1-2.el6.x86_64
globus-xio-3.6-2.el6.x86_64
globus-xio-gsi-driver-2.4-1.el6.x86_64
globus-xio-pipe-driver-2.2-1.el6.x86_64
gridsite-libs-1.7.25-1.emi2.el6.x86_64
openssl-1.0.1e-16.el6_5.x86_64
openssl-devel-1.0.1e-16.el6_5.x86_64

Cheers,
Andreas
--
| Andreas Haupt | E-Mail: [log in to unmask]
| DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216
|
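
The check described in the message above (read the `strength` line and the chain of `CN=proxy` components from `voms-proxy-info -all`), written out as an added example that is not part of the original message or of any Globus/VOMS tooling. The function names, the `MIN_BITS` threshold and the sample text are assumptions made for illustration; DN values containing `/` are not handled.

```python
import re

MIN_BITS = 1024  # assumption: the strength the message reports as correct
PROXY_CN = re.compile(r"^CN=(?:limited )?proxy$")  # legacy-style proxy RDNs only

# Constructed sample in the layout of `voms-proxy-info -all`; all values made up.
SAMPLE = """\
subject   : /O=ExampleGrid/OU=Site/CN=Jane Doe/CN=proxy/CN=proxy/CN=limited proxy
issuer    : /O=ExampleGrid/OU=Site/CN=Jane Doe/CN=proxy/CN=proxy
type      : limited proxy
strength  : 512 bits
timeleft  : 11:35:54
=== VO dteam extension information ===
VO        : dteam
subject   : /O=ExampleGrid/OU=Site/CN=Jane Doe
timeleft  : 11:37:16
"""

def parse_proxy_section(text):
    """Key/value pairs of the proxy itself, stopping before any '=== VO' block."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("==="):
            break  # VO sections reuse keys such as 'subject' and 'issuer'
        key, sep, value = line.partition(":")  # first colon only: keeps 11:35:54 whole
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields

def delegation_depth(subject):
    """Count trailing CN=proxy / CN=limited proxy components of the subject DN."""
    depth = 0
    for rdn in reversed(subject.strip("/").split("/")):
        if not PROXY_CN.match(rdn):
            break
        depth += 1
    return depth

def check_proxy(text, min_bits=MIN_BITS):
    """Summarise the proxy and flag it when its key is shorter than min_bits."""
    fields = parse_proxy_section(text)
    match = re.match(r"(\d+)\s*bits", fields.get("strength", ""))
    if match is None:
        raise ValueError("no 'strength' line in the proxy section")
    bits = int(match.group(1))
    return {"bits": bits, "weak": bits < min_bits,
            "depth": delegation_depth(fields.get("subject", "")),
            "type": fields.get("type", "")}

if __name__ == "__main__":
    print(check_proxy(SAMPLE))
```

Run inside a test job with the real command output passed to `check_proxy`, this reports whether the proxy the job actually received is still the short-key one after the packages on the CREAM node have been updated.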