Hi Winnie, Daniela,

the default globus behaviour is described here:
http://toolkit.globus.org/toolkit/docs/6.0/gsic/admin/#idp36143376
Basically hasn't changed since GT3...

In summary, the lookup order:
1. value of the X509_CERT_DIR environment variable
2. $HOME/.globus/certificates
3. /etc/grid-security/certificates exists
4. $GLOBUS_LOCATION/share/certificates

Cheers,
Mischa

On Wed, May 27, 2015 at 03:33:41PM +0100, Daniela Bauer wrote:
> Hi Winnie,
>
> Are you sure it's not just because in one case X509_CERT_DIR is set and in
> the other it isn't ?
>
> Because as far as I can tell, it defaults to whatever is in .globus if that
> variable is unset - at least that's the case for my tarball UIs, your
> mileage might vary with a yum install. I don't see any difference between
> SL5 and SL6.
>
> Cheers,
> Daniela
>
>
> On 27 May 2015 at 14:32, Winnie Lacesso <[log in to unmask]>
> wrote:
>
> > Good afternoon!
> >
> > Some time ago I posted about not being able to submit to / query CREAM-CE
> > or ARC-CE from an emi-3 SL6 UI I built - two of them. From an Oxford emi-3
> > SL6 UI, I could. From an emi-3 SL5 UI I built, I could. Not from emi-3 SL6
> > UI. I thought I was building it wrong somehow.
> >
> > I think this is debugged. When I run certwizard (as I do now+then to
> > renew my or host certs), it creates ~/.globus/certificates
> >
> > If that directory exists, query / submit to CE from emi-3 SL6 UI fails.
> > For me. Can anyone else confirm/deny?
> >
> > Eg from Oxford-built emi-3 SL6 UI:
> > lacesso@pplxint8> voms-proxy-init --voms cms
> > Enter GRID pass phrase for this identity:
> > (snip)
> > lacesso@pplxint8> uberftp lcgce03.phy.bris.ac.uk pwd
> > 220 lcgce03.phy.bris.ac.uk GridFTP Server 6.38 (gcc64, 1382984154-83)
> > [Globus Toolkit 5.2.5] ready.
> > 230 User cms090 logged in.
> > /home/cms090
> >
> > Works great! Create empty dir called certificates & try again:
> >
> > lacesso@pplxint8> cd ~/.globus; mkdir certificates
> > lacesso@pplxint8> uberftp lcgce03.phy.bris.ac.uk pwd
> > 220 lcgce03.phy.bris.ac.uk GridFTP Server 6.38 (gcc64, 1382984154-83)
> > [Globus Toolkit 5.2.5] ready.
> > Failed to init security context
> > GSS Major Status: Authentication Failed
> > GSS Minor Status Error Chain:
> > globus_gsi_gssapi: SSLv3 handshake problems
> > OpenSSL Error: s3_clnt.c:1172: in library: SSL routines, function
> > SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> > globus_gsi_callback_module: Could not verify credential
> > globus_gsi_callback_module: Can't get the local trusted CA certificate:
> > Untrusted self-signed certificate in chain with hash 7ed47087
> >
> > Fascinating. Confirm non-existence of certificates dir = it works again:
> >
> > lacesso@pplxint8> rmdir certificates
> > lacesso@pplxint8> uberftp lcgce03.phy.bris.ac.uk pwd
> > 220 lcgce03.phy.bris.ac.uk GridFTP Server 6.38 (gcc64, 1382984154-83)
> > [Globus Toolkit 5.2.5] ready.
> > 230 User cms090 logged in.
> > /home/cms090
> >
> > Confirmed.
> > So I don't run certwizard on the Ox emi-3 SL6 UI, but on my own Bristol
> > workstation (which gets rsync'd nightly to main NFS server, automounts to
> > Bristol UI's both SL5 & SL6);
> > which explains why everything I tried before on Ox emi-3 SL6 UI worked:
> > there was no ~/.globus/certificates directory, just ~/.globus with my
> > usercert.pem & userkey.pem in it.
> >
> > At Bristol I deleted ~/.globus/certificates almost by accident a while ago
> > (& so the copy on main NFS server got deleted) & later found my SL6 emi-3
> > UI working; but didn't understand why. Then it broke again - puzzle!
> >
> > Today I ran certwizard this afternoon & by chance again tried my emi-3 SL6
> > UI - it didn't work. But I noticed certwizard created a fresh new
> > ~/.globus/certificates directory:
> >
> > phpwl@lcgbdii> pwd # never mind name, was site-bdii VM! now SL6 emi-3 UI
> > /users/phpwl/.globus
> > phpwl@lcgbdii> ls -ld certificates
> > drwxr-xr-x 2 phpwl users 4096 May 27 13:55 certificates/
> > phpwl@lcgbdii> uberftp lcgce04.phy.bris.ac.uk pwd
> > 220 lcgce04.phy.bris.ac.uk GridFTP Server 6.38 (gcc64, 1382984154-83)
> > [Globus Toolkit 5.2.5] ready.
> > Failed to init security context
> > GSS Major Status: Authentication Failed
> > GSS Minor Status Error Chain:
> > globus_gsi_gssapi: SSLv3 handshake problems
> > globus_gsi_callback_module: Could not verify credential
> > globus_gsi_callback_module: Error with signing policy
> > globus_gsi_callback_module: Error in OLD GAA code: Could not get policy
> > info: Minor status=201
> >
> > phpwl@lcgbdii> mv certificates certificates.made-by-certwizrd
> > phpwl@lcgbdii> uberftp lcgce04.phy.bris.ac.uk pwd
> > 220 lcgce04.phy.bris.ac.uk GridFTP Server 6.38 (gcc64, 1382984154-83)
> > [Globus Toolkit 5.2.5] ready.
> > 230 User cms090 logged in.
> > /home/cms090
> >
> > So existence of ~/.globus/certificates = Not work from emi-3 SL6 UI.
> > I would never knowingly create ~/.globus/certificates, but certwizard
> > creates it, causing my attempts from SL6 emi-3 UI to fail.
> >
> > Same not true on SL5 emi-3 UI (automounts same NFS home dir)
> > phpwl@lcgmon01> pwd # never mind name, used to be old APEL VM!
> > /users/phpwl/.globus
> > phpwl@lcgmon01> mv certificates.made-by-certwizrd certificates
> > phpwl@lcgmon01> uberftp lcgce04.phy.bris.ac.uk pwd
> > 220 lcgce04.phy.bris.ac.uk GridFTP Server 6.38 (gcc64, 1382984154-83)
> > [Globus Toolkit 5.2.5] ready.
> > 230 User cms090 logged in.
> > /home/cms090
> >
> > SL5 emi-3 UI not care if ~/.globus/certificates exists. SL6 emi-3 UI won't
> > work if it does. Can anyone else duplicate this?
> >
> > I bet it is probably documented somewhere: "you must have your
> > usercert.pem & userkey.pem in a directory ~/.globus, & if there's a
> > directory in there called 'certificates' (even if empty), then functions
> > from an emi-3 SL6 UI won't work."
> > I wonder where.
> >
> > Thanks very much to Maarten & Jens for their patience while I debugged
> > this.
> >
>
>
>
> --
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask]
> HEP Group/Physics Dep
> Imperial College
> London, SW7 2BW
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email [log in to unmask]
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
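
The lookup order summarised at the top of this message can be checked on a UI with a short script that reports which trusted-CA directory would be picked and whether it holds any CA files. This is an added example, not part of the original thread or of Globus itself; it assumes a candidate wins as soon as it exists as a directory (consistent with the empty-directory failure reported in the thread), and `SYSTEM_CERT_DIR`, `resolve_cert_dir` and `audit_cert_dir` are hypothetical names.

```shell
#!/bin/sh
# Added example: walk the trusted-CA directory lookup order from this message.
# Assumption: the first candidate that exists as a directory is used,
# whether or not it contains any CA files.

# Hypothetical override of the system-wide path, so the check can be tested.
SYSTEM_CERT_DIR="${SYSTEM_CERT_DIR:-/etc/grid-security/certificates}"

resolve_cert_dir() {
    for cand in \
        "${X509_CERT_DIR:-}" \
        "${HOME:+$HOME/.globus/certificates}" \
        "$SYSTEM_CERT_DIR" \
        "${GLOBUS_LOCATION:+$GLOBUS_LOCATION/share/certificates}"
    do
        if [ -n "$cand" ] && [ -d "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Returns 0 if every <hash>.0 CA file has a <hash>.signing_policy beside it,
# 1 if some policies are missing, 2 if the directory holds no CA files at all.
audit_cert_dir() {
    cdir=$1
    ca_count=0
    missing=0
    for ca in "$cdir"/*.0; do
        [ -e "$ca" ] || continue          # glob matched nothing
        ca_count=$((ca_count + 1))
        hash=$(basename "$ca" .0)
        if [ ! -e "$cdir/$hash.signing_policy" ]; then
            echo "WARN: $hash.0 has no $hash.signing_policy" >&2
            missing=$((missing + 1))
        fi
    done
    if [ "$ca_count" -eq 0 ]; then
        echo "FAIL: $cdir is selected but holds no CA certificates" >&2
        return 2
    fi
    [ "$missing" -eq 0 ] || return 1
    return 0
}

if picked=$(resolve_cert_dir); then
    echo "trusted CA directory: $picked"
    audit_cert_dir "$picked" || true
else
    echo "no trusted CA directory found"
fi
```

An empty `~/.globus/certificates` shadows the system directory under this order, so the audit returns 2 for it even when `/etc/grid-security/certificates` is fully populated.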