We're running sl6.9 and see the problem with trust anchors 1.88. As far
as I'm aware sl6.9 is just a normal update of the sl6 operating system
(we're running it everywhere where we haven't yet moved to CentOS7).

John

On 29/11/2017 17:09, Andrew Lahiff wrote:
>
> You're still running sl6.4? That's rather old now...
>
> ________________________________________
> From: Testbed Support for GridPP member institutes [[log in to unmask]] on behalf of sjones [[log in to unmask]]
> Sent: Wednesday, November 29, 2017 5:04 PM
> To: [log in to unmask]
> Subject: Re: We think trust anchors 1.88-1 breaks on SL6
>
> sl6.9 is an odd release. It's halfway to 7, or something. It's not
> typical.
>
> Try sl6.4
>
> Ste
>
> On 2017-11-29 16:38, Jensen, Jens (STFC,RAL,SC) wrote:
>> Just to follow up on this, I happened to be in a call with Mischa from
>> NIKHEF earlier today and we took some time after the call to discuss
>> this peculiar problem. Mischa says he can replicate the problem -
>> although he is not a member of a GridPP-hosted VO, he can contact the
>> VOMS server and trigger the error in the client.
>>
>> It seems to be due to an ancient BouncyCastle library (1.46) on SL6, as
>> Steve also mentioned in the call this morning.
>>
>> Unfortunately Mischa says it's not possible to backport a working BC
>> library because they make a lot of incompatible changes between
>> releases.
>>
>> Curiously, I just set up an SL6 (6.9) box in the cloud and I cannot
>> replicate the error. What am I missing? This is using Java 1.7.0 and
>> UMD3.
>>
>> [jj47@vm102 ~]$ rpm -qa|grep igtf
>> ca_policy_igtf-iota-1.88-1.noarch
>> ca_policy_igtf-slcs-1.88-1.noarch
>> ca_policy_igtf-classic-1.88-1.noarch
>> ca_policy_igtf-mics-1.88-1.noarch
>> [jj47@vm102 ~]$ rpm -qa|grep bouncy
>> bouncycastle-1.46-1.el6.noarch
>> bouncycastle-mail-1.46-2.el6.noarch
>> [jj47@vm102 ~]$ voms-proxy-destroy
>> [jj47@vm102 ~]$ voms-proxy-init3 -voms gridpp -vomses
>> /etc/vomses/gridpp-voms02.gridpp.ac.uk
>> Enter GRID pass phrase for this identity:
>> Contacting voms02.gridpp.ac.uk:15000
>> [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp"...
>> Remote VOMS server contacted succesfully.
>>
>>
>> Created proxy in /tmp/x509up_u500.
>>
>> Your proxy is valid until Thu Nov 30 04:24:25 GMT 2017
>> [jj47@vm102 ~]$ voms-proxy-destroy
>> [jj47@vm102 ~]$ voms-proxy-init3 -voms gridpp -vomses
>> /etc/vomses/gridpp-voms.gridpp.ac.uk
>> Enter GRID pass phrase for this identity:
>> Contacting voms.gridpp.ac.uk:15000
>> [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp"...
>> Remote VOMS server contacted succesfully.
>>
>>
>> Created proxy in /tmp/x509up_u500.
>>
>> Your proxy is valid until Thu Nov 30 04:24:52 GMT 2017
>> [jj47@vm102 ~]$ voms-proxy-destroy
>> [jj47@vm102 ~]$ voms-proxy-init3 -voms gridpp -vomses
>> /etc/vomses/gridpp-voms03.gridpp.ac.uk
>> Enter GRID pass phrase for this identity:
>> Contacting voms03.gridpp.ac.uk:15000
>> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk]
>> "gridpp"...
>> Remote VOMS server contacted succesfully.
>>
>>
>> Created proxy in /tmp/x509up_u500.
>>
>> Your proxy is valid until Thu Nov 30 04:29:27 GMT 2017
>>
>> [jj47@vm102 ~]$ voms-proxy-info -all
>> subject : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens sha2
>> jensen/CN=198921768
>> issuer : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens sha2 jensen
>> identity : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens sha2 jensen
>> type : RFC3820 compliant impersonation proxy
>> strength : 1024
>> path : /tmp/x509up_u500
>> timeleft : 11:53:48
>> key usage : Digital Signature, Key Encipherment, Data Encipherment
>> === VO gridpp extension information ===
>> VO : gridpp
>> subject : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens sha2 jensen
>> issuer :
>> /C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk
>> attribute : /gridpp/Role=NULL/Capability=NULL
>> timeleft : 11:53:48
>> uri : voms03.gridpp.ac.uk:15000