Hi Mischa,

I'll just say a few words before I dig deeper, and perhaps it might
remind you of something. I'm using GSI_PEP_CALLOUT in an HTCondor-CE setup
on CentOS7. We use an ARGUS system. I'm using your argus test tool to
debug the setup (which doesn't work yet). I suspect NSS/Libcurl.
Part 1 : Running a job through HTCondor-CE that has to authenticate on
ARGUS:
In /var/log/messages, I see no activity on the ARGUS server. On the
HTCondor-CE client I see this:
Jan 2 16:26:17 hepgrid6 gsi_pep_callout[14917]: Authorizing DN
/C=UK/O=eScience/OU=Liverpool/L=CSD/CN=stephen jones
Jan 2 16:26:18 hepgrid6 gsi_pep_callout[14917]: argus_pep_callout:
gsi_pep_callout_error: Authorization error: Can not map
/C=UK/O=eScience/OU=Liverpool/L=CSD/CN=stephen jones to local
identity#012gsi_pep_callout_error: PEP client error: Failed to authorize
XACML request: Problem with the local SSL certificate
And on the HTCondor-CE client in the GSI_PEP_CALLOUT_DEBUGFILE, I see this:
* failed to load '/etc/grid-security/certificates/530f7122.r0' from
CURLOPT_CAPATH
* failed to load '/etc/grid-security/certificates/ffc3d59b.r0' from
CURLOPT_CAPATH
* CAfile: /etc/grid-security/hostcert.pem
CApath: /etc/grid-security/certificates
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
Part 2 : Using your tool.
Using the tool with PILOT_PROXY=/etc/grid-security/hostcert.pem, I again
get "unable to load client key: -8178 (SEC_ERROR_BAD_KEY)". No sign of
action on ARGUS server.
Using the tool with PILOT_PROXY=$X509_USER_PROXY, I see this:
DEBUG4:debug_xacml_response: response.result[0].decision= Not Applicable
I.e. it's getting through to the ARGUS server, but it says "Not Applicable".
Given all this information, where would you be looking to find out
what's up? And what is PILOT_PROXY supposed to be? A user proxy, some
random job proxy or the hostcert of the system or what?
Cheers in advance for any help,
Ste
--
Steve Jones
Grid System Administrator office: 220
High Energy Physics Division tel (int): 43396
Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396
University of Liverpool http://www.liv.ac.uk/physics/hep/