It's always like that... Now it's working.
Could it be that restarting the argus daemons is not equivalent to running "/etc/init.d/argus-pepd clearcache ; /etc/init.d/argus-pdp reloadpolicy" (which I just tried)?

Txs

From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On behalf of SCHAER Frederic
Sent: Friday 27 September 2013 18:22
To: [log in to unmask]
Subject: [PROVENANCE INTERNET] [LCG-ROLLOUT] argus configuration problems

Hi,

I hope someone can help me on this...
I'm attempting to configure a CREAM CE, with ARGUS enabled, using yaim.
I did get those up and running without argus, but with it configured the CREAM CE refuses to get any job or delegation with this error at submit time:

2013-09-27 17:59:17,745 FATAL - CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR not authorized for {http://www.gridsite.org/namespaces/delegation-2}getProxyReq

On the CREAM, the logs are:

27 Sep 2013 17:59:17,736 org.glite.ce.commonj.authz.axis2.AuthorizationHandler - request for OPERATION={http://www.gridsite.org/namespaces/delegation-2}getProxyReq; REMOTE_REQUEST_ADDRESS=192.54.206.17; USER_DN=CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR; USER_FQAN={ /vo.irfu.cea.fr/Role=NULL/Capability=NULL; }; NOT AUTHORIZED
27 Sep 2013 17:59:17,736 org.apache.axis2.engine.AxisEngine - Authorization error
org.apache.axis2.AxisFault: Authorization error
(blah blah)

I've tried many things, enabled debug logging for pepd/pdp/pap, without success.
I can only see in the pepd logs:

2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - A decision of Indeterminate was reached by https://pre7231.datagrid.cea.fr:8152/authz in response to request _4ea7ebd25f09d74db4839473b77372a7
2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - Processing obligations
2013-09-27 15:59:17.701Z - DEBUG [ObligationService] - Obligations in effect for this result: []
2013-09-27 15:59:17.701Z - INFO [protocol] - Complete hessian response Response{ results:[Result{ decision(2): Indeterminate, resourceId: http://datagrid.cea.fr/cream-pre7230, status: Status{ statusCode: StatusCode{ code: urn:oasis:names:tc:xacml:1.0:status:ok, subCode: null}, message: null}, obligations:[]}], request: Request{ subjects:[Subject{ category: urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, attributes:[Attribute{ id: http://glite.org/xacml/attribute/subject-issuer, dataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name, issuer: null, values:[CN=CNRS2,O=CNRS,C=FR, CN=CNRS2-Projets,O=CNRS,C=FR, CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR, CN=GRID2-FR,O=CNRS,C=FR]}, Attribute{ id: urn:oasis:names:tc:xacml:1.0:subject:key-info, dataType: http://www.w3.org/2001/XMLSchema#string, issuer: null, values:[-----BEGIN CERTIFICATE-----

I also increased logging to debug in the pdp, but actually nothing useful is logged except maybe this "syntax error":

2013-09-27 15:59:17.661Z - DEBUG [TargetMatcherImpl] - Matching with function: http://glite.org/xacml/algorithm/fqan-match
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Syntax error occurred.
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Target match resulted in: INDETERMINATE
2013-09-27 15:59:17.662Z - DEBUG [RuleFirstApplicableAlgorithm] - Evaluation of ae03359a-dd41-4fd9-b3cc-aae355e1d95e was: INDETERMINATE

My policy contains this for the VO in question:

resource "http://datagrid.cea.fr/cream-pre7230" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {
        rule permit {pfqan = "/vo.irfu.cea.fr/Role=NULL/Capability=NULL" }
        rule permit {pfqan = "/vo.irfu.cea.fr" }
    }
}

I loaded it with "pap-admin apf"

Would someone have an idea of what I did wrong?
I tried unsetting the env variable "GT_PROXY_MODE=old" on the UI, without success.
So now... I don't know what else to try to get something working? Any idea?

I've seen warnings about terena certificates, but AFAIK, I'm not using one.
I'm probably wrong in my policy, but... how/why?

Any help would be greatly appreciated :]

Thanks && regards
Frederic Schaer
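
An added example, not part of the original e-mails and not Argus code: a small script that pulls out of a PDP debug log every policy evaluation that ended INDETERMINATE, together with the match function and any syntax error logged just before it. It assumes the line layout quoted in the message above; the function name and the last two sample lines are constructed.

```python
import re

# Layout seen in the quoted PDP debug log:
# "<date> <time> - <LEVEL> [<Component>] - <message>"
LINE = re.compile(r"^(?P<ts>\S+ \S+) - (?P<level>\w+) \[(?P<comp>[^\]]+)\] - (?P<msg>.*)$")
MATCH_FN = re.compile(r"^Matching with function: (?P<fn>\S+)")
EVALUATION = re.compile(r"^Evaluation of (?P<id>\S+) was: (?P<result>\w+)")

def indeterminate_evaluations(lines):
    """Return one record per evaluation that ended INDETERMINATE, with the
    context logged since the previous evaluation line."""
    findings = []
    last_fn, syntax_error = None, False
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines, stack traces, blank lines
        msg = m["msg"]
        fn = MATCH_FN.match(msg)
        ev = EVALUATION.match(msg)
        if fn:
            last_fn = fn["fn"]
        elif msg.startswith("Syntax error occurred"):
            syntax_error = True
        elif ev:
            if ev["result"].upper() == "INDETERMINATE":
                findings.append({"timestamp": m["ts"], "policy_id": ev["id"],
                                 "match_function": last_fn,
                                 "syntax_error": syntax_error})
            last_fn, syntax_error = None, False  # start a new evaluation window
    return findings

# First four lines are the ones quoted in the message; the last two are
# constructed to show that a non-INDETERMINATE evaluation is not reported.
SAMPLE_LOG = """\
2013-09-27 15:59:17.661Z - DEBUG [TargetMatcherImpl] - Matching with function: http://glite.org/xacml/algorithm/fqan-match
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Syntax error occurred.
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Target match resulted in: INDETERMINATE
2013-09-27 15:59:17.662Z - DEBUG [RuleFirstApplicableAlgorithm] - Evaluation of ae03359a-dd41-4fd9-b3cc-aae355e1d95e was: INDETERMINATE
2013-09-27 15:59:18.100Z - DEBUG [TargetMatcherImpl] - Matching with function: http://glite.org/xacml/algorithm/fqan-match
2013-09-27 15:59:18.101Z - DEBUG [RuleFirstApplicableAlgorithm] - Evaluation of 00000000-0000-0000-0000-000000000000 was: PERMIT
""".splitlines()

if __name__ == "__main__":
    for f in indeterminate_evaluations(SAMPLE_LOG):
        print(f)
```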