[gridshib-user] Problem with GridShibCA 0.6.0
Tom Scavo
trscavo at gmail.com
Tue Mar 25 18:12:54 CDT 2008
Yes. If I delete the CA cert and its signing policy file, I get this
error instead:

C:\globus\test\ws-core-4.0.5>bin\globus-start-container
2008-03-25 18:10:11,676 ERROR container.GSIServiceThread [ServiceThread-1,process:141] Error processing request
java.io.EOFException
    at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
    at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
    at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:122)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:142)
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
    at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:98)
    at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
Failed to obtain a list of services from 'https://10.0.0.209:8443/wsrf/services/ContainerRegistryService' service: ; nested exception is:
org.globus.common.ChainedIOException: Authentication failed [Caused by:
Failure unspecified at GSS-API level [Caused by: Unknown CA]]

On Tue, Mar 25, 2008 at 6:18 PM, Von Welch <vwelch at uiuc.edu> wrote:
> Are you sure the GS-CA certificate is installed in
> /etc/grid-security/certificates (and has the right permissions)?
>
> http://gridshib.globus.org/downloads/gridshib-ca-cert.tar
>
> Von
>
>
>
> Tom Scavo wrote:
> > Well, I just did a fresh install of ws-core-4.0.5 and tried again.
> > Same error. (I'm just following the Quick Start.)
> >
> > Tom
> >
> > On Tue, Mar 25, 2008 at 5:34 PM, Von Welch <vwelch at uiuc.edu> wrote:
> >> So this doesn't happen if you use a container that doesn't have
> >> GS4GT installed?
> >>
> >> Von
> >>
> >>
> >>
> >> Tom Scavo wrote:
> >> > On Tue, Mar 25, 2008 at 1:31 PM, Giulio Galiero <giulio.galiero at eng.it> wrote:
> >> >> Contacting the SecurityContextEchoService through your gridshibecho client
> >> >> results in the following error from the container logs:
> >> >>
> >> >> ERROR container.GSIServiceThread [ServiceThread-3,process:147] Error
> >> >> processing request
> >> >> Authentication failed. Caused by Failure unspecified at GSS-API level.
> >> >> Caused by COM.claymoresystems.ptls.SSLThrewAlertException: Bad certificate
> >> >> (The signature of 'DC=edu,DC=uiuc,DC=ncsa,DC=computer,O=Shibboleth
> >> >> User,OU=https://idp.protectnetwork.org/protectnetwork-idp,CN=eng.it@idp.protectnetwork.org'
> >> >> certificate does not match its issuer)
> >> >
> >> > I can replicate this error. When I try to start a secure container
> >> > using a GridShib CA-issued EEC, I get the following:
> >> >
> >> > 2008-03-25 14:46:47,837 ERROR container.GSIServiceThread
> >> > [ServiceThread-1,process:141] Error processing request
> >> > java.io.EOFException
> >> >     at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
> >> >     at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
> >> >     at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:122)
> >> >     at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:142)
> >> >     at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
> >> >     at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:98)
> >> >     at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
> >> > Failed to obtain a list of services from
> >> > 'https://192.168.1.106:8443/wsrf/services/ContainerRegistryService'
> >> > service: ; nested exception is:
> >> > org.globus.common.ChainedIOException: Authentication failed [Caused by:
> >> > Failure unspecified at GSS-API level [Caused by: Bad certificate (The
> >> > signature of 'DC=edu,DC=uiuc,DC=ncsa,DC=computer,O=Shibboleth
> >> > User,OU=https://idp.protectnetwork.org/protectnetwork-idp,CN=trscavo@idp.protectnetwork.org'
> >> > certificate does not match its issuer)]]
> >> >
> >> > We had some problems with the GridShib CA cert since GS4GT v0.6.0
> >> > Alpha was released, so I'm trying to think how that might be related.
> >> >
> >> > Tom
> >> >
> >>
>