[gridshib-user] Problem with GridShibCA 0.6.0
Von Welch
vwelch at uiuc.edu
Tue Mar 25 23:58:48 CDT 2008
I believe I've tracked this down to a deployment goof on the
gridshib-ca in that it was using the wrong signing key.
Please get another credential from the CA, try again and let me know
if the problem persists.
Von
Tom Scavo wrote:
> Yes. If I delete the CA cert and its signing policy file, I get this
> error instead:
>
> C:\globus\test\ws-core-4.0.5>bin\globus-start-container
> 2008-03-25 18:10:11,676 ERROR container.GSIServiceThread
> [ServiceThread-1,process:141] Error processing request
> java.io.EOFException
> at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
> at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
> at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:122)
> at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:142)
> at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
> at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:98)
> at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
> Failed to obtain a list of services from 'https://10.0.0.209:8443/wsrf/services/
> ContainerRegistryService' service: ; nested exception is:
> org.globus.common.ChainedIOException: Authentication failed [Caused by:
> Failure unspecified at GSS-API level [Caused by: Unknown CA]]
>
>
> On Tue, Mar 25, 2008 at 6:18 PM, Von Welch <vwelch at uiuc.edu> wrote:
>> Are you sure the GS-CA certificate is installed in
>> /etc/grid-security/certificates (and has the right permissions)?
>>
>> http://gridshib.globus.org/downloads/gridshib-ca-cert.tar
>>
>> Von
>>
>>
>>
>> Tom Scavo wrote:
>> > Well, I just did a fresh install of ws-core-4.0.5 and tried again.
>> > Same error. (I'm just following the Quick Start.)
>> >
>> > Tom
>> >
>> > On Tue, Mar 25, 2008 at 5:34 PM, Von Welch <vwelch at uiuc.edu> wrote:
>> >> So this doesn't happen if you use a container that doesn't have
>> >> GS4GT installed?
>> >>
>> >> Von
>> >>
>> >>
>> >>
>> >> Tom Scavo wrote:
>> >> > On Tue, Mar 25, 2008 at 1:31 PM, Giulio Galiero <giulio.galiero at eng.it> wrote:
>> >> >> Contacting the SecurityContextEchoService through your gridshibecho client
>> >> >> results in the following error from the container logs:
>> >> >>
>> >> >> ERROR container.GSIServiceThread [ServiceThread-3,process:147] Error
>> >> >> processing request
>> >> >> Authentication failed. Caused by Failure unspecified at GSS-API level.
>> >> >> Caused by COM.claymoresystems.ptls.SSLThrewAlertException: Bad certificate
>> >> >> (The signature of 'DC=edu,DC=uiuc,DC=ncsa,DC=computer,O=Shibboleth
>> >> >> User,OU=https://idp.protectnetwork.org/protectnetwork-idp,CN=eng.it@idp.protectnetwork.org'
>> >> >> certificate does not match its issuer)
>> >> >
>> >> > I can replicate this error. When I try to start a secure container
>> >> > using a GridShib CA-issued EEC, I get the following:
>> >> >
>> >> > 2008-03-25 14:46:47,837 ERROR container.GSIServiceThread
>> >> > [ServiceThread-1,process:141] Error processing request
>> >> > java.io.EOFException
>> >> > at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)
>> >> > at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:60)
>> >> > at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:122)
>> >> > at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:142)
>> >> > at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
>> >> > at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:98)
>> >> > at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
>> >> > Failed to obtain a list of services from
>> >> > 'https://192.168.1.106:8443/wsrf/services/ContainerRegistryService'
>> >> > service: ; nested exception is:
>> >> > org.globus.common.ChainedIOException: Authentication failed [Caused by:
>> >> > Failure unspecified at GSS-API level [Caused by: Bad certificate (The
>> >> > signature of 'DC=edu,DC=uiuc,DC=ncsa,DC=computer,O=Shibboleth
>> >> > User,OU=https://idp.protectnetwork.org/protectnetwork-idp,CN=trscavo@idp.protectnetwork.org'
>> >> > certificate does not match its issuer)]]
>> >> >
>> >> > We had some problems with the GridShib CA cert since GS4GT v0.6.0
>> >> > Alpha was released, so I'm trying to think how that might be related.
>> >> >
>> >> > Tom
>> >> >
>> >>
>>
More information about the gridshib-user
mailing list