Content-Type: multipart/alternative;
References: <[log in to unmask]> <[log in to unmask]> <[log in to unmask]> <[log in to unmask]>
Message-ID: <[log in to unmask]>
Date: Thu, 7 Aug 2008 15:27:48 -0600
Reply-To: caGrid Users discussion Forum <[log in to unmask]>
Sender: caGrid Users discussion Forum <[log in to unmask]>
From: Ron Price <[log in to unmask]>
Subject: Re: user proxy needed to make secure container functional: why?
In-Reply-To: <[log in to unmask]>

Scott,

Comments in-line below:

> Can you look in your
> $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd file? If there is
> an entry like this:
>
> <parameter name="containerSecDesc" value="<path to global security
> descriptor>">
>

I didn't have an entry like you describe above on either of my nodes. So, I think that it is just using the security descriptor that I hand on the command line.

Thanks,
-Ron

> Either comment it out, delete it, or change it to be the location of where
> you put the security descriptor you created here:
>
> http://cagrid.org/wiki/Introduce:1.2:Tutorial:Phase6:SecurityDescriptor
>
> Scott
>
> *From:* caGrid Users discussion Forum [mailto:[log in to unmask]]
> *On Behalf Of *Ron Price
> *Sent:* Thursday, August 07, 2008 4:37 PM
> *To:* [log in to unmask]
> *Subject:* Re: user proxy needed to make secure container functional: why?
>
> Hello,
>
> Comments/questions in-line below:
>
> The error you are seeing (below) is indicative of a misconfigured server;
> the service is trying to make an outgoing connection which requires
> authentication, is not finding the server's credentials, and is so trying to
> fall back to looking for a proxy in the default location.
>
> Yes, I think this is exactly what is going on, although I don't know what
> is wrong with the server. I've been careful to follow cagrid documentation
> throughout the server installation and config. Since my security descriptor
> seems to be okay the only other thing that comes to mind is permissions on
> the host cert and key. Currently they are as the gaards ui left them:
>
> -rw-rw-r-- 1 globus globus 1180 Jul 31 11:14 host-cert.pem
> -rw------- 1 globus globus 887 Jul 31 11:14 host-key.pem
>
> Are those the right permissions?
>
> I'll look around with the -debug option on.
>
> -Ron
>
> Both of these errors are service side errors; your client credentials are
> fine. If they weren't you would have seen an error (during authentication)
> on the client before the service even tried to communicate with grid grouper
> (during authorization).
>
> Scott
>
> *From:* caGrid Users discussion Forum [mailto:[log in to unmask]]
> *On Behalf Of *Ron Price
> *Sent:* Thursday, August 07, 2008 3:52 PM
> *To:* [log in to unmask]
> *Subject:* user proxy needed to make secure container functional: why?
>
> Sorry for some duplicate content, I decided the subject of my previous
> emails was not accurate based off of my problem. Also, I've updated the
> error messages to more accurately reflect my problem. Please take a look.
>
> Hello,
>
> I've just finished adding security to several grid services using this
> tutorial http://cagrid.org/wiki/Introduce:1.2:Tutorial:Phase6.
> Everything seems to work, but in order to make things work I have to place
> a copy of my proxy in /tmp on the server side. The tutorial
> doesn't mention that I should have to do this and I looked around
> (programmers guide, faq and so on) and didn't find much. The error messages
> I was getting led me to sticking a copy of
> my proxy cert in /tmp. Maybe I have overlooked some sort of configuration.
>
> I'm programmatically obtaining a proxy on the client side then invoking my
> grid service. I've verified that the proxy I get
> on the client side has time left. Also, via grid grouper I've given myself
> access to the ZipCode service.
> Here is the server side error:
>
> *2008-08-07 13:47:26,551 ERROR client.GridGrouper [ServiceThread-8,isMember:279] ; nested exception is:
>     GSSException: Defective credential detected [Caused by: Proxy file (/tmp/x509up_u700) not found.]
> AxisFault
>  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
>  faultSubcode:
>  faultString: GSSException: Defective credential detected [Caused by: Proxy file (/tmp/x509up_u700) not found.]
>  faultActor:
>  faultNode:
>  faultDetail:
>     {http://xml.apache.org/axis/}stackTrace:Defective credential detected. Caused by org.globus.gsi.GlobusCredentialException: Proxy file (/tmp/x509up_u700) not found.
>     at org.globus.gsi.GlobusCredential.<init>(GlobusCredential.java:102)
>     at org.globus.gsi.GlobusCredential.reloadDefaultCredential(GlobusCredential.java:544)
>     at org.globus.gsi.GlobusCredential.getDefaultCredential(GlobusCredential.java:529)
>     at org.globus.gsi.gssapi.GlobusGSSManagerImpl.createCredential(GlobusGSSManagerImpl.java:125)
>     at org.globus.gsi.gssapi.GlobusGSSManagerImpl.createCredential(GlobusGSSManagerImpl.java:66)
>     at org.globus.gsi.gssapi.GlobusGSSManagerImpl.createContext(GlobusGSSManagerImpl.java:263)
>     at org.globus.axis.transport.SSLContextHelper.init(SSLContextHelper.java:112)
>     at org.globus.axis.transport.SSLContextHelper.<init>(SSLContextHelper.java:60)
>     at org.globus.axis.transport.HTTPSSender.getSocket(HTTPSSender.java:43)
>     at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:397)
>     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>     at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>     at org.apache.axis.client.Call.invoke(Call.java:2710)
>     at org.apache.axis.client.Call.invoke(Call.java:2386)
>     at org.apache.axis.client.Call.invoke(Call.java:2309)
>     at org.apache.axis.client.Call.invoke(Call.java:1766)
>     at gov.nih.nci.cagrid.gridgrouper.stubs.bindings.GridGrouperPortTypeSOAPBindingStub.isMember(GridGrouperPortTypeSOAPBindingStub.java:3648)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClient.isMember(GridGrouperClient.java:726)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouper.isMember(GridGrouper.java:277)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClientUtils.isMember(GridGrouperClientUtils.java:62)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClientUtils.isMember(GridGrouperClientUtils.java:47)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClientUtils.isMember(GridGrouperClientUtils.java:52)
>     at utah.edu.phgrid.zipcode.service.globus.ZipCodeAuthorization.authorizeQuery(ZipCodeAuthorization.java:167)
>     at utah.edu.phgrid.zipcode.service.globus.ZipCodeAuthorization.isPermitted(ZipCodeAuthorization.java:221)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.intercept(ServiceAuthorizationChain.java:217)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:282)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:272)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:235)
>     at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(AuthorizationHandler.java:173)
>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
>     at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:676)
>     at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:397)
>     at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:151)
>     at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:302)
>
>     {http://xml.apache.org/axis/}hostname:phgrid2.chpc.utah.edu
>
> GSSException: Defective credential detected [Caused by: Proxy file (/tmp/x509up_u700) not found.]
>     at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
>     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>     at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>     at org.apache.axis.client.Call.invoke(Call.java:2710)
>     at org.apache.axis.client.Call.invoke(Call.java:2386)
>     at org.apache.axis.client.Call.invoke(Call.java:2309)
>     at org.apache.axis.client.Call.invoke(Call.java:1766)
>     at gov.nih.nci.cagrid.gridgrouper.stubs.bindings.GridGrouperPortTypeSOAPBindingStub.isMember(GridGrouperPortTypeSOAPBindingStub.java:3648)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClient.isMember(GridGrouperClient.java:726)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouper.isMember(GridGrouper.java:277)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClientUtils.isMember(GridGrouperClientUtils.java:62)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClientUtils.isMember(GridGrouperClientUtils.java:47)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClientUtils.isMember(GridGrouperClientUtils.java:52)
>     at utah.edu.phgrid.zipcode.service.globus.ZipCodeAuthorization.authorizeQuery(ZipCodeAuthorization.java:167)
>     at utah.edu.phgrid.zipcode.service.globus.ZipCodeAuthorization.isPermitted(ZipCodeAuthorization.java:221)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.intercept(ServiceAuthorizationChain.java:217)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:282)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:272)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:235)
>     at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(AuthorizationHandler.java:173)
>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
>     at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:676)
>     at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:397)
>     at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:151)
>     at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:302)
> Caused by: GSSException: Defective credential detected [Caused by: Proxy file (/tmp/x509up_u700) not found.]
>     at org.globus.gsi.gssapi.GlobusGSSManagerImpl.createCredential(GlobusGSSManagerImpl.java:130)
>     at org.globus.gsi.gssapi.GlobusGSSManagerImpl.createCredential(GlobusGSSManagerImpl.java:66)
>     at org.globus.gsi.gssapi.GlobusGSSManagerImpl.createContext(GlobusGSSManagerImpl.java:263)
>     at org.globus.axis.transport.SSLContextHelper.init(SSLContextHelper.java:112)
>     at org.globus.axis.transport.SSLContextHelper.<init>(SSLContextHelper.java:60)
>     at org.globus.axis.transport.HTTPSSender.getSocket(HTTPSSender.java:43)
>     at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:397)
>     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
>     ... 30 more
> edu.internet2.middleware.grouper.GrouperRuntimeException: GSSException: Defective credential detected [Caused by: Proxy file (/tmp/x509up_u700) not found.]
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouper.isMember(GridGrouper.java:280)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClientUtils.isMember(GridGrouperClientUtils.java:62)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClientUtils.isMember(GridGrouperClientUtils.java:47)
>     at gov.nih.nci.cagrid.gridgrouper.client.GridGrouperClientUtils.isMember(GridGrouperClientUtils.java:52)
>     at utah.edu.phgrid.zipcode.service.globus.ZipCodeAuthorization.authorizeQuery(ZipCodeAuthorization.java:167)
>     at utah.edu.phgrid.zipcode.service.globus.ZipCodeAuthorization.isPermitted(ZipCodeAuthorization.java:221)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.intercept(ServiceAuthorizationChain.java:217)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:282)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:272)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:235)
>     at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(AuthorizationHandler.java:173)
>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
>     at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:676)
>     at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:397)
>     at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:151)
>     at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:302)
> java.rmi.RemoteException: Error determining if caller is authorized to perform request
>     at utah.edu.phgrid.zipcode.service.globus.ZipCodeAuthorization.authorizeQuery(ZipCodeAuthorization.java:170)
>     at utah.edu.phgrid.zipcode.service.globus.ZipCodeAuthorization.isPermitted(ZipCodeAuthorization.java:221)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.intercept(ServiceAuthorizationChain.java:217)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:282)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:272)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:235)
>     at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(AuthorizationHandler.java:173)
>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
>     at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:676)
>     at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:397)
>     at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:151)
>     at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:302)
> 2008-08-07 13:47:26,565 WARN authorization.ServiceAuthorizationChain [ServiceThread-8,authorize:292] "/O=caBIG/OU=caGrid/OU=LOA1/OU=Dorian/CN=rprice" is not authorized to use operation: {http://zipcode.phgrid.edu.utah/ZipCode}query on this service
> *
> Here is the client side error:
>
> AxisFault
>  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
>  faultSubcode:
>  faultString: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/O=caBIG/OU=caGrid/OU=LOA1/OU=Dorian/CN=rprice" is not authorized to use operation: {http://zipcode.phgrid.edu.utah/ZipCode}query on this service
>  faultActor:
>  faultNode:
>  faultDetail:
>     {http://xml.apache.org/axis/}stackTrace:org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/O=caBIG/OU=caGrid/OU=LOA1/OU=Dorian/CN=rprice" is not authorized to use operation: {http://zipcode.phgrid.edu.utah/ZipCode}query on this service
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:301)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:272)
>     at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:235)
>     at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(AuthorizationHandler.java:173)
>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
>     at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:676)
>     at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:397)
>     at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:151)
>     at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:302)
>
>     {http://xml.apache.org/axis/}hostname:phgrid2.chpc.utah.edu
>
> org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/O=caBIG/OU=caGrid/OU=LOA1/OU=Dorian/CN=rprice" is not authorized to use operation: {http://zipcode.phgrid.edu.utah/ZipCode}query on this service
>     at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:221)
>     at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:128)
>     at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087)
>     at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
>     at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
>     at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
>     at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
>     at javax.xml.parsers.SAXParser.parse(Unknown Source)
>     at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:227)
>     at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:645)
>     at org.apache.axis.Message.getSOAPEnvelope(Message.java:424)
>     at org.apache.axis.message.addressing.handler.AddressingHandler.processClientResponse(AddressingHandler.java:305)
>     at org.apache.axis.message.addressing.handler.AddressingHandler.invoke(AddressingHandler.java:110)
>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:190)
>     at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>     at org.apache.axis.client.Call.invoke(Call.java:2710)
>     at org.apache.axis.client.Call.invoke(Call.java:2386)
>     at org.apache.axis.client.Call.invoke(Call.java:2309)
>     at org.apache.axis.client.Call.invoke(Call.java:1766)
>     at utah.edu.phgrid.zipcode.stubs.bindings.ZipCodePortTypeSOAPBindingStub.query(ZipCodePortTypeSOAPBindingStub.java:1416)
>     at utah.edu.phgrid.zipcode.client.ZipCodeClient.query(ZipCodeClient.java:158)
>     at utah.edu.phgrid.zipcode.client.ZipCodeClient.main(ZipCodeClient.java:112)
> *
>
> *So, if I place a copy of my grid proxy in /tmp/x509up_u700 on the server
> side everything is fine. Why?
>
> *
> *
> --
> Thanks,
>
> Ron Price
> 801.560.2305
>
> --
> Thanks,
>
> Ron Price
> 801.560.2305
>
> --
> Thanks,
>
> Ron Price
> 801.560.2305
>

--
Thanks,

Ron Price
801.560.2305
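
The three things checked in this thread (an active containerSecDesc entry in server-config.wsdd, the modes on the host certificate and key, and the default-location proxy the container falls back to), collected as an added shell example that is not part of the original messages. The function names, the argument layout and the permission policy (key inaccessible to group and other, certificate not writable by group or other) are assumptions of this example; the thread does not state the correct modes.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the permission policy
# are assumptions. Usage: audit WSDD HOST_CERT HOST_KEY CONTAINER_UID [TMPDIR]

# Print a wsdd file with XML comments removed, so a commented-out entry is ignored.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_c) {
                i = index(line, "-->")
                if (i == 0) break
                line = substr(line, i + 3); in_c = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); in_c = 1
            }
        }
        print out
    }' "$1"
}

# Print the active containerSecDesc value from server-config.wsdd (empty if none).
# Assumes name= and value= sit on one line, as in the entry quoted in the thread.
container_sec_desc() {
    strip_xml_comments "$1" |
        sed -n 's/.*name="containerSecDesc"[^>]*value="\([^"]*\)".*/\1/p' | head -n 1
}

# Mode string as printed by `ls -l`, e.g. "-rw-------".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Private key policy: no permission bits at all for group or other.
key_mode_ok() {
    case "$1" in -???------) return 0 ;; *) return 1 ;; esac
}

# Certificate policy: readable by anyone, writable only by the owner.
cert_mode_ok() {
    case "$1" in -????-??-?) return 0 ;; *) return 1 ;; esac
}

# Default proxy location named in the stack trace: <tmpdir>/x509up_u<uid>.
fallback_proxy() { printf '%s/x509up_u%s\n' "${2:-/tmp}" "$1"; }

# Print findings; the return status is the number of FAIL lines.
audit() {
    n=0
    desc=$(container_sec_desc "$1")
    if [ -z "$desc" ]; then
        echo "INFO: no active containerSecDesc in $1 (descriptor must be given at startup)"
    elif [ ! -r "$desc" ]; then
        echo "FAIL: containerSecDesc points at an unreadable file: $desc"; n=$((n + 1))
    fi
    cert_mode_ok "$(mode_of "$2")" ||
        { echo "FAIL: $2 is writable by group or other: $(mode_of "$2")"; n=$((n + 1)); }
    key_mode_ok "$(mode_of "$3")" ||
        { echo "FAIL: $3 is accessible to group or other: $(mode_of "$3")"; n=$((n + 1)); }
    p=$(fallback_proxy "$4" "$5")
    [ ! -e "$p" ] ||
        { echo "FAIL: user proxy at $p; outgoing calls would use that user's identity"; n=$((n + 1)); }
    return "$n"
}
```
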