
Re: [Condor-users] Condor-G + Globus proxy delegation problem ( Unknown CA )




Hi Ian,

Yes, there is a signing_policy file, which I post below:

# ca-signing-policy.conf, see ca-signing-policy.doc for more information
#
# This is the configuration file describing the policy for what CAs are
# allowed to sign whoses certificates.
#
# This file is parsed from start to finish with a given CA and subject
# name.
# subject names may include the following wildcard characters:
#    *    Matches any number of characters.
#    ?    Matches any single character.
#
# CA names must be specified (no wildcards). Names containing whitespaces
# must be included in single quotes, e.g. 'Certification Authority'.
# Names must not contain new line symbols.
# The value of condition attribute is represented as a set of regular
# expressions. Each regular expression must be included in double quotes.
#
# This policy file dictates the following policy:
#   -The Globus CA can sign Globus certificates
#
# Format:
#------------------------------------------------------------------------
#  token type  | def.authority |                value
#--------------|---------------|-----------------------------------------
# EACL entry #1|

 access_id_CA      X509         '/O=Grid/OU=GlobusTest/OU=simpleCA-pc222771.corp.ad.emb/CN=Globus Simple CA'

 pos_rights        globus        CA:sign

 cond_subjects     globus       '"/O=Grid/OU=GlobusTest/OU=simpleCA-pc222771.corp.ad.emb/*"'

# end of EACL


The list of files that are available at $GLOBUS_LOCATION/share/certificates are:

globus@pc222771:~> ls -l $GLOBUS_LOCATION/share/certificates
total 20
-rw-r--r-- 1 root root  952 2008-12-02 14:08 7a6f0f62.0
-rw-r--r-- 1 root root 1357 2008-12-02 14:08 7a6f0f62.signing_policy
-rw-r--r-- 1 root root 2719 2008-12-02 14:08 globus-host-ssl.conf.7a6f0f62
-rw-r--r-- 1 root root 2830 2008-12-02 14:08 globus-user-ssl.conf.7a6f0f62
-rw-r--r-- 1 root root 1375 2008-12-02 14:08 grid-security.conf.7a6f0f62
globus@pc222771:~>

Seems to be according to the referred link.

Klaus



"Ian D. Alderman" <ialderman@xxxxxxxxxxxxxxxxxx>
Sent by: condor-users-bounces@xxxxxxxxxxx

18/02/2009 18:25
Please respond to: Condor-Users Mail List <condor-users@xxxxxxxxxxx>
To: Condor-Users Mail List <condor-users@xxxxxxxxxxx>
cc:
Subject: Re: [Condor-users] Condor-G + Globus proxy delegation problem ( Unknown CA )





(snip)
> The Condor Gridmanagerlog log file has some messages:
>
> ...
> 2/18 08:48:49 [4098] GAHP[4100] (stderr) ->  
> org.globus.common.ChainedIOException: Authentication failed [Caused  
> by: Failure unspecified at GSS-API level [Caused by: Unknown CA]]

(snip)

Klaus,

It looks like there's an authentication problem because the CA isn't  
recognized.

One idea: Do you have a signing_policy file?  It would be:
/sandbox/globus/latest/share/certificates/7a6f0f62.signing_policy

See also:

http://www.globus.org/toolkit/docs/latest-stable/security/gsic/pi/#id2537209

Cheers,

-Ian

--
===================================
Ian D. Alderman
office: 608.554.4605
main: 888.292.5320

Cycle Computing, LLC
Leader in Condor Grid Solutions
Enterprise Condor Support and Management Tools

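Added example, not part of the original thread and not Globus's own parser: a small check that reads the signing_policy entry posted above and tests whether a given CA is allowed to sign a given subject DN, following the wildcard rules stated in the file's comments. The subject DNs used in the checks are constructed for illustration, and the sketch assumes one token/authority/value triple per line, as in the posted file.

```python
import re
import shlex

# Policy entry copied from the post above (comment header omitted).
POLICY = """\
 access_id_CA      X509         '/O=Grid/OU=GlobusTest/OU=simpleCA-pc222771.corp.ad.emb/CN=Globus Simple CA'
 pos_rights        globus        CA:sign
 cond_subjects     globus       '"/O=Grid/OU=GlobusTest/OU=simpleCA-pc222771.corp.ad.emb/*"'
"""
CA_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-pc222771.corp.ad.emb/CN=Globus Simple CA"


def glob_to_regex(pattern):
    """Translate the file's wildcards: '*' = any run of characters, '?' = exactly one."""
    wild = {"*": ".*", "?": "."}
    body = "".join(wild.get(c, re.escape(c)) for c in pattern)
    return re.compile(body + r"\Z", re.S)


def parse_policy(text):
    """Return {ca_dn: [subject patterns]} for entries that grant CA:sign."""
    policy, ca, can_sign = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)      # honours the single-quoted value
        if len(fields) < 3:
            continue                    # malformed line: ignore, grant nothing
        token, _authority, value = fields[:3]
        if token == "access_id_CA":     # CA names are literal, no wildcards
            ca, can_sign = value, False
            policy.setdefault(ca, [])
        elif token == "pos_rights" and value == "CA:sign":
            can_sign = True
        elif token == "cond_subjects" and ca and can_sign:
            policy[ca] += shlex.split(value)   # each pattern is double-quoted
    return policy


def ca_may_sign(policy, ca_dn, subject_dn):
    """True only if ca_dn is listed exactly and subject_dn matches one of its patterns."""
    return any(glob_to_regex(p).match(subject_dn) for p in policy.get(ca_dn, []))


if __name__ == "__main__":
    pol = parse_policy(POLICY)
    # Constructed subject DNs, not taken from the thread.
    for dn in (CA_DN.rsplit("/", 1)[0] + "/CN=host/pc222771", "/O=Grid/OU=Other/CN=someone"):
        print(dn, "->", ca_may_sign(pol, CA_DN, dn))
```

A subject outside the cond_subjects pattern, or a CA DN that differs from access_id_CA by even one character, is rejected by this check.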