[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Condor-G + Globus proxy delegation problem ( Unknown CA )

Hi Ian,

Yes there is a signing_policy file that I post below:

# ca-signing-policy.conf, see ca-signing-policy.doc for more information
# This is the configuration file describing the policy for what CAs are
# allowed to sign whoses certificates.
# This file is parsed from start to finish with a given CA and subject
# name.
# subject names may include the following wildcard characters:
#    *    Matches any number of characters.
#    ?    Matches any single character.
# CA names must be specified (no wildcards). Names containing whitespaces
# must be included in single quotes, e.g. 'Certification Authority'.
# Names must not contain new line symbols.
# The value of condition attribute is represented as a set of regular
# expressions. Each regular _expression_ must be included in double quotes.
# This policy file dictates the following policy:
#   -The Globus CA can sign Globus certificates
# Format:
#  token type  | def.authority |                value
# EACL entry #1|

 access_id_CA      X509         '/O=Grid/OU=GlobusTest/OU=simpleCA-pc222771.corp.ad.emb/CN=Globus Simple CA'

 pos_rights        globus        CA:sign

 cond_subjects     globus       '"/O=Grid/OU=GlobusTest/OU=simpleCA-pc222771.corp.ad.emb/*"'

# end of EACL

The list of files that are available at $GLOBUS_LOCATION/share/certificates are:

globus@pc222771:~> ls -l $GLOBUS_LOCATION/share/certificates
total 20
-rw-r--r-- 1 root root  952 2008-12-02 14:08 7a6f0f62.0
-rw-r--r-- 1 root root 1357 2008-12-02 14:08 7a6f0f62.signing_policy
-rw-r--r-- 1 root root 2719 2008-12-02 14:08 globus-host-ssl.conf.7a6f0f62
-rw-r--r-- 1 root root 2830 2008-12-02 14:08 globus-user-ssl.conf.7a6f0f62
-rw-r--r-- 1 root root 1375 2008-12-02 14:08 grid-security.conf.7a6f0f62

Seems to be according to the refered link.


"Ian D. Alderman" <ialderman@xxxxxxxxxxxxxxxxxx>
Sent by: condor-users-bounces@xxxxxxxxxxx

18/02/2009 18:25

Please respond to
Condor-Users Mail List <condor-users@xxxxxxxxxxx>

Condor-Users Mail List <condor-users@xxxxxxxxxxx>
Re: [Condor-users] Condor-G + Globus proxy delegation problem (        Unknown CA )

> The Condor Gridmanagerlog log file has some messages:
> ...
> 2/18 08:48:49 [4098] GAHP[4100] (stderr) ->  
> org.globus.common.ChainedIOException: Authentication failed [Caused  
> by: Failure unspecified at GSS-API level [Caused by: Unknown CA]]



It looks like there's an authentication problem because the CA isn't  

One idea: Do you have a signing_policy file?  It would be:

See also:




Ian D. Alderman
office: 608.554.4605
main: 888.292.5320

Cycle Computing, LLC
Leader in Condor Grid Solutions
Enterprise Condor Support and Management Tools

Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting

The archives can be found at:

This message is intended solely for the use of its addressee and may contain privileged or confidential information. If you are not the addressee you should not distribute, copy or file this message. In this case, please notify the sender and destroy its contents immediately.
Esta mensagem é para uso exclusivo de seu destinatário e pode conter informações privilegiadas e confidenciais. Se você não é o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste caso, por favor, notifique o remetente da mesma e destrua imediatamente a mensagem.