perfsonar-dev - Re: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar
- From: Herbert Monteiro <>
- To: Nina Jeliazkova <>
- Cc: "Niederberger, Ralph" <>, Cándido Rodríguez Montes <>, GN3 SA2 Task3 <>
- Subject: Re: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar
- Date: Fri, 18 Sep 2009 11:14:14 -0300
Hi Nina,
I'm getting the same error in RNP sasl ca. Recently I had problems with
an eduGAIN component (Bridging Element) that was using an expired
certificate.
If I see something similar in the RNP sasl ca I will let you know, also to help
with GIdP. I also expect a response from the sasl ca staff.
[]'s
2009/9/18 Nina Jeliazkova <>:
> Ralph, Cándido, All,
>
> I am getting SASL CA library exception when trying to use AA via
> perfsonarUI.
>
> The library itself hasn't changed since Oct 2007:
> sasl-ca-1.0.jar (hasn't changed since Oct 2007)
> perfsonar-base-1.0.20080924.jar (hasn't changed since Sep 2008)
>
> The default MDS used is https://mds.rediris.es:8443 . One of the GIdP
> retrieved and used below is gidp.geant2.net:4088
>
> java.security.PrivilegedActionException: java.io.IOException: error reading message - unable to find delimiter.
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.perfsonar.client.base.authn.saslca.SASLCAClient.getCertficate(Unknown Source)
> at org.perfsonar.perfsonarui.aa.AACertificate.retrieveCertificate(AACertificate.java:119)
> at org.perfsonar.perfsonarui.aa.AASupport.getCertificate(AASupport.java:72)
> at org.perfsonar.perfsonarui.aa.AAPerfsonarRequest.prepareEnvelope(AAPerfsonarRequest.java:66)
> at org.perfsonar.perfsonarui.AbstractMARequest.run(AbstractMARequest.java:342)
> at org.perfsonar.perfsonarui.AbstractMARequest.makeRequest(AbstractMARequest.java:287)
> at org.perfsonar.perfsonarui.SmartMARequest.makeRequest(SmartMARequest.java:295)
> at org.perfsonar.perfsonarui.ma.MAPerfsonarModel$1.makeRequest(MAPerfsonarModel.java:268)
> at org.perfsonar.perfsonarui.ma.ui.actions.SetupDataRetrieveAllAction.run(SetupDataRetrieveAllAction.java:96)
> at org.perfsonar.perfsonarui.ui.actions.PerfsonarRequestAction$1.construct(PerfsonarRequestAction.java:127)
> at org.perfsonar.perfsonarui.ui.actions.GUIWorker$2.run(GUIWorker.java:83)
> at java.lang.Thread.run(Thread.java:595)
> Caused by: java.io.IOException: error reading message - unable to find delimiter.
> at edu.psu.sasl_ca.ProtocolHandler.readMsg(ProtocolHandler.java:304)
> at edu.psu.sasl_ca.ClientProtocolHandler.authenticateUser(ClientProtocolHandler.java:425)
> at edu.psu.sasl_ca.ClientProtocolHandler.run(ClientProtocolHandler.java:977)
> at edu.psu.sasl_ca.ClientProtocolHandler.run(ClientProtocolHandler.java:134)
> ... 14 more
>
>
> The same error is received when replacing the perfsonar-base library with the
> latest available one from the jar repository (perfsonar-base-1.0.20090316.jar).
>
> The same error is received when replacing the sasl-ca jar with a new one,
> compiled from sources at
> https://svn.perfsonar.net/svn/perfsonar/branches/saslca . (Note the sasl-ca
> jar at the jars repository is from 10/31/2007, while the SVN of sasl-ca was
> last modified June 2008.)
>
> PerfsonarUI AA support was working fine for several years and I suppose
> something else has changed in the GIdP infrastructure, since the error is
> thrown regardless of the jars versions. Could anybody please help?
>
> Further debugging into SASL CA ClientProtocolHandler.java (lines
> 1019-1025)
>
>     try {
>         req = new CertificationRequest(pubKey, dn);
>     } catch (ASN1Exception asn1Ex) {
>         throw new ClientProtocolHandlerException("ASN.1 error while building CSR", asn1Ex);
>     } catch (InvalidKeyException ikEx) {
>         throw new ClientProtocolHandlerException("Key is invalid while building CSR", ikEx);
>     }
>
> and inspecting the content of "req" variable :
>
> PKCS#10 Certification Request:
> Subject: CN=edugain
> Algorithm: X.509 AlgorithmIdentifier 1.2.840.113549.1.1.1
> Key: Key algorithm not supported!
> Attributes: 0elements
>
> Hope this will help with the troubleshooting.
>
> Best regards,
> Nina
>
> Niederberger, Ralph wrote:
>
> Dear Nina,
>
> did you have the time to look into my AA problem?
>
> best regards
>
> Ralph
>
> ________________________________
>
> From: Nina Jeliazkova [mailto:]
> Sent: Wednesday, 9 September 2009 14:44
> To: Niederberger, Ralph
> Cc:
> Subject: Re: [perfsonar-user] Problems with Authentication within perfsonar
>
> Dear Ralph,
>
> I am traveling until 15 Sep and will take a look at perfsonarUI AA after
> returning. Sorry for the delay.
>
> Best regards,
> Nina
>
> Niederberger, Ralph wrote:
>
> Dear all,
>
> Has someone had the time to look into my problem with the authentication
> service?
>
> I reinstalled the AS and SQL-MA several times to be sure that I did not
> misconfigure something. The problem remains the same (see log below).
>
> Could the problem be related to the fact that my GIdP account is not set up
> correctly?
>
> The following is what is stored at GEANT2:
>
> =======================================================
> User ID: RNiederberger-dfn.de
> Name: Ralph Niederberger
> Display Name: RNiederberger
> Postal Address: Forschungszentrum Jülich
> Leo-Brand-Strasse
> Postal Code: 52425 Jülich
> Email:
> Telephone: 02461614772
> Fax: 02461-616656
> Organisation: Forschungszentrum Jülich
> Organisation Type:
> Position:
> Project Memberships:
> Project Specific Roles: Networkadmin
> Authorisation Attributes:
> Additional Information:
> Preferred Language:
> Account Status: activated
> ============================================================
>
> Any help would be really appreciated.
>
> Best regards
>
> Ralph
>
>
> =========== Log extract ==========
>
> 2009-09-09 13:32:16,281 [Load metadata and metrics] INFO net.geant.edugain.base.Configurator - custom configuration loaded
> 2009-09-09 13:32:16,578 [Load metadata and metrics] INFO net.geant.edugain.base.Configurator - keystore loaded: java.security.KeyStore@16e2b70
> 2009-09-09 13:32:16,578 [Load metadata and metrics] INFO net.geant.edugain.base.Configurator - keystore loaded: java.security.KeyStore@1e5d007
> 2009-09-09 13:32:17,156 [Load metadata and metrics] INFO net.geant.edugain.validation.Validator - default validator loaded
> 2009-09-09 13:32:17,156 [Load metadata and metrics] INFO net.geant.edugain.validation.Validator - certificate CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net issued by trusted CN=eduGAINSCA, DC=geant, DC=net
> 2009-09-09 13:32:17,250 [Load metadata and metrics] INFO net.geant.edugain.base.Configurator - expired CRL, successfully retrieved from http://sca.edugain.org/crl/cacrl.der
> 2009-09-09 13:32:17,250 [Load metadata and metrics] DEBUG net.geant.edugain.validation.Validator - validating subject alternative name: https://registry.edugain.org/resolver?urn=urn:geant:edugain:component:be:rediris:rediris.es
> 2009-09-09 13:32:17,250 [Load metadata and metrics] DEBUG net.geant.edugain.validation.Validator - validating subject alternative name: https://registry.edugain.org/resolver?urn=urn:geant:edugain:component:mds:rediris.es
> 2009-09-09 13:32:17,250 [Load metadata and metrics] DEBUG net.geant.edugain.base.Configurator - loading default valid components from C:\Dokumente und Einstellungen\ralph\ValidComponentsFile
> 2009-09-09 13:32:17,250 [Load metadata and metrics] WARN net.geant.edugain.base.Configurator - default valid components loaded. Note this is intended only for development purpouses and is an insecure behaviour!
> 2009-09-09 13:32:17,250 [Load metadata and metrics] INFO net.geant.edugain.validation.eduGAINComponentID - component identifier successfully decoded: urn:geant:edugain:component:mds:rediris.es
> 2009-09-09 13:32:17,250 [Load metadata and metrics] INFO net.geant.edugain.validation.Validator - valid component found while validating certificate CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net for component urn:geant:edugain:component:mds:rediris.es
> 2009-09-09 13:32:17,265 [Load metadata and metrics] INFO net.geant.edugain.base.SecureConnection - certificate for CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net was validated
> 2009-09-09 13:32:17,265 [Load metadata and metrics] INFO net.geant.edugain.base.SecureConnection - successfully connected to https://mds.rediris.es:8443
> 2009-09-09 13:32:17,593 [Load metadata and metrics] ERROR net.geant.edugain.meta.query.MetaDataUnmarshaller - HLPattern type not defined
>
> ================ end of log extract =========
>
>
> ***************************************************
> Ralph Niederberger
> Juelich Supercomputing Centre
> Institute for Advanced Simulation
>
> Phone: +49 2461 61-4772
> Fax: +49 2461 61-6656
> E-Mail:
> WWW: http://www.fz-juelich.de/jsc/
>
> JSC is the coordinator of the
> John von Neumann Institute for Computing
> and member of the
> Gauss Centre for Supercomputing
> ***************************************************
>
> Forschungszentrum Jülich GmbH
> 52425 Jülich
>
> Registered office: Jülich
> Registered in the commercial register of the Düren district court, No. HR B 3498
> Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
> Management: Prof. Dr. Achim Bachem (Chairman),
> Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
> Prof. Dr. Sebastian M. Schmidt
>
> ***************************************************
>
>
> -----Original Message-----
>
> From: Niederberger, Ralph [mailto:]
> Sent: Friday, 4 September 2009 09:40
> To:
> Subject: [perfsonar-user] Problems with Authentication within perfsonar
>
> Dear all,
>
> Using PerfsonarUI and specifying in Interfaces -> Query & search options -
> Options -> Request -> Enable authentication and authorization
>
> After having checked this box I have been asked for my GIdP. Specifying this
> and trying to access SQL-MA info from my DEISA measurement archive I get the
> following error:
>
> "Error code error.as.query Error description
> AADispatchSOAPProtocol.getAuthentication: General exception while retrieving
> report See the C:\Programme\PerfSONAR\PerfsonarUI-v0.15\bin\perfsonar.log
> file for further error details."
>
> Looking into the log file I see:
>
> -------------------------------------------------------------------
> 2009-09-04 09:23:05,578 [] INFO net.geant.edugain.base.Configurator - custom configuration loaded
> 2009-09-04 09:23:05,890 [] INFO net.geant.edugain.base.Configurator - keystore loaded: java.security.KeyStore@ad40a0
> 2009-09-04 09:23:05,890 [] INFO net.geant.edugain.base.Configurator - keystore loaded: java.security.KeyStore@6dd60e
> 2009-09-04 09:23:06,593 [] INFO net.geant.edugain.validation.Validator - default validator loaded
> 2009-09-04 09:23:06,609 [] INFO net.geant.edugain.validation.Validator - certificate CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net issued by trusted CN=eduGAINSCA, DC=geant, DC=net
> 2009-09-04 09:23:06,781 [] INFO net.geant.edugain.base.Configurator - expired CRL, successfully retrieved from http://sca.edugain.org/crl/cacrl.der
> 2009-09-04 09:23:06,781 [] DEBUG net.geant.edugain.validation.Validator - validating subject alternative name: https://registry.edugain.org/resolver?urn=urn:geant:edugain:component:be:rediris:rediris.es
> 2009-09-04 09:23:06,781 [] DEBUG net.geant.edugain.validation.Validator - validating subject alternative name: https://registry.edugain.org/resolver?urn=urn:geant:edugain:component:mds:rediris.es
> 2009-09-04 09:23:06,781 [] DEBUG net.geant.edugain.base.Configurator - loading default valid components from C:\Programme\PerfSONAR\PerfsonarUI-v0.15\bin\ValidComponentsFile
> 2009-09-04 09:23:06,781 [] WARN net.geant.edugain.base.Configurator - default valid components loaded. Note this is intended only for development purpouses and is an insecure behaviour!
> 2009-09-04 09:23:06,796 [] INFO net.geant.edugain.validation.eduGAINComponentID - component identifier successfully decoded: urn:geant:edugain:component:mds:rediris.es
> 2009-09-04 09:23:06,796 [] INFO net.geant.edugain.validation.Validator - valid component found while validating certificate CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net for component urn:geant:edugain:component:mds:rediris.es
> 2009-09-04 09:23:06,796 [] INFO net.geant.edugain.base.SecureConnection - certificate for CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net was validated
> 2009-09-04 09:23:06,796 [] INFO net.geant.edugain.base.SecureConnection - successfully connected to https://mds.rediris.es:8443
> 2009-09-04 09:23:07,203 [] ERROR net.geant.edugain.meta.query.MetaDataUnmarshaller - HLPattern type not defined
> --------------------------------------------------------
>
> Do you have any hints as to what is going wrong?
>
> Thanks in advance
>
> Ralph
>
--
------------------------------------------------
Herbert Monteiro Souza
Brasil - Bahia - Salvador
------------------------------------------------
NUPERC - Nucleus of Research
in Networks Computer
------------------------------------------------
RNP - Computing and Networking Research Group
------------------------------------------------
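Two conditions in the log extracts quoted in this thread are worth catching automatically in any perfSONAR/eduGAIN deployment, not only while chasing this particular failure: the validator reports an expired CRL and carries on, and `ValidComponentsFile` is loaded with a warning that the setting is development-only and insecure; the later `HLPattern type not defined` error is then the first visible symptom of the AA lookup failing. The Python script below is an added example written for this page, not code from the thread or from the perfSONAR or eduGAIN projects. It parses the `timestamp [thread] LEVEL logger - message` layout seen in the extracts, re-joins records that a mail client wrapped onto several lines, and emits one finding per matched rule. The rule ids, severities and notes are this example's own assumptions, and the sample log lines are copied from the 9 Sep 2009 extract in the thread.

```python
"""Log triage for eduGAIN/perfSONAR client logs (added example, not project code).

Assumptions: the record layout "timestamp [thread] LEVEL logger - message" is
taken from the extracts in the thread; RULES is this example's own reading of
what those messages mean for certificate validation.
"""
import re
from dataclasses import dataclass

# One record per line, e.g.
# 2009-09-09 13:32:17,250 [Load metadata and metrics] INFO net.geant... - message
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]*)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# (rule id, pattern on the message text, severity, defender-facing note).
# Rule ids and severities are assumptions made for this example.
RULES = [
    ("expired-crl", re.compile(r"\bexpired CRL\b"), "high",
     "revocation data is stale: the CRL is past its nextUpdate but validation went on"),
    ("dev-valid-components", re.compile(r"default valid components loaded"), "high",
     "ValidComponentsFile is in use; the log itself flags this as development-only and insecure"),
    ("metadata-unmarshal", re.compile(r"HLPattern type not defined"), "medium",
     "MDS metadata could not be unmarshalled, so the AA lookup will fail downstream"),
]


@dataclass
class Record:
    ts: str
    thread: str
    level: str
    logger: str
    msg: str


@dataclass
class Finding:
    rule: str
    severity: str
    ts: str
    logger: str
    note: str


def parse_records(text: str) -> list[Record]:
    """Parse log text into records.  A line without a timestamp is treated as a
    continuation of the previous record, which is how wrapped mail text arrives."""
    records: list[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(Record(**m.groupdict()))
        elif records:
            records[-1].msg += " " + line
    return records


def triage(text: str) -> list[Finding]:
    """Return one Finding per (record, rule) match, in log order."""
    findings: list[Finding] = []
    for rec in parse_records(text):
        for rule_id, pattern, severity, note in RULES:
            if pattern.search(rec.msg):
                findings.append(Finding(rule_id, severity, rec.ts, rec.logger, note))
    return findings


# Sample input copied from the 9 Sep 2009 extract in the thread, with the WARN
# record wrapped over three lines the way the mail client delivered it.
SAMPLE_LOG = """\
2009-09-09 13:32:17,250 [Load metadata and metrics] INFO net.geant.edugain.base.Configurator - expired CRL, successfully retrieved from http://sca.edugain.org/crl/cacrl.der
2009-09-09 13:32:17,250 [Load metadata and metrics] WARN net.geant.edugain.base.Configurator - default valid components loaded.
Note this is intended only for development purpouses and is an insecure
behaviour!
2009-09-09 13:32:17,265 [Load metadata and metrics] INFO net.geant.edugain.base.SecureConnection - successfully connected to https://mds.rediris.es:8443
2009-09-09 13:32:17,593 [Load metadata and metrics] ERROR net.geant.edugain.meta.query.MetaDataUnmarshaller - HLPattern type not defined
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.rule:22} {f.ts} {f.logger}: {f.note}")
```

Run stand-alone it prints one line per finding for the sample; in practice you would feed `triage` the full perfsonar.log named in the thread and treat every high-severity finding as a configuration defect to correct before trusting any AA result, since both the stale CRL and the development-only component list weaken the certificate validation that the rest of the exchange depends on.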
- Re: AW: [perfsonar-user] Problems with Authentication within perfsonar, Nina Jeliazkova, 09/18/2009
- Re: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar, Herbert Monteiro, 09/18/2009
- AW: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar, Niederberger, Ralph, 09/25/2009
- Re: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar, Candido Rodriguez Montes, 09/21/2009
- Re: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar, Herbert Monteiro, 09/18/2009