perfsonar-dev - Re: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar

Re: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar


  • From: Candido Rodriguez Montes <>
  • To: Nina Jeliazkova <>
  • Cc: "Niederberger, Ralph" <>, GN3 SA2 Task3 <>
  • Subject: Re: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar
  • Date: Mon, 21 Sep 2009 12:03:41 +0200

Hi Nina,
I'm afraid that there is a problem in the SASL CA of the GIdP. It seems that the digital certificate of that SASL CA has expired (it had a one year validity), so every certificate issued by the SASL CA is not valid. Checking the certificate in the eduGAIN PKI, I can see that the certificate expired last June, and that's something I told someone at Dante at the beginning of that month.

Regards

On Sep 18, 2009, at 10:30 AM, Nina Jeliazkova wrote:

Ralph, Cándido, All,

I am getting a SASL CA library exception when trying to use AA via perfsonarUI.

The library itself hasn't changed since Oct 2007: 
sasl-ca-1.0.jar  (hasn't changed since Oct 2007)
perfsonar-base-1.0.20080924.jar (hasn't changed since Sep 2008)

The default MDS used is https://mds.rediris.es:8443. One of the GIdPs retrieved and used below is gidp.geant2.net:4088:

java.security.PrivilegedActionException: java.io.IOException: error reading message - unable to find delimiter.
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.perfsonar.client.base.authn.saslca.SASLCAClient.getCertficate(Unknown Source)
    at org.perfsonar.perfsonarui.aa.AACertificate.retrieveCertificate(AACertificate.java:119)
    at org.perfsonar.perfsonarui.aa.AASupport.getCertificate(AASupport.java:72)
    at org.perfsonar.perfsonarui.aa.AAPerfsonarRequest.prepareEnvelope(AAPerfsonarRequest.java:66)
    at org.perfsonar.perfsonarui.AbstractMARequest.run(AbstractMARequest.java:342)
    at org.perfsonar.perfsonarui.AbstractMARequest.makeRequest(AbstractMARequest.java:287)
    at org.perfsonar.perfsonarui.SmartMARequest.makeRequest(SmartMARequest.java:295)
    at org.perfsonar.perfsonarui.ma.MAPerfsonarModel$1.makeRequest(MAPerfsonarModel.java:268)
    at org.perfsonar.perfsonarui.ma.ui.actions.SetupDataRetrieveAllAction.run(SetupDataRetrieveAllAction.java:96)
    at org.perfsonar.perfsonarui.ui.actions.PerfsonarRequestAction$1.construct(PerfsonarRequestAction.java:127)
    at org.perfsonar.perfsonarui.ui.actions.GUIWorker$2.run(GUIWorker.java:83)
    at java.lang.Thread.run(Thread.java:595)
Caused by: java.io.IOException: error reading message - unable to find delimiter.
    at edu.psu.sasl_ca.ProtocolHandler.readMsg(ProtocolHandler.java:304)
    at edu.psu.sasl_ca.ClientProtocolHandler.authenticateUser(ClientProtocolHandler.java:425)
    at edu.psu.sasl_ca.ClientProtocolHandler.run(ClientProtocolHandler.java:977)
    at edu.psu.sasl_ca.ClientProtocolHandler.run(ClientProtocolHandler.java:134)
    ... 14 more


The same error is received when replacing the perfsonar-base library with the latest available one from the jar repository (perfsonar-base-1.0.20090316.jar).

The same error is received when replacing the sasl-ca jar with a new one, compiled from sources at https://svn.perfsonar.net/svn/perfsonar/branches/saslca . (Note the sasl-ca jar at the jars repository is from 10/31/2007, while the SVN of sasl-ca has been last modified June 2008.)

PerfsonarUI AA support was working fine for several years and I suppose something else has changed in the GIdP infrastructure, since the error is thrown regardless of the jar versions. Could anybody please help?

Further debugging into SASL CA ClientProtocolHandler.java (lines 1019-1025)

    try {
        req = new CertificationRequest(pubKey, dn);
    } catch (ASN1Exception asn1Ex) {
        throw new ClientProtocolHandlerException("ASN.1 error while building CSR", asn1Ex);
    } catch (InvalidKeyException ikEx) {
        throw new ClientProtocolHandlerException("Key is invalid while building CSR", ikEx);
    }

and inspecting the content of the "req" variable:

PKCS#10 Certification Request:
Subject: CN=edugain
Algorithm: X.509 AlgorithmIdentifier 1.2.840.113549.1.1.1
Key: Key algorithm not supported!
Attributes: 0 elements

Hope this will help with the troubleshooting.

Best regards,
Nina

Niederberger, Ralph wrote:
Dear Nina,
 
did you have the time to look into my AA problem ?
 
best regards
 
Ralph
 

From: Nina Jeliazkova []
Sent: Wednesday, 9 September 2009 14:44
To: Niederberger, Ralph
Cc: 
Subject: Re: [perfsonar-user] Problems with Authentication within perfsonar
 
Dear Ralph,

I am traveling until 15 Sep and will take a look at perfsonarUI AA after returning.  Sorry for the delay.

Best regards,
Nina

Niederberger, Ralph wrote:
Dear all,
 
Has someone had the time to look into my problem with authentication
service?
 
I reinstalled the AS and SQL-MA several times to be sure that I did not
misconfigure something. The problem remains the same (see log below).
 
Could the problem be related to the fact that my GIdP account is not setup
correctly?
 
The following is what is stored at GEANT2: 
 
=======================================================
User ID:                             RNiederberger-dfn.de 
Name:                                Ralph Niederberger 
Display Name:                 RNiederberger 
Postal Address:                      Forschungszentrum Jülich
Leo-Brand-Strasse  
Postal Code:                  52425 Jülich 
Email:                                
Telephone:                           02461614772 
Fax:                                 02461-616656 
Organisation:                 Forschungszentrum Jülich 
Organisation Type:  
Position:  
Project Memberships:  
Project Specific Roles:       Networkadmin 
Authorisation Attributes:      
Additional Information:  
Preferred Language:  
Account Status:                      activated
============================================================
 
Any help would be really appreciated.
 
Best regards
 
Ralph
 
=========== Log extract ==========
2009-09-09 13:32:16,281 [Load metadata and metrics] INFO  
     net.geant.edugain.base.Configurator - custom configuration loaded
2009-09-09 13:32:16,578 [Load metadata and metrics] INFO  
     net.geant.edugain.base.Configurator - keystore loaded: 
     java.security.KeyStore@16e2b70
2009-09-09 13:32:16,578 [Load metadata and metrics] INFO  
     net.geant.edugain.base.Configurator - keystore loaded: 
     java.security.KeyStore@1e5d007
2009-09-09 13:32:17,156 [Load metadata and metrics] INFO  
     net.geant.edugain.validation.Validator - default validator loaded
2009-09-09 13:32:17,156 [Load metadata and metrics] INFO   
     net.geant.edugain.validation.Validator - certificate 
     CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net issued by trusted 
     CN=eduGAINSCA, DC=geant, DC=net
2009-09-09 13:32:17,250 [Load metadata and metrics] INFO  
     net.geant.edugain.base.Configurator - expired CRL, successfully 
     retrieved from http://sca.edugain.org/crl/cacrl.der
2009-09-09 13:32:17,250 [Load metadata and metrics] DEBUG  
     net.geant.edugain.validation.Validator - validating subject alternative
     name: https://registry.edugain.org/resolver?urn=urn:geant:edugain:
        component:be:rediris:rediris.es
2009-09-09 13:32:17,250 [Load metadata and metrics] DEBUG 
     net.geant.edugain.validation.Validator - validating subject alternative
     name: https://registry.edugain.org/resolver?urn=urn:geant:edugain:
     component:mds:rediris.es
2009-09-09 13:32:17,250 [Load metadata and metrics] DEBUG 
     net.geant.edugain.base.Configurator - loading default valid components 
     from C:\Dokumente und Einstellungen\ralph\ValidComponentsFile
2009-09-09 13:32:17,250 [Load metadata and metrics] WARN  
     net.geant.edugain.base.Configurator - default valid components loaded. 
     Note this is intended only for development purpouses and is an insecure
     behaviour!
2009-09-09 13:32:17,250 [Load metadata and metrics] INFO  
     net.geant.edugain.validation.eduGAINComponentID - component identifier 
     successfully decoded: urn:geant:edugain:component:mds:rediris.es
2009-09-09 13:32:17,250 [Load metadata and metrics] INFO  
     net.geant.edugain.validation.Validator - valid component found while 
     validating certificate CN=badulaque.rediris.es, O=FedIRIS, DC=geant, 
     DC=net for component urn:geant:edugain:component:mds:rediris.es
2009-09-09 13:32:17,265 [Load metadata and metrics] INFO  
     net.geant.edugain.base.SecureConnection - certificate for 
     CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net was validated
2009-09-09 13:32:17,265 [Load metadata and metrics] INFO  
     net.geant.edugain.base.SecureConnection - successfully connected to 
     https://mds.rediris.es:8443
2009-09-09 13:32:17,593 [Load metadata and metrics] ERROR 
     net.geant.edugain.meta.query.MetaDataUnmarshaller - HLPattern type not 
     defined
================ end of log extract =========
 
***************************************************
 Ralph Niederberger
 Juelich Supercomputing Centre
 Institute for Advanced Simulation
 
 Phone:  +49 2461 61-4772
 Fax:    +49 2461 61-6656
 E-Mail: 
 WWW:    http://www.fz-juelich.de/jsc/
 
 JSC is the coordinator of the
 John von Neumann Institute for Computing
 and member of the
 Gauss Centre for Supercomputing
***************************************************
 
 Forschungszentrum Jülich GmbH
 52425 Jülich
 
 Registered office: Jülich
 Registered in the commercial register of the Amtsgericht Düren, No. HR B 3498
 Chairwoman of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
 Management: Prof. Dr. Achim Bachem (Chairman),
 Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
 Prof. Dr. Sebastian M. Schmidt
 
***************************************************
 
  
-----Original Message-----
From: Niederberger, Ralph []
Sent: Friday, 4 September 2009 09:40
To: 
Subject: [perfsonar-user] Problems with Authentication within perfsonar
 
 
Dear all,
 
Using PerfsonarUI and specifying in Interfaces -> Query & search options -> Options -> Request -> Enable authentication and authorization
 
After having checked this box I have been asked for my GIdP. Specifying this and trying to access SQL-MA info from my DEISA measurement archive I get the following error:
 
 
"Error code error.as.query Error description AADispatchSOAPProtocol.getAuthentication: General exception while retrieving report See the C:\Programme\PerfSONAR\PerfsonarUI-v0.15\bin\perfsonar.log file for further error details."
 
Looking into the log file I see:
 
-------------------------------------------------------------------
2009-09-04 09:23:05,578 [] INFO  net.geant.edugain.base.Configurator -
custom configuration loaded
2009-09-04 09:23:05,890 [] INFO  net.geant.edugain.base.Configurator -
keystore loaded: java.security.KeyStore@ad40a0
2009-09-04 09:23:05,890 [] INFO  net.geant.edugain.base.Configurator -
keystore loaded: java.security.KeyStore@6dd60e
2009-09-04 09:23:06,593 [] INFO  net.geant.edugain.validation.Validator -
default validator loaded
2009-09-04 09:23:06,609 [] INFO  net.geant.edugain.validation.Validator -
certificate CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net issued by
trusted CN=eduGAINSCA, DC=geant, DC=net
2009-09-04 09:23:06,781 [] INFO  net.geant.edugain.base.Configurator -
expired CRL, successfully retrieved from
http://sca.edugain.org/crl/cacrl.der
2009-09-04 09:23:06,781 [] DEBUG net.geant.edugain.validation.Validator -
validating subject alternative name:
https://registry.edugain.org/resolver?urn=urn:geant:edugain:component:be:rediris:rediris.es
2009-09-04 09:23:06,781 [] DEBUG net.geant.edugain.validation.Validator -
validating subject alternative name:
https://registry.edugain.org/resolver?urn=urn:geant:edugain:component:mds:rediris.es
2009-09-04 09:23:06,781 [] DEBUG net.geant.edugain.base.Configurator -
loading default valid components from
C:\Programme\PerfSONAR\PerfsonarUI-v0.15\bin\ValidComponentsFile
2009-09-04 09:23:06,781 [] WARN  net.geant.edugain.base.Configurator -
default valid components loaded. Note this is intended only for
development
purpouses and is an insecure behaviour!
2009-09-04 09:23:06,796 [] INFO
net.geant.edugain.validation.eduGAINComponentID - component identifier
successfully decoded: urn:geant:edugain:component:mds:rediris.es
2009-09-04 09:23:06,796 [] INFO  net.geant.edugain.validation.Validator -
valid component found while validating certificate
CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net for component
urn:geant:edugain:component:mds:rediris.es
2009-09-04 09:23:06,796 [] INFO  net.geant.edugain.base.SecureConnection -
certificate for CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net was
validated
2009-09-04 09:23:06,796 [] INFO  net.geant.edugain.base.SecureConnection -
successfully connected to https://mds.rediris.es:8443
2009-09-04 09:23:07,203 [] ERROR
net.geant.edugain.meta.query.MetaDataUnmarshaller - HLPattern type not
defined
--------------------------------------------------------
 
Do you have any hints as to what is going wrong?
 
Thanks in advance
 
Ralph
 
    

 




--
Cándido Rodríguez Montes E-mail: 
Middleware warrior Tel:+34 955 05 66 13
Red.ES/RedIRIS
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN
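The failure Cándido diagnoses above (a one-year SASL CA certificate that expired, taking every certificate it issued with it) as an added Go example that is not part of this thread, of perfSONAR or of the SASL CA library: it builds a constructed CA whose validity window ended in June 2009 and a leaf it issued that is still in date, then shows that a plain per-certificate validity check names the CA rather than the leaf, and that standard chain verification rejects the leaf all the same. The CA name, serials and dates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template t with the parent's key; with parent == nil the certificate is self-signed (test helper).
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // fixed constructed templates: only a programming error gets here
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// FirstExpired walks a chain leaf-first and names the first certificate whose validity window excludes at ("" if none).
func FirstExpired(chain []*x509.Certificate, at time.Time) string {
	for _, c := range chain {
		if at.Before(c.NotBefore) || at.After(c.NotAfter) {
			return fmt.Sprintf("%s (valid %s to %s)", c.Subject.CommonName, c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"))
		}
	}
	return ""
}

// Demo builds a constructed one-year CA that expired in June 2009 and a leaf it issued that is still in date,
// then returns the pre-flight diagnosis and whether standard chain verification at checkTime rejects the leaf.
func Demo(checkTime time.Time) (string, bool) {
	day := func(y int, m time.Month) time.Time { return time.Date(y, m, 1, 0, 0, 0, 0, time.UTC) }
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example SASL CA"},
		NotBefore: day(2008, 6), NotAfter: day(2009, 6), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "edugain"},
		NotBefore: day(2009, 5), NotAfter: day(2010, 5), KeyUsage: x509.KeyUsageDigitalSignature}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: checkTime})
	return FirstExpired([]*x509.Certificate{leaf, ca}, checkTime), err != nil
}
```

Calling Demo with 18 September 2009 (the date of the report above) names the CA as the out-of-date certificate and reports the leaf as rejected; with 15 May 2009 both the diagnosis is empty and verification succeeds.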






