
perfsonar-user - AW: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar

Subject: perfSONAR User Q&A and Other Discussion

  • From: "Niederberger, Ralph" <>
  • To: "" <>
  • Cc: Cándido Rodríguez Montes <>, "" <>, "" <>, "GN3 SA2 Task3" <>, Nina Jeliazkova <>, "Herbert Monteiro" <>
  • Subject: AW: [pS-dev] Re: AW: [perfsonar-user] Problems with Authentication within perfsonar
  • Date: Fri, 25 Sep 2009 16:59:19 +0200
  • Accept-language: de-DE

Dear all,

As far as I understand, my problem seems to be related to an expired
certificate at GEANT2/GEANT3/DANTE/...

But who takes care of this? I have had this problem for more than three weeks.
I tested it this morning and it seems no one has made any effort yet.

Whom to contact for this?
As far as I know it takes only some minutes to reactivate a certificate (or
create a new one). (:((

Best regards

Ralph

***************************************************
Ralph Niederberger
Juelich Supercomputing Centre
Institute for Advanced Simulation

Phone: +49 2461 61-4772
Fax: +49 2461 61-6656
E-Mail:

WWW: http://www.fz-juelich.de/jsc/

JSC is the coordinator of the
John von Neumann Institute for Computing
and member of the
Gauss Centre for Supercomputing
***************************************************

Forschungszentrum Jülich GmbH
52425 Jülich

Registered office: Jülich
Registered in the commercial register of the Düren district court, No. HR B 3498
Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Board of Directors: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt

***************************************************


> -----Original Message-----
> From: Herbert Monteiro
> [mailto:]
> Sent: Friday, 18 September 2009 16:14
> To: Nina Jeliazkova
> Cc: Niederberger, Ralph; Cándido Rodríguez Montes; perfsonar-
> ;
>
> ;
> GN3 SA2 Task3
> Subject: Re: [pS-dev] Re: AW: [perfsonar-user] Problems with
> Authentication within perfsonar
>
> Hi Nina,
>
> I'm getting the same error in RNP sasl ca. Recently I had problems with
> an eduGAIN component (Bridging Element) which was using an expired
> certificate.
>
> If I can see something like in the RNP sasl ca I notice, also to help
> in GIdP. also expect a response from the staff sasl ca.
>
> []'s
>
> 2009/9/18 Nina Jeliazkova
> <>:
> > Ralph, Cándido, All,
> >
> > I am getting SASL CA library exception when trying to use AA via
> > perfsonarUI.
> >
> > The library itself hasn't changed since Oct 2007:
> > sasl-ca-1.0.jar  (hasn't changed since Oct 2007)
> > perfsonar-base-1.0.20080924.jar (hasn't changed since Sep 2008)
> >
> > The default MDS used  is https://mds.rediris.es:8443 .  One of the GIdP
> > retrieved and used below is gidp.geant2.net:4088
> >
> > java.security.PrivilegedActionException: java.io.IOException: error reading message - unable to find delimiter.
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at javax.security.auth.Subject.doAs(Subject.java:396)
> >     at org.perfsonar.client.base.authn.saslca.SASLCAClient.getCertficate(Unknown Source)
> >     at org.perfsonar.perfsonarui.aa.AACertificate.retrieveCertificate(AACertificate.java:119)
> >     at org.perfsonar.perfsonarui.aa.AASupport.getCertificate(AASupport.java:72)
> >     at org.perfsonar.perfsonarui.aa.AAPerfsonarRequest.prepareEnvelope(AAPerfsonarRequest.java:66)
> >     at org.perfsonar.perfsonarui.AbstractMARequest.run(AbstractMARequest.java:342)
> >     at org.perfsonar.perfsonarui.AbstractMARequest.makeRequest(AbstractMARequest.java:287)
> >     at org.perfsonar.perfsonarui.SmartMARequest.makeRequest(SmartMARequest.java:295)
> >     at org.perfsonar.perfsonarui.ma.MAPerfsonarModel$1.makeRequest(MAPerfsonarModel.java:268)
> >     at org.perfsonar.perfsonarui.ma.ui.actions.SetupDataRetrieveAllAction.run(SetupDataRetrieveAllAction.java:96)
> >     at org.perfsonar.perfsonarui.ui.actions.PerfsonarRequestAction$1.construct(PerfsonarRequestAction.java:127)
> >     at org.perfsonar.perfsonarui.ui.actions.GUIWorker$2.run(GUIWorker.java:83)
> >     at java.lang.Thread.run(Thread.java:595)
> > Caused by: java.io.IOException: error reading message - unable to find delimiter.
> >     at edu.psu.sasl_ca.ProtocolHandler.readMsg(ProtocolHandler.java:304)
> >     at edu.psu.sasl_ca.ClientProtocolHandler.authenticateUser(ClientProtocolHandler.java:425)
> >     at edu.psu.sasl_ca.ClientProtocolHandler.run(ClientProtocolHandler.java:977)
> >     at edu.psu.sasl_ca.ClientProtocolHandler.run(ClientProtocolHandler.java:134)
> >     ... 14 more
> >
> >
> > The same error is received when replacing perfsonar-base library with
> > the latest available one from jar repository
> > (perfsonar-base-1.0.20090316.jar).
> >
> > The same error is received when replacing sasl-ca jar with a new one,
> > compiled from sources at
> > https://svn.perfsonar.net/svn/perfsonar/branches/saslca . (Note the
> > sasl-ca jar at the jars repository is from 10/31/2007, while the SVN of
> > sasl-ca has been last modified June 2008.)
> >
> > PerfsonarUI AA support was working fine for several years and I suppose
> > something else has changed in the GIdP infrastructure, since the error
> > is thrown regardless of the jars versions.  Could anybody please help?
> >
> > Further debugging into SASL CA ClientProtocolHandler.java (lines
> > 1019-1025)
> >
> >     try {
> >         req = new CertificationRequest(pubKey, dn);
> >     } catch (ASN1Exception asn1Ex) {
> >         throw new ClientProtocolHandlerException("ASN.1 error while building CSR", asn1Ex);
> >     } catch (InvalidKeyException ikEx) {
> >         throw new ClientProtocolHandlerException("Key is invalid while building CSR", ikEx);
> >     }
> >
> > and inspecting the content of "req" variable :
> >
> > PKCS#10 Certification Request:
> > Subject: CN=edugain
> > Algorithm: X.509 AlgorithmIdentifier 1.2.840.113549.1.1.1
> > Key: Key algorithm not supported!
> > Attributes: 0elements
> >
> > Hope this will help with the troubleshooting.
> >
> > Best regards,
> > Nina
> >
> > Niederberger, Ralph wrote:
> >
> > Dear Nina,
> >
> >
> >
> > did you have the time to look into my AA problem ?
> >
> >
> >
> > best regards
> >
> >
> >
> > Ralph
> >
> >
> >
> > ________________________________
> >
> > From: Nina Jeliazkova
> > [mailto:]
> > Sent: Wednesday, 9 September 2009 14:44
> > To: Niederberger, Ralph
> > Cc:
> >
> > Subject: Re: [perfsonar-user] Problems with Authentication within perfsonar
> >
> >
> >
> > Dear Ralph,
> >
> > I am traveling until 15 Sep and will take a look at perfsonarUI AA after
> > returning.  Sorry for the delay.
> >
> > Best regards,
> > Nina
> >
> > Niederberger, Ralph wrote:
> >
> > Dear all,
> >
> >
> >
> > Has someone had the time to look into my problem with authentication
> >
> > service?
> >
> >
> >
> > I reinstalled the AS and SQL-MA several times to be sure that I did not
> >
> > misconfigure something. The problem remains the same (see log below).
> >
> >
> >
> > Could the problem be related to the fact that my GIdP account is not
> setup
> >
> > correctly?
> >
> >
> >
> > The following is what is stored at GEANT2:
> >
> >
> >
> > =======================================================
> >
> > User ID:                            RNiederberger-dfn.de
> >
> > Name:                               Ralph Niederberger
> >
> > Display Name:                 RNiederberger
> >
> > Postal Address:                      Forschungszentrum Jülich
> >
> > Leo-Brand-Strasse
> >
> > Postal Code:                  52425 Jülich
> >
> > Email:                              
> >
> >
> > Telephone:                           02461614772
> >
> > Fax:                                 02461-616656
> >
> > Organisation:                 Forschungszentrum Jülich
> >
> > Organisation Type:
> >
> > Position:
> >
> > Project Memberships:
> >
> > Project Specific Roles:       Networkadmin
> >
> > Authorisation Attributes:
> >
> > Additional Information:
> >
> > Preferred Language:
> >
> > Account Status:                      activated
> >
> > ============================================================
> >
> >
> >
> > Any help would be really appreciated.
> >
> >
> >
> > Best regards
> >
> >
> >
> > Ralph
> >
> >
> >
> > =========== Log extract ==========
> >
> > 2009-09-09 13:32:16,281 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.base.Configurator - custom configuration loaded
> >
> > 2009-09-09 13:32:16,578 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.base.Configurator - keystore loaded:
> >
> >      java.security.KeyStore@16e2b70
> >
> > 2009-09-09 13:32:16,578 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.base.Configurator - keystore loaded:
> >
> >      java.security.KeyStore@1e5d007
> >
> > 2009-09-09 13:32:17,156 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.validation.Validator - default validator loaded
> >
> > 2009-09-09 13:32:17,156 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.validation.Validator - certificate
> >
> >      CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net issued by
> trusted
> >
> >      CN=eduGAINSCA, DC=geant, DC=net
> >
> > 2009-09-09 13:32:17,250 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.base.Configurator - expired CRL, successfully
> >
> >      retrieved from http://sca.edugain.org/crl/cacrl.der
> >
> > 2009-09-09 13:32:17,250 [Load metadata and metrics] DEBUG
> >
> >      net.geant.edugain.validation.Validator - validating subject
> alternative
> >
> >
> >
> >      name: https://registry.edugain.org/resolver?urn=urn:geant:edugain:
> >
> >         component:be:rediris:rediris.es
> >
> > 2009-09-09 13:32:17,250 [Load metadata and metrics] DEBUG
> >
> >      net.geant.edugain.validation.Validator - validating subject
> alternative
> >
> >
> >
> >      name: https://registry.edugain.org/resolver?urn=urn:geant:edugain:
> >
> >      component:mds:rediris.es
> >
> > 2009-09-09 13:32:17,250 [Load metadata and metrics] DEBUG
> >
> >      net.geant.edugain.base.Configurator - loading default valid
> components
> >
> >      from C:\Dokumente und Einstellungen\ralph\ValidComponentsFile
> >
> > 2009-09-09 13:32:17,250 [Load metadata and metrics] WARN
> >
> >      net.geant.edugain.base.Configurator - default valid components
> loaded.
> >
> >      Note this is intended only for development purpouses and is an
> insecure
> >
> >
> >
> >      behaviour!
> >
> > 2009-09-09 13:32:17,250 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.validation.eduGAINComponentID - component
> identifier
> >
> >      successfully decoded: urn:geant:edugain:component:mds:rediris.es
> >
> > 2009-09-09 13:32:17,250 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.validation.Validator - valid component found
> while
> >
> >      validating certificate CN=badulaque.rediris.es, O=FedIRIS,
DC=geant,
> >
> >      DC=net for component urn:geant:edugain:component:mds:rediris.es
> >
> > 2009-09-09 13:32:17,265 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.base.SecureConnection - certificate for
> >
> >      CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net was validated
> >
> > 2009-09-09 13:32:17,265 [Load metadata and metrics] INFO
> >
> >      net.geant.edugain.base.SecureConnection - successfully connected to
> >
> >      https://mds.rediris.es:8443
> >
> > 2009-09-09 13:32:17,593 [Load metadata and metrics] ERROR
> >
> >      net.geant.edugain.meta.query.MetaDataUnmarshaller - HLPattern type
> not
> >
> >      defined
> >
> > ================ end of log extract =========
> >
> >
> >
> > ***************************************************
> >
> > Ralph Niederberger
> >
> > Juelich Supercomputing Centre
> >
> > Institute for Advanced Simulation
> >
> >
> >
> > Phone:  +49 2461 61-4772
> >
> > Fax:    +49 2461 61-6656
> >
> > E-Mail:
> >
> >
> > WWW:    http://www.fz-juelich.de/jsc/
> >
> >
> >
> > JSC is the coordinator of the
> >
> > John von Neumann Institute for Computing
> >
> > and member of the
> >
> > Gauss Centre for Supercomputing
> >
> > ***************************************************
> >
> >
> >
> > Forschungszentrum Jülich GmbH
> >
> > 52425 Jülich
> >
> >
> >
> > Registered office: Jülich
> >
> > Registered in the commercial register of the Düren district court, No. HR B 3498
> >
> > Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
> >
> > Board of Directors: Prof. Dr. Achim Bachem (Chairman),
> >
> > Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
> >
> > Prof. Dr. Sebastian M. Schmidt
> >
> >
> >
> > ***************************************************
> >
> >
> >
> >
> >
> > -----Original Message-----
> >
> > From: Niederberger, Ralph
> > [mailto:]
> >
> > Sent: Friday, 4 September 2009 09:40
> >
> > To:
> >
> >
> > Subject: [perfsonar-user] Problems with Authentication within perfsonar
> >
> >
> >
> >
> >
> > Dear all,
> >
> >
> >
> > Using PerfsonarUI and specifying in Interfaces -> Query & search options
> -
> >
> >
> >
> > Options -> Request -> Enable authentication and authorization
> >
> >
> >
> > After having checked this box I have been asked for my GIdP. Specifying
> >
> > this
> >
> > and trying to access SQL-MA info from my DEISA measurement archive I get
> >
> > the
> >
> > following error:
> >
> >
> >
> >
> >
> > "Error code error.as.query Error description
> >
> > AADispatchSOAPProtocol.getAuthentication: General exception while
> >
> > retrieving
> >
> > report See the C:\Programme\PerfSONAR\PerfsonarUI-
> v0.15\bin\perfsonar.log
> >
> > file for further error details."
> >
> >
> >
> > Looking into the log file I see:
> >
> >
> >
> > -------------------------------------------------------------------
> >
> > 2009-09-04 09:23:05,578 [] INFO  net.geant.edugain.base.Configurator -
> >
> > custom configuration loaded
> >
> > 2009-09-04 09:23:05,890 [] INFO  net.geant.edugain.base.Configurator -
> >
> > keystore loaded:
> > java.security.KeyStore@ad40a0
> >
> > 2009-09-04 09:23:05,890 [] INFO  net.geant.edugain.base.Configurator -
> >
> > keystore loaded:
> > java.security.KeyStore@6dd60e
> >
> > 2009-09-04 09:23:06,593 [] INFO  net.geant.edugain.validation.Validator
> -
> >
> > default validator loaded
> >
> > 2009-09-04 09:23:06,609 [] INFO  net.geant.edugain.validation.Validator
> -
> >
> > certificate CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net issued
> by
> >
> > trusted CN=eduGAINSCA, DC=geant, DC=net
> >
> > 2009-09-04 09:23:06,781 [] INFO  net.geant.edugain.base.Configurator -
> >
> > expired CRL, successfully retrieved from
> >
> > http://sca.edugain.org/crl/cacrl.der
> >
> > 2009-09-04 09:23:06,781 [] DEBUG net.geant.edugain.validation.Validator
> -
> >
> > validating subject alternative name:
> >
> >
> https://registry.edugain.org/resolver?urn=urn:geant:edugain:component:be:r
> >
> > ed
> >
> > iris:rediris.es
> >
> > 2009-09-04 09:23:06,781 [] DEBUG net.geant.edugain.validation.Validator
> -
> >
> > validating subject alternative name:
> >
> >
> https://registry.edugain.org/resolver?urn=urn:geant:edugain:component:mds:
> >
> > re
> >
> > diris.es
> >
> > 2009-09-04 09:23:06,781 [] DEBUG net.geant.edugain.base.Configurator -
> >
> > loading default valid components from
> >
> > C:\Programme\PerfSONAR\PerfsonarUI-v0.15\bin\ValidComponentsFile
> >
> > 2009-09-04 09:23:06,781 [] WARN  net.geant.edugain.base.Configurator -
> >
> > default valid components loaded. Note this is intended only for
> >
> > development
> >
> > purpouses and is an insecure behaviour!
> >
> > 2009-09-04 09:23:06,796 [] INFO
> >
> > net.geant.edugain.validation.eduGAINComponentID - component identifier
> >
> > successfully decoded: urn:geant:edugain:component:mds:rediris.es
> >
> > 2009-09-04 09:23:06,796 [] INFO  net.geant.edugain.validation.Validator
> -
> >
> > valid component found while validating certificate
> >
> >
> >
> > CN=badulaque.rediris.es,
> >
> >
> >
> > O=FedIRIS, DC=geant, DC=net for component
> >
> > urn:geant:edugain:component:mds:rediris.es
> >
> > 2009-09-04 09:23:06,796 [] INFO  net.geant.edugain.base.SecureConnection
> -
> >
> > certificate for CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net was
> >
> > validated
> >
> > 2009-09-04 09:23:06,796 [] INFO  net.geant.edugain.base.SecureConnection
> -
> >
> > successfully connected to https://mds.rediris.es:8443
> >
> > 2009-09-04 09:23:07,203 [] ERROR
> >
> > net.geant.edugain.meta.query.MetaDataUnmarshaller - HLPattern type not
> >
> > defined
> >
> > --------------------------------------------------------
> >
> >
> >
> > Do you have any hints what is going wrong?
> >
> >
> >
> > Thanks in advance
> >
> >
> >
> > Ralph
> >
> >
> >
> >
> >
> >
> >
>
>
>
> --
> ------------------------------------------------
> Herbert Monteiro Souza
> Brasil - Bahia - Salvador
> ------------------------------------------------
> NUPERC - Nucleus of Research
> in Networks Computer
> ------------------------------------------------
> RNP - Computing and Networking Research Group
> ------------------------------------------------

Attachment: smime.p7s
Description: S/MIME cryptographic signature
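
The log extracts quoted in this thread bury two trust-path signals among routine INFO lines: a CRL accepted although it had expired, and the development-only ValidComponentsFile being used for component validation. The following is an added example, not part of the thread and not perfSONAR or eduGAIN code: it re-joins the mail-wrapped log records and flags those signals plus any ERROR record. The function names `parse_records` and `triage` and the rule names are assumptions made for this illustration; the sample records are abridged from the log quoted above.

```python
import re

# Sample input: records abridged from the log extract quoted in the thread,
# kept wrapped over several lines so the reassembly step has work to do.
SAMPLE_LOG = """\
2009-09-04 09:23:06,609 [] INFO  net.geant.edugain.validation.Validator -
certificate CN=badulaque.rediris.es, O=FedIRIS, DC=geant, DC=net issued by
trusted CN=eduGAINSCA, DC=geant, DC=net
2009-09-04 09:23:06,781 [] INFO  net.geant.edugain.base.Configurator -
expired CRL, successfully retrieved from
http://sca.edugain.org/crl/cacrl.der
2009-09-04 09:23:06,781 [] WARN  net.geant.edugain.base.Configurator -
default valid components loaded. Note this is intended only for
development purpouses and is an insecure behaviour!
2009-09-04 09:23:06,796 [] INFO  net.geant.edugain.base.SecureConnection -
successfully connected to https://mds.rediris.es:8443
2009-09-04 09:23:07,203 [] ERROR
net.geant.edugain.meta.query.MetaDataUnmarshaller - HLPattern type not
defined
"""

RECORD_START = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(.*?)\] ?(\w+)\s*(.*)$")

# (finding name, pattern applied to the re-joined message text)
RULES = [
    ("stale-crl", re.compile(r"expired CRL.*retrieved from (\S+)")),
    ("dev-trust-list", re.compile(r"default valid components loaded")),
]

def parse_records(text):
    """Re-join wrapped lines into (timestamp, level, logger, message) tuples."""
    raw = []
    for line in map(str.strip, text.splitlines()):
        m = RECORD_START.match(line)
        if m:
            raw.append([m.group(1), m.group(3), m.group(4)])
        elif line and raw:
            raw[-1][2] += " " + line  # continuation of the previous record
    split = ((ts, lvl, rest.strip().partition(" - ")) for ts, lvl, rest in raw)
    return [(ts, lvl, p[0], p[2].strip()) for ts, lvl, p in split]

def triage(text):
    """Return (timestamp, finding, detail) for trust-relevant records and errors."""
    findings = []
    for ts, level, logger, message in parse_records(text):
        for name, pattern in RULES:
            m = pattern.search(message)
            if m:
                findings.append((ts, name, m.group(1) if m.groups() else logger))
        if level == "ERROR":
            findings.append((ts, "error", f"{logger}: {message}"))
    return findings
```

Note that the stale CRL is logged at INFO level, so a filter on WARN and above would miss it; the rule matches on message text for that reason.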



