Introduction
This guide contains advanced configuration information for system administrators working with C WS A&A. It provides references to information on procedures typically performed by system administrators, including installing, configuring, deploying, and testing the installation.
![[Important]](/docbook-images/important.gif) | Important |
|---|---|
C WS A&A is built, installed and deployed as part of C WS Core - which is part of a default GT installation. See Installing GT 4.2.1 for installation details. |
The main administration issues for this component deal with configuring credential-related settings. There are multiple mechanisms for doing this:
Security Descriptors (This is the preferred mechanism)
- Container Security Descriptor
- Service Security Descriptor
- CoG properties
- Environment variables
- Relying on default behavior. The only default behaviors available concern the proxy file and trusted certificates locations.
More information on these mechanisms can be found in the public interface guide.
Table of Contents
The GT4 C WS A&A component is currently installed as part of the GT4 C WS Core component. More information on installing this component can be found in the "Building and Installing" section of the Java WS Core Admin Guide.
Table of Contents
Configuration of service-side security settings can be achieved by using container or service security descriptor. Some of the security configuration, like the credential to use and trusted certificates location, can also be configured using CoG properties or rely on default location. The preferred way is to provide these settings in a security descriptor.
The next section provides details on the relevant properties. An overview of the syntax of security descriptors can be found in Java WS A&A Security Descriptor Framework. Available CoG security properties can be found in Chapter 2, Configuring
The following properties are relevant to authentication and message/transport security:
Table 2.1. Configuring server side authentication and message/transport security
| Number | Task | Descriptor Configuration | Alternate Configuration |
| 1 | Credentials | Container or service descriptor configuration |
If no explicit configuration is
found, the default proxy is read from
|
| 2 | Trusted Certificates | Container security descriptor configuration | CoG Configuration |
| 3 | Limited proxy policy configuration | Container or service descriptor configuration | None. |
| 4 | Replay Attack Window | Container or service descriptor configuration | None. |
| 5 | Replay Attack Filter | Container or service descriptor configuration | None. |
| 6 | Replay timer interval | Container descriptor configuration | None. |
| 7 | Context timer interval | Container descriptor configuration | None. |
The GT4 C WS A&A component is currently deployed as part of the GT4 C WS Core component.
Table of Contents
The Java security code currently does not enforce secure permissions and, implicitly, file ownership requirements on any of the security related files, e.g. configuration and credential files. It is thus important that administrators ensure that the relevant files have correct permissions and ownership. Permissions should generally be as restrictive as possible, i.e. private keys should be readable only by the file owner and other files should be writable by owner only, and the files should generally be owned by the globus user (the requirements that the C code enforces are documented in Configuring GSI).
Also refer to Section 5, “Known Problems” for details on any other open issues.
Table of Contents
Because this component is built on C WS Core, it uses the same sys admin logging, described below:
As of 4.2.1, the Globus Toolkit provides system administration logs that are CEDPs best practices compliant.
To enable CEDPS logging, pass the -log PATH parameter to the globus-wsc-container program.
For more details on the CEDPS Logging format, including descriptions of reserved name-value pairs, see http://cedps.net/index.php/LoggingBestPractices:
The sample log file contains many log entries for various scenarios in the C WS container.
Table of Contents
For a list of common errors in GT, see Error Codes.
Table 7.1. C WS A&A Errors
| Error Code | Definition | Possible Solutions |
|---|---|---|
ERROR: Couldn't read user key: Bad passphrase key file location: /Users/bester/.globus/userkey.pem globus_credential: Error reading user credential: Can't read credential's private key from PEM OpenSSL Error: pem_lib.c:423: in library: PEM routines, function PEM_do_header: bad decrypt OpenSSL Error: evp_enc.c:509: in library: digital envelope routines, function EVP_DecryptFinal: bad decrypt Use -debug for further information. | Unable to decrypt private key | Rerun grid-proxy-init with the correct password. |
globus_gsi_gssapi: Error with gss credential handle globus_credential: Valid credentials could not be found in any of the possible locations specified by the credential search order. Valid credentials could not be found in any of the possible locations specified by the credential search order. Attempt 1 globus_credential: Error reading host credential globus_sysconfig: Error with certificate filename globus_sysconfig: Error with certificate filename globus_sysconfig: File is not owned by current user: /etc/grid-security/hostcert.pem is not owned by current user Attempt 2 globus_credential: Error reading proxy credential globus_sysconfig: Could not find a valid proxy certificate file location globus_sysconfig: Error with key filename globus_sysconfig: File does not exist: /tmp/x509up_u501 is not a valid file Attempt 3 globus_credential: Error reading user credential globus_credential: Key is password protected: GSI does not currently support password protected private keys. OpenSSL Error: pem_lib.c:401: in library: PEM routines, function PEM_do_header: bad password read | No user proxy could be found |
|
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Error with credential: The proxy credential:
/tmp/x509up_u1499
with subject: /DC=org/DC=example/DC=grid/OU=People/CN=Joe
User/CN=1235439010
expired 44 minutes ago. | Proxy has expired. | Run grid-proxy-init to generate a new proxy. |
globus_xio: The GSI XIO driver failed to establish a secure connection. The failure occured during a handshake read. globus_xio: An end of file occurred | Communication disrupted during SSL handshake | Verify with the service administrator that your certificate is signed by a certificate authority that is trusted by the service. |
globus_gsi_gssapi: Unable to verify
remote side's credentials
globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't verify
the remote certificate
OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
| Unable to verify remote certificate. Often a clock-synchronization problem where the service clock is behind that of the client. | Verify that the client and service hosts have accurate time of day clocks. Use a NTP daemon if possible. |
OpenSSL Error: s3_clnt.c:894: in
library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate is not yet valid: Cert with
subject: /DC=org/DC=example/DC=grid/OU=People/CN=Joe User/CN=464555355 is not
yet valid- check clock skew between hosts.
| Unable to verify remote certificate. Often a clock-synchronization problem where the client clock is behind that of the service. | Verify that the client and service hosts have accurate time of day clocks. Use a NTP daemon if possible. |
globus_gsi_callback_module: Error with signing policy globus_sysconfig: Error getting signing policy file globus_sysconfig: File does not exist: /etc/grid-security/certificates/2b0e42b2.signing_policy is not a valid file | The service's certificate is not trusted by the client | Determine if the certificate authority used by the server is worth trusting. If so, retrieve the CA certificate and signing policy and place them in the client's trusted certificate directory. |
globus_gsi_callback_module: Could not verify credential globus_gsi_callback_module: Error with signing policy globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given> | Service certificate is not trusted because the CA signing policy does not trust the CA to sign the subject name of the certificate. | Verify with the service administrator that the certificate is valid. Verify that the signing policy file is up-to-date |
Error: globus_soap_message_module: SOAP Fault Fault code: Client Fault string: globus_handler_ws_secure_message: Server Request handling failed globus_handler_ws_secure_message: Failed to verify the message: Unable to get Security header element from message attributes. | The client sent a request to a service which message security without properly invoking the security handlers | Invoke the client program with the WS-SecureMessage handler.
Typically this is done by add -m msg to the
command-line. |
Error: globus_soap_message_module: SOAP Fault
Fault code: Client
Fault string: globus_soap_message_module: Loaded message handlers do not
understand required header element:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}
Security | The client sent a request protected with message-level security but the server did not understand the required security headers | Disable WS-SecureMessage on the client |
The following are some common problems that may cause clients or servers to report that credentials are invalid:
For a list of common errors in GT, see Error Codes.
Table 7.2. Credential Errors
| Error Code | Definition | Possible Solutions |
|---|---|---|
Your proxy credential may have expired | Your proxy credential may have expired. | Use grid-proxy-info to check whether the proxy credential has actually expired. If it has, generate a new proxy with grid-proxy-init. |
The system clock on either the local or remote system
is wrong. | This may cause the server or client to conclude that a credential has expired. | Check the system clocks on the local and remote system. |
Your end-user certificate may have
expired | Your end-user certificate may have expired | Use grid-cert-info to check your certificate's expiration date. If it has expired, follow your CA's procedures to get a new one. |
The permissions may be wrong on your proxy
file | If the permissions on your proxy file are too lax (for example, if others can read your proxy file), Globus Toolkit clients will not use that file to authenticate. | You can "fix" this problem by changing the permissions on
the file or by destroying it (with grid-proxy-destroy) and
creating a new one (with grid-proxy-init).
Important: However, it is still possible that someone else has made a copy of that file during the time that the permissions were wrong. In that case, they will be able to impersonate you until the proxy file expires or your permissions or end-user certificate are revoked, whichever happens first. |
The permissions may be wrong on your private key
file | If the permissions on your end user certificate private key file are too lax (for example, if others can read the file), grid-proxy-init will refuse to create a proxy certificate. | You can "fix" this by changing the permissions on the
private key file. Important: However, you will still have a much more serious problem: it is possible that someone has made a copy of your private key file. Although this file is encrypted, it is possible that someone will be able to decrypt the private key, at which point they will be able to impersonate you as long as your end user certificate is valid. You should contact your CA to have your end-user certificate revoked and get a new one. |
The remote system may not trust your
CA | The remote system may not trust your CA | Verify that the remote system is configured to trust the CA that issued your end-entity certificate. See Installing GT 4.2.1 for details. |
You may not trust the remote system's
CA | You may not trust the remote system's CA | Verify that your system is configured to trust the remote CA (or that your environment is set up to trust the remote CA). See Installing GT 4.2.1 for details. |
There may be something wrong with the remote
service's credentials | There may be something wrong with the remote service's credentials | It is sometimes difficult to distinguish between errors reported by the remote service regarding your credentials and errors reported by the client interface regarding the remote service's credentials. If you cannot find anything wrong with your credentials, check for the same conditions on the remote system (or ask a remote administrator to do so) . |
The grid-cert-diagnostics program checks prints diagnostics about the user's certificates, and host security environment.
%grid-cert-diagnostics-p
openssl verify -CApath /etc/grid-security/certificates -purpose sslclient ~/.globus/usercert.pem
openssl s_client -ssl3 -cert ~/.globus/usercert.pem -key
~/.globus/userkey.pem -CApath /etc/grid-security/certificates
-connect <host:port>Here <host:port> denotes the
server and port you connect to.
If it prints an error and puts you back at the command prompt, then it typically means that the server has closed the connection, i.e. that the server was not happy with the client's certificate and verification. Check the SSL log on the server.
If the command "hangs" then it has actually opened a telnet style (but secure) socket, and you can "talk" to the server.
You should be able to scroll up and see the subject names of the server's verification chain:
depth=2 /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
verify return:1
depth=1 /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
verify return:1
depth=0 /DC=org/DC=doegrids/OU=Services/CN=wiggum.mcs.anl.gov
verify return:1
In this case, there were no errors. Errors would give you an extra line next to the subject name of the certificate that caused the error.
P
- private key
The private part of a key pair. Depending on the type of certificate the key corresponds to it may typically be found in
$HOME/.globus/userkey.pem(for user certificates),/etc/grid-security/hostkey.pem(for host certificates) or/etc/grid-security/(for service certificates).<service>/<service>key.pemFor more information on possible private key locations see this.
S
- scheduler
Term used to describe a job scheduler mechanism to which GRAM interfaces. It is a networked system for submitting, controlling, and monitoring the workload of batch jobs in one or more computers. The jobs or tasks are scheduled for execution at a time chosen by the subsystem according to an available policy and availability of resources. Popular job schedulers include Portable Batch System (PBS), Platform LSF, and IBM LoadLeveler.