[AG-DEV] Identity certificates

Luis Galárraga lgalarra at fiec.espol.edu.ec
Tue Apr 1 17:15:41 CDT 2008


Greetings:

Finally, I could generate stubs for AG soap interfaces
(CommunityVenueServer, VenueServer, Venue and VenueClient)  using wsdl2java
with files *Binding.wsdl. I used wsdl files located in CVS repository
instead of requesting wsdl from server. Now I have several questions:

- There was a file generate.py which I ran, and it generated extra WSDL files:
CommunityServerBinding.wsdl and CommunityServerInterface.wsdl. What is the
CommunityServer service for? Searching in Google I understood that it has
security purposes but reading the generated code I cannot deduce its
function. Does this service accept requests on the same port as VenueServer?

- I configured my server (proyectossw.espol.edu.ec:8000) to accept
GetVersionRequests for everybody. But when I invoked this method for any
stub, I get the following message (in this case with VenueClientStub. Those
examples pointed to localhost so I changed them for my server url):

Exception in thread "main" org.apache.axis2.AxisFault: Processing Failure
        at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:486)
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:343)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
        at org.accessgrid.www.v3_0.venueclient.VenueClientStub.GetVersion(VenueClientStub.java:3586)
        at test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.testGetVersion(VenueClientTest.java:352)
        at test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.main(VenueClientTest.java:584)

Does anybody have an idea? Thanks in advance.

Luis,


2008/3/28, Luis Galárraga <lgalarra at fiec.espol.edu.ec>:
>
> It looks like there is a problem with WSDL, as I get the following error
> when using WSDL2Java, the tool that comes with Axis distribution. I am using
> the file obtained by requesting
> https://proyectossw.espol.edu.ec:8000/Venues/default?WSDL
> The server is using AccessGrid 3.1.
>
> > $ ./wsdl2java.sh -uri Venue.wsdl
> > Using AXIS2_HOME:      /home/luis/Desktop/axis2-1.3
> > Using JAVA_HOME:       /usr/lib/jvm/java-6-sun-1.6.0.03/
> > Exception in thread "main" org.apache.axis2.wsdl.codegen.CodeGenerationException: Error parsing WSDL
> >         at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:150)
> >         at org.apache.axis2.wsdl.WSDL2Code.main(WSDL2Code.java:35)
> >         at org.apache.axis2.wsdl.WSDL2Java.main(WSDL2Java.java:24)
> > Caused by: javax.wsdl.WSDLException: WSDLException (at /definitions/types): faultCode=INVALID_WSDL: Encountered illegal extension attribute 'targetNamespace'. Extension attributes must be in a namespace other than WSDL's.
> >         at com.ibm.wsdl.xml.WSDLReaderImpl.parseExtensibilityAttributes(Unknown Source)
> >         at com.ibm.wsdl.xml.WSDLReaderImpl.parseTypes(Unknown Source)
> >         at com.ibm.wsdl.xml.WSDLReaderImpl.parseDefinitions(Unknown Source)
> >         at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
> >         at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
> >         at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
> >         at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.readInTheWSDLFile(CodeGenerationEngine.java:286)
> >         at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:105)
> >         ... 2 more
> >
>
> Regards,
> Luis
>
> 2008/3/28, Thomas D. Uram <turam at mcs.anl.gov>:
> >
> >  AG2 did rely on the Globus toolkit.
> >
> > AG3 does not rely on the Globus toolkit.  We are using Doc-Lit SOAP via
> > Python ZSI (pywebsvcs.sourceforge.net).  You should be able to consume
> > these services using other-language SOAP implementations.  If not, something
> > is wrong with our WSDL, ZSI, or your other-language SOAP implementation.
> > I'll follow up on your other mail regarding the error message you're
> > getting.
> >
> > For what it's worth, I know other people have consumed the AG web
> > services using a Java SOAP implementation (you should be able to find
> > information about this in the mailing list archives).
> >
> > Tom
> >
> >
> >
> >
> >
> > On 3/27/08 6:53 PM, Luis Galárraga wrote:
> >
> > Thanks a lot for your help!!. We understand AG a little better now :-)
> >
> > Another question: we are trying to consume Venue and VenueServer web
> > services without success. Now, I understand that as AccessGrid relies on
> > Globus Toolkit (I have heard about it before, but I understand it better) we
> > need to construct clients compatible with it. Using JAX-WS (used by Netbeans
> > IDE) is not a good idea. Am I in the right way??
> >
> > Luis,
> >
> > 2008/3/27, Thomas D. Uram <turam at mcs.anl.gov>:
> > >
> > > Luis:
> > >
> > > See responses inline.
> > >
> > > On 3/14/08 3:24 PM, Luis Galárraga wrote:
> > >
> > > Greetings Tom:
> > >
> > > First of all, thanks again for your help. I have several questions,
> > > this time related to server certificates. Do the things we discussed
> > > about identity certificates apply to server certificates? We have a
> > > developer who is working on consuming AG server web services from a Java
> > > client. He would like to work at home, but unfortunately our request for
> > > opening certain TCP ports was denied because of security issues. I told him
> > > to run server and client on his machine. I had to make a server certificate
> > > request to be able to run the server the first time:
> > > - Is it possible to omit this step?
> > >
> > > The server does require a certificate; this requirement cannot be
> > > avoided.
> > >
> > > - If not, is it possible to create it with a tool like openssl? When
> > > starting the server from a terminal, it asks for a certificate.
> > >
> > > You can build up the required certificate state completely independent
> > > from the Access Grid Developers CA if you want.  In that case, you'll have
> > > to make sure that the CA cert is installed at both the server and at client
> > > machines.  And the CA cert will have to be used to sign the certificate used
> > > to run the server.  This is standard PKI practice, so you should be able to
> > > find sufficient references online.  If you have trouble, please ask.
> > >
> > > - Is there a way of exporting a certificate from the command line? I have
> > > a problem with the certificate management tool (it crashes unexpectedly; I
> > > reported it and there is someone working to provide you a better report) so
> > > I cannot do it through the graphical interface.
> > >
> > > You can use certmgr.py.  In some cases, it will be called certmgr3.py.
> > > After running it, type 'help' for a list of available commands.
> > >
> > >
> > > Regards,
> > > Luis
> > >
> > >
> > >
> > > 2008/3/13, Thomas D. Uram <turam at mcs.anl.gov>:
> > > >
> > > > Hi Luis:
> > > >
> > > > There are a few things you need to know in this regard:
> > > >
> > > > - By default, AG3 venues do not require that clients have a
> > > > certificate
> > > > to enter.  Venues can be optionally configured to require a
> > > > certificate,
> > > > in which case the user must present a certificate that satisfies the
> > > > access controls on the venue.
> > > >
> > > > - You can run your own CA and issue your own certificates.  In that
> > > > case, you'll need to make sure your clients have both your CA
> > > > certificate and their personal certificate.
> > > >
> > > > Otherwise, this is general PKI.  If you have other questions, don't
> > > > hesitate to ask.
> > > >
> > > > Tom
> > > >
> > > >
> > > > On 3/6/08 3:41 PM, Luis Galárraga wrote:
> > > > > Greetings:
> > > > >
> > > > > > I am part of a project for developing a webinar infrastructure
> > > > > > based on Access Grid. After a long discussion in which suggestions
> > > > > > in this mailing list were strongly considered, we have decided to
> > > > > > implement a simple client for venues (in servers 3.x) using Java
> > > > > > Web Start Apps. As you can see, there are many things to do, and
> > > > > > developers have started by making tests with the SOAP interfaces
> > > > > > in our AG server, however they are not clear about the concepts
> > > > > > behind the authentication process. We know AG uses digital
> > > > > > certificates for everything: users and services, and those
> > > > > > certificates are generated by AG developers (after a process
> > > > > > request). Can our developer team generate certificates signed by
> > > > > > us, or is your signature required? Several people in our
> > > > > > university will probably use the system so we would like to have
> > > > > > the privilege to generate the certificates. Could someone explain
> > > > > > to us in a better way the technical issues behind authentication
> > > > > > based on certificates (= how you implemented it)? I hope you can
> > > > > > help us.
> > > > >
> > > > > Thanks in advance,
> > > > >
> > > > > Regards,
> > > > > Luis Galárraga
> > > >
> > >
> > >
> >
>
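
The private-CA setup described in the quoted 3/27 reply (a CA certificate installed at server and clients, and used to sign the server certificate), sketched with openssl as an added example; it is not part of the original thread and not Access Grid's own tooling. The organization, CA and host names, file names and validity periods are placeholders, and importing the results into the AG certificate manager is not covered.

```shell
#!/bin/sh
# Added example: private CA plus a server certificate signed by it.
# Names (Example Org, Example Private CA, server.example.org) are placeholders.
set -eu
umask 077               # -nodes below writes unencrypted private keys

write_conf() {          # $1 = config file to write, $2 = certificate common name
cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Org
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

make_ca() {             # $1 = directory that receives ca.key and ca.crt
    write_conf "$1/ca.cnf" "Example Private CA"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.crt"
}

issue_server_cert() {   # $1 = directory holding the CA, $2 = server host name
    write_conf "$1/server.cnf" "$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/server.cnf" -keyout "$1/server.key" -out "$1/server.csr"
    openssl x509 -req -in "$1/server.csr" -sha256 -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.cnf" -extensions v3_server -out "$1/server.crt"
}

verify_chain() {        # $1 = CA certificate the verifier trusts, $2 = certificate
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK'
}

dir=$(mktemp -d)
make_ca "$dir"
issue_server_cert "$dir" server.example.org
verify_chain "$dir/ca.crt" "$dir/server.crt" && echo "server.crt chains to ca.crt"
```

Only `ca.crt` is distributed to the server and client machines; `ca.key` stays with whoever issues certificates, and `verify_chain` fails for any certificate not signed by the CA a machine has installed.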