[AG-DEV] Identity certificates

Thomas D. Uram turam at mcs.anl.gov
Wed Apr 2 11:52:18 CDT 2008



On 4/1/08 5:15 PM, Luis Galárraga wrote:
> Greetings:
>
> Finally, I could generate stubs for AG soap interfaces 
> (CommunityVenueServer, VenueServer, Venue and VenueClient)  using 
> wsdl2java with files *Binding.wsdl. I used wsdl files located in CVS 
> repository instead of requesting wsdl from server. Now I have several 
> questions:
>
> - There was a file generate.py which I ran and generated extra wsdl 
> files: CommunityServerBinding.wsdl and CommunityServerInterface.wsdl. 
> What is CommunityServer service for? Searching in Google I understood 
> that it has security purposes but reading the generated code I cannot 
> deduce its function. Does this service accept requests in the same 
> port as VenueServer?

You can ignore the CommunityServer code.  That was preliminary and is 
not being used.
>
> - I configured my server (proyectossw.espol.edu.ec:8000 
> <http://proyectossw.espol.edu.ec:8000>) to accept GetVersionRequests 
> for everybody. But when I invoked this method for any stub, I get the 
> following message (in this case with VenueClientStub. Those examples 
> pointed to localhost so I changed them for my server url):
>
>     Exception in thread "main" org.apache.axis2.AxisFault: Processing
>     Failure
>             at
>     org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:486)
>             at
>     org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:343)
>             at
>     org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
>             at
>     org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
>             at
>     org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
>             at
>     org.accessgrid.www.v3_0.venueclient.VenueClientStub.GetVersion(VenueClientStub.java:3586)
>             at
>     test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.testGetVersion(VenueClientTest.java:352)
>             at
>     test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.main(VenueClientTest.java:584)
>
I can't determine anything from this error message, unfortunately.  Have 
you looked at the VenueServer log following this call?  Can you look at 
the SOAP data between the server and client, to get an idea of the 
problem? 

> Does anybody have an idea? Thanks in advance.
>
> Luis,
>
>
> 2008/3/28, Luis Galárraga <lgalarra at fiec.espol.edu.ec 
> <mailto:lgalarra at fiec.espol.edu.ec>>:
>
>     It looks like there is a problem with WSDL, as I get the following
>     error when using WSDL2Java, the tool that comes with Axis
>     distribution. I am using the file obtained by requesting
>     https://proyectossw.espol.edu.ec:8000/Venues/default?WSDL
>     The server is using AccessGrid 3.1.
>
>          $ ./wsdl2java.sh -uri Venue.wsdl
>          Using AXIS2_HOME:   /home/luis/Desktop/axis2-1.3
>          Using JAVA_HOME:       /usr/lib/jvm/java-6-sun-1.6.0.03/
>         Exception in thread "main"
>         org.apache.axis2.wsdl.codegen.CodeGenerationException: Error
>         parsing WSDL
>                 at
>         org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:150)
>                 at org.apache.axis2.wsdl.WSDL2Code.main(WSDL2Code.java:35)
>                 at org.apache.axis2.wsdl.WSDL2Java.main(WSDL2Java.java:24)
>         Caused by: javax.wsdl.WSDLException: WSDLException (at
>         /definitions/types): faultCode=INVALID_WSDL: Encountered
>         illegal extension attribute 'targetNamespace'. Extension
>         attributes must be in a namespace other than WSDL's.
>                 at
>         com.ibm.wsdl.xml.WSDLReaderImpl.parseExtensibilityAttributes(Unknown
>         Source)
>                 at com.ibm.wsdl.xml.WSDLReaderImpl.parseTypes(Unknown
>         Source)
>                 at
>         com.ibm.wsdl.xml.WSDLReaderImpl.parseDefinitions(Unknown Source)
>                 at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown
>         Source)
>                 at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown
>         Source)
>                 at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown
>         Source)
>                 at
>         org.apache.axis2.wsdl.codegen.CodeGenerationEngine.readInTheWSDLFile(CodeGenerationEngine.java:286)
>                 at
>         org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:105)
>                 ... 2 more
>
>
>     Regards,
>     Luis
>
>     2008/3/28, Thomas D. Uram <turam at mcs.anl.gov
>     <mailto:turam at mcs.anl.gov>>:
>
>         AG2 did rely on the Globus toolkit.
>
>         AG3 does not rely on the Globus toolkit.  We are using Doc-Lit
>         SOAP via Python ZSI (pywebsvcs.sourceforge.net
>         <http://pywebsvcs.sourceforge.net>).  You should be able to
>         consume these services using other-language SOAP
>         implementations.  If not, something is wrong with our WSDL,
>         ZSI, or your other-language SOAP implementation.  I'll follow
>         up on your other mail regarding the error message you're getting.
>
>         For what it's worth, I know other people have consumed the AG
>         web services using a Java SOAP implementation (you should be
>         able to find information about this in the mailing list archives).
>
>         Tom
>
>
>
>
>
>
>         On 3/27/08 6:53 PM, Luis Galárraga wrote:
>>         Thanks a lot for your help!!. We understand AG a little
>>         better now :-)
>>
>>         Another question: we are trying to consume Venue and
>>         VenueServer web services without success. Now, I understand
>>         that as AccessGrid relies on Globus Toolkit (I have heard
>>         about it before, but I understand it better) we need to
>>         construct clients compatible with it. Using JAX-WS (used by
>>         Netbeans IDE) is not a good idea. Am I in the right way??
>>
>>         Luis,
>>
>>         2008/3/27, Thomas D. Uram <turam at mcs.anl.gov
>>         <mailto:turam at mcs.anl.gov>>:
>>
>>             Luis:
>>
>>             See responses inline.
>>
>>             On 3/14/08 3:24 PM, Luis Galárraga wrote:
>>>             Greetings Tom:
>>>
>>>             First of all, thanks again for your help, I have several
>>>             questions, this time related to server certificates. Do
>>>             the things we were talking about identity certificates
>>>             apply to server certificates? We have a developer who
>>>             is working in consuming AG server web services from a
>>>             Java Client. He would like to work at home, but
>>>             unfortunately our request for opening certain tcp ports
>>>             was denied because of security issues. I told him to run
>>>             server and client in his machine. I had to make a server
>>>             certificate request to be able to run the server first time:
>>>             - Is it possible to omit this step?
>>             The server does require a certificate; this requirement
>>             cannot be avoided.
>>>             - If not, is it possible to create it with a tool like
>>>             openssl? When starting server from terminal, it asks for
>>>             a certificate.
>>             You can build up the required certificate state
>>             completely independent from the Access Grid Developers CA
>>             if you want.  In that case, you'll have to make sure that
>>             the CA cert is installed at both the server and at client
>>             machines.  And the CA cert will have to be used to sign
>>             the certificate used to run the server.  This is standard
>>             PKI practice, so you should be able to find sufficient
>>             references online.  If you have trouble, please ask.
>>>             - Is there a way of exporting a certificate from the command
>>>             line? I have a problem with the certificate management
>>>             tool (it crashes unexpectedly. I reported it and there
>>>             is someone working to provide you a better report) so I
>>>             cannot do it through graphical interface.
>>             You can use certmgr.py.  In some cases, it will be called
>>             certmgr3.py.  After running it, type 'help' for a list of
>>             available commands.
>>
>>
>>>
>>>             Regards,
>>>             Luis
>>>
>>>
>>>
>>>             2008/3/13, Thomas D. Uram <turam at mcs.anl.gov
>>>             <mailto:turam at mcs.anl.gov>>:
>>>
>>>                 Hi Luis:
>>>
>>>                 There are a few things you need to know in this regard:
>>>
>>>                 - By default, AG3 venues do not require that clients
>>>                 have a certificate
>>>                 to enter.  Venues can be optionally configured to
>>>                 require a certificate,
>>>                 in which case the user must present a certificate
>>>                 that satisfies the
>>>                 access controls on the venue.
>>>
>>>                 - You can run your own CA and issue your own
>>>                 certificates.  In that
>>>                 case, you'll need to make sure your clients have
>>>                 both your CA
>>>                 certificate and their personal certificate.
>>>
>>>                 Otherwise, this is general PKI.  If you have other
>>>                 questions, don't
>>>                 hesitate to ask.
>>>
>>>                 Tom
>>>
>>>
>>>                 On 3/6/08 3:41 PM, Luis Galárraga wrote:
>>>                 > Greetings:
>>>                 >
>>>                 > I am part of a project for developing a webinar
>>>                 infrastructure based on
>>>                 > Access Grid. After a long discussion in which
>>>                 suggestions in this
>>>                 > mailing list were strongly considered, we have
>>>                 decided to implement a
>>>                 > simple client for venues (in servers 3.x) using
>>>                 Java Web Start Apps.
>>>                 > As you can see, there are many things to do, and
>>>                 developers have
>>>                 > started by making tests with the soap interfaces in
>>>                 our AG server,
>>>                 > however they are not clear about the  concepts
>>>                 behind the
>>>                 > authentication process. We know AG uses digital
>>>                 certificates for
>>>                 > everything: users and services and those
>>>                 certificates are generated by
>>>                 > AG developers (after a process request). Can our
>>>                 developer team
>>>                 > generate certificates signed by us, or is
>>>                 your signature required?
>>>                 > Several people in our university will probably use
>>>                 the system so we
>>>                 > would like to have the privilege to generate the
>>>                 certificates. Could
>>>                 > someone explain to us in a better way, the technical
>>>                 issues behind
>>>                 > authentication based on certificates (= how you
>>>                 implemented it)? I
>>>                 > hope you can help us.
>>>                 >
>>>                 > Thanks in advance,
>>>                 >
>>>                 > Regards,
>>>                 > Luis Galárraga
>>>
>>>
>>
>
>
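
The private-CA setup described in the quoted 3/27 reply (run your own CA, sign the server certificate with it, install the CA cert on the server and the clients), as an added example that is not part of the original thread or of the Access Grid code. Subject names, the host name, lifetimes and file names are constructed, and importing the resulting files into Access Grid (for instance with certmgr.py) is not shown.

```shell
#!/bin/sh
# Added example: private CA plus a server certificate signed by it.
# Subject names, host name, lifetimes and file names are constructed values.

# make_ca DIR NAME: self-signed CA certificate (ca.pem) and key (ca.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Lab/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    chmod 600 "$1/ca.key"
}

# make_server_cert DIR HOST: server key and CSR, then a cert signed by DIR's CA.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Lab/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    chmod 600 "$1/server.key" &&
    openssl x509 -req -in "$1/server.csr" -sha256 -days 90 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

# cert_chains_to CA_PEM CERT_PEM: true only if CERT_PEM verifies against CA_PEM.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: prints what a client holding each CA cert decides about the server cert.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ours" "$work/other"
    if make_ca "$work/ours" "Example Private CA" &&
       make_server_cert "$work/ours" "venueserver.example.org" &&
       make_ca "$work/other" "Unrelated CA"; then
        # Client that installed our CA cert:
        cert_chains_to "$work/ours/ca.pem" "$work/ours/server.pem" &&
            ours=trusted || ours=untrusted
        # Client that holds only some other CA cert:
        cert_chains_to "$work/other/ca.pem" "$work/ours/server.pem" &&
            other=trusted || other=untrusted
        echo "$ours $other"
    else
        echo "setup-failed"
    fi
    rm -rf "$work"
}

demo
```

Only ca.pem is distributed to client machines; ca.key stays with whoever issues certificates, and server.key stays on the server.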