[AG-DEV] Identity certificates

Luis Galárraga lgalarra at fiec.espol.edu.ec
Wed Apr 2 14:39:47 CDT 2008


Greetings Tom:

We have not been able to consume the services yet. I have generated stub and
test classes for VenueServer, Venue and VenueClient interfaces. We have
started by testing the simplest methods: Checkpoint and GetVersion (they are
configured to be accessed by everybody). Using VenueServer or VenueClient, I
get:

Exception in thread "main" org.apache.axis2.AxisFault: Processing Failure
        at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:486)
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:343)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
        at org.accessgrid.www.v3_0.venueclient.VenueClientStub.GetVersion(VenueClientStub.java:3587)
        at test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.main(VenueClientTest.java:597)

The soap request message is:

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns2:CheckpointRequest xmlns:ns2="http://www.accessgrid.org/v3.0/venueserver">
            <ns2:secondsFromNow>12</ns2:secondsFromNow>
        </ns2:CheckpointRequest>
    </soapenv:Body>
</soapenv:Envelope>

Checking the log in the server (in debug mode), I just get:

04/02/08 14:34:56 -1286157424 Hosting     ServiceContainer.py:17 ERROR Processing Failure
None

The log message is not verbose and I do not know the code, but I suspect
there is something missing in my request.

Luis,

2008/4/2, Luis Galárraga <lgalarra at fiec.espol.edu.ec>:
>
> Thanks Tom, in fact I am working now in getting the exact SOAP messages
> being sent. I will check the log files of the server.
>
> Luis,
>
> 2008/4/2, Thomas D. Uram <turam at mcs.anl.gov>:
> >
> >
> >
> > On 4/1/08 5:15 PM, Luis Galárraga wrote:
> >
> > Greetings:
> >
> > Finally, I could generate stubs for AG soap interfaces
> > (CommunityVenueServer, VenueServer, Venue and VenueClient)  using wsdl2java
> > with files *Binding.wsdl. I used wsdl files located in CVS repository
> > instead of requesting wsdl from server. Now I have several questions:
> >
> > - There was a file generate.py which I ran and generated extra wsdl
> > files: CommunityServerBinding.wsdl and CommunityServerInterface.wsdl. What
> > is CommunityServer service for? Searching in Google I understood that it has
> > security purposes but reading the generated code I cannot deduce its
> > function. Does this service accept requests in the same port as VenueServer?
> >
> >
> > You can ignore the CommunityServer code.  That was preliminary and is
> > not being used.
> >
> >
> > - I configured my server (proyectossw.espol.edu.ec:8000) to accept
> > GetVersionRequests for everybody. But when I invoked this method for any
> > stub, I get the following message (in this case with VenueClientStub. Those
> > examples pointed to localhost so I changed them for my server url):
> >
> > Exception in thread "main" org.apache.axis2.AxisFault: Processing Failure
> >         at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:486)
> >         at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:343)
> >         at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
> >         at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
> >         at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
> >         at org.accessgrid.www.v3_0.venueclient.VenueClientStub.GetVersion(VenueClientStub.java:3586)
> >         at test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.testGetVersion(VenueClientTest.java:352)
> >         at test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.main(VenueClientTest.java:584)
> >
> >  I can't determine anything from this error message, unfortunately.
> > Have you looked at the VenueServer log following this call?  Can you look at
> > the SOAP data between the server and client, to get an idea of the problem?
> >
> >
> >  Does anybody have an idea? Thanks in advance.
> >
> > Luis,
> >
> >
> > 2008/3/28, Luis Galárraga <lgalarra at fiec.espol.edu.ec>:
> > >
> > > It looks like there is a problem with WSDL, as I get the following
> > > error when using WSDL2Java, the tool that comes with Axis distribution. I am
> > > using the file obtained by requesting
> > > https://proyectossw.espol.edu.ec:8000/Venues/default?WSDL
> > > The server is using AccessGrid 3.1.
> > >
> > > >  $ ./wsdl2java.sh -uri Venue.wsdl
> > > > >  Using AXIS2_HOME:      /home/luis/Desktop/axis2-1.3
> > > > >  Using JAVA_HOME:       /usr/lib/jvm/java-6-sun-1.6.0.03/
> > > > > Exception in thread "main" org.apache.axis2.wsdl.codegen.CodeGenerationException: Error parsing WSDL
> > > > >         at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:150)
> > > > >         at org.apache.axis2.wsdl.WSDL2Code.main(WSDL2Code.java:35)
> > > > >         at org.apache.axis2.wsdl.WSDL2Java.main(WSDL2Java.java:24)
> > > > > Caused by: javax.wsdl.WSDLException: WSDLException (at /definitions/types): faultCode=INVALID_WSDL: Encountered illegal extension attribute 'targetNamespace'. Extension attributes must be in a namespace other than WSDL's.
> > > > >         at com.ibm.wsdl.xml.WSDLReaderImpl.parseExtensibilityAttributes(Unknown Source)
> > > > >         at com.ibm.wsdl.xml.WSDLReaderImpl.parseTypes(Unknown Source)
> > > > >         at com.ibm.wsdl.xml.WSDLReaderImpl.parseDefinitions(Unknown Source)
> > > > >         at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
> > > > >         at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
> > > > >         at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
> > > > >         at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.readInTheWSDLFile(CodeGenerationEngine.java:286)
> > > > >         at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:105)
> > > > >         ... 2 more
> > > >
> > >
> > > Regards,
> > > Luis
> > >
> > > 2008/3/28, Thomas D. Uram <turam at mcs.anl.gov>:
> > > >
> > > > AG2 did rely on the Globus toolkit.
> > > >
> > > > AG3 does not rely on the Globus toolkit.  We are using Doc-Lit SOAP
> > > > via Python ZSI (pywebsvcs.sourceforge.net).  You should be able to
> > > > consume these services using other-language SOAP implementations.  If not,
> > > > something is wrong with our WSDL, ZSI, or your other-language SOAP
> > > > implementation.  I'll follow up on your other mail regarding the error
> > > > message you're getting.
> > > >
> > > > For what it's worth, I know other people have consumed the AG web
> > > > services using a Java SOAP implementation (you should be able to find
> > > > information about this in the mailing list archives).
> > > >
> > > > Tom
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On 3/27/08 6:53 PM, Luis Galárraga wrote:
> > > >
> > > > Thanks a lot for your help!!. We understand AG a little better now
> > > > :-)
> > > >
> > > > Another question: we are trying to consume Venue and VenueServer web
> > > > services without success. Now, I understand that as AccessGrid relies on
> > > > Globus Toolkit (I have heard about it before, but I understand it better) we
> > > > need to construct clients compatible with it. Using JAX-WS (used by Netbeans
> > > > IDE) is not a good idea. Am I in the right way??
> > > >
> > > > Luis,
> > > >
> > > > 2008/3/27, Thomas D. Uram <turam at mcs.anl.gov>:
> > > > >
> > > > > Luis:
> > > > >
> > > > > See responses inline.
> > > > >
> > > > > On 3/14/08 3:24 PM, Luis Galárraga wrote:
> > > > >
> > > > > Greetings Tom:
> > > > >
> > > > > First of all, thanks again for your help, I have several
> > > > > questions, this time related to server certificates. Do the things we were
> > > > > talking about identity certificates apply to server certificates?. We have a
> > > > > developer who is working in consuming AG server web services from a Java
> > > > > Client. He would like to work at home, but unfortunately our request for
> > > > > opening certain tcp ports was denied because of security issues. I told him
> > > > > to run server and client in his machine. I had to make a server certificate
> > > > > request to be able to run the server first time:
> > > > > - Is it possible to omit this step?.
> > > > >
> > > > > The server does require a certificate; this requirement cannot be
> > > > > avoided.
> > > > >
> > > > > - If not, is it possible to create it with a tool like openssl.
> > > > > When starting server from terminal, it asks for a certificate.
> > > > >
> > > > > You can build up the required certificate state completely
> > > > > independent from the Access Grid Developers CA if you want.  In that case,
> > > > > you'll have to make sure that the CA cert is installed at both the server
> > > > > and at client machines.  And the CA cert will have to be used to sign the
> > > > > certificate used to run the server.  This is standard PKI practice, so you
> > > > > should be able to find sufficient references online.  If you have trouble,
> > > > > please ask.
> > > > >
> > > > > - Is there a way of exporting a certificate from command line. I
> > > > > have a problem with the certificate management tool (it crashes
> > > > > unexpectedly. I reported it and there is someone working to provide you a
> > > > > better report) so I cannot do it through graphical interface.
> > > > >
> > > > > You can use certmgr.py.  In some cases, it will be called
> > > > > certmgr3.py.  After running it, type 'help' for a list of available
> > > > > commands.
> > > > >
> > > > >
> > > > > Regards,
> > > > > Luis
> > > > >
> > > > >
> > > > >
> > > > > 2008/3/13, Thomas D. Uram <turam at mcs.anl.gov>:
> > > > > >
> > > > > > Hi Luis:
> > > > > >
> > > > > > There are a few things you need to know in this regard:
> > > > > >
> > > > > > > - By default, AG3 venues do not require that clients have a
> > > > > > > certificate to enter.  Venues can be optionally configured to
> > > > > > > require a certificate, in which case the user must present a
> > > > > > > certificate that satisfies the access controls on the venue.
> > > > > > >
> > > > > > > - You can run your own CA and issue your own certificates.  In
> > > > > > > that case, you'll need to make sure your clients have both your
> > > > > > > CA certificate and their personal certificate.
> > > > > > >
> > > > > > > Otherwise, this is general PKI.  If you have other questions,
> > > > > > > don't hesitate to ask.
> > > > > >
> > > > > > Tom
> > > > > >
> > > > > >
> > > > > > On 3/6/08 3:41 PM, Luis Galárraga wrote:
> > > > > > > > Greetings:
> > > > > > > >
> > > > > > > > I am part of a project for developing a webinar infrastructure
> > > > > > > > based on Access Grid. After a long discussion in which
> > > > > > > > suggestions in this mailing list were strongly considered, we
> > > > > > > > have decided to implement a simple client for venues (in
> > > > > > > > servers 3.x) using Java Web Start Apps. As you can see, there
> > > > > > > > are many things to do, and developers have started by making
> > > > > > > > tests with the soap interfaces in our AG server, however they
> > > > > > > > are not clear about the concepts behind the authentication
> > > > > > > > process. We know AG uses digital certificates for everything:
> > > > > > > > users and services and those certificates are generated by AG
> > > > > > > > developers (after a process request). Can our developer team
> > > > > > > > generate certificates signed by us or is your signature
> > > > > > > > required? Several people in our university will probably use
> > > > > > > > the system so we would like to have the privilege to generate
> > > > > > > > the certificates. Could someone explain to us in a better way
> > > > > > > > the technical issues behind authentication based on
> > > > > > > > certificates (= how you implemented it)? I hope you can help
> > > > > > > > us.
> > > > > > >
> > > > > > > Thanks in advance,
> > > > > > >
> > > > > > > Regards,
> > > > > > > Luis Galárraga
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> >
>