[AG-DEV] Identity certificates
Thomas D. Uram
turam at mcs.anl.gov
Wed Apr 2 15:07:11 CDT 2008
Are you able to view the SOAP data being returned by the VenueServer to
your code?
On 4/2/08 2:39 PM, Luis Galárraga wrote:
> Greetings Tom:
>
> We have not been able to consume the services yet. I have generated
> stub and test classes for VenueServer, Venue and VenueClient
> interfaces. We have started by testing the simplest methods:
> Checkpoint and GetVersion (they are configured to be accessed by
> everybody). Using VenueServer or VenueClient, I get:
>
> Exception in thread "main" org.apache.axis2.AxisFault: Processing Failure
>     at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:486)
>     at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:343)
>     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
>     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
>     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
>     at org.accessgrid.www.v3_0.venueclient.VenueClientStub.GetVersion(VenueClientStub.java:3587)
>     at test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.main(VenueClientTest.java:597)
>
>
> The soap request message is:
>
> <?xml version='1.0' encoding='utf-8'?>
> <soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> <soapenv:Body>
> <ns2:CheckpointRequest
> xmlns:ns2="http://www.accessgrid.org/v3.0/venueserver">
> <ns2:secondsFromNow>12</ns2:secondsFromNow>
> </ns2:CheckpointRequest>
> </soapenv:Body>
> </soapenv:Envelope>
>
>
> Checking the log in the server (in debug mode), I just get:
>
> 04/02/08 14:34:56 -1286157424 Hosting ServiceContainer.py:17
> ERROR Processing Failure
> None
>
>
> The log message is not verbose and I do not know the code, but I
> suspect there is something missing in my request.
>
> Luis,
>
> 2008/4/2, Luis Galárraga <lgalarra at fiec.espol.edu.ec
> <mailto:lgalarra at fiec.espol.edu.ec>>:
>
> Thanks Tom, in fact I am working now in getting the exact SOAP
> messages being sent. I will check the log files of the server.
>
> Luis,
>
> 2008/4/2, Thomas D. Uram <turam at mcs.anl.gov
> <mailto:turam at mcs.anl.gov>>:
>
>
>
> On 4/1/08 5:15 PM, Luis Galárraga wrote:
>> Greetings:
>>
>> Finally, I could generate stubs for AG soap interfaces
>> (CommunityVenueServer, VenueServer, Venue and VenueClient)
>> using wsdl2java with files *Binding.wsdl. I used wsdl files
>> located in CVS repository instead of requesting wsdl from
>> server. Now I have several questions:
>>
>> - There was a file generate.py which I ran and generated
>> extra wsdl files: CommunityServerBinding.wsdl and
>> CommunityServerInterface.wsdl. What is CommunityServer
>> service for? Searching in Google I understood that it has
>> security purposes but reading the generated code I cannot
>> deduce its function. Does this service accept requests in the
>> same port as VenueServer?
>
> You can ignore the CommunityServer code. That was preliminary
> and is not being used.
>>
>> - I configured my server (proyectossw.espol.edu.ec:8000
>> <http://proyectossw.espol.edu.ec:8000>) to accept
>> GetVersionRequests for everybody. But when I invoked this
>> method for any stub, I get the following message (in this
>> case with VenueClientStub. Those examples pointed to
>> localhost so I changed them for my server url):
>>
>> Exception in thread "main" org.apache.axis2.AxisFault: Processing Failure
>>     at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:486)
>>     at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:343)
>>     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
>>     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
>>     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
>>     at org.accessgrid.www.v3_0.venueclient.VenueClientStub.GetVersion(VenueClientStub.java:3586)
>>     at test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.testGetVersion(VenueClientTest.java:352)
>>     at test.org.accessgrid.www.v3_0.venueclient.VenueClientTest.main(VenueClientTest.java:584)
>>
> I can't determine anything from this error message,
> unfortunately. Have you looked at the VenueServer log
> following this call? Can you look at the SOAP data between
> the server and client, to get an idea of the problem?
>
>> Does anybody have an idea? Thanks in advance.
>>
>> Luis,
>>
>>
>> 2008/3/28, Luis Galárraga <lgalarra at fiec.espol.edu.ec
>> <mailto:lgalarra at fiec.espol.edu.ec>>:
>>
>> It looks like there is a problem with WSDL, as I get the
>> following error when using WSDL2Java, the tool that comes
>> with Axis distribution. I am using the file obtained by
>> requesting
>> https://proyectossw.espol.edu.ec:8000/Venues/default?WSDL
>> The server is using AccessGrid 3.1.
>>
>> $ ./wsdl2java.sh -uri Venue.wsdl
>> Using AXIS2_HOME: /home/luis/Desktop/axis2-1.3
>> Using JAVA_HOME: /usr/lib/jvm/java-6-sun-1.6.0.03/
>> Exception in thread "main" org.apache.axis2.wsdl.codegen.CodeGenerationException: Error parsing WSDL
>>     at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:150)
>>     at org.apache.axis2.wsdl.WSDL2Code.main(WSDL2Code.java:35)
>>     at org.apache.axis2.wsdl.WSDL2Java.main(WSDL2Java.java:24)
>> Caused by: javax.wsdl.WSDLException: WSDLException (at /definitions/types): faultCode=INVALID_WSDL: Encountered illegal extension attribute 'targetNamespace'. Extension attributes must be in a namespace other than WSDL's.
>>     at com.ibm.wsdl.xml.WSDLReaderImpl.parseExtensibilityAttributes(Unknown Source)
>>     at com.ibm.wsdl.xml.WSDLReaderImpl.parseTypes(Unknown Source)
>>     at com.ibm.wsdl.xml.WSDLReaderImpl.parseDefinitions(Unknown Source)
>>     at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>>     at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>>     at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>>     at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.readInTheWSDLFile(CodeGenerationEngine.java:286)
>>     at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:105)
>>     ... 2 more
>>
>>
>> Regards,
>> Luis
>>
>> 2008/3/28, Thomas D. Uram <turam at mcs.anl.gov
>> <mailto:turam at mcs.anl.gov>>:
>>
>> AG2 did rely on the Globus toolkit.
>>
>> AG3 does not rely on the Globus toolkit. We are
>> using Doc-Lit SOAP via Python ZSI
>> (pywebsvcs.sourceforge.net
>> <http://pywebsvcs.sourceforge.net>). You should be
>> able to consume these services using other-language
>> SOAP implementations. If not, something is wrong
>> with our WSDL, ZSI, or your other-language SOAP
>> implementation. I'll follow up on your other mail
>> regarding the error message you're getting.
>>
>> For what it's worth, I know other people have
>> consumed the AG web services using a Java SOAP
>> implementation (you should be able to find
>> information about this in the mailing list archives).
>>
>> Tom
>>
>>
>>
>>
>>
>>
>> On 3/27/08 6:53 PM, Luis Galárraga wrote:
>>> Thanks a lot for your help!!. We understand AG a
>>> little better now :-)
>>>
>>> Another question: we are trying to consume Venue and
>>> VenueServer web services without success. Now, I
>>> understand that as AccessGrid relies on Globus
>>> Toolkit (I have heard about it before, but I
>>> understand it better) we need to construct clients
>>> compatible with it. Using JAX-WS (used by Netbeans
>>> IDE) is not a good idea. Am I in the right way??
>>>
>>> Luis,
>>>
>>> 2008/3/27, Thomas D. Uram <turam at mcs.anl.gov
>>> <mailto:turam at mcs.anl.gov>>:
>>>
>>> Luis:
>>>
>>> See responses inline.
>>>
>>> On 3/14/08 3:24 PM, Luis Galárraga wrote:
>>>> Greetings Tom:
>>>>
>>>> First of all, thanks again for your help, I
>>>> have several questions, this time related to
>>>> server certificates. Do the things we were
>>>> talking about identity certificates apply to
>>>> server certificates?. We have a developer who
>>>> is working in consuming AG server web services
>>>> from a Java Client. He would like to work at
>>>> home, but unfortunately our request for opening
>>>> certain tcp ports was denied because of
>>>> security issues. I told him to run server and
>>>> client in his machine. I had to make a server
>>>> certificate request to be able to run the
>>>> server first time:
>>>> - Is it possible to omit this step?.
>>> The server does require a certificate; this
>>> requirement cannot be avoided.
>>>> - If not, is it possible to create it with a
>>>> tool like openssl. When starting server from
>>>> terminal, it asks for a certificate.
>>> You can build up the required certificate state
>>> completely independent from the Access Grid
>>> Developers CA if you want. In that case, you'll
>>> have to make sure that the CA cert is installed
>>> at both the server and at client machines. And
>>> the CA cert will have to be used to sign the
>>> certificate used to run the server. This is
>>> standard PKI practice, so you should be able to
>>> find sufficient references online. If you have
>>> trouble, please ask.
>>>> - Is there a way of exporting a certificate
>>>> from command line. I have a problem with the
>>>> certificate management tool (it crashes
>>>> unexpectedly. I reported it and there is
>>>> someone working to provide you a better report)
>>>> so I cannot do it through graphical interface.
>>> You can use certmgr.py. In some cases, it will
>>> be called certmgr3.py. After running it, type
>>> 'help' for a list of available commands.
>>>
>>>
>>>>
>>>> Regards,
>>>> Luis
>>>>
>>>>
>>>>
>>>> 2008/3/13, Thomas D. Uram <turam at mcs.anl.gov
>>>> <mailto:turam at mcs.anl.gov>>:
>>>>
>>>> Hi Luis:
>>>>
>>>> There are a few things you need to know in
>>>> this regard:
>>>>
>>>> - By default, AG3 venues do not require
>>>> that clients have a certificate
>>>> to enter. Venues can be optionally
>>>> configured to require a certificate,
>>>> in which case the user must present a
>>>> certificate that satisfies the
>>>> access controls on the venue.
>>>>
>>>> - You can run your own CA and issue your
>>>> own certificates. In that
>>>> case, you'll need to make sure your clients
>>>> have both your CA
>>>> certificate and their personal certificate.
>>>>
>>>> Otherwise, this is general PKI. If you
>>>> have other questions, don't
>>>> hesitate to ask.
>>>>
>>>> Tom
>>>>
>>>>
>>>> On 3/6/08 3:41 PM, Luis Galárraga wrote:
>>>> > Greetings:
>>>> >
>>>> > I am part of a project for developing a
>>>> webinar infrastructure based on
>>>> > Access Grid. After a long discussion in
>>>> which suggestions in this
>>>> > mailing list were strongly considered, we
>>>> have decided to implement a
>>>> > simple client for venues (in servers 3.x)
>>>> using Java Web Start Apps.
>>>> > As you can see, there are many things to
>>>> do, and developers have
>>>> > started by making tests with the soap
>>>> interfaces in our AG server,
>>>> > however they are not clear about
>>>> the concepts behind the
>>>> > authentication process. We know AG uses
>>>> digital certificates for
>>>> > everything: users and services and those
>>>> certificates are generated by
>>>> > AG developers (after a process request).
>>>> Can our developer team
>>>> > generate certificates signed by us or it
>>>> is required your sign?
>>>> > Several people in our university will
>>>> probably use the system so we
>>>> > would like to have the privilege to
>>>> generate the certificates. Could
>>>> > someone explain us in a better way, the
>>>> technical issues behind
>>>> > authentication based on certificates (=
>>>> how you implemented it)?. I
>>>> > hope you can help us.
>>>> >
>>>> > Thanks in advance,
>>>> >
>>>> > Regards,
>>>> > Luis Galárraga
>>>>
>>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mcs.anl.gov/pipermail/ag-dev/attachments/20080402/3e1e1bda/attachment.htm>
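
Added example, not part of the original thread or of the Access Grid code: the private-CA setup described in the replies above (a CA certificate that is installed on the server and client machines and is used to sign the server's certificate), done with the openssl command line. The directory layout, file names, CNs and host name are constructed for illustration; importing the resulting files into Access Grid is not shown.

```shell
#!/bin/sh
# Added example: private CA + server certificate with openssl.
# All names below (directories, CNs, host name) are constructed placeholders.

# make_ca DIR CN: create a CA private key and a self-signed CA certificate.
make_ca() {
    mkdir -p "$1" &&
    ( umask 077 &&   # private keys must not be group/world readable
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
          -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null )
}

# issue_server_cert CA_DIR OUT_DIR HOSTNAME:
# the server generates its own key and CSR; the CA signs only the CSR.
issue_server_cert() {
    mkdir -p "$2" &&
    ( umask 077 &&
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
          -keyout "$2/server.key" -out "$2/server.csr" 2>/dev/null ) &&
    openssl x509 -req -in "$2/server.csr" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$2/server.pem" 2>/dev/null
}

# chain_ok CA_CERT CERT: succeeds only if CERT chains to CA_CERT.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: a client that installed our CA cert accepts the server certificate;
# a client that trusts only some other CA rejects it.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/ca" "Constructed Test CA" &&
    make_ca "$d/other" "Unrelated Test CA" &&
    issue_server_cert "$d/ca" "$d/srv" "venueserver.example.org" ||
        { rm -rf "$d"; return 1; }
    chain_ok "$d/ca/ca.pem" "$d/srv/server.pem" && r1=trusted || r1=untrusted
    chain_ok "$d/other/ca.pem" "$d/srv/server.pem" && r2=trusted || r2=untrusted
    rm -rf "$d"
    echo "$r1 $r2"
}

demo
```

Only `ca.pem` is distributed to clients; `ca.key` stays on the machine that signs certificates, and `server.key` never leaves the server.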