[AG-DEV] Identity certificates

Luis Galárraga lgalarra at fiec.espol.edu.ec
Fri Mar 28 16:35:52 CDT 2008


It looks like there is a problem with WSDL, as I get the following error
when using WSDL2Java, the tool that comes with the Axis distribution. I am using
the file obtained by requesting
https://proyectossw.espol.edu.ec:8000/Venues/default?WSDL
The server is using AccessGrid 3.1.

$ ./wsdl2java.sh -uri Venue.wsdl
 Using AXIS2_HOME: /home/luis/Desktop/axis2-1.3
 Using JAVA_HOME:       /usr/lib/jvm/java-6-sun-1.6.0.03/
Exception in thread "main" org.apache.axis2.wsdl.codegen.CodeGenerationException: Error parsing WSDL
        at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:150)
        at org.apache.axis2.wsdl.WSDL2Code.main(WSDL2Code.java:35)
        at org.apache.axis2.wsdl.WSDL2Java.main(WSDL2Java.java:24)
Caused by: javax.wsdl.WSDLException: WSDLException (at /definitions/types): faultCode=INVALID_WSDL: Encountered illegal extension attribute 'targetNamespace'. Extension attributes must be in a namespace other than WSDL's.
        at com.ibm.wsdl.xml.WSDLReaderImpl.parseExtensibilityAttributes(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.parseTypes(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.parseDefinitions(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.readInTheWSDLFile(CodeGenerationEngine.java:286)
        at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:105)
        ... 2 more

Regards,
Luis

2008/3/28, Thomas D. Uram <turam at mcs.anl.gov>:
>
>  AG2 did rely on the Globus toolkit.
>
> AG3 does not rely on the Globus toolkit.  We are using Doc-Lit SOAP via
> Python ZSI (pywebsvcs.sourceforge.net).  You should be able to consume
> these services using other-language SOAP implementations.  If not, something
> is wrong with our WSDL, ZSI, or your other-language SOAP implementation.
> I'll follow up on your other mail regarding the error message you're
> getting.
>
> For what it's worth, I know other people have consumed the AG web services
> using a Java SOAP implementation (you should be able to find information
> about this in the mailing list archives).
>
> Tom
>
>
>
>
>
> On 3/27/08 6:53 PM, Luis Galárraga wrote:
>
> Thanks a lot for your help!! We understand AG a little better now :-)
>
> Another question: we are trying to consume Venue and VenueServer web
> services without success. Now, I understand that as AccessGrid relies on
> Globus Toolkit (I have heard about it before, but I understand it better) we
> need to construct clients compatible with it. Using JAX-WS (used by Netbeans
> IDE) is not a good idea. Am I in the right way??
>
> Luis,
>
> 2008/3/27, Thomas D. Uram <turam at mcs.anl.gov>:
> >
> > Luis:
> >
> > See responses inline.
> >
> > On 3/14/08 3:24 PM, Luis Galárraga wrote:
> >
> > Greetings Tom:
> >
> > First of all, thanks again for your help. I have several questions, this
> > time related to server certificates. Do the things we were talking about
> > for identity certificates apply to server certificates? We have a developer
> > who is working on consuming AG server web services from a Java client. He
> > would like to work at home, but unfortunately our request for opening
> > certain TCP ports was denied because of security issues. I told him to run
> > the server and client on his machine. I had to make a server certificate
> > request to be able to run the server the first time:
> > - Is it possible to omit this step?
> >
> > The server does require a certificate; this requirement cannot be
> > avoided.
> >
> > - If not, is it possible to create it with a tool like openssl? When
> > starting the server from the terminal, it asks for a certificate.
> >
> > You can build up the required certificate state completely independent
> > from the Access Grid Developers CA if you want.  In that case, you'll have
> > to make sure that the CA cert is installed at both the server and at client
> > machines.  And the CA cert will have to be used to sign the certificate used
> > to run the server.  This is standard PKI practice, so you should be able to
> > find sufficient references online.  If you have trouble, please ask.
> >
> > - Is there a way of exporting a certificate from the command line? I have
> > a problem with the certificate management tool (it crashes unexpectedly. I
> > reported it and there is someone working to provide you a better report) so
> > I cannot do it through the graphical interface.
> >
> > You can use certmgr.py.  In some cases, it will be called certmgr3.py.
> > After running it, type 'help' for a list of available commands.
> >
> >
> > Regards,
> > Luis
> >
> >
> >
> > 2008/3/13, Thomas D. Uram <turam at mcs.anl.gov>:
> > >
> > > Hi Luis:
> > >
> > > There are a few things you need to know in this regard:
> > >
> > > - By default, AG3 venues do not require that clients have a certificate
> > > to enter.  Venues can be optionally configured to require a certificate,
> > > in which case the user must present a certificate that satisfies the
> > > access controls on the venue.
> > >
> > > - You can run your own CA and issue your own certificates.  In that
> > > case, you'll need to make sure your clients have both your CA
> > > certificate and their personal certificate.
> > >
> > > Otherwise, this is general PKI.  If you have other questions, don't
> > > hesitate to ask.
> > >
> > > Tom
> > >
> > >
> > > On 3/6/08 3:41 PM, Luis Galárraga wrote:
> > > > Greetings:
> > > >
> > > > I am part of a project for developing a webinar infrastructure based on
> > > > Access Grid. After a long discussion in which suggestions in this
> > > > mailing list were strongly considered, we have decided to implement a
> > > > simple client for venues (in servers 3.x) using Java Web Start Apps.
> > > > As you can see, there are many things to do, and developers have
> > > > started by making tests with the SOAP interfaces in our AG server;
> > > > however, they are not clear about the concepts behind the
> > > > authentication process. We know AG uses digital certificates for
> > > > everything: users and services, and those certificates are generated by
> > > > AG developers (after a process request). Can our developer team
> > > > generate certificates signed by us, or is your signature required?
> > > > Several people in our university will probably use the system, so we
> > > > would like to have the privilege to generate the certificates. Could
> > > > someone explain to us, in a better way, the technical issues behind
> > > > authentication based on certificates (= how you implemented it)? I
> > > > hope you can help us.
> > > >
> > > > Thanks in advance,
> > > >
> > > > Regards,
> > > > Luis Galárraga
> > >
> >
> >
>
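
Added example (not part of the original message, and not code from the AccessGrid, ZSI or Axis2 projects): the WSDLException at the top of this message rejects an unqualified 'targetNamespace' attribute at /definitions/types. The Python check below applies that rule to a whole WSDL document so the offending elements can be located before running WSDL2Java; the NATIVE_ATTRS table, the function names and the sample WSDL are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Unqualified attributes that WSDL 1.1 defines on its own elements (an
# assumption: transcribed from the WSDL 1.1 spec, not from wsdl4j's source).
NATIVE_ATTRS = {
    "definitions": {"name", "targetNamespace"}, "import": {"namespace", "location"},
    "types": set(), "documentation": set(),
    "message": {"name"}, "portType": {"name"}, "service": {"name"},
    "part": {"name", "type", "element"},
    "operation": {"name", "parameterOrder"},
    "input": {"name", "message"}, "output": {"name", "message"},
    "fault": {"name", "message"}, "binding": {"name", "type"}, "port": {"name", "binding"},
}

# Constructed sample reproducing the reported shape: targetNamespace on <types>.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    name="Venue" targetNamespace="urn:example:venue">
  <types targetNamespace="urn:example:venue">
    <xsd:schema targetNamespace="urn:example:venue"/>
  </types>
  <message name="EnterRequest"/>
</definitions>"""

def split_qname(qname):
    """'{ns}local' -> (ns, local); unqualified names get ns None."""
    ns, _, local = qname.rpartition("}")
    return (ns[1:] or None, local)

def illegal_attributes(wsdl_text):
    """Return (path, attribute) pairs a strict WSDL 1.1 reader would reject."""
    findings = []
    def walk(elem, path):
        ns, local = split_qname(elem.tag)
        if ns != WSDL_NS:
            return  # extension element such as xsd:schema: its own rules apply
        here = f"{path}/{local}"
        allowed = NATIVE_ATTRS.get(local, set())
        for attr in elem.attrib:
            attr_ns, attr_local = split_qname(attr)
            if attr_ns in (None, WSDL_NS) and attr_local not in allowed:
                findings.append((here, attr_local))
        for child in elem:
            walk(child, here)
    # For a WSDL fetched from a remote server, use a hardened parser (e.g. defusedxml).
    walk(ET.fromstring(wsdl_text), "")
    return findings
```

Calling illegal_attributes(SAMPLE_WSDL) reports the attribute on <types> while leaving the same attribute on <definitions> and on the embedded xsd:schema alone, since those are legal there.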