[Swift-user] ProxyPathValidatorException: No relevant signing policy for CA

Thomas Uram turam at mcs.anl.gov
Tue Jan 31 17:22:52 CST 2012


I'm encountering the following running on PADS via coaster/ssh:pbs, running on various CI machines, including login1.pads.ci.uchicago.edu itself. As another datapoint, gsissh works to login1.pads.ci.uchicago.edu using this proxy certificate; I would guess gsissh would be validating the signing policy, too.

Authentication failed. Caused by Defective credential detected. Caused by org.globus.gsi.proxy.ProxyPathValidatorException: No relevant signing policy for CA "/DC=edu/DC=uchicago/DC=ci/OU=myproxy/CN=grid.ci.uchicago.edu/E=support at ci.uchicago.edu" in file "/etc/grid-security/certificates/de4bc9f5.signing_policy"
    at org.globus.gsi.proxy.ProxyPathValidator.checkSigningPolicy(ProxyPathValidator.java:978)
    at org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:555)
    at org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:354)
    at org.globus.gsi.gssapi.GlobusGSSContextImpl$GSSProxyPathValidator.validate(GlobusGSSContextImpl.java:695)
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.verifyChain(GlobusGSSContextImpl.java:731)
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.acceptSecContext(GlobusGSSContextImpl.java:325)
    at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:129)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:147)
    at org.globus.gsi.gssapi.net.GssSocket.getInputStream(GssSocket.java:177)
    at org.globus.cog.karajan.workflow.service.channels.AbstractTCPChannel.setSocket(AbstractTCPChannel.java:41)
    at org.globus.cog.karajan.workflow.service.channels.GSSChannel.<init>(GSSChannel.java:46)
    at org.globus.cog.karajan.workflow.service.ConnectionHandler.<init>(ConnectionHandler.java:44)
    at org.globus.cog.abstraction.coaster.service.local.LocalService.handleConnection(LocalService.java:71)
    at org.globus.net.BaseServer.run(BaseServer.java:247)
    at java.lang.Thread.run(Thread.java:662)


*** signing policy file 

cat /etc/grid-security/certificates/de4bc9f5.signing_policy
# Computation Institute MyProxy Certificate Authority Signing Policy
# generated by gx-ca-update (gx-map 0.5.3.3)
# See also <http://www.ci.uchicago.edu/de4bc9f5.signing_policy>

access_id_CA   X509    '/DC=edu/DC=uchicago/DC=ci/OU=myproxy/CN=grid.ci.uchicago.edu/emailAddress=support at ci.uchicago.edu'
pos_rights     globus  CA:sign
cond_subjects  globus  '/DC=edu/DC=uchicago/DC=ci/*'

*** sites.xml

<config>
<pool handle="Bugaboo">
  <execution jobmanager="ssh:pbs" provider="coaster" url="login1.pads.ci.uchicago.edu"/>
  <filesystem provider="local" url="none" />
  <profile namespace="globus" key="maxWallTime">2</profile>
  <profile namespace="globus" key="maxTime">300</profile>
  <profile key="jobsPerNode" namespace="globus">1</profile>
  <profile key="slots" namespace="globus">1</profile>
  <profile key="nodeGranularity" namespace="globus">1</profile>
  <profile key="maxNodes" namespace="globus">1</profile>
  <profile key="queue" namespace="globus">fast</profile>
  <profile key="jobThrottle" namespace="karajan">5.99</profile>
  <profile key="initialScore" namespace="karajan">10000</profile>
  <workdirectory>/home/turam/tmp</workdirectory>
</pool>
</config>
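
Added example, not part of the original post and not Globus code: the error names the CA with `E=` while the policy file's `access_id_CA` line spells that attribute `emailAddress=`, so this sketch parses the policy text and looks the CA up both literally and after folding the attribute aliases. Assumptions: the alias mismatch being the cause of the failure, the alias set, the hypothetical function names, and treating `cond_subjects` patterns as shell-style globs.

```python
import fnmatch
import re

# Constructed sample: policy lines and the CA name from the error, copied from the post.
POLICY = """\
access_id_CA   X509    '/DC=edu/DC=uchicago/DC=ci/OU=myproxy/CN=grid.ci.uchicago.edu/emailAddress=support at ci.uchicago.edu'
pos_rights     globus  CA:sign
cond_subjects  globus  '/DC=edu/DC=uchicago/DC=ci/*'
"""
ERROR_CA = "/DC=edu/DC=uchicago/DC=ci/OU=myproxy/CN=grid.ci.uchicago.edu/E=support at ci.uchicago.edu"

# Names different toolkits print for the emailAddress attribute (assumed alias set).
EMAIL_ALIASES = {"e", "email", "emailaddress"}

def normalize_dn(dn):
    """Fold attribute-name case and emailAddress aliases; values stay as-is."""
    pairs = (rdn.partition("=") for rdn in dn.strip("/").split("/"))
    return [("emailaddress" if k.lower() in EMAIL_ALIASES else k.lower(), v)
            for k, _, v in pairs]

def parse_policy(text):
    """Return a list of {'ca', 'rights', 'subjects'} entries from policy text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _type, rest = line.split(None, 2)
        if kind == "access_id_CA":
            entries.append({"ca": rest.strip("'\""), "rights": [], "subjects": []})
        elif kind == "pos_rights" and entries:
            entries[-1]["rights"].append(rest)
        elif kind == "cond_subjects" and entries:
            inner = rest.strip("'")
            entries[-1]["subjects"] += re.findall(r'"([^"]+)"', inner) or [inner]
    return entries

def find_policy(entries, ca_dn, normalize):
    """Return the entry whose access_id_CA names ca_dn, or None."""
    key = normalize_dn if normalize else (lambda d: d)
    return next((e for e in entries if key(e["ca"]) == key(ca_dn)), None)

def subject_allowed(entry, subject):
    """Check a subject DN against cond_subjects (glob matching is an approximation)."""
    return any(fnmatch.fnmatchcase(subject, pat) for pat in entry["subjects"])

if __name__ == "__main__":
    for mode in (False, True):
        hit = find_policy(parse_policy(POLICY), ERROR_CA, mode)
        print("normalized" if mode else "literal", "match:", hit is not None)
```

The literal lookup finds no entry for the `E=` form of the name, while the normalized lookup finds the single entry in the file.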



