[Swift-user] ProxyPathValidatorException: No relevant signing policy for CA

Michael Wilde wilde at mcs.anl.gov
Tue Jan 31 17:29:34 CST 2012


Tom, just a quick thing to try (as I can't look into this more thoughtfully at the moment):

On various CI settings I've had to use more recent CA signing policy files.

Can you try doing this setup to get those in your environment?

  source /opt/osg/setup.sh

This package is installed, I think, on bridled and communicado.
Can you try from one of those hosts to PADS after sourcing that setup.sh?

Also make sure you are not manually setting X509_CERT_DIR or X509_CADIR to point to some out-of-date CA files.

- Mike


----- Original Message -----
> From: "Thomas Uram" <turam at mcs.anl.gov>
> To: "swift user" <swift-user at ci.uchicago.edu>
> Sent: Tuesday, January 31, 2012 5:22:52 PM
> Subject: [Swift-user] ProxyPathValidatorException: No relevant signing policy for CA
> I'm encountering the following running on PADS via coaster/ssh:pbs,
> running on various CI machines, including login1.pads.ci.uchicago.edu
> itself. As another datapoint, gsissh works to
> login1.pads.ci.uchicago.edu using this proxy certificate; I would
> guess gsissh would be validating the signing policy, too.
> 
> Authentication failed. Caused by Defective credential detected. Caused
> by org.globus.gsi.proxy.ProxyPathValidatorException: No relevant
> signing policy for CA
> "/DC=edu/DC=uchicago/DC=ci/OU=myproxy/CN=grid.ci.uchicago.edu/E=support at ci.uchicago.edu"
> in file "/etc/grid-security/certificates/de4bc9f5.signing_policy"
> at org.globus.gsi.proxy.ProxyPathValidator.checkSigningPolicy(ProxyPathValidator.java:978)
> at org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:555)
> at org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:354)
> at org.globus.gsi.gssapi.GlobusGSSContextImpl$GSSProxyPathValidator.validate(GlobusGSSContextImpl.java:695)
> at org.globus.gsi.gssapi.GlobusGSSContextImpl.verifyChain(GlobusGSSContextImpl.java:731)
> at org.globus.gsi.gssapi.GlobusGSSContextImpl.acceptSecContext(GlobusGSSContextImpl.java:325)
> at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:129)
> at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:147)
> at org.globus.gsi.gssapi.net.GssSocket.getInputStream(GssSocket.java:177)
> at org.globus.cog.karajan.workflow.service.channels.AbstractTCPChannel.setSocket(AbstractTCPChannel.java:41)
> at org.globus.cog.karajan.workflow.service.channels.GSSChannel.<init>(GSSChannel.java:46)
> at org.globus.cog.karajan.workflow.service.ConnectionHandler.<init>(ConnectionHandler.java:44)
> at org.globus.cog.abstraction.coaster.service.local.LocalService.handleConnection(LocalService.java:71)
> at org.globus.net.BaseServer.run(BaseServer.java:247)
> at java.lang.Thread.run(Thread.java:662)
> 
> 
> *** signing policy file
> 
> cat /etc/grid-security/certificates/de4bc9f5.signing_policy
> # Computation Institute MyProxy Certificate Authority Signing Policy
> # generated by gx-ca-update (gx-map 0.5.3.3)
> # See also <http://www.ci.uchicago.edu/de4bc9f5.signing_policy>
> 
> access_id_CA X509
> '/DC=edu/DC=uchicago/DC=ci/OU=myproxy/CN=grid.ci.uchicago.edu/emailAddress=support at ci.uchicago.edu'
> pos_rights globus CA:sign
> cond_subjects globus '/DC=edu/DC=uchicago/DC=ci/*'
> 
> *** sites.xml
> 
> <config>
> <pool handle="Bugaboo">
> <execution jobmanager="ssh:pbs" provider="coaster"
> url="login1.pads.ci.uchicago.edu"/>
> <filesystem provider="local" url="none" />
> <profile namespace="globus" key="maxWallTime">2</profile>
> <profile namespace="globus" key="maxTime">300</profile>
> <profile key="jobsPerNode" namespace="globus">1</profile>
> <profile key="slots" namespace="globus">1</profile>
> <profile key="nodeGranularity" namespace="globus">1</profile>
> <profile key="maxNodes" namespace="globus">1</profile>
> <profile key="queue" namespace="globus">fast</profile>
> <profile key="jobThrottle" namespace="karajan">5.99</profile>
> <profile key="initialScore" namespace="karajan">10000</profile>
> <workdirectory>/home/turam/tmp</workdirectory>
> </pool>
> </config>

-- 
Michael Wilde
Computation Institute, University of Chicago
Mathematics and Computer Science Division
Argonne National Laboratory
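
An added example, not code from this thread or from Globus: a Python check that parses a signing_policy file and reports whether a CA DN matches an access_id_CA entry exactly, or only once E= and emailAddress= are treated as the same attribute. That equivalence and the "*" handling for cond_subjects are assumptions of this example; the policy text and DN are copied from the quoted message as the archive shows them, and the function names are hypothetical.

```python
import re
import shlex

# Copied from the quoted message (the list archive writes "@" as " at ").
POLICY = """\
# Computation Institute MyProxy Certificate Authority Signing Policy
access_id_CA X509
'/DC=edu/DC=uchicago/DC=ci/OU=myproxy/CN=grid.ci.uchicago.edu/emailAddress=support at ci.uchicago.edu'
pos_rights globus CA:sign
cond_subjects globus '/DC=edu/DC=uchicago/DC=ci/*'
"""
ERROR_DN = ("/DC=edu/DC=uchicago/DC=ci/OU=myproxy/CN=grid.ci.uchicago.edu"
            "/E=support at ci.uchicago.edu")


def parse_policy(text):
    """Return [{'ca': dn, 'subjects': [patterns]}] from signing_policy text."""
    # Every statement is "keyword type value"; shlex drops '#' comments and
    # keeps a quoted DN as one token even when it is wrapped onto its own line.
    tokens = shlex.split(text, comments=True)
    entries = []
    for key, _kind, value in zip(*[iter(tokens)] * 3):  # walk tokens in threes
        if key == "access_id_CA":
            entries.append({"ca": value, "subjects": []})
        elif key == "cond_subjects" and entries:
            # A value may hold several double-quoted patterns or a single bare one.
            pats = shlex.split(value) if '"' in value else [value]
            entries[-1]["subjects"] += pats
    return entries


def _norm(dn):
    # Assumption: E= and Email= are alternative spellings of emailAddress=.
    return re.sub(r"/(E|Email)=", "/emailAddress=", dn)


def find_ca(entries, ca_dn):
    """Return (match_kind, entry): 'exact', 'email-attribute-spelling' or 'none'."""
    for entry in entries:
        if entry["ca"] == ca_dn:
            return "exact", entry
    for entry in entries:
        if _norm(entry["ca"]) == _norm(ca_dn):
            return "email-attribute-spelling", entry
    return "none", None


def subject_allowed(entry, subject_dn):
    """True if subject_dn matches a cond_subjects pattern ('*' is the only wildcard)."""
    return any(re.fullmatch(".*".join(map(re.escape, pat.split("*"))), subject_dn)
               for pat in entry["subjects"])
```

Run against the file under whichever directory X509_CERT_DIR actually resolves to, a result of "email-attribute-spelling" or "none" shows that a byte-for-byte comparison of the CA DN against access_id_CA would not find an entry.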



