Hi Yvan,
There are several reasons:
1. The server or client is pretty old (4.8 and older if I remember correctly). In that case, one side (or both) does not sign the Diffie-Hellman parameters (which are used to establish symmetric encryption keys).
2. The server host name used by the client is a DNS alias that is not in the server host certificate's SAN entries. I forgot whether this will result in a message like "no delegated credentials for tpc", but it is one of the common reasons that fails the credential delegation.
regards,
--
Wei Yang | [log in to unmask] | 650-926-3338(O)
-----Original Message-----
From: <[log in to unmask]> on behalf of <[log in to unmask]>
Date: Friday, May 14, 2021 at 5:05 AM
To: <[log in to unmask]>
Subject: Error message "no delegated credentials for tpc"
Dear XRootD developers,
TPC transfers using Dirac replication actually fail with the error message "no delegated credentials for tpc". I therefore checked the log files on the redirector and the server:
* From the redirector myredirec:
210514 12:24:56 27573 secgsi_ServerDoCert: no signed DH parameters from client:kdf77245.17467:[log in to unmask] : will not delegate x509 proxy to it
210514 12:24:56 27573 secgsiVOMS_Fun: proxy: /C=UK/O=eScience/OU=Oxford/L=OeSC/CN=john doe/CN=zzzzzz/CN=tttttt
210514 12:24:56 27573 secgsiVOMS_Fun: adding cert: /C=UK/O=eScience/OU=Oxford/L=OeSC/CN=john doe/CN=zzzzzz
210514 12:24:56 27573 secgsiVOMS_Fun: adding cert: /C=UK/O=eScience/OU=Oxford/L=OeSC/CN=john doe
210514 12:24:56 27573 secgsiVOMS_Fun: retrieval successful
210514 12:24:56 27573 secgsiVOMS_Fun: found VO: t2k.org
210514 12:24:56 27573 secgsiVOMS_Fun: ---> group: '/t2k.org', role: 'NULL', cap: 'NULL'
210514 12:24:56 27573 secgsiVOMS_Fun: ---> fqan: '/t2k.org/Role=NULL/Capability=NULL'
210514 12:24:56 27573 XrootdXeq: kdf77245.17467:[log in to unmask] pub IP64 login as 19478b73.0
210514 12:24:56 8601 Receive myredirec 24 bytes on 85128180
210514 12:24:56 8601 Decode myredirec redirects kdf77245.17467:[log in to unmask] to myserv.in2p3.fr:1094 /xrootd/in2p3.fr/disk/t2k.org/t2k.org/test/t2kdm
210514 12:24:56 8602 Receive [2001:660:5009:84:134:158:239:108] 24 bytes on 85129204
210514 12:24:56 8602 Decode myredirec redirects kdf77245.17467:[log in to unmask] to myserv.in2p3.fr:1094 /xrootd/in2p3.fr/disk/t2k.org/t2k.org/test/t2kdm/test1.txt
210514 12:24:57 27573 XrootdXeq: kdf77245.17467:[log in to unmask] disc 0:00:01
* From the server myserv:
210514 12:24:56 223744 secgsi_ServerDoCert: no signed DH parameters from client:kdf77245.17467:[log in to unmask] : will not delegate x509 proxy to it
210514 12:24:56 223744 secgsiVOMS_Fun: proxy: /C=UK/O=eScience/OU=Oxford/L=OeSC/CN=john doe/CN=zzzzzz/CN=tttttt
210514 12:24:56 223744 secgsiVOMS_Fun: adding cert: /C=UK/O=eScience/OU=Oxford/L=OeSC/CN=john doe/CN=zzzzzz
210514 12:24:56 223744 secgsiVOMS_Fun: adding cert: /C=UK/O=eScience/OU=Oxford/L=OeSC/CN=john doe
210514 12:24:56 223744 secgsiVOMS_Fun: retrieval successful
210514 12:24:56 223744 secgsiVOMS_Fun: found VO: t2k.org
210514 12:24:56 223744 secgsiVOMS_Fun: ---> group: '/t2k.org', role: 'NULL', cap: 'NULL'
210514 12:24:56 223744 secgsiVOMS_Fun: ---> fqan: '/t2k.org/Role=NULL/Capability=NULL'
210514 12:24:56 223744 XrootdXeq: kdf77245.17467:[log in to unmask] pub IP64 login as 19478b73.0
210514 12:24:56 223744 ofs_TPC: kdf77245.17467:[log in to unmask] Unable to open /xrootd/in2p3.fr/disk/t2k.org/t2k.org/test/t2kdm/test1.txt; no delegated credentials for tpc
210514 12:24:57 223744 XrootdXeq: kdf77245.17467:[log in to unmask] disc 0:00:01
I am not sure what the error message "no signed DH parameters from client:kdf77245.17467:[log in to unmask] : will not delegate x509 proxy to it" means. Is it something wrong on the client side at UK ("kdf77245.17467:[log in to unmask]") and how to solve this problem?
Note that from my side, the redirectors and servers have the following TPC settings:
ofs.tpc fcreds gsi =X509_USER_PROXY ttl 60 70 xfr 20 autorm pgm /usr/share/xrootd/utils/xrdcp-tpc.sh
sec.protocol /usr/lib64 gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/dev/null
with:
$ cat /usr/share/xrootd/utils/xrdcp-tpc.sh
#!/bin/sh
/usr/bin/xrdcp --server -f $1 $2
Last but not least, direct uploads from UK to CC-IN2P3 are working fine for VO T2K.
Thanks for your help,
Yvan
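Added example, not part of the original thread and not XRootD code: a small log correlator that pairs each ofs_TPC "no delegated credentials for tpc" failure with an earlier secgsi_ServerDoCert "no signed DH parameters" refusal for the same client, so an operator can tell the unsigned-DH cause apart from other causes. It assumes the log line layout quoted above; the client ids and paths in SAMPLE are constructed.

```python
import re

# Line layout seen in the thread: "YYMMDD HH:MM:SS <thread-id> <message>"
LINE = re.compile(r"^(\d{6} \d{2}:\d{2}:\d{2}) (\d+) (.*)$")
REFUSED = re.compile(r"secgsi_ServerDoCert: no signed DH parameters from "
                     r"client:(.+?) : will not delegate")
TPC_FAIL = re.compile(r"ofs_TPC: (.+?) Unable to open (\S+); "
                      r"no delegated credentials for tpc")
DISC = re.compile(r"XrootdXeq: (.+?) disc ")

# Constructed sample lines (client ids and paths are made up for illustration).
SAMPLE = [
    "210514 12:24:56 223744 secgsi_ServerDoCert: no signed DH parameters from "
    "client:usera.100:25@client.example : will not delegate x509 proxy to it",
    "210514 12:24:56 223744 XrootdXeq: usera.100:25@client.example pub IP64 login",
    "210514 12:24:56 223744 ofs_TPC: usera.100:25@client.example Unable to open "
    "/data/test1.txt; no delegated credentials for tpc",
    "210514 12:24:57 223744 XrootdXeq: usera.100:25@client.example disc 0:00:01",
    # Second client: TPC fails without a logged DH refusal, so look elsewhere.
    "210514 12:25:10 223745 ofs_TPC: userb.200:26@client.example Unable to open "
    "/data/test2.txt; no delegated credentials for tpc",
]

def correlate(lines):
    """Pair each TPC failure with the prior delegation refusal for that client."""
    refused = {}    # client id -> timestamp of the "will not delegate" line
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line, skip it
        ts, _tid, msg = m.groups()
        if (r := REFUSED.search(msg)):
            refused[r.group(1)] = ts
        elif (t := TPC_FAIL.search(msg)):
            client, path = t.groups()
            findings.append({"client": client, "path": path, "failed_at": ts,
                             "refused_at": refused.get(client)})
        elif (d := DISC.search(msg)):
            refused.pop(d.group(1), None)  # session ended, drop its state
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f)
```

A finding with refused_at set points at the unsigned DH parameters (reason 1 in the reply); refused_at of None means the delegation was not refused for that reason in this log.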
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
########################################################################