Hi Oliver,

Thank you for the prompt reply and for showing a solution which will work for us for now.

Dmitry

________________________________________
From: Oliver Freyermuth
Sent: Thursday, May 17, 2018 1:34 PM
To: Dmitry O Litvintsev
Cc: Peter Wienemann
Subject: Re: GSI xrootd and TPC

Hi,

until proxy delegation is implemented upstream, we are solving proxy generation with a script instead of xrdcp, i.e. we have the following in xrootd.cfg:

ofs.tpc autorm scan all ttl 180 1800 pgm /usr/local/bin/xrdcp-voms --server

The script is the following:
--------------------------------------------------
#!/bin/bash
if [ -e "/etc/grid-security/robotcert.pem" ]; then
    export X509_USER_CERT=/etc/grid-security/robotcert.pem
    export X509_USER_KEY=/etc/grid-security/robotkey.pem
    voms-proxy-info -exists > /dev/null 2>&1
    if [ $? -eq 1 ]; then
        voms-proxy-init -voms atlas
    fi
    export X509_USER_PROXY=$(voms-proxy-info -path)
fi

/usr/bin/xrdcp -v -d 3 "$@"

# Fixup permissions, allow everybody to read.
# This obscure syntax is a bashism to get the last argument:
transfered_file="${@: -1}"
if [ -f "${transfered_file}" ]; then
    chmod go+r "${transfered_file}"
fi
--------------------------------------------------

However, as you can see, we are using a robot certificate here, *not* the host certificate. This is needed since for us the certificate needs to be registered in the ATLAS VO, to get a VOMS proxy for authentication against other servers. For this, we have requested a robot certificate and registered it in the VO.

Maybe something similar will also help in your case?

Cheers,
Oliver

On 17.05.2018 at 20:06, Dmitry O Litvintsev wrote:
> Hello,
>
> We have set up two GSI authenticated XRootD servers. I can read/write to any of them.
>
> When I tried 3rd-party transfers (TPC) I had to specify these variables:
>
> in StartXRD.cf :
>
> export X509_USER_CERT=/etc/grid-security/xrootd/hostcert.pem
> export X509_USER_KEY=/etc/grid-security/xrootd/hostkey.pem
> export X509_USER_PROXY=/tmp/x509up_u498
>
> Unfortunately I have to have some external process renewing the proxy b/c the client, when invoked by the server to perform TPC, would not create a proxy (from the cert/key pair). I get:
>
> TPC job 8: 180517 11:46:47 6099 secgsi_InitProxy: Not a tty: cannot prompt for proxies - do nothing
> TPC job 8: 180517 11:46:47 6099 secgsi_QueryProxy: problems initializing proxy via external shell
>
> Apparently a system call to "grid-proxy-init" is protected against non-tty invocation.
> (based on my reading of https://github.com/xrootd/xrootd/blob/master/src/XrdSecgsi/XrdSecProtocolgsi.cc)
>
> This seems awkward. I wonder, am I missing something in my setup?
>
> Thank you,
> Dmitry
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>

--
Oliver Freyermuth
Universität Bonn
Physikalisches Institut, Raum 1.047
Nußallee 12
53115 Bonn
--
Tel.: +49 228 73 2367
Fax:  +49 228 73 7869
--
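
Added example, not part of the thread and not Oliver's script: a variant of the wrapper quoted above that renews the proxy when less than a set lifetime remains (so a transfer does not start on a proxy about to expire), refuses a robot key that has any group or other permission bits, and passes on xrdcp's exit status. The paths and the `atlas` VO are the ones from the thread; the `MIN_LEFT` threshold and the `PROXY_INFO_CMD`/`PROXY_INIT_CMD` override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script from the thread. Paths and the "atlas" VO
# come from the thread; MIN_LEFT and the *_CMD overrides are assumptions.
ROBOT_CERT=${ROBOT_CERT:-/etc/grid-security/robotcert.pem}
ROBOT_KEY=${ROBOT_KEY:-/etc/grid-security/robotkey.pem}
MIN_LEFT=${MIN_LEFT:-0:30}              # H:M the proxy must still be valid for
PROXY_INFO_CMD=${PROXY_INFO_CMD:-voms-proxy-info}
PROXY_INIT_CMD=${PROXY_INIT_CMD:-voms-proxy-init}

# True only for a regular file with no group/other permission bits set.
key_is_private() {
    case "$(ls -ldL "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# True if there is no proxy or it expires within MIN_LEFT.
proxy_needs_renewal() {
    ! "$PROXY_INFO_CMD" -exists -valid "$MIN_LEFT" >/dev/null 2>&1
}

# Set up X509_* for xrdcp without any prompt (the TPC job has no tty).
# Returns 2 for an exposed key, 3 if the proxy could not be created.
prepare_proxy() {
    [ -e "$ROBOT_CERT" ] || return 0    # no robot cert: behave like plain xrdcp
    key_is_private "$ROBOT_KEY" ||
        { echo "refusing $ROBOT_KEY: group/other permission bits set" >&2; return 2; }
    export X509_USER_CERT="$ROBOT_CERT" X509_USER_KEY="$ROBOT_KEY"
    if proxy_needs_renewal; then
        "$PROXY_INIT_CMD" -voms atlas >/dev/null || return 3
    fi
    X509_USER_PROXY=$("$PROXY_INFO_CMD" -path) && export X509_USER_PROXY
}

main() {
    prepare_proxy || exit $?
    /usr/bin/xrdcp -v -d 3 "$@" || exit $?      # report a failed copy to xrootd
    for last in "$@"; do :; done                # POSIX way to get the last argument
    if [ -f "$last" ]; then chmod go+r "$last"; fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```
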