Hi Andy,

yes, that is the env variable I have been setting (see the script I mentioned below). There is something wrong, then, with the way I am doing it, because it does not seem to be working.

i.e.,

> #!/bin/bash
>
> export LD_LIBRARY_PATH="/usr/share/xrootd/xrootd-4.9.0/lib64:$LD_LIBRARY_PATH"
> export XrdSecGSIDELEGPROXY=1
>
> /usr/share/xrootd/xrootd-4.9.0/bin/xrdcp "$@"
>

does not work for me.

thanks, Al

________________________________________________
Albert L. Rossi
Application Developer & Systems Analyst III
Scientific Computing Division, Data Movement Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023

________________________________
From: Andrew Hanushevsky <[log in to unmask]>
Sent: Wednesday, March 6, 2019 8:50 AM
To: Albert Rossi
Cc: xrootd-dev; [log in to unmask]
Subject: Re: activating client delegation

Hi Albert,

This is handled by an envar XrdSecGSIDELEGPROXY and is documented in the security reference

http://xrootd.org/doc/dev49/sec_config.htm

Specifically, in section

http://xrootd.org/doc/dev49/sec_config.htm#_Toc517294107

It is done this way because the client does not have a config file, so it relies on envars to enable specific behaviour.

Andy

On Wed, 6 Mar 2019, Albert Rossi wrote:

> Hello,
>
> What is necessary in order to get the 4.9 xrdcp client to sign proxy requests besides setting the env variable?
>
> I cannot find anything in the documentation that describes this (your GSI document merely mentions the kgsiHandshakeOpts enum that is used internally).
>
> I have looked at
>
> XrdSecprotocolgsi.cc
>
> With respect to the client, here is what I see.
>
> Your extern C initializing function, char *XrdSecProtocolgsiInit, at l. 2557 does:
>
>     cenv = getenv("XrdSecGSIDELEGPROXY");
>     if (cenv)
>        opts.dlgpxy = atoi(cenv);
>
> this function does a tail call on the C++ initializer: char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp)
>
> which in turn, at l. 989, sets up the options for the client:
>
>     // Delegate proxy options
>     if (opt.dlgpxy > 0) {
>        PxyReqOpts |= kOptsSigReq;
>        if (opt.dlgpxy == 2) {
>           PxyReqOpts |= kOptsFwdPxy;
>        } else {
>           PxyReqOpts |= kOptsDlgPxy;
>        }
>     }
>
> So, from the looks of it, all it should take to get the client to sign delegation requests is to set the env var XrdSecGSIDELEGPROXY to 1.
>
> The script I am using to run the 4.9 client has this:
>
> #!/bin/bash
>
> export LD_LIBRARY_PATH="/usr/share/xrootd/xrootd-4.9.0/lib64:$LD_LIBRARY_PATH"
> export XrdSecGSIDELEGPROXY=1
>
> /usr/share/xrootd/xrootd-4.9.0/bin/xrdcp "$@"
>
> and yet, the dCache server/door tells me on the sigpxy step that it has received a kXRS_message bucket with the following:
>
> "client cannot sign request; Not allowed to sign proxy requests."
>
> Is there something else that needs to be done in order to get the client to sign proxy requests?
>
> Thanks, Al
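
Added example, not part of any message in this thread and not XRootD's own code: a stand-alone C harness that combines the two quoted snippets (the `getenv`/`atoi` parsing and the `dlgpxy` branch) to show which values of XrdSecGSIDELEGPROXY end up setting the signing flag. The flag bit values, the default of 0 for an unset variable, and the helper names `dlgpxy_from_value`, `pxy_req_opts` and `opts_for_value` are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Flag bit values are assumed for this example; the thread names the
   flags but does not give their values. */
enum { kOptsDlgPxy = 0x1, kOptsFwdPxy = 0x2, kOptsSigReq = 0x4 };

/* Parsing as in the quoted XrdSecProtocolgsiInit lines. A default of 0
   for dlgpxy when the variable is unset is an assumption. */
int dlgpxy_from_value(const char *cenv)
{
    int dlgpxy = 0;
    if (cenv)
        dlgpxy = atoi(cenv);   /* non-numeric text yields 0, no error */
    return dlgpxy;
}

/* Branch structure as in the quoted XrdSecProtocolgsi::Init lines. */
int pxy_req_opts(int dlgpxy)
{
    int PxyReqOpts = 0;
    if (dlgpxy > 0) {
        PxyReqOpts |= kOptsSigReq;
        if (dlgpxy == 2)
            PxyReqOpts |= kOptsFwdPxy;
        else
            PxyReqOpts |= kOptsDlgPxy;
    }
    return PxyReqOpts;
}

/* Hypothetical helper: flags that a given variable value would produce. */
int opts_for_value(const char *cenv)
{
    return pxy_req_opts(dlgpxy_from_value(cenv));
}

int main(void)
{
    /* Constructed sample values, then the value this process inherited. */
    const char *samples[] = { "1", "2", "3", "0", "", "yes", " 1", "1abc", "-1" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> opts 0x%x, signs requests: %s\n", samples[i],
               opts_for_value(samples[i]),
               (opts_for_value(samples[i]) & kOptsSigReq) ? "yes" : "no");
    const char *live = getenv("XrdSecGSIDELEGPROXY");
    printf("inherited: %s -> opts 0x%x\n", live ? live : "(unset)",
           opts_for_value(live));
    return 0;
}
```

Run from the same shell session that exports the variable, the last output line shows whether the value is actually inherited by a child process.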