Hi Albert,

This is handled by an envar XrdSecGSIDELEGPROXY and is documented in the
security reference
https://urldefense.proofpoint.com/v2/url?u=http-3A__xrootd.org_doc_dev49_sec-5Fconfig.htm&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=Si51LbJlKCEyx2WfKgPV8W0xh3B-16Xj5Mr6yV2RSAY&s=Hc0rm9dtHt1Ayif3JHCgkTFwgTRXRG4ZPfmxfZptGm4&e=

Specifically, in section
https://urldefense.proofpoint.com/v2/url?u=http-3A__xrootd.org_doc_dev49_sec-5Fconfig.htm-23-5FToc517294107&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=Si51LbJlKCEyx2WfKgPV8W0xh3B-16Xj5Mr6yV2RSAY&s=ToMmFfGRbGkTb02agcNUN2GeJD9cXHKonGBxfRPXmDw&e=

It is done this way because the client does not have a config file, so it
relies on envars to enable specific behaviour.

Andy

On Wed, 6 Mar 2019, Albert Rossi wrote:

> Hello,
>
>
> What is necessary in order to get the 4.9 xrdcp client to sign proxy requests besides setting the env variable?
>
>
> I cannot find anything in the documentation that describes this (your GSI document merely mentions the kgsiHandshakeOpts enum that is used internally).
>
>
> I have looked at
>
>
> XrdSecprotocolgsi.cc
>
>
> With respect to the client, here is what I see.
>
>
> Your extern C initializing function, char *XrdSecProtocolgsiInit, at l. 2557 does:
>
>
> cenv = getenv("XrdSecGSIDELEGPROXY");
> if (cenv)
>         opts.dlgpxy = atoi(cenv);
>
> this function does a tail call on the C++ initializer:  char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp)
>
> which in turn, at l. 989, sets up the options for the client:
>
>      // Delegate proxy options
>      if (opt.dlgpxy > 0) {
>         PxyReqOpts |= kOptsSigReq;
>         if (opt.dlgpxy == 2) {
>            PxyReqOpts |= kOptsFwdPxy;
>         } else {
>            PxyReqOpts |= kOptsDlgPxy;
>         }
>      }
>
>
> So, from the looks of it, all it should take to get the client to sign delegation requests is to set the env var XrdSecGSIDELEGPROXY to 1.
>
>
> The script I am using to run the 4.9 client has this:
>
>
> #!/bin/bash
>
> export LD_LIBRARY_PATH="/usr/share/xrootd/xrootd-4.9.0/lib64:$LD_LIBRARY_PATH"
> export XrdSecGSIDELEGPROXY=1
>
> /usr/share/xrootd/xrootd-4.9.0/bin/xrdcp $@
>
>
>
> and yet, the dCache server/door tells me on the sigpxy step that it has received a kXRS_message bucket with the following:
>
>
> "client cannot sign request; Not allowed to sign proxy requests."
>
>
> Is there something else that needs to be done in order to get the client to sign proxy requests?
>
>
> Thanks, Al
>
>
> ________________________________________________
> Albert L. Rossi
> Application Developer & Systems Analyst III
> Scientific Computing Division, Data Movement Development
> FCC 229A
> Mail Station 369 (FCC 2W)
> Fermi National Accelerator Laboratory
> Batavia, IL 60510
> (630) 840-3023
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-DEV list, click the following link:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__listserv.slac.stanford.edu_cgi-2Dbin_wa-3FSUBED1-3DXROOTD-2DDEV-26A-3D1&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=Si51LbJlKCEyx2WfKgPV8W0xh3B-16Xj5Mr6yV2RSAY&s=7Swm5XvoFU7BM2FilUQyaUIPVWPb03Lmr-k631NqojQ&e=
>