Thank you so much, Wei! I will try these out tomorrow.

-Al
________________________________________________
Albert L. Rossi
Application Developer & Systems Analyst III
Scientific Computing Division, Data Movement Development
FCC 229A Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023

________________________________
From: Yang, Wei <[log in to unmask]>
Sent: Monday, March 11, 2019 3:07 PM
To: Albert Rossi; xrootd-l
Subject: Re: setting up server for delegation

Hi Albert,

These are the relevant lines I have:

    ofs.tpc oids fcreds ?gsi =X509_USER_PROXY autorm ttl 60 70 xfr 20 pgm /etc/xrootd/xrdcp-tpc.sh
    xrootd.seclib /opt/xrootd/libXrdSec.so
    sec.protparm gsi -vomsfun:/opt/xrootd/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|vos=atlas,cms,dteam|grps=/atlas,/cms,/dteam|grpopt=10|dbg
    sec.protocol /opt/xrootd gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/dev/null

(I have to specify the path /opt/xrootd because I used the binary that I compiled from source).

In the last line, do not trust what you cut-and-paste from the xrootd.org doc. One of those is a dash-like thing but not a dash (I guess it came from MS Office to HTML conversion).

Also, I used a script for TPC so that I can see what is going on when the destination runs TPC.

BTW, you don't have to use libXrdSecgsiVOMS.so.

regards,
--
Wei Yang | [log in to unmask] | 650-926-3338(O)

From: Albert Rossi <[log in to unmask]>
Date: Monday, March 11, 2019 at 12:51 PM
To: Wei Yang <[log in to unmask]>, xrootd-l <[log in to unmask]>
Subject: Re: setting up server for delegation

Hi Wei,

Ah, OK. So is there anything else that needs to be configured when using that option? For instance, what should

    authzpxy:opt
        Defines if and how the user proxy information is exported in the XrdSecEntity for authorization.
        Options are entered in the form opt = what * 10 + where, with what possibly taking the following values:
            0  full proxy chain (CA, certificate, proxies)
            1  last user proxy only
        and where:
            1  in the XrdSecEntity.creds field
            2  in the XrdSecEntity.endorsements field
        Default is 0, i.e. no export.

be set to ... 1?

Thanks,
Al

________________________________
From: Yang, Wei <[log in to unmask]>
Sent: Monday, March 11, 2019 2:47 PM
To: Albert Rossi; xrootd-l
Subject: Re: setting up server for delegation

Hi Albert,

I never tried using -exppxy:/tmp/x509up_u<uid>. I don't know if this has been verified. In most cases, we use =creds instead of /tmp/...

regards,
Wei

From: <[log in to unmask]> on behalf of Albert Rossi <[log in to unmask]>
Date: Monday, March 11, 2019 at 7:52 AM
To: xrootd-l <[log in to unmask]>
Subject: setting up server for delegation

I am having a little difficulty getting tpc proxy delegation to work between the xrdcp client and two xrootd servers. I have the 4.9 client running on my desktop, and two 4.9 servers running on a testbed machine, one on the default port 1094 and one on port 1095.

In the client environment, export XrdSecGSIDELEGPROXY=1 is set (I also set it on the server side, though it should not be necessary there).

In the server configs:

    sec.protocol gsi -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -dlgpxy:2 -exppxy:/tmp/x509up_u<uid>

This does not seem to be either correct or sufficient. Doing

    xrdcp49 --tpc only root://fndcatemp2.fnal.gov:1094//data/xrootdfs/testdata root://fndcatemp2.fnal.gov:1095//data/xrootdfs/testdata-from-fndcatemp1-`date | tr ' ' '.'`

ends with:

    Run: [ERROR] Server responded with an error: [3005] [FATAL] Auth failed

What I see at the beginning of the server logs in this case:

    secgsi_InitOpts: Proxy delegation option: 0

The tpc transfer between the two servers fails because there is no proxy found:

    TPC job 8: 190311 09:07:15 30920 cryptossl_X509ParseFile: unable to open file (errno: 2)
    TPC job 8: 190311 09:07:15 30920 secgsi_QueryProxy: proxy files must have at least two certificates (found: 0)
    TPC job 8: 190311 09:07:15 30920 secgsi_InitProxy: Not a tty: cannot prompt for proxies - do nothing
    TPC job 8: 190311 09:07:15 30920 secgsi_QueryProxy: problems initializing proxy via external shell
    TPC job 8: 190311 09:07:15 30920 secgsi_getCredentials: error getting user proxies CF: 0x7f5fb4362940
    TPC job 8: secgsi: error getting user proxies

I also tried this with:

    sec.protocol gsi -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -dlgpxy:1

There I see at the beginning of the server log

    secgsi_InitOpts: Proxy delegation option: 1

but with precisely the same error on the destination side:

    TPC job 8: 190311 09:40:46 20495 cryptossl_X509ParseFile: unable to open file (errno: 2)
    TPC job 8: 190311 09:40:46 20495 secgsi_QueryProxy: proxy files must have at least two certificates (found: 0)
    TPC job 8: 190311 09:40:46 20495 secgsi_InitProxy: Not a tty: cannot prompt for proxies - do nothing
    TPC job 8: 190311 09:40:46 20495 secgsi_QueryProxy: problems initializing proxy via external shell
    TPC job 8: 190311 09:40:46 20495 secgsi_getCredentials: error getting user proxies CF: 0x7fcbbede2940
    TPC job 8: secgsi: error getting user proxies

NOTE: If I set:

    export X509_USER_PROXY=/etc/grid-security/xrootd/fndcatemp2-proxy

on the servers as we have been doing in order to use the robocert, the transfer succeeds without authentication issues.

What magic needs to be done to get this to work? There must be something missing from the configuration which I have not taken into account.

Thanks,
Al

________________________________
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
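The dash-lookalike pitfall Wei mentions and the authzpxy encoding Albert quotes (opt = what * 10 + where), as an added Python example that is not part of the thread and not xrootd's own code. It assumes only the option names shown in the thread; the config lines it scans are constructed for the example, and the lint rules are heuristics for reviewing a pasted config, not a reimplementation of xrootd's parser.

```python
# Added example, not code from the thread or from the xrootd project: a small
# linter for the `sec.protocol ... gsi` line of an xrootd config. It flags the
# pitfall Wei describes (a Unicode dash lookalike pasted from the HTML docs
# where an ASCII '-' is required) and decodes the authzpxy value with the
# formula quoted in Albert's message (opt = what * 10 + where). Option names
# come from the thread; SAMPLE_CONFIG is constructed for this example.

# Code points that render like '-' but are not U+002D HYPHEN-MINUS.
DASH_LOOKALIKES = {
    "\u00ad": "SOFT HYPHEN",
    "\u2010": "HYPHEN",
    "\u2011": "NON-BREAKING HYPHEN",
    "\u2012": "FIGURE DASH",
    "\u2013": "EN DASH",
    "\u2014": "EM DASH",
    "\u2212": "MINUS SIGN",
}

# Meaning of the two digits of authzpxy:opt, as quoted from the docs in the thread.
WHAT = {0: "full proxy chain (CA, certificate, proxies)", 1: "last user proxy only"}
WHERE = {0: "not exported", 1: "XrdSecEntity.creds", 2: "XrdSecEntity.endorsements"}

SAMPLE_CONFIG = (  # constructed input; line 2 carries an EN DASH before dlgpxy
    "xrootd.seclib /opt/xrootd/libXrdSec.so\n"
    "sec.protocol /opt/xrootd gsi \u2013dlgpxy:1 -exppxy:=creds -authzpxy:11 -ca:1 -crl:3\n"
    "sec.protocol gsi -cert:/etc/grid-security/xrootd/hostcert.pem -dlgpxy:2\n"
)


def find_dash_lookalikes(line):
    """Return (column, char, name) for every non-ASCII dash lookalike in `line`."""
    return [(i, ch, DASH_LOOKALIKES[ch]) for i, ch in enumerate(line) if ch in DASH_LOOKALIKES]


def decode_authzpxy(opt):
    """Split authzpxy opt = what * 10 + where into its two documented fields."""
    what, where = divmod(int(opt), 10)
    if what not in WHAT or where not in WHERE:
        raise ValueError(f"authzpxy:{opt} is outside the documented values")
    return {"what": WHAT[what], "where": WHERE[where]}


def parse_gsi_options(line):
    """Map -name[:value] tokens after 'gsi' on a sec.protocol line to {name: value}."""
    tokens = line.split()
    if not tokens or tokens[0] != "sec.protocol" or "gsi" not in tokens:
        return {}
    opts = {}
    for tok in tokens[tokens.index("gsi") + 1:]:
        if tok.startswith("-"):  # a lookalike dash fails this test, so the option silently disappears
            name, _, value = tok[1:].partition(":")
            opts[name] = value
    return opts


def lint_config(text):
    """Return human-readable findings for the sec.protocol gsi lines in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("sec.protocol"):
            continue
        for col, ch, name in find_dash_lookalikes(line):
            findings.append(f"line {lineno} col {col}: U+{ord(ch):04X} {name} where '-' is expected")
        opts = parse_gsi_options(line)
        if "authzpxy" in opts:
            d = decode_authzpxy(opts["authzpxy"])
            findings.append(f"line {lineno}: authzpxy exports {d['what']} into {d['where']}")
        if "dlgpxy" in opts and "exppxy" not in opts:
            findings.append(f"line {lineno}: -dlgpxy:{opts['dlgpxy']} without -exppxy; "
                            "the working config in the thread pairs it with -exppxy:=creds")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Running it against the constructed config reports the EN DASH on line 2 (the option it precedes is not recognised as an option at all, which is the failure mode Wei warns about), decodes authzpxy:11 as "last user proxy only" into XrdSecEntity.creds, and points out that line 3 sets -dlgpxy without the -exppxy that the thread's working configuration uses.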