
Hello, Everyone.


I checked again today, and I'm contacting you because the cause is somewhere else. 


The issue was caused by not executing fetch-crl and is now resolved. 


I'm sorry for inquiring about the no-problem content. Have a great end of the year.


Regards,


----- Original Message -----
From : [log in to unmask]
To : xrootd-l <[log in to unmask]>
Cc :
Sent : 2021-12-21 16:53:36
Subject : Question about libXrdSecgsiVOMS.so


Dear XRootD experts,


I am currently setting up GSI authentication for XRootD v5.4.0 using SecgsiVOMS.so.


I set it as follows using the information on the Internet. 


However, I am contacting you because the daemon has not started.


--- xrootd-public.cfg ---

# Enable security
xrootd.seclib /usr/lib64/libXrdSec.so

# X509 VOMS security in xroot protocol
sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:dbg
sec.protocol /usr/lib64 gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/dev/null

# Authorization
acc.audit deny
acc.authdb /etc/xrootd/auth_file
acc.authrefresh 60
ofs.authorize

--- End of cfg ---

--- Error log ---
211221 16:38:35 30555 secgsi_GetSrvCertEnt: failed to load certificate for the issuing CA 'ead666c8.0|06769ccd.0'
211221 16:38:35 30555 secgsi_Init: problems loading srv cert
211221 16:38:35 30555  XrdVomsInit: ++++++++++++++++++ VOMS plug-in +++++++++++++++++++++++++++++++
211221 16:38:35 30555  XrdVomsInit: +++ proxy fmt:    raw
211221 16:38:35 30555  XrdVomsInit: +++ group option: all of all groups
211221 16:38:35 30555  XrdVomsInit: +++ group(s):      <not specified>
211221 16:38:35 30555  XrdVomsInit: +++ VO(s):         all
211221 16:38:35 30555  XrdVomsInit: +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
211221 16:38:35 30555 secgsi_LoadVOMSFun: using 'XrdSecgsiVOMSFun()' from /usr/lib64/libXrdSecgsiVOMS.so
211221 16:38:35 30555 secgsi_Init: Secgsi: ErrInit: unable to generate ca cert hash list!
Secgsi: ErrInit: unable to generate ca cert hash list!
Config Failed to load gsi authentication protocol!
---- End of log ----

The host certificate I am using is a KISTIv3 certificate, and the certificate refers to the same file in both the ead666c8.0 and 06769ccd.0 files.
[root@cms-xrdr public]# ls -l /etc/grid-security/certificates/ead666c8.0
lrwxrwxrwx. 1 root root 11 Dec 21 15:27 /etc/grid-security/certificates/ead666c8.0 -> KISTIv3.pem
[root@cms-xrdr public]# ls -l /etc/grid-security/certificates/06769ccd.0
lrwxrwxrwx. 1 root root 11 Dec 21 15:27 /etc/grid-security/certificates/06769ccd.0 -> KISTIv3.pem

Because 2 certificates are pointed out at the same time (ead666c8.0|06769ccd.0), we are contacting you because we suspect that the problem was caused by them not being properly taken.

I would like to hear good opinions from those who have experienced similar problems as above. 

Thank you.

Regards,
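
A pre-flight check for the failure in this thread, added here as an example and not part of the original messages or of XRootD: with `-crl:3` the gsi plug-in requires a non-expired CRL for each CA, so this lists every `<hash>.0` entry whose `<hash>.r0` CRL is missing, empty, unparsable or expired. The function names are hypothetical, and it assumes the layout fetch-crl produces (PEM CRLs stored as `<hash>.r0` beside the CA certificates).

```shell
#!/bin/sh
# Added example: report CA entries without a usable CRL before starting xrootd.
# Assumption: CA certs are <hash>.0 and CRLs are PEM files named <hash>.r0
# in the same directory (e.g. /etc/grid-security/certificates).

# crl_status FILE -> prints one of: ok | missing | empty | unparsable | expired
crl_status() {
    crl=$1
    [ -e "$crl" ] || { echo missing; return; }
    [ -s "$crl" ] || { echo empty; return; }
    # Without openssl we can only confirm the file exists and is non-empty.
    command -v openssl >/dev/null 2>&1 || { echo ok; return; }
    next=$(openssl crl -in "$crl" -noout -nextupdate 2>/dev/null) \
        || { echo unparsable; return; }
    next=${next#nextUpdate=}
    # date -d is GNU-specific; skip the expiry comparison where it is unavailable.
    end=$(date -d "$next" +%s 2>/dev/null) || { echo ok; return; }
    [ "$end" -gt "$(date +%s)" ] && echo ok || echo expired
}

# check_crl_dir DIR -> prints "<hash> <status>" for each CA entry whose CRL
# is not ok; returns 1 if any entry was reported, 0 otherwise.
check_crl_dir() {
    dir=$1
    rc=0
    for ca in "$dir"/*.0; do
        [ -e "$ca" ] || continue      # unmatched glob or dangling symlink
        hash=$(basename "$ca" .0)
        st=$(crl_status "$dir/$hash.r0")
        [ "$st" = ok ] || { echo "$hash $st"; rc=1; }
    done
    return $rc
}

# Usage: check_crl_dir /etc/grid-security/certificates || echo "run fetch-crl first"
```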





