Hi Michal,

The server ztn sec.protocol is enabled. The issue is one client is fine with it but the other client (built in the CMS software) is not able to use ztn for some reason.

Here is the server log created by the client which can do the xrdcp with the token:

220225 15:35:49 26362 Xrd_Inet: Accepted connection on port 1094 from [log in to unmask]
220225 15:35:49 26362 Xrd_ProtLoad: matched port 1094 protocol xroot
220225 15:35:49 26362 anon.0:[log in to unmask] Xrd_Poll: FD 34 attached to poller 0; num=1
220225 15:35:49 26362 anon.0:[log in to unmask] TLS_Accept: Accepting a TLS connection...
220225 15:35:49 26362 XrdLinkXeq: anon.0:[log in to unmask] connection upgraded to TLSv1.2
220225 15:35:49 26362 anon.0:[log in to unmask] TLS_Read: 24 out of 24 bytes.
220225 15:35:49 26362 anon.0:[log in to unmask] TLS_Read: 85 out of 85 bytes.
220225 15:35:49 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 8 out of 8 bytes.
220225 15:35:49 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 16 out of 16 bytes.
220225 15:35:49 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 59 out of 59 bytes.
220225 15:35:49 26421 Xrd_Sched: running monitor fstat inq=0
220225 15:35:49 26421 Xrd_Sched: scheduling monitor fstat in 60 seconds
220225 15:35:49 26340 Xrd_Sched: Now have 5 workers
220225 15:35:49 26340 Xrd_Sched: running monitor window clock inq=0
220225 15:35:49 26340 Xrd_Sched: scheduling monitor window clock in 5 seconds
220225 15:35:50 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 24 out of 24 bytes.
220225 15:35:50 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 722 out of 722 bytes.
220225 15:35:50 26421 Xrd_Sched: running stats reporter inq=0
220225 15:35:50 26421 Xrd_Sched: scheduling stats reporter in 60 seconds
220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 8 out of 8 bytes.
220225 15:35:53 26362 XrootdXeq: bockjoo.2777317:[log in to unmask] pub IPv4 TLSv1.2 login as e5fbec89-437f-45b8-a852-8d2690d85fef
220225 15:35:53 26362 multiuser_UserSentry: Failed to lookup UID for username e5fbec89-437f-45b8-a852-8d2690d85fef Success
220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 24 out of 24 bytes.
220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 756 out of 756 bytes.
220225 15:35:53 26362 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
220225 15:35:53 26362 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
220225 15:35:53 26362 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
220225 15:35:53 26362 multiuser_UserSentry: Switching FS uid for user bockjoo
220225 15:35:53 26362 multiuser_Open: Will not create checksum
220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 8 out of 8 bytes.
220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 12 out of 12 bytes.
220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 82 out of 82 .....

Here's the log created by the client that fails to use the ztn protocol:

220225 15:34:38 26340 Xrd_Inet: Accepted connection on port 1094 from [log in to unmask]
220225 15:34:38 26340 Xrd_ProtLoad: matched port 1094 protocol xroot
220225 15:34:38 26340 anon.0:[log in to unmask] Xrd_Poll: FD 34 attached to poller 0; num=1
220225 15:34:38 26340 anon.0:[log in to unmask] TLS_Accept: Accepting a TLS connection...
220225 15:34:39 26340 XrdLinkXeq: anon.0:[log in to unmask] connection upgraded to TLSv1.2
220225 15:34:39 26340 anon.0:[log in to unmask] TLS_Read: 24 out of 24 bytes.
220225 15:34:39 26340 anon.0:[log in to unmask] TLS_Read: 93 out of 93 bytes.
220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Write: 8 out of 8 bytes.
220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Write: 16 out of 16 bytes.
220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Write: 59 out of 59 bytes.
220225 15:34:39 26340 XrdTLS: bockjoo.467:[log in to unmask] TLS error rc=0 ec=6 (zero_return) errno=0.
220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Shutdown: Doing fast shutdown.
220225 15:34:39 26340 XrootdXeq: bockjoo.467:[log in to unmask] disc 0:00:01
220225 15:34:39 26340 multiuser_UserSentry: Anonymous client; no user set, cannot change FS UIDs
220225 15:34:39 26340 bockjoo.467:[log in to unmask] Xrd_Poll: Poller 0 removing FD 34
220225 15:34:39 26340 bockjoo.467:[log in to unmask] Xrd_Poll: FD 34 detached from poller 0; num=0
220225 15:34:39 26339 Xrd_Sched: running monitor window clock inq=0
220225 15:34:39 26339 Xrd_Sched: scheduling monitor window clock in 5 seconds
220225 15:34:39 26362 Xrd_Sched: running main accept inq=0
220225 15:34:40 26421 Xrd_Inet: Accepted connection on port 1094 from [log in to unmask]
220225 15:34:40 26421 Xrd_ProtLoad: matched port 1094 protocol xroot
220225 15:34:40 26421 anon.0:[log in to unmask] Xrd_Poll: FD 37 attached to poller 0; num=1
220225 15:34:40 26421 anon.0:[log in to unmask] TLS_Accept: Accepting a TLS connection...
220225 15:34:40 26421 XrdLinkXeq: anon.0:[log in to unmask] connection upgraded to TLSv1.2
220225 15:34:40 26421 anon.0:[log in to unmask] TLS_Read: 24 out of 24 bytes.
220225 15:34:40 26421 anon.0:[log in to unmask] TLS_Read: 93 out of 93 bytes.
220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Write: 8 out of 8 bytes.
220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Write: 16 out of 16 bytes.
220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Write: 59 out of 59 bytes.
220225 15:34:40 26421 XrdTLS: bockjoo.467:[log in to unmask] TLS error rc=0 ec=6 (zero_return) errno=0.
220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Shutdown: Doing fast shutdown.
220225 15:34:40 26421 XrootdXeq: bockjoo.467:[log in to unmask] disc 0:00:00
220225 15:34:40 26421 multiuser_UserSentry: Anonymous client; no user set, cannot change FS UIDs
220225 15:34:40 26421 bockjoo.467:[log in to unmask] Xrd_Poll: Poller 0 removing FD 37
220225 15:34:40 26421 bockjoo.467:[log in to unmask] Xrd_Poll: FD 37 detached from poller 0; num=0

Thanks,
Bockjoo

On 2/25/22 15:33, Michal Simon wrote:
> Hi Bockjoo,
>
> It is the server that decides what authentication protocols the client can use to authenticate. From the logs you posted it seems that the server only allows GSI authentication.
>
> In order to use tokens it is recommended that the server enables ZTN authentication.
>
> Cheers,
> Michal
>
>> On 25 Feb 2022, at 17:55, Bockjoo Kim <[log in to unmask]> wrote:
>>
>> Hi,
>>
>> CMS built xrdcp as the CMS software external.
>>
>> When I run it, it does not look like it recognizes the token passed and is looking for X509:
>>
>> -bash-4.2$ ( export BEARER_TOKEN=$BEARER_TOKEN ; unset X509_USER_PROXY ; xrdcp -d 1 -f root://cmsio2.rc.ufl.edu//store/user/bockjoo/sitedb.list?authz=Bearer%20$BEARER_TOKEN $(pwd)/sitedb.list )
>> [2022-02-25 17:53:35.503759 +0100][Info ][AsyncSock ] [cmsio2.rc.ufl.edu:1094.0] TLS hand-shake done.
>> 220225 17:53:36 23215 cryptossl_X509CreateProxy: EEC certificate has expired
>> [2022-02-25 17:53:36.972629 +0100][Error ][XRootDTransport ] [cmsio2.rc.ufl.edu:1094.0] No protocols left to try
>> [2022-02-25 17:53:36.972675 +0100][Error ][AsyncSock ] [cmsio2.rc.ufl.edu:1094.0] Socket error while handshaking: [FATAL] Auth failed
>>
>> How can I check why this xrdcp version 5.4.0 built from the CMS software does not behave?
>>
>> Thanks,
>>
>> Bockjoo
>>
>> ########################################################################
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-L list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
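
Added example (not part of the original messages and not XRootD project code): a triage script for the comparison made in this thread, separating connections that reach a `login as` line from those where the client closes TLS first (`ec=6`, `zero_return`). The sample log is constructed from the line shapes quoted above with a placeholder client address, and grouping lines by thread id is an assumption.

```python
import re

# Constructed sample modelled on the server log lines quoted in this thread;
# the masked client address is replaced by the placeholder client.example.org.
SAMPLE_LOG = """\
220225 15:34:38 26340 Xrd_Inet: Accepted connection on port 1094 from client.example.org
220225 15:34:39 26340 XrdLinkXeq: anon.0:34@client.example.org connection upgraded to TLSv1.2
220225 15:34:39 26340 XrdTLS: bockjoo.467:34@client.example.org TLS error rc=0 ec=6 (zero_return) errno=0.
220225 15:34:39 26340 XrootdXeq: bockjoo.467:34@client.example.org disc 0:00:01
220225 15:34:39 26339 Xrd_Sched: running monitor window clock inq=0
220225 15:35:49 26362 Xrd_Inet: Accepted connection on port 1094 from client.example.org
220225 15:35:49 26362 XrdLinkXeq: anon.0:34@client.example.org connection upgraded to TLSv1.2
220225 15:35:53 26362 XrootdXeq: bockjoo.2777317:34@client.example.org pub IPv4 TLSv1.2 login as e5fbec89-437f-45b8-a852-8d2690d85fef
"""

LINE = re.compile(r"^(\d{6} \d\d:\d\d:\d\d) (\d+) (.*)$")
TLS_UP = re.compile(r"connection upgraded to (TLSv[\d.]+)")
LOGIN = re.compile(r"XrootdXeq: .* login as (\S+)")
TLS_ERR = re.compile(r"TLS error rc=-?\d+ ec=(\d+) \((\w+)\)")
DISC = re.compile(r"XrootdXeq: .* disc \d+:\d\d:\d\d")

def verdict(s):
    """Say how far a connection got, based only on what the server logged."""
    if s["login"]:
        return "authenticated"
    if s["tls_error"] == "zero_return":  # ec=6: peer sent TLS close_notify
        return "peer closed TLS before login"
    return "disconnected before login" if s["closed"] else "incomplete"

def parse_sessions(text):
    """Group lines by thread id (assumption: one connection per thread id
    between 'Accepted connection' and 'disc', as in the logs in this thread)."""
    sessions, current = [], {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        when, tid, msg = m.groups()
        if msg.startswith("Xrd_Inet: Accepted connection"):
            current[tid] = {"start": when, "tid": tid, "tls": None,
                            "login": None, "tls_error": None, "closed": False}
            sessions.append(current[tid])
        elif (s := current.get(tid)) and not s["closed"]:
            if t := TLS_UP.search(msg):
                s["tls"] = t.group(1)
            elif lg := LOGIN.search(msg):
                s["login"] = lg.group(1)
            elif e := TLS_ERR.search(msg):
                s["tls_error"] = e.group(2)
            elif DISC.search(msg):
                s["closed"] = True
    for s in sessions:
        s["verdict"] = verdict(s)
    return sessions
```

Calling `parse_sessions()` on a real server log returns one record per accepted connection, so the failing client's sessions can be listed by start time and matched against the client-side `xrdcp -d` output.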