Hi Bockjoo,

Thanks for the clarification. Could you please enable client-side logging? Just "-d 3" option in xrdcp.

Cheers,
Michal

> On 25 Feb 2022, at 21:52, Bockjoo Kim <[log in to unmask]> wrote:
>
> Hi Michal,
>
> The server ztn sec.protocol is enabled.
>
> The issue is one client is fine with it but the other client (built in the CMS software) is not able to use ztn for some reason.
>
> Here is the server log created by the client which can do the xrdcp with the token:
>
> 220225 15:35:49 26362 Xrd_Inet: Accepted connection on port 1094 from [log in to unmask]
> 220225 15:35:49 26362 Xrd_ProtLoad: matched port 1094 protocol xroot
> 220225 15:35:49 26362 anon.0:[log in to unmask] Xrd_Poll: FD 34 attached to poller 0; num=1
> 220225 15:35:49 26362 anon.0:[log in to unmask] TLS_Accept: Accepting a TLS connection...
> 220225 15:35:49 26362 XrdLinkXeq: anon.0:[log in to unmask] connection upgraded to TLSv1.2
> 220225 15:35:49 26362 anon.0:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:35:49 26362 anon.0:[log in to unmask] TLS_Read: 85 out of 85 bytes.
> 220225 15:35:49 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:35:49 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 16 out of 16 bytes.
> 220225 15:35:49 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 59 out of 59 bytes.
> 220225 15:35:49 26421 Xrd_Sched: running monitor fstat inq=0
> 220225 15:35:49 26421 Xrd_Sched: scheduling monitor fstat in 60 seconds
> 220225 15:35:49 26340 Xrd_Sched: Now have 5 workers
> 220225 15:35:49 26340 Xrd_Sched: running monitor window clock inq=0
> 220225 15:35:49 26340 Xrd_Sched: scheduling monitor window clock in 5 seconds
> 220225 15:35:50 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:35:50 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 722 out of 722 bytes.
> 220225 15:35:50 26421 Xrd_Sched: running stats reporter inq=0
> 220225 15:35:50 26421 Xrd_Sched: scheduling stats reporter in 60 seconds
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:35:53 26362 XrootdXeq: bockjoo.2777317:[log in to unmask] pub IPv4 TLSv1.2 login as e5fbec89-437f-45b8-a852-8d2690d85fef
> 220225 15:35:53 26362 multiuser_UserSentry: Failed to lookup UID for username e5fbec89-437f-45b8-a852-8d2690d85fef Success
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 756 out of 756 bytes.
> 220225 15:35:53 26362 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
> 220225 15:35:53 26362 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
> 220225 15:35:53 26362 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
> 220225 15:35:53 26362 multiuser_UserSentry: Switching FS uid for user bockjoo
> 220225 15:35:53 26362 multiuser_Open: Will not create checksum
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 12 out of 12 bytes.
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 82 out of 82
>
> .....
>
> Here's the log created by the client that fails to use the ztn protocol:
>
> 220225 15:34:38 26340 Xrd_Inet: Accepted connection on port 1094 from [log in to unmask]
> 220225 15:34:38 26340 Xrd_ProtLoad: matched port 1094 protocol xroot
> 220225 15:34:38 26340 anon.0:[log in to unmask] Xrd_Poll: FD 34 attached to poller 0; num=1
> 220225 15:34:38 26340 anon.0:[log in to unmask] TLS_Accept: Accepting a TLS connection...
> 220225 15:34:39 26340 XrdLinkXeq: anon.0:[log in to unmask] connection upgraded to TLSv1.2
> 220225 15:34:39 26340 anon.0:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:34:39 26340 anon.0:[log in to unmask] TLS_Read: 93 out of 93 bytes.
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Write: 16 out of 16 bytes.
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Write: 59 out of 59 bytes.
> 220225 15:34:39 26340 XrdTLS: bockjoo.467:[log in to unmask] TLS error rc=0 ec=6 (zero_return) errno=0.
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Shutdown: Doing fast shutdown.
> 220225 15:34:39 26340 XrootdXeq: bockjoo.467:[log in to unmask] disc 0:00:01
> 220225 15:34:39 26340 multiuser_UserSentry: Anonymous client; no user set, cannot change FS UIDs
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] Xrd_Poll: Poller 0 removing FD 34
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] Xrd_Poll: FD 34 detached from poller 0; num=0
> 220225 15:34:39 26339 Xrd_Sched: running monitor window clock inq=0
> 220225 15:34:39 26339 Xrd_Sched: scheduling monitor window clock in 5 seconds
> 220225 15:34:39 26362 Xrd_Sched: running main accept inq=0
> 220225 15:34:40 26421 Xrd_Inet: Accepted connection on port 1094 from [log in to unmask]
> 220225 15:34:40 26421 Xrd_ProtLoad: matched port 1094 protocol xroot
> 220225 15:34:40 26421 anon.0:[log in to unmask] Xrd_Poll: FD 37 attached to poller 0; num=1
> 220225 15:34:40 26421 anon.0:[log in to unmask] TLS_Accept: Accepting a TLS connection...
> 220225 15:34:40 26421 XrdLinkXeq: anon.0:[log in to unmask] connection upgraded to TLSv1.2
> 220225 15:34:40 26421 anon.0:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:34:40 26421 anon.0:[log in to unmask] TLS_Read: 93 out of 93 bytes.
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Write: 16 out of 16 bytes.
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Write: 59 out of 59 bytes.
> 220225 15:34:40 26421 XrdTLS: bockjoo.467:[log in to unmask] TLS error rc=0 ec=6 (zero_return) errno=0.
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Shutdown: Doing fast shutdown.
> 220225 15:34:40 26421 XrootdXeq: bockjoo.467:[log in to unmask] disc 0:00:00
> 220225 15:34:40 26421 multiuser_UserSentry: Anonymous client; no user set, cannot change FS UIDs
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] Xrd_Poll: Poller 0 removing FD 37
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] Xrd_Poll: FD 37 detached from poller 0; num=0
>
> Thanks,
>
> Bockjoo
>
> On 2/25/22 15:33, Michal Simon wrote:
>> Hi Bockjoo,
>>
>> It is the server that decides what authentication protocols the client can use to authenticate. From the logs you posted it seems that the server only allows GSI authentication.
>>
>> In order to use tokens it is recommended that the server enables ZTN authentication.
>>
>> Cheers,
>> Michal
>>
>>> On 25 Feb 2022, at 17:55, Bockjoo Kim <[log in to unmask]> wrote:
>>>
>>> Hi,
>>>
>>> CMS built xrdcp as the CMS software external.
>>>
>>> When I run it, it does not look like it recognizes the token passed and is looking for X509:
>>>
>>> -bash-4.2$ ( export BEARER_TOKEN=$BEARER_TOKEN ; unset X509_USER_PROXY ; xrdcp -d 1 -f root://cmsio2.rc.ufl.edu//store/user/bockjoo/sitedb.list?authz=Bearer%20$BEARER_TOKEN $(pwd)/sitedb.list )
>>> [2022-02-25 17:53:35.503759 +0100][Info ][AsyncSock ] [cmsio2.rc.ufl.edu:1094.0] TLS hand-shake done.
>>> 220225 17:53:36 23215 cryptossl_X509CreateProxy: EEC certificate has expired
>>> [2022-02-25 17:53:36.972629 +0100][Error ][XRootDTransport ] [cmsio2.rc.ufl.edu:1094.0] No protocols left to try
>>> [2022-02-25 17:53:36.972675 +0100][Error ][AsyncSock ] [cmsio2.rc.ufl.edu:1094.0] Socket error while handshaking: [FATAL] Auth failed
>>>
>>> How can I check why this xrdcp version 5.4.0 built from the CMS software does not behave?
>>>
>>> Thanks,
>>>
>>> Bockjoo
>>>
>>> ########################################################################
>>> Use REPLY-ALL to reply to list
>>>
>>> To unsubscribe from the XROOTD-L list, click the following link:
>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
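
Added example (not part of the original thread and not XRootD code): a triage of server log lines in the format quoted above, separating sessions that reached `login as` from those that ended with a TLS `zero_return` and `disc` before any login. The sample lines are constructed, and `34@client.example` is an assumed stand-in for the masked part of the client id.

```python
import re

# Constructed sample in the format of the server log quoted in the thread;
# "34@client.example" is an assumed stand-in for the masked fd@host part.
SAMPLE_LOG = """\
220225 15:34:39 26340 XrdLinkXeq: anon.0:34@client.example connection upgraded to TLSv1.2
220225 15:34:39 26340 bockjoo.467:34@client.example TLS_Write: 59 out of 59 bytes.
220225 15:34:39 26340 XrdTLS: bockjoo.467:34@client.example TLS error rc=0 ec=6 (zero_return) errno=0.
220225 15:34:39 26340 XrootdXeq: bockjoo.467:34@client.example disc 0:00:01
220225 15:34:39 26340 bockjoo.467:34@client.example Xrd_Poll: Poller 0 removing FD 34
220225 15:35:49 26362 XrdLinkXeq: anon.0:34@client.example connection upgraded to TLSv1.2
220225 15:35:53 26362 XrootdXeq: bockjoo.2777317:34@client.example pub IPv4 TLSv1.2 login as e5fbec89-437f-45b8-a852-8d2690d85fef
"""

CLIENT = re.compile(r"(?P<user>\S+?)\.(?P<pid>\d+):(?P<link>\d+@\S+)")
UPGRADE = re.compile(r"connection upgraded to (\S+)")
TLS_ERR = re.compile(r"TLS error rc=-?\d+ ec=\d+ \((\w+)\)")
LOGIN = re.compile(r" login as (\S+)")
DISC = re.compile(r"XrootdXeq: \S+ disc ")


def triage(log_text):
    """Split a server log into per-link sessions and say how each one ended."""
    current, sessions = {}, []
    for line in log_text.splitlines():
        m = CLIENT.search(line)
        if not m:
            continue  # scheduler and plugin lines carry no client id
        link = m["link"]
        if UPGRADE.search(line) or link not in current:
            # fds are reused, so every TLS upgrade starts a new session
            current[link] = {"client": None, "tls": None, "tls_error": None,
                             "login": None, "closed": False}
            sessions.append(current[link])
        s = current[link]
        if m["user"] != "anon":
            s["client"] = m["user"] + "." + m["pid"]
        if (u := UPGRADE.search(line)):
            s["tls"] = u[1]
        if (e := TLS_ERR.search(line)):
            s["tls_error"] = e[1]
        if (ok := LOGIN.search(line)):
            s["login"] = ok[1]
        s["closed"] = s["closed"] or bool(DISC.search(line))
    for s in sessions:
        s["verdict"] = ("authenticated" if s["login"] else
                        "closed before login" if s["closed"] or s["tls_error"] else
                        "incomplete")
    return sessions
```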