In order to validate the VOMS extension, the server also needs the
/etc/grid-security/vomsdir/dteam folder, with LSC files for the VOMS
servers that can act for dteam.
(And similarly for other VOs).
You didn't mention configuring this in your list of steps, so just
checking...

On Mon, 3 Oct 2022, 11:44 Vijayakumar Rajabathar - STFC UKRI wrote:

> Good Morning
>
>
>
> Facing an issue when using xrdcp in conjunction with GSI security.
>
>
>
> *Setup:*
>
> Server : Runs xrootd process and has access rights to a backend CEPH
> cluster
>
> Client : Used to generate proxy certificate (voms-proxy-init), and run the
> xrdcp
>
>
>
> Both server and client have the /etc/vomses and
> /etc/grid-security/certificates folders set up for the VOs.
>
>
>
> Step 1) Server: xrootd process on the host is configured for GSI security
>
>
>
>   xrootd.seclib /usr/lib64/libXrdSec.so
>
>   sec.protparm gsi -vomsfun:libXrdVoms.so -vomsfunparms:certfmt=pem|grpopt=useall|dbg
>
>   sec.protocol gsi -dlgpxy:request -exppxy:=creds -crl:require -certdir:<dir location> -cert:<host cert location> -key:<host key location> -gridmap:<gridmap file location> -gmapopt:trymap -d:3
>
>   sec.protbind * only gsi
>
>
>
> Step 2) Client: voms-proxy-init --voms <vo name> is used to generate a
> VOMS proxy and certificate is generated successfully after contacting VO
>
>
>
>   bash-4.2$ voms-proxy-init --voms dteam
>   Enter GRID pass phrase for this identity:
>   Contacting voms2.hellasgrid.gr:15004 [/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr] "dteam"...
>   Remote VOMS server contacted succesfully.
>   Created proxy in /tmp/<filename>.
>   Your proxy is valid until Mon Oct 03 23:37:37 BST 2022
>
>
>
>
>
> Step 3) Client: xrdcp is used to copy a file from the client to the server
> to write to the dteam VO
>
>
>
>    xrdcp testfile.txt root://<server>/dteam:test/testfile.txt -v --force
>
>
>
> Step 4) Step 3 fails as follows
>
>    XrdVomsFun: retrieval FAILED: Cannot verify AC signature!
>
>    secgsi_Authenticate: VOMS: Entity.vorg:         <none>
>
>    secgsi_Authenticate: VOMS: Entity.grps:         <none>
>
>    secgsi_Authenticate: VOMS: Entity.role:         <none>
>
>    secgsi_Authenticate: VOMS: Entity.endorsements: <none>
>
>  Any inputs would be much appreciated. If you need more information, pls
> let me know
>
>  Thanks
>
> Vijay
>
> ------------------------------
>
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>
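
A check for the LSC file mentioned in the reply at the top, as an added example that is not part of the thread or of the XRootD/VOMS code. It assumes the usual layout `<vomsdir>/<vo>/<voms-host>.lsc` with the VOMS server's subject DN on line 1 and its issuing CA's DN on line 2; the function names and return codes are this example's own, and the issuer DN in the sample is a constructed placeholder.

```shell
#!/bin/sh
# Added example: check the LSC file that lets a server verify the
# signature on a VOMS attribute certificate (AC).
# Assumed layout: <vomsdir>/<vo>/<voms-host>.lsc
#   line 1: subject DN of the VOMS server certificate
#   line 2: DN of the CA that issued it
# Return codes (this example's own convention):
#   0 ok, 1 VO directory missing, 2 .lsc missing,
#   3 subject DN mismatch, 4 issuer DN missing

check_lsc() {  # usage: check_lsc <vomsdir> <vo> <voms-host> <expected-subject-DN>
    lsc="$1/$2/$3.lsc"
    [ -d "$1/$2" ] || return 1
    [ -r "$lsc" ] || return 2
    # Drop CRs, trailing blanks and empty lines before comparing DNs.
    clean=$(tr -d '\r' < "$lsc" | sed -e 's/[[:space:]]*$//' -e '/^$/d')
    subject=$(printf '%s\n' "$clean" | sed -n '1p')
    issuer=$(printf '%s\n' "$clean" | sed -n '2p')
    [ "$subject" = "$4" ] || return 3
    case "$issuer" in
        /*) return 0 ;;
        *)  return 4 ;;
    esac
}

# Host and DN as printed by voms-proxy-init in the quoted message.
VOMS_HOST="voms2.hellasgrid.gr"
VOMS_DN="/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr"

# Constructed sample tree; the issuer DN is a placeholder, not the real CA.
make_sample() {  # usage: make_sample <dir>
    mkdir -p "$1/dteam"
    printf '%s\n%s\n' "$VOMS_DN" "/C=XX/O=Placeholder/CN=PLACEHOLDER ISSUING CA" \
        > "$1/dteam/$VOMS_HOST.lsc"
}

# Optional stand-alone use: sh check_lsc.sh /etc/grid-security/vomsdir
if [ "$#" -eq 1 ]; then
    rc=0
    check_lsc "$1" dteam "$VOMS_HOST" "$VOMS_DN" || rc=$?
    echo "check_lsc returned $rc"
fi
```

A result of 1 or 2 on the server means the directory or LSC file for the VO is absent, which is the configuration gap the reply asks about.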
