
In order to validate the VOMS extension, the server also needs the /etc/grid-security/vomsdir/dteam folder, with LSC files for the VOMS servers that can act for dteam.
(And similarly for other VOs.)
You didn't mention configuring this in your list of steps, so just checking...

On Mon, 3 Oct 2022, 11:44 Vijayakumar Rajabathar - STFC UKRI wrote:

Good Morning

 

Facing an issue when using xrdcp in conjunction with GSI security.

 

Setup:

Server : Runs xrootd process and has access rights to a backend CEPH cluster

Client : Used to generate proxy certificate (voms-proxy-init), and run the xrdcp

 

Both server and client have the /etc/vomses and /etc/grid-security/certificates folders set up for the VOs.

 

Step 1) Server: xrootd process on the host is configured for GSI security

 

  xrootd.seclib /usr/lib64/libXrdSec.so
  sec.protparm gsi -vomsfun:libXrdVoms.so -vomsfunparms:certfmt=pem|grpopt=useall|dbg
  sec.protocol gsi -dlgpxy:request -exppxy:=creds -crl:require -certdir:<dir location> -cert:<host cert location> -key:<host key location> -gridmap:<gridmap file location> -gmapopt:trymap -d:3
  sec.protbind * only gsi

 

Step 2) Client: voms-proxy-init --voms <vo name> is used to generate a VOMS proxy, and the certificate is generated successfully after contacting the VO

 

   bash-4.2$ voms-proxy-init --voms dteam
   Enter GRID pass phrase for this identity:
   Contacting voms2.hellasgrid.gr:15004 [/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr] "dteam"...
   Remote VOMS server contacted succesfully.
   Created proxy in /tmp/<filename>.
   Your proxy is valid until Mon Oct 03 23:37:37 BST 2022

Step 3) Client: xrdcp is used to copy a file from the client to the server to write to the dteam VO

 

   xrdcp testfile.txt root://<server>/dteam:test/testfile.txt -v --force

  

Step 4) Step 3 fails as follows

   XrdVomsFun: retrieval FAILED: Cannot verify AC signature!
   secgsi_Authenticate: VOMS: Entity.vorg:         <none>
   secgsi_Authenticate: VOMS: Entity.grps:         <none>
   secgsi_Authenticate: VOMS: Entity.role:         <none>
   secgsi_Authenticate: VOMS: Entity.endorsements: <none>

Any inputs would be much appreciated. If you need more information, please let me know.

 Thanks

Vijay

  




Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
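
Added example (not part of the thread, and not XRootD or VOMS project code): a pre-flight check for the point raised in the reply, confirming that every VOMS server listed for a VO in vomses has a matching LSC file under vomsdir/<vo>/. It assumes the usual VOMS conventions: vomses lines of the form "alias" "host" "port" "server DN" "vo", and LSC files named <host>.lsc holding the server DN followed by its issuing CA DN; the function names, the temporary directory tree and the CA DN in the demo are constructed placeholders.

```python
import shlex
import tempfile
from pathlib import Path

def vomses_entries(vomses):
    """Yield (vo, host, dn) from a vomses file, or from every file in a vomses directory."""
    p = Path(vomses)
    files = sorted(f for f in p.iterdir() if f.is_file()) if p.is_dir() else [p]
    for f in files:
        for line in f.read_text().splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            fields = shlex.split(line)  # fields: "alias" "host" "port" "server DN" "vo"
            if len(fields) >= 5:
                yield fields[4], fields[1], fields[3]

def check_lsc(vomses, vomsdir, vo):
    """Return (host, problem) pairs for VOMS servers of `vo` without a usable LSC file."""
    problems = []
    for entry_vo, host, dn in vomses_entries(vomses):
        if entry_vo != vo:
            continue
        lsc = Path(vomsdir) / vo / (host + ".lsc")
        if not lsc.is_file():
            problems.append((host, "missing " + lsc.name))
            continue
        lines = [l.strip() for l in lsc.read_text().splitlines() if l.strip()]
        if not lines or lines[0] != dn:
            problems.append((host, "first LSC line is not the server DN from vomses"))
        elif len(lines) < 2:
            problems.append((host, "LSC lacks the issuing CA DN line"))
    return problems

def demo():
    """Run the check on a constructed tree, before and after the LSC file is added."""
    dn = "/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr"  # from the thread
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vomses").write_text(f'"dteam" "voms2.hellasgrid.gr" "15004" "{dn}" "dteam"\n')
        before = check_lsc(root / "vomses", root / "vomsdir", "dteam")
        vodir = root / "vomsdir" / "dteam"
        vodir.mkdir(parents=True)
        # Constructed LSC: server DN, then a placeholder for the issuing CA DN.
        (vodir / "voms2.hellasgrid.gr.lsc").write_text(dn + "\n/C=XX/O=Placeholder/CN=Issuing CA\n")
        after = check_lsc(root / "vomses", root / "vomsdir", "dteam")
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real server the call would be check_lsc("/etc/vomses", "/etc/grid-security/vomsdir", "dteam"); an empty list means every listed dteam VOMS server has an LSC file whose first line matches its DN.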


