On Tue, 19 Mar 2024, Petr Vokac wrote:

> KEK is using StoRM, could you try your tests with another StoRM source?
>

Yes, I can reproduce an error with another KEK SE; for belle2-webdav-raw-daa.cc.kek.jp only Belle production role proxies have access to. However, the curl commands do not work. Using it fails to verify my cert/proxy on the redirector.

Using gfal-copy in pull mode works, while push mode via

gfal-copy -vvv -f https://belle2-webdav-analysis-data.cc.kek.jp:8443/disk/belle/TMP/belle/Raw/e0012_8GBTest/physics/r04420/sub00/physics.0012.4420.8GBTest.f00000.root https://rdc-redirector.belle.uvic.ca:1094/TMP/belle/some_test_file

gives the error:

failure: SocketException while pushing https://rdc-redirector.belle.uvic.ca:1094/TMP/belle/some_test_file: Connection reset by peer (Write failed)

full log: https://particle.phys.uvic.ca/~mebert/xrootd/gfal-copy.log

What is interesting is that if I substitute "rdc-redirector" with one of the servers, then it always works. Looking at the connections on the network, it seems the initial connection with gfal-copy gets redirected to one of the servers and gfal-copy tries to keep the connection open, while the KEK SE goes again to the redirector as it should and gets then redirected to a server. It seems at that point the connection gets reset by the server that initially was connected with gfal-copy.

Cheers,
Marcus

> You could try to download the file with curl or even initiate HTTP-TPC manually,
> e.g.
>
> export SRC=https://belle2-webdav-raw-data.cc.kek.jp:8443/belle/TMP/belle/Raw/e0026/physics/r00194/sub00/physics.0026.00194.HLT2.f00002.root
> export DST=https://rdc-redirector.belle.uvic.ca:1094/TMP/belle/some_test_file
> export TSRC=$(curl --silent --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) \
>   --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates \
>   -X POST -H 'Content-Type: application/macaroon-request' \
>   -d '{"caveats": ["activity:DOWNLOAD"], "validity": "PT30M"}' "$SRC" | jq -r '.macaroon')
> export TDST=$(curl --silent --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) \
>   --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates \
>   -X POST -H 'Content-Type: application/macaroon-request' \
>   -d '{"caveats": ["activity:UPLOAD,DELETE,LIST"], "validity": "PT30M"}' "$DST" | jq -r '.macaroon')
> # StoRM is using JWT tokens, so you can inspect the token from the KEK site using
> # e.g. https://jwt.io
> # it is possible to inspect also macaroon tokens returned by XRootD with
> # e.g.
> # python -c "import macaroons; print(macaroons.deserialize('$TDST'[12:]).inspect())"
>
> # Download
> curl -v --capath /etc/grid-security/certificates -L -X GET \
>   -H 'Secure-Redirection: 1' -H "Authorization: Bearer $TSRC" \
>   --output /tmp/x "$SRC"
> # Upload
> curl -v --capath /etc/grid-security/certificates -L -X PUT \
>   -H 'Secure-Redirection: 1' -H "Authorization: Bearer $TDST" \
>   --upload-file /etc/services "$DST"
> # TPC pull
> curl -v --capath /etc/grid-security/certificates -L -X COPY \
>   -H 'Secure-Redirection: 1' -H 'X-No-Delegate: 1' -H 'Credential: none' \
>   -H "Authorization: Bearer $TDST" -H "TransferHeaderAuthorization: Bearer $TSRC" \
>   -H "Source: $SRC" "$DST"
> # TPC push
> curl -v --capath /etc/grid-security/certificates -L -X COPY \
>   -H 'Secure-Redirection: 1' -H 'X-No-Delegate: 1' -H 'Credential: none' \
>   -H "Authorization: Bearer $TSRC" -H "TransferHeaderAuthorization: Bearer $TDST" \
>   -H "Destination: $DST" "$SRC"
>
> Petr
>
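
Added example, not part of the original thread: the quoted comment suggests inspecting the JWT returned by the StoRM endpoint, and this sketch decodes a JWT's header and payload locally with standard shell tools, so a live bearer token never has to be pasted into a website. The function names are hypothetical, and the sample token and its claims are constructed here, not taken from a real StoRM response; macaroons returned by XRootD are a different format and are not handled.

```shell
#!/bin/sh
# Added example: decode JWT segments locally. Decoding is not verification;
# the signature is never checked here.

# base64url -> bytes, restoring the '=' padding that JWTs strip.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
        1) return 1 ;;            # impossible length for base64url
    esac
    printf '%s' "$s" | base64 -d
}

# jwt_part TOKEN N: print decoded segment N (1 = header, 2 = payload).
jwt_part() {
    seg=$(printf '%s' "$1" | cut -d. -f"$2")
    [ -n "$seg" ] || return 1
    b64url_decode "$seg"
}

# jwt_expired TOKEN [NOW]: exit 0 if "exp" <= NOW (epoch seconds),
# 1 if still valid, 2 if no numeric exp claim is present.
jwt_expired() {
    exp=$(jwt_part "$1" 2 |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$exp" ] || return 2
    [ "$exp" -le "${2:-$(date +%s)}" ]
}

# Constructed sample token; the claim names and values are made up.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_PAYLOAD='{"sub":"constructed-user","scope":"storage.read:/","exp":1710849600}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_PAYLOAD").c2lnbmF0dXJl"

jwt_part "$SAMPLE_TOKEN" 1; echo
jwt_part "$SAMPLE_TOKEN" 2; echo
jwt_expired "$SAMPLE_TOKEN" && echo "token expired"
```

With the variables from the quoted commands, `jwt_part "$TSRC" 2` would print the claims of the token obtained from the source endpoint.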