Discussion:
Invocation from GT4 service to https axis service
(too old to reply)
Andrea Turli
2009-02-24 15:53:16 UTC
Permalink
Hi all,

I'm trying to consume a secure Axis Web service (the voms server in
https) but I've many problems. In particular, I'm using this code in a
-nosec container (GT4.1)

static {
Util.registerTransport();
}
....
VOMSAdminServiceLocator locator = new VOMSAdminServiceLocator();
URL vomsAdminURL = new
URL("https://my_server:8443/voms/myVO/services/VOMSAdmin");

VOMSAdmin stub = locator.getVOMSAdmin(vomsAdminURL);

// credentials
stub._setProperty(GSIConstants.GSI_CREDENTIALS, credentials);

// Authentication method
stub._setProperty(Constants.GSI_SEC_CONV, Constants.ENCRYPTION);

// delegation
stub._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_NO_DELEG);

// set Context lifetime
stub._setProperty(Constants.CONTEXT_LIFETIME, 300);


try {
stub.createUser(user);
logger.info("User created with CN " + username + " with DN " + dn
+ " with CA " + ca + " with mail " + email);
} catch (Exception e) {
e.printStackTrace();
throw e;
}

and I get this fault:
AxisFault
faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}General
faultSubcode:
faultString: ; nested exception is:
org.globus.common.ChainedIOException: Authentication failed [Caused
by: Failure unspecified at GSS-API level [Caused by: Handshake
failure]]
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: org.globus.common.ChainedIOException: Authentication
failed [Caused by: Failure unspecified at GSS-API level [Caused by:
Handshake failure]]
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:Authentication failed. Caused
by Failure unspecified at GSS-API level. Caused by
COM.claymoresystems.ptls.SSLCaughtAlertException: Handshake failure
at COM.claymoresystems.ptls.SSLRecordReader.processAlert(SSLRecordReader.java:153)
at COM.claymoresystems.ptls.SSLRecordReader.readRecord(SSLRecordReader.java:90)
at COM.claymoresystems.ptls.SSLHandshake.recvHandshakeToken(SSLHandshake.java:177)
at COM.claymoresystems.ptls.SSLHandshakeClient.processTokens(SSLHandshakeClient.java:108)
at COM.claymoresystems.ptls.SSLHandshake.processHandshake(SSLHandshake.java:135)
at org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext(GlobusGSSContextImpl.java:483)
at org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:102)
at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:140)
at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
at org.apache.axis.client.Call.invoke(Call.java:2710)
at org.apache.axis.client.Call.invoke(Call.java:2386)
at org.apache.axis.client.Call.invoke(Call.java:2309)
at org.apache.axis.client.Call.invoke(Call.java:1766)
at org.globus.wsrf.security.impl.secconv.SecureConversationSOAPBindingStub.requestSecurityToken(SecureConversationSOAPBindingStub.java:1153)
at org.globus.wsrf.impl.security.authentication.secureconv.Authenticator.authenticate(Authenticator.java:95)
at org.globus.wsrf.impl.security.authentication.secureconv.SecContextHandler.handleRequest(SecContextHandler.java:265)
at org.apache.axis.handlers.HandlerChainImpl.handleRequest(HandlerChainImpl.java:105)
at org.apache.axis.handlers.JAXRPCHandler.invoke(JAXRPCHandler.java:52)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
at org.apache.axis.client.Call.invoke(Call.java:2710)
at org.apache.axis.client.Call.invoke(Call.java:2386)
at org.apache.axis.client.Call.invoke(Call.java:2309)
at org.apache.axis.client.Call.invoke(Call.java:1766)
at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:415)
at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)

{http://xml.apache.org/axis/}hostname:grids16.eng.it

org.globus.common.ChainedIOException: Authentication failed [Caused
by: Failure unspecified at GSS-API level [Caused by: Handshake
failure]]
at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
at org.apache.axis.client.Call.invoke(Call.java:2710)
at org.apache.axis.client.Call.invoke(Call.java:2386)
at org.apache.axis.client.Call.invoke(Call.java:2309)
at org.apache.axis.client.Call.invoke(Call.java:1766)
at org.globus.wsrf.security.impl.secconv.SecureConversationSOAPBindingStub.requestSecurityToken(SecureConversationSOAPBindingStub.java:1153)
at org.globus.wsrf.impl.security.authentication.secureconv.Authenticator.authenticate(Authenticator.java:95)
at org.globus.wsrf.impl.security.authentication.secureconv.SecContextHandler.handleRequest(SecContextHandler.java:265)
at org.apache.axis.handlers.HandlerChainImpl.handleRequest(HandlerChainImpl.java:105)
at org.apache.axis.handlers.JAXRPCHandler.invoke(JAXRPCHandler.java:52)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
at org.apache.axis.client.Call.invoke(Call.java:2710)
at org.apache.axis.client.Call.invoke(Call.java:2386)
at org.apache.axis.client.Call.invoke(Call.java:2309)
at org.apache.axis.client.Call.invoke(Call.java:1766)
at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:415)
at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
Caused by: org.globus.common.ChainedIOException: Authentication failed
[Caused by: Failure unspecified at GSS-API level [Caused by: Handshake
failure]]
at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:145)
at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
... 54 more

{http://xml.apache.org/axis/}hostname:grids16.eng.it

; nested exception is:
org.globus.common.ChainedIOException: Authentication failed [Caused
by: Failure unspecified at GSS-API level [Caused by: Handshake
failure]]
at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:216)
at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
at org.apache.axis.client.Call.invoke(Call.java:2710)
at org.apache.axis.client.Call.invoke(Call.java:2386)
at org.apache.axis.client.Call.invoke(Call.java:2309)
at org.apache.axis.client.Call.invoke(Call.java:1766)
at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:415)
at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
Caused by: javax.xml.rpc.soap.SOAPFaultException: ; nested exception is:
org.globus.common.ChainedIOException: Authentication failed [Caused
by: Failure unspecified at GSS-API level [Caused by: Handshake
failure]]
at org.globus.wsrf.impl.security.authentication.wssec.WSSecurityFault.makeFault(WSSecurityFault.java:105)
at org.globus.wsrf.impl.security.authentication.secureconv.SecContextHandler.handleRequest(SecContextHandler.java:273)
at org.apache.axis.handlers.HandlerChainImpl.handleRequest(HandlerChainImpl.java:105)
at org.apache.axis.handlers.JAXRPCHandler.invoke(JAXRPCHandler.java:52)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
... 36 more


I've tried to invoke the same voms server from a java client and I've
no problem.
Could you give me any kind of support?

Thank you,
Andrea
Tom Scavo
2009-02-24 21:31:27 UTC
Permalink
Andrea, on a long shot, are you perhaps using OpenSSL 0.9.8j on the
client? This particular version of OpenSSL is known to have SSL/TLS
handshake issues.

Tom

On Tue, Feb 24, 2009 at 10:53 AM, Andrea Turli <***@eng.it> wrote:
> Hi all,
>
> I'm trying to consume a secure Axis Web service (the voms server in
> https) but I've many problems. In particular, I'm using this code in a
> -nosec container (GT4.1)
>
>    static {
>        Util.registerTransport();
>    }
> ....
>        VOMSAdminServiceLocator locator = new VOMSAdminServiceLocator();
>        URL vomsAdminURL = new
> URL("https://my_server:8443/voms/myVO/services/VOMSAdmin");
>
>        VOMSAdmin stub = locator.getVOMSAdmin(vomsAdminURL);
>
>                // credentials
>                stub._setProperty(GSIConstants.GSI_CREDENTIALS, credentials);
>
>                // Authentication method
>                stub._setProperty(Constants.GSI_SEC_CONV, Constants.ENCRYPTION);
>
>                // delegation
>                stub._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_NO_DELEG);
>
>                // set Context lifetime
>                stub._setProperty(Constants.CONTEXT_LIFETIME, 300);
>
>
>        try {
>            stub.createUser(user);
>            logger.info("User created with CN " + username + " with DN " + dn
>                    + " with CA " + ca + " with mail " + email);
>        } catch (Exception e) {
>            e.printStackTrace();
>            throw e;
>        }
>
> and I get this fault:
> AxisFault
>  faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}General
>  faultSubcode:
>  faultString: ; nested exception is:
>        org.globus.common.ChainedIOException: Authentication failed [Caused
> by: Failure unspecified at GSS-API level [Caused by: Handshake
> failure]]
>  faultActor:
>  faultNode:
>  faultDetail:
>        {http://xml.apache.org/axis/}stackTrace:AxisFault
>  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
>  faultSubcode:
>  faultString: org.globus.common.ChainedIOException: Authentication
> failed [Caused by: Failure unspecified at GSS-API level [Caused by:
> Handshake failure]]
>  faultActor:
>  faultNode:
>  faultDetail:
>        {http://xml.apache.org/axis/}stackTrace:Authentication failed. Caused
> by Failure unspecified at GSS-API level. Caused by
> COM.claymoresystems.ptls.SSLCaughtAlertException: Handshake failure
>        at COM.claymoresystems.ptls.SSLRecordReader.processAlert(SSLRecordReader.java:153)
>        at COM.claymoresystems.ptls.SSLRecordReader.readRecord(SSLRecordReader.java:90)
>        at COM.claymoresystems.ptls.SSLHandshake.recvHandshakeToken(SSLHandshake.java:177)
>        at COM.claymoresystems.ptls.SSLHandshakeClient.processTokens(SSLHandshakeClient.java:108)
>        at COM.claymoresystems.ptls.SSLHandshake.processHandshake(SSLHandshake.java:135)
>        at org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext(GlobusGSSContextImpl.java:483)
>        at org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:102)
>        at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:140)
>        at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
>        at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
>        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>        at org.globus.wsrf.security.impl.secconv.SecureConversationSOAPBindingStub.requestSecurityToken(SecureConversationSOAPBindingStub.java:1153)
>        at org.globus.wsrf.impl.security.authentication.secureconv.Authenticator.authenticate(Authenticator.java:95)
>        at org.globus.wsrf.impl.security.authentication.secureconv.SecContextHandler.handleRequest(SecContextHandler.java:265)
>        at org.apache.axis.handlers.HandlerChainImpl.handleRequest(HandlerChainImpl.java:105)
>        at org.apache.axis.handlers.JAXRPCHandler.invoke(JAXRPCHandler.java:52)
>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>        at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
>        at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:415)
>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
>        at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
>        at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
>        at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:585)
>        at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
>        at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
>        at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
>        at java.security.AccessController.doPrivileged(Native Method)
>        at javax.security.auth.Subject.doAs(Subject.java:396)
>        at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
>        at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
>        at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
>        at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
>        at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
>        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
>        at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
>        at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
>        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
>
>        {http://xml.apache.org/axis/}hostname:grids16.eng.it
>
> org.globus.common.ChainedIOException: Authentication failed [Caused
> by: Failure unspecified at GSS-API level [Caused by: Handshake
> failure]]
>        at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
>        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>        at org.globus.wsrf.security.impl.secconv.SecureConversationSOAPBindingStub.requestSecurityToken(SecureConversationSOAPBindingStub.java:1153)
>        at org.globus.wsrf.impl.security.authentication.secureconv.Authenticator.authenticate(Authenticator.java:95)
>        at org.globus.wsrf.impl.security.authentication.secureconv.SecContextHandler.handleRequest(SecContextHandler.java:265)
>        at org.apache.axis.handlers.HandlerChainImpl.handleRequest(HandlerChainImpl.java:105)
>        at org.apache.axis.handlers.JAXRPCHandler.invoke(JAXRPCHandler.java:52)
>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>        at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
>        at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:415)
>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
>        at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
>        at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
>        at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:585)
>        at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
>        at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
>        at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
>        at java.security.AccessController.doPrivileged(Native Method)
>        at javax.security.auth.Subject.doAs(Subject.java:396)
>        at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
>        at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
>        at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
>        at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
>        at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
>        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
>        at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
>        at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
>        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
> Caused by: org.globus.common.ChainedIOException: Authentication failed
> [Caused by: Failure unspecified at GSS-API level [Caused by: Handshake
> failure]]
>        at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:145)
>        at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
>        at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
>        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
>        ... 54 more
>
>        {http://xml.apache.org/axis/}hostname:grids16.eng.it
>
> ; nested exception is:
>        org.globus.common.ChainedIOException: Authentication failed [Caused
> by: Failure unspecified at GSS-API level [Caused by: Handshake
> failure]]
>        at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:216)
>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>        at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
>        at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:415)
>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
>        at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
>        at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
>        at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:585)
>        at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
>        at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
>        at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
>        at java.security.AccessController.doPrivileged(Native Method)
>        at javax.security.auth.Subject.doAs(Subject.java:396)
>        at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
>        at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
>        at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
>        at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
>        at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
>        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
>        at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
>        at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
>        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
> Caused by: javax.xml.rpc.soap.SOAPFaultException: ; nested exception is:
>        org.globus.common.ChainedIOException: Authentication failed [Caused
> by: Failure unspecified at GSS-API level [Caused by: Handshake
> failure]]
>        at org.globus.wsrf.impl.security.authentication.wssec.WSSecurityFault.makeFault(WSSecurityFault.java:105)
>        at org.globus.wsrf.impl.security.authentication.secureconv.SecContextHandler.handleRequest(SecContextHandler.java:273)
>        at org.apache.axis.handlers.HandlerChainImpl.handleRequest(HandlerChainImpl.java:105)
>        at org.apache.axis.handlers.JAXRPCHandler.invoke(JAXRPCHandler.java:52)
>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>        ... 36 more
>
>
> I've tried to invoke the same voms server from a java client and I've
> no problem.
> Could you give me any kind of support?
>
> Thank you,
> Andrea
>
Andrea Turli
2009-02-25 13:50:35 UTC
Permalink
I've checked the version installed in the server
$ rpm -qa | grep openssl
openssl-0.9.7a-33.24

Does also this version have known issues?

Btw, could it be a problem related to the "stubs format"?
I've generated these stubs starting from wsdl distributed by voms
developers (in attachment) with this ant command:

<java classname="org.apache.axis.wsdl.WSDL2Java" fork="true">
<arg line="-o ${build.stubs.src.dir} --noWrapped
glite-security-voms-admin-2.0.2.wsdl"/>
<classpath>
<fileset dir="${container.dir}/lib">
<include name="*.jar" />
</fileset>
</classpath>
</java>

Did I make any mistakes?

Andrea



On Tue, Feb 24, 2009 at 10:31 PM, Tom Scavo <***@gmail.com> wrote:
> Andrea, on a long shot, are you perhaps using OpenSSL 0.9.8j on the
> client?  This particular version of OpenSSL is known to have SSL/TLS
> handshake issues.
>
> Tom
>
> On Tue, Feb 24, 2009 at 10:53 AM, Andrea Turli <***@eng.it> wrote:
>> Hi all,
>>
>> I'm trying to consume a secure Axis Web service (the voms server in
>> https) but I've many problems. In particular, I'm using this code in a
>> -nosec container (GT4.1)
>>
>>    static {
>>        Util.registerTransport();
>>    }
>> ....
>>        VOMSAdminServiceLocator locator = new VOMSAdminServiceLocator();
>>        URL vomsAdminURL = new
>> URL("https://my_server:8443/voms/myVO/services/VOMSAdmin");
>>
>>        VOMSAdmin stub = locator.getVOMSAdmin(vomsAdminURL);
>>
>>                // credentials
>>                stub._setProperty(GSIConstants.GSI_CREDENTIALS, credentials);
>>
>>                // Authentication method
>>                stub._setProperty(Constants.GSI_SEC_CONV, Constants.ENCRYPTION);
>>
>>                // delegation
>>                stub._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_NO_DELEG);
>>
>>                // set Context lifetime
>>                stub._setProperty(Constants.CONTEXT_LIFETIME, 300);
>>
>>
>>        try {
>>            stub.createUser(user);
>>            logger.info("User created with CN " + username + " with DN " + dn
>>                    + " with CA " + ca + " with mail " + email);
>>        } catch (Exception e) {
>>            e.printStackTrace();
>>            throw e;
>>        }
>>
>> and I get this fault:
>> AxisFault
>>  faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}General
>>  faultSubcode:
>>  faultString: ; nested exception is:
>>        org.globus.common.ChainedIOException: Authentication failed [Caused
>> by: Failure unspecified at GSS-API level [Caused by: Handshake
>> failure]]
>>  faultActor:
>>  faultNode:
>>  faultDetail:
>>        {http://xml.apache.org/axis/}stackTrace:AxisFault
>>  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
>>  faultSubcode:
>>  faultString: org.globus.common.ChainedIOException: Authentication
>> failed [Caused by: Failure unspecified at GSS-API level [Caused by:
>> Handshake failure]]
>>  faultActor:
>>  faultNode:
>>  faultDetail:
>>        {http://xml.apache.org/axis/}stackTrace:Authentication failed. Caused
>> by Failure unspecified at GSS-API level. Caused by
>> COM.claymoresystems.ptls.SSLCaughtAlertException: Handshake failure
>>        at COM.claymoresystems.ptls.SSLRecordReader.processAlert(SSLRecordReader.java:153)
>>        at COM.claymoresystems.ptls.SSLRecordReader.readRecord(SSLRecordReader.java:90)
>>        at COM.claymoresystems.ptls.SSLHandshake.recvHandshakeToken(SSLHandshake.java:177)
>>        at COM.claymoresystems.ptls.SSLHandshakeClient.processTokens(SSLHandshakeClient.java:108)
>>        at COM.claymoresystems.ptls.SSLHandshake.processHandshake(SSLHandshake.java:135)
>>        at org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext(GlobusGSSContextImpl.java:483)
>>        at org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:102)
>>        at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:140)
>>        at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
>>        at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
>>        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
>>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>>        at org.globus.wsrf.security.impl.secconv.SecureConversationSOAPBindingStub.requestSecurityToken(SecureConversationSOAPBindingStub.java:1153)
>>        at org.globus.wsrf.impl.security.authentication.secureconv.Authenticator.authenticate(Authenticator.java:95)
>>        at org.globus.wsrf.impl.security.authentication.secureconv.SecContextHandler.handleRequest(SecContextHandler.java:265)
>>        at org.apache.axis.handlers.HandlerChainImpl.handleRequest(HandlerChainImpl.java:105)
>>        at org.apache.axis.handlers.JAXRPCHandler.invoke(JAXRPCHandler.java:52)
>>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>>        at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
>>        at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:415)
>>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
>>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
>>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
>>        at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
>>        at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
>>        at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
>>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:585)
>>        at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
>>        at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
>>        at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
>>        at java.security.AccessController.doPrivileged(Native Method)
>>        at javax.security.auth.Subject.doAs(Subject.java:396)
>>        at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
>>        at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
>>        at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
>>        at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
>>        at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
>>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
>>        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
>>        at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
>>        at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
>>        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
>>
>>        {http://xml.apache.org/axis/}hostname:grids16.eng.it
>>
>> org.globus.common.ChainedIOException: Authentication failed [Caused
>> by: Failure unspecified at GSS-API level [Caused by: Handshake
>> failure]]
>>        at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
>>        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
>>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>>        at org.globus.wsrf.security.impl.secconv.SecureConversationSOAPBindingStub.requestSecurityToken(SecureConversationSOAPBindingStub.java:1153)
>>        at org.globus.wsrf.impl.security.authentication.secureconv.Authenticator.authenticate(Authenticator.java:95)
>>        at org.globus.wsrf.impl.security.authentication.secureconv.SecContextHandler.handleRequest(SecContextHandler.java:265)
>>        at org.apache.axis.handlers.HandlerChainImpl.handleRequest(HandlerChainImpl.java:105)
>>        at org.apache.axis.handlers.JAXRPCHandler.invoke(JAXRPCHandler.java:52)
>>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>>        at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
>>        at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:415)
>>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
>>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
>>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
>>        at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
>>        at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
>>        at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
>>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:585)
>>        at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
>>        at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
>>        at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
>>        at java.security.AccessController.doPrivileged(Native Method)
>>        at javax.security.auth.Subject.doAs(Subject.java:396)
>>        at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
>>        at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
>>        at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
>>        at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
>>        at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
>>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
>>        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
>>        at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
>>        at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
>>        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
>> Caused by: org.globus.common.ChainedIOException: Authentication failed
>> [Caused by: Failure unspecified at GSS-API level [Caused by: Handshake
>> failure]]
>>        at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:145)
>>        at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:161)
>>        at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:433)
>>        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:135)
>>        ... 54 more
>>
>>        {http://xml.apache.org/axis/}hostname:grids16.eng.it
>>
>> ; nested exception is:
>>        org.globus.common.ChainedIOException: Authentication failed [Caused
>> by: Failure unspecified at GSS-API level [Caused by: Handshake
>> failure]]
>>        at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
>>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:216)
>>        at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
>>        at org.apache.axis.client.Call.invoke(Call.java:2710)
>>        at org.apache.axis.client.Call.invoke(Call.java:2386)
>>        at org.apache.axis.client.Call.invoke(Call.java:2309)
>>        at org.apache.axis.client.Call.invoke(Call.java:1766)
>>        at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
>>        at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:415)
>>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
>>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
>>        at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
>>        at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
>>        at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
>>        at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
>>        at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:585)
>>        at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
>>        at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
>>        at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
>>        at java.security.AccessController.doPrivileged(Native Method)
>>        at javax.security.auth.Subject.doAs(Subject.java:396)
>>        at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
>>        at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
>>        at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
>>        at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
>>        at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
>>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
>>        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
>>        at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
>>        at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
>>        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
>> Caused by: javax.xml.rpc.soap.SOAPFaultException: ; nested exception is:
>>        org.globus.common.ChainedIOException: Authentication failed [Caused
>> by: Failure unspecified at GSS-API level [Caused by: Handshake
>> failure]]
>>        at org.globus.wsrf.impl.security.authentication.wssec.WSSecurityFault.makeFault(WSSecurityFault.java:105)
>>        at org.globus.wsrf.impl.security.authentication.secureconv.SecContextHandler.handleRequest(SecContextHandler.java:273)
>>        at org.apache.axis.handlers.HandlerChainImpl.handleRequest(HandlerChainImpl.java:105)
>>        at org.apache.axis.handlers.JAXRPCHandler.invoke(JAXRPCHandler.java:52)
>>        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>>        ... 36 more
>>
>>
>> I've tried to invoke the same voms server from a java client and I've
>> no problem.
>> Could you give me any kind of support?
>>
>> Thank you,
>> Andrea
>>
>
>
Tom Scavo
2009-02-25 14:32:02 UTC
Permalink
On Wed, Feb 25, 2009 at 7:50 AM, Andrea Turli <***@eng.it> wrote:
> I've checked the version installed in the server
> $ rpm -qa | grep openssl
> openssl-0.9.7a-33.24
>
> Does also this version have known issues?

No, the issue affects only OpenSSL 0.9.8j:

https://mail.internet2.edu/wws/arc/shibboleth-dev/2009-02/msg00000.html

Still, it wouldn't hurt to try the openssl commands suggested in the
above thread (on the client):

$ openssl s_client -connect localhost:443 -no_ssl2
$ openssl s_client -connect localhost:443 -tls1
$ openssl s_client -connect localhost:443 -ssl3

Tom
Andrea Turli
2009-02-25 15:23:04 UTC
Permalink
Hi Tom,

I've tried to run these three commands
> $ openssl s_client -connect localhost:443 -no_ssl2
> $ openssl s_client -connect localhost:443 -tls1
> $ openssl s_client -connect localhost:443 -ssl3

and I have the same problem. This command also

openssl s_client -connect localhost:443

doesn't work

This is the stacktrace I can see:
CONNECTED(00000003)
depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
verify error:num=21:unable to verify the first certificate
verify return:1
20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
certificate:s3_pkt.c:1046:SSL alert number 42
20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:

So the problem seems related to SSL. Can anyone give me an hint?

Thank you in advance,
Andrea


On Wed, Feb 25, 2009 at 3:32 PM, Tom Scavo <***@gmail.com> wrote:
> On Wed, Feb 25, 2009 at 7:50 AM, Andrea Turli <***@eng.it> wrote:
>> I've checked the version installed in the server
>> $ rpm -qa | grep openssl
>> openssl-0.9.7a-33.24
>>
>> Does also this version have known issues?
>
> No, the issue affects only OpenSSL 0.9.8j:
>
> https://mail.internet2.edu/wws/arc/shibboleth-dev/2009-02/msg00000.html
>
> Still, it wouldn't hurt to try the openssl commands suggested in the
> above thread (on the client):
>
> $ openssl s_client -connect localhost:443 -no_ssl2
> $ openssl s_client -connect localhost:443 -tls1
> $ openssl s_client -connect localhost:443 -ssl3
>
> Tom
>
>
Andrea Turli
2009-02-25 15:39:06 UTC
Permalink
Trying to understand if my issue is related to SSL or GLOBUS, I've
found on globus documentation some tests to validate host certificate
setup

http://www.globus.org/toolkit/docs/4.0/security/cas/user-index.html#id2532610

Running the commands specified there everything works.
I'm really confused. Any ideas?

Andrea

On Wed, Feb 25, 2009 at 4:23 PM, Andrea Turli <***@eng.it> wrote:
> Hi Tom,
>
> I've tried to run these three commands
>> $ openssl s_client -connect localhost:443 -no_ssl2
>> $ openssl s_client -connect localhost:443 -tls1
>> $ openssl s_client -connect localhost:443 -ssl3
>
> and I have the same problem. This command also
>
> openssl s_client -connect localhost:443
>
> doesn't work
>
> This is the stacktrace I can see:
> CONNECTED(00000003)
> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1046:SSL alert number 42
> 20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:226:
>
> So the problem seems related to SSL. Can anyone give me an hint?
>
> Thank you in advance,
> Andrea
>
>
> On Wed, Feb 25, 2009 at 3:32 PM, Tom Scavo <***@gmail.com> wrote:
>> On Wed, Feb 25, 2009 at 7:50 AM, Andrea Turli <***@eng.it> wrote:
>>> I've checked the version installed in the server
>>> $ rpm -qa | grep openssl
>>> openssl-0.9.7a-33.24
>>>
>>> Does also this version have known issues?
>>
>> No, the issue affects only OpenSSL 0.9.8j:
>>
>> https://mail.internet2.edu/wws/arc/shibboleth-dev/2009-02/msg00000.html
>>
>> Still, it wouldn't hurt to try the openssl commands suggested in the
>> above thread (on the client):
>>
>> $ openssl s_client -connect localhost:443 -no_ssl2
>> $ openssl s_client -connect localhost:443 -tls1
>> $ openssl s_client -connect localhost:443 -ssl3
>>
>> Tom
>>
>>
>
Tom Scavo
2009-02-25 19:34:47 UTC
Permalink
On Wed, Feb 25, 2009 at 10:39 AM, Andrea Turli <***@eng.it> wrote:
> Trying to understand if my issue is related to SSL or GLOBUS, I've
> found on globus documentation some tests to validate host certificate
> setup
>
> http://www.globus.org/toolkit/docs/4.0/security/cas/user-index.html#id2532610
>
> Running the commands specified there everything works.
> I'm really confused. Any ideas?

I'm stumped, too. Take a look at this google search:

site:globus.org
"COM.claymoresystems.ptls.SSLRecordReader.processAlert"
"Authentication failed" "Failure unspecified at GSS-API level"

The only message there directly applicable to your problem is

http://www.globus.org/mail_archive/myproxy-user/2008/08/msg00001.html

but no solution is given, unfortunately.

Tom
Tom Scavo
2009-02-25 19:22:18 UTC
Permalink
On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <***@eng.it> wrote:
>
> This command also
>
> openssl s_client -connect localhost:443
>
> doesn't work
>
> This is the stacktrace I can see:
> CONNECTED(00000003)
> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1046:SSL alert number 42
> 20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:226:

Hmm, so what happens when you run this command on the client that
doesn't have a problem communicating with the VOMS server? Also, what
version of openssl are you running on the other client?

Tom
Vincenzo Ciaschini
2009-02-26 10:35:44 UTC
Permalink
Vincenzo Ciaschini wrote:
> Tom Scavo wrote:
>> On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <***@eng.it>
>> wrote:
>>> This command also
>>>
>>> openssl s_client -connect localhost:443
>>>
>>> doesn't work
>>>
>>> This is the stacktrace I can see:
>>> CONNECTED(00000003)
>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>> verify error:num=20:unable to get local issuer certificate
>>> verify return:1
>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>> verify error:num=27:certificate not trusted
>>> verify return:1
>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>> verify error:num=21:unable to verify the first certificate
>>> verify return:1
>>> 20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>>> certificate:s3_pkt.c:1046:SSL alert number 42
>>> 20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>> failure:s23_lib.c:226:
>
> This error trace seem to hint to the fact that OpenSSL could not find
> the CA certificate of the grids16.eng.it host cert in the CA store. What
> is the default value of -CApath when one does not specify it?
It is '/certs'. I assume you do not have it, right?

> Are you
> sure you have the CA certificate installed?

Ciao,
Vincenzo
Andrea Turli
2009-02-26 12:03:01 UTC
Permalink
I don't know if this will answer you're questions but I've tried these
three commands:

$ openssl verify -CApath /etc/grid-security/certificates -purpose
sslclient ~/.globus/usercert.pem
/home/turli/.globus/usercert.pem: OK

$ openssl verify -CApath /etc/grid-security/certificates -purpose
sslclient /etc/grid-security/containercert.pem
/etc/grid-security/containercert.pem: OK

$ openssl verify -purpose sslclient /etc/grid-security/containercert.pem
/etc/grid-security/containercert.pem:
/C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
error 20 at 0 depth lookup:unable to get local issuer certificate

Wnat could be the solution?

Andrea



On Thu, Feb 26, 2009 at 11:35 AM, Vincenzo Ciaschini
<***@cnaf.infn.it> wrote:
> Vincenzo Ciaschini wrote:
>>
>> Tom Scavo wrote:
>>>
>>> On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <***@eng.it>
>>> wrote:
>>>>
>>>> This command also
>>>>
>>>> openssl s_client -connect localhost:443
>>>>
>>>> doesn't work
>>>>
>>>> This is the stacktrace I can see:
>>>> CONNECTED(00000003)
>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>> verify error:num=20:unable to get local issuer certificate
>>>> verify return:1
>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>> verify error:num=27:certificate not trusted
>>>> verify return:1
>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>> verify error:num=21:unable to verify the first certificate
>>>> verify return:1
>>>> 20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>>>> certificate:s3_pkt.c:1046:SSL alert number 42
>>>> 20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>>> failure:s23_lib.c:226:
>>
>> This error trace seem to hint to the fact that OpenSSL could not find the
>> CA certificate of the grids16.eng.it host cert in the CA store. What is the
>> default value of -CApath when one does not specify it?
>
> It is '/certs'.  I assume you do not have it, right?
>
>>  Are you sure you have the CA certificate installed?
>
> Ciao,
>   Vincenzo
>
>
>
Vincenzo Ciaschini
2009-02-26 12:47:35 UTC
Permalink
Andrea Turli wrote:
> I don't know if this will answer you're questions but I've tried these
> three commands:
>
> $ openssl verify -CApath /etc/grid-security/certificates -purpose
> sslclient /etc/grid-security/containercert.pem
> /etc/grid-security/containercert.pem: OK
>
> $ openssl verify -purpose sslclient /etc/grid-security/containercert.pem
> /etc/grid-security/containercert.pem:
> /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
> error 20 at 0 depth lookup:unable to get local issuer certificate
The difference here is the missing -CApath in the second command, which
confirms the act that you did not put hem in /certs instead.

In this situation, all your openssl subcommands should specify the
-CApath option if that option is available. For example, verify,
s_client and s_server should, x509 should not.

Which means, retry this command:
openssl s_client -CApath /etc/grid-security/certificates -connect
localhost:443

instead of just:
openssl s_client -connect localhost:443

Ciao,
Vincenzo

>
> Wnat could be the solution?
>
> Andrea
>
>
>
> On Thu, Feb 26, 2009 at 11:35 AM, Vincenzo Ciaschini
> <***@cnaf.infn.it> wrote:
>> Vincenzo Ciaschini wrote:
>>> Tom Scavo wrote:
>>>> On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <***@eng.it>
>>>> wrote:
>>>>> This command also
>>>>>
>>>>> openssl s_client -connect localhost:443
>>>>>
>>>>> doesn't work
>>>>>
>>>>> This is the stacktrace I can see:
>>>>> CONNECTED(00000003)
>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>> verify error:num=20:unable to get local issuer certificate
>>>>> verify return:1
>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>> verify error:num=27:certificate not trusted
>>>>> verify return:1
>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>> verify error:num=21:unable to verify the first certificate
>>>>> verify return:1
>>>>> 20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>>>>> certificate:s3_pkt.c:1046:SSL alert number 42
>>>>> 20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>>>> failure:s23_lib.c:226:
>>> This error trace seem to hint to the fact that OpenSSL could not find the
>>> CA certificate of the grids16.eng.it host cert in the CA store. What is the
>>> default value of -CApath when one does not specify it?
>> It is '/certs'. I assume you do not have it, right?
>>
>>> Are you sure you have the CA certificate installed?
>> Ciao,
>> Vincenzo
>>
>>
>>
Andrea Turli
2009-02-26 13:41:16 UTC
Permalink
Thanks Vincenzo. Now it's clear.

Unfortunately, the problem here is that I get this "handshake failure"
fault during an axis invocation from inside globus service in a GT4
container towards the VOMS server.

How can I set this low-lewel openssl parameter (CAPath) for this axis
invocation?

Moreover a generic GET HTTPS call from inside the same GT4 service
works correctly. For this reason I think that "globus" overwrites in
some sense the standard SSL behavior (cog ?). Is it possible?

Andrea

On Thu, Feb 26, 2009 at 1:47 PM, Vincenzo Ciaschini
<***@cnaf.infn.it> wrote:
> Andrea Turli wrote:
>>
>> I don't know if this will answer you're questions but I've tried these
>> three commands:
>>
>> $ openssl verify -CApath /etc/grid-security/certificates -purpose
>> sslclient /etc/grid-security/containercert.pem
>> /etc/grid-security/containercert.pem: OK
>>
>> $ openssl verify -purpose sslclient /etc/grid-security/containercert.pem
>> /etc/grid-security/containercert.pem:
>> /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> The difference here is the missing -CApath in the second command, which
> confirms the act that you did not put hem in /certs instead.
>
> In this situation, all your openssl subcommands should specify the -CApath
> option if that option is available.  For example, verify, s_client and
> s_server should, x509 should not.
>
> Which means, retry this command:
> openssl s_client -CApath /etc/grid-security/certificates -connect
> localhost:443
>
> instead of just:
> openssl s_client -connect localhost:443
>
> Ciao,
>   Vincenzo
>
>>
>> Wnat could be the solution?
>>
>> Andrea
>>
>>
>>
>> On Thu, Feb 26, 2009 at 11:35 AM, Vincenzo Ciaschini
>> <***@cnaf.infn.it> wrote:
>>>
>>> Vincenzo Ciaschini wrote:
>>>>
>>>> Tom Scavo wrote:
>>>>>
>>>>> On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <***@eng.it>
>>>>> wrote:
>>>>>>
>>>>>> This command also
>>>>>>
>>>>>> openssl s_client -connect localhost:443
>>>>>>
>>>>>> doesn't work
>>>>>>
>>>>>> This is the stacktrace I can see:
>>>>>> CONNECTED(00000003)
>>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>>> verify error:num=20:unable to get local issuer certificate
>>>>>> verify return:1
>>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>>> verify error:num=27:certificate not trusted
>>>>>> verify return:1
>>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>>> verify error:num=21:unable to verify the first certificate
>>>>>> verify return:1
>>>>>> 20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>>>>>> certificate:s3_pkt.c:1046:SSL alert number 42
>>>>>> 20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>>>>> failure:s23_lib.c:226:
>>>>
>>>> This error trace seem to hint to the fact that OpenSSL could not find
>>>> the
>>>> CA certificate of the grids16.eng.it host cert in the CA store. What is
>>>> the
>>>> default value of -CApath when one does not specify it?
>>>
>>> It is '/certs'.  I assume you do not have it, right?
>>>
>>>>  Are you sure you have the CA certificate installed?
>>>
>>> Ciao,
>>>  Vincenzo
>>>
>>>
>>>
>
>
>
Vincenzo Ciaschini
2009-02-26 15:42:15 UTC
Permalink
Andrea Turli wrote:
> Thanks Vincenzo. Now it's clear.
>
> Unfortunately, the problem here is that I get this "handshake failure"
> fault during an axis invocation from inside globus service in a GT4
> container towards the VOMS server.
>
> How can I set this low-lewel openssl parameter (CAPath) for this axis
> invocation?
No idea. But why, does it call openssl ? You can see I do not have
much experience with it :)

>
> Moreover a generic GET HTTPS call from inside the same GT4 service
> works correctly. For this reason I think that "globus" overwrites in
> some sense the standard SSL behavior (cog ?). Is it possible?
I expect it does, otherwise legacy proxies could not work. But here it
is better if Tom takes charge of it.

Ciao,
Vincenzo
>
> Andrea
>
> On Thu, Feb 26, 2009 at 1:47 PM, Vincenzo Ciaschini
> <***@cnaf.infn.it> wrote:
>> Andrea Turli wrote:
>>> I don't know if this will answer you're questions but I've tried these
>>> three commands:
>>>
>>> $ openssl verify -CApath /etc/grid-security/certificates -purpose
>>> sslclient /etc/grid-security/containercert.pem
>>> /etc/grid-security/containercert.pem: OK
>>>
>>> $ openssl verify -purpose sslclient /etc/grid-security/containercert.pem
>>> /etc/grid-security/containercert.pem:
>>> /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>> The difference here is the missing -CApath in the second command, which
>> confirms the act that you did not put hem in /certs instead.
>>
>> In this situation, all your openssl subcommands should specify the -CApath
>> option if that option is available. For example, verify, s_client and
>> s_server should, x509 should not.
>>
>> Which means, retry this command:
>> openssl s_client -CApath /etc/grid-security/certificates -connect
>> localhost:443
>>
>> instead of just:
>> openssl s_client -connect localhost:443
>>
>> Ciao,
>> Vincenzo
>>
>>> Wnat could be the solution?
>>>
>>> Andrea
>>>
>>>
>>>
>>> On Thu, Feb 26, 2009 at 11:35 AM, Vincenzo Ciaschini
>>> <***@cnaf.infn.it> wrote:
>>>> Vincenzo Ciaschini wrote:
>>>>> Tom Scavo wrote:
>>>>>> On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <***@eng.it>
>>>>>> wrote:
>>>>>>> This command also
>>>>>>>
>>>>>>> openssl s_client -connect localhost:443
>>>>>>>
>>>>>>> doesn't work
>>>>>>>
>>>>>>> This is the stacktrace I can see:
>>>>>>> CONNECTED(00000003)
>>>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>>>> verify error:num=20:unable to get local issuer certificate
>>>>>>> verify return:1
>>>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>>>> verify error:num=27:certificate not trusted
>>>>>>> verify return:1
>>>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>>>> verify error:num=21:unable to verify the first certificate
>>>>>>> verify return:1
>>>>>>> 20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>>>>>>> certificate:s3_pkt.c:1046:SSL alert number 42
>>>>>>> 20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>>>>>> failure:s23_lib.c:226:
>>>>> This error trace seem to hint to the fact that OpenSSL could not find
>>>>> the
>>>>> CA certificate of the grids16.eng.it host cert in the CA store. What is
>>>>> the
>>>>> default value of -CApath when one does not specify it?
>>>> It is '/certs'. I assume you do not have it, right?
>>>>
>>>>> Are you sure you have the CA certificate installed?
>>>> Ciao,
>>>> Vincenzo
>>>>
>>>>
>>>>
>>
>>
Tom Scavo
2009-02-26 16:21:01 UTC
Permalink
On Thu, Feb 26, 2009 at 10:42 AM, Vincenzo Ciaschini
<***@cnaf.infn.it> wrote:
> Andrea Turli wrote:
>>
>> Moreover a generic GET HTTPS call from inside the same GT4 service
>> works correctly. For this reason I think that "globus" overwrites in
>> some sense the standard SSL behavior (cog ?). Is it possible?
>
> I expect it does, otherwise legacy proxies could not work.  But here it is
> better if Tom takes charge of it.

I wish I could help more. Someone with more knowledge of globus
internals will have to step in here, I'm afraid.

Tom
Tom Scavo
2009-03-01 20:38:06 UTC
Permalink
On Thu, Feb 26, 2009 at 11:21 AM, Tom Scavo <***@gmail.com> wrote:
> On Thu, Feb 26, 2009 at 10:42 AM, Vincenzo Ciaschini
> <***@cnaf.infn.it> wrote:
>> Andrea Turli wrote:
>>>
>>> Moreover a generic GET HTTPS call from inside the same GT4 service
>>> works correctly. For this reason I think that "globus" overwrites in
>>> some sense the standard SSL behavior (cog ?). Is it possible?
>>
>> I expect it does, otherwise legacy proxies could not work.  But here it is
>> better if Tom takes charge of it.
>
> I wish I could help more.  Someone with more knowledge of globus
> internals will have to step in here, I'm afraid.

I just found this mail archive that might prove useful:

http://lists.globus.org/pipermail/gt-user/2008-July/006629.html

Hope this helps,
Tom
Vincenzo Ciaschini
2009-02-26 10:28:34 UTC
Permalink
Tom Scavo wrote:
> On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <***@eng.it> wrote:
>> This command also
>>
>> openssl s_client -connect localhost:443
>>
>> doesn't work
>>
>> This is the stacktrace I can see:
>> CONNECTED(00000003)
>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> 20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>> certificate:s3_pkt.c:1046:SSL alert number 42
>> 20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>> failure:s23_lib.c:226:

This error trace seem to hint to the fact that OpenSSL could not find
the CA certificate of the grids16.eng.it host cert in the CA store.
What is the default value of -CApath when one does not specify it? Are
you sure you have the CA certificate installed?

Ciao,
Vincenzo
Tim Freeman
2009-03-03 22:07:44 UTC
Permalink
On Tue, 24 Feb 2009 16:53:16 +0100
Andrea Turli <***@eng.it> wrote:

> // credentials
> stub._setProperty(GSIConstants.GSI_CREDENTIALS, credentials);
>
> // Authentication method
> stub._setProperty(Constants.GSI_SEC_CONV,
> Constants.ENCRYPTION);
>
> // delegation
> stub._setProperty(GSIConstants.GSI_MODE,
> GSIConstants.GSI_MODE_NO_DELEG);
>
> // set Context lifetime
> stub._setProperty(Constants.CONTEXT_LIFETIME, 300);

Are you intentionally setting "Constants.GSI_SEC_CONV" there? Only an educated
guess, but I wouldn't think secure conversation is the appropriate choice for
VOMS admin service. Try setting the "Constants.GSI_TRANSPORT" to
"Constants.SIGNATURE" or "Constants.ENCRYPTION" instead?

Tim
Andrea Turli
2009-04-24 08:19:32 UTC
Permalink
Yaohhh!!!!

Finally we manage to communicate with VOMS from a GT container by
setting "Constants.GSI_TRANSPORT" as stub property.

Thanks Tim for your precious suggestion

Andrea

On Wed, Mar 4, 2009 at 12:07 AM, Tim Freeman <***@mcs.anl.gov> wrote:
> On Tue, 24 Feb 2009 16:53:16 +0100
> Andrea Turli <***@eng.it> wrote:
>
>>               // credentials
>>               stub._setProperty(GSIConstants.GSI_CREDENTIALS, credentials);
>>
>>               // Authentication method
>>               stub._setProperty(Constants.GSI_SEC_CONV,
>> Constants.ENCRYPTION);
>>
>>               // delegation
>>               stub._setProperty(GSIConstants.GSI_MODE,
>> GSIConstants.GSI_MODE_NO_DELEG);
>>
>>               // set Context lifetime
>>               stub._setProperty(Constants.CONTEXT_LIFETIME, 300);
>
> Are you intentionally setting "Constants.GSI_SEC_CONV" there?  Only an educated
> guess, but I wouldn't think secure conversation is the appropriate choice for
> VOMS admin service.  Try setting the "Constants.GSI_TRANSPORT" to
> "Constants.SIGNATURE" or "Constants.ENCRYPTION" instead?
>
> Tim
>
>
Andrea Turli
2009-04-27 20:43:53 UTC
Permalink
I'm trying to consume a secure Axis Web service (the voms server in
https) but also specifying GSI_TRANSPORT In particular, I'm using this
code in a -nosec container (GT4.1)

  static {
      Util.registerTransport();
  }
....
      VOMSAdminServiceLocator locator = new VOMSAdminServiceLocator();
      URL vomsAdminURL = new
URL("https://my_server:8443/voms/myVO/services/VOMSAdmin");

      VOMSAdmin stub = locator.getVOMSAdmin(vomsAdminURL);

              // credentials
              stub._setProperty(GSIConstants.GSI_CREDENTIALS, credentials);

              // Authentication method
              stub._setProperty(Constants.GSI_TRANSPORT, Constants.ENCRYPTION);

              // delegation
              stub._setProperty(GSIConstants.GSI_MODE,
GSIConstants.GSI_MODE_NO_DELEG);

              // set Context lifetime
              stub._setProperty(Constants.CONTEXT_LIFETIME, 300);


      try {
          stub.createUser(user);
          logger.info("User created with CN " + username + " with DN " + dn
                  + " with CA " + ca + " with mail " + email);
      } catch (Exception e) {
          e.printStackTrace();
          throw e;
      }

Also by specifying GSI_TRANSPORT instead of GSI_SECURE_CONV (I haven't
understood exactly why and when) I got this exception:
AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
 faultSubcode:
 faultString: No client transport named 'https' found!
 faultActor:
 faultNode:
 faultDetail:
      {http://xml.apache.org/axis/}stackTrace:No client transport named
'https' found!
      at org.apache.axis.client.AxisClient.invoke(AxisClient.java:170)
      at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
      at org.apache.axis.client.Call.invoke(Call.java:2710)
      at org.apache.axis.client.Call.invoke(Call.java:2386)
      at org.apache.axis.client.Call.invoke(Call.java:2309)
      at org.apache.axis.client.Call.invoke(Call.java:1766)
      at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
      at org.gcube.vomanagement.vomsAdmin.impl.VOMSAdminImpl.createUser(VOMSAdminImpl.java:137)
      at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:395)
      at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
      at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
      at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
      at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
      at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
      at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
      at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
      at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
      at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:396)
      at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
      at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
      at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
      at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
      at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
      at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
      at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
      at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
      at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
      at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
      at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
      at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
      at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)

      {http://xml.apache.org/axis/}hostname:grids16.eng.it

No client transport named 'https' found!
      at org.apache.axis.client.AxisClient.invoke(AxisClient.java:170)
      at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
      at org.apache.axis.client.Call.invoke(Call.java:2710)
      at org.apache.axis.client.Call.invoke(Call.java:2386)
      at org.apache.axis.client.Call.invoke(Call.java:2309)
      at org.apache.axis.client.Call.invoke(Call.java:1766)
      at org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
      at org.gcube.vomanagement.vomsAdmin.impl.VOMSAdminImpl.createUser(VOMSAdminImpl.java:137)
      at org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:395)
      at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
      at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
      at org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
      at org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
      at org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
      at org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
      at org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
      at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
      at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:396)
      at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
      at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
      at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
      at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
      at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
      at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
      at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
      at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
      at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
      at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
      at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
      at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
      at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)


Can anyone give me a clarification and/or some snippet of code to
understand how can I correctly manage VOMS server from a GT4 service?

Thank you in advance,
Andrea



> On Fri, Apr 24, 2009 at 10:19 AM, Andrea Turli <***@eng.it> wrote:
>>
>> Finally we manage to communicate with VOMS from a GT container by
>> setting "Constants.GSI_TRANSPORT" as stub property.
>>
>> Thanks Tim for your precious suggestion
>>
>> Andrea
>>
>> On Wed, Mar 4, 2009 at 12:07 AM, Tim Freeman <***@mcs.anl.gov> wrote:
>>> On Tue, 24 Feb 2009 16:53:16 +0100
>>> Andrea Turli <***@eng.it> wrote:
>>>
>>>>               // credentials
>>>>               stub._setProperty(GSIConstants.GSI_CREDENTIALS, credentials);
>>>>
>>>>               // Authentication method
>>>>               stub._setProperty(Constants.GSI_SEC_CONV,
>>>> Constants.ENCRYPTION);
>>>>
>>>>               // delegation
>>>>               stub._setProperty(GSIConstants.GSI_MODE,
>>>> GSIConstants.GSI_MODE_NO_DELEG);
>>>>
>>>>               // set Context lifetime
>>>>               stub._setProperty(Constants.CONTEXT_LIFETIME, 300);
>>>
>>> Are you intentionally setting "Constants.GSI_SEC_CONV" there?  Only an educated
>>> guess, but I wouldn't think secure conversation is the appropriate choice for
>>> VOMS admin service.  Try setting the "Constants.GSI_TRANSPORT" to
>>> "Constants.SIGNATURE" or "Constants.ENCRYPTION" instead?
>>>
>>> Tim
>>>
>>>
>>
>
Andrea Turli
2009-05-06 16:35:04 UTC
Permalink
Hi all,

I'm trying to consume a secure Axis Web service (the voms server in https)
from a GT4 service running in a -nosec container (GT4.1)

Finally I've understood what follows: I generated stubs with standard Axis'
wsdl2java from "glite-security-voms-admin-2.0.2.wsdl" released by voms
developers. This wsdl defines all wsdl:operation like the one I pasted as
example:

<wsdl:operation name="getVOName">
<wsdlsoap:operation soapAction=""/>
<wsdl:input name="getVONameRequest">
<wsdlsoap:body encodingStyle="
http://schemas.xmlsoap.org/soap/encoding/" namespace="
http://glite.org/wsdl/services/org.glite.security.voms.service.admin"
use="encoded"/>
</wsdl:input>
<wsdl:output name="getVONameResponse">
<wsdlsoap:body encodingStyle="
http://schemas.xmlsoap.org/soap/encoding/" namespace="
http://glite.org/wsdl/services/org.glite.security.voms.service.admin"
use="encoded"/>
</wsdl:output>
<wsdl:fault name="VOMSException">
<wsdlsoap:fault encodingStyle="
http://schemas.xmlsoap.org/soap/encoding/" name="VOMSException" namespace="
http://glite.org/wsdl/services/org.glite.security.voms.service.admin"
use="encoded"/>
</wsdl:fault>
</wsdl:operation>

where soapAction="". As far as I understood googling a bit
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5502
<http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5502%20>) this is not
GT4 compliant cause "expect soapAction to be populated".

So for test, I've tried to specify, in a given operation of that wsdl, the
correct soapAction. Then I've re-generated the stubs and everything works!

After this long explaination (sorry) my question is: could it be possible to
inject the correct soapAction at stub creation time, in order to have GT4
compliant stubs?
Or could you suggest me another workaround?

Thank you very much,

Andrea




On Mon, Apr 27, 2009 at 10:43 PM, Andrea Turli <***@eng.it> wrote:
> I'm trying to consume a secure Axis Web service (the voms server in
> https) but also specifying GSI_TRANSPORT In particular, I'm using this
> code in a -nosec container (GT4.1)
>
> static {
> Util.registerTransport();
> }
> ....
> VOMSAdminServiceLocator locator = new VOMSAdminServiceLocator();
> URL vomsAdminURL = new
> URL("https://my_server:8443/voms/myVO/services/VOMSAdmin");
>
> VOMSAdmin stub = locator.getVOMSAdmin(vomsAdminURL);
>
> // credentials
> stub._setProperty(GSIConstants.GSI_CREDENTIALS,
credentials);
>
> // Authentication method
> stub._setProperty(Constants.GSI_TRANSPORT,
Constants.ENCRYPTION);
>
> // delegation
> stub._setProperty(GSIConstants.GSI_MODE,
> GSIConstants.GSI_MODE_NO_DELEG);
>
> // set Context lifetime
> stub._setProperty(Constants.CONTEXT_LIFETIME, 300);
>
>
> try {
> stub.createUser(user);
> logger.info("User created with CN " + username + " with DN " +
dn
> + " with CA " + ca + " with mail " + email);
> } catch (Exception e) {
> e.printStackTrace();
> throw e;
> }
>
> Also by specifying GSI_TRANSPORT instead of GSI_SECURE_CONV (I haven't
> understood exactly why and when) I got this exception:
> AxisFault
> faultCode: {
http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
> faultSubcode:
> faultString: No client transport named 'https' found!
> faultActor:
> faultNode:
> faultDetail:
> {http://xml.apache.org/axis/}stackTrace:No client transport named
> 'https' found!
> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:170)
> at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
> at org.apache.axis.client.Call.invoke(Call.java:2710)
> at org.apache.axis.client.Call.invoke(Call.java:2386)
> at org.apache.axis.client.Call.invoke(Call.java:2309)
> at org.apache.axis.client.Call.invoke(Call.java:1766)
> at
org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
> at
org.gcube.vomanagement.vomsAdmin.impl.VOMSAdminImpl.createUser(VOMSAdminImpl.java:137)
> at
org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:395)
> at
org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
> at
org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
> at
org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
> at
org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
> at
org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
> at
org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
> at
org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at
org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
> at
org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
> at
org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
> at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
> at
org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
> at
org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
> at
org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
> at
org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at
org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
> at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
> at
org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
> at
org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
> at
org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
>
> {http://xml.apache.org/axis/}hostname:grids16.eng.it
>
> No client transport named 'https' found!
> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:170)
> at org.apache.axis.client.Call.invokeEngine(Call.java:2727)
> at org.apache.axis.client.Call.invoke(Call.java:2710)
> at org.apache.axis.client.Call.invoke(Call.java:2386)
> at org.apache.axis.client.Call.invoke(Call.java:2309)
> at org.apache.axis.client.Call.invoke(Call.java:1766)
> at
org.glite.wsdl.services.org_glite_security_voms_service_admin.VOMSAdminSoapBindingStub.createUser(VOMSAdminSoapBindingStub.java:905)
> at
org.gcube.vomanagement.vomsAdmin.impl.VOMSAdminImpl.createUser(VOMSAdminImpl.java:137)
> at
org.gcube.vomanagement.credentialsrenewal.impl.Delegator.addVOMSUser(Delegator.java:395)
> at
org.gcube.vomanagement.credentialsrenewal.impl.CredentialsAccountResource.initialise(CredentialsAccountResource.java:694)
> at
org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:91)
> at
org.gcube.common.core.state.GCUBEWSResource.initialise(GCUBEWSResource.java:34)
> at
org.gcube.common.core.state.GCUBEResourceHome._create(GCUBEResourceHome.java:279)
> at
org.gcube.common.core.state.GCUBEResourceHome.create(GCUBEResourceHome.java:250)
> at
org.gcube.common.core.state.GCUBEWSHome.create(GCUBEWSHome.java:164)
> at
org.gcube.vomanagement.credentialsrenewal.impl.CredentialsRenewalService.createCAAccountOperation(CredentialsRenewalService.java:84)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at
org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
> at
org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
> at
org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
> at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
> at
org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
> at
org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
> at
org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
> at
org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at
org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
> at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
> at
org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
> at
org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
> at
org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
>
>
> Can anyone give me a clarification and/or some snippet of code to
> understand how can I correctly manage VOMS server from a GT4 service?
>
> Thank you in advance,
> Andrea
>
>
>
>> On Fri, Apr 24, 2009 at 10:19 AM, Andrea Turli <***@eng.it>
wrote:
>>>
>>> Finally we manage to communicate with VOMS from a GT container by
>>> setting "Constants.GSI_TRANSPORT" as stub property.
>>>
>>> Thanks Tim for your precious suggestion
>>>
>>> Andrea
>>>
>>> On Wed, Mar 4, 2009 at 12:07 AM, Tim Freeman <***@mcs.anl.gov>
wrote:
>>>> On Tue, 24 Feb 2009 16:53:16 +0100
>>>> Andrea Turli <***@eng.it> wrote:
>>>>
>>>>> // credentials
>>>>> stub._setProperty(GSIConstants.GSI_CREDENTIALS,
credentials);
>>>>>
>>>>> // Authentication method
>>>>> stub._setProperty(Constants.GSI_SEC_CONV,
>>>>> Constants.ENCRYPTION);
>>>>>
>>>>> // delegation
>>>>> stub._setProperty(GSIConstants.GSI_MODE,
>>>>> GSIConstants.GSI_MODE_NO_DELEG);
>>>>>
>>>>> // set Context lifetime
>>>>> stub._setProperty(Constants.CONTEXT_LIFETIME, 300);
>>>>
>>>> Are you intentionally setting "Constants.GSI_SEC_CONV" there? Only an
educated
>>>> guess, but I wouldn't think secure conversation is the appropriate
choice for
>>>> VOMS admin service. Try setting the "Constants.GSI_TRANSPORT" to
>>>> "Constants.SIGNATURE" or "Constants.ENCRYPTION" instead?
>>>>
>>>> Tim
>>>>
>>>>
>>>
>>
>
Jan Muhammad
2009-05-08 15:28:09 UTC
Permalink
Hi,

I'm configuring postgreSQL on globus 4.0.8; my standalone postgreSQL is running fine. Now while trying to integrate it with Globus, I came across this documentation page:
http://www.globus.org/toolkit/docs/4.0/admin/docbook/ch10.html

Under heading 2.3. Required configuration: configuring the PostgreSQL database; point number 3. says creating a user 'globus' being user "postgres"; If i try to create user it does so.
But when it comes down to step 5; to create RFT database; createdb rftDatabase ; I need to sudo to 'globus' which asks me for a password. When I try to issue a password to 'globus' from within 'postgres' user; I get the error message "passwd: Only root can specify a user name".

Now I'm confused here; as have two users with same name 'globus' the one which is running globus conatiner and 2nd is the one I created within 'postgres' user. So at this step (5) while creating rftDatabase which user should I use? Do I need to issue a password to 'globus' under 'root'? Or what can be possible solution?

Thanks for help in advance.

Regards
________________________

Jan Muhammad
Prashanth Chengi
2009-05-10 08:06:01 UTC
Permalink
Hi Jan,

The adding of the user in postgres is done after su-ing to user postgres,
but you have to make other changes to the pg_hba.conf file before you are
ready to go. You could refer to the section "Configuring RFT" in this
document:
http://www.globus.org/toolkit/docs/4.0/admin/docbook/quickstart.html#q-rft-configure

It is quite well detailed and should be easy to follow.

Regards,
Prashanth Chengi
National PARAM SuperComputing Facility
System Administration and Networking Group
C-DAC Pune
Ext-183
Mob: 09766044870

--
Our greatest triumph is not in never falling.
It is in getting up every time we fall.


On Fri, 8 May 2009, Jan Muhammad wrote:

> Hi,
>
> I'm configuring postgreSQL on globus 4.0.8; my standalone postgreSQL is running fine. Now while trying to integrate it with Globus, I came across this documentation page:
> http://www.globus.org/toolkit/docs/4.0/admin/docbook/ch10.html
>
> Under heading 2.3. Required configuration: configuring the PostgreSQL database; point number 3. says creating a user 'globus' being user "postgres"; If i try to create user it does so.
> But when it comes down to step 5; to create RFT database; createdb rftDatabase ; I need to sudo to 'globus' which asks me for a password. When I try to issue a password to 'globus' from within 'postgres' user; I get the error message "passwd: Only root can specify a user name".
>
> Now I'm confused here; as have two users with same name 'globus' the one which is running globus conatiner and 2nd is the one I created within 'postgres' user. So at this step (5) while creating rftDatabase which user should I use? Do I need to issue a password to 'globus' under 'root'? Or what can be possible solution?
>
> Thanks for help in advance.
>
> Regards
> ________________________
>
> Jan Muhammad
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
Loading...