
Problems with myproxy renewal from PSI vobox and CSCS vobox

04. 02. 2016

04. 12. 2012

The myproxy renewal now fails for the CMS vobox at T3_CH_PSI (and this had worked for a long time). The exact same commands work when we use them for our CMS vobox at T2_CH_CSCS.

It may be that the error is due to the myproxy.cern.ch service having problems dealing with the certificate string of the renewer.

/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch

At least this was the reason for the same error some years ago. The parentheses in the "...(PSI)..." caused problems in the matching. We tried all kinds of renewer policies, including */CN=t3cmsvobox.psi.ch in order to circumvent the issue and test it out.

I am afraid that in 2011 maybe the old error causing problems with the certs matching may have surfaced again. At least a newer bug report on the globus website may indicate that.

But we ran fine until this week, and the bug reports seem to imply that the version has been in operation at CERN for some time.

Without having access to the logs on the server, it may be difficult to debug this issue any further.

Functioning example with CSCS vobox

I place the myproxy using t3ui02:

[feichtinger@t3ui02 ~]$ myproxy-init -l psi_phedex_derek -x \
      -R "/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Zuerich/L=Zuerich/O=ETH Zuerich/CN=cmsvobox.lcg.cscs.ch" -c 720

Then I log into the cmsvobox and initialize its host proxy:

[phedex@cmsvobox:~]$ voms-proxy-info
...
identity  : /DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Zuerich/L=Zuerich/O=ETH Zuerich/CN=cmsvobox.lcg.cscs.ch
...

[phedex@cmsvobox:~]$ myproxy-get-delegation -v -s myproxy.cern.ch -v -l psi_phedex_derek -a /home/phedex/derek_x509 -o /tmp/gaga
MyProxy v4.2 10 Jan 2008 PAM
Socket bound to port 20000. 
Attempting to connect to 128.142.139.217:7512 
using trusted certificates directory /etc/grid-security/certificates
server name: /DC=ch/DC=cern/OU=computers/CN=px307.cern.ch
checking that server name is acceptable...
server name does not match "myproxy@px307.cern.ch"
server name matches "host@px307.cern.ch"
authenticated server name is acceptable
A credential has been received for user psi_phedex_derek in /tmp/gaga.

Failing example for PSI vobox

I place the myproxy using t3ui02:

[feichtinger@t3ui02 ~]$ myproxy-init -l psi_phedex_derek -x  -c 720 \
            -R "/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch"


Then I log into the cmsvobox and initialize its host proxy:

[phedex@t3cmsvobox02 ~]$ voms-proxy-info
...
identity  : /DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch
...

[phedex@t3cmsvobox02 ~]$  myproxy-get-delegation -s myproxy.cern.ch -v -l psi_phedex_derek -a /home/phedex/gridcert/proxy.cert.derek -o /tmp/gaga
MyProxy v4.2 10 Jan 2008 PAM
Socket bound to port 20000.
Attempting to connect to 128.142.139.217:7512
using trusted certificates directory /etc/grid-security/certificates/
server name: /DC=ch/DC=cern/OU=computers/CN=px307.cern.ch
checking that server name is acceptable...
server name does not match "myproxy@px307.cern.ch"
server name matches "host@px307.cern.ch"
authenticated server name is acceptable
Failed to receive credentials.
ERROR from myproxy-server (myproxy.cern.ch):
no passphrase
authentication failed

GGUS Ticket about this error

REFERENCE LINK: https://ggus.eu/ws/ticket_info.php?ticket=89187
SUBJECT: Can't renew Phedex proxy vs myproxy.cern.ch

GGUS Ticket Solution

A colleague from CERN was able to solve the issue. Indeed, there had been a configuration change at CERN:

Public Diary     : 10-12-2012 17:03:02 - Alexandre Lossent (Additional comments (Customer View))
Ticket resolved. The following solution was provided:

Hello,

There was indeed a change in the myproxy.cern.ch configuration on 28-Nov, when all DNs were normalized in order to prepare for a change in the configuration system software. Special entries were discarded in favor of the full DNs, in this case /DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch 

This was supposed to be transparent, but the myproxy configuration file format makes escaping of parentheses in DNs necessary and this had not been done properly.

The escaping has been corrected, and proxy renewal should work again. Please accept our apologies for the trouble this has caused.
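
Why an unescaped "(PSI)" stops a DN entry from matching its own DN, and a self-match check that would catch it after a DN normalization, as an added example (not part of the original log, the ticket, or MyProxy's code). It assumes the server evaluates each renewer entry as an anchored extended regular expression with * and ? as wildcards; policy_to_regex, escape_dn and lint_renewers are hypothetical helper names.

```python
import re

# DNs taken from the log above.
PSI_DN = ("/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau"
          "/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch")
CSCS_DN = ("/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Zuerich"
           "/L=Zuerich/O=ETH Zuerich/CN=cmsvobox.lcg.cscs.ch")

def policy_to_regex(entry):
    """Assumed matcher model: '*' and '?' are wildcards, '.' is literal,
    a backslash makes the next character literal, and everything else
    (including parentheses) is passed through as regex syntax."""
    out, i = [], 0
    while i < len(entry):
        c = entry[i]
        if c == "\\" and i + 1 < len(entry):
            out.append(re.escape(entry[i + 1]))
            i += 2
            continue
        out.append({"*": ".*", "?": ".", ".": r"\."}.get(c, c))
        i += 1
    return "".join(out)

def matches(entry, dn):
    """True if the policy entry authorizes exactly this DN (anchored match)."""
    return re.fullmatch(policy_to_regex(entry), dn) is not None

def escape_dn(dn):
    """Backslash-escape every character the assumed matcher treats as special."""
    return re.sub(r"([\\()\[\]{}|+^$*?])", r"\\\1", dn)

def lint_renewers(literal_dns):
    """For entries meant as full literal DNs: report each one that does not
    match itself, together with the escaped form that does."""
    return [(dn, escape_dn(dn)) for dn in literal_dns if not matches(dn, dn)]

if __name__ == "__main__":
    for dn, fixed in lint_renewers([CSCS_DN, PSI_DN]):
        print("entry does not match its own DN:", dn)
        print("escaped form:", fixed)
```

Under this model the unescaped entry matches a DN containing "O=Paul-Scherrer-Institut PSI" without the parentheses, which is not the DN in the host certificate.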


Topic revision: r6 - 2016-02-05 - FabioMartinelli