<!-- keep this as a security measure:
#uncomment if the subject should only be modifiable by the listed groups
   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup,Main.CMSAdminGroup
   * Set ALLOWTOPICRENAME = Main.TWikiAdminGroup,Main.CMSAdminGroup
#uncomment this if you want the page only be viewable by the listed groups
#   * Set ALLOWTOPICVIEW = Main.TWikiAdminGroup,Main.CMSAdminGroup
-->

%TOC%

%ICON{arrowleft}% Go to [[CMSTier3LogXX][previous page]] / [[CMSTier3LogXX][next page]] of Tier3 site log %M%

---+ Problems with myproxy renewal from PSI vobox and CSCS vobox

---++ 04. 02. 2016

   * [[https://cern.service-now.com/service-portal/view-incident.do?n=INC0956110][t3cmsvobox.psi.ch]] myproxy issue
   * [[https://cern.service-now.com/service-portal/view-incident.do?n=INC0954270][cms02.lcg.cscs.ch]] myproxy issue

---++ 04. 12. 2012

The myproxy renewal now fails for the CMS vobox at T3_CH_PSI (and this had worked for a long time). The exact same commands work when we use them for our CMS vobox at T2_CH_CSCS.

It may be that the error is due to the myproxy.cern.ch service having problems dealing with the certificate string of the renewer.

<verbatim>
/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch
</verbatim>

At least this was the reason for the same error some years ago. The parentheses in the "...(PSI)..." caused problems in the matching. We tried all kinds of renewer policies, including =*/CN=t3cmsvobox.psi.ch= in order to circumvent the issue and test it out.

I am afraid that in 2011 maybe the old error causing problems with the certs matching may have surfaced again. At least a newer bug report on the Globus website may indicate that:

   * http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7211
   * http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6903

But we ran fine until this week, and the bug reports seem to imply that the version has been in operation at CERN for some time.

Without having access to the logs on the server, it may be difficult to debug this issue any further.

---+++ Functioning example with CSCS vobox

<verbatim>
I place the myproxy using t3ui02:
[feichtinger@t3ui02 ~]$ myproxy-init -l psi_phedex_derek -x \
   -R /DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Zuerich/L=Zuerich/O=ETH Zuerich/CN=cmsvobox.lcg.cscs.ch -c 720

Then I log into the cmsvobox and initialize its host proxy:
[phedex@cmsvobox:~]$ voms-proxy-info
...
identity  : /DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Zuerich/L=Zuerich/O=ETH Zuerich/CN=cmsvobox.lcg.cscs.ch
...

[phedex@cmsvobox:~]$ myproxy-get-delegation -v -s myproxy.cern.ch -v -l psi_phedex_derek -a /home/phedex/derek_x509 -o /tmp/gaga
MyProxy v4.2 10 Jan 2008 PAM
Socket bound to port 20000.

Attempting to connect to 128.142.139.217:7512
using trusted certificates directory /etc/grid-security/certificates
server name: /DC=ch/DC=cern/OU=computers/CN=px307.cern.ch
checking that server name is acceptable...
server name does not match "myproxy@px307.cern.ch"
server name matches "host@px307.cern.ch"
authenticated server name is acceptable
A credential has been received for user psi_phedex_derek in /tmp/gaga.
</verbatim>

---+++ Failing example for PSI vobox

<verbatim>
I place the myproxy using t3ui02:
[feichtinger@t3ui02 ~]$ myproxy-init -l psi_phedex_derek -x -c 720 \
   -R /DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch

Then I log into the cmsvobox and initialize its host proxy:
[phedex@t3cmsvobox02 ~]$ voms-proxy-info
...
identity  : /DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch
...

[phedex@t3cmsvobox02 ~]$ myproxy-get-delegation -s myproxy.cern.ch -v -l psi_phedex_derek -a /home/phedex/gridcert/proxy.cert.derek -o /tmp/gaga
MyProxy v4.2 10 Jan 2008 PAM
Socket bound to port 20000.

Attempting to connect to 128.142.139.217:7512
using trusted certificates directory /etc/grid-security/certificates/
server name: /DC=ch/DC=cern/OU=computers/CN=px307.cern.ch
checking that server name is acceptable...
server name does not match "myproxy@px307.cern.ch"
server name matches "host@px307.cern.ch"
authenticated server name is acceptable
Failed to receive credentials.
ERROR from myproxy-server (myproxy.cern.ch):
no passphrase
authentication failed
</verbatim>

---+++ GGUS Ticket about this error

REFERENCE LINK: https://ggus.eu/ws/ticket_info.php?ticket=89187

SUBJECT: Can't renew Phedex proxy vs myproxy.cern.ch

---+++ GGUS Ticket Solution

A colleague from CERN was able to solve the issue. Indeed, there had been a configuration change at CERN:

<verbatim>
Public Diary :
10-12-2012 17:03:02 - Alexandre Lossent (Additional comments (Customer View))
Ticket resolved. The following solution was provided:

Hello,

There was indeed a change in the myproxy.cern.ch configuration on 28-Nov, when all DNs were normalized in order to prepare for a change in the configuration system software.
Special entries were discarded in favor of the full DNs, in this case
/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch

This was supposed to be transparent, but the myproxy configuration file format makes escaping of parenthesis in DNs necessary and this had not been done properly.

The escaping has been corrected, and proxy renewal should work again.

Please accept our apologies for the trouble this has caused.
</verbatim>
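
The failure mode described in the ticket solution, as an added example that is not part of the original log or of the MyProxy code: a DN used verbatim as a regular expression stops matching itself once it contains parentheses, which is consistent with the CSCS DN continuing to work while the PSI DN failed. It assumes the policy entry is matched as an anchored regular expression and uses Python's =re= module as a stand-in for the server's matcher; the function names and the demo entries are constructed.

```python
import re

# DNs as they appear on this page.
PSI_DN = ("/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau"
          "/L=Villigen/O=Paul-Scherrer-Institut (PSI)/CN=t3cmsvobox.psi.ch")
CSCS_DN = ("/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Zuerich"
           "/L=Zuerich/O=ETH Zuerich/CN=cmsvobox.lcg.cscs.ch")

GROUPING = "()[]{}"  # characters that change the pattern's structure when unescaped
_META = re.compile(r"([\\()\[\]{}+?*|^$.])")


def policy_matches(pattern: str, dn: str) -> bool:
    """Assumed matcher: the policy entry is an anchored regular expression."""
    try:
        return re.fullmatch(pattern, dn) is not None
    except re.error:
        return False  # an unparsable entry authorizes nobody


def escape_dn(dn: str) -> str:
    """Backslash-escape every regex metacharacter so the DN matches only itself."""
    return _META.sub(r"\\\1", dn)


def unescaped_grouping(pattern: str) -> list:
    """Return (index, char) for grouping characters not preceded by a backslash."""
    hits, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if pattern[i] in GROUPING:
            hits.append((i, pattern[i]))
        i += 1
    return hits


def audit(entries: dict, dn: str) -> dict:
    """Map each named policy entry to (matches dn, unescaped grouping chars)."""
    return {name: (policy_matches(p, dn), [c for _, c in unescaped_grouping(p)])
            for name, p in entries.items()}


if __name__ == "__main__":
    # Constructed policy entries, not taken from any real server configuration.
    entries = {"raw": PSI_DN, "escaped": escape_dn(PSI_DN)}
    for name, result in audit(entries, PSI_DN).items():
        print(name, result)
```

Running =audit= over a list of renewer DNs before a configuration change flags the entries that need escaping without requiring access to the server logs.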
Topic revision: r6 - 2016-02-05 - FabioMartinelli
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.