Difference between revisions of "DUNE third party copy IC to RAL"
| Line 20: | Line 20: | ||
Solution A: On you pool nodes set: dcache.authn.namespace-mode=IGNORE (webdav.authn.namespace-mode=IGNORE didn't seem to be enough). | Solution A: On you pool nodes set: dcache.authn.namespace-mode=IGNORE (webdav.authn.namespace-mode=IGNORE didn't seem to be enough). | ||
| − | + | We also currently have the following settings on our headnode (in dcache.conf) <br> | |
| − | We also currently have the following settings on our headnode | + | |
| − | + | ||
webdav.enable.third-party.requiring-verification-by-default = false <br> | webdav.enable.third-party.requiring-verification-by-default = false <br> | ||
webdav.authn.namespace-mode=IGNORE <br> | webdav.authn.namespace-mode=IGNORE <br> | ||
webdav.authn.crl-mode=IGNORE ← I don't think I need that one as I have my crls, but can only restart the head node so often <br> | webdav.authn.crl-mode=IGNORE ← I don't think I need that one as I have my crls, but can only restart the head node so often <br> | ||
webdav.authn.ocsp-mode=IGNORE <br> | webdav.authn.ocsp-mode=IGNORE <br> | ||
| + | |||
| + | Now, off you go. <br> | ||
| + | |||
| + | Solution B: The hacker special <br> | ||
| + | Leave dcache.authn.namespace-mode on the default setting. Make yourself (on the pool node) a QuoVadis-SSL-ICA-G3.signing_policy with the following content (and don't forget the link: 35e514f6.signing_policy -> QuoVadis-SSL-ICA-G3.signing_policy): <br> | ||
| + | |||
| + | access_id_CA X509 '/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3' <br> | ||
| + | pos_rights globus CA:sign <br> | ||
| + | cond_subjects globus '"/C=GB/*"' <br> | ||
| + | |||
| + | This now matches the RAL Dynafed certificate. Uh oh. <br> | ||
| + | |||
Revision as of 16:14, 12 September 2018
Third party copies Imperial dCache to RAL ECHO
Baseline versions
dCache version: 3.2.15-1
gfal-* on an up-to-date CentOS 7 node (lxplus7.cern.ch will do) with gfal2-util version 1.5.1 (gfal2 2.15.4)
Issues
- Expired delegation is not updated (happens when you start testing on a Friday and come back on a Monday):
Short term solution: remove delegation from dCache, start afresh.
Long term solution: wait for dCache fix provided by Dmitry to make it into the release.
- Checksums on ECHO: Apparently it doesn't provide any.
Short term solution: Set webdav.enable.third-party.requiring-verification-by-default = false in dcache.conf on the head node.
Long term solution: ???
- Dynafed's QuoVadis certificate: Dynafed needs an intermediate CA (QuoVadis Global SSL ICA G3).
Short term solution: Procure certificate from from here: Downloads. Distribute it on the head and pool nodes. Remember to make the .0 file and create a link:
[root@blah certificates]# openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash 35e514f6 [root@blah certificates]# ln -s QuoVadis-SSL-ICA-G3.pem 35e514f6.0 openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hashMake a QuoVadis-SSL-ICA-G3.crl_url file while you are at it.
Now it gets interesting.
Solution A: On you pool nodes set: dcache.authn.namespace-mode=IGNORE (webdav.authn.namespace-mode=IGNORE didn't seem to be enough).
We also currently have the following settings on our headnode (in dcache.conf)
webdav.enable.third-party.requiring-verification-by-default = false
webdav.authn.namespace-mode=IGNORE
webdav.authn.crl-mode=IGNORE ← I don't think I need that one as I have my crls, but can only restart the head node so often
webdav.authn.ocsp-mode=IGNORE
Now, off you go.
Solution B: The hacker special
Leave dcache.authn.namespace-mode on the default setting. Make yourself (on the pool node) a QuoVadis-SSL-ICA-G3.signing_policy with the following content (and don't forget the link: 35e514f6.signing_policy -> QuoVadis-SSL-ICA-G3.signing_policy):
access_id_CA X509 '/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3'
pos_rights globus CA:sign
cond_subjects globus '"/C=GB/*"'
This now matches the RAL Dynafed certificate. Uh oh.
Side note: How to remove a delegation
use 'delegation' from dcache-srmclient-3.0.9-1.noarch (certificates must be installed in /etch/grid-security/certificates):
lx> delegation
$ endpoint https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation ← find this in the gfal-copy -vvv log
[https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation]> $ help
[...]
[https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation] $ destroy 1234 ← I can't remember where I found this.
