Difference between revisions of "Security system errors and workarounds"

From GridPP Wiki
(workaround for GSS error)
 
(X509_CERT_DIR)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
=Security system errors and workarounds. === Error in OLD GAA code: Could not get policy info: Minor status=201 ==
+
== Error in OLD GAA code: Could not get policy info: ==
  
Users at various sites have experienced strange error when using voms proxies to access grid services. The error manifests itself with the following message:  
+
Users at various sites have experienced strange error when using voms proxies to access grid services, on SL6 systems. The error manifests itself with the following message:  
  
 
  ERROR: initializing context: GSS Error: GSS Major Status: Authentication Failed, MECH Error: GSS Minor Status Error  
 
  ERROR: initializing context: GSS Error: GSS Major Status: Authentication Failed, MECH Error: GSS Minor Status Error  
Line 8: Line 8:
 
  Could not get policy info: Minor status=201  
 
  Could not get policy info: Minor status=201  
  
Possible causes are suspected to include:
+
In all cases we are aware of, the user's ~/.globus directory contained items additional to the required usercert.pem, userkey.pem certificate and key pairs. Deleting the additional items, including subdirectories, appears to fix the problem, as a workaround.
  
* A bug in the globus_sgi_callback parser.
+
It is not known with certainty how these items become created in the user's account in all cases. In at least one case, they were created by the CertWizard tool, but we do not have conclusive evidence linking it to all other cases. However, if you want to run grid operations and CertWizard on the same system, it is possible to direct CertWizard to use a safer alternative location (e.g. /etc/grid-secrity/certificates) via the X509_CERT_DIR environment variable.
  
* Clashes when GSS and CertWizard work with each other.
+
The root cause of the error is also unknown at this point in time. It is possible that it is caused by an underlying bug in the globus_gsi_callback signing policy parser.
 
+
* Non-standard shared directories and defaults
+
 
+
A workaround exists for this condition. On the user's system, check whether the user's ~/.globus directory is cluttered with various extraneous items. If so, strip back the content to usercert.* and userkey.* and try the operation again.
+
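Review bot: in the added CertWizard paragraph the example location is spelled /etc/grid-secrity/certificates, which looks like a typo for /etc/grid-security/certificates and would mislead anyone copying it into X509_CERT_DIR. The old closing paragraph told users to strip ~/.globus back to usercert.* and userkey.*, while the new wording names only usercert.pem and userkey.pem, and the latest revision no longer carries the old paragraph. Please say whether files matching usercert.* and userkey.* in other formats are to be kept. Since the root cause is stated as unknown, consider advising users to move the extra items aside rather than delete them, so they stay available for diagnosis.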

Latest revision as of 14:02, 5 November 2015

Error in OLD GAA code: Could not get policy info:

Users at various sites have experienced a strange error when using VOMS proxies to access grid services on SL6 systems. The error manifests itself with the following message:

ERROR: initializing context: GSS Error: GSS Major Status: Authentication Failed, MECH Error: GSS Minor Status Error 
Chain:, globus_gsi_gssapi: SSLv3 handshake problems, globus_gsi_callback_module: Could not verify 
credential, globus_gsi_callback_module: Error with signing policy, globus_gsi_callback_module: Error in OLD GAA code: 
Could not get policy info: Minor status=201 

In all cases we are aware of, the user's ~/.globus directory contained items in addition to the required usercert.pem and userkey.pem certificate and key pair. As a workaround, deleting the additional items, including subdirectories, appears to fix the problem.
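The check described above can be scripted. The following is an added example, not code from the GridPP wiki or from Globus: the function names `globus_extras` and `globus_quarantine` are hypothetical, and it moves the extra items into a separate directory instead of deleting them (a variation on the workaround, so that they can still be inspected afterwards).

```shell
#!/bin/sh
# Added example (not from the original page): audit a .globus directory for
# anything other than the two files the page names as required.

# Print every entry in DIR (default ~/.globus) that is not usercert.pem or
# userkey.pem, one per line. Covers dotfiles and subdirectories.
globus_extras() {
    dir=${1:-$HOME/.globus}
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # Unmatched globs stay literal; skip them, but keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        case ${entry##*/} in
            usercert.pem|userkey.pem) ;;      # required pair: leave alone
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# Move the extra entries out of DIR into DEST (default: a timestamped sibling
# directory). Assumption: moving aside is preferred to deleting so the items
# can be examined later. Entry names containing newlines are not supported.
globus_quarantine() {
    dir=${1:-$HOME/.globus}
    dest=${2:-$dir.extras.$(date +%Y%m%d%H%M%S)}
    [ -n "$(globus_extras "$dir")" ] || return 0   # nothing to do
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    globus_extras "$dir" | while IFS= read -r entry; do
        mv -- "$entry" "$dest"/ || exit 1
    done
}

# Usage after sourcing this file:
#   globus_extras        # review what would be moved
#   globus_quarantine    # move it aside, then retry the grid operation
```
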

It is not known with certainty how these items come to be created in the user's account in all cases. In at least one case, they were created by the CertWizard tool, but we do not have conclusive evidence linking it to all other cases. However, if you want to run grid operations and CertWizard on the same system, it is possible to direct CertWizard to use a safer alternative location (e.g. /etc/grid-security/certificates) via the X509_CERT_DIR environment variable.

The root cause of the error is also unknown at this point in time. It is possible that it is caused by an underlying bug in the globus_gsi_callback signing policy parser.