Difference between revisions of "Security system errors and workarounds"
Latest revision as of 14:02, 5 November 2015
Error in OLD GAA code: Could not get policy info:
Users at various sites have experienced a strange error when using VOMS proxies to access grid services on SL6 systems. The error manifests itself with the following message:
ERROR: initializing context: GSS Error: GSS Major Status: Authentication Failed, MECH Error: GSS Minor Status Error Chain:, globus_gsi_gssapi: SSLv3 handshake problems, globus_gsi_callback_module: Could not verify credential, globus_gsi_callback_module: Error with signing policy, globus_gsi_callback_module: Error in OLD GAA code: Could not get policy info: Minor status=201
In all cases we are aware of, the user's ~/.globus directory contained items in addition to the required usercert.pem and userkey.pem certificate and key pair. As a workaround, deleting the additional items, including subdirectories, appears to fix the problem.
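One way to carry out the workaround above, as an added example that is not part of the original wiki page: the script lists everything under ~/.globus other than usercert.pem and userkey.pem, and can move those entries to a backup directory instead of deleting them. The function names, the GLOBUS_DIR variable and the backup location are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit ~/.globus for entries other than the two required
# files named on this page (usercert.pem, userkey.pem).

# Print every unexpected entry directly under the directory $1, one per line.
# Covers plain files, dotfiles, symlinks and subdirectories.
globus_extra_items() {
    dir=${1:-"$HOME/.globus"}
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # Unmatched glob patterns stay literal; skip anything that does not exist.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        case ${entry##*/} in
            usercert.pem|userkey.pem) ;;      # required, leave alone
            *) printf '%s\n' "$entry" ;;
        esac
    done
    return 0
}

# Move the unexpected entries into a backup directory ($2) rather than
# deleting them, so they can be inspected or restored. Prints the number moved.
# Names containing newlines are not handled.
globus_quarantine() {
    dir=${1:-"$HOME/.globus"}
    backup=${2:-"$HOME/globus-extra.$(date +%Y%m%d%H%M%S)"}
    extras=$(globus_extra_items "$dir")
    [ -n "$extras" ] || { echo 0; return 0; }
    # The backup may hold key material, so keep it private to the user.
    mkdir -p "$backup" && chmod 700 "$backup" || return 1
    moved=0
    while IFS= read -r entry; do
        mv -- "$entry" "$backup"/ || return 1
        moved=$((moved + 1))
    done <<EOF
$extras
EOF
    echo "$moved"
}

# Report only: nothing is moved unless globus_quarantine is called explicitly.
globus_extra_items "${GLOBUS_DIR:-$HOME/.globus}"
```

Run it once to see what it reports, then call globus_quarantine and retry the failing grid operation.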
It is not known with certainty how these items come to be created in the user's account in all cases. In at least one case, they were created by the CertWizard tool, but we do not have conclusive evidence linking it to all other cases. However, if you want to run grid operations and CertWizard on the same system, it is possible to direct CertWizard to use a safer alternative location (e.g. /etc/grid-security/certificates) via the X509_CERT_DIR environment variable.
The root cause of the error is also unknown at this point in time. It is possible that it is caused by an underlying bug in the globus_gsi_callback signing policy parser.