Security system errors and workarounds

From GridPP Wiki

Error in OLD GAA code: Could not get policy info:

Users at various sites have experienced a strange error when using VOMS proxies to access grid services on SL6 systems. The error manifests itself with the following message:

ERROR: initializing context: GSS Error: GSS Major Status: Authentication Failed, MECH Error: GSS Minor Status Error 
Chain:, globus_gsi_gssapi: SSLv3 handshake problems, globus_gsi_callback_module: Could not verify 
credential, globus_gsi_callback_module: Error with signing policy, globus_gsi_callback_module: Error in OLD GAA code: 
Could not get policy info: Minor status=201 

In all cases we are aware of, the user's ~/.globus directory contained items in addition to the required usercert.pem and userkey.pem certificate and key pair. Deleting the additional items, including subdirectories, appears to fix the problem as a workaround.
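A read-only check for the condition described above, as an added example that is not part of the original wiki page. The function names globus_extras and globus_check are hypothetical, and the script only reports items, leaving any deletion to the user.

```shell
#!/bin/sh
# Added example (not from the GridPP wiki): report anything in a .globus
# directory other than usercert.pem and userkey.pem. Read-only, deletes nothing.
# Function names are hypothetical.

# globus_extras DIR: print one unexpected entry per line; directories get a
# trailing slash. Hidden files are included.
globus_extras() {
    dir=$1
    [ -d "$dir" ] || return 0
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # An unmatched glob stays literal; skip it (but keep dangling symlinks).
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case $name in
            usercert.pem|userkey.pem) ;;
            *)
                if [ -d "$entry" ]; then
                    printf '%s/\n' "$name"
                else
                    printf '%s\n' "$name"
                fi
                ;;
        esac
    done
    return 0
}

# globus_check DIR: print a report; return 1 if unexpected entries exist.
globus_check() {
    if [ ! -d "$1" ]; then
        echo "SKIP: $1 is not a directory"
        return 0
    fi
    extras=$(globus_extras "$1")
    if [ -z "$extras" ]; then
        echo "OK: $1 has no items besides usercert.pem and userkey.pem"
        return 0
    fi
    echo "Unexpected items in $1:"
    printf '%s\n' "$extras" | sed 's/^/  /'
    return 1
}

# Default to the invoking user's directory; pass another path as $1.
globus_check "${1:-$HOME/.globus}" || echo "Review the items listed above."
```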

It is not known with certainty how these items come to be created in the user's account in all cases. In at least one case, they were created by the CertWizard tool, but we do not have conclusive evidence linking it to all other cases. However, if you want to run grid operations and CertWizard on the same system, it is possible to direct CertWizard to use a safer alternative location (e.g. /etc/grid-security/certificates) via the X509_CERT_DIR environment variable.

The root cause of the error is also unknown at this point in time. It is possible that it is caused by an underlying bug in the globus_gsi_callback signing policy parser.