Difference between revisions of "Common Security Troubleshooting"
Andrea.turli (Talk | contribs) (→Caused by COM.claymoresystems.ptls.SSLThrewAlertException: Decrypt error) |
|||
| (3 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
| − | [[ | + | This page contains exceptions that commonly occurs in security configurations for gCube services. Exception should be clearly reported in sections using keywords as the Axis fault obtained, the error code returned by commands and so on (see already existing exceptions). For any exception a list of reasons can be reported as separate subsections. For each reason a solution should be also provided (if already discovered). |
| + | To properly configure security for gCube services please follows the [[How To Enable Security]] page. | ||
| − | + | ==Authentication required for "{<nowiki>http://www....</nowiki>" operation== | |
| − | + | This exception tells the clients that an authentication mechanism is required to acces the service: in general this mechanism is GSISecureTransport, that means https, even if also GSISecureConversation could be required. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
==org.globus.wsrf.security.SecurityException: [SEC]Operation name could not be determined== | ==org.globus.wsrf.security.SecurityException: [SEC]Operation name could not be determined== | ||
| Line 15: | Line 10: | ||
==voms-proxy-init error stream:Error: VERR_NOSOCKET== | ==voms-proxy-init error stream:Error: VERR_NOSOCKET== | ||
| − | Exception related to authentication of clients to the VOMS server (ie. | + | Exception related to authentication of clients to the VOMS server (ie. voms.research-infrastructures.eu in this case) |
| − | Contacting | + | Contacting voms.research-infrastructures.eu:15001 [/C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=voms.research-infrastructures.eu] "gCube" |
| − | Failed to contact servers for | + | Failed to contact servers for gCube. |
Please doublecheck these settings: | Please doublecheck these settings: | ||
* the glite-security-voms-* rpms installed in your machine should be at least 1.7.xy | * the glite-security-voms-* rpms installed in your machine should be at least 1.7.xy | ||
| − | * The clock on your computer could be not in sync with VOMS server. Use with ntp server [ | + | * The clock on your computer could be not in sync with VOMS server. Use with ntp server [https://technical.wiki.d4science.research-infrastructures.eu/documentation/index.php/Administrator%27s_Guide:How_to_set_up_a_gCube_infrastructure#Secure_configuration Configure gContainer security] |
* The CRLs has to be updated using /usr/sbin/fetch-crl -o /etc/grid-security/certificates | * The CRLs has to be updated using /usr/sbin/fetch-crl -o /etc/grid-security/certificates | ||
* Some CA certificates in /etc/grid-security/certificates could be expired, please update them. | * Some CA certificates in /etc/grid-security/certificates could be expired, please update them. | ||
| Line 34: | Line 29: | ||
==Operation unauthorized (Mechanism level: Authorization failed. Expected "/CN=host/hostname" target but received "/O=Grid/CN=your_personal_certificate")== | ==Operation unauthorized (Mechanism level: Authorization failed. Expected "/CN=host/hostname" target but received "/O=Grid/CN=your_personal_certificate")== | ||
It could be thrown for a misconfiguration of the host certificates. | It could be thrown for a misconfiguration of the host certificates. | ||
| − | Please doublecheck [ | + | Please doublecheck [https://wiki.gcore.research-infrastructures.eu/gCube/index.php/Administrator_Guide#Configure_container_security Install host credentials]. |
==Caused by COM.claymoresystems.ptls.SSLThrewAlertException: Decrypt error== | ==Caused by COM.claymoresystems.ptls.SSLThrewAlertException: Decrypt error== | ||
Latest revision as of 11:40, 24 October 2011
This page contains exceptions that commonly occurs in security configurations for gCube services. Exception should be clearly reported in sections using keywords as the Axis fault obtained, the error code returned by commands and so on (see already existing exceptions). For any exception a list of reasons can be reported as separate subsections. For each reason a solution should be also provided (if already discovered). To properly configure security for gCube services please follows the How To Enable Security page.
Contents
- 1 Authentication required for "{http://www...." operation
- 2 org.globus.wsrf.security.SecurityException: [SEC]Operation name could not be determined
- 3 voms-proxy-init error stream:Error: VERR_NOSOCKET
- 4 Operation unauthorized (Mechanism level: Authorization failed. Expected "/CN=host/your_ip_number" target but received "/O=Grid/CN=host/your_hostname")
- 5 Operation unauthorized (Mechanism level: Authorization failed. Expected "/CN=host/hostname" target but received "/O=Grid/CN=your_personal_certificate")
- 6 Caused by COM.claymoresystems.ptls.SSLThrewAlertException: Decrypt error
- 7 org.apache.axis.types.URI$MalformedURIException: Cannot initialize URI with empty parameters.
Authentication required for "{http://www...." operation
This exception tells the clients that an authentication mechanism is required to acces the service: in general this mechanism is GSISecureTransport, that means https, even if also GSISecureConversation could be required.
org.globus.wsrf.security.SecurityException: [SEC]Operation name could not be determined
This exception is thrown when operations in the WSDL interface does not match with methods in the service implementation class.
voms-proxy-init error stream:Error: VERR_NOSOCKET
Exception related to authentication of clients to the VOMS server (ie. voms.research-infrastructures.eu in this case) Contacting voms.research-infrastructures.eu:15001 [/C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=voms.research-infrastructures.eu] "gCube" Failed to contact servers for gCube.
Please doublecheck these settings:
- the glite-security-voms-* rpms installed in your machine should be at least 1.7.xy
- The clock on your computer could be not in sync with VOMS server. Use with ntp server Configure gContainer security
- The CRLs has to be updated using /usr/sbin/fetch-crl -o /etc/grid-security/certificates
- Some CA certificates in /etc/grid-security/certificates could be expired, please update them.
- Your firewall or VOMS Server firewall blocks the client
When voms-proxy-init runs as root it will try to use host credentials: in this situation some globus toolkit library has hardcoded usage of /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem. Please remove them from that path or rename them.
Operation unauthorized (Mechanism level: Authorization failed. Expected "/CN=host/your_ip_number" target but received "/O=Grid/CN=host/your_hostname")
It is thrown when the hostname cannot be resolved in the IP asking the DNS server. Usually this problem disappear as soon as the DNS is updated.
Operation unauthorized (Mechanism level: Authorization failed. Expected "/CN=host/hostname" target but received "/O=Grid/CN=your_personal_certificate")
It could be thrown for a misconfiguration of the host certificates. Please doublecheck Install host credentials.
Caused by COM.claymoresystems.ptls.SSLThrewAlertException: Decrypt error
This Exception is thrown when certificate and private key used to perform a secure communication do not match.
org.apache.axis.types.URI$MalformedURIException: Cannot initialize URI with empty parameters.
You could get this exception during a VOMSServlet installation: it is thrown when the tomcat container that hosts vomsSservlet has inside his CLASSPATH env. var. the GLOBUS_LOCATION. This makes use to tomcat the wrong axis version causing the exception. Please clean the CLASSPATH.
