Re: [gin-ops] [gin-auth] start Savannah run

Hi Terrence,

Some success. I can submit from uaf-1.t2.ucsd.edu to all sites using both with a generated proxy and the proxy I was trying everywhere else.

The machines I was trying from are:
130.194.70.23
131.170.184.61
198.202.88.52

I know the first machine has no firewall as I have exempted the host.

When we run the experiment, we will be running it from 130.194.70.23. I guess it comes down to an IP firewall issue, or our servers not trusting the host cert. I have added to my server all the CA here, am I missing one?:
http://goc.pragma-grid.net/gin/gin-resources.html

Thanks,
Colin

---
Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia

-----Original Message-----
From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
Sent: Tuesday, 5 December 2006 5:47 PM
To: Colin Enticott
Cc: 'Yoshio Tanaka'; D.Bannon@vpac.org; navarro@mcs.anl.gov; gin-auth@ggf.org; gin-ops@ggf.org
Subject: Re: [gin-ops] [gin-auth] start Savannah run
Just to make sure I am not missing you in the log, what IP are you coming from?
Terrence
Colin Enticott wrote:
Thanks Yoshio,
So it looks like authentication issues as I can connect to port 2119 on both hosts:
cme@edda$ globusrun -a -r tg-grid1.uc.teragrid.org
GRAM Authentication test failure: connecting to the job manager failed. Possible reasons: job terminated, invalid job contact, network problems, ...
cme@edda$ globusrun -a -r osg-gw-2.t2.ucsd.edu
GRAM Authentication test failure: connecting to the job manager failed. Possible reasons: job terminated, invalid job contact, network problems, ...

Regards,
Colin

---
Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia

-----Original Message-----
From: Yoshio Tanaka [mailto:yoshio.tanaka@aist.go.jp]
Sent: Tuesday, 5 December 2006 12:21 PM
To: Colin.Enticott@csse.monash.edu.au
Cc: D.Bannon@vpac.org; tmartin@physics.ucsd.edu; navarro@mcs.anl.gov; gin-auth@ggf.org; gin-ops@ggf.org; yoshio.tanaka@aist.go.jp
Subject: Re: [gin-ops] [gin-auth] start Savannah run
Hi Colin,
Please test the authentication by the following command:
% globusrun -a -r osg-gw-2.t2.ucsd.edu
% globusrun -a -r tg-grid1.uc.teragrid.org
Thanks,
--
Yoshio Tanaka (yoshio.tanaka@aist.go.jp)
http://ninf.apgrid.org/
http://www.apgridpma.org/

From: Colin Enticott <Colin.Enticott@csse.monash.edu.au>
Subject: Re: [gin-ops] [gin-auth] start Savannah run
Date: Tue, 05 Dec 2006 11:44:05 +1100
Message-ID: <017401c71806$77cf6760$1e46c282@nail>
Thanks David,
But still the same problem. As you can see, my certificate still works on the vpac host and there is definitely no firewall in the way:

cme@edda$ grid-proxy-init -cert usercert.pem.APACGrid -key userkey.pem.APACGrid
Your identity: /C=AU/O=APACGrid/OU=Monash University/CN=Colin Enticott
Enter GRID pass phrase for this identity:
Creating proxy ................................... Done
Your proxy is valid until: Tue Dec 5 23:28:47 2006
cme@edda$ globus-job-run osg-gw-2.t2.ucsd.edu/jobmanager-fork /bin/uname -a
GRAM Job submission failed because the connection to the server failed (check host and port) (error code 12)
cme@edda$ globus-job-run tg-grid1.uc.teragrid.org/jobmanager-fork /bin/uname -a
GRAM Job submission failed because the connection to the server failed (check host and port) (error code 12)
cme@edda$ globus-job-run ng1.vpac.org/jobmanager-fork /bin/uname -a
Linux ng1.vpac.org 2.6.16.29-xen #4 SMP Sun Oct 15 13:20:46 BST 2006 i686 i686 i386 GNU/Linux
cme@edda$ telnet tg-grid1.uc.teragrid.org 2119
Trying 192.5.198.225...
Connected to tg-grid1.uc.teragrid.org.
Escape character is '^]'.
Connection closed by foreign host.
cme@edda$ telnet osg-gw-2.t2.ucsd.edu 2119
Trying 137.110.141.17...
Connected to osg-gw-2.t2.ucsd.edu.
Escape character is '^]'.
Connection closed by foreign host.
Any other thoughts from anyone?
Thanks, Colin
---
Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia

-----Original Message-----
From: David Bannon [mailto:D.Bannon@vpac.org]
Sent: Monday, 4 December 2006 6:08 PM
To: JP Navarro
Cc: Colin Enticott; gin-auth@ggf.org; gin-ops@ggf.org; 'Terrence Martin'
Subject: Re: [gin-auth] start Savannah run

Colin, you can run as a Gin user on any of the VPAC machines, may be easier to debug....
David
On Fri, 2006-12-01 at 12:34 -0600, JP Navarro wrote:
Colin,
The error in the logs is below. Not sure what it means. Could you try this test again from your SDSC TeraGrid account so we can rule out software and firewall issues?
Thanks,
JP
TIME: Thu Nov 30 18:49:42 2006
PID: 9608 -- Notice: 0: GATEKEEPER_ACCT_FD=5 (/var/globus/prews-gram-4.0.1-r3-i1/log/globus-gatekeeper.log)
TIME: Thu Nov 30 18:49:42 2006
PID: 9608 -- Notice: 6: Got connection 198.202.88.52 at Thu Nov 30 18:49:42 2006

Failed reading length 0
GSS authentication failure
globus_gss_assist token :3: read failure: Connection closed
Failure: GSS failed Major:01090000 Minor:00000000 Token:00000003

TIME: Thu Nov 30 18:49:42 2006
PID: 9608 -- Failure: GSS failed Major:01090000 Minor:00000000 Token:00000003
On Nov 30, 2006, at 7:05 PM, Colin Enticott wrote:
> Thanks JP,
>
> But I am running into some problems. I've tried both from our server and
> rocks-52 and this is what I get:
> [cme@rocks-52 ~]$ globus-job-run tg-grid1.uc.teragrid.org/jobmanager-fork /bin/uname -a
> GRAM Job submission failed because the connection to the server failed (check host and port) (error code 12)
> [cme@rocks-52 ~]$ grid-proxy-info
> subject : /C=AU/O=APACGrid/OU=Monash University/CN=Colin Enticott/CN=1087048434
> issuer : /C=AU/O=APACGrid/OU=Monash University/CN=Colin Enticott
> identity : /C=AU/O=APACGrid/OU=Monash University/CN=Colin Enticott
> type : Proxy draft (pre-RFC) compliant impersonation proxy
> strength : 512 bits
> path : /home/cme/globus_proxy.APACGrid
> timeleft : 836:30:26 (34.8 days)
> [cme@rocks-52 ~]$ ssh tg-grid1.uc.teragrid.org
> Warning: Permanently added 'tg-grid1.uc.teragrid.org' (RSA) to the list of known hosts.
> Permission denied (external-keyx,gssapi,publickey,gssapi,hostbased).
> [cme@rocks-52 ~]$
>
> That is the certificate that I registered with. I also tried the ssh key
> pair I put up on the pragma wiki.
>
> Any thoughts?
>
> Thanks,
> Colin
>
> ---
> Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
> Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia
>
>> -----Original Message-----
>> From: JP Navarro [mailto:navarro@mcs.anl.gov]
>> Sent: Friday, 1 December 2006 2:47 AM
>> To: Colin Enticott
>> Cc: zhengc@sdsc.edu; 'Terrence Martin'; gin-ops@ggf.org; 'Oscar Koeroo'; gin-auth@ggf.org
>> Subject: Re: start Savannah run
>>
>> Colin,
>>
>> You should be set to go on the UC/ANL TeraGrid cluster.
>>
>> GT4 Pre-WS GRAM: tg-grid1.uc.teragrid.org:2119
>> GT4 WS GRAM: tg-grid1.uc.teragrid.org:8443 (FORK, PBS)
>> GT4 GridFTP: tg-gridftp.uc.teragrid.org:2811
>>
>> Regards,
>>
>> JP
>>
>> On Nov 30, 2006, at 2:43 AM, Colin Enticott wrote:
>>
>>> Thank you everyone.
>>>
>>> I am now registered on the GIN VO (well, I appear here:
>>> http://kuiken.nikhef.nl/gin.ggf.org/grid-mapfile).
>>>
>>> What is my next step?
>>>
>>> Thanks,
>>> Colin
>>>
>>> ---
>>> Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
>>> Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia
>>>
>>>> -----Original Message-----
>>>> From: Cindy Zheng [mailto:zhengc@sdsc.edu]
>>>> Sent: Thursday, 30 November 2006 11:59 AM
>>>> To: 'Terrence Martin'
>>>> Cc: 'JP Navarro'; gin-ops@ggf.org; 'Oscar Koeroo'; 'Colin Enticott'; gin-auth@ggf.org
>>>> Subject: RE: FW: start Savannah run
>>>>
>>>> Thank you, Terrence!
>>>> We'll wait to hear from Colin when Colin finishes
>>>> registering to gin vo.
>>>> Cindy
>>>>
>>>>> -----Original Message-----
>>>>> From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
>>>>> Sent: Wednesday, November 29, 2006 11:36 AM
>>>>> To: Oscar Koeroo
>>>>> Cc: zhengc@sdsc.edu; 'JP Navarro'; gin-ops@ggf.org; 'Colin Enticott'; gin-auth@ggf.org
>>>>> Subject: Re: FW: start Savannah run
>>>>>
>>>>> Oscar Koeroo wrote:
>>>>>
>>>>>> Hi Terrence and Cindy,
>>>>>>
>>>>>> Getting new users up for registration on the GIN VO is easy. To be
>>>>>> able to access the secured website and for authentication reasons
>>>>>> during the registration process new users must have their certificate
>>>>>> loaded and ready in their webbrowser. The VOMS server is loaded with
>>>>>> all IGTF accredited CAs including the Fermilab kCA.
>>>>>>
>>>>>> Go to the website: https://kuiken.nikhef.nl:8443/voms/gin.ggf.org/ and
>>>>>> apply for a "New user registration".
>>>>>>
>>>>>> The usual VOMS configuration info is also available. I don't know what
>>>>>> you'll need to populate a GUMS server. This VOMS server is as any
>>>>>> other so I guess you can use your regular setup.
>>>>>> In addition to the secured interface I've also made available a
>>>>>> non-secured way of grabbing a grid-mapfile.
>>>>>> http://kuiken.nikhef.nl/gin.ggf.org/grid-mapfile
>>>>>> There is also an RSS-feed pointing to the grid-mapfile and the secured
>>>>>> interface at http://kuiken.nikhef.nl/gin.ggf.org/feed-gin.ggf.org.xml
>>>>>> Unfortunately I'm not aware of a clear guide. I do know a guide for
>>>>>> creating the packed certificate files that go into your browser if you
>>>>>> start from a two PEM formatted files (certificate file + private key
>>>>>> file) that's at http://certificate.nikhef.nl/info/browser
>>>>>> Once a user has passed that stage, the registration for the VO is as
>>>>>> trivial as any web-forum account registration.
>>>>>>
>>>>> I am assuming this user already has a grid cert since they list a DN so
>>>>> only VOMS registration is required. Once that is done either I run my
>>>>> update of GUMS manually or in 720/2 minutes on average the user will be
>>>>> automatically downloaded into my GUMS database. I actually do not have
>>>>> to do anything, but I can speed things up ever so slightly if I am in
>>>>> the office and someone asks me to try refreshing gums.
>>>>>
>>>>> Terrence
>>>>>
>>>>>> Oscar
>>>>>>
>>>>>> Cindy Zheng wrote:
>>>>>>
>>>>>>> Sounds right, Terrence. Let me ask Oscar who has helped me with GIN
>>>>>>> VO before.
>>>>>>>
>>>>>>> Hi, Oscar,
>>>>>>> Could you advise Colin what need to be done to be
>>>>>>> added in GIN VO?
>>>>>>> I'm also cc'ing to gin-auth list.
>>>>>>> If there is a guide for potential GIN users, please
>>>>>>> let me know the url and I can link it to our GINOPS
>>>>>>> page.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Cindy
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
>>>>>>>> Sent: Tuesday, November 28, 2006 3:24 PM
>>>>>>>> To: zhengc@sdsc.edu
>>>>>>>> Cc: 'JP Navarro'; gin-ops@ggf.org; 'Colin Enticott'
>>>>>>>> Subject: Re: FW: start Savannah run
>>>>>>>>
>>>>>>>> The quickest and easiest way for me is to have him added to a VO.
>>>>>>>> How easy is it to add him to the GIN VO? One in there I can hit my
>>>>>>>> gums reload and he will be able to access UCSD as a GIN user. Any
>>>>>>>> other approach requires me hacking his DN into my local VO which I
>>>>>>>> prefer to avoid and does not help him with any other site.
>>>>>>>>
>>>>>>>> Terrence
>>>>>>>>
>>>>>>>> Cindy Zheng wrote:
>>>>>>>>
>>>>>>>>> Thanks, Terrence, for the quick reply!
>>>>>>>>> Colin has not been a GIN user.
>>>>>>>>> What do you think it's the best way to get colin access?
>>>>>>>>> Cindy
>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
>>>>>>>>>> Sent: Tuesday, November 28, 2006 2:53 PM
>>>>>>>>>> To: zhengc@sdsc.edu
>>>>>>>>>> Cc: 'JP Navarro'; gin-ops@ggf.org
>>>>>>>>>> Subject: Re: FW: start Savannah run
>>>>>>>>>>
>>>>>>>>>> We only have a production cluster, but I should still be able to help.
>>>>>>>>>> I do not seem to have Colin in my GUMS database though for GIN or any
>>>>>>>>>> other VO. Should he be downloaded with GIN's users?
>>>>>>>>>>
>>>>>>>>>> Terrence
>>>>>>>>>>
>>>>>>>>>> Cindy Zheng wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi, JP and Terrence,
>>>>>>>>>>>
>>>>>>>>>>> Could you help Colin to get ready to run Savannah
>>>>>>>>>>> application on your GIN testbed clusters?
>>>>>>>>>>> You can find Colin's user info at
>>>>>>>>>>> http://wiki.pragma-grid.net/index.php?title=ColinDetails
>>>>>>>>>>> If you need more info or action from Colin, or have any questions
>>>>>>>>>>> for Colin or me, please let us know.
>>>>>>>>>>>
>>>>>>>>>>> Thank you very much!
>>>>>>>>>>>
>>>>>>>>>>> Cindy
>>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: Cindy Zheng [mailto:zhengc@sdsc.edu]
>>>>>>>>>>> Sent: Tuesday, November 28, 2006 2:31 PM
>>>>>>>>>>> To: 'gin-ops@ggf.org'
>>>>>>>>>>> Subject: start Savannah run
>>>>>>>>>>>
>>>>>>>>>>> Dear all,
>>>>>>>>>>>
>>>>>>>>>>> Thanks for all the people involved to help make
>>>>>>>>>>> TDDFT application run and GIN testbed monitoring
>>>>>>>>>>> very fruitful experiments! We have learned a lot and have
>>>>>>>>>>> presented our learnings at OGF and SC06.
>>>>>>>>>>>
>>>>>>>>>>> Let's continue our collaborative effort with our plan - start our
>>>>>>>>>>> next experiment with Savannah
>>>>>>>>>>> fire simulation - a data-intensive application, to explore data
>>>>>>>>>>> related interoperation issues.
>>>>>>>>>>>
>>>>>>>>>>> Colin Enticott at Monash University of Australia
>>>>>>>>>>> is the lead driver. Colin has documented the
>>>>>>>>>>> introduction and requirements of this application at
>>>>>>>>>>> http://wiki.pragma-grid.net/index.php?title=Savannah
>>>>>>>>>>> or go to
>>>>>>>>>>>
>>>>>>>>>> http://forge.gridforum.org/sf/wiki/do/viewPage/projects.gin/wiki/GinOps
>>>>>>>>>> click "Savannah" under "Applications",
>>>>>>>>>> where "first Savannah experiment" is referring to
>>>>>>>>>> a previous experiment in PRAGMA testbed. The
>>>>>>>>>> "second Savannah experiment" is the one for GIN testbed.
>>>>>>>>>>
>>>>>>>>>> We like to run this application on all Grids in GIN testbed, but
>>>>>>>>>> in 2 steps. First, we will run it on PRAGMA/TeraGrid/OSG - since
>>>>>>>>>> these should be relatively easier to do. We like to get this done
>>>>>>>>>> before the year end.
>>>>>>>>>> The next step, Colin will work with EGEE and Nordugrid
>>>>>>>>>> to develop possible solutions, to enable interoperation
>>>>>>>>>> and to include all 5 Grids in the run.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance for your continued help with this!
>>>>>>>>>>
>>>>>>>>>> Cindy

--
gin-auth mailing list
gin-auth@ogf.org
http://www.ogf.org/mailman/listinfo/gin-auth
--
gin-ops mailing list
gin-ops@ogf.org
http://www.ogf.org/mailman/listinfo/gin-ops

Colin,

UC/ANL TeraGrid GT4 client software and our services use GLOBUS_TCP_PORT_RANGE of "50000,51000".

What range does the firewall that your clients are sitting behind have open? The GLOBUS_TCP_PORT_RANGE on your clients should be set to that open range.

JP

On Dec 5, 2006, at 1:01 AM, Colin Enticott wrote:
Hi Terrence,
Some success. I can submit from uaf-1.t2.ucsd.edu to all sites using both with a generated proxy and the proxy I was trying everywhere else.
The machines I was trying from are: 130.194.70.23 131.170.184.61 198.202.88.52
I know the first machine has no firewall as I have exempted the host.
When we run the experiment, we will be running it from 130.194.70.23. I guess it comes down to an IP firewall issue, or our servers not trusting the host cert. I have added to my server all the CA here, am I missing one?: http://goc.pragma-grid.net/gin/gin-resources.html
Thanks, Colin
--- Colin Enticott, Research Scientist, Ph: +61 03 9903 2215 Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia

Hi JP,

GLOBUS_TCP_PORT_RANGE specifies which port range to create a listen socket. Therefore they do not need to be the same at both sites as firewalls generally (not all the time) tend to affect incoming socket requests. On our servers, we only allow incoming ports on 43000-44000, so if your site is only allowing 50000-51000 to come in on your side, it should have no effect. Unless your site only allows those ports going out; if so, I think you should be using GLOBUS_TCP_SOURCE_RANGE and our sites could never work together. Even so, I think "globusrun -a -r" should work as it only uses port 2119 which (as I've tested) is allowed.

I've noticed in the past the gt4 gives less error messages than gtk2.4, so I tried globusrun with gtk2.4.3 and got this error:

...
globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth: Error in OLD GAA code: Error checking certificate with subject /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against signing policy file /etc/grid-security/certificates/d1b603c3.signing_policy

I had a look in my /etc/grid-security/certificates. I only had these three files:

d1b603c3.0
d1b603c3.crl_url
d1b603c3.signing_policy

Whereas uaf-1.t2.ucsd.edu had:

d1b603c3.0
d1b603c3.crl_url
d1b603c3.info
d1b603c3.namespaces
d1b603c3.r0
d1b603c3.signing_policy

I copied them across and everything is working well. So it looks like a CA file problem after all.

Thank you everyone for your help. I wish the gt4 error reporting was as useful as the gt2.4.3 error reporting, as it really sent us down the wrong track.

Regards,
Colin

---
Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia
-----Original Message-----
From: JP Navarro [mailto:navarro@mcs.anl.gov]
Sent: Wednesday, 6 December 2006 2:59 AM
To: Colin Enticott
Cc: 'Terrence Martin'; 'Yoshio Tanaka'; D.Bannon@vpac.org; gin-auth@ggf.org; gin-ops@ggf.org
Subject: Re: [gin-ops] [gin-auth] start Savannah run
Colin,
UC/ANL TeraGrid GT4 client software and our services use GLOBUS_TCP_PORT_RANGE of "50000,51000".
What range does the firewall that your clients are sitting behind have open? The GLOBUS_TCP_PORT_RANGE on your clients should be set to that open range.
JP

Hi Colin,

Can you provide the error output for the gt4 commands you tried in this situation? If the error reporting has become less effective, then we (GT) need to fix that.

Thanks,
Stu

On Dec 5, 2006, at Dec 5, 6:34 PM, Colin Enticott wrote:
I've noticed in the past the gt4 gives less error messages than gtk2.4, so I tried globusrun with gtk2.4.3 and got this error:
...
globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth: Error in OLD GAA code: Error checking certificate with subject /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against signing policy file /etc/grid-security/certificates/d1b603c3.signing_policy

Hi Stuart,

The errors are below. Yes, as you can see the gt4 error said it was a connection error. Arguably, unable to establish trust is a connection error, but yes, we started to investigate firewall problems rather than CA issues.

Seeing as we are discussing error reporting, I always found the gt2.4 error messages hard to read. After a while, I started to look for key words in the message (and in this case it was the word trust) and work my way from there. It wasn't always clear if it was an error message from the client or the server.

What I propose is the first line should say "Error from client/server" and whether it is a socket or trust error and if so, which socket or certificate has caused the problem. I believe this would save a few headaches for test-bed creators.

GT4 error:
$ globusrun -a -r tg-grid1.uc.teragrid.org

GRAM Authentication test failure: connecting to the job manager failed. Possible reasons: job terminated, invalid job contact, network problems, ...

GT2.4 error:
$ globusrun -a -r tg-grid1.uc.teragrid.org

GRAM Authentication test failure: authentication failed:
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:

init.c:499: globus_gss_assist_init_sec_context_async: Error during context initialization
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not verify credential
globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy
globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth: Error in OLD GAA code: Error checking certificate with subject /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against signing policy file /etc/grid-security/certificates/d1b603c3.signing_policy

Thanks,
Colin

---
Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia
-----Original Message-----
From: Stuart Martin [mailto:smartin@mcs.anl.gov]
Sent: Friday, 8 December 2006 2:52 AM
To: Colin Enticott
Cc: 'JP Navarro'; gin-auth@ggf.org; D.Bannon@vpac.org; gin-ops@ggf.org; 'Terrence Martin'
Subject: Re: [gin-ops] [gin-auth] start Savannah run
Hi Colin,
Can you provide the error output for the gt4 commands you tried in this situation? If the error reporting has become less effective, then we (GT) need to fix that.
Thanks, Stu

Thanks Colin!

This is very helpful information about the problem. I'll get back to you once we figure out what we can do here.

-Stu

On Dec 11, 2006, at Dec 11, 10:22 PM, Colin Enticott wrote:
Hi Stuart,
The errors are below. Yes, as you can see the gt4 error said it was a connection error. Arguably, unable to establish trust is a connection error, but yes, we started to investigate firewall problems rather than CA issues.
Seeing as we are discussing error reporting, I always found the gt2.4 error messages hard to read. After a while, I started to look for key words in the message (and in this case it was the word trust) and work my way from there. It wasn't always clear if it was an error message from the client or the server.
What I propose is the first line should say "Error from client/server" and whether it is a socket or trust error and if so, which socket or certificate has caused the problem. I believe this would save a few headaches for test-bed creators.
GT4 error:
$ globusrun -a -r tg-grid1.uc.teragrid.org
GRAM Authentication test failure: connecting to the job manager failed. Possible reasons: job terminated, invalid job contact, network problems, ...
GT2.4 error:
$ globusrun -a -r tg-grid1.uc.teragrid.org
GRAM Authentication test failure: authentication failed:
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
init.c:499: globus_gss_assist_init_sec_context_async: Error during context initialization
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not verify credential
globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy
globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth: Error in OLD GAA code: Error checking certificate with subject /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against signing policy file /etc/grid-security/certificates/d1b603c3.signing_policy
Thanks, Colin
--- Colin Enticott, Research Scientist, Ph: +61 03 9903 2215 Room H7.26, Level 7, Building H, Monash University Caulfield 3145, Australia
participants (3)
-
Colin Enticott
-
JP Navarro
-
Stuart Martin
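
The comparison Colin describes doing by hand in this thread (his /etc/grid-security/certificates against the copy on uaf-1.t2.ucsd.edu) can be scripted. This is an added example, not code from the thread or from the Globus project; it assumes a copy of the known-good directory is available locally, and the function names and file contents are constructed. Only the d1b603c3.* file names come from the thread.

```python
import hashlib
import os
import re
import tempfile

# Trust anchors are stored as <8-hex-digit hash>.<suffix>,
# e.g. d1b603c3.0 and d1b603c3.signing_policy.
CA_FILE = re.compile(r"^([0-9a-f]{8})\.([A-Za-z0-9_]+)$")


def index_trust_dir(path):
    """Return {ca_hash: {suffix: sha256 of contents}} for one certificates directory."""
    index = {}
    for name in sorted(os.listdir(path)):
        match = CA_FILE.match(name)
        full = os.path.join(path, name)
        if not match or not os.path.isfile(full):
            continue  # ignore anything that is not a per-CA file
        with open(full, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        index.setdefault(match.group(1), {})[match.group(2)] = digest
    return index


def compare_trust_dirs(local, reference):
    """List (ca_hash, suffix, problem) for everything the reference has that local lacks
    or holds with different contents."""
    loc = index_trust_dir(local)
    ref = index_trust_dir(reference)
    findings = []
    for ca_hash in sorted(ref):
        if ca_hash not in loc:
            findings.append((ca_hash, "*", "CA absent locally"))
            continue
        for suffix in sorted(ref[ca_hash]):
            if suffix not in loc[ca_hash]:
                findings.append((ca_hash, suffix, "missing locally"))
            elif loc[ca_hash][suffix] != ref[ca_hash][suffix]:
                findings.append((ca_hash, suffix, "content differs"))
    return findings


def build_sample(root):
    """Constructed sample: the two directory listings from the thread, placeholder contents."""
    local = os.path.join(root, "local")
    reference = os.path.join(root, "reference")
    os.makedirs(local)
    os.makedirs(reference)
    for suffix in ["0", "crl_url", "info", "namespaces", "r0", "signing_policy"]:
        with open(os.path.join(reference, "d1b603c3." + suffix), "w") as fh:
            fh.write("placeholder %s (reference)\n" % suffix)
    for suffix in ["0", "crl_url", "signing_policy"]:
        body = "placeholder %s (reference)\n" % suffix
        if suffix == "signing_policy":
            # Assumption for the demo only: the thread does not say whether
            # the file contents differed between the two hosts.
            body = "placeholder signing_policy (older revision)\n"
        with open(os.path.join(local, "d1b603c3." + suffix), "w") as fh:
            fh.write(body)
    return local, reference


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        local_dir, reference_dir = build_sample(root)
        for ca_hash, suffix, problem in compare_trust_dirs(local_dir, reference_dir):
            print("%s.%s: %s" % (ca_hash, suffix, problem))
```

On a real host, pass /etc/grid-security/certificates as `local` and the directory copied from the working host as `reference`.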