[Halld-offline] problems using srm commands to UConn
Richard Jones
richard.t.jones at uconn.edu
Sat Apr 19 10:21:30 EDT 2014
Hello all,
Several of you have reported that you have problems with srm commands to
the UConn site, even though you have a valid proxy and are authenticated to
the voms. I have been able to reproduce the problem, as in the following
example.
$ srmls srm://grinch.phys.uconn.edu/Gluex/dc1.1-12-2012/dana_rest_1000596.hddm
2014-04-19 01:04:59,523 [main] ERROR org.dcache.srm.client.SRMClientV2 - srmLs : try # 0 failed with error ; nested exception is:
java.net.SocketException: Connection reset
2014-04-19 01:04:59,529 [main] ERROR org.dcache.srm.client.SRMClientV2 - srmLs : try again
Here is what happened. At the top of the page on the digicert web
site <http://www.digicert-grid.com> are the following words:
On January 8, 2014, DigiCert created two new SHA2 based issuing CAs for the
Grid-Only and Public Trust hierarchies. It is anticipated that these will
be used to issue grid certificates for existing clients from May, 2014.
They have been included in the IGTF Distribution of Authority Root
Certificates from version 1.56 of the distribution, built on Monday, 24
Mar, 2014.
So any certificates that were issued since Mar. 24, 2014 have this new
signature algorithm that can only be verified by recent updates to the osg
software. All of the client software at Jlab is up-to-date, and most of my
infrastructure -- except for the srm, which I was waiting until after the
data challenge to update. Remember we have been thinking this dc-2 was
imminent since January. This changeover to the new-style certificates that
took place on 3/24/2014 was almost perfectly aligned to catch me with my
proverbial drawers down.
The bottom line is that if you just renewed your certificate in the past 2
weeks then it is going to work with everything EXCEPT the UConn srm, until
I do the upgrade. I do not plan to do this until the dc-2 is over, in a
week or so.
If anyone would like an old-style proxy certificate that will work until
May 1, I have created it and uploaded it to the docdb as document 2457.
There is a README posted with it, to explain how to activate it on your
system. After you set it up, you can check it out with the voms-proxy-info
command. Of course, if you do a voms-proxy-init you will overwrite it and
need to fetch down a new copy.
Sorry for the inconvenience.
-Richard Jones