[Halld-offline] problems using srm commands to UConn

Mark Ito marki at jlab.org
Sat Apr 19 19:14:02 EDT 2014


Richard,

FWIW, I still have a copy of my old (ca. March 2013) credentials. They 
are about to expire, but not yet! Anyway, I re-obtained my proxy using 
the old pem file and now the srmls works. So I am OK for another week or so.

   -- Mark

On 04/19/2014 10:21 AM, Richard Jones wrote:
> Hello all,
>
> Several of you have reported that you have problems with srm commands 
> to the UConn site, even though you have a valid proxy and are 
> authenticated to the voms.  I have been able to reproduce the problem, 
> as in the following example.
>
> $ srmls srm://grinch.phys.uconn.edu/Gluex/dc1.1-12-2012/dana_rest_1000596.hddm
> 2014-04-19 01:04:59,523 [main] ERROR org.dcache.srm.client.SRMClientV2 - srmLs : try # 0 failed with error ; nested exception is:
>         java.net.SocketException: Connection reset
> 2014-04-19 01:04:59,529 [main] ERROR org.dcache.srm.client.SRMClientV2 -  srmLs : try again
>
> Here is what happened.  At the top of the page on the digicert web site 
> <http://www.digicert-grid.com> are the following words:
>
> On January 8, 2014, DigiCert created two new SHA2 based issuing CAs 
> for the Grid-Only and Public Trust hierarchies. It is anticipated that 
> these will be used to issue grid certificates for existing clients 
> from May, 2014. They have been included in the IGTF Distribution of 
> Authority Root Certificates from version 1.56 of the distribution, 
> built on Monday, 24 Mar, 2014.
>
>
> So any certificates that were issued since Mar. 24, 2014 have this new 
> signature algorithm that can only be verified by recent updates to the 
> osg software. All of the client software at Jlab is up-to-date, and 
> most of my infrastructure -- except for the srm, which I was waiting 
> until after the data challenge to update. Remember we have been 
> thinking this dc-2 was imminent since January. This changeover to the 
> new-style certificates that took place on 3/24/2014 was almost 
> perfectly aligned to catch me with my proverbial drawers down.
>
> The bottom line is that if you just renewed your certificate in the 
> past 2 weeks then it is going to work with everything EXCEPT the UConn 
> srm, until I do the upgrade. I do not plan to do this until the dc-2 
> is over, in a week or so.
>
> If anyone would like an old-style proxy certificate that will work 
> until May 1, I have created it and uploaded it to the docdb as 
> document 2457. There is a README posted with it, to explain how to 
> activate it on your system. After you set it up, you can check it out 
> with the voms-proxy-info command. Of course, if you do a 
> voms-proxy-init you will overwrite it and need to fetch down a new copy.
>
> Sorry for the inconvenience.
>
> -Richard Jones

-- 
Mark M. Ito, Jefferson Lab, marki at jlab.org, (757)269-5295
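
The quoted message above traces the srm failures to certificates issued under the new SHA2 signature algorithm. The following Python sketch is an added example, not part of the original thread or of any grid tool: it reads the signature algorithm of every certificate in a PEM file (a user certificate or a proxy file) and reports the hash family. The function names and the sample certificate skeleton are constructed for illustration.

```python
import base64
import re

# DER content bytes of the signature OID -> (dotted OID, name, hash family)
SIG_OIDS = {
    "2a864886f70d010105": ("1.2.840.113549.1.1.5", "sha1WithRSAEncryption", "SHA-1"),
    "2a864886f70d01010b": ("1.2.840.113549.1.1.11", "sha256WithRSAEncryption", "SHA-2"),
    "2a864886f70d01010c": ("1.2.840.113549.1.1.12", "sha384WithRSAEncryption", "SHA-2"),
    "2a864886f70d01010d": ("1.2.840.113549.1.1.13", "sha512WithRSAEncryption", "SHA-2"),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_family(der):
    """Return (dotted OID, name, hash family) of a certificate's outer signatureAlgorithm."""
    outer_tag, start, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)             # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)         # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER-encoded X.509 certificate")
    raw = der[oid_start:oid_end].hex()
    return SIG_OIDS.get(raw, (raw, "unknown", "unknown"))

def scan_pem(pem_text):
    """Classify every certificate in a PEM file; a proxy file carries a whole chain."""
    return [signature_family(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]

# Constructed skeleton, not a real certificate: an empty tbsCertificate, a
# sha256WithRSAEncryption signatureAlgorithm, and a one-byte dummy signature.
SAMPLE_DER = bytes.fromhex("3017" "30020500" "300d0609" "2a864886f70d01010b" "0500" "03020000")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for oid, name, family in scan_pem(SAMPLE_PEM):
        print(f"{name} ({oid}): {family}")
```

To check a real file, pass its text to `scan_pem`; any entry reported as SHA-2 was signed with the newer algorithm the message describes.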