Friday, October 3, 2008

3rd Party Certificates within Globus

Verisign Certificates within Globus


grid-proxy-init ERROR: Couldn't verify the authenticity of the user's credential to generate a proxy from.

grid_proxy_init.c:1070:globus_gsi_cred_handle.c:globus_gsi_cred_verify_cert_chain:1733:
Error verifying credential: Failed to verify credential
globus_gsi_callback.c:globus_i_gsi_callback_create_proxy_callback:442:
Could not verify credential
globus_gsi_callback.c:globus_i_gsi_callback_cred_verify:681:
Can't get the local trusted CA certificate: Cannot find issuer certificate for local credential with subject: DATA-REMOVED-BY-DAN

GridFTP Error:

error: globus_ftp_client_state.c:globus_l_ftp_client_connection_error:4217:
the server responded with an error
530 530-globus_xio: Authentication Error
530-globus_gsi_callback_module: Could not verify credential
530-globus_gsi_callback_module: Error with signing policy
530-globus_gsi_callback_module: Error in OLD GAA code: CA policy violation:


Solution Summary:

The certificates were converted to PEM format with the Portecle application. Each hash file in the trusted-CA directory should contain the certificate chain, with the private key data removed from the file: /etc/grid-security/certificates holds public CA certificates only, and the user's private key belongs in ~/.globus, not there. Putting the chain in one file works because OpenSSL loads every certificate it finds in a hash file, although the usual layout is one CA certificate per hash file.

The commands (-noout stops openssl from echoing the certificate after the value you want):

openssl x509 -noout -issuer_hash -in [file_name].pem prints the hash of the issuer DN, which is the name the issuer's hash file must have.

openssl x509 -noout -issuer -in [file_name].pem prints the issuer DN, which is the access_id_CA to use in the signing policy.

openssl x509 -noout -subject -in [file_name].pem prints the subject DN, from which the cond_subjects pattern in the signing policy is built.


The step by step solution:

1. Export your certificate with Internet Explorer using the Personal Information Exchange (PKCS #12) option.

2. Check the "Include all certificates and certificate paths" box. NOTE: this should be the only option checked.

3. Upload the exported PKCS #12 file to the Globus node. It contains the root certificate, the intermediate certificate, and your own certificate with its private key.

4. Use Portecle to view the exported certificates. Portecle is started with the following command: java -jar portecle.jar

5. Right-click the certificate, then use the PEM Encoded option in Portecle to export the private key and the certificate chain.

6. Remove the private key data from the PEM file that was created.

7. Determine the hash names for the PEM file. Globus looks each certificate up by the hash of its DN, so take both the subject hash and the issuer hash:

openssl x509 -noout -hash -in yourfile.pem
openssl x509 -noout -issuer_hash -in yourfile.pem

(-hash is the subject hash, also spelled -subject_hash.) The -issuer and -subject options from the summary above give the DNs for access_id_CA and cond_subjects in the signing policy.

8. Rename the file to the hash value displayed, in the format hash.0. NOTE: OpenSSL 1.0.0 changed the algorithm behind -hash; on a newer OpenSSL, -subject_hash_old prints the value that Globus builds linked against an older OpenSSL expect, and it is safe to install the files under both names.

9. Manually create a signing policy file named hash.signing_policy (same hash as the certificate file). It has three entries: access_id_CA (the CA's DN, type X509), pos_rights globus CA:sign, and cond_subjects (the DN pattern the CA is allowed to sign).

10. Copy the new files to /etc/grid-security/certificates

11. Create a duplicate copy of the hash.0 file under the issuer hash as well as the subject hash, for example awd2dq.0 and 7847a3s.0 (illustrative names). There are then two hash files containing the same certificate chain; only the names differ.

12. Create a signing policy file for each hash file, based on the intermediate and root certificates respectively.
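The procedure from step 6 onward, as a shell script. This is an added example, not code from the original post or from the Globus project. It assumes openssl is on PATH and that Portecle has already produced a PEM file (the PRIVATE KEY block may still be in it; the script drops it). It differs from step 11 in one way: rather than copying the whole chain under two names, it installs each certificate of the chain under its own subject hash, which is the layout Globus expects and yields the same lookup result. It also assumes each CA may sign only subjects under its own DN prefix, which is a guess; check the cond_subjects line against the DNs the VeriSign issuing CA actually signs before trusting it.

```sh
#!/bin/sh
# Added example, not code from the original post or from Globus.
# Installs a PEM chain (as exported by Portecle, possibly still holding
# the PRIVATE KEY block) into a Globus trusted-CA directory as
#   <hash>.0               one CA certificate per file
#   <hash>.signing_policy  policy naming that CA as access_id_CA
# Assumptions (not from the page): openssl is on PATH, the destination
# directory is writable, and each CA signs only subjects under its own
# DN prefix (edit cond_subjects if that does not hold for your CA).
set -e

# Pass through CERTIFICATE blocks only; anything else in the file,
# including a PRIVATE KEY block, is dropped.
strip_private_keys() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /^-----END CERTIFICATE-----/ { keep = 0 }' "$1"
}

# Split certificate-only PEM on stdin into $1/cert-1.pem, $1/cert-2.pem,
# ... and print how many certificates were written.
split_chain() {
    awk -v dir="$1" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        n { print > out }
        /^-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }'
}

# Subject DN in the slash form Globus uses, e.g. /C=US/O=Example/CN=Root.
# -nameopt compat keeps that form on OpenSSL 1.1 and later; the sed
# handles both "subject=" and the older "subject= " prefix.
subject_dn() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# Write <hash>.0 and <hash>.signing_policy for one CA certificate.
# cond_subjects is the CA's own DN with the last RDN replaced by '*':
# a CA with subject /C=US/O=Example/CN=Root CA may sign /C=US/O=Example/*.
install_ca_cert() {
    cert="$1"; dest="$2"
    dn=$(subject_dn "$cert")
    prefix=${dn%/*}
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    cp "$cert" "$dest/$hash.0"
    cat > "$dest/$hash.signing_policy" <<EOF
access_id_CA      X509         '$dn'
pos_rights        globus        CA:sign
cond_subjects     globus        '"$prefix/*"'
EOF
    # OpenSSL 1.0.0 changed the subject-hash algorithm. Globus builds
    # linked against an older OpenSSL look for the old value, so also
    # install the same files under that name when openssl can compute it.
    old=$(openssl x509 -noout -subject_hash_old -in "$cert" 2>/dev/null || true)
    if [ -n "$old" ] && [ "$old" != "$hash" ]; then
        cp "$dest/$hash.0" "$dest/$old.0"
        cp "$dest/$hash.signing_policy" "$dest/$old.signing_policy"
    fi
    echo "$hash"
}

# Whole procedure: chain file in, trusted-CA directory out.
# Prints the subject hash of each certificate it installed.
install_chain() {
    chain="$1"; dest="$2"
    work=$(mktemp -d)
    strip_private_keys "$chain" | split_chain "$work" >/dev/null
    for c in "$work"/cert-*.pem; do
        [ -e "$c" ] || continue
        install_ca_cert "$c" "$dest"
    done
    rm -rf "$work"
}

# Usage: install.sh exported.pem /etc/grid-security/certificates
if [ "$#" -eq 2 ]; then
    install_chain "$1" "$2"
fi
```

Run it as root against the Portecle export and /etc/grid-security/certificates, then re-run grid-proxy-init; the "Cannot find issuer certificate" error should be gone. If GridFTP still answers "CA policy violation", the cond_subjects pattern does not cover the user DN and must be widened to the branch the CA really signs.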
