Certification Report for Patch #3992 ([gridsite] lsc capability + fix for mod_ssl update)
Origins
Clean installation
Environment
* Clean SL5 installation according to gLite guidelines (CA certificates, ...)
Process
yum -y -c http://etics-repository.cern.ch/repository/pm/registered/repomd/id/2ae74be1-fdd5-4c08-8436-c8fcabd6a64f/sl5_x86_64_gcc412/etics-registered-build-by-id-protect.repo install gridsite-apache gridsite-commands gridsite-debuginfo gridsite-devel gridsite-gsexec gridsite-service-clients gridsite-services gridsite-shared
Full output of the installation
[root@forkys-sl65 ~]# yum -y -c http://etics-repository.cern.ch/repository/pm/registered/repomd/id/2ae74be1-fdd5-4c08-8436-c8fcabd6a64f/sl5_x86_64_gcc412/etics-registered-build-by-id-protect.repo install gridsite-apache gridsite-commands gridsite-debuginfo gridsite-devel gridsite-gsexec gridsite-service-clients gridsite-services gridsite-shared
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package gridsite-apache.x86_64 0:1.7.9-2.sl5 set to be updated
---> Package gridsite-commands.x86_64 0:1.7.9-2.sl5 set to be updated
---> Package gridsite-debuginfo.x86_64 0:1.7.9-2.sl5 set to be updated
---> Package gridsite-devel.x86_64 0:1.7.9-2.sl5 set to be updated
---> Package gridsite-gsexec.x86_64 0:1.7.9-2.sl5 set to be updated
---> Package gridsite-service-clients.x86_64 0:1.7.9-2.sl5 set to be updated
---> Package gridsite-services.x86_64 0:1.7.9-2.sl5 set to be updated
---> Package gridsite-shared.x86_64 0:1.7.9-2.sl5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository
Size
================================================================================
Installing:
gridsite-apache x86_64 1.7.9-2.sl5 ETICS-registered-build-2ae74be1-fdd5-4c08-8436-c8fcabd6a64f-sl5_x86_64_gcc412
70 k
gridsite-commands x86_64 1.7.9-2.sl5 ETICS-registered-build-2ae74be1-fdd5-4c08-8436-c8fcabd6a64f-sl5_x86_64_gcc412
29 k
gridsite-debuginfo x86_64 1.7.9-2.sl5 ETICS-registered-build-2ae74be1-fdd5-4c08-8436-c8fcabd6a64f-sl5_x86_64_gcc412
405 k
gridsite-devel x86_64 1.7.9-2.sl5 ETICS-registered-build-2ae74be1-fdd5-4c08-8436-c8fcabd6a64f-sl5_x86_64_gcc412
80 k
gridsite-gsexec x86_64 1.7.9-2.sl5 ETICS-registered-build-2ae74be1-fdd5-4c08-8436-c8fcabd6a64f-sl5_x86_64_gcc412
12 k
gridsite-service-clients x86_64 1.7.9-2.sl5 ETICS-registered-build-2ae74be1-fdd5-4c08-8436-c8fcabd6a64f-sl5_x86_64_gcc412
79 k
gridsite-services x86_64 1.7.9-2.sl5 ETICS-registered-build-2ae74be1-fdd5-4c08-8436-c8fcabd6a64f-sl5_x86_64_gcc412
69 k
gridsite-shared x86_64 1.7.9-2.sl5 ETICS-registered-build-2ae74be1-fdd5-4c08-8436-c8fcabd6a64f-sl5_x86_64_gcc412
129 k
Transaction Summary
================================================================================
Install 8 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 872 k
Downloading Packages:
(1/8): gridsite-gsexec-1.7.9-2.sl5.x86_64.rpm | 12 kB 00:00
(2/8): gridsite-commands-1.7.9-2.sl5.x86_64.rpm | 29 kB 00:00
(3/8): gridsite-services-1.7.9-2.sl5.x86_64.rpm | 69 kB 00:00
(4/8): gridsite-apache-1.7.9-2.sl5.x86_64.rpm | 70 kB 00:00
(5/8): gridsite-service-clients-1.7.9-2.sl5.x86_64.rpm | 79 kB 00:00
(6/8): gridsite-devel-1.7.9-2.sl5.x86_64.rpm | 80 kB 00:00
(7/8): gridsite-shared-1.7.9-2.sl5.x86_64.rpm | 129 kB 00:00
(8/8): gridsite-debuginfo-1.7.9-2.sl5.x86_64.rpm | 405 kB 00:00
--------------------------------------------------------------------------------
Total 606 kB/s | 872 kB 00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : gridsite-shared 1/8
Installing : gridsite-debuginfo 2/8
Installing : gridsite-services 3/8
Installing : gridsite-gsexec 4/8
Installing : gridsite-service-clients 5/8
Installing : gridsite-commands 6/8
Installing : gridsite-devel 7/8
Installing : gridsite-apache 8/8
Installed:
gridsite-apache.x86_64 0:1.7.9-2.sl5
gridsite-commands.x86_64 0:1.7.9-2.sl5
gridsite-debuginfo.x86_64 0:1.7.9-2.sl5
gridsite-devel.x86_64 0:1.7.9-2.sl5
gridsite-gsexec.x86_64 0:1.7.9-2.sl5
gridsite-service-clients.x86_64 0:1.7.9-2.sl5
gridsite-services.x86_64 0:1.7.9-2.sl5
gridsite-shared.x86_64 0:1.7.9-2.sl5
Complete!
Tests
https://twiki.cern.ch/twiki/bin/view/EGEE/GridSiteTestPlan
Test preparations:
yum -y install httpd mod_ssl
sed -e '1,$s!/usr/lib/httpd/modules/!modules/!' /usr/share/doc/gridsite-*/httpd-webserver.conf | sed 's!/var/www/html!/var/www/htdocs!' | sed "s/FULL.SERVER.NAME/$(hostname -f)/" | sed "s/\(GridSiteGSIProxyLimit\)/# \1/"> /tmp/httpd-webserver.conf
echo "AddHandler cgi-script .cgi" >> /tmp/httpd-webserver.conf
echo "ScriptAlias /gridsite-delegation.cgi /usr/sbin/gridsite-delegation.cgi" >> /tmp/httpd-webserver.conf
mkdir /var/www/htdocs
httpd -f /tmp/httpd-webserver.conf
Ping Tests
./ping-remote.sh -x `hostname -f`
Nov 25 14:06:58 forkys-sl65 ping-remote.sh:
start
Testing if all binaries are available
done
Testing ping to Apache server forkys-sl65.zcu.cz
done
Testing Apache server at forkys-sl65.zcu.cz:443
done
Nov 25 14:07:01 forkys-sl65 ping-remote.sh:
end
./ping-local.sh -x -f /tmp/httpd-webserver.conf
Nov 25 14:33:59 forkys-sl65 ping-local.sh:
start
Testing if all binaries are available
done
Testing if Apache is running
done
Testing if GridSite is loaded
done
Testing if Apache is listening on port 443
done
Nov 25 14:34:00 forkys-sl65 ping-local.sh:
end
Functionality tests
READ (read permissions)
[root@forkys-sl65 ~]# cat >/var/www/htdocs/test.html <<EOF
> <html><body><h1>Hello Grid</h1></body></html>
> EOF
[root@forkys-sl65 ~]# code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' https://$(hostname -f)/test.html`
[root@forkys-sl65 ~]# [ "$code" = "403" ] && echo "OK"
OK
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# cat >/var/www/htdocs/.gacl <<EOF
> <gacl>
> <entry>
> <any-user/>
> <allow><read/></allow>
> </entry>
> </gacl>
> EOF
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' https://$(hostname -f)/test.html`
[root@forkys-sl65 ~]# [ "$code" = "200" ] && echo "OK"
OK
Get index (list & read permissions)
[root@forkys-sl65 ~]# code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
> https://$(hostname -f)/`
[root@forkys-sl65 ~]# [ "$code" = "403" ] && echo "OK"
OK
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# cat >/var/www/htdocs/.gacl <<EOF
> <gacl>
> <entry>
> <person>
> <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
> </person>
> <allow><read/><list/></allow>
> </entry>
> </gacl>
> EOF
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
> https://$(hostname -f)/`
[root@forkys-sl65 ~]# [ "$code" = "200" ] && echo "OK"
OK
WRITE & DELETE (write permissions)
[root@forkys-sl65 ~]# rm -f /var/www/htdocs/.gacl /var/www/htdocs/test.txt
[root@forkys-sl65 ~]# date > /tmp/test.txt
[root@forkys-sl65 ~]# chown apache /var/www/htdocs/
[root@forkys-sl65 ~]# code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
> --upload-file /tmp/test.txt https://$(hostname -f)/test.txt`
[root@forkys-sl65 ~]# [ "$code" = "403" ] && echo "OK"
OK
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# cat >/var/www/htdocs/.gacl <<EOF
> <gacl>
> <entry>
> <person>
> <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
> </person>
> <allow><write/></allow>
> </entry>
> </gacl>
> EOF
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
> --upload-file /tmp/test.txt https://$(hostname -f)/test.txt`
[root@forkys-sl65 ~]# cmp -s /tmp/test.txt /var/www/htdocs/test.txt
[root@forkys-sl65 ~]# [ $? -eq 0 -a "$code" = "201" ] && echo "OK"
OK
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# mv /var/www/htdocs/.gacl /var/www/htdocs/.gacl.bak
[root@forkys-sl65 ~]# code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
> -X DELETE https://$(hostname -f)/test.txt`
[root@forkys-sl65 ~]# [ "$code" = "403" ] && echo "OK"
OK
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# mv /var/www/htdocs/.gacl.bak /var/www/htdocs/.gacl
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
> -X DELETE https://$(hostname -f)/test.txt`
[root@forkys-sl65 ~]# [ "$code" = "200" ] && echo "OK"
OK
[root@forkys-sl65 ~]# chown root /var/www/htdocs
Check the attributes passed on to the environment
[root@forkys-sl65 ~]# cat >/var/www/htdocs/.gacl <<EOF
> <gacl>
> <entry>
> <person>
> <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
> </person>
> <allow><read/></allow>
> </entry>
> </gacl>
> EOF
[root@forkys-sl65 ~]# cat >/var/www/htdocs/test.cgi <<EOF
> #!/bin/sh
> echo 'Content-type: text/plain'
> echo
> printenv
> EOF
[root@forkys-sl65 ~]# chmod +x /var/www/htdocs/test.cgi
[root@forkys-sl65 ~]# code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /tmp/gridsite.log --silent --write-out '%{http_code}\n' https://$(hostname -f)/test.cgi`
[root@forkys-sl65 ~]# [ "$code" = "200" ] && echo "OK"
OK
[root@forkys-sl65 ~]# grep "^GRST_" /tmp/gridsite.log 2>/dev/null
GRST_CRED_AURI_0=dn:/DC=cz/DC=cesnet-ca/O=University+of+West+Bohemia/CN=forkys.zcu.cz
GRST_CRED_AURI_1=dns:forkys-sl65.zcu.cz
GRST_CRED_AURI_2=ip:127.0.0.1
GRST_ACL_FORMAT=GACL
GRST_DN_LISTS=/etc/grid-security/dn-lists/:/var/www/htdocs/dn-lists/
GRST_DISK_MODE=0x0600
GRST_HEAD_FILE=gridsitehead.txt
GRST_CONN_AURI_0=dn:/DC=cz/DC=cesnet-ca/O=University+of+West+Bohemia/CN=forkys.zcu.cz
GRST_PERM=1
GRST_CRED_0=X509USER 1265031720 1298988720 0 /DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=forkys.zcu.cz
GRST_EDITABLE= txt shtml html htm css js php jsp
GRST_REQUIRE_PASSCODE=off
GRST_GSIPROXY_LIMIT=1
GRST_CONN_VALID_0=notbefore=1265031720 notafter=1298988720 delegation=0 nist-loa=0
GRST_CRED_VALID_2=notbefore=0 notafter=2147483647 delegation=0 nist-loa=0
GRST_DN_LISTS_URI=/dn-lists/
GRST_FOOT_FILE=gridsitefoot.txt
GRST_CRED_VALID_1=notbefore=0 notafter=2147483647 delegation=0 nist-loa=0
GRST_CRED_VALID_0=notbefore=1265031720 notafter=1298988720 delegation=0 nist-loa=3
GRST_DIR_PATH=/var/www/htdocs
GRST_ADMIN_FILE=gridsite-admin.cgi
[root@forkys-sl65 ~]# [ $? -eq 0 ] && echo "OK"
OK
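A stricter variant of the grep "^GRST_" check above, as an added example that is not part of the original report or of GridSite: it parses each GRST_CRED_<n> entry of the printenv dump and classifies its validity window against a given time. The field layout (type, notbefore, notafter, delegation, value), the function names and the evaluation timestamp are assumptions; the sample lines are copied from this report's transcripts.

```sh
#!/bin/sh
# Added example: classify GRST_CRED_<n> entries from a test.cgi printenv dump.
# Assumed field layout, inferred from GRST_CRED_0 and GRST_CRED_VALID_0
# carrying the same numbers in the dump above:
#   GRST_CRED_<n>=<type> <notbefore> <notafter> <delegation> <value>

# Usage: grst_check_creds NOW < dump    (NOW = Unix time to evaluate against)
# Prints "<n> <type> <status> <value>" per credential and returns 1 if any
# credential is malformed or not currently valid.
grst_check_creds() {
    awk -v now="$1" '
    /^GRST_CRED_[0-9]+=/ {                   # skips GRST_CRED_AURI_* / _VALID_*
        eq   = index($0, "=")
        idx  = substr($0, 11, eq - 11)       # digits after "GRST_CRED_"
        rest = substr($0, eq + 1)
        n = split(rest, f, " ")
        if (n < 5) { printf "%s ? malformed\n", idx; bad = 1; next }
        type = f[1]; nb = f[2] + 0; na = f[3] + 0
        # The value (DN or FQAN) may contain spaces: rejoin fields 5..n.
        val = f[5]; for (i = 6; i <= n; i++) val = val " " f[i]
        if (nb > na)         status = "bad-window"     # inverted window
        else if (now < nb)   status = "not-yet-valid"
        else if (now > na)   status = "expired"
        else                 status = "valid"
        if (status != "valid") bad = 1
        printf "%s %s %s %s\n", idx, type, status, val
    }
    END { exit bad + 0 }
    '
}

# Sample input assembled from lines printed in this report (hypothetical helper).
grst_sample_dump() {
    cat <<'EOF'
GRST_CRED_AURI_0=dn:/DC=cz/DC=cesnet-ca/O=University+of+West+Bohemia/CN=forkys.zcu.cz
GRST_CRED_0=X509USER 1265031720 1298988720 0 /DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=forkys.zcu.cz
GRST_CRED_VALID_0=notbefore=1265031720 notafter=1298988720 delegation=0 nist-loa=3
GRST_CRED_2=VOMS 47264323295072 1290804316 0 /voce/Role=NULL/Capability=NULL
EOF
}

# Evaluate the sample at an assumed time inside the VOMS AC lifetime.
grst_sample_dump | grst_check_creds 1290780000 \
    || echo "at least one credential is not currently valid"
```

Against the live server, the dump written to /tmp/gridsite.log by the curl command above can be fed to the function with the current time: grst_check_creds "$(date +%s)" < /tmp/gridsite.log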
Test the basic commands (htcp, htls, htmkdir, htmv, htrm)
[root@forkys-sl65 ~]# cat >/var/www/htdocs/.gacl <<EOF
> <gacl>
> <entry>
> <person>
> <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
> </person>
> <allow><read/><write/><list/></allow>
> </entry>
> </gacl>
> EOF
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# chown apache /var/www/htdocs/
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# date > /tmp/test.txt
[root@forkys-sl65 ~]# htcp --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ /tmp/test.txt https://$(hostname -f)/
[root@forkys-sl65 ~]# [ $? -eq 0 ] && echo "OK"
OK
[root@forkys-sl65 ~]# htls --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test.txt > /dev/null
[root@forkys-sl65 ~]# [ $? -eq 0 ] && echo "OK"
OK
[root@forkys-sl65 ~]# htmv --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test.txt https://$(hostname -f)/test2.txt
[root@forkys-sl65 ~]# [ $? -eq 0 ] && echo "OK"
OK
[root@forkys-sl65 ~]# htcp --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test2.txt /tmp
[root@forkys-sl65 ~]# [ $? -eq 0 ] && echo "OK"
OK
[root@forkys-sl65 ~]# htrm --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test2.txt
[root@forkys-sl65 ~]# [ $? -eq 0 ] && echo "OK"
OK
[root@forkys-sl65 ~]# htls --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test2.txt 2> /dev/null
[root@forkys-sl65 ~]# [ $? -eq 22 ] && echo "OK"
OK
[root@forkys-sl65 ~]# htls --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/ > /dev/null
[root@forkys-sl65 ~]# [ $? -eq 0 ] && echo "OK"
OK
[root@forkys-sl65 ~]# cmp /tmp/test.txt /tmp/test2.txt
[root@forkys-sl65 ~]# [ $? -eq 0 ] && echo "OK"
OK
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# chown root /var/www/htdocs/
[root@forkys-sl65 ~]# mkdir /var/www/proxycache
[root@forkys-sl65 ~]# chown apache /var/www/proxycache
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# #delegation
[root@forkys-sl65 ~]# id=`htproxyput --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates https://$(hostname -f)/gridsite-delegation.cgi`
SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
"SSL error"
Detail: SSL certificate host name mismatch in tcp_connect()
[root@forkys-sl65 ~]# [ $? -eq 0 -a -n "$id" ] && echo OK
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# #delegation
[root@forkys-sl65 ~]# id=`htproxyput --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates https://$(hostname -f)/gridsite-delegation.cgi`
[root@forkys-sl65 ~]# [ $? -eq 0 -a -n "$id" ] && echo OK
OK
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# expiry=`htproxyunixtime --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --delegation-id $id https://$(hostname -f)/gridsite-delegation.cgi`
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# newid=`htproxyrenew --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --delegation-id $id https://$(hostname -f)/gridsite-delegation.cgi`
[root@forkys-sl65 ~]# [ $? -eq 0 -a -n "$newid" ] && echo OK
OK
[root@forkys-sl65 ~]#
[root@forkys-sl65 ~]# htproxydestroy --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --delegation-id $id https://$(hostname -f)/gridsite-delegation.cgi
A bug due to the alternative Subject Name. A workaround of editing /etc/hosts was used here.
Upgrade from production
N/A
Review of Linked Bugs (manual regression tests)
Before starting, make sure that the test.cgi is available and working.
#39254 – mod_gridsite LSC awareness
Grant access to the test.cgi above to <any-user>. Create a VOMS proxy and check that it can be verified if and only if the proper .lsc file is specified.
[root@forkys-sl65 htdocs]# voms-proxy-info --fqan
/voce/Role=NULL/Capability=NULL
[root@forkys-sl65 htdocs]# rm -rf /etc/grid-security/vomsdir
[root@forkys-sl65 htdocs]# curl --cert /tmp/x509up_u0 --key /tmp/x509up_u0 --capath /etc/grid-security/certificates --silent https://$(hostname -f)/test.cgi|grep GRST_CRED_2
[root@forkys-sl65 htdocs]# mkdir -p /etc/grid-security/vomsdir/voce/
[root@forkys-sl65 htdocs]# cat > /etc/grid-security/vomsdir/voce/voms1.egee.cesnet.cz.lsc <<EOF
> /DC=cz/DC=cesnet-ca/O=CESNET/CN=voms1.egee.cesnet.cz
> /DC=cz/DC=cesnet-ca/CN=CESNET CA
> EOF
[root@forkys-sl65 htdocs]# curl --cert /tmp/x509up_u0 --key /tmp/x509up_u0 --capath /etc/grid-security/certificates --silent https://$(hostname -f)/test.cgi|grep GRST_CRED_2
GRST_CRED_2=VOMS 47264323295072 1290804316 0 /voce/Role=NULL/Capability=NULL
Fix certified
#52274 – ldconfig complains libgridsite*.so.1.5 is not a symbolic link
[root@forkys-sl65 htdocs]# ls -l /usr/lib64/libgridsite*.so.1.7
lrwxrwxrwx 1 root root 27 Nov 25 14:01 /usr/lib64/libgridsite_globus.so.1.7 -> libgridsite_globus.so.1.7.9
lrwxrwxrwx 1 root root 26 Nov 25 14:01 /usr/lib64/libgridsite_nossl.so.1.7 -> libgridsite_nossl.so.1.7.9
lrwxrwxrwx 1 root root 20 Nov 25 14:01 /usr/lib64/libgridsite.so.1.7 -> libgridsite.so.1.7.9
Fix certified
#52429 – gridsite-apache is packaged with the wrong prefix
All files are installed under /usr:
[root@forkys-sl65 htdocs]# rpm -ql gridsite-apache-1.7.9-2.sl5.x86_64
/usr/lib64/httpd/modules/mod_gridsite.so
/usr/sbin/gridsite-copy.cgi
/usr/sbin/gridsite-storage.cgi
/usr/sbin/real-gridsite-admin.cgi
/usr/share/man/man8/mod_gridsite.8.gz
Fix certified
#53314 – WMSProxy(mod_gridsite) ignores VOMS attributes of 'new' VOMS proxies
Grant access to the test.cgi above to <any-user> and create a VOMS proxy containing an FQAN of the new format. Check that the VOMS ACs are correctly verified and passed on by GridSite.
[root@forkys-sl65 httpd]# voms-proxy-info -file /tmp/x509up_u500 -fqan
/voms1
/voms1/group1
[root@forkys-sl65 httpd]# curl --cert /tmp/x509up_u500 --key /tmp/x509up_u500 --capath /etc/grid-security/certificates --silent https://$(hostname -f)/test.cgi|grep GRST_CRED_\[23\]
GRST_CRED_2=VOMS 47264323295072 1286421584 0 /voms1
GRST_CRED_3=VOMS 47264323295072 1286421584 0 /voms1/group1
Fix certified
#53497 – GridSite rejects VOMS ACs if matching expired VOMS issuer cert is present
Grant access to the test.cgi above to <any-user> and create a VOMS proxy. Verify that the VOMS ACs are correctly verified even if an expired VOMS certificate is available (and used first by the library; check using strace to be sure). Make sure no .lsc file is given for the VO.
[root@forkys-sl65 ~]# voms-proxy-info --fqan
/voce/Role=NULL/Capability=NULL
[root@forkys-sl65 ~]# ls /etc/grid-security/vomsdir/
voms3.pem
[root@forkys-sl65 ~]# voms-proxy-info -issuer -subject -timeleft -file /etc/grid-security/vomsdir/voms3.pem
/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms1.egee.cesnet.cz
/DC=cz/DC=cesnet-ca/CN=CESNET CA
0
[root@forkys-sl65 ~]# curl --cert /tmp/x509up_u0 --key /tmp/x509up_u0 --capath /etc/grid-security/certificates --silent https://$(hostname -f)/test.cgi|grep GRST_CRED_2
[root@forkys-sl65 ~]# cp /tmp/voms1.pem /etc/grid-security/vomsdir
[root@forkys-sl65 ~]# voms-proxy-info -issuer -subject -timeleft -file /etc/grid-security/vomsdir/voms1.pem
/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms1.egee.cesnet.cz
/DC=cz/DC=cesnet-ca/CN=CESNET CA
29578489
[root@forkys-sl65 ~]# curl --cert /tmp/x509up_u0 --key /tmp/x509up_u0 --capath /etc/grid-security/certificates --silent https://$(hostname -f)/test.cgi|grep GRST_CRED_2
GRST_CRED_2=VOMS 1290761116 1290804316 0 /voce/Role=NULL/Capability=NULL
Fix certified
#53721 – Gridsite produces version 4 certificates on delegation
Follow the test for #56974 and check the Version afterwards:
[root@forkys-sl65 ~]# openssl x509 -in /var/www/proxycache/%3A%2FDC%3Dcz%2FDC%3Dcesnet-ca%2FO%3DMasaryk%2BUniversity%2FCN%3DDaniel%2BKouril/40dd2d7f18cf2c69/userproxy.pem -noout -text|grep Version:
Version: 3 (0x2)
Fix certified
#56238 – gridsite htttp2.2 and slc5
The certification tests have been done on SLC5 using httpd-2.2.3, which demonstrates that GridSite works correctly on that combination.
Fix certified
#56974 – Gridsite delegation proxy style mix up
Make sure delegation retains the RFC format
[root@forkys-sl65 ~]# voms-proxy-init -cert ~/.globus/usercert.pem -key ~/.globus/userkey.pem -rfc
Enter GRID pass phrase:
Your identity: /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril
Creating proxy ........................................................................... Done
Your proxy is valid until Sat Nov 27 02:54:25 2010
[root@forkys-sl65 ~]# htproxyput --capath /etc/grid-security/certificates https://$(hostname -f)/gridsite-delegation.cgi
40dd2d7f18cf2c69
[root@forkys-sl65 ~]# voms-proxy-info -file /var/www/proxycache/%3A%2FDC%3Dcz%2FDC%3Dcesnet-ca%2FO%3DMasaryk%2BUniversity%2FCN%3DDaniel%2BKouril/40dd2d7f18cf2c69/userproxy.pem -type
RFC compliant proxy
Fix certified
#72185 – gridsite hardcodes md5 as the signature algorithm
Grant access to the test.cgi above to <any-user> and create a VOMS proxy. Make sure the VOMS AC is signed using SHA1 and verify that it gets accepted by GridSite.
[root@forkys-sl65 ~]# voms-proxy-info -fqan -acissuer
/C=IT/O=INFN/OU=Host/L=CNAF/CN=emitestbed07.cnaf.infn.it
/emitest/Role=NULL/Capability=NULL
[root@forkys-sl65 ~]# openssl asn1parse -offset 479 -i -in /tmp/x509up_u0 |grep -A 2 emitestbed07
21877:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
207:d=6 hl=2 l= 25 prim: PRINTABLESTRING :emitestbed07.cnaf.infn.it
234:d=0 hl=2 l= 13 cons: SEQUENCE
236:d=1 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
[root@forkys-sl65 ~]# curl --cert /tmp/x509up_u0 --key /tmp/x509up_u0 --capath /etc/grid-security/certificates --silent https://$(hostname -f)/test.cgi|grep GRST_CRED_2
GRST_CRED_2=VOMS 1290777928 1290821127 0 /emitest/Role=NULL/Capability=NULL
Fix certified
--
DanielKouril - 4-Nov-2010