
Client-side authentication issues

WARNING: page under construction

Authentication is performed using the security modules delivered with xrootd. In this section we address some setup issues which could occur on the client-side.

Password authentication

GSI authentication

libXrdSecgsi.so

The plug-in needed for GSI authentication is built automatically during a ROOT build if OpenSSL is available on the machine. However, for ROOT versions older than 5.21/06 the configuration option '--enable-globus' needs to be specified. Note that, despite what ./configure --help outputs, you do not need the Globus Toolkit for libXrdSecgsi.so.

CA certificates

In addition to a valid {certificate, key} pair, GSI authentication requires the certificates of the CA issuing the certificate of the server machine (the master). By default these are located under /etc/grid-security/certificates. If a certificate is missing there (or has expired) it can be obtained from the related CA web site. If the certificate cannot be copied into the standard directory, for example because of lack of rights, it can be saved to any directory, provided that the chosen directory is communicated to the client application by means of the environment variable X509_CERT_DIR.

Host names

The GSI plug-in coming with ROOT versions newer than 5.21/04 contains a security fix which no longer accepts mismatches between the real server name and the name found in the server certificate: the latter should be in the form '*/<host name>' or '<host name>', where <host name> is the name of the server the client connected to. If a message like this appears

root [0] p = TProof::Open("alicecaf")
081027 13:37:31 001 Proofx-E: Conn::Authenticate: cannot obtain credentials
081027 13:37:31 001 Proofx-E: Conn::GetAccessToSrv: client could not login at [lxfsrd0506.cern.ch:1093]
081027 13:37:31 001 Proofx-E: Conn::Connect: failure: cannot obtain credentials: Secgsi: ErrParseBuffer: \
server certificate CN 'lxb6041.cern.ch' does not match the expected format(s): \
'*/lxfsrd0506.cern.ch' (default); exceptions are controlled by the env XrdSecGSISRVNAMES
081027 13:37:31 001 Proofx-E: XrdProofConn: XrdProofConn: severe error occurred while opening a connection to server \
[lxfsrd0506.cern.ch:1093]
(class TProof*)0x0
root [1]

and the server is trusted, exceptions to the rule can be set using the environment variable XrdSecGSISRVNAMES; in the example above the following fixes the problem:

export XrdSecGSISRVNAMES="lxb6041.cern.ch"

It is possible to specify multiple exceptions using the separator '|'; the wildcard '*' is also accepted.
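To see what the rule above means in practice before loosening it, the following added example (not code from ROOT or xrootd) models the check as this page describes it: the server certificate CN must match '*/<host name>' or '<host name>' for the host the client connected to, and XrdSecGSISRVNAMES adds '|'-separated exception patterns in which '*' is a wildcard. The host and CN values are the ones from the error message quoted above; the function names and the use of fnmatch for the wildcard are this example's own assumptions, not xrootd's matching code.

```python
import fnmatch
import os

# Constructed sample values, taken from the error message quoted on the page.
EXPECTED_HOST = "lxfsrd0506.cern.ch"   # host the client actually connected to
PRESENTED_CN = "lxb6041.cern.ch"       # CN found in the server certificate


def default_patterns(host):
    """Formats accepted by default: '*/<host>' or '<host>'."""
    return ["*/" + host, host]


def exception_patterns(srvnames):
    """Split an XrdSecGSISRVNAMES value on '|', dropping empty entries."""
    if not srvnames:
        return []
    return [p for p in srvnames.split("|") if p]


def server_name_accepted(cn, host, srvnames=None):
    """Return True if the certificate CN would pass the host-name check.

    Local approximation (assumption) of the rule as the page states it:
    the default patterns always apply, and each exception pattern from
    XrdSecGSISRVNAMES is tried with '*' as a wildcard.
    """
    patterns = default_patterns(host) + exception_patterns(srvnames)
    return any(fnmatch.fnmatchcase(cn, p) for p in patterns)


def matching_pattern(cn, host, srvnames=None):
    """Return the first pattern that accepts cn, or None if none does.

    Useful for seeing whether a CN is accepted by the default rule or
    only because of an exception you configured.
    """
    for p in default_patterns(host) + exception_patterns(srvnames):
        if fnmatch.fnmatchcase(cn, p):
            return p
    return None


if __name__ == "__main__":
    # Without exceptions the CN from the page's error message is rejected.
    env_value = os.environ.get("XrdSecGSISRVNAMES")
    print("env XrdSecGSISRVNAMES =", env_value)
    print("default only:", matching_pattern(PRESENTED_CN, EXPECTED_HOST))
    # With the fix suggested on the page the same CN is accepted.
    print("with exception:",
          matching_pattern(PRESENTED_CN, EXPECTED_HOST, "lxb6041.cern.ch"))
```

Run it with and without XrdSecGSISRVNAMES set in the environment to compare. Note that the more general the exception, the weaker the check: a pattern such as '*.cern.ch' accepts any host in that domain, and a bare '*' accepts any certificate CN at all, which removes the protection the security fix introduced; prefer listing the exact trusted host names.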