Posted to dev@airavata.apache.org by Marlon Pierce <ma...@iu.edu> on 2013/10/02 14:44:03 UTC

Re: Error retrieving credentials using certificates/private keys returned by OA4MP service

Hi Akos--

You may want to take this question to the Apache Airavata dev list:
dev@airavata.apache.org (cc'd).


Marlon

On 10/2/13 5:37 AM, Akos Hajnal wrote:
> I don't know what "OA4MP" is, but I guess we use the
> same cog-jglobus-1.8.jar-bcprov-jdk14-140.jar libs (downloaded my maven),
> and get the same Exception.
>
> What is amazing is that the exception is thrown
> in BouncyCastleUtil.getIdentity(X509Certificate cert), in a line similar to
>
>   if (!(cert instanceof org.bouncycastle.jce.provider.X509CertificateObject)) {
>       System.out.println(cert.getClass());
>       throw new Exception();
>   }
>
> and the classname printed is:
> "org.bouncycastle.jce.provider.X509CertificateObject". Another X-file...
>
> Regards, Akos Hajnal
>
>
>
> On Tuesday, October 1, 2013 at 17:42:05 UTC+2, Jeff Gaynor wrote:
>>
>>  What version of OA4MP are you using and where did you get it from?
>>
>> Jeff
>>
>> On 09/30/2013 08:43 AM, Akos Hajnal wrote:
>> 
>> Dear Jeff,
>> I tried:
>>  Security.addProvider(new BouncyCastleProvider());
>>  setProvider("BC");
>>  installSecureRandomProvider();
>>
>>  (the same as static code of CertUtil)
>> at the very beginning when my webapp is deployed, but I get the same
>> exception.
>> Maybe something got stuck earlier. On the first deploy it works without
>> exception, but never after redeploy.
>> I use v1.8.
>>
>>  Regards, Akos Hajnal
>>
>> On Wednesday, May 22, 2013 at 22:58:39 UTC+2, Jeff Gaynor wrote:
>>>
>>>  Hmmm. You might try the following two lines of code
>>>
>>> Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>>> CertUtil.setCertFactory(CertificateFactory.getInstance("X.509", "BC"));
>>>
>>> The first call is from java.security and the CertUtil is in OA4MP.
>>> This will require that the bouncy castle provider be used. This should be
>>> used as early in your code as possible, before any OA4MP calls.
>>>
>>> There is also a chance this might be a class loader issue, but it would
>>> be good to check this possibility out first since it is easy.
>>>
>>> Jeff
>>>
>>>
>>> On 05/22/2013 03:26 PM, Amila Jayasekara wrote:
>>> 
>>> Hi All,
>>>
>>>  I am getting following error when trying to communicate with MyProxy
>>> server to create credentials.
>>>
>>>  An error occurred while retrieving credentials from credential store.
>>> But continuing with password credentials.
>>> java.lang.IllegalArgumentException: [JGLOBUS-35] Unexpected certificate type: "class sun.security.x509.X509CertImpl"
>>>  at org.globus.gsi.bc.BouncyCastleUtil.getIdentity(BouncyCastleUtil.java:453)
>>>  at org.globus.gsi.bc.BouncyCastleUtil.getIdentity(BouncyCastleUtil.java:470)
>>>  at org.globus.gsi.GlobusCredential.getIdentity(GlobusCredential.java:401)
>>>  at org.globus.gsi.gssapi.GlobusGSSCredentialImpl.<init>(GlobusGSSCredentialImpl.java:70)
>>>  at org.apache.airavata.gfac.utils.MyProxyManager.getCredentialsFromStore(MyProxyManager.java:231)
>>>  at org.apache.airavata.gfac.context.security.GSISecurityContext.getGssCredentials(GSISecurityContext.java:82)
>>>  at org.apache.airavata.gfac.handler.GramDirectorySetupHandler.invoke(GramDirectorySetupHandler.java:80)
>>>  at org.apache.airavata.gfac.GFacAPI.invokeInFlowHandlers(GFacAPI.java:132)
>>>  at org.apache.airavata.gfac.GFacAPI.schedule(GFacAPI.java:63)
>>>  at org.apache.airavata.gfac.GFacAPI.submitJob(GFacAPI.java:53)
>>>  at org.apache.airavata.xbaya.invoker.EmbeddedGFacInvoker.invoke(EmbeddedGFacInvoker.java:334)
>>>  at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.handleWSComponent(WorkflowInterpreter.java:710)
>>>  at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.executeDynamically(WorkflowInterpreter.java:530)
>>>  at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.access$000(WorkflowInterpreter.java:89)
>>>  at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter$1.run(WorkflowInterpreter.java:197)
>>>
>>>  In org.apache.airavata.gfac.utils.MyProxyManager I have following
>>> code;
>>>
>>>    X509Certificate[] certificates = new X509Certificate[1];
>>>    certificates[0] = <certificate from oa4mp>
>>>
>>>    GlobusCredential newCredential = new GlobusCredential(<privateKey from oa4mp>,
>>>            certificates);
>>>
>>>    return new GlobusGSSCredentialImpl(newCredential,
>>>            GSSCredential.INITIATE_AND_ACCEPT);
>>>
>>>  I debugged and confirmed that the assetResponse returned by OA4MP
>>> server has "sun.security.x509.X509CertImpl" object type.
>>>
>>>  What am I doing wrong here ?
>>> Any help to resolve this issue is appreciated.
>>>
>>>  Thanks in advance.
>>> Regards,
>>>  Amila


Re: Error retrieving credentials using certificates/private keys returned by OA4MP service

Posted by Akos Hajnal <ak...@gmail.com>.
Dear Raminder,

Just one more note. I also had to move cryptix*.jar and 
puretls-0.9-beta-4.jar to tomcat/lib, otherwise I got a new exception 
after redeploy:

GSSException: Failure unspecified at GSS-API level [Caused by: Bad 
certificate (The signature of '...' certificate does not match its issuer)]

Regards, Akos

Akos Hajnal wrote:

> Raminder,
>
> Yes, it helped. By moving bcprov jar to the lib solves this exception 
> issue.
> I use apache-tomcat-7.0.42, no other webapps contain 
> X509CertificateObject in any jars or classes folders.
>
> What I don't know, why this class cannot be reloaded on redeploy. I 
> switched on tomcat's -verbose:class option,
> lots of classes loaded, could not figure out what is wrong.
>
> I have to move on, but if you find a better solution later, please let 
> me know, because I am curious.
>
> Regards, Akos
>
> Raminder Singh wrote:
>
>> Akos,
>> Try to find this class in your tomcat webapps folder and if the jar 
>> is in multiple projects then delete them and have a single copy of 
>> the jar to lib folder of tomcat (tomcat 6+ does not have shared lib 
>> added to configuration). It's a class loading issue and this may help. 
>> If you want we can have a Skype session to debug this together. My 
>> Skype id is sandhu_raman1. 
>>
>> find apache-tomcat-7.0.39/webapps/  -name "*.jar" -exec grep -Hls org.bouncycastle.jce.provider.X509CertificateObject {} \;
>>
>> Thanks
>> Raminder

Re: Error retrieving credentials using certificates/private keys returned by OA4MP service

Posted by Akos Hajnal <ak...@gmail.com>.
Raminder,

Yes, it helped. By moving bcprov jar to the lib solves this exception issue.
I use apache-tomcat-7.0.42, no other webapps contain 
X509CertificateObject in any jars or classes folders.

What I don't know, why this class cannot be reloaded on redeploy. I 
switched on tomcat's -verbose:class option,
lots of classes loaded, could not figure out what is wrong.

I have to move on, but if you find a better solution later, please let 
me know, because I am curious.

Regards, Akos

Raminder Singh wrote:

>Akos, 
>
>Try to find this class in your tomcat webapps folder and if the jar is in multiple projects then delete them and have a single copy of the jar to lib folder of tomcat (tomcat 6+ does not have shared lib added to configuration). It's a class loading issue and this may help. If you want we can have a Skype session to debug this together. My Skype id is sandhu_raman1.
>
>find apache-tomcat-7.0.39/webapps/  -name "*.jar" -exec grep -Hls org.bouncycastle.jce.provider.X509CertificateObject {} \;
>
>Thanks
>Raminder


Re: Error retrieving credentials using certificates/private keys returned by OA4MP service

Posted by Raminder Singh <ra...@gmail.com>.
Akos, 

Try to find this class in your tomcat webapps folder and if the jar is in multiple projects then delete them and have a single copy of the jar to lib folder of tomcat (tomcat 6+ does not have shared lib added to configuration). It's a class loading issue and this may help. If you want we can have a Skype session to debug this together. My Skype id is sandhu_raman1.

find apache-tomcat-7.0.39/webapps/  -name "*.jar" -exec grep -Hls org.bouncycastle.jce.provider.X509CertificateObject {} \;

Thanks
Raminder

On Oct 3, 2013, at 7:42 AM, Akos Hajnal <ak...@gmail.com> wrote:

> Dear Raminder,
> 
> I've tried the patched version together with bcprov16, but the same exception after redeploy.
> 
> Now  it seems that on tomcat removes class org.bouncycastle.jce.provider.X509CertificateObject on undeploy, and cannot re-load this class
> on redeploy. If I put bcprov-jdk14-140.jar into tomcat/lib, X509CertificateObject is not unloaded, and it seems to work without exception.
> I don't know why, and how to fix it.
> 
> I don't know Airavata. Maybe I search for it...
> 
> Regards, Akos Hajnal
> 
> ps.
> //test proxy file exception
> GlobusCredential cred = new GlobusCredential("x509up");
> for (X509Certificate cert: cred.getCertificateChain()) {
>               Class<? extends X509Certificate> c = cert.getClass();
>               log.info(c.getName() + " class is from jar " + c.getResource('/'+ c.getName().replace('.', '/')+".class")); // <- see error below
>               ...
> }
> 
> Oct 03, 2013 1:20:03 PM org.apache.catalina.loader.WebappClassLoader findResourceInternal
> INFO: Illegal access: this web application instance has been stopped already.  Could not load org/bouncycastle/jce/provider/X509CertificateObject.class.  The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.
> 
> Raminder Singh wrote:
> 
>> Hi Akos,
>> 
>> I faced a similar problem with cog-jglobus and patched a version of cog-jglobus. You can download the patched version from the http://community.ucs.indiana.edu:9090/archiva/repository/ogce.m2.all/cog-jglobus/cog-jglobus/1.8.0_bc/ repository. You need to update bouncycastle version to jdk1.6.1.46. I will not recommend you to go this path. If you can use Airavata 0.9 release you don't need cog-jglobus. Airavata 0.9 and later uses Jglobus 2.0.6 and is a better library to use to handle grid security and job submission.
>> <dependency>
>>    <groupId>cog-jglobus</groupId>
>>    <artifactId>cog-jglobus</artifactId>
>>    <version>1.8.0_bc</version>
>> </dependency>
>> <dependency>
>>    <groupId>org.bouncycastle</groupId>
>>    <artifactId>bcprov-jdk16</artifactId>
>>    <version>1.46</version>
>> </dependency>
>> 
>> Please let us know if you need any help with Airavata.  Thanks
>> Raminder
> 
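
Added example (not part of the original thread, and not code from cog-jglobus, OA4MP or Airavata): a self-contained Java demonstration of the class-loading behaviour discussed above, where the printed class name matches but the instanceof check still fails, and where a single shared copy makes it pass. `LoaderIdentityDemo`, `Cert` and the helper names are hypothetical; the demo assumes it was compiled with javac so its class files have a location on disk.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;

public class LoaderIdentityDemo {

    /** Constructed stand-in for org.bouncycastle.jce.provider.X509CertificateObject. */
    public static class Cert { }

    /** Same shape as the check quoted in the thread: a plain instanceof test. */
    static boolean accepted(Class<?> expected, Object cert) {
        return expected.isInstance(cert);
    }

    /**
     * Name, defining loader and code source of a class. All three are read from
     * the Class object itself, so the loader is not asked to look anything up.
     */
    static String describe(Class<?> c) {
        ClassLoader cl = c.getClassLoader();
        CodeSource src = c.getProtectionDomain().getCodeSource();
        String loader = (cl == null) ? "bootstrap"
                : cl.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(cl));
        String from = (src == null) ? "(JDK runtime)" : String.valueOf(src.getLocation());
        return c.getName() + " loader=" + loader + " from=" + from;
    }

    /** A loader that sees one classpath entry plus its parent (null parent = JDK classes only). */
    static ClassLoader deployment(URL classpath, ClassLoader parent) {
        return new URLClassLoader(new URL[] { classpath }, parent);
    }

    public static void main(String[] args) throws Exception {
        // Directory or jar this demo was loaded from; reused as the "webapp" classpath.
        URL here = LoaderIdentityDemo.class.getProtectionDomain().getCodeSource().getLocation();
        String name = Cert.class.getName();

        // Case 1: every deployment defines its own copy of the class
        // (the jar sits inside the webapp and is loaded again on redeploy).
        Class<?> firstDeploy = Class.forName(name, true, deployment(here, null));
        Class<?> redeploy = Class.forName(name, true, deployment(here, null));
        Object certFromFirstDeploy = firstDeploy.getDeclaredConstructor().newInstance();

        System.out.println("names equal:          "
                + firstDeploy.getName().equals(redeploy.getName()));   // true
        System.out.println("same Class object:    " + (firstDeploy == redeploy)); // false
        System.out.println("instanceof passes:    "
                + accepted(redeploy, certFromFirstDeploy));            // false
        System.out.println("  object is  " + describe(certFromFirstDeploy.getClass()));
        System.out.println("  check uses " + describe(redeploy));

        // Case 2: one copy in a shared parent loader (the jar moved to tomcat/lib).
        // Both deployments delegate upward and resolve to the same Class object.
        ClassLoader shared = deployment(here, null);
        Class<?> viaA = Class.forName(name, true, new URLClassLoader(new URL[0], shared));
        Class<?> viaB = Class.forName(name, true, new URLClassLoader(new URL[0], shared));
        Object certViaA = viaA.getDeclaredConstructor().newInstance();

        System.out.println("shared: same Class:   " + (viaA == viaB));              // true
        System.out.println("shared: instanceof:   " + accepted(viaB, certViaA));    // true

        // JDK classes have no code source; describe() reports that instead of failing.
        System.out.println(describe(java.security.cert.X509Certificate.class));
    }
}
```

Logging `describe(cert.getClass())` next to `describe` of the class used in the failing check shows whether the two come from different loaders or different jars.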


Re: Error retrieving credentials using certificates/private keys returned by OA4MP service

Posted by Akos Hajnal <ak...@gmail.com>.
Dear Raminder,

I've tried the patched version together with bcprov16, but the same 
exception after redeploy.

Now  it seems that on tomcat removes class 
org.bouncycastle.jce.provider.X509CertificateObject on undeploy, and 
cannot re-load this class
on redeploy. If I put bcprov-jdk14-140.jar into tomcat/lib, 
X509CertificateObject is not unloaded, and it seems to work without 
exception.
I don't know why, and how to fix it.

I don't know Airavata. Maybe I search for it...

Regards, Akos Hajnal

ps.
//test proxy file exception
GlobusCredential cred = new GlobusCredential("x509up");
for (X509Certificate cert: cred.getCertificateChain()) {
    Class<? extends X509Certificate> c = cert.getClass();
    // <- see error below
    log.info(c.getName() + " class is from jar "
        + c.getResource('/' + c.getName().replace('.', '/') + ".class"));
    ...
}

Oct 03, 2013 1:20:03 PM org.apache.catalina.loader.WebappClassLoader findResourceInternal
INFO: Illegal access: this web application instance has been stopped already.  Could not load org/bouncycastle/jce/provider/X509CertificateObject.class.  The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.

Raminder Singh wrote:

> Hi Akos,
>
> I faced a similar problem with cog-jglobus and patched a version of
> cog-jglobus. You can download the patched version
> from http://community.ucs.indiana.edu:9090/archiva/repository/ogce.m2.all/cog-jglobus/cog-jglobus/1.8.0_bc/ repository.
> You need to update the bouncycastle version to jdk1.6.1.46. I would not
> recommend that you go down this path. If you can use the Airavata 0.9
> release you don't need cog-jglobus. Airavata 0.9 and later uses
> Jglobus 2.0.6 and is a better library to use to handle grid security
> and job submission.
>
> <dependency>
>     <groupId>cog-jglobus</groupId>
>     <artifactId>cog-jglobus</artifactId>
>     <version>1.8.0_bc</version>
> </dependency>
> <dependency>
>     <groupId>org.bouncycastle</groupId>
>     <artifactId>bcprov-jdk16</artifactId>
>     <version>1.46</version>
> </dependency>
>
> Please let us know if you need any help with Airavata.  
> Thanks
> Raminder
>
>
>
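
The failure described in this thread (an instanceof check against org.bouncycastle.jce.provider.X509CertificateObject that fails after redeploy although the printed class name matches) is consistent with a "BC" provider from the stopped webapp class loader still being registered JVM-wide. The listener below is an added example, not code from the thread participants, cog-jglobus or OA4MP; the names BcProviderLifecycle and toBc are hypothetical, and it assumes bcprov is bundled in this webapp's WEB-INF/lib and that no other webapp registers "BC".

```java
import java.io.ByteArrayInputStream;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Hypothetical listener: declare it in the web.xml of the webapp that bundles bcprov. */
public class BcProviderLifecycle implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        Provider installed = Security.getProvider("BC");
        ClassLoader bcLoader = BouncyCastleProvider.class.getClassLoader();
        // A "BC" provider left over from an earlier deployment was loaded by a
        // class loader that is now stopped. Security.addProvider() would keep
        // it silently, so drop it before registering a fresh instance.
        if (installed != null && installed.getClass().getClassLoader() != bcLoader) {
            Security.removeProvider("BC");
        }
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        Provider installed = Security.getProvider("BC");
        // Unregister only a provider that this webapp's own class loader created;
        // a copy shared through tomcat/lib is left in place.
        if (installed != null && installed.getClass().getClassLoader()
                == BcProviderLifecycle.class.getClassLoader()) {
            Security.removeProvider("BC");
        }
    }

    /** Re-parse a certificate so its class comes from the currently registered BC provider. */
    public static X509Certificate toBc(X509Certificate cert) throws CertificateException {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
            return (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(cert.getEncoded()));
        } catch (NoSuchProviderException e) {
            throw new CertificateException("BC provider is not registered", e);
        }
    }
}
```

Passing each certificate through toBc before building the GlobusCredential also covers the original sun.security.x509.X509CertImpl case reported at the start of the thread.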


Re: Error retrieving credentials using certificates/private keys returned by OA4MP service

Posted by Raminder Singh <rs...@gmail.com>.
Hi Akos,

I faced a similar problem with cog-jglobus and patched a version of cog-jglobus. You can download the patched version from http://community.ucs.indiana.edu:9090/archiva/repository/ogce.m2.all/cog-jglobus/cog-jglobus/1.8.0_bc/ repository. You need to update the bouncycastle version to jdk1.6.1.46. I would not recommend that you go down this path. If you can use the Airavata 0.9 release you don't need cog-jglobus. Airavata 0.9 and later uses Jglobus 2.0.6 and is a better library to use to handle grid security and job submission.

<dependency>
    <groupId>cog-jglobus</groupId>
    <artifactId>cog-jglobus</artifactId>
    <version>1.8.0_bc</version>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk16</artifactId>
    <version>1.46</version>
</dependency>

Please let us know if you need any help with Airavata.  
Thanks
Raminder

On Oct 2, 2013, at 8:44 AM, Marlon Pierce <ma...@iu.edu> wrote:

> 
> 
> Hi Akos--
> 
> You may want to take this question to the Apache Airavata dev list:
> dev@airavata.apache.org (cc'd).
> 
> 
> Marlon
> 
> On 10/2/13 5:37 AM, Akos Hajnal wrote:
>> I don't know what "OA4MP" is, but I guess we use the
>> same cog-jglobus-1.8.jar-bcprov-jdk14-140.jar libs (downloaded by maven),
>> and get the same Exception.
>> 
>> What is amazing is that the exception is thrown
>> in BouncyCastleUtil.getIdentity(X509Certificate cert), in a line similar to
>> 
>>   if (! (cert instanceof org.bouncycastle.jce.provider.X509CertificateObject) ) {
>>     System.out.println(cert.getClass()); throw new Exception(); }
>> 
>> and the classname printed is:
>> "org.bouncycastle.jce.provider.X509CertificateObject". Another X-file...
>> 
>> Regards, Akos Hajnal
>> 
>> 
>> 
>> On Tuesday, October 1, 2013 at 17:42:05 UTC+2, Jeff Gaynor wrote:
>>> 
>>> What version of OA4MP are you using and where did you get it from?
>>> 
>>> Jeff
>>> 
>>> On 09/30/2013 08:43 AM, Akos Hajnal wrote:
>>> 
>>> Dear Jeff,
>>> I tried:
>>> Security.addProvider(new BouncyCastleProvider());
>>> setProvider("BC");
>>> installSecureRandomProvider();
>>> 
>>> (the same as static code of CertUtil)
>>> at the very beginning when my webapp is deployed, but I get the same
>>> exception.
>>> Maybe something got stuck earlier. On the first deploy it works without
>>> exception, but never after redeploy.
>>> I use v1.8.
>>> 
>>> Regards, Akos Hajnal
>>> 
>>> On Wednesday, May 22, 2013 at 22:58:39 UTC+2, Jeff Gaynor wrote:
>>>> 
>>>> Hmmm. You might try the following two lines of code
>>>> 
>>>> Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>>>> CertUtil.setCertFactory(CertificateFactory.getInstance("X.509", "BC"));
>>>> 
>>>> The first call is from java.security and the CertUtil is in OA4MP.
>>>> This will require that the bouncy castle provider be used. This should be
>>>> used as early in your code as possible, before any OA4MP calls.
>>>> 
>>>> There is also a chance this might be a class loader issue, but it would
>>>> be good to check this possibility out first since it is easy.
>>>> 
>>>> Jeff
>>>> 
>>>> 
>>>> On 05/22/2013 03:26 PM, Amila Jayasekara wrote:
>>>> 
>>>> Hi All,
>>>> 
>>>> I am getting the following error when trying to communicate with MyProxy
>>>> server to create credentials.
>>>> 
>>>> An error occurred while retrieving credentials from credential store.
>>>> But continuing with password credentials.
>>>> java.lang.IllegalArgumentException: [JGLOBUS-35] Unexpected certificate type: "class sun.security.x509.X509CertImpl"
>>>>   at org.globus.gsi.bc.BouncyCastleUtil.getIdentity(BouncyCastleUtil.java:453)
>>>>   at org.globus.gsi.bc.BouncyCastleUtil.getIdentity(BouncyCastleUtil.java:470)
>>>>   at org.globus.gsi.GlobusCredential.getIdentity(GlobusCredential.java:401)
>>>>   at org.globus.gsi.gssapi.GlobusGSSCredentialImpl.<init>(GlobusGSSCredentialImpl.java:70)
>>>>   at org.apache.airavata.gfac.utils.MyProxyManager.getCredentialsFromStore(MyProxyManager.java:231)
>>>>   at org.apache.airavata.gfac.context.security.GSISecurityContext.getGssCredentials(GSISecurityContext.java:82)
>>>>   at org.apache.airavata.gfac.handler.GramDirectorySetupHandler.invoke(GramDirectorySetupHandler.java:80)
>>>>   at org.apache.airavata.gfac.GFacAPI.invokeInFlowHandlers(GFacAPI.java:132)
>>>>   at org.apache.airavata.gfac.GFacAPI.schedule(GFacAPI.java:63)
>>>>   at org.apache.airavata.gfac.GFacAPI.submitJob(GFacAPI.java:53)
>>>>   at org.apache.airavata.xbaya.invoker.EmbeddedGFacInvoker.invoke(EmbeddedGFacInvoker.java:334)
>>>>   at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.handleWSComponent(WorkflowInterpreter.java:710)
>>>>   at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.executeDynamically(WorkflowInterpreter.java:530)
>>>>   at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.access$000(WorkflowInterpreter.java:89)
>>>>   at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter$1.run(WorkflowInterpreter.java:197)
>>>> 
>>>> In org.apache.airavata.gfac.utils.MyProxyManager I have the following
>>>> code:
>>>> 
>>>>   X509Certificate[] certificates = new X509Certificate[1];
>>>>   certificates[0] = <certificate from oa4mp>
>>>> 
>>>>   GlobusCredential newCredential = new GlobusCredential(<privateKey from oa4mp>,
>>>>           certificates);
>>>> 
>>>>   return new GlobusGSSCredentialImpl(newCredential,
>>>>           GSSCredential.INITIATE_AND_ACCEPT);
>>>> 
>>>> 
>>>> I debugged and confirmed that the assetResponse returned by OA4MP
>>>> server has "sun.security.x509.X509CertImpl" object type.
>>>> 
>>>> What am I doing wrong here ?
>>>> Any help to resolve this issue is appreciated.
>>>> 
>>>> Thanks in advance.
>>>> Regards,
>>>> Amila
>>>> 