Dear DIRAC admins,

Due to a limitation of ECHO storage at RAL, I am not able to use my normal DN for accessing DUNE data (while I suppose I will need it for accessing it at other sites).

For this, is it possible to add a second DN (below) for me so that I can submit DUNE jobs to DIRAC with the DN below?

/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Raja Nandakumar/CN=UID:nraja

In the early years, I know that DIRAC had issues with multiple DNs for a given user, but I am hoping that this has been fixed at some level (or can at least be worked around).

Thanks and Kind Regards, Raja.

Hi Raja,

On Fri, Oct 25, 2019 at 09:51:07AM +0100, Raja Nandakumar wrote:
> Due to a limitation of ECHO storage at RAL, I am not able to use my normal DN for accessing DUNE data (while I suppose I will need it for accessing it at other sites).

Just when I thought we'd finally got past the point where users had to have multiple-DNs to access storage as different VOs!

> For this, is it possible to add a second DN (below) for me so that I can submit DUNE jobs to DIRAC with the DN below?
> /DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Raja Nandakumar/CN=UID:nraja

I did some minimal tests and multiple-DNs in DIRAC appears to work, but I'm not convinced that DN isn't used as a primary key somewhere. Our auto-user-configuration agent certainly has limitations:
- The "listMembers" SOAP call we do against the VOMS server only returns the primary DN.
- We currently update users with their primary DN, which would overwrite any manually added multiple-DNs.

Could you live with having that DN registered as a completely different user to your primary DN in DIRAC? If so, I could probably just manually register it for you in the dune_user group for testing.

Regards, Simon

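Added example, not part of the thread and not DIRAC code: a small Python model of the two concerns raised in the message above, namely a sync that rewrites each user with only the primary DN, and a DN that must map to exactly one username. The registry layout, function names and sample DNs are all hypothetical and constructed for illustration.

```python
# Hypothetical model: registry maps username -> list of DNs;
# the VOMS view maps username -> primary DN only.

def sync_overwrite(registry, voms_primary):
    """Rewrite each VOMS-listed user with only the primary DN."""
    updated = {user: list(dns) for user, dns in registry.items()}
    dropped = {}
    for user, primary in voms_primary.items():
        lost = [dn for dn in updated.get(user, []) if dn != primary]
        if lost:
            dropped[user] = lost  # manually added DNs that disappear
        updated[user] = [primary]
    return updated, dropped


def dn_owner(registry):
    """Build the DN -> username lookup; a DN bound to two users is an error."""
    owner = {}
    for user, dns in registry.items():
        for dn in dns:
            if dn in owner and owner[dn] != user:
                raise ValueError(f"{dn} registered to both {owner[dn]} and {user}")
            owner[dn] = user
    return owner


def sync_preserving(registry, voms_primary):
    """Keep the primary DN first and retain DNs that were added by hand."""
    updated = {user: list(dns) for user, dns in registry.items()}
    for user, primary in voms_primary.items():
        extras = [dn for dn in updated.get(user, []) if dn != primary]
        updated[user] = [primary] + extras
    dn_owner(updated)  # refuse a result where one DN maps to two users
    return updated


# Constructed sample data (not real DNs or usernames).
PRIMARY = "/DC=example/DC=vo-a/CN=Alice Example"
SECOND = "/DC=example/DC=vo-b/CN=Alice Example/CN=UID:alice"
VOMS_VIEW = {"alice": PRIMARY}

MULTI_DN = {"alice": [PRIMARY, SECOND]}                   # second DN added by hand
SPLIT_USERS = {"alice": [PRIMARY], "uidalice": [SECOND]}  # second DN as its own user

if __name__ == "__main__":
    print(sync_overwrite(MULTI_DN, VOMS_VIEW))     # second DN is dropped
    print(sync_overwrite(SPLIT_USERS, VOMS_VIEW))  # separate user is untouched
    print(sync_preserving(MULTI_DN, VOMS_VIEW))    # both DNs kept
```

In this model the separate-username arrangement survives the overwriting sync unchanged, while the multi-DN entry loses its second DN on the next run.
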
Hi Simon,

Thanks! I am quite happy with a different username attached to my certificate.

The next issue I am trying to understand / sort out is how to use this certificate to access data on ECHO. I am fairly certain that I am going to end up in a fairly detailed mess, but that is for another day I suppose.

Regards, Raja.

Hi Raja,

OK, I've registered your second DN as "uidnraja" and added it to the dune_user group.

Regards, Simon

Hi Simon,

Thanks a lot - it works now.

Cheers, Raja.

Hi Simon,

Could you check if there is an issue with my certificate/browser? When I try to load the web portal with my fermilab certificate, I get among other errors, the following

dirac.gridpp.ac.uk didn’t accept your login certificate

Regards, Raja.

Hi Raja,

The error on our side seems to just be:

WARN:tornado.general:SSL Error on 12 (host, 46764): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

We have the right CA on there, so it should work. I've restarted the web server in case it was caching the old user information, can you please try it again?

Regards, Simon

Hi Simon,

Unfortunately it still does not work.

Regards, Raja.

Hmm, have you loaded the full certificate into your browser (i.e. not a proxy + chain)?

Perhaps you could send me the usercert.pem bit so I can check it validates against the certificates directory on that machine?

(Do you really need to access the web interface with this certificate? Your other (CERN) one should give you access to pretty much the same information...)

Regards, Simon

Hi Simon,

I have left my office for the day. I will check and send you the information on Monday.

Cheers Raja

Hi Simon,

Following up on this, I agree that I do not need to access using this certificate. My other id already gives me all the information I need as you suggest below.

Thanks and Regards, Raja.

On 25/10/19 16:02, Simon Fayer wrote:
> Hmm, have you loaded the full certificate into your browser (i.e. not a proxy + chain)?
> Perhaps you could send me the usercert.pem bit so I can check it validates against the certificates directory on that machine?
> (Do you really need to access the web interface with this certificate? Your other (CERN) one should give you access to pretty much the same information...)
> Regards, Simon