[GE users] csp problem

Andre Alefeld Andre.Alefeld at Sun.COM
Wed Oct 6 18:00:37 BST 2004


Hi,

can you send me the output of:

$SGE_ROOT/utilbin/<arch>/openssl version

and

/usr/bin/openssl version

As I mentioned already there had been a change during 5.3 patch releases,
where uniqueIdentifier had been replaced with userId. If the wrong openssl
binary is called accidentally by the sge_ca script it cannot work correctly.

Andre

Co Thai Ngo wrote:
> Andre, 
>  
> I've tried both install_qmaster -csp and sge_ca -init on the master node as 
> described in the webpage you mentioned. Anh both of them gave the same output: 
>  
> --------------- 
>  
> Initializing Certificate Authority (CA) for OpenSSL security framework 
> ---------------------------------------------------------------------- 
>  
>  
> Creating CA certificate and private key 
> --------------------------------------- 
> Please give some basic parameters to create the distinguished name (DN) 
>  
> You selected the following basic data for the distinguished name of 
> your certificates: 
>  
> Country code:         C=US 
> State:                ST=NM 
> Location:             L=LC 
> Organization:         O=NMSU 
> Organizational unit:  OU=Biology 
> CA email address:     emailAddress=cngo at nmsu.edu 
>  
> Do you want to use these data (y/n) [y] >> y 
>  
> Creating RANDFILE in >/var/sgeCA/sge_commd/default/private/rand.seed< 
> Creating CA certificate and private key 
> Using configuration from /tmp/sge_ca121018.tmp 
> Generating a 1024 bit RSA private key 
> ....................++++++ 
> ...............++++++ 
> writing new private key to '/var/sgeCA/sge_commd/default/private/cakey.pem' 
> ----- 
> problems making Certificate Request 
> 11222:error:0B083077:x509 certificate 
> routines:X509_NAME_ENTRY_create_by_txt:invalid field nam                                              
> e:x509name.c:285:name=userId 
>  
> Command failed: /usr/pkg/sge/utilbin/nbsd-i386/openssl req -md5 -nodes -config 
> /tmp/sge_ca1210                                              18.tmp -new -x509 
> -keyout /var/sgeCA/sge_commd/default/private/cakey.pem -out /usr/pkg/sge/def                                              
> ault/common/sgeCA/cacert.pem 
>  
> Probably a permission problem. Please check file access permissions. 
> Check root read/write permission. Check if SGE daemons are running. 
>  
> --------------- 
>  
> Here is the files created by sgeCA: 
>  
> --------- 
>  
> acacia# pwd 
> /usr/pkg/sge/default/common/sgeCA 
> acacia# ll 
> total 5 
> drwxr-xr-x  2 sgeadmin  sgeadmin  512 Oct  6 09:14 certs 
> drwxr-xr-x  2 sgeadmin  sgeadmin  512 Oct  6 09:14 crl 
> -rw-r--r--  1 sgeadmin  sgeadmin   34 Oct  6 09:15 dn.info 
> -rw-r--r--  1 sgeadmin  sgeadmin    0 Oct  6 09:14 index.txt 
> drwxr-xr-x  2 sgeadmin  sgeadmin  512 Oct  6 09:14 newcerts 
> -rw-r--r--  1 sgeadmin  sgeadmin    3 Oct  6 09:14 serial 
> acacia# 
>  
> acacia# pwd 
> /var/sgeCA/sge_commd/default/private 
> acacia# ll 
> total 2 
> -rw-------  1 sgeadmin  wheel   887 Oct  6 09:15 cakey.pem 
> -rw-------  1 sgeadmin  wheel  1024 Oct  6 09:15 rand.seed 
> acacia# 
>  
> -------------- 
>  
> Thank you, 
>  
> Co 
>  
> Quoting Andre Alefeld <Andre.Alefeld at Sun.COM>: 
>  
> 
>>Hi, 
>> 
>>Can you send me the requested output as well ;) 
>>The error you get might be related to openssl-0.9.6m. There had been 
>>an upgrade to openssl-0.9.7x that required a change in the sgeCA/* 
>>files. There had been renamings of some cert fields between these 
>>versions. 
>>Have you tried to follow the descriptions under: 
>>
> 
> http://gridengine.sunsource.net/unbranded-source/browse/%7Echeckout%7E/gridengine/source/security/sec/csp.html 
> 
>> 
>>You can run the cert generation script also standalone. 
>> 
>>On master host as root do: 
>> 
>>root % cd $SGE_ROOT 
>>root % source default/common/settings.csh 
>>root % util/sgeCA/sge_ca -init 
>> 
>>Please send me the output of this command. It should use the openssl  
>>command that is shipped with GE. 
>> 
>>Andre 
>> 
>>On Tue, 2004-10-05 at 17:05, Co Thai Ngo wrote: 
>>
>>>Hi,  
>>>  
>>>The version of openssl that I'm using is openssl-0.9.6m and here is the 
>>
>>output  
>>
>>>of ldd:  
>>>  
>>>------------  
>>>acacia: {9} ldd openssl  
>>>openssl:  
>>>         -lc.12 => /usr/lib/libc.so.12  
>>>         -lcrypto.300 => /usr/pkg/lib/libcrypto.so.300  
>>>         -lssl.300 => /usr/pkg/lib/libssl.so.300  
>>>acacia: {10}  
>>>--------------  
>>>  
>>>Thank you very much for your help,  
>>>  
>>>Co  
>>>  
>>>Quoting Andre Alefeld <Andre.Alefeld at Sun.COM>:  
>>>  
>>>
>>>>Hi,  
>>>>  
>>>>is it possible that a wrong openssl library is used ?  
>>>>Can you do a ldd $SGE_ROOT/utilbin/<arch>/openssl and  
>>>>$SGE_ROOT/utilbin/<arch>/openssl version  
>>>>and send me the output ?  
>>>>  
>>>>Andre  
>>>>  
>>>>Co Thai Ngo wrote:  
>>>>
>>>>>Yes, I'm using the SGE 5.3 package for NetBSD. When I run 
>>
>>install_qmaster  
>>
>>>>  
>>>>
>>>>>without csp option, I've got no problem. The problem comes when I run  
>>
>> 
>>
>>>>>install_qmater with csp.   
>>>>>Thank you,   
>>>>>   
>>>>>Co    
>>>>>    
>>>>>Quoting Rayson Ho <raysonho at eseenet.com>:   
>>>>>   
>>>>>  
>>>>>
>>>>>>>if you used the Sun pkgadd packages did you make sure to install all  
>>
>> 
>>
>>>>>>>patches as well?   
>>>>>>
>>>>>> 
>>>>>>  
>>>>>>He is using the package for NetBSD, not the one for Solaris...   
>>>>>>  
>>>>>> 
>>>>>>
>>>>>>>We have both, SGE 5.3 and SGE 6.0 available for download - I    
>>>>>>>suggest using 6.0 unless there is a specific reason to stay with    
>>>>>>>5.3.   
>>>>>>
>>>>>> 
>>>>>>  
>>>>>>SGE 6.0 isn't ready for *BSD yet :(    
>>>>>>  
>>>>>>Rayson   
>>>>>>  
>>>>>>  
>>>>>> 
>>>>>>
>>>>>>>Andy   
>>>>>>
>>>>>> 
>>>>>>---------------------------------------------------------   
>>>>>>Get your FREE E-mail account at http://www.eseenet.com !   
>>>>>>  
>>>>>>---------------------------------------------------------------------  
>>
>> 
>>
>>>>>>To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net   
>>>>>>For additional commands, e-mail: users-help at gridengine.sunsource.net  
>>
>> 
>>
>>>>>>  
>>>>>>  
>>>>>
>>>>>  
>>>>>   
>>>>>   
>>>>>--    
>>>>>Co Thai Ngo    
>>>>>Dept. of Biology     
>>>>>New Mexico State University     
>>>>>  
>>>>>--------------------------------------------------------------------- 
>>
>> 
>>
>>>>>To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net  
>>>>>For additional commands, e-mail: users-help at gridengine.sunsource.net  
>>>>>  
>>>>
>>>>  
>>>>--   
>>>>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
>>
>>-  
>>
>>>>Andre Alefeld                Phone: ++49 (0)941 3075-255  
>>>>Software Engineering         Fax:   ++49 (0)941 3075-222  
>>>>Sun Microsystems GmbH  
>>>>Dr.-Leo-Ritter-Str. 7	     mailto: andre.alefeld at sun.com  
>>>>D-93049 Regensburg           http://www.sun.com/grid 
>>>>  
>>>>  
>>>>---------------------------------------------------------------------  
>>>>To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net  
>>>>For additional commands, e-mail: users-help at gridengine.sunsource.net  
>>>>  
>>>>  
>>>
>>> 
>>>--------------------------------------------------------------------- 
>>>To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net 
>>>For additional commands, e-mail: users-help at gridengine.sunsource.net 
>>> 
>>
>> 
>> 
>>--------------------------------------------------------------------- 
>>To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net 
>>For additional commands, e-mail: users-help at gridengine.sunsource.net 
>> 
>> 
> 
>  
>  
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
> For additional commands, e-mail: users-help at gridengine.sunsource.net
> 

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Andre Alefeld                Phone: ++49 (0)941 3075-255
Software Engineering         Fax:   ++49 (0)941 3075-222
Sun Microsystems GmbH
Dr.-Leo-Ritter-Str. 7	     mailto: andre.alefeld at sun.com
D-93049 Regensburg           http://www.sun.com/grid


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net




More information about the gridengine-users mailing list