[GE users] csp problem

Andre Alefeld Andre.Alefeld at Sun.COM
Thu Oct 7 10:09:29 BST 2004


Hi,

the NetBSD packages seem to contain either the wrong openssl version or
the wrong scripts.
To fix your issue you have to edit the following three files and replace all occurrences of
userId with uniqueIdentifier:

$SGE_ROOT/util/sgeCA/sge_ca

$SGE_ROOT/util/sgeCA/sge_ssl.cnf

$SGE_ROOT/util/sgeCA/sge_ssl_template.cnf

Check if everything has been replaced with:
grep userId $SGE_ROOT/util/sgeCA/*

Then retry the installation.


Andre

Co Thai Ngo wrote:
> Andre, 
>  
> Here are the output of openssl: 
>  
> acacia# /usr/bin/openssl version 
> OpenSSL 0.9.6g 9 Aug 2002 
>  
> acacia# /usr/pkg/sge/utilbin/nbsd-i386/openssl version 
> OpenSSL 0.9.6m 17 Mar 2004 
>  
> Thank you, 
>  
> Co 
>  
> Quoting Andre Alefeld <Andre.Alefeld at Sun.COM>: 
>  
> 
>>Hi, 
>> 
>>can you send me the output of: 
>> 
>>$SGE_ROOT/utilbin/<arch>/openssl version 
>> 
>>and 
>> 
>>/usr/bin/openssl version 
>> 
>>As I mentioned already there had been a change during 5.3 patch releases, 
>>where uniqueIdentifier had been replaced with userId. If the wrong openssl 
>>binary is called accidentally by the sge_ca script it cannot work 
>>correctly. 
>> 
>>Andre 
>> 
>>Co Thai Ngo wrote: 
>>
>>>Andre,  
>>>  
>>>I've tried both install_qmaster -csp and sge_ca -init on the master node as
>>>described in the webpage you mentioned. And both of them gave the same
>>>output:
>>>  
>>>---------------  
>>>  
>>>Initializing Certificate Authority (CA) for OpenSSL security framework  
>>>----------------------------------------------------------------------  
>>>  
>>>  
>>>Creating CA certificate and private key  
>>>---------------------------------------  
>>>Please give some basic parameters to create the distinguished name (DN)  
>>>  
>>>You selected the following basic data for the distinguished name of  
>>>your certificates:  
>>>  
>>>Country code:         C=US  
>>>State:                ST=NM  
>>>Location:             L=LC  
>>>Organization:         O=NMSU  
>>>Organizational unit:  OU=Biology  
>>>CA email address:     emailAddress=cngo at nmsu.edu  
>>>  
>>>Do you want to use these data (y/n) [y] >> y  
>>>  
>>>Creating RANDFILE in >/var/sgeCA/sge_commd/default/private/rand.seed<  
>>>Creating CA certificate and private key  
>>>Using configuration from /tmp/sge_ca121018.tmp  
>>>Generating a 1024 bit RSA private key  
>>>....................++++++  
>>>...............++++++  
>>>writing new private key to '/var/sgeCA/sge_commd/default/private/cakey.pem' 
>>>-----
>>>problems making Certificate Request
>>>11222:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:x509name.c:285:name=userId
>>>
>>>Command failed: /usr/pkg/sge/utilbin/nbsd-i386/openssl req -md5 -nodes -config /tmp/sge_ca121018.tmp -new -x509 -keyout /var/sgeCA/sge_commd/default/private/cakey.pem -out /usr/pkg/sge/default/common/sgeCA/cacert.pem
>>>  
>>>Probably a permission problem. Please check file access permissions.  
>>>Check root read/write permission. Check if SGE daemons are running.  
>>>  
>>>---------------  
>>>  
>>>Here is the files created by sgeCA:  
>>>  
>>>---------  
>>>  
>>>acacia# pwd  
>>>/usr/pkg/sge/default/common/sgeCA  
>>>acacia# ll  
>>>total 5  
>>>drwxr-xr-x  2 sgeadmin  sgeadmin  512 Oct  6 09:14 certs  
>>>drwxr-xr-x  2 sgeadmin  sgeadmin  512 Oct  6 09:14 crl  
>>>-rw-r--r--  1 sgeadmin  sgeadmin   34 Oct  6 09:15 dn.info  
>>>-rw-r--r--  1 sgeadmin  sgeadmin    0 Oct  6 09:14 index.txt  
>>>drwxr-xr-x  2 sgeadmin  sgeadmin  512 Oct  6 09:14 newcerts  
>>>-rw-r--r--  1 sgeadmin  sgeadmin    3 Oct  6 09:14 serial  
>>>acacia#  
>>>  
>>>acacia# pwd  
>>>/var/sgeCA/sge_commd/default/private  
>>>acacia# ll  
>>>total 2  
>>>-rw-------  1 sgeadmin  wheel   887 Oct  6 09:15 cakey.pem  
>>>-rw-------  1 sgeadmin  wheel  1024 Oct  6 09:15 rand.seed  
>>>acacia#  
>>>  
>>>--------------  
>>>  
>>>Thank you,  
>>>  
>>>Co  
>>>  
>>>Quoting Andre Alefeld <Andre.Alefeld at Sun.COM>:  
>>>  
>>> 
>>>
>>>>Hi,  
>>>> 
>>>>Can you send me the requested output as well ;)  
>>>>The error you get might be related to openssl-0.9.6m. There had been  
>>>>an upgrade to openssl-0.9.7x that required a change in the sgeCA/*  
>>>>files. There had been renamings of some cert fields between these  
>>>>versions.  
>>>>Have you tried to follow the descriptions under:  
>>>>http://gridengine.sunsource.net/unbranded-source/browse/%7Echeckout%7E/gridengine/source/security/sec/csp.html
>>>>
>>>>You can run the cert generation script also standalone.  
>>>> 
>>>>On master host as root do:  
>>>> 
>>>>root % cd $SGE_ROOT  
>>>>root % source default/common/settings.csh  
>>>>root % util/sgeCA/sge_ca -init  
>>>> 
>>>>Please send me the output of this command. It should use the openssl   
>>>>command that is shipped with GE.  
>>>> 
>>>>Andre  
>>>> 
>>>>On Tue, 2004-10-05 at 17:05, Co Thai Ngo wrote:  
>>>>
>>>>
>>>>>Hi,   
>>>>>  
>>>>>The version of openssl that I'm using is openssl-0.9.6m and here is the
>>>>>output of ldd:
>>>>>  
>>>>>------------   
>>>>>acacia: {9} ldd openssl   
>>>>>openssl:   
>>>>>        -lc.12 => /usr/lib/libc.so.12   
>>>>>        -lcrypto.300 => /usr/pkg/lib/libcrypto.so.300   
>>>>>        -lssl.300 => /usr/pkg/lib/libssl.so.300   
>>>>>acacia: {10}   
>>>>>--------------   
>>>>>  
>>>>>Thank you very much for your help,   
>>>>>  
>>>>>Co   
>>>>>  
>>>>>Quoting Andre Alefeld <Andre.Alefeld at Sun.COM>:   
>>>>>  
>>>>>
>>>>>
>>>>>>Hi,   
>>>>>>  
>>>>>>is it possible that a wrong openssl library is used ?   
>>>>>>Can you do a ldd $SGE_ROOT/utilbin/<arch>/openssl and   
>>>>>>$SGE_ROOT/utilbin/<arch>/openssl version   
>>>>>>and send me the output ?   
>>>>>>  
>>>>>>Andre   
>>>>>>  
>>>>>>Co Thai Ngo wrote:   
>>>>>>
>>>>>>
>>>>>>>Yes, I'm using the SGE 5.3 package for NetBSD. When I run install_qmaster
>>>>>>>without csp option, I've got no problem. The problem comes when I run
>>>>>>>install_qmaster with csp.
>>>>>>>Thank you,    
>>>>>>>   
>>>>>>>Co     
>>>>>>>    
>>>>>>>Quoting Rayson Ho <raysonho at eseenet.com>:    
>>>>>>>   
>>>>>>>  
>>>>>>>
>>>>>>>
>>>>>>>>>if you used the Sun pkgadd packages did you make sure to install all
>>>>>>>>>patches as well?
>>>>>>>>
>>>>>>>> 
>>>>>>>>  
>>>>>>>>He is using the package for NetBSD, not the one for Solaris...    
>>>>>>>>  
>>>>>>>> 
>>>>>>>>
>>>>>>>>
>>>>>>>>>We have both, SGE 5.3 and SGE 6.0 available for download - I     
>>>>>>>>>suggest using 6.0 unless there is a specific reason to stay with     
>>>>>>>>>5.3.    
>>>>>>>>
>>>>>>>> 
>>>>>>>>  
>>>>>>>>SGE 6.0 isn't ready for *BSD yet :(     
>>>>>>>>  
>>>>>>>>Rayson    
>>>>>>>>  
>>>>>>>>  
>>>>>>>> 
>>>>>>>>
>>>>>>>>
>>>>>>>>>Andy    
>>>>>>>>
>>>>>>>> 
>>>>>>>>---------------------------------------------------------------------
>>>>>>>>To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
>>>>>>>>For additional commands, e-mail: users-help at gridengine.sunsource.net
>>>>>>>>  
>>>>>>>>  
>>>>>>>
>>>>>>>  
>>>>>>>   
>>>>>>>   
>>>>>>>--     
>>>>>>>Co Thai Ngo     
>>>>>>>Dept. of Biology      
>>>>>>>New Mexico State University      
>>>>>>>  
>>>>>>
>>>>>>  
>>>>>>--    
>>>>>>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>>>>>Andre Alefeld                Phone: ++49 (0)941 3075-255   
>>>>>>Software Engineering         Fax:   ++49 (0)941 3075-222   
>>>>>>Sun Microsystems GmbH   
>>>>>>Dr.-Leo-Ritter-Str. 7	     mailto: andre.alefeld at sun.com   
>>>>>>D-93049 Regensburg           http://www.sun.com/grid  
>>>>>>  
>>>>>>  
>>>>>>  
>>>>>>  
>>>>>
>>>>> 
>>>>> 
>>>>
>>>> 
>>>> 
>>>> 
>>>> 
>>>
>>> 
>>>  
>>>  
>>> 
>>> 
>>
>> 
>>--  
>>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
>>Andre Alefeld                Phone: ++49 (0)941 3075-255 
>>Software Engineering         Fax:   ++49 (0)941 3075-222 
>>Sun Microsystems GmbH 
>>Dr.-Leo-Ritter-Str. 7	     mailto: andre.alefeld at sun.com 
>>D-93049 Regensburg           http://www.sun.com/grid 
>> 
>> 
>> 
>> 
> 
> 
> 

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Andre Alefeld                Phone: ++49 (0)941 3075-255
Software Engineering         Fax:   ++49 (0)941 3075-222
Sun Microsystems GmbH
Dr.-Leo-Ritter-Str. 7	     mailto: andre.alefeld at sun.com
D-93049 Regensburg           http://www.sun.com/grid
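
The rename described in this message, as an added example that is not part of the original post or of the Grid Engine scripts: a POSIX sh function that applies the userId to uniqueIdentifier replacement to the three sgeCA files and then repeats the grep check. The function name fix_sgeca_userid and the .orig backup suffix are assumptions chosen for this example.

```sh
#!/bin/sh
# Added example, not from the original post.
# Assumptions: fix_sgeca_userid and the ".orig" backup suffix are names
# chosen here; the three file names are the ones listed in the message.

fix_sgeca_userid() {
    ca_dir="$1"    # normally $SGE_ROOT/util/sgeCA
    for f in sge_ca sge_ssl.cnf sge_ssl_template.cnf; do
        path="$ca_dir/$f"
        if [ ! -f "$path" ]; then
            echo "missing: $path" >&2
            return 2
        fi
        # Keep one pristine copy; a re-run must not overwrite it.
        [ -f "$path.orig" ] || cp -p "$path" "$path.orig" || return 2
        # Portable in-place edit: sed into a temp file, then write the
        # content back so mode and owner stay as they were (sge_ca must
        # remain executable).
        tmp="$path.tmp.$$"
        sed 's/userId/uniqueIdentifier/g' "$path" > "$tmp" || { rm -f "$tmp"; return 2; }
        cat "$tmp" > "$path" || { rm -f "$tmp"; return 2; }
        rm -f "$tmp"
    done
    # Same check as in the message, limited to the three edited files:
    # a glob over the directory would also match the .orig backups,
    # which still contain userId by design.
    if grep -n userId "$ca_dir/sge_ca" "$ca_dir/sge_ssl.cnf" \
            "$ca_dir/sge_ssl_template.cnf"; then
        echo "userId still present" >&2
        return 1
    fi
    return 0
}

# Usage: fix_sgeca_userid "$SGE_ROOT/util/sgeCA"
```

Return code 0 means no userId remains in the three files, 1 means the check still found it, 2 means a file was missing or could not be written.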

