[GE users] csp problem

Andre Alefeld Andre.Alefeld at Sun.COM
Mon Oct 18 09:57:33 BST 2004


Hi,

I don't know exactly which NetBSD version is available as a bundle (qstat -help should give you
the version). In general we bundle the openssl version with GE. I don't know if this has been done
or if the preinstalled openssl version has been used. There had been a switch from 0.9.6x to 0.9.7x.
Here there had been a fix of the certificate format to fulfill x500 standards where uniqueIdentifier
had been replaced by userId and X500uniqueIdentifier. We used userId from this version on in the
certificates and adapted util/sgeCA/sge* and the binaries.
If this distribution is used with openssl 0.9.6x you get into trouble.

Dan maybe you can comment what exactly has been bundled into the package. Maybe the problem resolves
without changing the util/sgeCA/sge* files by upgrading the openssl version to 0.9.7d under NetBSD.
Are there plans to bundle N1GE 6.0 as NetBSD packages ?

Andre

Ron Chen wrote:
> So what was the cause of the problem?
> 
> Please also cc Dan so that he can fix it in the NetBSD
> tree.
> 
>  -Ron
> 
> 
> --- Co Thai Ngo <cngo at nmsu.edu> wrote:
> 
>>Hi Andre, 
>> 
>>Sorry for late response. I was busy with somethings
>>else. I've just tried to 
>>change the files as your advice and IT WORKS. Thank
>>you very much for your 
>>help. 
>> 
>>Co  
>> 
>>Quoting Andre Alefeld <Andre.Alefeld at Sun.COM>: 
>> 
>>
>>>Hi, 
>>> 
>>>the NetBSD packages seem to contain either the
>>
>>wrong openssl version or 
>>
>>>the wrong scripts. 
>>>To fix you issue you have to edit the following
>>
>>three files and replace all 
>>
>>>occurences of 
>>>userId with uniqueIdentifier: 
>>> 
>>>$SGE_ROOT/util/sgeCA/sge_ca 
>>> 
>>>$SGE_ROOT/util/sgeCA/sge_ssl.cnf 
>>> 
>>>$SGE_ROOT/util/sgeCA/sge_ssl_template.cnf 
>>> 
>>>Check if everything has been replaced with: 
>>>grep userId $SGE_ROOT/util/sgeCA/* 
>>> 
>>>Then retry the installation. 
>>> 
>>> 
>>>Andre 
>>> 
>>>Co Thai Ngo wrote: 
>>>
>>>>Andre,  
>>>>  
>>>>Here are the output of openssl:  
>>>>  
>>>>acacia# /usr/bin/openssl version  
>>>>OpenSSL 0.9.6g 9 Aug 2002  
>>>>  
>>>>acacia# /usr/pkg/sge/utilbin/nbsd-i386/openssl
>>
>>version  
>>
>>>>OpenSSL 0.9.6m 17 Mar 2004  
>>>>  
>>>>Thank you,  
>>>>  
>>>>Co  
>>>>  
>>>>Quoting Andre Alefeld <Andre.Alefeld at Sun.COM>:  
>>>>  
>>>> 
>>>>
>>>>>Hi,  
>>>>> 
>>>>>can you send me the output of:  
>>>>> 
>>>>>$SGE_ROOT/utilbin/<arch>/openssl version  
>>>>> 
>>>>>and  
>>>>> 
>>>>>/usr/bin/openssl version  
>>>>> 
>>>>>As I mentioned already there had been a change
>>
>>during 5.3 patch releases, 
>>
>>> 
>>>
>>>>>where uniqueIdentifier had been replaced with
>>
>>userId. If the wrong openssl 
>>
>>> 
>>>
>>>>>binary is called accidentally by the sge_ca
>>
>>script it cannot work  
>>
>>>>>correctly.  
>>>>> 
>>>>>Andre  
>>>>> 
>>>>>Co Thai Ngo wrote:  
>>>>>
>>>>>
>>>>>>Andre,   
>>>>>>  
>>>>>>I've tried both install_qmaster -csp and sge_ca
>>
>>-init on the master node 
>>
>>>as  
>>>
>>>>> 
>>>>>
>>>>>
>>>>>>described in the webpage you mentioned. Anh
>>
>>both of them gave the same  
>>
>>>>>output:   
>>>>>
>>>>>
>>>>>>  
>>>>>>---------------   
>>>>>>  
>>>>>>Initializing Certificate Authority (CA) for
>>
>>OpenSSL security framework   
>>
>>>>----------------------------------------------------------------------
>>
>>  
>>
>>>>>>  
>>>>>>  
>>>>>>Creating CA certificate and private key   
>>>>>>---------------------------------------   
>>>>>>Please give some basic parameters to create the
>>
>>distinguished name (DN)  
>>
>>> 
>>>
>>>>>>  
>>>>>>You selected the following basic data for the
>>
>>distinguished name of   
>>
>>>>>>your certificates:   
>>>>>>  
>>>>>>Country code:         C=US   
>>>>>>State:                ST=NM   
>>>>>>Location:             L=LC   
>>>>>>Organization:         O=NMSU   
>>>>>>Organizational unit:  OU=Biology   
>>>>>>CA email address:    
>>
>>emailAddress=cngo at nmsu.edu   
>>
>>>>>>  
>>>>>>Do you want to use these data (y/n) [y] >> y   
>>>>>>  
>>>>>>Creating RANDFILE in
>>>
>>>/var/sgeCA/sge_commd/default/private/rand.seed<   
>>>
>>>>>>Creating CA certificate and private key   
>>>>>>Using configuration from /tmp/sge_ca121018.tmp 
>>
>> 
>>
>>>>>>Generating a 1024 bit RSA private key   
>>>>>>....................++++++   
>>>>>>...............++++++   
>>>>>>writing new private key to 
>>>
>>>'/var/sgeCA/sge_commd/default/private/cakey.pem'  
>>>
>>>>> 
>>>>>
>>>>>
>>>>>>-----   
>>>>>>problems making Certificate Request   
>>>>>>11222:error:0B083077:x509 certificate   
>>>>>>routines:X509_NAME_ENTRY_create_by_txt:invalid
>>
>>field nam                   
>>
>>>  
>>>
>>>>>                           
>>>>>
>>>>>
>>>>>>e:x509name.c:285:name=userId   
>>>>>>  
>>>>>>Command failed:
>>
>>/usr/pkg/sge/utilbin/nbsd-i386/openssl req -md5
>>-nodes  
>>
>>>>>-config   
>>>>>
>>>>>
>>>>>>/tmp/sge_ca1210                                
>>
>>             18.tmp -new 
>>
>>> 
>>>
>>>>>-x509   
>>>>>
>>>>>
>>>>>>-keyout
>>
>>/var/sgeCA/sge_commd/default/private/cakey.pem -out 
>>
>>
>>>>>/usr/pkg/sge/def                                
>>
>>               
>>
>>>>>>ault/common/sgeCA/cacert.pem   
>>>>>>  
>>>>>>Probably a permission problem. Please check
>>
>>file access permissions.   
>>
>>>>>>Check root read/write permission. Check if SGE
>>
>>daemons are running.   
>>
>>>>>>  
>>>>>>---------------   
>>>>>>  
>>>>>>Here is the files created by sgeCA:   
>>>>>>  
>>>>>>---------   
>>>>>>  
>>>>>>acacia# pwd   
>>>>>>/usr/pkg/sge/default/common/sgeCA   
>>>>>>acacia# ll   
>>>>>>total 5   
>>>>>>drwxr-xr-x  2 sgeadmin  sgeadmin  512 Oct  6
>>
>>09:14 certs   
>>
>>>>>>drwxr-xr-x  2 sgeadmin  sgeadmin  512 Oct  6
>>
>>09:14 crl   
>>
>>>>>>-rw-r--r--  1 sgeadmin  sgeadmin   34 Oct  6
>>
>>09:15 dn.info   
>>
>>>>>>-rw-r--r--  1 sgeadmin  sgeadmin    0 Oct  6
>>
>>09:14 index.txt   
>>
>>>>>>drwxr-xr-x  2 sgeadmin  sgeadmin  512 Oct  6
>>
>>09:14 newcerts   
>>
>>>>>>-rw-r--r--  1 sgeadmin  sgeadmin    3 Oct  6
>>
>>09:14 serial   
>>
>>>>>>acacia#   
>>>>>>  
>>>>>>acacia# pwd   
>>>>>>/var/sgeCA/sge_commd/default/private   
>>>>>>acacia# ll   
>>>>>>total 2   
>>>>>>-rw-------  1 sgeadmin  wheel   887 Oct  6
>>
>>09:15 
> 
> === message truncated ===
> 
> 
> 
> 		
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail Address AutoComplete - You start. We finish.
> http://promotions.yahoo.com/new_mail 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
> For additional commands, e-mail: users-help at gridengine.sunsource.net
> 

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Andre Alefeld                Phone: ++49 (0)941 3075-255
Software Engineering         Fax:   ++49 (0)941 3075-222
Sun Microsystems GmbH
Dr.-Leo-Ritter-Str. 7	     mailto: andre.alefeld at sun.com
D-93049 Regensburg           http://www.sun.com/grid


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net




More information about the gridengine-users mailing list