airavata-dev mailing list archives

From Akos Hajnal <akos.l.haj...@gmail.com>
Subject Re: Error retrieving credentials using certificates/private keys returned by OA4MP service
Date Thu, 03 Oct 2013 11:42:53 GMT
Dear Raminder,

I've tried the patched version together with bcprov16, but I get the same 
exception after redeploy.

Now it seems that tomcat removes the class 
org.bouncycastle.jce.provider.X509CertificateObject on undeploy, and 
cannot re-load this class on redeploy. If I put bcprov-jdk14-140.jar into 
tomcat/lib, X509CertificateObject is not unloaded, and it seems to work 
without exception.
I don't know why, or how to fix it.

I don't know Airavata. Maybe I will search for it...

Regards, Akos Hajnal

ps.
// test proxy file exception
GlobusCredential cred = new GlobusCredential("x509up");
for (X509Certificate cert : cred.getCertificateChain()) {
    Class<? extends X509Certificate> c = cert.getClass();
    // <- see error below
    log.info(c.getName() + " class is from jar "
            + c.getResource('/' + c.getName().replace('.', '/') + ".class"));
    ...
}

Oct 03, 2013 1:20:03 PM org.apache.catalina.loader.WebappClassLoader findResourceInternal
INFO: Illegal access: this web application instance has been stopped already.  Could not load org/bouncycastle/jce/provider/X509CertificateObject.class.  The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.

Raminder Singh wrote:

> Hi Akos,
>
> I faced a similar problem with cog-jglobus and patched a version of 
> cog-jglobus. You can download the patched version from the 
> http://community.ucs.indiana.edu:9090/archiva/repository/ogce.m2.all/cog-jglobus/cog-jglobus/1.8.0_bc/ 
> repository. 
> You need to update the bouncycastle version to jdk1.6.1.46. I would not 
> recommend going down this path. If you can use the Airavata 0.9 release, you 
> don't need cog-jglobus. Airavata 0.9 and later uses Jglobus 2.0.6, which 
> is a better library to use to handle grid security and job submission. 
>
> <dependency>
>     <groupId>cog-jglobus</groupId>
>     <artifactId>cog-jglobus</artifactId>
>     <version>1.8.0_bc</version>
> </dependency>
> <dependency>
>     <groupId>org.bouncycastle</groupId>
>     <artifactId>bcprov-jdk16</artifactId>
>     <version>1.46</version>
> </dependency>
>
> Please let us know if you need any help with Airavata.  
> Thanks
> Raminder
>
> On Oct 2, 2013, at 8:44 AM, Marlon Pierce <marpierc@iu.edu> wrote:
>
>> Hi Akos--
>>
>> You may want to take this question to the Apache Airavata dev list:
>> dev@airavata.apache.org (cc'd).
>>
>>
>> Marlon
>>
>> On 10/2/13 5:37 AM, Akos Hajnal wrote:
>>
>>> I don't know what "OA4MP" is, but I guess we use the
>>> same cog-jglobus-1.8.jar-bcprov-jdk14-140.jar libs (downloaded by
>>> maven), and get the same Exception.
>>>
>>> What is amazing is that the exception is thrown
>>> in BouncyCastleUtil.getIdentity(X509Certificate cert), in a line
>>> similar to
>>>
>>>  if (!(cert instanceof org.bouncycastle.jce.provider.X509CertificateObject)) {
>>>      System.out.println(cert.getClass());
>>>      throw new Exception();
>>>  }
>>>
>>> and the classname printed is:
>>> "org.bouncycastle.jce.provider.X509CertificateObject". Another X-file...
>>>
>>> Regards, Akos Hajnal
>>>
>>>
>>>
>>> On Tuesday, October 1, 2013 at 17:42:05 UTC+2, Jeff Gaynor wrote:
>>>
>>>>
>>>> What version of OA4MP are you using and where did you get it from?
>>>>
>>>> Jeff
>>>>
>>>> On 09/30/2013 08:43 AM, Akos Hajnal wrote:
>>>>
>>>> Dear Jeff,
>>>> I tried:
>>>> Security.addProvider(new BouncyCastleProvider());
>>>> setProvider("BC");
>>>> installSecureRandomProvider();
>>>>
>>>> (the same as the static code of CertUtil)
>>>> at the very beginning when my webapp is deployed, but I get the same
>>>> exception.
>>>> Maybe something got stuck earlier. On the first deploy it works without
>>>> exception, but never after redeploy.
>>>> I use v1.8.
>>>>
>>>> Regards, Akos Hajnal
>>>>
>>>> On Wednesday, May 22, 2013 at 22:58:39 UTC+2, Jeff Gaynor wrote:
>>>>
>>>>>
>>>>> Hmmm. You might try the following two lines of code
>>>>>
>>>>> Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>>>>> CertUtil.setCertFactory(CertificateFactory.getInstance("X.509", "BC"));
>>>>>
>>>>> The first call is from java.security and the CertUtil is in OA4MP.
>>>>> This will require that the bouncy castle provider be used. This should be
>>>>> used as early in your code as possible, before any OA4MP calls.
>>>>>
>>>>> There is also a chance this might be a class loader issue, but it would
>>>>> be good to check this possibility out first since it is easy.
>>>>>
>>>>> Jeff
>>>>>
>>>>>
>>>>> On 05/22/2013 03:26 PM, Amila Jayasekara wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I am getting the following error when trying to communicate with MyProxy
>>>>> server to create credentials.
>>>>>
>>>>> An error occurred while retrieving credentials from credential store. But continuing with password credentials.
>>>>> java.lang.IllegalArgumentException: [JGLOBUS-35] Unexpected certificate type: "class sun.security.x509.X509CertImpl"
>>>>>     at org.globus.gsi.bc.BouncyCastleUtil.getIdentity(BouncyCastleUtil.java:453)
>>>>>     at org.globus.gsi.bc.BouncyCastleUtil.getIdentity(BouncyCastleUtil.java:470)
>>>>>     at org.globus.gsi.GlobusCredential.getIdentity(GlobusCredential.java:401)
>>>>>     at org.globus.gsi.gssapi.GlobusGSSCredentialImpl.<init>(GlobusGSSCredentialImpl.java:70)
>>>>>     at org.apache.airavata.gfac.utils.MyProxyManager.getCredentialsFromStore(MyProxyManager.java:231)
>>>>>     at org.apache.airavata.gfac.context.security.GSISecurityContext.getGssCredentials(GSISecurityContext.java:82)
>>>>>     at org.apache.airavata.gfac.handler.GramDirectorySetupHandler.invoke(GramDirectorySetupHandler.java:80)
>>>>>     at org.apache.airavata.gfac.GFacAPI.invokeInFlowHandlers(GFacAPI.java:132)
>>>>>     at org.apache.airavata.gfac.GFacAPI.schedule(GFacAPI.java:63)
>>>>>     at org.apache.airavata.gfac.GFacAPI.submitJob(GFacAPI.java:53)
>>>>>     at org.apache.airavata.xbaya.invoker.EmbeddedGFacInvoker.invoke(EmbeddedGFacInvoker.java:334)
>>>>>     at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.handleWSComponent(WorkflowInterpreter.java:710)
>>>>>     at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.executeDynamically(WorkflowInterpreter.java:530)
>>>>>     at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.access$000(WorkflowInterpreter.java:89)
>>>>>     at org.apache.airavata.xbaya.interpretor.WorkflowInterpreter$1.run(WorkflowInterpreter.java:197)
>>>>>
>>>>> In org.apache.airavata.gfac.utils.MyProxyManager I have the following
>>>>> code:
>>>>>
>>>>>   X509Certificate[] certificates = new X509Certificate[1];
>>>>>   certificates[0] = <certificate from oa4mp>
>>>>>
>>>>>   GlobusCredential newCredential = new GlobusCredential(<privateKey from oa4mp>,
>>>>>                                                         certificates);
>>>>>
>>>>>   return new GlobusGSSCredentialImpl(newCredential,
>>>>>                                      GSSCredential.INITIATE_AND_ACCEPT);
>>>>>
>>>>>
>>>>> I debugged and confirmed that the assetResponse returned by OA4MP
>>>>> server has "sun.security.x509.X509CertImpl" object type.
>>>>>
>>>>> What am I doing wrong here?
>>>>> Any help to resolve this issue is appreciated.
>>>>>
>>>>> Thanks in advance.
>>>>> Regards,
>>>>> Amila
>>>>>
>>>>>  --
>>>>> You received this message because you are subscribed to the Google Groups
>>>>> "science gateway security discussion" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>>> email to discuss+u...@sciencegatewaysecurity.org.
>>>>> Visit this group at
>>>>> http://groups.google.com/a/sciencegatewaysecurity.org/group/discuss/?hl=en-US.
>>>>>
>>>>>
>>>
>>
>
>
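
Added example (not part of the thread, and not code from cog-jglobus, OA4MP or Airavata): the instanceof check quoted above can fail although the printed class name matches, because the JVM identifies a class by its name plus the class loader that defined it, and the Tomcat log in this message shows the certificate's class being resolved through the stopped web application's loader. The plain-JDK sketch below reproduces that situation with two loaders; LoaderIdentityDemo, Cert and origin() are hypothetical names, and it assumes the class is compiled with javac and run from a directory or jar.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;

// Added illustration: one class name, two defining class loaders.
// All names here are hypothetical; nothing is taken from jglobus or BouncyCastle.
public class LoaderIdentityDemo {

    /** Constructed stand-in for a provider's certificate class. */
    public static class Cert { }

    /** Diagnostic to run on a suspect object: its class, defining loader and code source. */
    static String origin(Object o) {
        Class<?> c = o.getClass();
        CodeSource src = c.getProtectionDomain().getCodeSource();
        return c.getName()
                + " loader=" + c.getClassLoader()
                + " source=" + (src == null ? "bootstrap" : src.getLocation());
    }

    public static void main(String[] args) throws Exception {
        // Directory or jar this demo was loaded from (assumes a javac-compiled class).
        URL[] here = { LoaderIdentityDemo.class.getProtectionDomain()
                                               .getCodeSource().getLocation() };
        String name = Cert.class.getName();

        // parent = null: neither loader delegates to the application loader, so each
        // defines its own copy of Cert, like each deployment of a webapp does.
        try (URLClassLoader oldDeploy = new URLClassLoader(here, null);
             URLClassLoader newDeploy = new URLClassLoader(here, null)) {

            Class<?> oldClass = oldDeploy.loadClass(name);
            Class<?> newClass = newDeploy.loadClass(name);

            // Object created by the "old deployment", checked by the "new" one.
            Object cert = oldClass.getDeclaredConstructor().newInstance();

            System.out.println(origin(cert));
            System.out.println("names equal:   "
                    + oldClass.getName().equals(newClass.getName()));
            System.out.println("classes equal: " + (oldClass == newClass));
            // Reflective equivalent of: cert instanceof Cert (as seen by newDeploy)
            System.out.println("instanceof:    " + newClass.isInstance(cert));
        }
    }
}
```

Logging origin(cert) next to the loader of the class named in the instanceof check shows whether the two sides of the comparison come from different deployments.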

