Software Links
Getting Started
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- GT Developer's Guide
- GT User's Guide
- Migrating Guides
Reference
Manuals
Common Runtime
Security
- GSI C
- GSI Java
- Java WS A&A
- C WS A&A (coming soon)
- CAS
- Delegation Service
- MyProxy
- GSI-OpenSSH
- SimpleCA
Data Mgt
WS MDS
Execution Mgt
Table A.1. C WS A&A Errors
| Error Code | Definition | Possible Solutions |
|---|---|---|
ERROR: Couldn't read user key: Bad passphrase key file location: /Users/bester/.globus/userkey.pem globus_credential: Error reading user credential: Can't read credential's private key from PEM OpenSSL Error: pem_lib.c:423: in library: PEM routines, function PEM_do_header: bad decrypt OpenSSL Error: evp_enc.c:509: in library: digital envelope routines, function EVP_DecryptFinal: bad decrypt Use -debug for further information. | Unable to decrypt private key | Rerun grid-proxy-init with the correct password. |
globus_gsi_gssapi: Error with gss credential handle globus_credential: Valid credentials could not be found in any of the possible locations specified by the credential search order. Valid credentials could not be found in any of the possible locations specified by the credential search order. Attempt 1 globus_credential: Error reading host credential globus_sysconfig: Error with certificate filename globus_sysconfig: Error with certificate filename globus_sysconfig: File is not owned by current user: /etc/grid-security/hostcert.pem is not owned by current user Attempt 2 globus_credential: Error reading proxy credential globus_sysconfig: Could not find a valid proxy certificate file location globus_sysconfig: Error with key filename globus_sysconfig: File does not exist: /tmp/x509up_u501 is not a valid file Attempt 3 globus_credential: Error reading user credential globus_credential: Key is password protected: GSI does not currently support password protected private keys. OpenSSL Error: pem_lib.c:401: in library: PEM routines, function PEM_do_header: bad password read | No user proxy could be found |
|
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Error with credential: The proxy credential:
/tmp/x509up_u1499
with subject: /DC=org/DC=example/DC=grid/OU=People/CN=Joe
User/CN=1235439010
expired 44 minutes ago. | Proxy has expired. | Run grid-proxy-init to generate a new proxy. |
globus_xio: The GSI XIO driver failed to establish a secure connection. The failure occured during a handshake read. globus_xio: An end of file occurred | Communication disrupted during SSL handshake | Verify with the service administrator that your certificate is signed by a certificate authority that is trusted by the service. |
globus_gsi_gssapi: Unable to verify
remote side's credentials
globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't verify
the remote certificate
OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
| Unable to verify remote certificate. Often a clock-synchronization problem where the service clock is behind that of the client. | Verify that the client and service hosts have accurate time of day clocks. Use a NTP daemon if possible. |
OpenSSL Error: s3_clnt.c:894: in
library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate is not yet valid: Cert with
subject: /DC=org/DC=example/DC=grid/OU=People/CN=Joe User/CN=464555355 is not
yet valid- check clock skew between hosts.
| Unable to verify remote certificate. Often a clock-synchronization problem where the client clock is behind that of the service. | Verify that the client and service hosts have accurate time of day clocks. Use a NTP daemon if possible. |
globus_gsi_callback_module: Error with signing policy globus_sysconfig: Error getting signing policy file globus_sysconfig: File does not exist: /etc/grid-security/certificates/2b0e42b2.signing_policy is not a valid file | The service's certificate is not trusted by the client | Determine if the certificate authority used by the server is worth trusting. If so, retrieve the CA certificate and signing policy and place them in the client's trusted certificate directory. |
globus_gsi_callback_module: Could not verify credential globus_gsi_callback_module: Error with signing policy globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given> | Service certificate is not trusted because the CA signing policy does not trust the CA to sign the subject name of the certificate. | Verify with the service administrator that the certificate is valid. Verify that the signing policy file is up-to-date |
Error: globus_soap_message_module: SOAP Fault Fault code: Client Fault string: globus_handler_ws_secure_message: Server Request handling failed globus_handler_ws_secure_message: Failed to verify the message: Unable to get Security header element from message attributes. | The client sent a request to a service which message security without properly invoking the security handlers | Invoke the client program with the WS-SecureMessage handler.
Typically this is done by add -m msg to the
command-line. |
Error: globus_soap_message_module: SOAP Fault
Fault code: Client
Fault string: globus_soap_message_module: Loaded message handlers do not
understand required header element:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}
Security | The client sent a request protected with message-level security but the server did not understand the required security headers | Disable WS-SecureMessage on the client |