question about an expired credential

Bartelt, Mark L.

Jun 27, 2023, 11:06:41 AM
to dis...@globus.org
Hello, Globusians ... I have a (hopefully quick) question.

I'm not very Globus-savvy, but I'm one of the sysadmins for
several of the clusters at Caltech. One of those clusters
(wheeler.caltech.edu) got set up as a Globus endpoint a few
years ago, and people have used it. But recently one of our
users reported that when he tried to connect to the wheeler
Globus endpoint, he got an error message:

Activation failed: Activate of endpoint '5ffdb946-57bb-11e8-9104-0a6d4e044368' failed: MyProxy credential is expired or doesn't meet minimum lifetime

So I wanted to ask: What exactly causes this sort of problem
and how does one fix it? For example, where does that MyProxy
credential (which is reported as expired) live, and what do we
need to do in order to un-expire it?

Karl Kornel

Jun 27, 2023, 7:37:22 PM
to Bartelt, Mark L., dis...@globus.org

Hi Mark!

I found your Globus endpoint on the Globus web site (https://app.globus.org/file-manager/collections/5ffdb946-57bb-11e8-9104-0a6d4e044368/overview), and it looks like you’ve got a bit of work ahead of you.

For your specific error, the Globus folks would have to confirm, but I wonder if a certificate has expired.

It looks like you guys are using MyProxy authentication, as described here: https://docs.globus.org/security/authorization-authentication-v4/#transfer_tofrom_an_endpoint_using_myproxy

Notice steps 4 (“Globus establishes a TLS connection to the MyProxy server…”) and 6 (“If successful, a X.509 certificate with lifetime configured by the administrator of the endpoint is returned to Globus…”).  Both of those things require certificates on your end (the MyProxy server end), and it’s possible those have expired.

The fix might be as simple as re-running the `globus-connect-server-setup` command on wheeler.  That’s the command used to do endpoint setup, and to apply endpoint configuration changes.  I wouldn’t be surprised if it’s smart enough to re-generate certificates that have expired.

In the medium term, you guys will need to migrate wheeler to Globus Connect Server version 5.  You guys are on version 4, which is being deprecated on July 31, and will stop working entirely at the end of the calendar year.  Personally, I suggest sending an email to sup...@globus.org to get the discussion started on that, as Globus has some robust migration tools that will be able to help you!

--

A. Karl Kornel | Info. Sys. Specialist

UIT Research Computing | Stanford University

+1 (650) 736-9327


Mark Bartelt

Jun 27, 2023, 8:08:10 PM
to Karl Kornel, Bartelt, Mark L., dis...@globus.org
Hi, Karl ...

Thanks for the reply.  Your suggestions sound like they'll be quite
useful.  Fingers crossed that a "globus-connect-server-setup" will
magically get things working again.  If not, I'll start to dig into
the documentation to try to get myself up to speed on the things one
needs to do.

By the way, all files in /usr/lib64/globus-connect-server/globusonline
have a ctime of May 2, 2018.  So that's presumably the date when Globus
software got installed on the wheeler cluster.  Since that was slightly
over five years ago, it leads me to ask:  Is five years how long Globus
certs are typically valid for before they expire?

Anyway, I might be back to pester you (and the other "Globus Discuss"
readers) with another question or two.  Thanks again for your help!

Karl Kornel

Jun 27, 2023, 8:17:54 PM
to Mark Bartelt, Bartelt, Mark L., dis...@globus.org

Oof, 5 years sounds really suspicious!  If you trawl through those files, you should be able to find some certificates (probably in PEM form), and a check with `openssl x509 -noout -text < cert_file.pem` will confirm if they’ve expired.

~ Karl
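
The check suggested above, applied to a whole directory tree, as an added example that is not part of the original thread or of the Globus tooling: the hypothetical `scan_certs` function finds files that contain a PEM certificate and uses `openssl x509 -enddate` and `-checkend` to label each one EXPIRED, EXPIRING or OK. The directory argument and the 30-day default warning window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report the expiry status of every
# PEM certificate found under a directory.
# Usage:   scan_certs DIR [WARN_DAYS]      (WARN_DAYS defaults to 30)
# Output:  STATUS<TAB>notAfter<TAB>path, one line per certificate file
# Returns: 0 if every certificate outlives the warning window,
#          1 if any is expired or expiring, 2 on setup failure.
scan_certs() {
    dir=$1
    warn_days=${2:-30}
    warn_secs=$((warn_days * 86400))
    rc=0
    list=$(mktemp) || return 2
    # Match on the PEM header rather than the extension, since certificates
    # may be stored as .pem, .crt, .cert or with no extension at all.
    # -I skips binary files, -s hides unreadable-file errors.
    grep -rlsI -e '-----BEGIN CERTIFICATE-----' "$dir" > "$list" || true
    while IFS= read -r f; do
        # Only the first certificate in each file is inspected; files that
        # openssl cannot parse are skipped.
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null) || continue
        end=${end#notAfter=}
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if ! openssl x509 -noout -checkend 0 -in "$f" >/dev/null 2>&1; then
            status=EXPIRED
            rc=1
        elif ! openssl x509 -noout -checkend "$warn_secs" -in "$f" >/dev/null 2>&1; then
            status=EXPIRING
            rc=1
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$end" "$f"
    done < "$list"
    rm -f "$list"
    return "$rc"
}
```

The non-zero return status makes the function usable from cron or a monitoring check, so an approaching expiry is noticed before users report failed activations.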
