GGUS-Ticket-ID: #158702 "ASSIGNED" "ARGUS" "can not start argus pepd process after update of IGTF certs"

help...@ggus.org

Sep 2, 2022, 8:52:38 AM
to argus-...@googlegroups.com

Hello,

GGUS ticket #158702 was updated.

REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs

LATEST MODIFICATIONS:

LAST MODIFIER: Zdenek Salvet
PUBLIC DIARY:
Added Known errors database entry EGIKEDB-17.


*********************************************************************
This is an automated mail. When replying don't change the subject line!
S T R I P   P R E V I O U S   M A I L S   please!!
*********************************************************************

help...@ggus.org

Sep 2, 2022, 9:25:40 AM
to argus-...@googlegroups.com

LAST MODIFIER: Mischa Salle
PUBLIC DIARY:
The error is actually thrown by cANL-java: https://github.com/eu-emi/canl-java/blob/master/src/main/java/eu/emi/security/authn/x509/impl/OpensslNameUtils.java#L135
and is due to it incorrectly trying to establish whether it's openssl or ldap format. A , is a valid character, see e.g. https://www.ogf.org/documents/GFD.125.pdf

And unfortunately removing ca_policy_igtf-slcs is not sufficient. It's also pulled in by mics (e.g. for the old TCS-3, the TCS-4 no longer uses DigiCert) and classic.

help...@ggus.org

Sep 2, 2022, 10:13:41 AM
to argus-...@googlegroups.com

LAST MODIFIER: Zdenek Salvet
PUBLIC DIARY:
There are two different bugs, both in Argus, IMO.
Please note the error from canl-java says it does not like DN starting
with "Inc.", i.e. half of the actual DN split by Argus.

help...@ggus.org

Sep 2, 2022, 10:28:42 AM
to argus-...@googlegroups.com

LAST MODIFIER: Mischa Salle
PUBLIC DIARY:
Hmm, that is a good point. It could be the combination of , and space actually.
It would probably be good to see a stack trace from the pepd logs to see where the code is going wrong.
 

help...@ggus.org

Sep 2, 2022, 10:34:42 AM
to argus-...@googlegroups.com

LAST MODIFIER: Mischa Salle
PUBLIC DIARY:

I'm wondering if https://github.com/argus-authz/argus-pep-server/blame/1_7/src/main/java/org/glite/authz/pep/obligation/dfpmap/X509MatchStrategy.java#L59-L62 might have something to do with it...
Probably good to indeed let the Argus developers sort this out.

help...@ggus.org

Sep 2, 2022, 10:52:43 AM
to argus-...@googlegroups.com

LAST MODIFIER: Zdenek Salvet
PUBLIC DIARY:
Argus reads the raw value using Java property code, splits subjectdn value 
using \s*,\s* separator, then removes remaining (possibly nonmatching) quotes.
Not good enough, and impossible to work around so that the DN with comma works :-(
argus-pep-server/src/main/java/org/glite/authz/pep/pip/provider/authnprofilespip/AuthenticationProfileUtils.java
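
The splitting behaviour described in the last diary entry, reproduced as an added example (not part of the ticket and not Argus or canl-java code). `naiveSplit` follows the description (split on `\s*,\s*`, then drop quotes) and yields a fragment starting with "Inc."; `quoteAwareSplit` is one possible alternative that only treats commas outside double quotes as separators. The class name, method names and sample DNs are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class SubjectDnSplitDemo {

    // Behaviour described in the ticket: split on \s*,\s*, then remove quotes.
    static List<String> naiveSplit(String raw) {
        List<String> out = new ArrayList<>();
        for (String part : raw.split("\\s*,\\s*")) {
            out.add(part.replace("\"", ""));
        }
        return out;
    }

    // Alternative (assumption, not the project's fix): a comma separates
    // entries only when it is outside a double-quoted DN.
    static List<String> quoteAwareSplit(String raw) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false;
        for (char c : raw.toCharArray()) {
            if (c == '"') {
                inQuotes = !inQuotes;      // quotes delimit a DN, they are not part of it
            } else if (c == ',' && !inQuotes) {
                flush(out, cur);           // separator between two DNs
            } else {
                cur.append(c);             // includes commas inside a quoted DN
            }
        }
        if (inQuotes) {
            throw new IllegalArgumentException("unterminated quote in subjectdn value");
        }
        flush(out, cur);
        return out;
    }

    // Store the accumulated DN (if any) and reset the buffer.
    static void flush(List<String> out, StringBuilder cur) {
        String dn = cur.toString().trim();
        if (!dn.isEmpty()) out.add(dn);
        cur.setLength(0);
    }

    public static void main(String[] args) {
        // Constructed sample value; the DNs are placeholders, not taken from the IGTF bundle.
        String raw = "\"/C=US/O=Example, Inc./CN=Example CA\", \"/C=NL/O=Example/CN=Other CA\"";
        System.out.println("naive:       " + naiveSplit(raw));
        System.out.println("quote-aware: " + quoteAwareSplit(raw));
    }
}
```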
