trouble getting federation with ssl enabled


Robert Verhagen

Mar 17, 2023, 6:15:57 AM3/17/23
to iRODS-Chat

Hi,

I can get federation between 2 zones working without ssl but not with ssl enabled. I can’t find any documentation on how to do that. Maybe someone has done this already?


To get federation working without ssl:

core.re:

acPreConnect(*OUT) { *OUT="CS_NEG_REFUSE"; }


irods_environment.json:

    "irods_client_server_negotiation": "off",

    "irods_client_server_policy": "CS_NEG_REFUSE",


The federation works as expected. I can browse through both zones and get/ put files between zones.


When I change to use our self signed certificates:

core.re:

acPreConnect(*OUT) { *OUT="CS_NEG_REQUIRE"; }


irods_environment.json:

    "irods_client_server_negotiation": "request_server_negotiation",

    "irods_client_server_policy": "CS_NEG_REQUIRE",

    "irods_ssl_certificate_chain_file": "/etc/irods/ssl/irods.crt",

    "irods_ssl_certificate_key_file": "/etc/irods/ssl/irods.key",

    "irods_ssl_dh_params_file": "/etc/irods/ssl/dhparams.pem",

    "irods_ssl_ca_certificate_file": "/etc/irods/ssl/irods.crt",

    "irods_ssl_verify_server": "cert"


server_config.json is the same in both configurations.


I can browse through the local zones but I get this error when I try to browse to the federated zone:


$ ils /

/:

  C- /zoneRemote

  C- /zoneLocal


$ ils /zoneLocal

/zoneLocal:

  C- /zoneLocal/home

  C- /zoneLocal/projects

  C- /zoneLocal/system

  C- /zoneLocal/trash


$ ils /zoneRemote

terminating with uncaught exception of type irods::experimental::filesystem::filesystem_error: cannot get status: Unknown error -1825000

Aborted


From the remote site to my local site gives this error:


libc++abi: terminating with uncaught exception of type irods::experimental::filesystem::filesystem_error: cannot get status: Unknown error -1825000

Aborted


On my local site I have iRODS 4.2.11, on my remote site 4.3.0.


Regards,

Robert Verhagen.




Kory Draughn

Mar 20, 2023, 12:39:10 PM3/20/23
to irod...@googlegroups.com
Hi Robert,

$ ierror -1825000
irods error: -1825000 SERVER_NEGOTIATION_ERROR

Please share the federation stanza in server_config.json of both servers (with sensitive data masked out).
Is there anything in the log files of the servers?

Thanks,

Kory Draughn
Chief Technologist
iRODS Consortium


The Integrated Rule-Oriented Data System (iRODS) - https://irods.org
iROD-Chat: http://groups.google.com/group/iROD-Chat

joris luijsterburg

Mar 22, 2023, 5:21:36 AM3/22/23
to iRODS-Chat
Robert,

I just got it to work here. I read somewhere that I needed to disable the allowlist policy. I am not sure what it exactly means though; the docs say that with the enforced option you will expose some operations, but not what it exposes if you choose disabled, so I don't know exactly.

Also, in another thread I saw that I first misinterpreted the negotiation_key that you need to fill in for a federation. This is not the negotiation_key already defined in the other instance, but a separate federation key that is the same in both zones.

and look for
"client_api_whitelist_policy" (<4.3.0) or "client_api_allowlist_policy" (4.3.0)

Hope this helps!

Regards,
Joris

Robert Verhagen

Mar 24, 2023, 11:06:15 AM3/24/23
to iRODS-Chat
Dear Kory,

Defined in zoneLocal:

    "zone_name": "zoneLocal",
    "zone_key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "negotiation_key": "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",
    "client_api_whitelist_policy": "disabled",
    "catalog_provider_hosts": [
        "server1"

    "federation": [
       {
        "catalog_provider_hosts": ["server2"],
        "zone_name": "zoneRemote",
        "zone_key": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
        "negotiation_key": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",

        }
    ],


Defined in zoneRemote

    "zone_name": "zoneRemote",
    "zone_key": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "negotiation_key": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
    "catalog_provider_hosts": ["server2"],
    "client_api_allowlist_policy": "disabled",


    "federation": [
       {
        "catalog_provider_hosts": ["server1"],
        "zone_name": "zoneLocal",
        "zone_key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "negotiation_key": "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",

        }
    ],


The server1 logfile after trying to connect to the zoneRemote:

Mar 24 15:28:45 pid:22118 remote addresses: 127.0.0.1, 192.168.1.100, 192.168.1.110 ERROR: connectToRhost: error returned from host server2 status = -1825000 SERVER_NEGOTIATION_ERROR
Mar 24 15:28:45 pid:22118 remote addresses: 127.0.0.1, 192.168.1.100 ERROR: _rcConnect: connectToRhost error, server on server2:1247 is probably down status = -1825000 SERVER_NEGOTIATION_ERROR
Mar 24 15:28:45 pid:22118 NOTICE: getAndConnRcatHost: svrToSvrConnect to server2 failed
Mar 24 15:28:46 pid:22118 remote addresses: 127.0.0.1, 192.168.1.100, 192.168.1.110 ERROR: connectToRhost: error returned from host server2 status = -1825000 SERVER_NEGOTIATION_ERROR
Mar 24 15:28:46 pid:22118 remote addresses: 127.0.0.1, 192.168.1.100 ERROR: _rcConnect: connectToRhost error, server on server2:1247 is probably down status = -1825000 SERVER_NEGOTIATION_ERROR
Mar 24 15:28:46 pid:22118 NOTICE: getAndConnRcatHost: svrToSvrConnect to server2 failed
Mar 24 15:28:46 pid:22118 remote addresses: 127.0.0.1, 192.168.1.100 ERROR: [-] /repos/irods/server/core/src/rsApiHandler.cpp:542:int readAndProcClientMsg(rsComm_t *, int) :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [failed to call 'read header']
[-] /repos/irods/lib/core/src/sockComm.cpp:198:irods::error readMsgHeader(irods::network_object_ptr, msgHeader_t *, struct timeval *) :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [failed to call 'read header']
[-] /repos/irods/plugins/network/ssl/libssl.cpp:572:irods::error ssl_read_msg_header(irods::plugin_context &, void *, struct timeval *) :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [read 0 expected 4]

Mar 24 15:28:46 pid:22118 remote addresses: 127.0.0.1 ERROR: [-] /repos/irods/server/core/src/rodsAgent.cpp:566:int runIrodsAgentFactory(sockaddr_un) :  status [SSL_SHUTDOWN_ERROR]  errno [] -- message [failed to call 'agent stop']
[-] /repos/irods/lib/core/src/sockComm.cpp:160:irods::error sockAgentStop(irods::network_object_ptr) :  status [SSL_SHUTDOWN_ERROR]  errno [] -- message [failed to call 'agent stop']
[-] /repos/irods/plugins/network/ssl/libssl.cpp:952:irods::error ssl_agent_stop(irods::plugin_context &) :  status [SSL_SHUTDOWN_ERROR]  errno [] -- message [error completing shutdown of SSL connection]

Mar 24 15:28:46 pid:4384  ERROR: Agent process [22118] exited with status [64]


Regards,
Robert Verhagen.

On Monday, 20 March 2023 at 17:39:10 UTC+1, korydraughn.renci wrote:

Kory Draughn

Mar 24, 2023, 11:36:05 AM3/24/23
to irod...@googlegroups.com
Is the config for zoneLocal correct? See catalog_provider_hosts and the opening/closing square brackets.

Kory Draughn
Chief Technologist
iRODS Consortium

Robert Verhagen

Mar 24, 2023, 11:45:13 AM3/24/23
to iRODS-Chat
Yes, sorry I didn't copy everything:
    "catalog_provider_hosts": [
        "server1"
    ],

The federation without ssl enabled works, so I think the server config is ok?
Only when I enable ssl (as described) federation fails.
Regards,
Robert Verhagen



On Friday, 24 March 2023 at 16:36:05 UTC+1, korydraughn.renci wrote:

Kory Draughn

Mar 24, 2023, 12:07:35 PM3/24/23
to irod...@googlegroups.com
Your negotiation keys in the federation stanzas must be identical.
Within the federation stanza, the negotiation key is the pre-shared key between servers.

Please make them identical and try running with SSL again.

Kory Draughn
Chief Technologist
iRODS Consortium

Robert Verhagen

Mar 24, 2023, 12:43:22 PM3/24/23
to irod...@googlegroups.com
Dear Kory,
That works!
But why state the negotiation key in the federation stanza when it should be identical between zones?
If it is identical between servers of different zones, it should be enough to state it once?
Thank you for your help,
Regards,
Robert Verhagen.

On Fri, 24 Mar 2023 at 17:07, Kory Draughn <korydrau...@gmail.com> wrote:

Kory Draughn

Mar 24, 2023, 1:27:30 PM3/24/23
to irod...@googlegroups.com
Excellent.

The top-level negotiation key (outside of the federation stanza) serves a different purpose than the ones found in the federation stanza.

The negotiation keys in the federation stanza are pre-shared keys. Two different organizations can decide on what those keys should be.
You can also federate with virtually any number of zones, which infers that the negotiation keys could be different for each remote zone.

Does that answer your question?

Kory Draughn
Chief Technologist
iRODS Consortium

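A consistency check for a pair of federation stanzas, as an added example and not code from iRODS or from anyone in this thread. It encodes the rule Kory gives above: the negotiation_key inside each zone's federation stanza for the other zone is a pre-shared key and must be identical on both sides, while the top-level negotiation_key is zone-local and may differ, and it also cross-checks the stanza's zone_key and catalog_provider_hosts against the peer's own values. The sample configs are constructed from the masked fragments posted earlier in the thread, with placeholder keys; the 32-character length check comes from the iRODS documentation rather than from this thread, and load_config and with_shared_federation_key are this example's own helpers.

```python
import copy
import json

# Constructed sample configs, modelled on the masked server_config.json
# fragments posted in this thread. Key values are placeholders, not real secrets.
ZONE_LOCAL = {
    "zone_name": "zoneLocal",
    "zone_key": "x" * 32,
    "negotiation_key": "y" * 32,            # top-level key: zone-local, never compared
    "client_api_whitelist_policy": "disabled",
    "catalog_provider_hosts": ["server1"],
    "federation": [
        {
            "catalog_provider_hosts": ["server2"],
            "zone_name": "zoneRemote",
            "zone_key": "a" * 32,
            "negotiation_key": "b" * 32,    # pre-shared federation key, zoneLocal's side
        }
    ],
}

ZONE_REMOTE = {
    "zone_name": "zoneRemote",
    "zone_key": "a" * 32,
    "negotiation_key": "b" * 32,
    "catalog_provider_hosts": ["server2"],
    "client_api_allowlist_policy": "disabled",
    "federation": [
        {
            "catalog_provider_hosts": ["server1"],
            "zone_name": "zoneLocal",
            "zone_key": "x" * 32,
            "negotiation_key": "y" * 32,    # zoneRemote's side: differs, so negotiation fails
        }
    ],
}


def load_config(path):
    """Read a real server_config.json from disk (helper of this example)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def federation_stanza(cfg, peer_zone):
    """Return the federation entry that describes peer_zone, or None."""
    for entry in cfg.get("federation", []):
        if entry.get("zone_name") == peer_zone:
            return entry
    return None


def check_federation_pair(cfg_a, cfg_b):
    """Return a list of problems for the A<->B federation; [] means consistent."""
    a, b = cfg_a["zone_name"], cfg_b["zone_name"]
    problems = []
    sa, sb = federation_stanza(cfg_a, b), federation_stanza(cfg_b, a)
    if sa is None:
        problems.append(f"{a}: no federation stanza for {b}")
    if sb is None:
        problems.append(f"{b}: no federation stanza for {a}")
    if problems:
        return problems
    # The federation negotiation_key is a pre-shared secret: both sides must hold
    # the same value, otherwise the connection ends in SERVER_NEGOTIATION_ERROR.
    if sa["negotiation_key"] != sb["negotiation_key"]:
        problems.append(f"federation negotiation_key differs between {a} and {b}")
    # The iRODS documentation specifies negotiation keys as 32-byte strings.
    for zone, stanza in ((a, sa), (b, sb)):
        if len(stanza["negotiation_key"]) != 32:
            problems.append(f"{zone}: federation negotiation_key is not 32 characters")
    # Each stanza must carry the peer's own zone_key and catalog provider hosts.
    for zone, stanza, peer in ((a, sa, cfg_b), (b, sb, cfg_a)):
        if stanza["zone_key"] != peer["zone_key"]:
            problems.append(f"{zone}: stanza zone_key does not match {peer['zone_name']}'s zone_key")
        if set(stanza["catalog_provider_hosts"]) != set(peer["catalog_provider_hosts"]):
            problems.append(f"{zone}: stanza catalog_provider_hosts do not match {peer['zone_name']}'s")
    # The policy key was renamed in 4.3.0; accept either spelling but require one.
    for cfg in (cfg_a, cfg_b):
        if "client_api_allowlist_policy" not in cfg and "client_api_whitelist_policy" not in cfg:
            problems.append(f"{cfg['zone_name']}: client_api_allowlist_policy not set")
    return problems


def with_shared_federation_key(cfg_a, cfg_b, key):
    """Return copies of both configs with one shared federation key on each side."""
    new_a, new_b = copy.deepcopy(cfg_a), copy.deepcopy(cfg_b)
    federation_stanza(new_a, cfg_b["zone_name"])["negotiation_key"] = key
    federation_stanza(new_b, cfg_a["zone_name"])["negotiation_key"] = key
    return new_a, new_b


if __name__ == "__main__":
    for p in check_federation_pair(ZONE_LOCAL, ZONE_REMOTE):
        print("PROBLEM:", p)
    fixed_local, fixed_remote = with_shared_federation_key(ZONE_LOCAL, ZONE_REMOTE, "f" * 32)
    print("after fix:", check_federation_pair(fixed_local, fixed_remote))
```

Run against the constructed pair it reports exactly the mismatch from this thread; against two real files, replace the constants with load_config("/etc/irods/server_config.json") on each server and compare the outputs out of band, so neither side has to reveal its top-level negotiation_key to the other.
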
Robert Verhagen

Mar 24, 2023, 1:43:57 PM3/24/23
to irod...@googlegroups.com
Yes,
Thank you.
Robert Verhagen.

On Fri, 24 Mar 2023, 18:27, Kory Draughn <korydrau...@gmail.com> wrote:

Kory Draughn

Mar 24, 2023, 1:48:57 PM3/24/23
to irod...@googlegroups.com
Glad we could help.

Thanks,

Kory Draughn
Chief Technologist
iRODS Consortium
