Cloud Browser PAM Authentication


Alex MacLean

Jun 2, 2016, 11:28:55 AM
to iRODS-Chat
Hello, I am able to authenticate with PAM on the command line and log in to the Cloud Browser with iRODS accounts, but when I try to log in to CB with PAM it is unsuccessful.

Here is my rodsLog:

Jun  2 15:13:10 pid:6679 NOTICE: Agent process 6713 started for puser=macleanal and cuser=macleanal from 127.0.0.1
Jun  2 15:13:10 pid:6713 ERROR: sslAccept: error calling SSL_accept. SSL error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jun  2 15:13:10 pid:6713 ERROR: sslAccept failed in agentMain with status -2103000
Jun  2 15:13:10 pid:6713 ERROR: [-]     iRODS/server/core/src/rsApiHandler.cpp:470:readAndProcClientMsg :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message []
       [-]     iRODS/lib/core/src/sockComm.cpp:199:readMsgHeader :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [failed to call 'read header']
               [-]     libtcp.cpp:256:tcp_read_msg_header :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [header length is out of range: 1464880390 expected >= 0 and < 1088]


Should I be focusing on the header that is out of range or something else?

Thanks,

Alex


Mike Conway

Jun 2, 2016, 11:36:22 AM
to iRODS-Chat
Subject: Re: [iROD-Chat:15163] Cloud Browser PAM Authentication
Date: Thu, 2 Jun 2016 11:30:30 -0400
From: Mike Conway <mco...@unc.edu>
To: irod...@googlegroups.com

This looks like a JVM-level issue. Can you try a test with JDK 1.8?

I suspect that the underlying issue is an older JVM that doesn't support higher TLS levels.  iRODS needs the latest due to prior vulnerabilities in SSL.

Alex MacLean

Jun 2, 2016, 11:40:43 AM
to iRODS-Chat
Hi Mike, so I originally deployed my current instance with Java 7 and then updated to Java 8 after I read that the update fixed this problem for some people. I still experienced the same issue though afterwards. Would it be worth trying a fresh deployment with Java 8 from the start?

Alex

Alex MacLean

Jun 2, 2016, 1:17:16 PM
to iRODS-Chat
On a fresh installation with Java 8 I'm getting a different SSL error now:

Jun  2 17:15:29 pid:26536 ERROR: sslAccept: error calling SSL_accept. SSL error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun  2 17:15:29 pid:26536 ERROR: sslAccept failed in agentMain with status -2103000
Jun  2 17:15:29 pid:26536 ERROR: [-]    iRODS/server/core/src/rsApiHandler.cpp:470:readAndProcClientMsg :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message []
       [-]     iRODS/lib/core/src/sockComm.cpp:199:readMsgHeader :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [failed to call 'read header']
               [-]     libtcp.cpp:240:tcp_read_msg_header :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [read 0 expected 4]
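
The two rodsLog excerpts in this thread carry more diagnostic information than they appear to, and the following script decodes it. This is an added example, not iRODS project code. It assumes the rodsLog timestamps are UTC and belong to 2016 (the thread's date; syslog-style lines omit the year) and that the SSL error codes use OpenSSL 1.0.x's ERR_PACK layout (8-bit library id, 12-bit function id, 12-bit reason id). Two things fall out: a reason code of 1000 or more is a TLS alert received from the peer, so "certificate unknown" in the second log means the Java client rejected the server's certificate; and the "out of range" header length 1464880390 from the first log decodes to 2016-06-02 15:13:10 UTC, the very second the agent logged it, which is what a TLS 1.0-1.2 ClientHello random (it begins with gmt_unix_time) looks like when a server reads it as plaintext iRODS framing.

```python
"""Decode the two failure signatures from the rodsLog excerpts in this thread.

Added example, not iRODS project code. Assumptions: rodsLog lines omit the
year, so 2016 (the thread's date) is assumed, and the agent logged in UTC;
the SSL error code layout is OpenSSL 1.0.x's ERR_PACK (8-bit library id,
12-bit function id, 12-bit reason id).
"""
import re
from datetime import datetime, timezone

LOG_YEAR = 2016        # assumption: syslog-style lines omit the year
LOG_TZ = timezone.utc  # assumption: agent clock logged in UTC

# Constructed from the three diagnostic lines quoted in the thread (the
# indented libtcp line inherits the timestamp of the line before it).
LOG_LINES = [
    "Jun  2 15:13:10 pid:6713 ERROR: sslAccept: error calling SSL_accept. "
    "SSL error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
    "               [-]     libtcp.cpp:256:tcp_read_msg_header :  status "
    "[SYS_HEADER_READ_LEN_ERR]  errno [] -- message [header length is out of "
    "range: 1464880390 expected >= 0 and < 1088]",
    "Jun  2 17:15:29 pid:26536 ERROR: sslAccept: error calling SSL_accept. "
    "SSL error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown",
]

# TLS AlertDescription values (RFC 5246, section 7.2). OpenSSL reports an
# alert received from the peer as reason code 1000 + AlertDescription.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension", 112: "unrecognized_name",
}


def decode_openssl_error(code):
    """Unpack an OpenSSL 1.0.x error code into library, function and reason ids.

    Reasons >= 1000 are TLS alerts sent by the *peer*, so 'certificate unknown'
    here means the client rejected the server's certificate, not the reverse.
    """
    reason = code & 0xFFF
    alert = TLS_ALERTS.get(reason - 1000) if reason >= 1000 else None
    return {
        "lib": (code >> 24) & 0xFF,   # 20 == ERR_LIB_SSL
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        "peer_alert": alert,
    }


def analyse_header_length(value, log_time, upper_bound):
    """Classify a rejected iRODS message-header length.

    iRODS framing starts with a 4-byte big-endian length. If the rejected
    value decodes to roughly the time the line was logged, the bytes were not
    iRODS framing at all: the TLS 1.0-1.2 ClientHello random begins with
    gmt_unix_time, so a plaintext read landing on a TLS handshake produces
    exactly this symptom (client and server disagree about using SSL).
    """
    as_time = datetime.fromtimestamp(value, tz=LOG_TZ)
    skew = abs((as_time - log_time).total_seconds())
    return {
        "in_range": 0 <= value < upper_bound,
        "raw_bytes": value.to_bytes(4, "big").hex() if value < 2 ** 32 else None,
        "as_utc": as_time.isoformat(),
        "looks_like_timestamp": skew < 3600,
    }


_TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")
_OSSL = re.compile(r"SSL error: error:([0-9A-Fa-f]{8}):")
_HDR = re.compile(r"header length is out of range: (\d+) expected >= 0 and < (\d+)")


def parse_log(lines):
    """Walk rodsLog lines and return one finding dict per recognised symptom."""
    findings, current_time = [], None
    for line in lines:
        m = _TS.match(line)
        if m:
            stamp = f"{LOG_YEAR} {m.group(1)}"
            current_time = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=LOG_TZ)
        m = _OSSL.search(line)
        if m:
            findings.append({"kind": "openssl", **decode_openssl_error(int(m.group(1), 16))})
            continue
        m = _HDR.search(line)
        if m and current_time is not None:
            findings.append({"kind": "header_length",
                             **analyse_header_length(int(m.group(1)), current_time, int(m.group(2)))})
    return findings


if __name__ == "__main__":
    for finding in parse_log(LOG_LINES):
        print(finding)
```

Run against the constructed lines it reports the first handshake as reason 252 with no peer alert (the server simply did not understand the bytes it got, consistent with the Java-7 TLS mismatch Mike suspected), the header-length failure as a timestamp matching the log second, and the second handshake as peer alert `certificate_unknown`, pointing at the client's trust store rather than at the iRODS server.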

Alex MacLean

Jun 2, 2016, 2:45:31 PM
to iRODS-Chat
I am using a self-signed certificate, generated like so:

openssl genrsa -out server.key 1024
openssl req -new -x509 -key server.key -out chain.pem -days 3650 -config /etc/irods/cert.cfg
openssl dhparam -2 -out dhparams.pem 2048

And then I installed ca-certificates-java and added the certificate to the keystore:

keytool -import -storepass changeit -noprompt -file /etc/irods/chain.pem -keystore /etc/ssl/certs/java/cacerts

And here's the relevant portion of my irods_environment.json:

   "irods_authentication_scheme": "PAM",
   "irods_ssl_ca_certificate_file": "/etc/irods/chain.pem",
   "irods_ssl_certificate_chain_file": "/etc/irods/chain.pem",
   "irods_ssl_certificate_key_file": "/etc/irods/server.key",
   "irods_ssl_dh_params_file": "/etc/irods/dhparams.pem",
   "irods_ssl_verify_server": "cert",

Mike Conway

Jun 2, 2016, 3:35:35 PM
to irod...@googlegroups.com
This happens because your self-signed certificate is unknown to your Tomcat server.  The JRE you are running on has a keystore that must contain the public key of your self-signed cert.

There are some tips here: https://github.com/DICE-UNC/jargon/wiki/Setting-up-PAM

But that is your issue, and having the public key imported into the correct keystore should have you set to go.

Cheers
MC

Alex MacLean

Jun 2, 2016, 3:58:35 PM
to iRODS-Chat
Excellent, thanks Mike!

As soon as I added my certificate to /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts I was able to log in to Cloud Browser with PAM.

That wiki page was very helpful. I thought it would be great if it was more visible to people looking to set up Cloud Browser, so I added a page to the wiki referring to it: https://github.com/DICE-UNC/irods-cloud-browser/wiki/Authentication

Alex
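
The resolution above illustrates a common trap: the certificate was imported into Debian's /etc/ssl/certs/java/cacerts (the ca-certificates-java store), but the Oracle JVM running Tomcat read /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts, so the import changed nothing until it went into the right store. The script below, an added example rather than iRODS or Jargon code, checks trust the way a practitioner would before restarting Tomcat: locate cacerts under the JAVA_HOME the service actually uses, compute the PEM's SHA-256 fingerprint with the standard library, and look for that fingerprint in `keytool -list -v` output. It assumes keytool is on PATH and the stock keystore password "changeit" from the thread; the sample PEM it ships with is a constructed placeholder, not a real certificate.

```python
"""Confirm a PEM certificate is trusted by the JVM that actually runs Tomcat.

Added example, not iRODS or Jargon code. Assumes keytool is on PATH and the
stock cacerts password "changeit" used in the thread.
"""
import base64
import hashlib
import os
import re
import ssl
import subprocess


def find_cacerts(java_home):
    """Locate cacerts for a JAVA_HOME: jre/lib/security on JDK 8 and older,
    lib/security on JDK 9+. Returns None if neither file exists."""
    for rel in ("jre/lib/security/cacerts", "lib/security/cacerts"):
        path = os.path.join(java_home, rel)
        if os.path.isfile(path):
            return path
    return None


def pem_sha256_fingerprint(pem_text):
    """SHA-256 over the DER body, formatted like keytool prints it (AA:BB:...)."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)  # strips the PEM armour, base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Matches "SHA256:" (JDK 8 -list -v), "SHA-256:" and "(SHA-256):" (newer keytool).
_FP = re.compile(r"SHA-?256\)?:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){31})")


def fingerprints_in_listing(listing):
    """Collect every SHA-256 fingerprint printed by `keytool -list -v`."""
    return {m.group(1).upper() for m in _FP.finditer(listing)}


def keystore_trusts(cacerts, pem_text, storepass="changeit"):
    """True if the certificate's fingerprint appears in the keystore listing."""
    proc = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", cacerts, "-storepass", storepass],
        capture_output=True, text=True, check=True,
    )
    return pem_sha256_fingerprint(pem_text) in fingerprints_in_listing(proc.stdout)


# Constructed placeholder, NOT a real certificate: PEM armour around arbitrary
# bytes, enough to exercise the fingerprint path offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder, not a real X.509 certificate").decode()
    + "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    import sys
    # Point JAVA_HOME at the JVM Tomcat runs under, not the one first on PATH.
    java_home = os.environ.get("JAVA_HOME", "/usr/lib/jvm/java-8-oracle")
    cacerts = find_cacerts(java_home)
    if cacerts is None:
        sys.exit(f"no cacerts under {java_home}; set JAVA_HOME to Tomcat's JVM")
    pem_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/irods/chain.pem"
    with open(pem_path) as fh:
        pem = fh.read()
    print("fingerprint:", pem_sha256_fingerprint(pem))
    print("trusted by", cacerts, ":", keystore_trusts(cacerts, pem))
```

Run it with JAVA_HOME set to the JVM the Tomcat service uses (check the service definition or `ps` output for the java binary); if it reports False, import into the path it printed rather than into whatever store keytool picks up by default, then restart Tomcat.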