Table of Contents
- 1. Introduction
- 2. Building and Installing
- 3. Configuring
- 3.1. Configuration overview
- 3.2. Loading the CAS service at start up
- 3.3. Changing the maximum assertion lifetime
- 3.4. Configuring database backend
- 3.5. Configuring security descriptor
- 3.6. Configuring with a GridFTP Server
- 3.7. CAS auto-registration with default WS MDS Index Service
- 3.8. Registering CAS manually with default WS MDS Index Service
- 4. Deploying
- 5. Testing
- 6. Example of CAS Server Administration
- 7. Security Considerations
- 8. Troubleshooting
This guide contains advanced configuration information for system administrators working with the Community Authorization Service (CAS). It provides references to information on procedures typically performed by system administrators, including installing, configuring, deploying, and testing the installation.
![[Important]](../../../../../docbook-images/important.gif) | Important |
|---|---|
This information is in addition to the basic Globus Toolkit prerequisite, overview, installation, security configuration instructions in the GT 4.0 System Administrator's Guide. Read through this guide before continuing! |
The CAS server and client are built and installed as part of a default GT 4.0 installation. For basic installation instructions, refer to the GT 4.0 System Administrator's Guide. No extra installation steps are required for this component.
The CAS client can be installed by itself. Please refer to Packaging details.
![[Note]](../../../../../docbook-images/note.gif) | Note |
|---|---|
Typically a single CAS server is run per VO and multiple client installations are done. This document contains information about deploying a CAS server and is not needed for a CAS client installation. Please refer to the documentation for CAS client install. |
The CAS service can be configured with a description of the VO the CAS service serves and the maximum lifetime of the assertions it can issue. Also, the service needs to be configured with information about the back end database it uses. Any database with a JDBC driver and reasonable SQL support can be used. That said, PostgreSQL was used for development and testing and we strongly recommend that you use it. The CAS database schema to be used with PostgreSQL has been provided in $GLOBUS_LOCATION/etc/globus_cas_service/casDbSchema/cas_pgsql_database_schema.sql.
Other than that, the security settings of the service can be modified in the security descriptor associated with the CAS service. It allows for configuring the credentials that will be used by the service, the type of authentication and message protection required as well as the authorization mechanism. By default, the following security configuration is installed:
- Credentials are determined by the container level security descriptor. If there is no container level security descriptor or if it does not specify which credentials to use then default credentials are used.
- Authentication and message integrity protection is enforced for all methods except queryResourceProperties and getResourceProperty. This means that you may use any of GSI Transport, GSI Secure Message or GSI Secure Conversation when interacting with the CAS service.
- The standard authorization framework is not used for authorization. Instead the the service uses the back end database to determine if the call is permitted.
| Note |
|---|---|
Changing required authentication and authorization methods will require matching changes to the clients that contact this service. |
| Important |
|---|---|
If the service is configured to use GSI Secure Transport, then container credentials are used for the handshake, irrespective of whether service level credentials are specified. |
By default, the CAS service is not loaded at start up. To change this behavior, uncomment the loadOnStartup property set in $GLOBUS_LOCATION/etc/globus_cas_service/server-config.wsdd as shown below.
Once the loadOnStartup property is uncommented, the following happens at start up:
- The CAS service is loaded.
- The database connection pool is initialized.
- The service registers itself to the default MDS Index Service.
<service name="CASService" provider="Handler" use="literal"
style="document">
<!-- Uncomment if the service needs to be initialized at startup -->
<parameter name="loadOnStartup" value="true"/>
<parameter name="allowedMethodsClass"
value="org.globus.cas.CASPortType"/>
.
.
.
</service>To change the maximum assertion lifetime and VO description, set the parameters maxAssertionLifetime
and voDescription in $GLOBUS_LOCATION/etc/globus_cas_service/jndi-config.xml to the desired values.
To alter the configuration of the database back end edit the databaseConfiguration section of
$GLOBUS_LOCATION/etc/globus_cas_service/jndi-config.xml as follows:
Table 1. Database parameters
| driver | The JDBC driver to be used |
| connectionURL | The JDBC connection url to be used when connecting to the database |
| userName | The user name to connect to the database as |
| password | The corresponding database password |
| activeConnections | The maximum number of active connections at any given instance |
| onExhaustAction | The action to perform when the connection pool is exhausted. If value is 0 then fail, if 1 then block and if 2 then grow the pool (get more connections) |
| maxWait | The maximum time in milliseconds that the pool will wait for a connection to be returned |
| idleConnections | The maximum number of idle connections at any given time |
To alter the security descriptor configuration refer to
Security Descriptors.
The file to be changed is $GLOBUS_LOCATION/etc/globus_cas_service/security-config.xml.
CAS is used to administer access rights to files and directories and the GridFTP server can be configured to enforce those rights.
For detailed information about configuring CAS for use with a GridFTP server, see http://www.globus.org/toolkit/docs/4.0/security/cas/WS_AA_CAS_HOWTO_Setup_GridFTP.html.
With a default GT 4.0.1 installation, CAS is automatically registered with the default WS MDS Index Service running in the same container for monitoring and discovery purposes.
| Note |
|---|---|
If you are using GT 4.0.0, we strongly recommend upgrading to 4.0.1 to take advantage of this capability. |
However, if must use GT 4.0.0, or if this registration was turned off and you want to turn it back on, this is how it is configured:
There is a jndi resource defined in $GLOBUS_LOCATION/etc/globus_cas_service/jndi-config.xml as follows :
<resource name="mdsConfiguration"
type="org.globus.wsrf.impl.servicegroup.client.MDSConfiguration">
<resourceParams>
<parameter>
<name>reg</name>
<value>true</value>
</parameter>
<parameter>
<name>factory</name>
<value>org.globus.wsrf.jndi.BeanFactory</value>
</parameter>
</resourceParams>
</resource>
To configure the automatic registration of CAS to the default WS MDS Index Service, change the value of the parameter
<reg> as follows:
trueturns on auto-registration; this is the default in GT 4.0.1.falseturns off auto-registration; this is the default in GT 4.0.0.
By default, the VoDescription resource property (which describes the virtual organization relevant to the CAS Service) is sent to the default Index Service.
You can configure which resource properties are sent in the registration.xml file, $GLOBUS_LOCATION/etc/globus_cas_service/registration.xml.
The following is the relevant section of the file:
<Content xsi:type="agg:AggregatorContent"
xmlns:agg="http://mds.globus.org/aggregator/types">
<agg:AggregatorConfig xsi:type="agg:AggregatorConfig">
<agg:GetResourcePropertyPollType
xmlns:cas="http://www.globus.org/07/2004/cas">
<!-- Specifies that the index should refresh information
every 8 hours (28800000ms) -->
<agg:PollIntervalMillis>28800000</agg:PollIntervalMillis>
<!-- specifies that all Resource Properties should be
collected from the RFT factory -->
<agg:ResourcePropertyName>cas:VoDescription</agg:ResourcePropertyName>
</agg:GetResourcePropertyPollType>
</agg:AggregatorConfig>
<agg:AggregatorData/>
</Content>
If a third party needs to register an CAS service manually, see Registering with mds-servicegroup-add in the WS MDS Aggregator Framework documentation.
The CAS service is deployed as a part of a standard toolkit installation. Please refer to the System Administrator's Guide for details. Other than the steps described in the above guide, the following are needed to deploy the CAS service.
The CAS service can run with its own service specific credentials. Instructions for obtaining service credentials may be found here.
The standard administrator clients that come with the distribution by default use identity authorization to authorize the service they are running against (and expect that the CAS service has credentials that have the FQDN of the host the server is running on and the service name "cas" as part of DN). Command line options can be used to specify the identity of the CAS service, if the default identity is not used. The command in the above mentioned web page may be altered as follows to get credentials for the CAS server:
casadmin$ grid-cert-request -service cas -host FQDN
The certificate and private key are typically placed in /etc/grid-security/cas-cert.pem and /etc/grid-security/cas-key.pem,
respectively. In this document the locations of certificate and key files are
referred to as CAS_CERT_FILE and CAS_KEY_FILE, respectively.
The subject name in these credentials is expected by CAS clients by default.
CAS uses a back end database to store all user data. This section briefly describes the installation of such a database and the creation of the database using the schema required by the CAS back end.
While any database with a JDBC driver and support for a reasonable set of SQL may be used, PostgreSQL has been used for development and testing. The driver for the same is included in the distribution. If a different database is used, the corresponding driver should be added to $GLOBUS_LOCATION/lib.
Brief instructions on how to install a database (specifically PostgreSQL) can be found here. For more detailed instructions, please refer to documentation for the database you are installing.
The schema for the database that needs to be created for CAS can be found
at $GLOBUS_LOCATION/etc/globus_cas_service/casDbSchema/cas_pgsql_database_schema.sql
To create a database, for example casDatabase, on a PostgreSQL installation on a local machine run the following commands:
casadmin$ createdb casDatabase casadmin$ psql -U casadmin -d casDatabase -f \ $GLOBUS_LOCATION/etc/globus_cas_service/casDbSchema/cas_pgsql_database_schema.sql
You will see a list of notices on the screen. Unless any of them say "ERROR", these are just informational output.
The CAS database needs to be initialized with data specific to CAS and information about a super user to allow bootstrapping of CAS operations. The command line script cas-server-bootstrap can be used to achieve this.
cas-server-bootstrap [<options>] -d <dbPropFile> [ -implicit | -b <bootstrapFile> ]
Table 2. Command line options
-help
| Prints the help message. |
-debug
| Runs the script with debug trace. |
-d
|
File name with database properties as follows: dbDriver=
|
-b
| This option populates the database with super user data and points to a file with data to use for bootstrapping the database with a trust anchor and user configuration. A template file for this can be found at $GLOBUS_LOCATION/share/globus_cas_service/bootstrapTemplate and a sample file can be found at $GLOBUS_LOCATION/share/globus_cas_service/bootstrapSample. |
-implicit
| Populates the database with: a) CAS server implicit data—this adds the CAS server itself as a CAS object and implicit service/actions like enrolling users, objects and so on; and b) service/action and namespace relevant to FTP like read, write and so on. |
Sample bootstrap command:
To bootstrap the CAS database with both implicit and user data the following command can be used. Prior to running the command, the following files need to be created with appropriate values filled in.
$GLOBUS_LOCATION/share/globus_cas_service/casDbPropertiesdbDriver=org.postgresql.Driver dbConnectionURL=jdbc:postgresql://127.0.0.1/casDatabase dbUsername=tester dbPassword=foobar
$GLOBUS_LOCATION/share/globus_cas_service/bootstrapProperties. The bootstrap command adds a trust anchor and user to the database using direct SQL commands. This file is used to store configuration information about the trust anchor and user to add. Comments in the sample file shown below describe each property.# A nick name for trust anchor to add. The nickname used only with in the CAS #database. If X509 certificates are are used, a trust anchor is a CA ta-name=defaultTrustAnchor #The authentication method used by this trust anchor. For example, X509 ta-authMethod=X509 # Authentication Data. If X509 is used, it is typically the DN of the CA. ta-authData=/C=US/O=Globus/CN=Default CA # A user nickname. This user is given super user priviledges in the CAS # database user-name=superUser # The user subject, if X509 is used it is the DN from the user's credential. #Please note format of the DN (slashes are used as seprator) user-subject=/O=Grid/O=Globus/OU=something/CN=someone # A user group to add this user to go. Any user is this group is given super # user priviledges. userGroupname=superUserGroup
Command to run:
casadmin$ cd $GLOBUS_LOCATION casadmin$ bin/cas-server-bootstrap \ -d share/globus_cas_service/casDbProperties \ -implicit -b \ share/globus_cas_service/bootstrapProperties
Once the database has been created the CAS service needs to be configured to use it as described here.
CAS has been tested to work without any additional setup when deployed into Tomcat. Please follow these basic instructions to deploy GT4 services into Tomcat. Note that the Java WS Core module needs to be built and configured as described in the previous sections.
CAS has two sets of tests, one for the back end database access module and another set to test the service itself. To install both tests, install the CAS test package (gt4-cas-delegation-test-3.9-src_bundle.tar.gz) using GPT. FILLME: instructions into GLOBUS_LOCATION.
Assumptions:
- A back end database has been set up and configured.
- The CAS service and tests are installed in $GLOBUS_LOCATION.
The sample commands assume:
- The container is started up on localhost and port 8443.
- The database username is tester.
- The database name is casDatabase.
- The database is on host foo.bar.edu and the default port.
Run:
cd $GLOBUS_LOCATION
Populate the file
etc/globus_cas_unit_test/casTestPropertieswith the following database configuration information:Table 3. Test database properties
dbDriver The JDBC driver to be used dbConnectionURL The JDBC connection url to be used to connect to the database dbUsername The user name to use when connecting to the database dbPassword The password corresponding to the user name The database needs to be empty for these tests to work and will be deleted by this target. Run:
ant -f share/globus_cas_unit_test/cas-test-build.xml testDatabase
- Test reports are placed in
$GLOBUS_LOCATION/share/globus_cas_unit_test/cas-test-reports.
| Important |
|---|---|
The database bootstrap needs to be done again for the server to be ready to receive client requests. |
These tests can be set up so as to be able to test multiple user scenarios or can be configured to run as just a single identity. A file with configuration information needs to be setup for the tests to pick up parameters.
There are two test targets in the service tests. The first set of tests should be run with a set of credentials, where the user is given super user permissions on the CAS server. These tests also set the permissions for another user to run the second set of tests, without super user permissions. The first user DN is configured as property "user1SubjectDN" and the second user is configured as property "user2SubjectDN".
The test can be simplified to use same credentials for both tests. In such a scenario, the DN of credential used to run the tests should be configured as "user1SubjectDN" and the property "user2SubjectDN" can be set to any string.
All the configuration information for the test needs to be configured in the etc/globus_cas_unit_test/casTestProperties file.
The database section of the properties file needs to be configured as described here. In addition the following properties need to be configured to run the tests:
Table 4. Test properties
| user1SubjectDN | The DN of the user running the first set of tests. |
| user2SubjectDN | The DN of the user running the second set of tests. This DN has to be different from the value specified for user1SubjectDN. Note: Both tests can be run as the same user as long as the DN of the certificate being used to run the tests matches the value specified in user1SubjectDN. In this case, the value of user2SubjectDN can be set to a arbitrary string. |
| maxAssertionLifetime | Should match the value set in the service configuration as shown in Configuration Information. |
| host | Host on which the CAS service is running. |
| port | Port on which the CAS service is running. |
| securityType | This is an optional parameter indicating the security type to use. Can be set to message for Secure Message or conversation for Secure Conversation or transport for Secure Transport (the default configuration). |
| protType | This is an optional parameter indicating the protection type to use. Can be set to signature for integrity protection (the default configuration) or encryption for privacy protection. |
| serverDN | This should be set to the DN of the certificate used by the CAS server. Note that the DN should have "/" as delimiter rather than "," |
Steps for testing:
Run:
cd $GLOBUS_LOCATION
Source
$GLOBUS_LOCATION/etc/globus-devel-env.shor$GLOBUS_LOCATION/etc/globus-devel-env.cshor$GLOBUS_LOCATION/etc/globus-devel-env.batas appropriate for your environment.In the test properties file, set
user2SubjectDNto the subject in your regular proxy. The following returns the appropriate string:casadmin$ java org.globus.tools.CertInfo -subject -globus
Generate an independent proxy using the following command:
casadmin$ java org.globus.tools.ProxyInit -independent
Set the identity in the proxy generated from the above step as user1SubjectDN in the test properties file. The following command will return the relevant string:
casadmin$ java org.globus.tools.ProxyInfo -subject -globus
- Start the container on the port and host configured in Table 4, “Test properties”.
The following command runs the tests for self permissions and sets up the database for a user with subjectDN user2SubjectDN:
casadmin$ ant -f share/globus_cas_unit_test/cas-test-build.xml user1TestService
To test as the second user, generate a proxy for the subject DN specified for the second user:
casadmin$ java org.globus.tools.ProxyInit
The database needs to be empty for these tests to work and this target deletes all entries in database. Then run the following:
casadmin$ ant -f share/globus_cas_unit_test/cas-test-build.xml user2TestService
- Test reports are placed in
$GLOBUS_LOCATION/share/globus_cas_unit_test/cas-test-reports. After these tests, the CAS database needs to be reset. The following command will delete all entries from the database:
casadmin$ psql -U casadmin -d casDatabase -f $GLOBUS_LOCATION/etc/globus_cas_utils/database_delete.sql
| Important |
|---|---|
The database bootstrap needs to be done again for the server to be ready to receive client requests. |
The following contains an example of administering the CAS server policies using the CAS administrative clients described. FILLME: add link to admin command line when its done.
Alice, Bob and Carol are three members of a community who have set up a Community Authorization Service:
- Alice's role is primarily to administer the CAS server.
- Bob is an analyst who needs read access to much of the community data.
- Carol is a scientist who needs to be able to both read and write community data.
These examples show how:
- Alice adds the users Bob and Carol to the CAS server.
- Alice adds a FTP server with some data available to the community.
- Alice adds permissions for the users using the CAS administration clients.
These examples assume the following:
- Alice has installed the CAS server and bootstrapped the database with herself as super user. Please refer to previous chapters in this guide for details on setting up the server and bootstrapping with data.
- Alice's nickname on the CAS server is alice and at bootstrap she has created a user group, suGroup, which has super user permissions on the database.
- The CAS service URL is http://localhost:8080/wsrf/services/CASService.
- For all commands listed below the environment variable $GLOBUS_LOCATION has been set to point to the Globus Toolkit installation and the commands are run from $GLOBUS_LOCATION.
- The environment variable CAS_SERVER_URL has been set to point to the CAS server URL, http://localhost:8080/wsrf/services/CASService.
Since at the time of booting up the CAS server only the user group that has super user permissions on the CAS server is created, Alice will want to create another user group to which new users can be added and to which permissions on newly enrolled CAS entities may be given. This also eases the process of giving the same rights to many users. Given that there are two types of roles in the community she might want to create two groups, analysts and scientists.
Also, all permissions on the newly created group will be given to users of a particular user group. For example, Alice may want all users of the user group analysts to be able to manipulate the group.
To create a new user group Alice uses the cas-group-admin client. It requires a name for the new group being created, say analysts.
alice% cas-group-admin user create analysts analysts
This will create a user group analysts and give all users in that group the permission to manage the group (i.e add users, remove users and so on). She can similarly create a group called scientists.
Prior to adding Bob and Carol to the CAS server, Alice needs to ensure that the trust anchors for both have been added. If they share the trust anchor with Alice then this step can be skipped, since at bootstrap Alice's trust anchor would have been added to the database.
In our example Alice and Carol share a trust anchor different from Bob's. Therefore, Alice needs to add Bob's trust anchor by using the cas-enroll client with the trustAnchor option. She needs to provide details about the trust anchor such as the authentication method and authentication data used.
alice% cas-enroll trustAnchor analysts AbcTrust X509 "/C=US/O=some/CN=ABC CA"
The above will enroll a trust anchor with nickname AbcTrust that uses X509 as its authentication method and has the DN specified in the command. The members of the analysts user group are given all rights on this object. This implies that any user who has this trust anchor is assumed to present credentials signed by this trust anchor.
Now Alice can add Bob and Carol as users using the cas-enroll command with the user option. She needs to provide the user's subject DN and a reference to the trust anchor used by the user. As with any entity added to the CAS server, the admin needs to choose a user group whose members will have all permissions on that entity. In this example, Alice would like the members of the user group suUser to be able to manipulate the user entity Bob.
alice% cas-enroll user suUser bob "/O=Our Community/CN=Bob Foo" AbcTrust
Alice uses a similar command to add Carol to the CAS database.
The CAS server allows rights to be assigned only to user groups and not to individual users. Hence, before Alice can assign rights to Bob or Carol, she needs to add them to some user group. She does this by using the cas-group-add-entry client with the user option to indicate she is adding to a user group. This client requires the group name and the nickname of the user who needs to be added. To add Bob to the analysts group, the command would be:
alice% cas-group-add-entry user analysts bob
If a user group scientists was created, Carol could similarly be added as a member.
Alice now has the community users in the database. The next step is to add some resources. Because the community currently has the FTP server foo.bar.edu available to it she will add it to the CAS database.
Each resource or object in the CAS server has a namespace associated with it that defines certain features. For example, it can define the comparison algorithm that is to be used when the object's name is compared. It may also define the base URL that should be prefixed to objects that belong to this namespace. In this case, Alice chooses to use the FTPDirectoryTree namespace that is added to the CAS server at startup. She uses the cas-enroll client with the object option to add the FTP server to the CAS database:
alice% cas-enroll object suGroup ftp://foo.bar.edu/* FTPDirectoryTree
This command adds the FTP server as an object and gives all members of the suGroup rights to manipulate the object.
To be able to grant/revoke access on an individual directory, add an object for the directory. For example, if Alice would like to be able to manipulate the data directory on the server as a separate entity, the following command will add an object for that.
alice% cas-enroll object suGroup ftp://foo.bar.edu/data/* FTPDirectoryTree
Alice suspects that the community will end up with more directories containing data on other servers that will have polices identical with the ones on the /data directory on foo.bar.edu. To manage this she is going to create an object group called data and assign foo.bar.edu/data to this group. This will allow her to grant rights on this group and easily add other directories to this group later.
To create a group called data, she uses the cas-group-admin client with the group and create options:
alice% cas-group-admin object create suGroup data
This creates an object group called data and the members of suGroup get all rights on this group and hence should be able to add/remove members, grant rights to add/delete from this group to others and also delete this group.
Alice now can add foo.bar.edu/data to the data group. She can do this by using the cas-group-add-entry with the object option. To add the above object, ftp://foo.bar.edu/data/* in the namespace FooFTPNamespace, to the object group data Alice uses the following command:
alice% cas-group-add-entry object data object FooFTPNamespace ftp://foo.bar.edu/data/*
In the above command:
- the first object refers to the group type.
- data is the name of the object group.
- the second object refers to the type of CAS entity that is being added as a member.
- the last two parameters define the namespace and the object that needs to be added.
Alice now needs to add information about the kinds of rights that can be granted for these objects. These are stored as service types and relevant actions are mapped to these service types.
In this scenario, the kind of service types that Alice should add would be file, directory and so on. To do so the cas-enroll client with the serviceType option may be used. To add a service type called file and give members of suGroup all rights on this service type Alice uses the following command.
alice% cas-enroll serviceType suGroup file
The relevant action mappings to the above mentioned service types would be read, write and so on. Alice needs to add these mappings to the database so that she can grant rights that allow a user to have file/read or file/write permissions on some object.
To add action mappings to a service type, she uses the cas-action client
with the add option. The following command adds a mapping of action read to
service type file.
alice% cas-action add file add
Similarly, she can add other mappings, like write, to this service type.
Alice now has resources in the object group data and users in the user groups analysts and scientists. She now wants to grant permissions on the data group to the analysts and scientists, namely read permissions to the analysts and read and write permissions to the scientists.
To grant permissions Alice needs to use the cas-rights-admin with
the grant option. To give read permissions to the analysts group Alice
runs:
alice% cas-rights-admin grant analysts objectGroup data serviceAction file read
She similarly grants rights to scientists group.
- The database username/password is stored in the service configuration file and the test properties file. Ensure correct permissions to protect the information.
If the CAS service fails with following error:
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: org.apache.commons.dbcp.DbcpException: Connection
refused. Check t hat the hostname and port are correct and that the
postmaster is accepting TCP/I P connections.- Ensure the database properties (connectionURL, userName, password) in $GLOBUS_LOCATION/globus_cas_service/jndi-config.xml are correct.
- Ensure that the database is set up with permission to receive TCP/IP connections.
The following are some common problems that may cause clients or servers to report that credentials are invalid:
Use grid-proxy-info to check whether the proxy credential has actually expired. If it has, generate a new proxy with grid-proxy-init.
This may cause the server or client to conclude that a credential has expired.
8.2.3. Your end-user certificate may have expired
Use grid-cert-info to check your certificate's expiration date. If it has expired, follow your CA's procedures to get a new one.
If the permissions on your proxy file are too lax (for example, if others can read your proxy file), Globus Toolkit clients will not use that file to authenticate. You can "fix" this problem by changing the permissions on the file or by destroying it (with grid-proxy-destroy) and creating a new one (with grid-proxy-init). However, it is still possible that someone else has made a copy of that file during the time that the permissions were wrong. In that case, they will be able to impersonate you until the proxy file expires or your permissions or end-user certificate are revoked, whichever happens first.
If the permissions on your end user certificate private key file are too lax (for example, if others can read the file), grid-proxy-init will refuse to create a proxy certificate. You can "fix" this by changing the permissions on the private key file; however, you will still have a much more serious problem: it's possible that someone has made a copy of your private key file. Although this file is encrypted, it is possible that someone will be able to decrypt the private key, at which point they will be able to impersonate you as long as your end user certificate is valid. You should contact your CA to have your end-user certificate revoked and get a new one.
Verify that the remote system is configured to trust the CA that issued your end-entity certificate. See the Administrator's Guide for details.
Verify that your system is configured to trust the remote CA (or that your environment is set up to trust the remote CA). See the Administrator's Guide for details.
It is sometimes difficult to distinguish between errors reported by the remote service regarding your credentials and errors reported by the client interface regarding the remote service's credentials. If you can't find anything wrong with your credentials, check for the same conditions (or ask a remote administrator to do so) on the remote system.
openssl verify -CApath /etc/grid-security/certificates -purpose sslclient ~/.globus/usercert.pem
openssl s_client -ssl3 -cert ~/.globus/usercert.pem -key ~/.globus/userkey.pem -CApath /etc/grid-security/certificates -connect <host:port>
Here <host:port> denotes the server and port you connect to.
If it prints an error and puts you back at the command prompt, then it typically means that the server has closed the connection, i.e. that the server was not happy with the client's certificate and verification. Check the SSL log on the server.
If the command "hangs" then it has actually opened a telnet style (but secure) socket, and you can "talk" to the server.
You should be able to scroll up and see the subject names of the server's verification chain:
depth=2 /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
verify return:1
depth=1 /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
verify return:1
depth=0 /DC=org/DC=doegrids/OU=Services/CN=wiggum.mcs.anl.gov
verify return:1
In this case there were no errors. Errors would give you an extra line next to the subject name of the certificate that caused the error