[Planetlab-users] Questions on SFA configuration -- ConnectionKeyGIDMismatch
Liu, Xuan (UMKC-Student)
xuan.liu at mail.umkc.edu
Mon Jan 24 11:52:14 EST 2011
Hi Xuan,
No problem. The issue you were having is actually pretty common, I should have thought of it sooner. Feel free to contact me with any further questions.
Regards,
Tony
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Sent: Saturday, January 22, 2011 11:47:25 AM
Subject: RE: Questions on SFA configuration
Hi Tony,
Thanks for helping me with troubleshooting. It did help a lot! Now it works! I didn't realize that multiple keys under one account was an issue. I added them a long time ago.
I will go ahead and configure it so that we can create a topology via the sfi tool. I might have more questions on the federation part later.
Thanks for your kind help and support.
Xuan Liu
Department of Computer Science & Electrical Engineering
University of Missouri - Kansas city
xl9f2 at mail.umkc.edu
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Friday, January 21, 2011 7:18 PM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
I created my account and was able to make the following calls:
$ ./sfi.py -v list plc.gpeni
INFO Contacting Registry at: http://myvini-test.umkc.gpeni.net:12345/
INFO Connecting to xmlrpcserver at http://myvini-test.umkc.gpeni.net:12345/ (with verbose=False)
INFO Contacting Slice Manager at: http://myvini-test.umkc.gpeni.net:12345/
INFO Connecting to xmlrpcserver at http://myvini-test.umkc.gpeni.net:12345/ (with verbose=False)
INFO Command=list
INFO Calling xml-rpc method:List
plc.gpeni.umkc (authority)
plc.gpeni.ku (authority)
plc.gpeni.unl (authority)
plc.gpeni.ksu (authority)
plc.gpeni.gpeni (authority)
I took a look at your account and I think I know what the problem is. You have multiple public keys under your MyVINI account:
>>> GetPersons('xl9f2 at umkc.edu', ['email', 'key_ids'])
[{'key_ids': [1, 4, 5, 9, 10], 'email': u'xl9f2 at umkc.edu'}]
The GID in your SFA account only contains 1 certificate, which is generated from only 1 of your MyVINI public keys. The certificate used by your client is probably not the same as the certificate in your GID because sfa-import-plc.py chose to generate your cert from the first public key it found in your MyPLC account and that's not the cert your client is configured to use. The only way around this is to have only 1 public key in your MyVINI account and make sure your SFI is configured to use the appropriate private key.
Let me know if this helps.
Tony
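The diagnosis above (several public keys on the account, the GID built from the first one found) can be checked before re-running sfa-import-plc.py. The following is an added example, not part of the original thread and not SFA code: it parses OpenSSH ssh-rsa public key lines with the Python standard library and reports which account key matches the client's key. The function names and the toy moduli are hypothetical, the "first key wins" rule is taken from the description above, and the key IDs are the ones shown in the GetPersons output.

```python
import base64
import hashlib
import struct


def _field(blob, off):
    """Read one length-prefixed field (RFC 4251 string/mpint) from a key blob."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def parse_ssh_rsa(line):
    """Return (e, n, blob) for an 'ssh-rsa <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    key_type, off = _field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob is not ssh-rsa")
    e_raw, off = _field(blob, off)
    n_raw, off = _field(blob, off)
    if off != len(blob):
        raise ValueError("trailing data in key blob")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big"), blob


def fingerprint(line):
    """SHA256 fingerprint of the key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(parse_ssh_rsa(line)[2]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_account(account_keys, client_pubkey):
    """account_keys: [(key_id, pubkey_line), ...] in the order the account lists them.

    Assumption (from the thread): the import builds the GID from the first key.
    Keys are compared by (e, n), so differing comments do not matter.
    """
    client = parse_ssh_rsa(client_pubkey)[:2]
    matching, unparseable = [], []
    for key_id, line in account_keys:
        try:
            if parse_ssh_rsa(line)[:2] == client:
                matching.append(key_id)
        except ValueError as exc:
            unparseable.append((key_id, str(exc)))
    first_id = account_keys[0][0] if account_keys else None
    return {
        "imported_key_id": first_id,
        "matching_key_ids": matching,
        "client_key_on_account": bool(matching),
        "will_mismatch": first_id not in matching,
        "remove_key_ids": [k for k, _ in account_keys if k not in matching],
        "unparseable": unparseable,
    }


# ---- constructed sample data (toy moduli, not usable RSA keys) ----
def _mpint(value):
    # Extra leading zero byte when the top bit is set keeps the mpint positive.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def make_sample_key(n, comment, e=65537):
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


# Key IDs as listed in the GetPersons output; moduli are made up.
MODULI = {kid: (1 << 255) + 0x1001 * kid for kid in (1, 4, 5, 9, 10)}
ACCOUNT_KEYS = [(kid, make_sample_key(MODULI[kid], "uploaded-key-%d" % kid))
                for kid in sorted(MODULI)]
# The client's key pair corresponds to key 9 here, under a different comment.
CLIENT_PUBKEY = make_sample_key(MODULI[9], "sfi-client")

if __name__ == "__main__":
    report = check_account(ACCOUNT_KEYS, CLIENT_PUBKEY)
    print("client key fingerprint:", fingerprint(CLIENT_PUBKEY))
    for name in sorted(report):
        print("%-22s %s" % (name, report[name]))
```

With the sample data the import would pick key 1 while the client holds key 9, so the report flags a mismatch and lists keys 1, 4, 5 and 10 for removal before re-importing.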
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Sent: Friday, January 21, 2011 3:28:22 PM
Subject: RE: Questions on SFA configuration
Hi Tony,
If you are going to create an account, please choose 'umkc' as your site.
Thanks,
Xuan
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Friday, January 21, 2011 11:57 AM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
This is a strange issue and leads me to believe there are issues with your server's disk. Let me know if there is anything I can do to help you troubleshoot.
Regards,
Tony
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Sent: Friday, January 21, 2011 2:14:36 AM
Subject: RE: Questions on SFA configuration
Hi Tony,
Our MyVINI server is a guest system on the host system running CentOS 5.4. The MyVINI server itself is running Fedora 8.
[myvini7] ~ # uname -a
Linux myvini-test.umkc.gpeni.net 2.6.22.19-vs2.3.0.34.1 #1 SMP Mon Mar 17 05:32:04 EDT 2008 i686 i686 i386 GNU/Linux
Initially, we installed myplc 4.3-rc9 due to some compatibility issue; now I have upgraded it to myplc-4.3-rc18 and then upgraded it to myplc 5.0. The version of sfa I installed is as follows:
[myvini7] ~ # rpm -q sfa
sfa-1.0-11.planetlab
[myvini7] ~ # rpm -q sfa-plc
sfa-plc-1.0-11.planetlab
[myvini7] ~ # rpm -q sfa-sfatables
sfa-sfatables-1.0-11.planetlab
[myvini7] ~ #
[Xuan at localhost .sfi]$ rpm -q sfa-client
sfa-client-1.0-11.planetlab
Here is what I got from your suggestion:
[myvini7] /tmp # ls
plc.gpeni.umkc.xl9f2.gid secring.gpg xl9f2.cert
[myvini7] /tmp # python
Python 2.5.1 (r251:54863, Jul 10 2008, 17:24:48)
[GCC 4.1.2 20070925 (Red Hat 4.1.2-33)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from sfa.trust.certificate import *
>>> from sfa.trust.gid import *
>>> gid = GID(filename='plc.gpeni.umkc.xl9f2.gid')
>>> cert =Certificate(filename='x19f2.cert')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.5/site-packages/sfa/trust/certificate.py", line 286, in __init__
self.load_from_file(filename)
File "/usr/lib/python2.5/site-packages/sfa/trust/certificate.py", line 348, in load_from_file
file = open(filename)
IOError: [Errno 2] No such file or directory: 'x19f2.cert'
>>> cert.is_pubkey(gid.get_pubkey())
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
NameError: name 'cert' is not defined
I got an IOError when I ran "cert =Certificate(filename='x19f2.cert')". Although the file xl9f2.cert is in /tmp/, it is still saying No such file or directory.
If I run command ls -al, it shows:
[myvini7] /tmp # ls -al
total 16
drwxrwxrwt 2 root root 140 2011-01-21 00:50 .
drwxr-xr-x 23 root root 4096 2010-11-01 20:17 ..
-rw-r--r-- 1 root root 2341 2011-01-21 00:04 plc.gpeni.umkc.xl9f2.gid
-rw------- 1 apache apache 0 2011-01-20 11:42 secring.gpg
srwxrwxrwx 1 postgres postgres 0 2011-01-21 00:19 .s.PGSQL.5432
-rw------- 1 postgres postgres 26 2011-01-21 00:19 .s.PGSQL.5432.lock
-rw-r--r-- 1 root root 993 2011-01-21 00:04 xl9f2.cert
This reminds me of another error I saw in sfa.daemon under /var/log/:
server's public key not found in /var/lib/sfa/authorities/plc/gpeni/gpeni.pkey
generating a random server key pair
Traceback (most recent call last):
File "/usr/bin/sfa-server.py", line 209, in <module>
main()
File "/usr/bin/sfa-server.py", line 182, in main
init_server_key(server_key_file, server_cert_file, config, hierarchy)
File "/usr/bin/sfa-server.py", line 86, in init_server_key
key.save_to_file(server_key_file)
File "/usr/lib/python2.5/site-packages/sfa/trust/certificate.py", line 101, in save_to_file
open(filename, 'w').write(self.as_pem())
IOError: [Errno 2] No such file or directory: '/var/lib/sfa/authorities/server.key'
But the file exists there:
[myvini7] /var/lib/sfa/authorities/plc/gpeni # ls -al
total 40
.............
drwxr-xr-x 2 root root 4096 2011-01-20 12:21 gpeni
-rw-r--r-- 1 root root 147 2011-01-20 12:21 gpeni.dbinfo
-rw-r--r-- 1 root root 753 2011-01-20 12:21 gpeni.gid
-rw-r--r-- 1 root root 887 2011-01-20 12:21 gpeni.pkey
...........
[myvini7] /var/lib/sfa/authorities # ls -al
total 20
.........
-rw-r--r-- 1 root root 753 2011-01-20 12:21 server.cert
-rw-r--r-- 1 root root 887 2011-01-20 12:21 server.key
I'm not sure if the IOError might be an issue in my case.
Thanks a lot!
Xuan Liu
Department of Computer Science & Electrical Engineering
University of Missouri - Kansas city
xl9f2 at mail.umkc.edu
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Thursday, January 20, 2011 6:02 PM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
Yes, our servers were moved to a new rack this morning so many PlanetLab services were offline until 12pm today. The URL should be available now.
Btw, I'm still trying to determine the cause of your error. The error you are getting usually occurs when the client's certificate doesn't match the certificate in the GID of your Registry record. We can manually verify this by doing the following:
# copy your user certificate onto your SFA server
$ scp ~/.sfi/xl9f2.cert USER@SFA_SERVER_HOST:/tmp/
# Go to your SFA server and export the GID for your user record
$ ssh USER@SFA_SERVER_HOST
$ cd /tmp/
$ sfa-ca.py --export plc.gpeni.umkc.xl9f2
# go into the python interactive shell and execute the following commands
$ python
>>> from sfa.trust.certificate import *
>>> from sfa.trust.gid import *
>>> gid = GID(filename='plc.gpeni.umkc.xl9f2.gid')
>>> cert = Certificate(filename='xl9f2.cert')
>>> cert.is_pubkey(gid.get_pubkey())
The last command should return True. If it returns False then your client's certificate is not in sync with the GID in your registry record. This means the public key in your MyVINI account was not generated by the private key used by your SFI client.
Let me know what your results are.
Regards,
Tony
Which version of SFA are you running btw?
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "tmack at cs.princeton.edu" <tmack at CS.Princeton.EDU>
Sent: Thursday, January 20, 2011 4:35:06 PM
Subject: RE: Questions on SFA configuration
Hi Tony,
I just found that the URL: http://build.planet-lab.org/planetlab/f8/pl-f8-i386-4.3-k22-latest/RPMS/ is not available now. Are planetlab developers updating the repository?
Thanks,
Xuan
From: tmack at cs.princeton.edu [tmack at CS.Princeton.EDU]
Sent: Thursday, January 20, 2011 11:41 AM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Are there any errors in your sfa_import.log ?
----- Reply message -----
From: "Liu, Xuan (UMKC-Student)" <xuan.liu at mail.umkc.edu>
Date: Thu, Jan 20, 2011 12:18 pm
Subject: Questions on SFA configuration
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Hi Tony,
I tried these steps, but I'm still getting the same error.
Thanks,
Xuan
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Thursday, January 20, 2011 9:12 AM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
Can you try taking the following steps and let me know how it goes.
1. Remove Registry records
$ sfa-nuke-plc.py
2. Remove cached Registry keys
$ rm -Rf /var/lib/sfa/*
3. Remove stale trusted cert
$ rm /etc/sfa/trusted_roots/gpeni.gid
4. Re-import Registry records
$ sfa-import-plc.py
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Sent: Thursday, January 20, 2011 2:09:33 AM
Subject: RE: Questions on SFA configuration
Hi Tony,
I have installed sfa all over again. This time I first upgraded myplc to myplc 4.3-rc18, and then jumped to myplc-5.0.
When I configured the sfa server, I noticed that one document from the GEC9 tutorial (http://groups.geni.net/geni/wiki/GeniApiInstallationMyPlc#InstallSFA) says:
"SFA_INTERFACE_HRN: This should be 'plc.gpotest'. In general it is plc.X where X is your PLC slice prefix from above "
In our myplc configuration, the PLC_SLICE_PREFIX is gpeni, so this time in sfa-config-tty I set
SFA_INTERFACE_HRN : plc.gpeni
SFA_REGISTRY_ROOT_AUTH: plc
....
According to this, I modified my sfi_config:
SFI_AUTH="plc.gpeni.umkc"
SFI_USER="plc.gpeni.umkc.xl9f2"
....
However, I'm still getting the same error that "sfa.util.xmlrpcprotocol.ServerException: : GetSelfCredential: Connection Key GID mismatch: plc.gpeni.umkc.xl9f2"
Here is what I found in /var/log/sfa.log
2011-01-20 00:36:49,984 - ERROR - Method GetSelfCredential raised an exception BEG TRACEBACK
Traceback (most recent call last):
File "/usr/lib/python2.5/site-packages/sfa/util/method.py", line 90, in __call__
result = self.call(*args, **kwds)
File "/usr/lib/python2.5/site-packages/sfa/methods/GetSelfCredential.py", line 75, in call
raise ConnectionKeyGIDMismatch(gid.get_subject())
ConnectionKeyGIDMismatch: u'plc.gpeni.umkc.xl9f2'
2011-01-20 00:36:49,984 - ERROR - Method GetSelfCredential raised an exception END TRACEBACK
More information in /var/log/sfa.daemon
server's public key not found in /var/lib/sfa/authorities/plc/gpeni/gpeni.pkey
generating a random server key pair
Traceback (most recent call last):
File "/usr/bin/sfa-server.py", line 209, in <module>
main()
File "/usr/bin/sfa-server.py", line 182, in main
init_server_key(server_key_file, server_cert_file, config, hierarchy)
File "/usr/bin/sfa-server.py", line 86, in init_server_key
key.save_to_file(server_key_file)
File "/usr/lib/python2.5/site-packages/sfa/trust/certificate.py", line 101, in save_to_file
open(filename, 'w').write(self.as_pem())
IOError: [Errno 2] No such file or directory: '/var/lib/sfa/authorities/server.key'
I checked the directories: the files are there, respectively
[myvini7] /var/lib/sfa/authorities # ls
plc server.cert server.key
[myvini7] /var/lib/sfa/authorities # cd plc/
[myvini7] /var/lib/sfa/authorities/plc # ls
gpeni plc.dbinfo plc.gid plc.pkey
[myvini7] /var/lib/sfa/authorities/plc # cd gpeni/
[myvini7] /var/lib/sfa/authorities/plc/gpeni # ls
gpeni gpeni.dbinfo gpeni.gid gpeni.pkey ksu ku umkc unl
On the sfa-client side:
my sfi_config file is:
[Xuan at localhost .sfi]$ vi sfi_config
SFI_AUTH='plc.gpeni.umkc'
SFI_USER='plc.gpeni.umkc.xl9f2'
SFI_REGISTRY='https://myvini-test.umkc.gpeni.net:12345/'
SFI_SM='https://myvini-test.umkc.gpeni.net:12347/'
Following is the error I got by running sfi.py -v list plc.gpeni.umkc
[Xuan at localhost .sfi]$ rm xl9f2.cert
[Xuan at localhost .sfi]$ sfi.py -v list plc.gpeni.umkc
INFO Writing self-signed certificate to /home/Xuan/.sfi/xl9f2.cert
INFO Contacting Registry at: https://myvini-test.umkc.gpeni.net:12345/
INFO Connecting to xmlrpcserver at https://myvini-test.umkc.gpeni.net:12345/ (with verbose=False)
INFO Contacting Slice Manager at: https://myvini-test.umkc.gpeni.net:12347/
INFO Connecting to xmlrpcserver at https://myvini-test.umkc.gpeni.net:12347/ (with verbose=False)
INFO Command=list
INFO Calling xml-rpc method:GetSelfCredential
Traceback (most recent call last):
File "/usr/bin/sfi.py", line 1014, in <module>
Sfi().main()
File "/usr/bin/sfi.py", line 1006, in main
self.dispatch(command, cmd_opts, cmd_args)
File "/usr/bin/sfi.py", line 556, in dispatch
return getattr(self, command)(cmd_opts, cmd_args)
File "/usr/bin/sfi.py", line 564, in list
user_cred = self.get_user_cred().save_to_string(save_parents=True)
File "/usr/bin/sfi.py", line 434, in get_user_cred
return self.get_cred(file, 'user', self.user)
File "/usr/bin/sfi.py", line 457, in get_cred
cred_str = self.registry.GetSelfCredential(cert_string, hrn, "user")
File "/usr/lib/python2.5/xmlrpclib.py", line 1150, in __call__
return self.__send(self.__name, args)
File "/usr/lib/python2.5/xmlrpclib.py", line 1440, in __request
verbose=self.__verbose
File "/usr/lib/python2.5/xmlrpclib.py", line 1204, in request
return self._parse_response(h.getfile(), sock)
File "/usr/lib/python2.5/xmlrpclib.py", line 1343, in _parse_response
return u.close()
File "/usr/lib/python2.5/site-packages/sfa/util/xmlrpcprotocol.py", line 21, in close
raise ServerException(e.faultString)
sfa.util.xmlrpcprotocol.ServerException: : GetSelfCredential: Connection Key GID mismatch: plc.gpeni.umkc.xl9f2
I really appreciate your help.
Thanks,
Xuan Liu
Department of Computer Science & Electrical Engineering
University of Missouri - Kansas city
xl9f2 at mail.umkc.edu
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Wednesday, January 19, 2011 2:22 PM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
That document accurately describes the process.
Regards,
Tony
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Sent: Wednesday, January 19, 2011 3:06:07 PM
Subject: RE: Questions on SFA configuration
Hi Tony,
Here is the link where I referred about database migration.
https://svn.planet-lab.org/wiki/Migration43to50
Xuan
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Wednesday, January 19, 2011 1:36 PM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
No problem.
PlanetLab and VINI are currently running MyPLC 4.3 rc18 (although we plan to upgrade to the latest 5.0 rc very soon). That being said, SFA is supported under 4.3 and 5.0 so we should be able to get your SFA working no matter which versions you end up choosing.
Regarding the upgrade issues you were having: I'm not sure this is documented anywhere, but you cannot directly upgrade to MyPLC 5.0 from an old 4.3 rc. You have to upgrade to the latest 4.3 rc (rc18) before upgrading to 5.0. So now that you are upgraded to rc18 you should be able to make the jump to a 5.0 rc. Hope this helps.
Keep me posted.
Regards,
Tony
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Sent: Wednesday, January 19, 2011 2:17:48 PM
Subject: RE: Questions on SFA configuration
Hi Tony,
Thanks for your help yesterday. I messed up the server somehow yesterday, so I plan to re-install it all over again.
I still suspect there are some issues on the server side. The other thing that might be considered is that our original myvini server stays with the myplc-rc9 version due to a previous compatibility issue.
When I installed sfa on that, I replaced the baseurl with http://build.planet-lab.org/planetlab/f8/pl-f8-i386-4.3-k22-latest/RPMS/, which points to the myplc-5.0 version.
I'm not quite sure if there might be some compatibility issue when I upgrade myplc-rc9 directly to myplc 5.0. The only problem I had was the database migration. I manually ran the command:
# curl -O http://svn.planet-lab.org/svn/PLCAPI/tags/PLCAPI-4.3-31/migrations/001-up-site-and-person-tags.sql
# psql -U pgsqluser -f 001-up-site-and-person-tags.sql planetlab5
I have checked the public vini, which is running the myplc-rc18 version. So I plan to upgrade to myplc-rc18 instead this time, and try to configure everything again.
After I ran yum update to upgrade myplc to rc18, I don't have the database migration problem I had before.
I would check the /var/log/sfa.log to see if there are anything reported, and I will let you know.
Thank you very much for your kind help!
Xuan Liu
Department of Computer Science & Electrical Engineering
University of Missouri - Kansas city
xl9f2 at mail.umkc.edu
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Wednesday, January 19, 2011 1:02 PM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
Hrm, not sure why you are getting that error. Your client configuration looks good. Can you check /var/log/sfa.log and see if there is anything reported when you make requests? You should either see your request logged or a stack trace from the exception that's generated.
Regards,
Tony
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Sent: Tuesday, January 18, 2011 6:22:48 PM
Subject: RE: Questions on SFA configuration
Hi Tony,
Thanks for explaining how sfa-ca.py works.
Please discard my previous email. I tested my planetlab account again to make sure it worked. When I changed sfi_config back for the gpeni server, I forgot to change my user account back to the gpeni user account in SFI_USER.
I did what you suggested in your previous email and ran sfa-import-plc.py again, and this time I got
(Here umkc is one site of gpeni network.)
[Xuan at localhost .sfi]$ sfi.py list gpeni.umkc
Traceback (most recent call last):
File "/usr/bin/sfi.py", line 1014, in <module>
Sfi().main()
File "/usr/bin/sfi.py", line 1006, in main
self.dispatch(command, cmd_opts, cmd_args)
File "/usr/bin/sfi.py", line 556, in dispatch
return getattr(self, command)(cmd_opts, cmd_args)
File "/usr/bin/sfi.py", line 564, in list
user_cred = self.get_user_cred().save_to_string(save_parents=True)
File "/usr/bin/sfi.py", line 434, in get_user_cred
return self.get_cred(file, 'user', self.user)
File "/usr/bin/sfi.py", line 457, in get_cred
cred_str = self.registry.GetSelfCredential(cert_string, hrn, "user")
File "/usr/lib/python2.5/xmlrpclib.py", line 1150, in __call__
return self.__send(self.__name, args)
File "/usr/lib/python2.5/xmlrpclib.py", line 1440, in __request
verbose=self.__verbose
File "/usr/lib/python2.5/xmlrpclib.py", line 1194, in request
headers
xmlrpclib.ProtocolError: <ProtocolError for myvini-test.umkc.gpeni.net:12345/: -1 >
My configuration is
SFI_AUTH='gpeni.umkc'
SFI_USER='gpeni.umkc.xl9f2'
SFI_REGISTRY='https://myvini-test.umkc.gpeni.net:12345/'
SFI_SM='https://myvini-test.umkc.gpeni.net:12347/'
Thanks a lot!
Xuan Liu
Department of Computer Science & Electrical Engineering
University of Missouri - Kansas city
xl9f2 at mail.umkc.edu
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Tuesday, January 18, 2011 4:52 PM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
Your certificate (gpeni.gid) is already self signed so there is no need to sign it again using sfa-ca.py. You do not have to perform this step for your setup. You would only use sfa-ca.py if you wanted to sign the cert of another authority.
Aside from this, it looks like your error is related to a misconfiguration somewhere. The command you are executing:
$ sfi.py list gpeni.umkc
is attempting to look up the records under gpeni.umkc. But your error states that you don't have access to plc.
sfa.util.xmlrpcprotocol.ServerException: : List: Insufficient rights: Access denied: <class 'sfa.util.faults.CertMissingParent'> -- u'plc'
It seems your client is configured to talk to plc's SFA interface, but since your cert isn't signed by plc you are getting access denied. Can you verify that your ~/.sfi/sfi_config is configured to talk to your MyVINI SFA interface?
Regards,
Tony
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Sent: Tuesday, January 18, 2011 5:34:09 PM
Subject: RE: Questions on SFA configuration
Hi Tony,
Thanks for your help. I think I figured out where I went wrong. I was running the command:
sfa-ca.py --sign gpeni.gid -o signed-gpeni.gid
I think I should give the same name as gpeni.gid when I run --sign, so I ran it again:
sfa-ca.py --sign gpeni.gid -o gpeni.gid
When I run sfi.py --list gpeni.umkc, the old error is gone, but I have a new error as follows:
[Xuan at localhost .sfi]$ sfi.py list gpeni.umkc
Traceback (most recent call last):
File "/usr/bin/sfi.py", line 1014, in <module>
Sfi().main()
File "/usr/bin/sfi.py", line 1006, in main
self.dispatch(command, cmd_opts, cmd_args)
File "/usr/bin/sfi.py", line 556, in dispatch
return getattr(self, command)(cmd_opts, cmd_args)
File "/usr/bin/sfi.py", line 566, in list
list = self.registry.List(hrn, user_cred)
File "/usr/lib/python2.5/xmlrpclib.py", line 1150, in __call__
return self.__send(self.__name, args)
File "/usr/lib/python2.5/xmlrpclib.py", line 1440, in __request
verbose=self.__verbose
File "/usr/lib/python2.5/xmlrpclib.py", line 1204, in request
return self._parse_response(h.getfile(), sock)
File "/usr/lib/python2.5/xmlrpclib.py", line 1343, in _parse_response
return u.close()
File "/usr/lib/python2.5/site-packages/sfa/util/xmlrpcprotocol.py", line 21, in close
raise ServerException(e.faultString)
sfa.util.xmlrpcprotocol.ServerException: : List: Insufficient rights: Access denied: <class 'sfa.util.faults.CertMissingParent'> -- u'plc'
Thanks,
Xuan
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Tuesday, January 18, 2011 2:06 PM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
Your configuration looks ok to me. Just to be sure:
$ sfa-config-tty
SFA_INTERFACE_HRN=gpeni
SFA_REGISTRY_ROOT_AUTH=gpeni
...
and in your ~/.sfi/sfi_config:
SFI_AUTH=gpeni.umkc
SFI_USER=gpeni.umkc.xl9f2
Then you should have the following private key:
~/.sfi/xl9f2.pkey
Since we know your PlanetLab SFA account works let's just use the same key pair you are using at PlanetLab. So the following must be true:
1. your PlanetLab public key should match your MyVINI public key
2. ~/.sfi/xl9f2.pkey should be identical to ~/.sfi/xuan_liu.pkey
If all of this is correct and it still isn't working then your Registry probably needs to be destroyed and re-imported. You can do so using the following steps:
1. Remove Registry records
$ sfa-nuke-plc.py
2. Remove cached Registry keys
$ rm -Rf /var/lib/sfa/*
3. Remove stale trusted cert
$ rm /etc/sfa/trusted_roots/gpeni.gid
4. Re-import Registry records
$ sfa-import-plc.py
Now try again after this. Note that you do not have to bother with sub authority certificate signing. That is only intended to be used by root authorities that want to accept another remote authority under its domain. For example, if PLC wanted to accept gpeni as a sub authority (you'd have to change the name to plc.gpeni as well). But this step isn't required, so skip it for now.
Let me know how it goes.
Regards,
Tony
----- Original Message -----
From: "Xuan Liu (UMKC-Student)" <xuan.liu at mail.umkc.edu>
To: "Tony Mack" <tmack at CS.Princeton.EDU>
Sent: Tuesday, January 18, 2011 2:27:28 PM
Subject: RE: Questions on SFA configuration
Hi Tony,
Thanks for your quick reply. I did upload my public key to my user account, and I used the correct public key as well, but I still have the same error.
In the tutorial, I found following: Getting a Sub Authority's GID Signed by a root ?
First, the sub authority has to obtain a copy of its gid and send it to the root authority. The sub can usually find its gid in /etc/sfa/trusted_roots/plc.sub.gid), or alternatively export it directly from the registry.
At the sub authority sfa-ca.py --export plc.sub
Once the root has the sub's gid, the root can sign it using the sfa-ca.py tool
At the root authority sfa-ca.py --sign plc.sub.gid -o signed-plc.sub.gid
Once the sub has the signed gid, it can import the gid which will update all of the necessary records in the subs registry.
At the sub authority sfa-ca.py --import signed-plc.sub.gid
The gid can also be inspected using the sfa-ca.py tool to verify that it has been signed. sfa-ca.py --display signed-plc.sub.gid
I uploaded my public key again, and ran the following commands on our server:
[myvini7] / # sfa-import-plc.py
[myvini7] /etc/sfa/trusted_roots # ls
gpeni.gid
Since in our server, the /etc/sfa/trusted_roots/plc.sub.gid is 'gpeni.gid', so I assume I should replace all plc.sub with gpeni, but not quite sure about it.
[myvini7] / # sfa-ca.py --export gpeni
[myvini7] / # sfa-ca.py --sign gpeni.gid -o signed-gpeni.gid
[myvini7] / # sfa-ca.py --import signed-gpeni.gid
[myvini7] / # sfa-ca.py --display signed-gpeni.gid
GID
hrn:gpeni
urn:urn:publicid:IDN+gpeni+authority+sa
uuid:208515470808315410364097116779308030457
Filename /signed-gpeni.gid
parent:
GID
hrn:gpeni
urn:urn:publicid:IDN+gpeni+authority+sa
uuid:208515470808315410364097116779308030457
parent:
GID
hrn:gpeni
urn:urn:publicid:IDN+gpeni+authority+sa
uuid:208515470808315410364097116779308030457
[myvini7] / #
Is there any other possible reason for this error? Like the ~/.sfi/sfi_config file? I'm not sure if I should set SFI_AUTH as gpeni.umkc, and set SFI_USER as gpeni.umkc.xl9f2
According to the tutorial, since my email account to myvini is xl9f2 at umkc.edu , I should copy the original ssh private key (id_rsa) to a sfa key and name it as xl9f2.pkey.
Thank you!
Xuan
________________________________________
From: Tony Mack [tmack at CS.Princeton.EDU]
Sent: Tuesday, January 18, 2011 10:33 AM
To: Liu, Xuan (UMKC-Student)
Subject: Re: Questions on SFA configuration
Hi Xuan,
Thank you for the detailed description of your problem. That error means that the cert used by your client isn't in sync with the cert in GID of your Registry record. I'm guessing that your MyVINI user account doesn't have a public key associated with it or the public key is out of sync. Please verify:
1. Your MyVINI user account has a public key
2. Your SFI client is configured to use the correct private key
Your GID is based on the public key of your MyVINI user account. If you add a public key to your MyVINI account, or upload a different one, you will have to update your SFA Registry record by running the sfa-import-plc.py script.
Let me know if this fixes the problem for you.
Regards,
Tony
----- Original Message -----
From: "Xuan Liu" <xuan.liu at mail.umkc.edu>
To: tmack at CS.Princeton.EDU
Sent: Tuesday, January 18, 2011 2:23:49 AM
Subject: Questions on SFA configuration
Hi Tony,
This is Xuan Liu from University of Missouri - Kansas City. We are part of the GpENI project, MyVINI testbed. We have set up a private VINI testbed, which is running the same software as public VINI, and now we would like to do the federation. On our test server, we have installed SFA, and we installed sfa-client on one separate system.
During the installation process, we faced some issues. Andy has advised us on how to configure MyVINI, and he said we might want to talk to you regarding the federation part.
On the sfa-client side, first I gave a try by creating sfi_config as (my email account on planet-lab is xuan.liu at mail.umkc.edu ):
SFI_AUTH='plc.umkc'
SFI_USER='plc.umkc.xuan_liu'
SFI_REGISTRY='http://www.planet-lab.org:12345/'
SFI_SM='http://www.vini-veritas.net:12346/'
It's running properly.
However, when I modified sfi_config to the following, which I'm not sure is correct (My email account on myvini is xl9f2 at umkc.edu ):
SFI_AUTH='gpeni.umkc'
SFI_USER='gpeni.umkc.xl9f2'
SFI_REGISTRY='https://myvini-test.umkc.gpeni.net:12345/'
SFI_SM='https://myvini-test.umkc.gpeni.net:12347/'
(My email account on myvini is xl9f2 at umkc.edu )
Then, when I ran sfi.py list gpeni, I got the following error:
[Xuan at localhost .sfi]$ sfi.py list gpeni
Traceback (most recent call last):
File "/usr/bin/sfi.py", line 1014, in <module>
Sfi().main()
File "/usr/bin/sfi.py", line 1006, in main
self.dispatch(command, cmd_opts, cmd_args)
File "/usr/bin/sfi.py", line 556, in dispatch
return getattr(self, command)(cmd_opts, cmd_args)
File "/usr/bin/sfi.py", line 564, in list
user_cred = self.get_user_cred().save_to_string(save_parents=True)
File "/usr/bin/sfi.py", line 434, in get_user_cred
return self.get_cred(file, 'user', self.user)
File "/usr/bin/sfi.py", line 457, in get_cred
cred_str = self.registry.GetSelfCredential(cert_string, hrn, "user")
File "/usr/lib/python2.5/xmlrpclib.py", line 1150, in __call__
return self.__send(self.__name, args)
File "/usr/lib/python2.5/xmlrpclib.py", line 1440, in __request
verbose=self.__verbose
File "/usr/lib/python2.5/xmlrpclib.py", line 1204, in request
return self._parse_response(h.getfile(), sock)
File "/usr/lib/python2.5/xmlrpclib.py", line 1343, in _parse_response
return u.close()
File "/usr/lib/python2.5/site-packages/sfa/util/xmlrpcprotocol.py", line 21, in close
raise ServerException(e.faultString)
sfa.util.xmlrpcprotocol.ServerException: : GetSelfCredential: Connection Key GID mismatch: gpeni.umkc.xl9f2
I searched both the planetlab mailing list and the vini mailing list, and I did remove xl9f2.cert and re-run the command, but I got the same error. I suspect maybe the sfa-config-tty is not correct. Here is my server-side configuration, and I did this by referring to STEP 4B in http://groups.geni.net/geni/wiki/SfaInstallGEC9Demos#Step8:ConfigurehostfirewalltoallowSFA:
(NOTE: I'm not quite sure if I did right on this server-side configuration)
Enter command (u for usual changes, w to save, ? for help) u
== SFA_INTERFACE_HRN : [gpeni]
== SFA_REGISTRY_ROOT_AUTH : [gpeni]
== SFA_REGISTRY_HOST : [myvini-test.umkc.gpeni.net]
== SFA_AGGREGATE_HOST : [myvini-test.umkc.gpeni.net]
== SFA_SM_HOST : [myvini-test.umkc.gpeni.net]
== SFA_PLC_USER : [root at myvini.net]
== SFA_PLC_PASSWORD : [myvini2996]
== SFA_PLC_DB_HOST : [myvini-test.umkc.gpeni.net]
== SFA_PLC_DB_USER : [postgres]
== SFA_PLC_DB_PASSWORD : [1b4df9de-2439-45c3-9fea-4de1fbc67a4c]
== SFA_PLC_URL : [https://localhost:443/PLCAPI/]
the myplc configuration on our test server is:
[myvini7] / # plc-config-tty
Enter command (u for usual changes, w to save, ? for help) u
== PLC_NAME : [MyVINI at GpENI]
== PLC_SHORTNAME : [MyVINI]
== PLC_SLICE_PREFIX : [gpeni]
== PLC_ROOT_USER : [root at myvini.net]
== PLC_ROOT_PASSWORD : [myvini2996]
== PLC_MAIL_ENABLED : [true]
== PLC_MAIL_SUPPORT_ADDRESS : [vini.gpeni.umkc at gmail.com]
== PLC_DB_HOST : [myvini-test.umkc.gpeni.net]
== PLC_API_HOST : [myvini-test.umkc.gpeni.net]
== PLC_WWW_HOST : [myvini-test.umkc.gpeni.net]
== PLC_BOOT_HOST : [myvini-test.umkc.gpeni.net]
== PLC_NET_DNS1 : [129.237.125.220]
== PLC_NET_DNS2 : [164.113.31.235]
How should I set SFA_INTERFACE_HRN, SFA_REGISTRY_ROOT_AUTH, SFA_REGISTRY_HOST and SFA_AGGREGATE_HOST and SFA_SM_HOST, if we would like to federate our aggregate?
Attached is a copy of the sfa_config on our test server. Please let me know if you need any more details.
Any suggestion and help would be much appreciated! Thank you in advance.
Xuan Liu