
How to configure OGSA-DAI 3 GT with transport-level security

After one of our users encountered a number of problems trying to deploy OGSA-DAI 3 GT on Tomcat with transport-level security enabled, I tried to do it myself. The problem with configuring GT security is that there are a number of options available at each stage, e.g. transport-level security or message-level security, encryption or integrity, etc. So this is just one path through these.

Important note about Globus versions:

These instructions are for GT 4.0. GT security configuration is different for GT 4.2 and is not covered by this page. If you try to use GT 4.0 security configuration in GT 4.2 you will be wasting your time.

Important note about Tomcat versions:

These instructions are for Tomcat 5.0. GT security configuration is different for Tomcat 5.5. I include the differences for Tomcat 5.5 at the bottom of the page. At the relevant points in the page I'll say when the instructions differ for Tomcat 5.5. Do not mix and match Tomcat 5.0 and Tomcat 5.5 configuration as you will end up having to restart from scratch!

Setting up my environment

Using Tomcat 5.0 and GT 4.0.8 Web services core I set their locations.

$ export CATALINA_HOME=/home/michaelj/test/tomcat/
$ export GLOBUS_LOCATION=/home/michaelj/Packages/globus/ws-core-4.0.8
$ export OGSADAI_HOME=/home/michaelj/Packages/ogsadai3.1/ogsadai-3.1-gt-4.0.8-bin

Deploying GT onto Tomcat

So, as recommended in

http://www.ogsadai.org.uk/documentation/ogsadai3.1/ogsadai3.1-gt/DeployGT.html

I now go to:

http://www-unix.globus.org/toolkit/docs/4.0/admin/docbook/ch09.html#javawscore-admin-tomcat-deploying

And follow their instructions.

$ cd $GLOBUS_LOCATION
$ ant -f share/globus_wsrf_common/tomcat/tomcat.xml deploySecureTomcat \
  -Dtomcat.dir=$CATALINA_HOME
Buildfile: share/globus_wsrf_common/tomcat/tomcat.xml
deploySecureTomcat:
_baseTomcatDeploy:
    [mkdir] Created dir: /home/michaelj/test/tomcat/webapps/wsrf
     [copy] Copying 90 files to /home/michaelj/test/tomcat/webapps/wsrf
    [mkdir] Created dir: /home/michaelj/test/tomcat/webapps/wsrf/WEB-INF
     [copy] Copying 30 files to /home/michaelj/test/tomcat/webapps/wsrf/WEB-INF
    [chmod] Skipping fileset for directory /home/michaelj/test/tomcat/webapps/wsrf/WEB-INF. It is empty.
    [mkdir] Created dir: /home/michaelj/test/tomcat/webapps/wsrf/WEB-INF/classes
     [copy] Copying 1 file to /home/michaelj/test/tomcat/webapps/wsrf/WEB-INF/classes
     [copy] Copying 1 file to /home/michaelj/test/tomcat/webapps/wsrf/WEB-INF/classes
    [mkdir] Created dir: /home/michaelj/test/tomcat/webapps/wsrf/WEB-INF/lib
     [copy] Copying 1 file to /home/michaelj/test/tomcat/webapps/wsrf/WEB-INF
     [copy] Warning: Could not find file /home/michaelj/Packages/globus/ws-core-4.0.8/lib/xalan.jar to copy.
     [copy] Copying 50 files to /home/michaelj/test/tomcat/webapps/wsrf/WEB-INF/lib
     [copy] Copying 8 files to /home/michaelj/test/tomcat/common/lib
     [copy] Copying 1 file to /home/michaelj/test/tomcat/server/lib
BUILD SUCCESSFUL
Total time: 4 seconds

If using GT 4.0.8 there is a bug and you'll have to manually copy a JAR into Tomcat - see the note about GT 4.0.8 deployment onto Tomcat at the bottom of the page.

Configuring Tomcat 5.0

Now, as stated in the Globus doc, since I'm using Tomcat 5.0 I need to:

Add a HTTPS Connector in the <Service name="Catalina"> section and update the parameters appropriately with your local configuration:

<Connector
   className="org.globus.tomcat.coyote.net.HTTPSConnector"
   port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   autoFlush="true"
   disableUploadTimeout="true" scheme="https"
   enableLookups="true" acceptCount="10" debug="0"
   proxy="/path/to/proxy/file"
   cert="/path/to/certificate/file"
   key="/path/to/private/key/file"
   cacertdir="/path/to/ca/certificates/directory"/>

In the above the proxy, cert, key and cacertdir attributes are optional. Furthermore, the proxy and the combination of cert and key attributes are mutually exclusive.

But it says that

The credentials and certificate configuration is used only by the connector and is not used by the rest of the web services stack in Globus Toolkit. To configure credentials for use in the toolkit, refer to Security Descriptor.

So I originally tried:

<Connector
   className="org.globus.tomcat.coyote.net.HTTPSConnector"
   port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   autoFlush="true"
   disableUploadTimeout="true" scheme="https"
   enableLookups="true" acceptCount="10" debug="0"/>

But when I tried to contact Tomcat the logs had:

SEVERE: Endpoint
ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443] ignored
exception: org.globus.common.ChainedIOException: Failed to init GSS
context [Caused by: Defective credential detected [Caused by: Proxy
file (/tmp/x509up_u505) not found.]] 

So maybe it's looking for certificate information. So I add this to my Connector:

  cert="/home/michaelj/security/coalcert.pem"
  key="/home/michaelj/security/coalkey.pem"/>

To get:

<Connector
   className="org.globus.tomcat.coyote.net.HTTPSConnector"
   port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   autoFlush="true"
   disableUploadTimeout="true" scheme="https"
   enableLookups="true" acceptCount="10" debug="0"
   cert="/home/michaelj/security/coalcert.pem"
   key="/home/michaelj/security/coalkey.pem"/>

Where coalcert.pem and coalkey.pem are the certificate and key for my host. [I don't use /etc/grid-security as I don't have permission to access the pem files in that]

So this configuration is the one that worked for me. For my Tomcat 5.5 version of this Connector please see the notes on Tomcat 5.5 at the bottom of the page.

And I also have to

Add a HTTPS Valve in the <Engine name="Catalina" ... > section:

 <Valve className="org.globus.tomcat.coyote.valves.HTTPSValve"/>

so I add:

<Valve className="org.globus.tomcat.coyote.valves.HTTPSValve"/>

For my Tomcat 5.5 version of this Valve please see the notes on Tomcat 5.5 at the bottom of the page.

Deploy OGSA-DAI

So now I'm ready to deploy OGSA-DAI onto GT/Tomcat as described in:

http://www.ogsadai.org.uk/documentation/ogsadai3.1/ogsadai3.1-gt/DeployCH.html

$ cd $OGSADAI_HOME
$ ant -Dgt.dir=$GLOBUS_LOCATION -Dtomcat.dir=$CATALINA_HOME \
  -Ddai.host=coal.epcc.ed.ac.uk -Ddai.port=8443 buildAndDeployGARTomcat

Setup GT security for OGSA-DAI

Now I'm ready to set up OGSA-DAI GT 4.0 security:

http://www.ogsadai.org.uk/documentation/ogsadai3.1/ogsadai3.1-gt/AdminSecurityGT40.html

As described in section 38.1 first I need to configure certificates.

I write a file global_security_descriptor.xml:

<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
    <credential>
        <key-file value="/home/michaelj/security/coalkey.pem"/>
        <cert-file value="/home/michaelj/security/coalcert.pem"/>
    </credential>
</securityConfig>

As requested, I now save this file to:

$CATALINA_HOME/webapps/wsrf/WEB-INF/etc/globus_wsrf_core/global_security_descriptor.xml

As requested, I now edit the container's global configuration:

$CATALINA_HOME/webapps/wsrf/WEB-INF/etc/globus_wsrf_core/server-config.wsdd

and add the following lines to the <globalConfiguration> element.

<parameter name="containerSecDesc"
           value="/home/michaelj/test/tomcat/webapps/wsrf/WEB-INF/etc/globus_wsrf_core/global_security_descriptor.xml"/>

I now configure the CAs as described in 38.2. I put these in

/etc/grid-security/certificates

which, as described in the doc, is one of the standard places where Globus Toolkit looks for these.

$ ls /etc/grid-security/certificates/
01621954.0               8175c1cd.0               e11e2ba8.0
01621954.signing_policy  8175c1cd.signing_policy 
19de5f16.0               98ef0ee5.0              
19de5f16.signing_policy  98ef0ee5.signing_policy 
2dcb767f.0               adcbc9ef.0              
2dcb767f.signing_policy  adcbc9ef.signing_policy 
367b75c3.0               bad2c094.0              
367b75c3.signing_policy  bad2c094.signing_policy 
42864e48.0              
42864e48.signing_policy 

Now I'm ready to configure authentication methods and levels as described in 38.3.

I am interested in using transport level security using HTTPS and with privacy (encryption) protection. So I write a security descriptor:

<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
   <auth-method>
     <GSITransport>
        <protection-level>
          <privacy/>
        </protection-level>
     </GSITransport>
   </auth-method>
   <authz value="none"/>
</securityConfig>

I will not do anything about authorization - determining who can access and do what.

I'll put this in the place recommended in the user doc:

$CATALINA_HOME/webapps/wsrf/WEB-INF/etc/dai/

And call it mike_security_descriptor.xml

Now, as described in the doc, I need to link the OGSA-DAI services to the security descriptor. And so I edit:

$CATALINA_HOME/webapps/wsrf/WEB-INF/etc/dai/server-config.wsdd

And for each <service> element (there are six, corresponding to the six types of OGSA-DAI service) I add a reference to my descriptor:

<parameter
 name="securityDescriptor"
 value="/home/michaelj/test/tomcat/webapps/wsrf/WEB-INF/etc/dai/mike_security_descriptor.xml"/>
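
An added example, not part of the original page or of OGSA-DAI: a Python check that every <service> in the dai server-config.wsdd carries a securityDescriptor parameter and that the referenced descriptor demands GSITransport with privacy only. The WSDD sample, the /opt/example path and the second service name are constructed; descriptor texts are passed in as a dictionary so the check runs offline.

```python
import xml.etree.ElementTree as ET

# Constructed sample of etc/dai/server-config.wsdd. The second service name is
# hypothetical and deliberately lacks the securityDescriptor parameter.
SAMPLE_WSDD = """<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <service name="dai/DataRequestExecutionService" provider="Handler">
    <parameter name="securityDescriptor"
               value="/opt/example/etc/dai/mike_security_descriptor.xml"/>
  </service>
  <service name="dai/ExampleUnsecuredService" provider="Handler">
    <parameter name="scope" value="Application"/>
  </service>
</deployment>"""

# The descriptor shown on this page, keyed by the constructed path used above.
SAMPLE_DESCRIPTORS = {
    "/opt/example/etc/dai/mike_security_descriptor.xml": """<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
   <auth-method>
     <GSITransport>
        <protection-level>
          <privacy/>
        </protection-level>
     </GSITransport>
   </auth-method>
   <authz value="none"/>
</securityConfig>""",
}


def local(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def service_descriptors(wsdd_text):
    """Map each <service> name to its securityDescriptor path (None if absent)."""
    result = {}
    for element in ET.fromstring(wsdd_text).iter():
        if local(element.tag) != "service":
            continue
        path = None
        for child in element:
            if local(child.tag) == "parameter" and child.get("name") == "securityDescriptor":
                path = child.get("value")
        result[element.get("name")] = path
    return result


def descriptor_policy(descriptor_text):
    """Return the GSITransport protection levels and the authz value of a descriptor."""
    levels, authz = set(), None
    for element in ET.fromstring(descriptor_text).iter():
        name = local(element.tag)
        if name == "GSITransport":
            levels |= {local(e.tag) for e in element.iter()} & {"privacy", "integrity"}
        elif name == "authz":
            authz = element.get("value")
    return {"transport": sorted(levels), "authz": authz}


def findings(wsdd_text, descriptors, required_level="privacy"):
    """List (service, problem) pairs; `descriptors` maps file path to XML text."""
    issues = []
    for service, path in service_descriptors(wsdd_text).items():
        if path is None:
            issues.append((service, "no securityDescriptor parameter"))
        elif path not in descriptors:
            issues.append((service, "descriptor file not readable: " + path))
        else:
            policy = descriptor_policy(descriptors[path])
            if policy["transport"] != [required_level]:
                issues.append((service, "GSITransport levels are %s" % policy["transport"]))
            if policy["authz"] == "none":
                issues.append((service, "no authorization configured (authz=none)"))
    return issues


if __name__ == "__main__":
    for service, problem in findings(SAMPLE_WSDD, SAMPLE_DESCRIPTORS):
        print(service, "->", problem)
```
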

Do a quick test

So now I start up Tomcat

$ cd $CATALINA_HOME
$ ./bin/startup.sh

I did an optional test by visiting:

https://localhost:8443/

And a browser dialog box appeared asking me to select a certificate, which I did. I was then taken to the standard Tomcat front-page. This relies on you having a certificate signed by one of the CAs you've set up earlier.

Deploy an OGSA-DAI data resource

Now I deploy an OGSA-DAI data resource:

http://www.ogsadai.org.uk/documentation/ogsadai3.1/ogsadai3.1-gt/DeployRelationalResource.html

Create a tmp directory for the driver JAR:

$ mkdir tmp
$ cp /home/michaelj/ogsa-dai-cvs/packages/databases/mysql/mysql5.0.4/lib/mysql-connector-java-5.0.4-bin.jar tmp

Create a file - my.resource.config

dai.resource.id=MySQLDB
dai.product.name=MySQL
dai.product.vendor=MySQL
dai.product.version=5.0
dai.db.uri=jdbc:mysql://XXXXXX:3306/daitest
dai.db.driver=org.gjt.mm.mysql.Driver
dai.dn=/C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=mike jackson
dai.user=XXXXXX
dai.password=XXXXXX
dai.resource.jar.dir=tmp

Note dai.dn - this is my credential from my certificate.

And deploy:

$ ant -propertyfile my.resource.config -Dtomcat.dir=$CATALINA_HOME deployRelationalResource 

Now I restart Tomcat

$ ./bin/shutdown.sh
$ rm logs/*
$ ./bin/startup.sh

Run an OGSA-DAI secure client

Now I run the secure client:

http://www.ogsadai.org.uk/documentation/ogsadai3.1/ogsadai3.1-gt/GTSecureSQLClient.html

$ java uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient \
  -u https://localhost:8443/wsrf/services/dai \
  -d MySQLDB -q "SELECT * FROM littleblackbook WHERE id < 10;" -tls
DRER ID: DataRequestExecutionResource
Data Resource ID: MySQLDB
Base Services URL: https://localhost:8443/wsrf/services/dai
SQLQuery: SELECT * FROM littleblackbook WHERE id < 10;
Transport level security with integrity
Exception in thread "main"
uk.org.ogsadai.client.toolkit.exception.ServerURLInvalidException: A
problem occured initialising the server. 
        at uk.org.ogsadai.client.toolkit.ServerFactory.getWSDL(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerFactory.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getDataRequestExecutionResource(Unknown Source)
        at uk.org.ogsadai.client.toolkit.example.SQLClient.execute(Unknown Source)
        at uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient.main(Unknown Source)
Caused by: org.globus.common.ChainedIOException: Failed to init GSI
context [Caused by: Defective credential detected [Caused by: Proxy
file (/tmp/x509up_u505) not found.]] 
        at org.globus.net.GSIHttpURLConnection.connect(GSIHttpURLConnection.java:107)
        at org.globus.net.GSIHttpURLConnection.getInputStream(GSIHttpURLConnection.java:151)
        at java.net.URL.openStream(URL.java:913)
        ... 6 more

Of course it fails because I as a client haven't created my proxy certificate! So:

$ cd $GLOBUS_LOCATION
$ ./bin/grid-proxy-init
Your identity: C=UK,O=eScience,OU=Edinburgh,L=NeSC,CN=mike jackson
Enter GRID pass phrase for this identity:        
Creating proxy, please wait...
Proxy verify OK
Your proxy is valid until Thu Mar 26 00:15:54 GMT 2009

Try again:

$ java uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient \
  -u https://localhost:8443/wsrf/services/dai \
  -d MySQLDB -q "SELECT * FROM littleblackbook WHERE id < 10;" -tls
DRER ID: DataRequestExecutionResource
Data Resource ID: MySQLDB
Base Services URL: https://localhost:8443/wsrf/services/dai
SQLQuery: SELECT * FROM littleblackbook WHERE id < 10;
Transport level security with integrity
Exception in thread "main"
uk.org.ogsadai.client.toolkit.exception.ServerURLInvalidException: A
problem occured initialising the server. 
        at uk.org.ogsadai.client.toolkit.ServerFactory.getWSDL(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerFactory.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getDataRequestExecutionResource(Unknown Source)
        at uk.org.ogsadai.client.toolkit.example.SQLClient.execute(Unknown Source)
        at uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient.main(Unknown Source)
Caused by: java.io.IOException: Internal Server Error
        at org.globus.net.GSIHttpURLConnection.getInputStream(GSIHttpURLConnection.java:176)
        at java.net.URL.openStream(URL.java:913)
        ... 6 more

Of course this time it fails because I'm using TLS + Integrity but the server enforces TLS + Privacy (as I requested in mike_security_descriptor.xml).

$ java uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient \
  -u https://localhost:8443/wsrf/services/dai \
  -d MySQLDB -q "SELECT * FROM littleblackbook WHERE id < 10;" -tls encrypt
DRER ID: DataRequestExecutionResource
Data Resource ID: MySQLDB
Base Services URL: https://localhost:8443/wsrf/services/dai
SQLQuery: SELECT * FROM littleblackbook WHERE id < 10;
Transport level security with encryption
uk.org.ogsadai.resource.request.status.COMPLETED
| id | name              | address                           | phone       |
| 1  | Ally Antonioletti | 826 Hume Crescent, Southampton    | 01670061244 |
| 2  | Amy Atkinson      | 583 Atkinson Drive, Southampton   | 06312054624 |
| 3  | Andrew Borley     | 354 Jackson Road, Edinburgh       | 01057075166 |
| 4  | Charaka Chue Hong | 750 Pearson Crescent, Southampton | 09945916393 |
| 5  | Dave Hardman      | 079 Borley Gardens, Winchester    | 06725558505 |
| 6  | George Hicken     | 398 Magowan Street, Winchester    | 09066873297 |
| 7  | James Hume        | 801 Laws Gardens, Edinburgh       | 00246566355 |
| 8  | Malcolm Jackson   | 743 Krause Lane, Edinburgh        | 04333719273 |
| 9  | Mario Krause      | 026 Atkinson Gardens, Winchester  | 01922093483 |

Success!

Note about GT4.0.8 deployment onto Tomcat

I tried with GT 4.0.8 and Tomcat gave a:

Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/Logger

This is because deploySecureTomcat in ws-core-4.0.8/share/globus_wsrf_common/tomcat/tomcat.xml copies log4j-1.2.8.jar, but GT 4.0.8 actually bundles log4j-1.2.15.jar, so it fails. You can just do:

$ cp $GLOBUS_LOCATION/lib/log4j-1.2.15.jar $CATALINA_HOME/common/lib

This has been reported to Globus as a bug:

http://bugzilla.globus.org/globus/show_bug.cgi?id=6704

Tomcat 5.5 Connector and Valve

I also tested using Tomcat 5.5. The only difference is the additions to the Tomcat conf/server.xml file. For 5.5 these were:

<Connector
  className="org.globus.tomcat.coyote.net.HTTPSConnector"
  port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  autoFlush="true"
  disableUploadTimeout="true" scheme="https"
  enableLookups="true" acceptCount="10" debug="0"
  protocolHandlerClassName="org.apache.coyote.http11.Http11Protocol"
  socketFactory="org.globus.tomcat.catalina.net.BaseHTTPSServerSocketFactory"
  cert="/home/michaelj/security/coalcert.pem"
  key="/home/michaelj/security/coalkey.pem"/>

and

<Valve className="org.globus.tomcat.coyote.valves.HTTPSValve55"/>

Example errors, symptoms and cures

Server says proxy file is not found

If Tomcat doesn't start properly then this might be the problem. You may see the following message in the Tomcat logs:

SEVERE: Endpoint
ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443] ignored
exception: org.globus.common.ChainedIOException: Failed to init GSS
context [Caused by: Defective credential detected [Caused by: Proxy
file (/tmp/x509up_u505) not found.]] 

This could be because you haven't specified certificate and key information in the Connector in the $CATALINA_HOME/conf/server.xml file e.g.:

<Connector
   className="org.globus.tomcat.coyote.net.HTTPSConnector"
   port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   autoFlush="true"
   disableUploadTimeout="true" scheme="https"
   enableLookups="true" acceptCount="10" debug="0"/>

So you could add this information e.g.:

<Connector
   className="org.globus.tomcat.coyote.net.HTTPSConnector"
   port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   autoFlush="true"
   disableUploadTimeout="true" scheme="https"
   enableLookups="true" acceptCount="10" debug="0"
   cert="/home/michaelj/security/coalcert.pem"
   key="/home/michaelj/security/coalkey.pem"/>

Server says Tomcat's secure port cannot access CA certificate directory

This could be manifested by a client as:

A problem has occured...
[1241167679100:0] uk.org.ogsadai.client.tookit.RESOURCE_COMMS_ERROR : https://daiisi.epcc.ed.ac.uk:8443/wsrf/services/dai/DataRequestExecutionService/DataRequestExecutionResource
; nested exception is:
       java.net.SocketException: Connection reset
Connection reset

This can arise if the CA certificates are not in /etc/grid-security (the default location) or are not in the directory named in the cacertdir attribute of the Connector added to Tomcat's $CATALINA_HOME/conf/server.xml file.

...
 cacertdir="/etc/grid-security/"
...

If specifying this value the exact directory name must be given. If you put your CA certificates in /etc/grid-security/certauthorities for example then this is the directory you would need to cite. There is no support for automatically searching the path for sub-directories.

Client raises a readHandshakeToken exception

For example:

$ java uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient \
  -u https://localhost:8443/wsrf/services/dai \
  -d MySQLDB -q "SELECT * FROM littleblackbook WHERE id < 10" -tls encrypt
DRER ID: DataRequestExecutionResource
Data Resource ID: MySQLDB
Base Services URL: https://localhost:8443/wsrf/services/dai
SQLQuery: SELECT * FROM littleblackbook WHERE id < 10
Transport level security with privacy
Exception in thread "main" uk.org.ogsadai.client.toolkit.exception.ServerURLInvalidException: A problem occured initialising the server.
        at uk.org.ogsadai.client.toolkit.ServerFactory.getWSDL(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerFactory.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getDataRequestExecutionResource(Unknown Source)
        at uk.org.ogsadai.client.toolkit.example.SQLClient.execute(Unknown Source)
        at uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient.main(Unknown Source)
Caused by: java.io.EOFException
        at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:56)

This could be because you are using Tomcat 5.5 but have added a Tomcat 5.0 Connector and Valve to the $CATALINA_HOME/conf/server.xml file.
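
An added example, not from the original page or from Globus: a Python pre-flight check of conf/server.xml for the three server-side causes described above (no credentials on the Connector, a cacertdir that does not directly contain the CA files, and a Tomcat 5.0/5.5 Connector or Valve mix-up). The temporary directory layout and file names in demo() are constructed, and the hashed-file pattern is taken from the directory listing on this page.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

CONNECTOR = "org.globus.tomcat.coyote.net.HTTPSConnector"
# Valve class expected for each Tomcat version, as given on this page.
VALVES = {"5.0": "org.globus.tomcat.coyote.valves.HTTPSValve",
          "5.5": "org.globus.tomcat.coyote.valves.HTTPSValve55"}
# Connector attributes that appear only in the page's Tomcat 5.5 variant.
ONLY_55 = ("protocolHandlerClassName", "socketFactory")
HASHED_CA = re.compile(r"^[0-9a-f]{8}\.\d+$")  # e.g. 01621954.0


def ca_files_in(directory):
    """CA certificates found directly in `directory` (sub-directories are not searched)."""
    if not os.path.isdir(directory):
        return []
    return sorted(f for f in os.listdir(directory) if HASHED_CA.match(f))


def check_server_xml(xml_text, tomcat_version):
    """Return a list of problems with the Globus HTTPS Connector and Valve."""
    root = ET.fromstring(xml_text)
    issues = []
    connectors = [c for c in root.iter("Connector") if c.get("className") == CONNECTOR]
    if not connectors:
        issues.append("no Globus HTTPSConnector defined")
    for c in connectors:
        proxy, cert, key = c.get("proxy"), c.get("cert"), c.get("key")
        if proxy and (cert or key):
            issues.append("proxy and cert/key are mutually exclusive")
        elif bool(cert) != bool(key):
            issues.append("cert and key must be set together")
        elif not (proxy or cert):
            issues.append("no proxy or cert/key: Connector falls back to a default proxy file")
        for attr, path in (("proxy", proxy), ("cert", cert), ("key", key)):
            if path and not os.path.isfile(path):
                issues.append(f"{attr} file not found: {path}")
        cadir = c.get("cacertdir")
        if cadir is not None and not ca_files_in(cadir):
            issues.append(f"cacertdir holds no CA certificates: {cadir}")
        extras = [a for a in ONLY_55 if c.get(a)]
        if tomcat_version == "5.5" and len(extras) != len(ONLY_55):
            issues.append("Tomcat 5.5 needs protocolHandlerClassName and socketFactory")
        if tomcat_version == "5.0" and extras:
            issues.append("Tomcat 5.5 attributes on a Tomcat 5.0 Connector")
    valves = {v.get("className") for v in root.iter("Valve")}
    if VALVES[tomcat_version] not in valves:
        issues.append("expected Valve " + VALVES[tomcat_version])
    return issues


def demo():
    """Check one constructed Tomcat 5.0 config as if run on 5.0 and on 5.5."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "hostcert.pem"), os.path.join(d, "hostkey.pem")
        cadir = os.path.join(d, "grid-security")
        # CA file sits one level below cacertdir, which the Connector will not search.
        os.makedirs(os.path.join(cadir, "certificates"))
        for path in (cert, key, os.path.join(cadir, "certificates", "01621954.0")):
            open(path, "w").close()
        xml_text = f"""<Server><Service name="Catalina">
          <Connector className="{CONNECTOR}" port="8443" scheme="https"
                     cert="{cert}" key="{key}" cacertdir="{cadir}"/>
          <Engine name="Catalina" defaultHost="localhost">
            <Valve className="{VALVES['5.0']}"/>
          </Engine></Service></Server>"""
        return check_server_xml(xml_text, "5.0"), check_server_xml(xml_text, "5.5")


if __name__ == "__main__":
    for version, found in zip(("5.0", "5.5"), demo()):
        print(version, found)
```
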

Client says that proxy file is not found

This can arise if running a client. For example:

$ java uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient \
  -u https://localhost:8443/wsrf/services/dai \
  -d MySQLDB -q "SELECT * FROM littleblackbook WHERE id < 10;" -tls
DRER ID: DataRequestExecutionResource
Data Resource ID: MySQLDB
Base Services URL: https://localhost:8443/wsrf/services/dai
SQLQuery: SELECT * FROM littleblackbook WHERE id < 10;
Transport level security with integrity
Exception in thread "main"
uk.org.ogsadai.client.toolkit.exception.ServerURLInvalidException: A
problem occured initialising the server. 
        at uk.org.ogsadai.client.toolkit.ServerFactory.getWSDL(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerFactory.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getDataRequestExecutionResource(Unknown Source)
        at uk.org.ogsadai.client.toolkit.example.SQLClient.execute(Unknown Source)
        at uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient.main(Unknown Source)
Caused by: org.globus.common.ChainedIOException: Failed to init GSI
context [Caused by: Defective credential detected [Caused by: Proxy
file (/tmp/x509up_u505) not found.]] 
        at org.globus.net.GSIHttpURLConnection.connect(GSIHttpURLConnection.java:107)
        at org.globus.net.GSIHttpURLConnection.getInputStream(GSIHttpURLConnection.java:151)
        at java.net.URL.openStream(URL.java:913)
        ... 6 more

This is usually because a proxy certificate hasn't been created for the client to use. One can be created using Globus's grid-proxy-init command:

$ cd $GLOBUS_LOCATION
$ ./bin/grid-proxy-init
Your identity: C=UK,O=eScience,OU=Edinburgh,L=NeSC,CN=mike jackson
Enter GRID pass phrase for this identity:        
Creating proxy, please wait...
Proxy verify OK
Your proxy is valid until Thu Mar 26 00:15:54 GMT 2009

Client says that there is no client transport named HTTPS

This can arise if running a client. For example:

java uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient -u https://localhost:8443/wsrf/services/dai -d MySQLDB  -q "SELECT * FROM littleblackbook WHERE id < 10" -tls encrypt
DRER ID: DataRequestExecutionResource
Data Resource ID: MySQLDB
Base Services URL: https://localhost:8443/wsrf/services/dai
SQLQuery: SELECT * FROM littleblackbook WHERE id < 10
Transport level security with encryption
A problem has occured...
[1241105122782:0] uk.org.ogsadai.client.tookit.RESOURCE_COMMS_ERROR : https://localhost:8443/wsrf/services/dai/DataRequestExecutionService/DataRequestExecutionResource
No client transport named 'https' found!

This is caused when the file client-config.wsdd, which the client needs when communicating with an OGSA-DAI web service, is not available in the CLASSPATH.

You should have set your CLASSPATH by running setenv.bat or setenv.sh in $OGSADAI_HOME. And you should have ended up with the directory $OGSADAI_HOME/deploy/ in your CLASSPATH.

If using Eclipse you should configure it to include the directory $OGSADAI_HOME/deploy/ in your CLASSPATH.

Client says that the server URL is invalid

This can arise if running a client. For example:

$ java uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient \
  -u https://localhost:8443/wsrf/services/dai \
  -d MySQLDB -q "SELECT * FROM littleblackbook WHERE id < 10;" -tls
DRER ID: DataRequestExecutionResource
Data Resource ID: MySQLDB
Base Services URL: https://localhost:8443/wsrf/services/dai
SQLQuery: SELECT * FROM littleblackbook WHERE id < 10;
Transport level security with integrity
Exception in thread "main"
uk.org.ogsadai.client.toolkit.exception.ServerURLInvalidException: A
problem occured initialising the server. 
        at uk.org.ogsadai.client.toolkit.ServerFactory.getWSDL(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerFactory.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getServer(Unknown Source)
        at uk.org.ogsadai.client.toolkit.ServerProxy.getDataRequestExecutionResource(Unknown Source)
        at uk.org.ogsadai.client.toolkit.example.SQLClient.execute(Unknown Source)
        at uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient.main(Unknown Source)
Caused by: java.io.IOException: Internal Server Error
        at org.globus.net.GSIHttpURLConnection.getInputStream(GSIHttpURLConnection.java:176)
        at java.net.URL.openStream(URL.java:913)
        ... 6 more

One cause for this could be if you have secured your server to expect TLS and privacy (encryption) but your client settings are for TLS and integrity.

You should ensure your client is set for TLS and privacy too.

Client says GSI Transport (encryption only) authentication is required

This can arise if running a client. For example:

java uk.org.ogsadai.client.toolkit.gt.example.GTSecureSQLClient -u https://localhost:8443/wsrf/services/dai -d MySQLDB  -q "SELECT * FROM littleblackbook WHERE id < 10" -tls
DRER ID: DataRequestExecutionResource
Data Resource ID: MySQLDB
Base Services URL: https://localhost:8443/wsrf/services/dai
SQLQuery: SELECT * FROM littleblackbook WHERE id < 10
Transport level security with integrity
A problem has occured...
[1241105083360:0] uk.org.ogsadai.client.tookit.RESOURCE_COMMS_ERROR : https://localhost:8443/wsrf/services/dai/DataRequestExecutionService/DataRequestExecutionResource
GSI Transport (encryption only) authentication required for "{http://ogsadai.org.uk/namespaces/2007/04/service/execution}execute" operation.
Activity: uk.org.ogsadai.SQLQuery
  Status: null
Activity: uk.org.ogsadai.TupleToWebRowSetCharArrays
  Status: null
Activity: uk.org.ogsadai.CharArraysResize
  Status: null
Activity: uk.org.ogsadai.DeliverToRequestStatus
  Status: null

One cause for this could be if you have secured your server to expect TLS and privacy (encryption) but your client settings are for TLS and integrity.

You should ensure your client is set for TLS and privacy too.