From: Sander A. <sa....@fz...> - 2019-12-12 12:33:50
Dear Krzysztof,

sorry for the noise, but I found the reason for it. Unity still uses the Grid certificate infrastructure. The problem was that the user used an outdated certificate. In the past it worked for the SSL handshake, but now it does not work for the SSL handshake anymore. Using a valid Grid certificate works. The change is positive, but for (stupid) users it looks like the service has an error.

Best regards,
Sander

On Thu, 2019-12-12 at 13:04 +0100, Sander Apweiler wrote:
> Dear Krzysztof,
>
> I updated unity from 2.4.2 to 2.8.2. I know that this version is old too. But we are not ready to update to unity 3.
>
> After the update I have an issue with certificates.
>
> If you select a grid certificate for authentication, it is rejected and you get a "Secure Connection Failed" error with "SSL peer had some unspecified issue with the certificate it received." It seems that unity does not like the Grid cert infrastructure any more. When I use a global certificate everything went well.
>
> The pki truststore config is the same as in 2.4.2:
> unity.pki.truststores.MAIN.type=directory
> unity.pki.truststores.MAIN.allowProxy=DENY
> unity.pki.truststores.MAIN.directoryLocations.1=/usr/local/unity/certs/*
> unity.pki.truststores.MAIN.directoryLocations.2=/etc/grid-security/certificates/*.pem
> unity.pki.truststores.MAIN.crlLocations.1=/etc/grid-security/certificates/*.crl
> unity.pki.truststores.MAIN.directoryEncoding=PEM
> unity.pki.truststores.MAIN.crlUpdateInterval=400
>
> unity.pki.truststores.WEB.type=directory
> unity.pki.truststores.WEB.allowProxy=DENY
> unity.pki.truststores.WEB.directoryLocations.1=/usr/local/unity/certs/*
> unity.pki.truststores.WEB.crlLocations.1=/etc/grid-security/certificates/*.crl
> unity.pki.truststores.WEB.directoryEncoding=PEM
> unity.pki.truststores.WEB.crlUpdateInterval=400
>
> The authenticator configuration in unityServer.conf was adjusted to have only one single certificate configuration:
> unityServer.core.authenticators.cert.authenticatorName=cert
> unityServer.core.authenticators.cert.authenticatorType=certificate
> unityServer.core.authenticators.cert.localCredential=Certificate credential
> unityServer.core.authenticators.cert.configurationFile=${CONF}/authenticators/certificateRetrieval.properties
>
> Do you have any clue why it is not working anymore? There is no error in the logs about it.
>
> Cheers,
> Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
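The root cause above (an expired user certificate rejected at the TLS handshake, with nothing in the server logs) is the kind of thing worth checking on the client side before blaming the service. The script below is an added example, not part of the thread or of Unity: it rebuilds the PEM trust bundle from a directory the way the `directoryLocations=.../*.pem` and `crlLocations=.../*.crl` globs do, then checks a user certificate's validity period and chain with the `openssl` CLI (assumed installed). The trust directory and all certificates are constructed throwaway test data standing in for `/etc/grid-security/certificates`.

```shell
#!/bin/sh
set -eu

WORK=$(mktemp -d)
TRUST="$WORK/certificates"   # stands in for /etc/grid-security/certificates
mkdir -p "$TRUST"

# Constructed test PKI: one trust anchor, one user cert it issued, and one
# self-signed cert no anchor issued (the "other CA" failure case).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Grid CA" \
        -keyout "$WORK/ca.key" -out "$TRUST/testca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test User" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/user.csr" -CA "$TRUST/testca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/user.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Untrusted" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# check_user_cert CERT TRUSTDIR: exit 0 if CERT is within its validity period
# and chains to a PEM anchor in TRUSTDIR (CRL-checked when *.crl files exist).
# Prints the reason on rejection, which the TLS handshake alone does not show.
check_user_cert() {
    cert=$1; dir=$2
    # -checkend 0 fails when the certificate is already past notAfter.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "REJECT: expired, $(openssl x509 -in "$cert" -noout -enddate)"
        return 1
    fi
    bundle=$(mktemp); crls=$(mktemp)
    cat "$dir"/*.pem > "$bundle"                 # same glob as directoryLocations
    cat "$dir"/*.crl > "$crls" 2>/dev/null || :  # same glob as crlLocations
    crlopt=""
    [ -s "$crls" ] && crlopt="-crl_check -CRLfile $crls"
    # shellcheck disable=SC2086  # crlopt is intentionally word-split
    if ! out=$(openssl verify -CAfile "$bundle" $crlopt "$cert" 2>&1); then
        echo "REJECT: $out"; rm -f "$bundle" "$crls"; return 1
    fi
    rm -f "$bundle" "$crls"
    echo "OK: $(openssl x509 -in "$cert" -noout -subject), $(openssl x509 -in "$cert" -noout -enddate)"
}
```

Run `make_test_pki` once, then point `check_user_cert` at the user's actual certificate and the real trust directory; a `REJECT: expired` line is the answer the browser's "unspecified issue with the certificate" error hides.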