Bug 4188 - trigger/container faisl on just expired proxy and can not recover
: trigger/container faisl on just expired proxy and can not recover
: Java WS Core
: 4.0.1
: All All
: P3 major
: ---
Assigned To:
  Show dependency treegraph
Reported: 2006-02-01 16:25 by
Modified: 2006-02-15 15:01 (History)

container log (33.31 KB, text/plain)
2006-02-01 16:57, mei-hui su
container log with HEAD GT (73.50 KB, text/plain)
2006-02-02 14:51, mei-hui su


You need to log in before you can comment on or make changes to this bug.

Description From 2006-02-01 16:25:18
  I have a small monitoring setup for esg that runs on X509_USER_PROXY instead
of the default host container cert/key. That proxy is being refreshed everyday
at the same time. It seems if container with trigger hit that time exactly 
right that it detects invalid proxy but even with that proxy being refreshed,
container never recovers. I have seen this on solaris 10 box using stock GT4.0.1
and also on a linux box (Using HEAD).

------- Comment #1 From 2006-02-01 16:57:01 -------
Created an attachment (id=836) [details]
container log

The proxy expired around 2006-01-24 16:12:09
replaced it with a long-live one around Jan 24 17:45
------- Comment #2 From 2006-02-02 14:51:55 -------
Created an attachment (id=839) [details]
container log with HEAD GT

the time when the proxy got renewed is:
Feb  2 12:35 x509_mei
------- Comment #3 From 2006-02-02 14:56:59 -------
  I installed a similar setup with HEAD. It looks like the problem
is not there anymore. So, I think there is no need to track this and
I just have to wait for a new release of GT.

------- Comment #4 From 2006-02-02 15:46:57 -------
So you only see this problem with GT 4.0.1 but not HEAD? It needs to be fixed 
either way.
------- Comment #5 From 2006-02-02 15:55:59 -------
Yes. only on stock 4.0.1 release. On HEAD, there are some MDS warnings coming
out after the recovery . Mike will be looking at them to make sure they
are harmless.


------- Comment #6 From 2006-02-06 15:05:55 -------
I just committed a potential fix to the 4.0 branch code. Can you please retest 
and see if you still see this error ?

------- Comment #7 From 2006-02-15 15:01:14 -------
This should be fixed now in trunk & globus_4_0_branch. The main reason for this 
bug was improper socket closing in case of expired credentials. This bug also 
uncovered a number of other issues in trunk & branch, all of them should be 
addressed now. 
The container code in branch was fixed to close the right socket in case of an 
credential error (trunk was ok). The JGlobus secure socket code was updated to 
automatically close the socket in case of error during authentication. 
Also, trunk & branch was made to behave in the same way when dealing with 
expired credentials and credential refresh. For example, if server has an 
expired credential, the client will now get a nice error message indicating so. 
Also the branch credential refresh code was improved to match trunk's.