Proxy file handling in gLExec

From PDP/Grid Wiki
Revision as of 17:04, 7 February 2010 by Okoeroo@nikhef.nl (talk | contribs)
Jump to navigationJump to search

gLExec uses four environment variables for various reasons. This section is intended to explain what they do in a pragmatic way so that you should be able to work with them.

The environment variables of interest are:

  • GLEXEC_CLIENT_CERT
  • GLEXEC_SOURCE_PROXY
  • GLEXEC_TARGET_PROXY
  • X509_USER_PROXY

GLEXEC_CLIENT_CERT

gLExec needs a (proxy) certificate as input to know who to authorize and to which account you must be mapped. The mapping and authorization decision will be based primarily on this file.

The GLEXEC_CLIENT_CERT

  • Contains a file path from the root to the file. Note: "/dir/subdir/../subdir2/proxy" is allowed.
  • Must contain a public and private key pair in this one file.
  • Must be readable by the user account calling gLExec
  • Variable must be accessible by gLExec to read.
    • Typically that means to export it into the current shell.
  • Must be set before calling gLExec.

Troubleshooting hints

When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with gLExec's input, in particular the absence of a usable GLEXEC_CLIENT_CERT: 

glexec[10301]: LCAS authorization request
glexec[10301]: lcas.mod-lcas_run_va(): Cannot find certificate chain in pem string(failure)
glexec[10301]: lcas.mod-lcas_run_va(): failed

As a result of not being able to present tokens to be authorized, the gLExec tool will exit with a 203 exit code. This indicates that the authorization of the user has failed. For more information on the gLExec exit code, please visit:

Retrieved from "https://wiki.nikhef.nl/grid/index.php?title=Proxy_file_handling_in_gLExec&oldid=4046"