gLite > gLite 3.2 > glite-GLEXEC_wn > Update to glite-GLEXEC_wn 3.2.1-0  



gLite 3.2

glite-GLEXEC_wn - Update to version 3.2.1-0

Date 07.01.2010
Priority Normal



This patch introduces the glite-GLEXEC_wn metapackage for gLite 3.2.

YAIM update:

The YAIM module is capable of configuring multiple SCAS endpoints for fail-over and fault tolerance reasons.

Configure SCAS_ENDPOINTS as a whitespace delimited variable with multiple unwhitespaced values to setup multiple endpoints, example:


which results in lcmaps.db like:

scasclient = "lcmaps_scas_client.mod"
"-capath /etc/grid-security/certificates"
"-resourcetype wn"
"-actiontype execute-now" 

Verify Proxy:
Upgrading certificate chain depth limit to the depth of the certificate chain. The OpenSSL library seems to have a build in limit of
9 certificates. This means that the verify-proxy will fail when having to check more then 9 certificate (including the CA, 
personal/service and proxies). This limit has been raised to be equal then the certificate chain itself.

The new maximum amount of delegations used by verify-proxy (using gLExec as a frontend) is roughly 200 delegations when using 1024 keys.
The next upperlimit is the 1MB limit of a maximum proxy file size being read by gLExec. Which is quite a safe limit. Other tools might 
not provide this limitation and the verify-proxy should be able to check a certificate chain as big as the memory of a machine can hold it.

A problem surfaced with the code change and it could only handle single level CAs. CAs that have a subordinate or intermediate CA that perform
the EEC signing are now supported again.

When your proxy certificate's DNs grows too large due to the use of the expanding DNs with every delegation step, then the log messages could
overflow a buffer. This is solved by truncating the log message properly. This effect has shown to happen when testing the proxy verification
with more then ~35 proxy delegations. 

Platform support:

LCMAPS is available on all 32 and 64 bit platforms for SL4, SL5, debian4 and debian5.

saml2-xacml2-c-lib is able to be build on all 32 and 64 bit platforms for SL4, SL5 and debian4. The incompatibility for debian5 64bit will
be fixed in a next release). As a result, the SCAS client and SCAS service can't build on more platforms then these platforms.

The SCAS service and SCAS Client packages can be build on an equal amount of platforms as the saml2-xacml2-c-lib. Currently on all 32 and
64 bit platforms for SL4, SL5 and debian4*.

* Upstream build issues on the debian4 platform can't be resolved, but the nightly builds were successful on debian4 32 and 64 bit.


- Solved segmentation faults when a malformed proxy was provided by the calling library or application.

- When using the lcas_pem interface (used by gLExec, SCAS and third parties) a wrong individual certificate was selected. It was first
  delegation that was selected and not the final delegation of the certificate chain. This also disturbed the call to the voms-api from a
  plugin which use the certificate and certificate chain.

- The extraction of the user's subject DN has been replaced. The Globus code calculates the RDN count of the individual certificate and 
  strips of the amount of RDNs equal to the amount of delegations. This process is error prone, causes seg.faults when used in a wrong way,
  overly complex. It's replaced by a safer approach which has been used in LCMAPS for years.

LCAS & LCMAPS Syslog problem:
Not all information was written properly to Syslog. This is improved. It's still not fully the same. Big differences might still be noticed
between the two log destinations. A lot of interesting messages are now published in syslog. The information that is left in the gap will be
investigated, but the fix is should let the syslog contain sufficient information to be able to debug LCAS and LCMAPS failure conditions.
All the information that was masked to not be send to the syslog level '0' (zero, meaning a system broadcast) is prevented by restamping the
log severity to LOG_ERR.
This update fixes various bugs. For the full list of bugs, please see list below.

Fixed bugs

Number Description
 #37755 lcas & lcmaps & glexec should be able to be configured to log everything into syslog
 #38373 [ yaim-glexec-wn ] lcas/lcmaps configurations for glexec should only support voms proxies
 #47503 [ yaim-glexec-wn ] YAIM should support multiple SCAS servers
 #50912 [Glexec] No log from LCMAPS when log_destination is syslog
 #53667 YAIM misconfigures glexec-wn on 64bit platforms
 #57642 glite-security-lcmaps-plugins-verify-proxy , problem wtih sub-CAs

Updated rpms

Name Version Full RPM name Description
edg-mkgridmap 3.0.0-1 edg-mkgridmap-3.0.0-1.noarch.rpm A tool to build the grid-mapfile
glexec-wrapper-scripts 0.0.3-1 glexec-wrapper-scripts-0.0.3-1.noarch.rpm
glite-GLEXEC_wn 3.2.1-0 glite-GLEXEC_wn-3.2.1-0.x86_64.rpm gLite metapackage (glite-GLEXEC_wn)
glite-security-glexec 0.6.8-3.sl5 glite-security-glexec-0.6.8-3.sl5.x86_64.rpm R 0.6.8-3
glite-security-lcas-interface 1.3.11-1.sl5 glite-security-lcas-interface-1.3.11-1.sl5.x86_64.rpm v. 1.3.11-1
glite-security-lcas-plugins-basic 1.3.2-3.sl5 glite-security-lcas-plugins-basic-1.3.2-3.sl5.x86_64.rpm This package contains three basic authorization plugins for LCAS: 1) allow-user module (currently the gridmapfile is used) 2) ban-user module 3) timeslots availability module
glite-security-lcas-plugins-check-executable 1.2.1-3.sl5 glite-security-lcas-plugins-check-executable-1.2.1-3.sl5.x86_64.rpm This package contains the check-executable plugin for LCAS.
glite-security-lcas-plugins-voms 1.3.5-2.1.sl5 glite-security-lcas-plugins-voms-1.3.5-2.1.sl5.x86_64.rpm v. 1.3.5-2.1
glite-security-lcas 1.3.11-3.1.sl5 glite-security-lcas-1.3.11-3.1.sl5.x86_64.rpm v. 1.3.11-3.1
glite-security-lcmaps-plugins-basic 1.3.10-2.sl5 glite-security-lcmaps-plugins-basic-1.3.10-2.sl5.x86_64.rpm This package provides the timeslot (fabric openings hours), poolaccount selection, localaccount selection, LDAP enforcement and POSIX enforcement (changing the process ownership to the mapped user
glite-security-lcmaps-plugins-scas-client 0.2.9-1.sl5 glite-security-lcmaps-plugins-scas-client-0.2.9-1.sl5.x86_64.rpm LCMAPS plugin that functions as the PEP (client side) implementation to an Site Central authZ Service
glite-security-lcmaps-plugins-verify-proxy 1.4.6-1.sl5 glite-security-lcmaps-plugins-verify-proxy-1.4.6-1.sl5.x86_64.rpm v. R_1_4_6_1
glite-security-lcmaps-plugins-voms 1.3.7-5.1.sl5 glite-security-lcmaps-plugins-voms-1.3.7-5.1.sl5.x86_64.rpm This package provides the LCMAPS plugins for specialised VOMS handling: voms_localaccount, voms_localgroup, voms_poolgroup and voms_poolacount. (It is recommended to use the voms_localgroup and voms_poolaccount)
glite-security-lcmaps 1.4.8-5.sl5 glite-security-lcmaps-1.4.8-5.sl5.x86_64.rpm v. 1.4.8-5
glite-security-saml2-xacml2-c-lib 0.0.15-5.sl5 glite-security-saml2-xacml2-c-lib-0.0.15-5.sl5.x86_64.rpm This is the C implementation of the new SAML2-XACML2 library
glite-security-voms-api-cpp 1.8.12-2.sl5 glite-security-voms-api-cpp-1.8.12-2.sl5.x86_64.rpm v.
glite-security-voms-api-c 1.8.12-2.sl5 glite-security-voms-api-c-1.8.12-2.sl5.x86_64.rpm v.
glite-yaim-glexec-wn 1.0.0-4 glite-yaim-glexec-wn-1.0.0-4.noarch.rpm glexec configuration for the WN
gridsite-shared 1.5.10-1.sl5 gridsite-shared-1.5.10-1.sl5.x86_64.rpm gridsite-shared_R_1_5_10_1
vdt_globus_essentials VDT1.10.1x86_64_rhap_5-4 vdt_globus_essentials-VDT1.10.1x86_64_rhap_5-4.x86_64.rpm Virtual Data Toolkit

The RPMs can be updated using yum via

Service reconfiguration after update

Service must be reconfigured.

Service restart after update

Not needed.

How to apply the fix

  1. Update the RPMs (see above)
  2. Update configuration (see above)
  3. Restart the service if necessary (see above)