Hi Ros,
Yes sorry, even after regenerating the credential using:
$UMDIR/bin/onlineca-get-cert-wget.sh -U https://slcs.jasmin.ac.uk/certificate/ -l jmw240 -o /work/n02/n02/jweber/cred.jasmin,
globes commands that end with / fail while those without / seem to pass.
Cheers,
James
Hi Ros,
Were Jasmin able to suggest any changes I should make?
Cheers,
James
Hi James,
Sorry for the delay.
They have suggested it might be worth deleting your ~/.globus/certificates directory on ARCHER2 and re-bootstrapping the trust roots, then regenerate the cred file and try again.
Cheers,
Ros.
Hi Ros,
I deleted the ~/.globus/certificates and repeated the steps in Configuring PPTransfer for bootstrapping the trust roots and regenerated the cred file.
However, u-cu408 reached on retrying again with the same error.
[WARN] file:atmospp.nl: skip missing optional source: namelist:moose_arch
[WARN] file:nemocicepp.nl: skip missing optional source: namelist:moose_arch
[WARN] file:atmospp.nl: skip missing optional source: namelist:script_arch
[WARN] file:nemocicepp.nl: skip missing optional source: namelist:script_arch
[WARN] [SUBPROCESS]: Command: globus-url-copy -vb -cd -r -cc 4 -verify-checksum -sync -cred /work/n02/n02/jweber/cred.jasmin /work/n02/n02/jweber/archive/u-cu408/20320101T0000Z/ gsiftp://gridftp1.jasmin.ac.uk/gws/nopw/j04/sheffield/jweber/mass_extracts/from_archer2/u-cu408/20320101T0000Z/
[SUBPROCESS]: Error = 1:
error: Unable to list destination directory for sync: gsiftp://gridftp1.jasmin.ac.uk/gws/nopw/j04/sheffield/jweber/mass_extracts/from_archer2/u-cu408/20320101T0000Z/
globus_ftp_client: the server responded with an error
500 500-Command failed. : an authentication operation failed
500-globus_gsi_callback_module: Could not verify credential
500-globus_gsi_callback_module: Error with signing policy
500-globus_gsi_callback_module: Error in OLD GAA code: The subject of the certificate “/DC=uk/DC=ac/DC=jasmin/O=STFC RAL/CN=JASMIN” does not match the signing policies defined in /home/users/jmw240/.globus/certificates/7ed47087.signing_policy
500 End.
[WARN] Transfer command failed: globus-url-copy -vb -cd -r -cc 4 -verify-checksum -sync -cred /work/n02/n02/jweber/cred.jasmin /work/n02/n02/jweber/archive/u-cu408/20320101T0000Z/ gsiftp://gridftp1.jasmin.ac.uk/gws/nopw/j04/sheffield/jweber/mass_extracts/from_archer2/u-cu408/20320101T0000Z/
[ERROR] transfer.py: Unknown Error - Return Code=1
[FAIL] Command Terminated
[FAIL] Terminating PostProc…
[FAIL] transfer.py <<‘STDIN’
[FAIL]
[FAIL] ‘STDIN’ # return-code=1
I also tried globus-url-copy -cred /work/n02/n02/jweber/cred.jasmin -vb -list gsiftp://gridftp1.jasmin.ac.uk/home/users/jmw240/ again and this failed with the “could not verify credential error”.
It is odd that some data files are being transferred successfully before it fails and there doesn’t appear to be a consistent pattern about which files are making it across.
Should I try regenerating the certificates on Jasmin?
Cheers,
James
Hi James,
I don’t know what else to suggest. The certificates have to generated on ARCHER2 so trying it on JASMIN isn’t going to help.
I’ve just tried setting up my blank test account on ARCHER2 to use gridftp; the bootstrapping and globus-url-copy -cred /work/n02/n02/rosn02/cred.jasmin -vb -list gsiftp://gridftp1.jasmin.ac.uk/home/users/rshatcher/ works as expected.
Can you confirm that you have access to the JASMIN high performance transfer service? You can check this in the JASMIN accounts portal.
Assuming that’s good I’d suggest raising this with JASMIN and maybe link to this ticket.
Cheers,
Ros.
Hi Ros,
I have access to the hpxfer and xfer-sp servers - are these the right ones?
I have just confirmed I can login to hpxfer1.jasmin.ac.uk and hpxfer2.jasmin.ac.uk on Jasmin.
Cheers,
James
Hi James (Matt from JASMIN here).
Can you confirm the exact command you used to generate your cred.jasmin file please (there are a couple of options).
Thanks
Hi Matt,
Thanks for your help on this. For the bootstrapping I ran
$UMDIR/bin/onlineca-get-trustroots-wget.sh -U https://slcs.jasmin.ac.uk/trustroots/ -b
For the credential I used the command:
$UMDIR/bin/onlineca-get-cert-wget.sh -U https://slcs.jasmin.ac.uk/certificate/ -l jmw240 -o ./cred.jasmin
following Configuring PPTransfer
Thanks,
James
Hi James,
A few questions for you:
I gather you deleted your ~/.globus/certificates directory before retrying the get-trustroots operation? Can you just confirm that was at the ARCHER2 end (not the JASMIN end …which shouldn’t matter in this case, I think)
Can you paste here please the output of the following commands (or send to me at support@jasmin.ac.uk if you prefer …but let me know which)
ls -l ~/.globus/certificates
ls -l ~/cred.jasmin
more ~/.globus/certificates/7ed47087.signing_policy
openssl x509 -noout -in ~/.globus/certificates/7ed47087.0 -text
openssl x509 -noout -in ~/cred.jasmin -text
Thanks,
Matt
Hi Matt,
I deleted the whole ~/.globus directory on Archer2 but haven’t touched the ~/.globus directory on Jasmin. I realise now that Ros meant just delete the certificates subdirectory - I hope deleting the whole thing wouldn’t cause a problem.
Below are the output from the commands:
-rw-r–r-- 1 jweber n02 1923 Mar 1 15:45 064e0aa9.0
-rw-r–r-- 1 jweber n02 195 Mar 1 15:45 064e0aa9.signing_policy
-rw-r–r-- 1 jweber n02 174 Mar 1 15:45 09746c1d.signing_policy
-rw-r–r-- 1 jweber n02 1923 Mar 1 15:45 4042bcee.0
-rw-r–r-- 1 jweber n02 1367 Mar 1 15:45 530f7122.0
-rw-r–r-- 1 jweber n02 212 Mar 1 15:45 530f7122.signing_policy
-rw-r–r-- 1 jweber n02 1281 Mar 1 15:45 7ed47087.0
-rw-r–r-- 1 jweber n02 489 Mar 1 15:45 7ed47087.signing_policy
-rw-r–r-- 1 jweber n02 1411 Mar 1 15:45 8175c1cd.0
-rw-r–r-- 1 jweber n02 59 Mar 1 15:45 8175c1cd.crl_url
-rw-r–r-- 1 jweber n02 391 Mar 1 15:45 8175c1cd.info
-rw-r–r-- 1 jweber n02 509 Mar 1 15:45 8175c1cd.namespaces
-rw-r–r-- 1 jweber n02 627 Mar 1 15:45 8175c1cd.signing_policy
-rw-r–r-- 1 jweber n02 1387 Mar 1 15:45 adcbc9ef.0
-rw-r–r-- 1 jweber n02 57 Mar 1 15:45 adcbc9ef.crl_url
-rw-r–r-- 1 jweber n02 403 Mar 1 15:45 adcbc9ef.info
-rw-r–r-- 1 jweber n02 593 Mar 1 15:45 adcbc9ef.signing_policy
ls: cannot access ‘/home/n02/n02/jweber/cred.jasmin’: No such file or directory
– I definitely created the cred.jasmin file following the command:
$UMDIR/bin/onlineca-get-cert-wget.sh -U https://slcs.jasmin.ac.uk/certificate/ -l jmw240 -o ./cred.jasmin
I do have a cred.jasmin file but it is in my /work/n02/n02/jweber directory, not my home, which makes sense as the above command was run in my /work/n02/n02/jweber directory following the first instruction of Configuring PPTransfer. Could the location of cred.jasmin be the problem?
When I run ls -l cred.jasmin in my work directory, I get
-rw------- 1 jweber n02 4186 Mar 1 15:45 cred.jasmin
access_id_CA X509 ‘/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root’
pos_rights globus CA:sign
cond_subjects globus ‘“/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA” “/C=UK/O=eScienceSLCSHierarchy/OU=Authority/CN=SL
CS Top Level CA” “/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2A” “/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2
B” “/DC=uk/DC=ac/DC=jasmin/O=STFC RAL/CN=JASMIN” “/DC=uk/DC=ac/DC=ceda/O=STFC RAL/CN=Centre for Environmental Data Analysis”’
access_id_CA X509 ‘/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root’
pos_rights globus CA:sign
cond_subjects globus ‘“/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA” “/C=UK/O=eScienceSLCSHierarchy/OU=Authority/CN=SL
CS Top Level CA” “/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2A” “/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2
B” “/DC=uk/DC=ac/DC=jasmin/O=STFC RAL/CN=JASMIN” “/DC=uk/DC=ac/DC=ceda/O=STFC RAL/CN=Centre for Environmental Data Analysis”’
jweber@ln01:/work/n02/n02/jweber> openssl x509 -noout -in ~/.globus/certificates/7ed47087.0 -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = UK, O = eScienceRoot, OU = Authority, CN = UK e-Science Root
Validity
Not Before: Oct 30 09:00:00 2007 GMT
Not After : Oct 30 09:00:00 2027 GMT
Subject: C = UK, O = eScienceRoot, OU = Authority, CN = UK e-Science Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cd:ce:46:d9:a6:50:7a:2d:c0:34:df:00:7e:7f:
78:89:68:df:e0:4a:a0:49:43:79:a7:8d:e5:28:36:
96:13:ee:d2:56:8f:72:1e:e9:1c:a4:b3:96:ac:87:
99:91:ac:93:77:d9:6f:c8:41:98:ed:25:0f:8f:7e:
74:a9:c0:df:5c:cb:53:a9:28:06:37:b5:4c:7a:9d:
ac:66:4f:72:34:e6:d2:58:5c:fd:28:f3:b0:1b:56:
9b:8a:02:fd:ba:58:04:00:a5:88:1f:70:6b:77:92:
b9:4e:11:aa:ae:f5:9f:bf:b8:27:e5:8e:2a:f6:83:
1e:f6:93:75:16:04:de:9c:a2:7b:65:de:e5:04:c8:
f0:25:de:74:23:21:d7:cf:84:74:5b:f0:95:5e:fd:
76:59:8d:44:d6:3d:dd:95:94:bb:a3:ce:2f:a7:7e:
2d:aa:50:91:49:9a:b1:72:e3:ca:33:73:72:83:d7:
80:3c:86:6a:e1:ce:aa:6c:aa:c6:e3:f1:e2:d0:d3:
b0:2d:b9:9c:aa:fe:ec:ae:64:dd:3f:a5:a6:52:7f:
8c:c9:10:97:f4:07:82:a9:c0:04:15:d0:20:bc:f3:
ae:dd:1a:f2:74:1d:33:c3:8d:03:e6:e1:b7:ef:2c:
cb:87:8d:ff:4c:cc:ba:53:63:f2:40:33:ae:eb:64:
84:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
5E:F8:1B:48:A6:77:6B:29:3C:2E:00:53:33:2B:63:A2:7B:7E:93:C0
X509v3 Authority Key Identifier:
keyid:5E:F8:1B:48:A6:77:6B:29:3C:2E:00:53:33:2B:63:A2:7B:7E:93:C0
Signature Algorithm: sha1WithRSAEncryption
93:d1:ad:24:70:4f:28:55:8c:e3:4c:6a:dd:e5:ac:af:38:8f:
af:6d:d8:98:30:6e:ff:d9:5d:9c:20:b2:88:b6:ce:c3:35:d2:
2b:10:8a:27:95:5d:02:c3:de:a9:41:28:63:45:12:22:cd:21:
c6:e5:e1:f5:90:b2:5c:6c:af:c3:a6:05:fa:42:e3:d1:5a:15:
91:e7:00:c9:e2:f6:b3:d2:a4:e6:52:9c:04:a6:c4:fd:9a:6c:
9e:86:11:db:8a:8f:c4:b1:83:3b:2d:eb:12:70:9a:ce:da:98:
83:d8:17:fa:a4:55:0c:47:52:c2:b1:c0:2a:37:b7:d3:5c:94:
a0:e8:c8:fa:b4:e8:69:5a:93:f0:33:d5:92:c1:09:fc:b0:34:
e0:2f:42:a4:ae:35:4e:55:a7:89:c2:5c:8d:c8:47:d4:a4:9b:
85:22:04:e5:ac:49:e4:5e:a8:56:43:aa:33:02:b0:e8:9c:1e:
15:1e:57:b0:e9:ea:88:19:ac:56:07:fc:96:30:db:d8:e4:af:
9b:d6:3e:5f:75:c3:1e:97:30:38:e5:b1:6e:70:e7:f5:02:0f:
a8:74:18:2c:19:96:a1:a4:58:0e:a8:ab:c1:ba:f4:ab:93:ff:
3e:89:ef:08:d8:25:58:c1:3e:3c:ea:93:e7:6f:92:45:80:78:
14:7d:9a:3c
x509: Cannot open input file /home/n02/n02/jweber/cred.jasmin, No such file or directory
x509: Use -help for summary.
Cheers,
James
Thanks, the location of the cred.jasmin file isn’t significant, as long as you’re referencing where it exists.
So please also do
openssl x509 -noout -in cred.jasmin -text
(or /work/n02/n02/jweber/cred.jasmin in your case perhaps?)
or wherever the file happens to be. Same applies to all the commands I gave you really.
Next question:
Thanks,
Matt
Hi Matt,
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = uk, DC = ac, DC = jasmin, O = STFC RAL, CN = JASMIN
Validity
Not Before: Mar 1 15:45:46 2023 GMT
Not After : Mar 31 15:45:46 2023 GMT
Subject: DC = uk/DC=ac/DC=jasmin, O = STFC RAL, CN = jmw240
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b2:10:eb:ad:bd:a1:38:a5:0d:08:30:5d:75:05:
ba:66:1d:a6:a4:fd:bd:8d:31:6f:54:1c:58:3b:8d:
21:c8:48:92:a5:f2:28:eb:56:04:85:03:51:41:2d:
73:3c:41:20:34:59:79:14:56:ee:e2:2e:70:00:96:
f3:d7:5b:ab:f1:4f:b0:8d:cd:55:90:b3:ec:4d:c5:
b7:3a:b8:b4:a3:6d:6b:7b:8b:e9:f4:32:43:46:08:
59:fa:cd:b9:61:09:b2:e2:d8:f8:d3:f8:9b:d5:a6:
eb:f3:f7:0a:ae:13:c6:92:09:b6:d7:8b:56:1d:c9:
9c:e8:6f:05:14:60:9f:85:cb:a1:58:ca:bd:9c:c8:
09:0f:75:6c:3a:96:8d:f5:91:e6:df:c8:af:e0:01:
01:bc:6a:e7:49:af:12:66:4d:c7:26:0d:a3:bb:16:
b8:66:90:b9:9f:03:36:d7:3e:ab:0b:97:fd:4b:45:
44:8a:54:48:ec:4c:8a:63:89:51:e2:e9:e9:11:16:
6b:2e:56:f9:4f:b0:1c:df:59:63:5f:80:d9:66:5a:
7a:c6:2e:c1:a6:a6:57:fd:02:6a:d9:14:a2:55:f9:
46:ed:70:c5:8a:df:f9:94:5f:ac:49:cf:a6:db:e9:
7f:5e:ea:20:05:79:c1:c7:4a:a4:80:69:16:5d:49:
fc:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
be:c6:0c:f0:a4:da:9c:f1:3e:78:09:27:60:84:42:62:3f:bf:
93:f4:37:8c:f5:de:03:f6:bb:14:87:2f:dc:ea:8c:e9:9c:68:
d3:09:79:f7:80:b9:c7:50:ed:71:99:48:d1:b3:60:bd:b2:b4:
13:72:24:a9:56:1f:9c:79:7a:dd:22:c2:56:87:0e:0f:c0:09:
60:f4:58:04:b3:77:30:57:88:99:3c:91:0c:43:0a:8a:7b:56:
3d:37:a5:c3:b3:92:86:81:e0:ea:6a:c5:2f:5b:8f:fa:bf:1c:
f1:ab:b3:a5:78:03:ba:d1:ed:8e:ce:b6:56:97:42:be:28:52:
ac:3b:e9:6b:77:e0:ba:92:0d:79:0d:cc:0b:e0:45:a0:9f:3b:
9b:d3:7c:ab:df:83:61:56:4b:78:52:be:39:07:fd:81:8d:52:
48:ae:df:ac:40:6d:d5:15:75:1d:bf:7e:37:33:fd:95:a9:fa:
bf:d4:50:96:3b:33:3b:89:fd:d9:b6:c2:91:ad:03:6a:72:55:
ae:ce:7c:a5:94:79:f7:fb:59:b8:21:1e:f4:80:11:a9:4f:05:
8c:3c:e3:5a:e6:3c:c5:eb:8d:c3:04:a1:69:da:e5:26:47:c9:
04:ba:fb:95:dc:4b:62:a2:7b:d5:2b:84:f2:90:0d:ad:fa:d8:
d7:33:ce:ae
I don’t have a .globus directory in /work/n02/n02/jweber.
Thanks,
James
Thanks, no quick answer I’m afraid but i’ll keep thinking…
Thanks, Matt.
Please let me know if you need any more info.
James
Hi Ros,
In light of the problems I’m having regarding the automatic transfer of files to Jasmin, would be it be possible to have my Archer2 storage quota increased so that I can continue to run, even just temporarily? I will continue to do manual data transfers to Jasmin and then remove the data from Archer2 but a larger storage quota would allow me to do longer periods of running in between data transfers. At present I am running 1 year stints which is quite time consuming given I have to regenerate all the initialisation files etc.
Cheers,
James
Hi James,
I’ve increased your ARCHER2 quota.
I’m not quite sure what you mean about having to regenerate all the initialisation files after each year. You should be able to just restart/extend the suite as normal.
Cheers,
Ros.
Thanks, Ros.
Right, perhaps I misunderstood. In terms of regenerate the initialisation files, I thought I had to run the rebuild_nemo scripts on the NEMOhist output in the cylc-run/suite-id/share/data/History_Data/NEMOhist directory and then point the suite to use these along with the new atmospheric and CICE dump files. Is that not necessary?
Is there another way to restart/extend the suite once a run has finished?
Cheers,
James
Hi James,
No, you don’t need to rebuild the NEMO files or change the suite to point to the new start files.
Just change the run length in the GUI and do a rose suite-run --restart. The suite will then pick up where it left off.
See example in our training docs: Restarting a suite - extending a run
Cheers,
Ros.
Hi Ros,
For some reason I’d never realised that, many thanks for highlighting this. I assume rebuilding the NEMO files and using these and the CICE and atmosphere dump files as I have done in the past would have the same effect?
Cheers,
James
Hi Ros, I’ve tried some other options but haven’t been able to get the transfer to work. Is there any chance of getting an increase to my Archer2 storage quota?
Cheers,
James