irods-contrib / metalnx-web

Metalnx Web Application
https://metalnx.github.io/
BSD 3-Clause "New" or "Revised" License

Metalnx Authentication Error #2

Closed ghost closed 7 years ago

ghost commented 7 years ago

When you start up Metalnx for the first time, you see an authentication error like this:

(screenshot: metalnx-web-ui-invalid-username)

First, double check your username and password. You might have a typo in one of those two fields that is causing the error.

If your credentials seem to be correct, there is also a chance that your database is not accessible by the Metalnx UI. Either the firewall is blocking access, you typed the wrong database credentials when you ran the setup script, or even the database itself is not allowing Metalnx to open up a connection.

If you have a similar problem, please check our document on How to Configure the Metalnx Database. We have updated it to explain in more detail what has to be done to configure the DB properly. Also, check the Accessing Metalnx section for other important details about DB credentials.

felipegutierrez commented 7 years ago

Hello, so did you get to log in to metalnx-web? I am trying to install and I am stuck at the point of connecting to the MySQL DB. I already created the database by hand and also created the metalnx user.

[*] Executing config_database (7/13)
   - It will configure database access
Enter the Metalnx Database type (mysql, postgresql) [mysql]: 
Enter Metalnx Database Host [localhost]: 
Enter Metalnx Database Port [3306]: 
Enter Metalnx Database Name [metalnx]: 
Enter Metalnx Database User [root]: metalnx
Enter Metalnx Database Password (it will not be displayed): 
    * No DB connection test modules detected. Skiping DB connection test.
    * Notice that if your DB params are incorrect, Metalnx will not work as expected.
    * To change these parameters, execute the configuration script again.
ghost commented 7 years ago

@felipegutierrez these warnings do not necessarily mean that you cannot connect to the database.

The Metalnx setup script uses two python libraries to test the db connection: psycopg2 (for Postgres) and MySQLdb (for MySQL).

When none of those packages are available, the script displays these warnings to tell you that it is not going to test the db params you provided.

If you want to get rid of them, simply install the MySQLdb package (click here to find instructions on how to do that).

If you do not want to install any package in your environment, just proceed until the end of the script. But make sure you have the correct DB credentials, otherwise you'll get an authentication error on the UI.

felipegutierrez commented 7 years ago

Hi @ajguerra. I already installed the packages (yum install MySQL-python). But even going forward with the script I receive an error that I cannot connect to iRODS. Through the terminal I can connect to iRODS and run icommands normally. I wonder if my problem is because my iRODS authentication is made by SSL+PAM with my user "felipe". But when I try to connect using the rods user, my iRODS just uses SSL. However, I didn't configure anything about SSL in Metalnx.

[*] Executing config_irods (8/13)
   - It will configure iRODS access
Enter iRODS Host [localhost]: 
Enter iRODS Port [1247]: 
Enter iRODS Zone [tempZone]: 
Enter Authentication Schema (STANDARD, GSI, PAM, KERBEROS) [STANDARD]: 
Enter iRODS Admin User [rods]: 
Enter iRODS Admin Password (it will not be displayed): 
    * Testing iRODS connection...
[ERROR]: Metalnx was not able to contact iRODS server. Check your parameters and try again.
ghost commented 7 years ago

Have you tried using PAM authentication in the script?

Your iRODS is setup to authenticate users using PAM and within the script you are setting STANDARD authentication.

felipegutierrez commented 7 years ago

Yes, I tested with PAM but I had the same error. I wonder if there is some error log or other commands I could use to test what is wrong with my system, since my iRODS is working well.... Please look at what I tried and also the error from the jar file.

root@fedora20 emc]# java -jar /opt/emc/test-connection.jar localhost 1247 felipe 123456 tempZone PAM
[main] INFO  connection.IRODSSimpleProtocolManager  - creating simple protocol manager
[main] INFO  pub.IRODSFileSystem  - IRODSfileSystem is initialized
[main] INFO  pub.IRODSAccessObjectFactoryImpl  - authenticateIRODSAccount()
[main] WARN  connection.IRODSSession  - closing session that is already closed, silently ignore
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - instance() method...calling connection life cycle
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - create connection....
[main] INFO  connection.IRODSTCPConnectionFactoryImpl  - instance()
[main] INFO  connection.AbstractConnection  - AbstractConnection()
[main] INFO  connection.AbstractConnection  - opening irods socket
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ...have connection, now authenticate given the auth scheme in the iRODS account...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate()
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - get auth mechanism
[main] INFO  connection.AuthenticationFactoryImpl  - instanceAuthMechanism()
[main] INFO  connection.AuthenticationFactoryImpl  - authScheme:PAM
[main] INFO  connection.AuthenticationFactoryImpl  - using PAM auth
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate...
[main] INFO  connection.AuthMechanism  - startup response:StartupResponseData:
   status:-1825000
   relVersion:rods4.1.9
   apiVersion:d
   reconnPort:0
   reconnAddr:
   cookie:400
[main] INFO  connection.AuthMechanism  - startSSL for PAM auth
[main] ERROR connection.AbstractConnection  - read length is set to zero
[main] ERROR connection.AbstractIRODSMidLevelProtocol  - io exception
java.io.IOException: read length is set to zero
    at org.irods.jargon.core.connection.AbstractConnection.read(AbstractConnection.java:555)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocol.readHeader(AbstractIRODSMidLevelProtocol.java:1011)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocol.readMessage(AbstractIRODSMidLevelProtocol.java:646)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocol.readMessage(AbstractIRODSMidLevelProtocol.java:629)
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.irodsFunction(IRODSMidLevelProtocol.java:231)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocol.irodsFunction(AbstractIRODSMidLevelProtocol.java:174)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocol.irodsFunction(AbstractIRODSMidLevelProtocol.java:571)
    at org.irods.jargon.core.connection.PAMAuth.processAuthenticationAfterStartup(PAMAuth.java:44)
    at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:81)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:255)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:103)
    at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:146)
    at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:69)
    at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:448)
    at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:337)
    at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.authenticateIRODSAccount(IRODSAccessObjectFactoryImpl.java:80)
    at com.emc.metalnx.irods.connection.MlxIRODSConnectionTest.main(MlxIRODSConnectionTest.java:38)
[main] WARN  connection.AbstractIRODSMidLevelProtocol  - partial connection, not authenticated, forcefully shut down the socket
ghost commented 7 years ago

I tested the jar file here, and look what we usually get when something is wrong with PAM authentication.

# java -jar test-connection.jar localhost 1247 rods rods tempZone PAM
[main] INFO  connection.IRODSSimpleProtocolManager  - creating simple protocol manager
[main] INFO  pub.IRODSFileSystem  - IRODSfileSystem is initialized
[main] INFO  pub.IRODSAccessObjectFactoryImpl  - authenticateIRODSAccount()
[main] WARN  connection.IRODSSession  - closing session that is already closed, silently ignore
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - instance() method...calling connection life cycle
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - create connection....
[main] INFO  connection.IRODSTCPConnectionFactoryImpl  - instance()
[main] INFO  connection.AbstractConnection  - AbstractConnection()
[main] INFO  connection.AbstractConnection  - opening irods socket
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ...have connection, now authenticate given the auth scheme in the iRODS account...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate()
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - get auth mechanism
[main] INFO  connection.AuthenticationFactoryImpl  - instanceAuthMechanism()
[main] INFO  connection.AuthenticationFactoryImpl  - authScheme:PAM
[main] INFO  connection.AuthenticationFactoryImpl  - using PAM auth
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate...
[main] INFO  connection.AuthMechanism  - startup response:StartupResponseData:
   status:0
   relVersion:rods4.1.9
   apiVersion:d
   reconnPort:20040
   reconnAddr:tpa-eld6142
   cookie:830592773
[main] INFO  connection.AuthMechanism  - startSSL for PAM auth
[main] ERROR connection.AuthMechanism  - ssl exception in handshake
java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:209)
        at java.net.SocketInputStream.read(SocketInputStream.java:141)
        at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
        at sun.security.ssl.InputRecord.read(InputRecord.java:503)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.irods.jargon.core.connection.PAMAuth.processAuthenticationAfterStartup(PAMAuth.java:86)
        at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:81)
        at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:255)
        at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:103)
        at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:146)
        at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:69)
        at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:448)
        at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:337)
        at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.authenticateIRODSAccount(IRODSAccessObjectFactoryImpl.java:80)
        at com.emc.metalnx.irods.connection.MlxIRODSConnectionTest.main(MlxIRODSConnectionTest.java:38)

You have some log entries that differ from the ones I got. You also get a -1825000 response status, which is a SERVER_NEGOTIATION_ERROR.

I know that read length is set to zero does not help us very much, Jargon throws it for many different types of errors (sometimes restarting the iRODS service gets rid of it, but if your iRODS is in production a service restart would not be desired).

Give me a little more time to debug that and I'll get back to you as soon as I find a solution or the reason why this is happening.

felipegutierrez commented 7 years ago

Hello @ajguerra, is there anything I can do to help on this issue? For example, if you pass me the java project I can deploy it on my machine and test it in my environment, if it is possible. If not, do not worry, I will wait... thanks

ghost commented 7 years ago

Hi @felipegutierrez, I'm sorry for replying to you only now. Too many things going on.

Anyways, I just posted the code that tests the connection with iRODS (used by the Metalnx setup script).

Check out this new repo.

ghost commented 7 years ago

@felipegutierrez I managed to authenticate myself to iRODS using the test connection jar file.

It is not very straightforward to set up PAM authentication in iRODS. So, make sure you have it really operational. There are some great resources you can check out:

SSL and PAM - UGM 2016
Setting up iRODS - PAM Authentication
iRODS PAM Documentation

I'll write down all I had to do to make it work and what my config files look like.

First, I created a unix user arthur with password arthur by running:

   $ sudo useradd arthur
   $ sudo passwd arthur

arthur will be the user I will use to authenticate in iRODS.

iRODS configuration

This user still needs to be added to the iRODS database. I did that by running

    $ iadmin mkuser arthur rodsuser

I also changed the irods_environment.json file. I added the following line:

   "irods_authentication_scheme": "PAM"

iRODS comes with a tool used for testing basic PAM authentication. You can run it to check if you are able to authenticate:

   iRODS/server/bin/PamAuthCheck arthur

Note that this program waits for you to type the password without any prompt. So, after running the command above ensure that you type your password correctly. This tool returns Authenticated or Not Authenticated.

iRODS PAM file

Next, I had to configure the iRODS PAM file. To do that, I created a file in /etc/pam.d/ named irods.

   sudo su - root -c 'echo "auth sufficient pam_unix.so" > /etc/pam.d/irods' 

In this case, I used the pam_unix.so module for traditional password authentication.

Double checking...

   $ cat /etc/pam.d/irods
   auth sufficient pam_unix.so

Certificates

After setting up the PAM file, it is time to work with certificates. I placed both my certificate and secret key in /etc/irods/ssl.

   $ mkdir /etc/irods/ssl
   $ cd /etc/irods/ssl
   $ openssl genrsa -out server.key                                     # generate an RSA key
   $ openssl req -new -x509 -key server.key -out server.crt -days 365   # Generate self-signed certificate

The steps above were used to create the private key and a self-signed certificate. The iRODS documentation recommends the creation of a chain file, but since I did not have my certificate issued by a CA, I just renamed my crt file to chain.pem only for consistency.

Then, I generated Diffie-Hellman parameters:

  $ openssl dhparam -2 -out dhparams.pem 2048

/etc/irods/ssl should be:

$ ls -l /etc/irods/ssl
total 12
-rw-rw-r-- 1 irods irods 1277 Dec 13 01:48 chain.pem
-rw-rw-r-- 1 irods irods  424 Dec 13 01:50 dhparams.pem
-rw-rw-r-- 1 irods irods 1675 Dec 13 01:46 server.key

irods_environment.json

With my certificate and private key ready, I modified the irods_environment.json file

{
    "irods_host": "tpa-eld6020",
    "irods_port": 1247,
    "irods_default_resource": "demoResc",
    "irods_home": "/pamZone/home/arthur",
    "irods_cwd": "/pamZone/home/arthur",
    "irods_user_name": "arthur",
    "irods_zone_name": "pamZone",
    "irods_authentication_scheme": "PAM",
    "irods_client_server_negotiation": "request_server_negotiation",
    "irods_client_server_policy": "CS_NEG_REQUIRE",
    "irods_encryption_key_size": 32,
    "irods_encryption_salt_size": 8,
    "irods_encryption_num_hash_rounds": 16,
    "irods_encryption_algorithm": "AES-256-CBC",
    "irods_default_hash_scheme": "SHA256",
    "irods_match_hash_policy": "compatible",
    "irods_server_control_plane_port": 1248,
    "irods_server_control_plane_key": "TEMPORARY__32byte_ctrl_plane_key",
    "irods_server_control_plane_encryption_num_hash_rounds": 16,
    "irods_server_control_plane_encryption_algorithm": "AES-256-CBC",
    "irods_maximum_size_for_single_buffer_in_megabytes": 32,
    "irods_default_number_of_transfer_threads": 4,
    "irods_transfer_buffer_size_for_parallel_transfer_in_megabytes": 4,
    "irods_ssl_certificate_chain_file": "/etc/irods/ssl/chain.pem",
    "irods_ssl_certificate_key_file": "/etc/irods/ssl/server.key",
    "irods_ssl_dh_params_file": "/etc/irods/ssl/dhparams.pem",
    "irods_ssl_ca_certificate_file": "/etc/irods/ssl/chain.pem"
}

Restart the iRODS service:

./iRODS/irodsctl restart

Log in to iRODS

After all that configuration, I tried to iinit a new session in iRODS as arthur:

$ iinit 
Enter your current PAM password:
$ ils
/pamZone/home/arthur

If you are able to log in, that's great.

Java

Now, you need to make the Metalnx test connection jar work with PAM. Since the Metalnx test connection is developed in Java, we need to tell the JVM to trust our certificate. I think that is the part you are missing.

I did that by running the following command:

keytool -import -alias irodscertificate -file /etc/irods/ssl/chain.pem -keystore irodskeystore

The command above will create a keystore called irodskeystore. This keystore is trusted by Java. From now on, we just need to specify where this keystore is in order for the Metalnx test connection to work.

You can do that by running the java -jar command with the -Djavax.net.ssl.trustStore parameter.

java -Djavax.net.ssl.trustStore=path/to/irodskeystore -jar metalnx-test-connection.jar tpa-eld6020 1247 arthur arthur pamZone PAM

(screenshots: pam_metalnx-test-connection, pam_metalnx-test-connection2)
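An added example, not from the thread or the Metalnx project: a small Python lint for an irods_environment.json like the one above that checks the keys this setup turns on (PAM scheme, server negotiation, the four SSL file paths), that each SSL file holds the PEM block type its key implies, that the private key is not group/world readable (the ls -l above shows 664), and that the shipped control plane placeholder key was replaced. The file table and PEM bodies are constructed inline; load_real_files is a hypothetical helper for building the same table from a host, and the CS_NEG_REFUSE rule assumes, as the "startSSL for PAM auth" log lines indicate, that PAM auth runs over SSL.

```python
import os
import re
from typing import Dict, List

# Expected PEM block type for each SSL file key in irods_environment.json;
# "PRIVATE KEY" also matches the "RSA PRIVATE KEY" header that openssl genrsa writes.
EXPECTED_PEM = {
    "irods_ssl_certificate_chain_file": "CERTIFICATE",
    "irods_ssl_certificate_key_file": "PRIVATE KEY",
    "irods_ssl_dh_params_file": "DH PARAMETERS",
    "irods_ssl_ca_certificate_file": "CERTIFICATE",
}
# Placeholder control plane key shipped with iRODS 4.1; it appears verbatim in
# both configs posted in this thread and should be replaced on a real zone.
DEFAULT_CTRL_PLANE_KEY = "TEMPORARY__32byte_ctrl_plane_key"
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.M)


def pem_block_types(text: str) -> List[str]:
    """Return the PEM block types found in a file, e.g. ['CERTIFICATE']."""
    return PEM_BEGIN.findall(text)


def check_irods_env(env: Dict, files: Dict[str, Dict]) -> List[str]:
    """Lint an irods_environment.json dict for a PAM-over-SSL client setup.
    `files` maps path -> {"pem": <file text>, "mode": <st_mode>} so the check
    runs offline on constructed data; load_real_files() builds it from a host."""
    findings = []
    scheme = env.get("irods_authentication_scheme")
    if scheme != "PAM":
        findings.append(f"irods_authentication_scheme is {scheme!r}; expected 'PAM'")
    if env.get("irods_client_server_negotiation") != "request_server_negotiation":
        findings.append("irods_client_server_negotiation is not "
                        "'request_server_negotiation', so SSL is never negotiated")
    # Assumption from the log lines above ("startSSL for PAM auth"): PAM auth
    # needs the SSL channel, so a policy that refuses SSL cannot work.
    if env.get("irods_client_server_policy") == "CS_NEG_REFUSE":
        findings.append("irods_client_server_policy CS_NEG_REFUSE turns SSL off")
    if env.get("irods_server_control_plane_key") == DEFAULT_CTRL_PLANE_KEY:
        findings.append("irods_server_control_plane_key is the shipped placeholder; "
                        "set a unique 32-byte key")
    for key, want in EXPECTED_PEM.items():
        path = env.get(key)
        if not path:
            findings.append(f"{key} is not set")
            continue
        info = files.get(path)
        if info is None:
            findings.append(f"{key}: {path} does not exist")
            continue
        types = pem_block_types(info["pem"])
        if not any(want in t for t in types):
            findings.append(f"{key}: {path} holds {types or 'no PEM block'}, expected {want}")
        # The ls -l above shows server.key as mode 664, i.e. every local user can
        # read the server's private key; flag any group/other permission bits.
        if key == "irods_ssl_certificate_key_file" and info["mode"] & 0o077:
            findings.append(f"{key}: {path} is mode {oct(info['mode'] & 0o777)}; "
                            "a private key should be 0600")
    return findings


def load_real_files(env: Dict) -> Dict[str, Dict]:
    """Hypothetical on-host helper: read the files env points at into the
    mapping check_irods_env() expects. Paths that do not exist are left out."""
    files = {}
    for key in EXPECTED_PEM:
        path = env.get(key)
        if path and os.path.isfile(path):
            with open(path) as fh:
                files[path] = {"pem": fh.read(), "mode": os.stat(path).st_mode}
    return files


def make_pem(kind: str) -> str:
    # Constructed PEM file with a dummy body; only the header matters here.
    return f"-----BEGIN {kind}-----\nQUJDREVG\n-----END {kind}-----\n"

# Constructed sample in the shape of the second config in this thread, whose
# dh params entry points at server.pem instead of dhparams.pem.
SAMPLE_ENV = {
    "irods_authentication_scheme": "PAM",
    "irods_client_server_negotiation": "request_server_negotiation",
    "irods_client_server_policy": "CS_NEG_REQUIRE",
    "irods_server_control_plane_key": DEFAULT_CTRL_PLANE_KEY,
    "irods_ssl_certificate_chain_file": "/etc/irods/ssl/chain.pem",
    "irods_ssl_certificate_key_file": "/etc/irods/ssl/server.key",
    "irods_ssl_dh_params_file": "/etc/irods/ssl/server.pem",
    "irods_ssl_ca_certificate_file": "/etc/irods/ssl/chain.pem",
}
# Constructed file table; modes copy the 664 shown in the ls -l output above.
SAMPLE_FILES = {
    "/etc/irods/ssl/chain.pem": {"pem": make_pem("CERTIFICATE"), "mode": 0o100664},
    "/etc/irods/ssl/server.key": {"pem": make_pem("RSA PRIVATE KEY"), "mode": 0o100664},
    "/etc/irods/ssl/server.pem": {"pem": make_pem("CERTIFICATE"), "mode": 0o100664},
    "/etc/irods/ssl/dhparams.pem": {"pem": make_pem("DH PARAMETERS"), "mode": 0o100664},
}

if __name__ == "__main__":
    for finding in check_irods_env(SAMPLE_ENV, SAMPLE_FILES):
        print("-", finding)
```

On a real host, `check_irods_env(json.load(open(path)), load_real_files(env))` runs the same checks against the actual files.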

felipegutierrez commented 7 years ago

Hi @ajguerra, so I see some differences between our configurations and I also did some things differently from what you asked. In the end it is still not working, but I will describe the differences here.

First I am using iRODS 4.1.9, I saw you are using iRODS 4.1.8 and I am not sure if it influences a lot.

I could only compile this test connection project with 4.1.10.0-SNAPSHOT</jargon.version>. So I generated metalnx-connection-test-1.0-SNAPSHOT-jar-with-dependencies.jar and I copied this file to /opt/emc/test-connection.jar.

My PAM config file was different, but it was working with this configuration.

cat /etc/pam.d/irods
auth        required      pam_env.so
auth        sufficient    pam_unix.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

However I changed to be like yours.

Before executing the installation again I ran the test like you said. It looks like I still have the status -1825000 that is different from yours.

[root@fedora20 ~]# java -Djavax.net.ssl.trustStore=/etc/irods/ssl/irodskeystore -jar /opt/emc/metalnx-connection-test-1.0-SNAPSHOT-jar-with-dependencies.jar fedora20.ebioscience.amc.nl 1247 felipe 123456 tempZone PAM
[main] INFO  connection.IRODSSimpleProtocolManager  - creating simple protocol manager
[main] INFO  connection.IRODSSession  - setting system prop for TLS...
[main] INFO  connection.IRODSSession  - checkInitTrustManager()
[main] INFO  pub.IRODSFileSystem  - IRODSfileSystem is initialized
[main] INFO  pub.IRODSAccessObjectFactoryImpl  - authenticateIRODSAccount()
[main] WARN  connection.IRODSSession  - closing session that is already closed, silently ignore
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - instance() method...calling connection life cycle
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - create connection....
[main] INFO  connection.IRODSTCPConnectionFactoryImpl  - instance()
[main] INFO  connection.AbstractConnection  - AbstractConnection()
[main] INFO  connection.AbstractConnection  - using default negotiation policy:ClientServerNegotiationPolicy [sslNegotiationPolicy=NO_NEGOTIATION]
[main] INFO  connection.AbstractConnection  - opening irods socket
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ...have connection, now authenticate given the auth scheme in the iRODS account...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate()
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - get auth mechanism
[main] INFO  connection.AuthenticationFactoryImpl  - instanceAuthMechanism()
[main] INFO  connection.AuthenticationFactoryImpl  - authScheme:PAM
[main] INFO  connection.AuthenticationFactoryImpl  - using PAM auth
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate...
[main] INFO  connection.AuthMechanism  - sendStartupPacket()
[main] INFO  connection.AuthMechanism  - clientServerNegotiationHook()
[main] INFO  connection.AuthMechanism  - startup response:StartupResponseData:
   status:-1825000
   relVersion:rods4.1.9
   apiVersion:d
   reconnPort:0
   reconnAddr:
   cookie:400
[main] INFO  connection.AuthMechanism  - will wrap commands with ssl
[main] INFO  connection.AuthMechanism  - not ssl wrapped, use an SSL connection for the pam auth
[main] INFO  connection.SslConnectionUtilities  - startSSL for PAM auth
[main] WARN  connection.IRODSSession  - discarding irods session for: irods://felipe@fedora20.ebioscience.amc.nl:1247
[main] WARN  connection.IRODSSession  - discarding session that is already closed, silently ignore
[main] WARN  connection.AbstractIRODSMidLevelProtocol  - partial connection, not authenticated, forcefully shut down the socket
[root@fedora20 ~]# java -Djavax.net.ssl.trustStore=/etc/irods/ssl/irodskeystore -jar /opt/emc/metalnx-connection-test-1.0-SNAPSHOT-jar-with-dependencies.jar fedora20.ebioscience.amc.nl 1247 rods 123456 tempZone STANDARD
[main] INFO  connection.IRODSSimpleProtocolManager  - creating simple protocol manager
[main] INFO  connection.IRODSSession  - setting system prop for TLS...
[main] INFO  connection.IRODSSession  - checkInitTrustManager()
[main] INFO  pub.IRODSFileSystem  - IRODSfileSystem is initialized
[main] INFO  pub.IRODSAccessObjectFactoryImpl  - authenticateIRODSAccount()
[main] WARN  connection.IRODSSession  - closing session that is already closed, silently ignore
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - instance() method...calling connection life cycle
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - create connection....
[main] INFO  connection.IRODSTCPConnectionFactoryImpl  - instance()
[main] INFO  connection.AbstractConnection  - AbstractConnection()
[main] INFO  connection.AbstractConnection  - using default negotiation policy:ClientServerNegotiationPolicy [sslNegotiationPolicy=NO_NEGOTIATION]
[main] INFO  connection.AbstractConnection  - opening irods socket
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ...have connection, now authenticate given the auth scheme in the iRODS account...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate()
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - get auth mechanism
[main] INFO  connection.AuthenticationFactoryImpl  - instanceAuthMechanism()
[main] INFO  connection.AuthenticationFactoryImpl  - authScheme:STANDARD
[main] INFO  connection.AuthenticationFactoryImpl  - using standard auth
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate...
[main] INFO  connection.AuthMechanism  - sendStartupPacket()
[main] INFO  connection.AuthMechanism  - clientServerNegotiationHook()
[main] INFO  connection.AuthMechanism  - startup response:StartupResponseData:
   status:-1825000
   relVersion:rods4.1.9
   apiVersion:d
   reconnPort:0
   reconnAddr:
   cookie:400
[main] INFO  connection.StandardIRODSAuth  - authenticate
[main] INFO  connection.StandardIRODSAuth  - sending standard irods password
[main] ERROR connection.AuthMechanism  - io exception
java.net.SocketException: Broken pipe
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:113)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:159)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.irods.jargon.core.connection.AbstractConnection.flush(AbstractConnection.java:532)
    at org.irods.jargon.core.connection.AuthMechanism.sendAuthRequestAndGetChallenge(AuthMechanism.java:262)
    at org.irods.jargon.core.connection.StandardIRODSAuth.sendStandardPassword(StandardIRODSAuth.java:43)
    at org.irods.jargon.core.connection.StandardIRODSAuth.processAuthenticationAfterStartup(StandardIRODSAuth.java:132)
    at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:217)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:241)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:103)
    at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:146)
    at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:69)
    at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:511)
    at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:400)
    at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.authenticateIRODSAccount(IRODSAccessObjectFactoryImpl.java:80)
    at com.emc.metalnx.irods.connection.MlxIRODSConnectionTest.main(MlxIRODSConnectionTest.java:55)
java.net.SocketException: Broken pipe
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:113)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:159)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.irods.jargon.core.connection.AbstractConnection.flush(AbstractConnection.java:532)
    at org.irods.jargon.core.connection.AuthMechanism.sendAuthRequestAndGetChallenge(AuthMechanism.java:262)
    at org.irods.jargon.core.connection.StandardIRODSAuth.sendStandardPassword(StandardIRODSAuth.java:43)
    at org.irods.jargon.core.connection.StandardIRODSAuth.processAuthenticationAfterStartup(StandardIRODSAuth.java:132)
    at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:217)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:241)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:103)
    at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:146)
    at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:69)
    at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:511)
    at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:400)
    at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.authenticateIRODSAccount(IRODSAccessObjectFactoryImpl.java:80)
    at com.emc.metalnx.irods.connection.MlxIRODSConnectionTest.main(MlxIRODSConnectionTest.java:55)
ghost commented 7 years ago

What happens when you run iRODS/server/bin/PamAuthCheck felipe? Do you get an Authenticated response back? Is iinit working for the user felipe?

Can you paste here your iRODS irods_environment.json file?

felipegutierrez commented 7 years ago

bash-4.2$ iRODS/server/bin/PamAuthCheck felipe
123456
Authenticated
bash-4.2$ iinit 
Enter your current PAM password:
bash-4.2$ ils
/tempZone/home/felipe:
  .DS_Store
  ._.DS_Store
  report-2016-12-7.out
  C- /tempZone/home/felipe/amc
  C- /tempZone/home/felipe/Pictures
  C- /tempZone/home/felipe/util
bash-4.2$ cat .irods/irods_environment.json
{
    "irods_host": "fedora20.ebioscience.amc.nl",
    "irods_port": 1247,
    "irods_home": "/tempZone/home/felipe",
    "irods_cwd": "/tempZone/home/felipe",
    "irods_user_name": "felipe",
    "irods_zone_name": "tempZone",
    "irods_authentication_scheme": "PAM",
    "irods_client_server_negotiation": "request_server_negotiation",
    "irods_client_server_policy": "CS_NEG_REQUIRE",
    "irods_encryption_key_size": 32,
    "irods_encryption_salt_size": 8,
    "irods_encryption_num_hash_rounds": 16,
    "irods_encryption_algorithm": "AES-256-CBC",
    "irods_default_hash_scheme": "SHA256",
    "irods_match_hash_policy": "compatible",
    "irods_server_control_plane_port": 1248,
    "irods_server_control_plane_key": "TEMPORARY__32byte_ctrl_plane_key",
    "irods_server_control_plane_encryption_num_hash_rounds": 16,
    "irods_server_control_plane_encryption_algorithm": "AES-256-CBC",
    "irods_maximum_size_for_single_buffer_in_megabytes": 32,
    "irods_default_number_of_transfer_threads": 4,
    "irods_transfer_buffer_size_for_parallel_transfer_in_megabytes": 4,
    "irods_ssl_certificate_chain_file": "/etc/irods/ssl/chain.pem",
    "irods_ssl_certificate_key_file": "/etc/irods/ssl/server.key",
    "irods_ssl_dh_params_file": "/etc/irods/ssl/server.pem",
    "irods_ssl_ca_certificate_file": "/etc/irods/ssl/chain.pem"
}

I got this INFO: [main] INFO connection.AbstractConnection - using default negotiation policy:ClientServerNegotiationPolicy [sslNegotiationPolicy=NO_NEGOTIATION] and you got: [main] INFO connection.AbstractConnection - opening irods socket

ghost commented 7 years ago

I do not think the iRODS version is the issue. I just ran the test connection JAR against an iRODS 4.1.9 instance and it worked fine.

# java -Djavax.net.ssl.trustStore=/etc/irods/ssl/irodskeystore -jar metalnx-connection-test-1.0-SNAPSHOT-jar-with-dependencies.jar tpa-eld6400.tpa-eld.localdomain 1247 arthur arthur tempZone PAM
[main] INFO  connection.IRODSSimpleProtocolManager  - creating simple protocol manager
[main] INFO  connection.IRODSSession  - setting system prop for TLS...
[main] INFO  connection.IRODSSession  - checkInitTrustManager()
[main] INFO  pub.IRODSFileSystem  - IRODSfileSystem is initialized
[main] INFO  pub.IRODSAccessObjectFactoryImpl  - authenticateIRODSAccount()
[main] WARN  connection.IRODSSession  - closing session that is already closed, silently ignore
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - instance() method...calling connection life cycle
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - create connection....
[main] INFO  connection.IRODSTCPConnectionFactoryImpl  - instance()
[main] INFO  connection.AbstractConnection  - AbstractConnection()
[main] INFO  connection.AbstractConnection  - using default negotiation policy:ClientServerNegotiationPolicy [sslNegotiationPolicy=NO_NEGOTIATION]
[main] INFO  connection.AbstractConnection  - opening irods socket
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ...have connection, now authenticate given the auth scheme in the iRODS account...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate()
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - get auth mechanism
[main] INFO  connection.AuthenticationFactoryImpl  - instanceAuthMechanism()
[main] INFO  connection.AuthenticationFactoryImpl  - authScheme:PAM
[main] INFO  connection.AuthenticationFactoryImpl  - using PAM auth
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate...
[main] INFO  connection.AuthMechanism  - sendStartupPacket()
[main] INFO  connection.AuthMechanism  - clientServerNegotiationHook()
[main] INFO  connection.AuthMechanism  - startup response:StartupResponseData:
   status:0
   relVersion:rods4.1.9
   apiVersion:d
   reconnPort:0
   reconnAddr:
   cookie:400
[main] INFO  connection.AuthMechanism  - will wrap commands with ssl
[main] INFO  connection.AuthMechanism  - not ssl wrapped, use an SSL connection for the pam auth
[main] INFO  connection.SslConnectionUtilities  - startSSL for PAM auth
[main] INFO  connection.AuthMechanism  - creating secure protcol connection layer
[main] INFO  connection.AuthMechanism  - carrying over startup pack with server info
[main] INFO  connection.AuthMechanism  - using eirods pluggable pam auth request
[main] INFO  connection.AuthMechanism  - have the temporary password to use to log in via pam
sending sslEnd...
[main] INFO  connection.AuthMechanism  - have the temporary password to use to log in via pam
sending sslEnd...
[main] INFO  connection.AuthMechanism  - derived and logging in with temporary password from a new agent:irods://arthur@tpa-eld6400.tpa-eld.localdomain:1247
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - instance() method...calling connection life cycle
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - create connection....
[main] INFO  connection.IRODSTCPConnectionFactoryImpl  - instance()
[main] INFO  connection.AbstractConnection  - AbstractConnection()
[main] INFO  connection.AbstractConnection  - using default negotiation policy:ClientServerNegotiationPolicy [sslNegotiationPolicy=NO_NEGOTIATION]
[main] INFO  connection.AbstractConnection  - opening irods socket
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ...have connection, now authenticate given the auth scheme in the iRODS account...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate()
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - get auth mechanism
[main] INFO  connection.AuthenticationFactoryImpl  - instanceAuthMechanism()
[main] INFO  connection.AuthenticationFactoryImpl  - authScheme:STANDARD
[main] INFO  connection.AuthenticationFactoryImpl  - using standard auth
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate...
[main] INFO  connection.AuthMechanism  - sendStartupPacket()
[main] INFO  connection.AuthMechanism  - clientServerNegotiationHook()
[main] INFO  connection.AuthMechanism  - startup response:StartupResponseData:
   status:0
   relVersion:rods4.1.9
   apiVersion:d
   reconnPort:0
   reconnAddr:
   cookie:400
[main] INFO  connection.StandardIRODSAuth  - authenticate
[main] INFO  connection.StandardIRODSAuth  - sending standard irods password
[main] INFO  connection.StandardIRODSAuth  - auth was successful
[main] INFO  connection.StandardIRODSAuth  - auth response was:org.irods.jargon.core.connection.auth.AuthResponse@14899482
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ..authenticated...now decorate and return...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - decorate()
[main] INFO  connection.EnvironmentalInfoAccessor  - getting irods server properties
[main] INFO  connection.DiscoveredServerPropertiesCache  - now retriving server properties from cache with zone:tempZone
[main] INFO  connection.EnvironmentalInfoAccessor  - server response obtained
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - org.irods.jargon.core.connection.IRODSServerProperties@7a7b0070
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ..authenticated...now decorate and return...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - decorate()
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - org.irods.jargon.core.connection.IRODSServerProperties@7a7b0070
[main] INFO  pub.IRODSAccessObjectFactoryImpl  - authResponse:org.irods.jargon.core.connection.auth.AuthResponse@39a054a5
[main] INFO  connection.IRODSMidLevelProtocol  - preDisconnectAction()

I also ran it against iRODS 4.1.10 and the authentication still succeeded.

ghost commented 7 years ago

What version of Java is running in your system?

The logs I posted before were taken from a VM running Java 8 (to be more specific: 1.8.0_111).

Older versions of Java seem to have issues with newer security algorithm versions. Check out this link for more information.

Try upgrading your system to Java 8, if it is not already. Let's see if it changes something for you.

felipegutierrez commented 7 years ago

I think it is another thing, not related to PAM SSL, because when I try to test the connection with the rods user, which uses STANDARD mode, I get an error at org.irods.jargon.core.connection.AbstractConnection.flush(AbstractConnection.java:532), and also the status -1825000. I upgraded my Java to 1.8.0_111; I was using Java 1.7. The error is a SERVER_NEGOTIATION_ERROR.

bash-4.2$ cat .irods/irods_environment.json
{
    "irods_host": "fedora20.ebioscience.amc.nl",
    "irods_port": 1247,
    "irods_default_resource": "storageVault1",
    "irods_home": "/tempZone/home/rods",
    "irods_cwd": "/tempZone/home/rods",
    "irods_user_name": "rods",
    "irods_zone_name": "tempZone",
    "irods_client_server_negotiation": "request_server_negotiation",
    "irods_client_server_policy": "CS_NEG_REQUIRE",
    "irods_encryption_key_size": 32,
    "irods_encryption_salt_size": 8,
    "irods_encryption_num_hash_rounds": 16,
    "irods_encryption_algorithm": "AES-256-CBC",
    "irods_default_hash_scheme": "SHA256",
    "irods_match_hash_policy": "compatible",
    "irods_server_control_plane_port": 1248,
    "irods_server_control_plane_key": "TEMPORARY__32byte_ctrl_plane_key",
    "irods_server_control_plane_encryption_num_hash_rounds": 16,
    "irods_server_control_plane_encryption_algorithm": "AES-256-CBC",
    "irods_maximum_size_for_single_buffer_in_megabytes": 32,
    "irods_default_number_of_transfer_threads": 4,
    "irods_transfer_buffer_size_for_parallel_transfer_in_megabytes": 4,
    "irods_ssl_certificate_chain_file": "/etc/irods/ssl/irods.crt",
    "irods_ssl_certificate_key_file": "/etc/irods/ssl/irods.key",
    "irods_ssl_dh_params_file": "/etc/irods/ssl/dhparams.pem",
    "irods_ssl_ca_certificate_file": "/etc/irods/ssl/irods.crt"
}
bash-4.2$ iinit 
Enter your current iRODS password:
bash-4.2$ ils
/tempZone/home/rods:
  protocol.csv
  protocol.pdf
  protocol.tag
  C- /tempZone/home/rods/Pictures
bash-4.2$ java -Djavax.net.ssl.trustStore=/etc/irods/ssl/serverkeystore -jar /opt/emc/metalnx-connection-test-1.0-SNAPSHOT-jar-with-dependencies.jar fedora20.ebioscience.amc.nl 1247 rods 123456 tempZone STANDARD
[main] INFO  connection.IRODSSimpleProtocolManager  - creating simple protocol manager
[main] INFO  connection.IRODSSession  - setting system prop for TLS...
[main] INFO  connection.IRODSSession  - checkInitTrustManager()
[main] INFO  pub.IRODSFileSystem  - IRODSfileSystem is initialized
[main] INFO  pub.IRODSAccessObjectFactoryImpl  - authenticateIRODSAccount()
[main] WARN  connection.IRODSSession  - closing session that is already closed, silently ignore
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - instance() method...calling connection life cycle
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - create connection....
[main] INFO  connection.IRODSTCPConnectionFactoryImpl  - instance()
[main] INFO  connection.AbstractConnection  - AbstractConnection()
[main] INFO  connection.AbstractConnection  - using default negotiation policy:ClientServerNegotiationPolicy [sslNegotiationPolicy=NO_NEGOTIATION]
[main] INFO  connection.AbstractConnection  - opening irods socket
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ...have connection, now authenticate given the auth scheme in the iRODS account...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate()
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - get auth mechanism
[main] INFO  connection.AuthenticationFactoryImpl  - instanceAuthMechanism()
[main] INFO  connection.AuthenticationFactoryImpl  - authScheme:STANDARD
[main] INFO  connection.AuthenticationFactoryImpl  - using standard auth
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate...
[main] INFO  connection.AuthMechanism  - sendStartupPacket()
[main] INFO  connection.AuthMechanism  - clientServerNegotiationHook()
[main] INFO  connection.AuthMechanism  - startup response:StartupResponseData:
   status:-1825000
   relVersion:rods4.1.9
   apiVersion:d
   reconnPort:0
   reconnAddr:
   cookie:400
[main] INFO  connection.StandardIRODSAuth  - authenticate
[main] INFO  connection.StandardIRODSAuth  - sending standard irods password
[main] ERROR connection.AuthMechanism  - io exception
java.net.SocketException: Broken pipe (Write failed)
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:109)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:153)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.irods.jargon.core.connection.AbstractConnection.flush(AbstractConnection.java:532)
    at org.irods.jargon.core.connection.AuthMechanism.sendAuthRequestAndGetChallenge(AuthMechanism.java:262)
    at org.irods.jargon.core.connection.StandardIRODSAuth.sendStandardPassword(StandardIRODSAuth.java:43)
    at org.irods.jargon.core.connection.StandardIRODSAuth.processAuthenticationAfterStartup(StandardIRODSAuth.java:132)
    at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:217)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:241)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:103)
    at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:146)
    at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:69)
    at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:511)
    at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:400)
    at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.authenticateIRODSAccount(IRODSAccessObjectFactoryImpl.java:80)
    at com.emc.metalnx.irods.connection.MlxIRODSConnectionTest.main(MlxIRODSConnectionTest.java:55)
java.net.SocketException: Broken pipe (Write failed)
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:109)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:153)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.irods.jargon.core.connection.AbstractConnection.flush(AbstractConnection.java:532)
    at org.irods.jargon.core.connection.AuthMechanism.sendAuthRequestAndGetChallenge(AuthMechanism.java:262)
    at org.irods.jargon.core.connection.StandardIRODSAuth.sendStandardPassword(StandardIRODSAuth.java:43)
    at org.irods.jargon.core.connection.StandardIRODSAuth.processAuthenticationAfterStartup(StandardIRODSAuth.java:132)
    at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:217)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:241)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:103)
    at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:146)
    at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:69)
    at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:511)
    at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:400)
    at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.authenticateIRODSAccount(IRODSAccessObjectFactoryImpl.java:80)
    at com.emc.metalnx.irods.connection.MlxIRODSConnectionTest.main(MlxIRODSConnectionTest.java:55)
ghost commented 7 years ago

@felipegutierrez I notice you run the jar file using STANDARD as an argument. Try using PAM as you did before.

felipegutierrez commented 7 years ago

Same error. I just did it with STANDARD to show that the error is not related to SSL+PAM.

ghost commented 7 years ago

@felipegutierrez I could finally reproduce your error.

I'd like to ask you to check your /etc/irods/core.re file and see if the rule acPreConnect is set to CS_NEG_REQUIRE.

If it is, I want you to change this rule to acPreConnect(*OUT) { *OUT="CS_NEG_DONT_CARE"; } and try executing our jar with PAM once again. It will probably work and you'll be able to authenticate.

CS_NEG_REQUIRE is telling iRODS to force the client to use SSL for every connection, while CS_NEG_DONT_CARE will let the server decide if the connection will use SSL or not.

So, if you are able to authenticate successfully, it means that our jar file cannot handle SSL connections and we will need to update it.

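The acPreConnect policy described in the comment above decides whether the connection-test JAR gets past the startup packet at all. The following is an added example (my own Python model, not Metalnx, Jargon or iRODS code) that reproduces the outcomes visible in this thread: the JAR opens its socket with sslNegotiationPolicy=NO_NEGOTIATION, a CS_NEG_REQUIRE server answers it with status -1825000 and closes the socket (the "Broken pipe" above), a CS_NEG_DONT_CARE server lets the same client through on plain TCP, and a PAM login then wraps only the PAM exchange in TLS before reconnecting with the temporary password. The policy table for clients that do negotiate is taken from the iRODS documentation and is an assumption of the model; modelling every failed negotiation as status -1825000 is a simplification.

```python
from enum import Enum


class Policy(Enum):
    """Values acPreConnect (server) or irods_client_server_policy (client) can return."""
    REQUIRE = "CS_NEG_REQUIRE"
    DONT_CARE = "CS_NEG_DONT_CARE"
    REFUSE = "CS_NEG_REFUSE"


SSL, TCP, FAIL = "CS_NEG_USE_SSL", "CS_NEG_USE_TCP", "CS_NEG_FAILURE"
SERVER_NEGOTIATION_ERROR = -1825000   # the startup status in the failing trace above

# Outcome when the client does send a negotiation request (rows: client policy,
# columns: server policy). Assumption of this model, taken from the iRODS
# documentation rather than from anything shown in the thread.
_TABLE = {
    Policy.REQUIRE:   {Policy.REQUIRE: SSL,  Policy.DONT_CARE: SSL, Policy.REFUSE: FAIL},
    Policy.DONT_CARE: {Policy.REQUIRE: SSL,  Policy.DONT_CARE: SSL, Policy.REFUSE: TCP},
    Policy.REFUSE:    {Policy.REQUIRE: FAIL, Policy.DONT_CARE: TCP, Policy.REFUSE: TCP},
}


def negotiate(server_policy, client_policy=None):
    """Return (startup_status, transport) for one connection attempt.

    client_policy=None models Jargon's NO_NEGOTIATION: the startup packet
    carries no negotiation request, so the server's acPreConnect policy alone
    decides. REQUIRE rejects the client with -1825000 and drops the socket;
    the other two policies carry on over plain TCP, which is what the trace
    shows after the core.re change. Every failed negotiation is reported with
    the same -1825000 status here (a simplification of the real error codes).
    """
    if client_policy is None:
        if server_policy is Policy.REQUIRE:
            return SERVER_NEGOTIATION_ERROR, FAIL
        return 0, TCP
    transport = _TABLE[client_policy][server_policy]
    if transport == FAIL:
        return SERVER_NEGOTIATION_ERROR, FAIL
    return 0, transport


def protected_phases(server_policy, auth_scheme, client_policy=None):
    """Which parts of a Jargon login happen inside TLS.

    From the successful PAM trace above: Jargon starts TLS only around the PAM
    exchange ("startSSL for PAM auth"), sends sslEnd once it has the temporary
    password, and then opens a second NO_NEGOTIATION connection that logs in
    with STANDARD auth. So on a DONT_CARE server the PAM password is inside
    TLS but the temporary-password login and all later traffic are not.
    """
    status, transport = negotiate(server_policy, client_policy)
    if status != 0:
        return {"credential_exchange": None, "data_session": None}
    session_tls = transport == SSL
    return {
        "credential_exchange": True if auth_scheme == "PAM" else session_tls,
        "data_session": session_tls,
    }


if __name__ == "__main__":
    for server in Policy:
        print(f"acPreConnect={server.value:18} jar(NO_NEGOTIATION) -> {negotiate(server)}")
    print("icommands REQUIRE vs server REQUIRE ->", negotiate(Policy.REQUIRE, Policy.REQUIRE))
    print("PAM on DONT_CARE server ->", protected_phases(Policy.DONT_CARE, "PAM"))
```

Two things follow from the model that are worth keeping in mind when applying the workaround. Changing acPreConnect to CS_NEG_DONT_CARE is a server-wide change: it lets every client that does not request negotiation, not only this JAR, onto plain TCP. And for PAM users only the PAM exchange itself is inside TLS; the second connection, and everything Metalnx does afterwards, runs on whatever transport the negotiation produced.
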
felipegutierrez commented 7 years ago

Awesome @ajguerra! You hit the target! I didn't remember that because I configured SSL+PAM 2 months ago. So now I can connect with the rods user, which does not use SSL+PAM, with metalnx-connection-test-1.0-SNAPSHOT-jar-with-dependencies.jar. And I cannot connect with the felipe user because it indeed uses SSL+PAM and core.re is now configured to acPreConnect(*OUT) { *OUT="CS_NEG_DONT_CARE"; }. But the error changed, which is good. The stack trace is below. If you need anything else I can help with, just say so. Thanks.

# java -Djavax.net.ssl.trustStore=/etc/irods/ssl/serverkeystore -jar /opt/emc/metalnx-connection-test-1.0-SNAPSHOT-jar-with-dependencies.jar localhost 1247 felipe 123456 tempZone PAM
[main] INFO  connection.IRODSSimpleProtocolManager  - creating simple protocol manager
[main] INFO  connection.IRODSSession  - setting system prop for TLS...
[main] INFO  connection.IRODSSession  - checkInitTrustManager()
[main] INFO  pub.IRODSFileSystem  - IRODSfileSystem is initialized
[main] INFO  pub.IRODSAccessObjectFactoryImpl  - authenticateIRODSAccount()
[main] WARN  connection.IRODSSession  - closing session that is already closed, silently ignore
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - instance() method...calling connection life cycle
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - create connection....
[main] INFO  connection.IRODSTCPConnectionFactoryImpl  - instance()
[main] INFO  connection.AbstractConnection  - AbstractConnection()
[main] INFO  connection.AbstractConnection  - using default negotiation policy:ClientServerNegotiationPolicy [sslNegotiationPolicy=NO_NEGOTIATION]
[main] INFO  connection.AbstractConnection  - opening irods socket
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - ...have connection, now authenticate given the auth scheme in the iRODS account...
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate()
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - get auth mechanism
[main] INFO  connection.AuthenticationFactoryImpl  - instanceAuthMechanism()
[main] INFO  connection.AuthenticationFactoryImpl  - authScheme:PAM
[main] INFO  connection.AuthenticationFactoryImpl  - using PAM auth
[main] INFO  connection.AbstractIRODSMidLevelProtocolFactory  - authenticate...
[main] INFO  connection.AuthMechanism  - sendStartupPacket()
[main] INFO  connection.AuthMechanism  - clientServerNegotiationHook()
[main] INFO  connection.AuthMechanism  - startup response:StartupResponseData:
   status:0
   relVersion:rods4.1.9
   apiVersion:d
   reconnPort:0
   reconnAddr:
   cookie:400
[main] INFO  connection.AuthMechanism  - will wrap commands with ssl
[main] INFO  connection.AuthMechanism  - not ssl wrapped, use an SSL connection for the pam auth
[main] INFO  connection.SslConnectionUtilities  - startSSL for PAM auth
[main] ERROR connection.SslConnectionUtilities  - ssl exception in handshake
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.irods.jargon.core.connection.SslConnectionUtilities.createSslSocketForProtocol(SslConnectionUtilities.java:166)
    at org.irods.jargon.core.connection.PAMAuth.establishSecureConnectionForPamAuth(PAMAuth.java:164)
    at org.irods.jargon.core.connection.PAMAuth.processAuthenticationAfterStartup(PAMAuth.java:50)
    at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:217)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:241)
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:103)
    at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:146)
    at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:69)
    at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:511)
    at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:400)
    at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.authenticateIRODSAccount(IRODSAccessObjectFactoryImpl.java:80)
    at com.emc.metalnx.irods.connection.MlxIRODSConnectionTest.main(MlxIRODSConnectionTest.java:55)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 25 more
ghost commented 7 years ago

After playing with it for a little bit, I was not expecting SSL to work. We need to change the code in order for it to accept SSL connections too. I'll take a look at that and post any news here.

ghost commented 7 years ago

@felipegutierrez I was looking at your last stacktrace and it says unable to find valid certification path to requested target. I was wondering if you are missing a keystore file.

You need to pass an extra parameter to the JVM telling where your certificate is, so your command should be something like

java -Djavax.net.ssl.trustStore=path/to/irodskeystore -jar param1 param2 ... paramN

There are more instructions about certificates in one of my previous posts.

I am still working on the code to make it work when iRODS is set to always use SSL (CS_NEG_REQUIRE in the core.re file), but I think if you pass the keystore path to the JVM it will get rid of the error you are seeing (as long as your core.re file is set to CS_NEG_DONT_CARE).

felipegutierrez commented 7 years ago

Strange, I generated the irodskeystore again and it works. Before, I was also using the irodskeystore, but my file name was serverkeystore and it didn't work. Now my core.re file is configured with "CS_NEG_DONT_CARE" and I am logging in with users authenticated with SSL+PAM, but I also configured their password in iRODS. So, through the terminal I use SSL+PAM and I think Metalnx-web is using the password from iCAT (they are the same). Another strange thing is that I do not have access permissions to see my own collections in the browser. When I click the collection button it shows this message: "You do not have permissions to access information in the target collection or for the selected object." Therefore, I think this message is related to the bug. But here I am trying to see my own collections.

ghost commented 7 years ago

You are right, Metalnx is probably using passwords from iCAT. In order to use PAM you need to tell Tomcat to trust your irodskeystore too. Please refer to this link for further information.

Now, it is weird to me that you can't access your own folder. Did the logs tell you anything? Can you post both iRODS and Metalnx logs here?

felipegutierrez commented 7 years ago

Hi @ajguerra, sorry for the delay. I only have logs in my iRODS log file.

Jan  5 08:56:26 pid:2692 NOTICE: Agent process 2947 started for puser=rods and cuser=rods from 127.0.0.1
Jan  5 08:56:27 pid:2947 NOTICE: readAndProcClientMsg: received disconnect msg from client
Jan  5 08:56:27 pid:2947 NOTICE: Warning, pending SQL at cllDisconnect, count: 6
Jan  5 08:56:27 pid:2947 NOTICE: Warning, pending SQL: begin ...
Jan  5 08:56:27 pid:2947 NOTICE: Warning, pending SQL: SET SESSION autocommit=0 ...
Jan  5 08:56:27 pid:2947 NOTICE: Warning, pending SQL: SET SESSION sql_mode='ANSI,ST ...
Jan  5 08:56:27 pid:2947 NOTICE: Warning, pending SQL: SET character_set_client = ut ...
Jan  5 08:56:27 pid:2947 NOTICE: Warning, pending SQL: SET character_set_results = u ...
Jan  5 08:56:27 pid:2947 NOTICE: Agent exiting with status = 0
Jan  5 08:56:27 pid:2692 NOTICE: Agent process 2947 exited with status 0
Jan  5 08:56:27 pid:2692 NOTICE: Agent process 2953 started for puser=rods and cuser=rods from 127.0.0.1
Jan  5 08:56:27 pid:2692 NOTICE: Agent process 2954 started for puser=rods and cuser=rods from 127.0.0.1
Jan  5 08:56:27 pid:2953 NOTICE: bindVar[1]=/tempZone/home/rods
Jan  5 08:56:27 pid:2953 NOTICE: bindVar[2]=rods
Jan  5 08:56:27 pid:2953 NOTICE: cllExecSqlWithResult: SQLExecDirect error: -1, sql:SELECT R_USER_MAIN.user_name, R_USER_MAIN.user_id, R_OBJT_ACCESS.access_type_id, R_USER_MAIN.user_type_name, R_USER_MAIN.zone_name, R_COLL_MAIN.coll_name, USER_GROUP_MAIN.user_name, R_COLL_MAIN.coll_name FROM R_USER_MAIN AS USER_GROUP_MAIN JOIN R_USER_GROUP JOIN R_USER_MAIN ON R_USER_GROUP.user_id = R_USER_MAIN.user_id ON USER_GROUP_MAIN.user_id = R_USER_GROUP.group_user_id JOIN R_OBJT_ACCESS ON R_USER_GROUP.group_user_id = R_OBJT_ACCESS.user_id JOIN R_COLL_MAIN ON R_OBJT_ACCESS.object_id = R_COLL_MAIN.coll_id WHERE R_COLL_MAIN.coll_name = ? AND R_USER_MAIN.user_name = ? ORDER BY R_COLL_MAIN.coll_name, R_USER_MAIN.user_name, R_OBJT_ACCESS.access_type_id DESC
Jan  5 08:56:27 pid:2953 NOTICE: SQLSTATE: 37000
Jan  5 08:56:27 pid:2953 NOTICE: SQLCODE: 1064
Jan  5 08:56:27 pid:2953 NOTICE: SQL Error message: [MySQL][ODBC 5.3(a) Driver][mysqld-5.6.34]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ON USER_GROUP_MAIN.user_id = R_USER_GROUP.group_user_id JOIN R_OBJT_ACCESS ON R_' at line 1
Jan  5 08:56:27 pid:2953 NOTICE: chlSpecificQuery cmlGetFirstRowFromSql failure -806000
Jan  5 08:56:27 pid:2953 NOTICE: _rsSpecificQuery: specificQuery status = -806000
Jan  5 08:56:27 pid:2953 NOTICE: rsSpecificQuery: rcSpecificQuery failed, status = -806000
Jan  5 08:56:28 pid:2953 NOTICE: bindVar[1]=/tempZone/home/rods/%
Jan  5 08:56:28 pid:2953 NOTICE: bindVar[2]=/tempZone/home/rods
Jan  5 08:56:28 pid:2953 NOTICE: cllExecSqlWithResult: SQLExecDirect error: -1, sql:WITH searchMatchForCollections AS ( select   c.coll_id,  c.coll_name,  c.parent_coll_name,  c.coll_owner_name,  c.coll_owner_zone,  c.coll_inheritance,  c.coll_type,  c.r_comment,  c.create_ts,  c.modify_ts from   R_COLL_MAIN c where   c.coll_name ILIKE ?    and   c.parent_coll_name = ? ) SELECT COUNT(*) FROM searchMatchForCollections 
Jan  5 08:56:28 pid:2953 NOTICE: SQLSTATE: 37000
Jan  5 08:56:28 pid:2953 NOTICE: SQLCODE: 1064
Jan  5 08:56:28 pid:2953 NOTICE: SQL Error message: [MySQL][ODBC 5.3(a) Driver][mysqld-5.6.34]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'searchMatchForCollections AS ( select   c.coll_id,  c.coll_name,  c.parent_coll_' at line 1
Jan  5 08:56:28 pid:2953 NOTICE: chlSpecificQuery cmlGetFirstRowFromSql failure -806000
Jan  5 08:56:28 pid:2953 NOTICE: _rsSpecificQuery: specificQuery status = -806000
Jan  5 08:56:28 pid:2953 NOTICE: rsSpecificQuery: rcSpecificQuery failed, status = -806000
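
The two SQLExecDirect failures in the log above are iRODS specific queries written in PostgreSQL syntax being executed against a MySQL 5.6 iCAT through ODBC: the first uses a right-nested JOIN ... JOIN ... ON ... ON, the second a WITH common table expression and ILIKE, and MySQL 5.6 accepts none of them, hence SQLCODE 1064 and the -806000 (CAT_SQL_ERR) status that the browser then reports as a permissions problem. The following is an added example, not Metalnx or iRODS code: it pulls the failed queries out of a rodsLog excerpt, flags the constructs MySQL 5.6 rejects, and applies the two rewrites that can be done mechanically (CTE to derived table, ILIKE to LOWER() LIKE LOWER()); the nested join is only flagged, because flattening it correctly needs a human. The log sample is constructed, condensed from the lines posted above, and the check list and function names are my own.

```python
import re

# Constructed sample, condensed from the rodsLog lines posted above.
SAMPLE_LOG = """\
Jan  5 08:56:27 pid:2953 NOTICE: bindVar[1]=/tempZone/home/rods
Jan  5 08:56:27 pid:2953 NOTICE: cllExecSqlWithResult: SQLExecDirect error: -1, sql:SELECT R_USER_MAIN.user_name, R_OBJT_ACCESS.access_type_id FROM R_USER_MAIN AS USER_GROUP_MAIN JOIN R_USER_GROUP JOIN R_USER_MAIN ON R_USER_GROUP.user_id = R_USER_MAIN.user_id ON USER_GROUP_MAIN.user_id = R_USER_GROUP.group_user_id JOIN R_OBJT_ACCESS ON R_USER_GROUP.group_user_id = R_OBJT_ACCESS.user_id WHERE R_USER_MAIN.user_name = ?
Jan  5 08:56:27 pid:2953 NOTICE: SQLSTATE: 37000
Jan  5 08:56:27 pid:2953 NOTICE: SQLCODE: 1064
Jan  5 08:56:27 pid:2953 NOTICE: chlSpecificQuery cmlGetFirstRowFromSql failure -806000
Jan  5 08:56:28 pid:2953 NOTICE: cllExecSqlWithResult: SQLExecDirect error: -1, sql:WITH searchMatchForCollections AS ( select c.coll_id, c.coll_name from R_COLL_MAIN c where c.coll_name ILIKE ? and c.parent_coll_name = ? ) SELECT COUNT(*) FROM searchMatchForCollections
Jan  5 08:56:28 pid:2953 NOTICE: SQLSTATE: 37000
Jan  5 08:56:28 pid:2953 NOTICE: SQLCODE: 1064
Jan  5 08:56:28 pid:2953 NOTICE: chlSpecificQuery cmlGetFirstRowFromSql failure -806000
"""

_ERR = re.compile(r"cllExecSqlWithResult: SQLExecDirect error: -?\d+, sql:(.*)$")
_KV = re.compile(r"NOTICE: (SQLSTATE|SQLCODE): (\S+)")
_STATUS = re.compile(r"cmlGetFirstRowFromSql failure (-?\d+)")

# Constructs MySQL 5.6 rejects; the first two can be rewritten mechanically.
_CHECKS = [
    ("ILIKE", re.compile(r"\bILIKE\b", re.I),
     "ILIKE is PostgreSQL-only; use LOWER(x) LIKE LOWER(?)"),
    ("CTE", re.compile(r"^\s*WITH\s+\w+\s+AS\s*\(", re.I),
     "WITH ... AS needs MySQL 8.0+; inline it as a derived table"),
    ("NESTED_JOIN", re.compile(r"\bJOIN\s+\w+\s+JOIN\b", re.I),
     "JOIN nested without its own ON; flatten the join chain by hand"),
]


def failed_specific_queries(log_text):
    """Group each SQLExecDirect failure with its SQLSTATE, SQLCODE and iRODS status."""
    found, cur = [], None
    for line in log_text.splitlines():
        m = _ERR.search(line)
        if m:
            cur = {"sql": m.group(1).strip(), "sqlstate": None, "sqlcode": None, "status": None}
            found.append(cur)
            continue
        if cur is None:
            continue
        m = _KV.search(line)
        if m:
            cur[m.group(1).lower()] = m.group(2)
            continue
        m = _STATUS.search(line)
        if m:
            cur["status"] = int(m.group(1))
            cur = None                      # this failure record is complete
    return found


def lint_for_mysql(sql):
    """Return (code, message) for every PostgreSQL-only construct found in sql."""
    return [(code, msg) for code, rx, msg in _CHECKS if rx.search(sql)]


def _inline_single_cte(sql):
    """Turn 'WITH n AS (body) SELECT ... FROM n' into 'SELECT ... FROM (body) AS n'."""
    m = re.match(r"\s*WITH\s+(\w+)\s+AS\s*\(", sql, re.I)
    if not m:
        return sql
    name, depth, i = m.group(1), 1, m.end()
    while depth and i < len(sql):           # find the parenthesis closing the CTE body
        depth += {"(": 1, ")": -1}.get(sql[i], 0)
        i += 1
    if depth:
        return sql                          # unbalanced; leave it for a human
    body, rest = sql[m.end():i - 1].strip(), sql[i:].strip()
    return re.sub(rf"\bFROM\s+{re.escape(name)}\b",
                  lambda _: f"FROM ({body}) AS {name}", rest, flags=re.I)


def rewrite_for_mysql(sql):
    """Apply the mechanical rewrites; return (new_sql, findings still open)."""
    sql = _inline_single_cte(sql)
    # Only plain column references, placeholders and literals are rewritten so
    # that surrounding parentheses are never swallowed into the LOWER() call.
    sql = re.sub(r"([\w.]+)\s+ILIKE\s+(\?|'[^']*'|[\w.]+)",
                 r"LOWER(\1) LIKE LOWER(\2)", sql, flags=re.I)
    return sql, lint_for_mysql(sql)


if __name__ == "__main__":
    for q in failed_specific_queries(SAMPLE_LOG):
        new_sql, open_findings = rewrite_for_mysql(q["sql"])
        print(f"SQLSTATE {q['sqlstate']} SQLCODE {q['sqlcode']} status {q['status']}")
        print("  original :", q["sql"][:70], "...")
        print("  rewritten:", new_sql[:70], "...")
        for code, msg in open_findings:
            print(f"  still open: {code}: {msg}")
```

Run the rewritten statement by hand against the iCAT database before replacing the registered specific query with it (iadmin asq takes the SQL and its alias; the alias has to stay the one Metalnx asks for, which this example does not know). The nested-join query still comes back flagged and has to be flattened into a plain chain of JOIN ... ON clauses.
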
ghost commented 7 years ago

@felipegutierrez FYI, I opened an issue on Jargon about our PAM authentication problem and it looks like we have a bug there; check out this issue.