Task #7709

Story #7605: MemberNodes not authorizing CN to harvest log records

IOE does not trust the CN certificate for log harvesting

Added by Robert Waltz over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Environment.Production
Target version:
Start date: 2016-04-06
Due date:
% Done: 100%
Milestone: None
Product Version: *
Story Points:
Sprint:
Description

Receiving this error from IOE when attempting to harvest logs:

died: org.dataone.service.exceptions.NotAuthorized: Only the CN or admin is allowed to harvest logs from this node

History

#1 Updated by Mark Servilla over 5 years ago

Still receiving this error when using curl from cn-ucsb-1.dataone.org to access log content:

curl -s -E ./urn_node_CNUCSB1.pem -X GET https://data.rcg.montana.edu/catalog/d1/mn/v1/log
<?xml version="1.0" encoding="UTF-8"?>

Only the CN or admin is allowed to harvest logs from this node

#2 Updated by Mark Servilla over 5 years ago

Note to self (and anyone else who cares to know): this is a Metacat deployment - https://data.rcg.montana.edu/catalog/admin

#3 Updated by Chris Jones over 5 years ago

Can we confirm with IOE that Apache is configured correctly to trust the DataONE Production CA cert?

SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt

and that Apache is verifying client certs:

SSLVerifyClient optional

#4 Updated by Robert Waltz over 5 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
  • Remaining hours set to 0.0

The problem was this:

SSLVerifyClient optional
SSLVerifyDepth 10

The SSLVerifyClient directive was only applied to metacat-metacat replication. Thomas Heetderks removed the Location directives, restarted Apache, and the problem is now solved.
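
The scoping problem described in this ticket can be checked offline before a harvest fails. The following is an added example, not code from the ticket or from DataONE: it reads an Apache configuration and reports whether any SSLVerifyClient setting covers a given request path. Both configurations and the `/replication-placeholder` path are constructed for illustration, and the matching is a simplified prefix match that ignores LocationMatch, Directory blocks and override order.

```python
import re

# Constructed sample: directives scoped to one <Location> (placeholder path).
SCOPED = """<VirtualHost *:443>
  SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt
  <Location "/replication-placeholder">
    SSLVerifyClient optional
    SSLVerifyDepth 10
  </Location>
</VirtualHost>"""

# Constructed sample: the same directives at virtual-host level.
VHOST = """<VirtualHost *:443>
  SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt
  SSLVerifyClient optional
  SSLVerifyDepth 10
</VirtualHost>"""

def verify_client_scopes(conf):
    """List (location, mode) per SSLVerifyClient; location is None outside <Location>."""
    found, locations = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r'<Location\s+"?([^">]+)"?\s*>', line, re.I)
        directive = re.match(r"SSLVerifyClient\s+(\S+)", line, re.I)
        if opened:
            locations.append(opened.group(1).strip())
        elif re.match(r"</Location\s*>", line, re.I) and locations:
            locations.pop()
        elif directive:
            found.append((locations[-1] if locations else None, directive.group(1).lower()))
    return found

def client_cert_requested(conf, url_path):
    """True if an SSLVerifyClient other than 'none' covers url_path."""
    for location, mode in verify_client_scopes(conf):
        if mode == "none":
            continue
        prefix = None if location is None else location.rstrip("/")
        if prefix is None or url_path == prefix or url_path.startswith(prefix + "/"):
            return True
    return False

if __name__ == "__main__":
    for name, conf in (("scoped", SCOPED), ("vhost", VHOST)):
        print(name, client_cert_requested(conf, "/catalog/d1/mn/v1/log"))
```

With the scoped configuration the log endpoint path from the curl test is not covered, so the server never asks for the CN client certificate there and the request is treated as unauthenticated.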
