When a client connects to a caGrid service, the client and service must both decide to trust each other. If that does not happen, the connection is terminated before the client gets the opportunity to request data or services.
The existence of a trust problem usually involves an error message that includes the words "Unknown CA" and happens at any time in the interaction of the client and service. If the problem occurs at a very early stage when a client is trying to connect to a service, the error message may include "java.lang.NullPointerException". Both of these circumstances point to a trust-related problem. However, it is not possible to determine the exact cause of the problem from the error messages that are produced.
The following sections of this page suggest options to correct the problem.
CaGrid is software that allows clients and services to trust each other because, among other things, the client and service host are able to exchanges certificates signed by a mutually trusted certificate-signing authority (CA). Not all hosts that run caGrid software are part of the same grid. If two hosts are part of the same grid, then they will trust the same CAs. If two hosts are part of different grids then they may not trust the same CAs.
Check your caGrid installation to verify that it is targeted for the right target grid. Reconfigure it to the correct grid if it is not.
Even if your caGrid installation is configured for the correct target grid, it may not have the current list of what CAs it should trust and which hosts it should not. You can get caGrid to update its copy of this list by syncing with the grid trust fabric.
A possible cause of trust problems is that the files that contain a host's certificate or private key are invalid. Check your host's certificate/key files and replace them if not valid.
If the clock time on a host is wrong, it can cause valid certificates to be treated as invalid when the time it indicates is before a certificate's start date or after its end date. Simply ensure that the host's clock is set to the correct time.
If a client gets "java.lang.NullPointerException" in an error message when it tries to connect to a service, the clock time on the service's host should be checked.
If a service does not trust clients and there appears to be nothing wrong on the client's end, the service's host should be checked for the same causes of trust problems. If none of these are found, the cause may be a bug that's cause is not yet understood.
This bug has been observed in services that run in a Tomcat container. The clear symptom of this bug is multiple Tomcat processes running the same service. Cease all of the Tomcat containers running the service and restart the Tomcat container.
If none of the preceding measures solve the problem, post a description of the problem to the caGrid Security Forum. Please include the full error message/stack trace along with what the circumstances that produced the error information. Other potentially helpful information:
- The operating system
- The version of caGrid
- The name/description of the grid
- The output from grid-cert-info
Including a trust report in the posting may also be helpful. To generate a trust report on Linux/Mac, issue this command:
To generate a trust report on Windows, issue this command:
The ant script that runs will ask for the name of a file for its output. Attach the file to your forum post.