[Go-essp-tech] Fwd: Fwd: RE: Correction: RE: And also RE: CMIP5 GFDL runs

Hans Vahlenkamp hans.vahlenkamp at noaa.gov
Wed Feb 15 16:33:02 MST 2012 

Hi Bob,

It looks like we are having this "HTTP Status 403 - Access Denied." problem
again with our THREDDS server.  For example, go to:

  http://esgdata.gfdl.noaa.gov/thredds/esgcet/1/cmip5.output1.NOAA-GFDL.GFDL-CM3.1pctCO2.mon.atmos.Amon.r1i1p1.v20110601.html?dataset=cmip5.output1.NOAA-GFDL.GFDL-CM3.1pctCO2.mon.atmos.Amon.r1i1p1.v20110601.ccb_Amon_GFDL-CM3_1pctCO2_r1i1p1_000601-001012.nc

and click on the HTTPServer link.  It fails after the OpenID password prompt.

Hans

-------- Original Message --------
Subject: RE: Correction: RE: And also RE: CMIP5 GFDL runs
Date: Tue, 22 Nov 2011 08:45:29 -0800
From: Drach, Bob <drach1 at llnl.gov>
To: Serguei Nikonov <Serguei.Nikonov at noaa.gov>
CC: Hans Vahlenkamp <Hans.Vahlenkamp at noaa.gov>

Hi Sergey,

Definitely things are looking better. I opened up access to the published
datasets, and will post a notice shortly.

I *think* we have a problem with our local LLNL proxy mucking up SSL connections
from pcmdi3, which causes problems with the openID stuff, which in turn affects
the direct thredds access. I'm seeing the problem with other data nodes besides
GFDL. We had a similar problem recently which was solved when the LLNL
reconfigured it's proxy server. Assuming this is the case,, the problem is on
our end, not yours.

Regards,

--Bob
________________________________________
From: Serguei Nikonov [Serguei.Nikonov at noaa.gov]
Sent: Tuesday, November 22, 2011 8:15 AM
To: Drach, Bob
Cc: Hans Vahlenkamp
Subject: Re: Correction: RE: And also RE: CMIP5 GFDL runs

Hi Bob,

It seems to me that local thredds server is working properly now. I can download
file through http link like
http://esgdata.gfdl.noaa.gov/thredds/fileServer/gfdl_dataroot/NOAA-GFDL/GFDL-HIRAM-C360/amip/day/landIce/day/r1i1p1/v20110601/snw/snw_day_GFDL-HIRAM-C360_amip_r1i1p1_19890101-19931231.nc.

Thanks a lot for you help.

I am in a process of republishing GFDL data on pcmdi gateway. So far so good.
Data is downloadable. Can you now open GFDL data on pcmdi server for public access.

Thanks,
Sergey


On 11/21/2011 01:22 PM, Drach, Bob wrote:
> Hi Hans, Sergey,
>
> Correction:
>
> You should *only* change the authorization filter parameter to
>
>       <init-param>
>         <param-name>authorizationServiceUrl</param-name>
>         <param-value>https://pcmdi3.llnl.gov/esgcet/saml/soap/secure/authorizationService.htm</param-value>
>       </init-param>
>
> Leave the authentication filter as-is (pointing to the GFDL ORP).
>
> Then restart tomcat. Let me know when this is done, so we can test the THREDDS PKI access.
>
> Thanks,
>
> --Bob
> ________________________________________
> From: Drach, Bob
> Sent: Saturday, November 19, 2011 12:26 PM
> To: Serguei Nikonov
> Cc: Hans Vahlenkamp
> Subject: RE: And also RE: CMIP5 GFDL runs
>
> To be precise, the *existing* definitions in thredds web.xml should be changed to those below. Thanks. --Bob
> ________________________________________
> From: Serguei Nikonov [Serguei.Nikonov at noaa.gov]
> Sent: Saturday, November 19, 2011 7:08 AM
> To: Drach, Bob
> Cc: Hans Vahlenkamp
> Subject: Re: And also RE: CMIP5 GFDL runs
>
> Hans,
>
> can you insert these tags and restart tomcat. I can not restart it due to
> permission limitation.
>
> Thanks,
> Sergey
>
>
> On 11/18/2011 05:19 PM, Drach, Bob wrote:
>> In particular make sure that:
>>
>> - in authenticationFilter:
>>
>>       <init-param>
>>         <param-name>openidRelyingPartyUrl</param-name>
>>         <param-value>https://pcmdi3.llnl.gov/OpenidRelyingParty/home.htm</param-value>
>>       </init-param>
>>
>> - and in authorizationFilter:
>>
>>       <init-param>
>>         <param-name>authorizationServiceUrl</param-name>
>>         <param-value>https://pcmdi3.llnl.gov/esgcet/saml/soap/secure/authorizationService.htm</param-value>
>>       </init-param>
>>
>> If not, change to the correct values and restart tomcat.
>>
>> --Bob
>> ________________________________________
>> From: Drach, Bob
>> Sent: Friday, November 18, 2011 12:19 PM
>> To: Serguei Nikonov
>> Cc: Hans Vahlenkamp
>> Subject: RE: CMIP5 GFDL runs
>>
>> ...
>> - Direct TDS access still gives 'Access denied'. Can  you check your tomcat logs and/or threddsServlet log for messages?
>>
>> Also, would you check in
>>
>> $CATALINA_HOME/webapps/thredds/WEB-INF/web.xml
>>
>> and send me the configuration for the following filters:
>>
>> authenticationFilter
>> authorizationFilter
>>
>> If those are misconfigured it could cause the 'Access denied'.
>>
>>
>>
>

More information about the GO-ESSP-TECH mailing list