[Go-essp-tech] Fwd: Fwd: Fwd: RE: Correction: RE: And also RE: CMIP5 GFDL runs

Hans Vahlenkamp hans.vahlenkamp at noaa.gov
Tue Feb 21 18:19:55 MST 2012 

Hi Bob,

Restarting our TDS does not help with this local access problem.  After you
restarted the pcmdi3 gateway, it seemed to work for us for a while but now
it is a problem again.  I'm wondering if it is not just a load issue on the
pcmdi3 machine, but perhaps also related to what you suggested in your e-mail
from 11/22 (see below)?  Is something occurring with the LLNL proxy which
affects OpenID authorization for us?  I'm not sure what further debugging we
could do at our end.

Regards,

Hans


-------- Original Message --------
Subject: Fwd: Fwd: RE: Correction: RE: And also RE: CMIP5 GFDL runs
Date: Wed, 15 Feb 2012 18:33:02 -0500
From: Hans Vahlenkamp <hans.vahlenkamp at noaa.gov>
To: Bob Drach <drach at llnl.gov>
CC: go-essp-tech at ucar.edu <go-essp-tech at ucar.edu>

Hi Bob,

It looks like we are having this "HTTP Status 403 - Access Denied." problem
again with our THREDDS server.  For example, go to:

  http://esgdata.gfdl.noaa.gov/thredds/esgcet/1/cmip5.output1.NOAA-GFDL.GFDL-CM3.1pctCO2.mon.atmos.Amon.r1i1p1.v20110601.html?dataset=cmip5.output1.NOAA-GFDL.GFDL-CM3.1pctCO2.mon.atmos.Amon.r1i1p1.v20110601.ccb_Amon_GFDL-CM3_1pctCO2_r1i1p1_000601-001012.nc

and click on the HTTPServer link.  It fails after the OpenID password prompt.

Hans

-------- Original Message --------
Subject: RE: Correction: RE: And also RE: CMIP5 GFDL runs
Date: Tue, 22 Nov 2011 08:45:29 -0800
From: Drach, Bob <drach1 at llnl.gov>
To: Serguei Nikonov <Serguei.Nikonov at noaa.gov>
CC: Hans Vahlenkamp <Hans.Vahlenkamp at noaa.gov>

Hi Sergey,

Definitely things are looking better. I opened up access to the published
datasets, and will post a notice shortly.

I *think* we have a problem with our local LLNL proxy mucking up SSL connections
from pcmdi3, which causes problems with the openID stuff, which in turn affects
the direct thredds access. I'm seeing the problem with other data nodes besides
GFDL. We had a similar problem recently which was solved when the LLNL
reconfigured it's proxy server. Assuming this is the case,, the problem is on
our end, not yours.

Regards,

--Bob
________________________________________
From: Serguei Nikonov [Serguei.Nikonov at noaa.gov]
Sent: Tuesday, November 22, 2011 8:15 AM
To: Drach, Bob
Cc: Hans Vahlenkamp
Subject: Re: Correction: RE: And also RE: CMIP5 GFDL runs

Hi Bob,

It seems to me that local thredds server is working properly now. I can download
file through http link like
http://esgdata.gfdl.noaa.gov/thredds/fileServer/gfdl_dataroot/NOAA-GFDL/GFDL-HIRAM-C360/amip/day/landIce/day/r1i1p1/v20110601/snw/snw_day_GFDL-HIRAM-C360_amip_r1i1p1_19890101-19931231.nc.

Thanks a lot for you help.

I am in a process of republishing GFDL data on pcmdi gateway. So far so good.
Data is downloadable. Can you now open GFDL data on pcmdi server for public access.

Thanks,
Sergey


On 11/21/2011 01:22 PM, Drach, Bob wrote:
> Hi Hans, Sergey,
>
> Correction:
>
> You should *only* change the authorization filter parameter to
>
>       <init-param>
>         <param-name>authorizationServiceUrl</param-name>
>         <param-value>https://pcmdi3.llnl.gov/esgcet/saml/soap/secure/authorizationService.htm</param-value>
>       </init-param>
>
> Leave the authentication filter as-is (pointing to the GFDL ORP).
>
> Then restart tomcat. Let me know when this is done, so we can test the THREDDS PKI access.
>
> Thanks,
>
> --Bob
> ________________________________________
> From: Drach, Bob
> Sent: Saturday, November 19, 2011 12:26 PM
> To: Serguei Nikonov
> Cc: Hans Vahlenkamp
> Subject: RE: And also RE: CMIP5 GFDL runs
>
> To be precise, the *existing* definitions in thredds web.xml should be changed to those below. Thanks. --Bob
> ________________________________________
> From: Serguei Nikonov [Serguei.Nikonov at noaa.gov]
> Sent: Saturday, November 19, 2011 7:08 AM
> To: Drach, Bob
> Cc: Hans Vahlenkamp
> Subject: Re: And also RE: CMIP5 GFDL runs
>
> Hans,
>
> can you insert these tags and restart tomcat. I can not restart it due to
> permission limitation.
>
> Thanks,
> Sergey
>
>
> On 11/18/2011 05:19 PM, Drach, Bob wrote:
>> In particular make sure that:
>>
>> - in authenticationFilter:
>>
>>       <init-param>
>>         <param-name>openidRelyingPartyUrl</param-name>
>>         <param-value>https://pcmdi3.llnl.gov/OpenidRelyingParty/home.htm</param-value>
>>       </init-param>
>>
>> - and in authorizationFilter:
>>
>>       <init-param>
>>         <param-name>authorizationServiceUrl</param-name>
>>         <param-value>https://pcmdi3.llnl.gov/esgcet/saml/soap/secure/authorizationService.htm</param-value>
>>       </init-param>
>>
>> If not, change to the correct values and restart tomcat.
>>
>> --Bob
>> ________________________________________
>> From: Drach, Bob
>> Sent: Friday, November 18, 2011 12:19 PM
>> To: Serguei Nikonov
>> Cc: Hans Vahlenkamp
>> Subject: RE: CMIP5 GFDL runs
>>
>> ...
>> - Direct TDS access still gives 'Access denied'. Can  you check your tomcat logs and/or threddsServlet log for messages?
>>
>> Also, would you check in
>>
>> $CATALINA_HOME/webapps/thredds/WEB-INF/web.xml
>>
>> and send me the configuration for the following filters:
>>
>> authenticationFilter
>> authorizationFilter
>>
>> If those are misconfigured it could cause the 'Access denied'.
>>
>>
>>
>

More information about the GO-ESSP-TECH mailing list