Re: Proxy Timestamps (fwd)

From: Wasef Masood (masood@mcs.anl.gov)
Date: Fri Apr 12 2002 - 08:20:04 PDT


The mail below hopefully clarifies the Globus proxy time issue on the
Workers section web page. Please let me know if you have more questions.

Wasef Masood
masood@mcs.anl.gov
Distributed Systems Laboratory
Mathematics and Computer Science Division
Argonne National Laboratory

At 11:03 AM 4/11/2002 -0500, you wrote:
>________________________________________________________________________
>Local time and time zones
>Grid proxy certificate - how are time zones handled?
>Do we want a unified time server for all Grid users?
>
>
>Qian's laptop time was having trouble. When her time was a day behind, her
>certificate was rejected as expired. When her laptop was set too early,
>her certificate was rejected as not "yet" valid.
>
>
>More user friendly and informative error message when proxy certificate
>has expired or is not yet valid
>
>________________________________________________________________________

---------- Forwarded message ----------
Date: Fri, 12 Apr 2002 09:29:35 -0500
From: Von Welch <welch@mcs.anl.gov>
To: Wasef Masood <masood@mcs.anl.gov>
Subject: Re: Proxy Timestamps

In a nutshell, in order to use certificates all systems involved need to
have (1) the correct local time and (2) the correct local timezone. This
allows the system to properly determine GMT which is what is used to encode
all the times in the certificates.

The reason for this is that whenever a user creates a proxy a lifetime is
embedded into the proxy certificate. This lifetime is encoded as a starting
time (the current time) and an expiration time (current time plus e.g. 8
hours). All these times are encoded as GMT, so if it's midnight in
Greenland any proxy certificates created anywhere in the world will have
the same times encoded in them as the starting time.

For example a user in Chicago (Central Time = GMT - 6 hours) creates a
proxy certificate with a lifetime of 8 hours at 8 am. The start time and
end times encoded in the certificate will be 2pm GMT (8am + 6 hours for TZ)
and 10pm GMT (8am + 8 hours of lifetime + 6 hours for TZ) respectively.

If that user then tried to use that proxy in California where it's 6am PT
(Pacific Time = GMT - 8 hours), it would work because 6am PT + 8 hours for
TZ = 2pm GMT time which falls in the proxy certificate's 2pm-10pm GMT
lifetime (we allow +/- 5 minutes to account for clock inaccuracies).

So if a user's local clock was a day behind, all the proxy certificates
created on that system would appear to have been created yesterday and
(assuming their lifetime was < 24 hours) have already expired. (I just show
times in my examples above but the times encoded in the certificates
include the date as well.)

Can you give me more information on your comment about the error message?
What message did you receive, from what application and how could it have
been improved?

HTH,

Von
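
The validity check described in the message above, as an added Python example that is not part of the original mail or of the Globus code. The function names, the sample date and the fixed GMT-6 / GMT-8 offsets are assumptions chosen to match the Chicago and California case; it also shows an error text that reports both clocks in UTC.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SKEW = timedelta(minutes=5)              # tolerance stated in the message
CENTRAL = timezone(timedelta(hours=-6))  # fixed offsets, as in the message
PACIFIC = timezone(timedelta(hours=-8))

def issue_proxy(host_clock, lifetime_hours=8):
    """Validity window (not_before, not_after) in UTC, taken from the issuing host's clock."""
    start = host_clock.astimezone(UTC)
    return start, start + timedelta(hours=lifetime_hours)

def check_proxy(window, verifier_clock, skew=SKEW):
    """Classify the window against the verifier's clock, compared in UTC."""
    not_before, not_after = window
    now = verifier_clock.astimezone(UTC)
    if now < not_before - skew:
        return "not yet valid"
    if now > not_after + skew:
        return "expired"
    return "valid"

def diagnose(window, verifier_clock):
    """Error text that shows both the window and the verifier's clock in UTC."""
    now = verifier_clock.astimezone(UTC)
    return (f"proxy {check_proxy(window, verifier_clock)}: "
            f"valid {window[0]:%Y-%m-%d %H:%M} to {window[1]:%Y-%m-%d %H:%M} UTC, "
            f"verifier clock {now:%Y-%m-%d %H:%M} UTC")

def scenarios():
    """Constructed cases; 2002-01-15 is an arbitrary sample date."""
    real = datetime(2002, 1, 15, 8, 0, tzinfo=CENTRAL)       # true time, 8am Central
    good = issue_proxy(real)                                 # 14:00-22:00 UTC
    behind = issue_proxy(real - timedelta(days=1))           # issuing clock a day slow
    ahead = issue_proxy(real + timedelta(days=1))            # issuing clock a day fast
    return {
        "california_6am": check_proxy(good, datetime(2002, 1, 15, 6, 0, tzinfo=PACIFIC)),
        "4_min_early": check_proxy(good, real - timedelta(minutes=4)),
        "6_min_early": check_proxy(good, real - timedelta(minutes=6)),
        "clock_day_behind": check_proxy(behind, real),
        "clock_day_ahead": check_proxy(ahead, real),
        "message": diagnose(behind, real),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Printing the window and the verifier's clock side by side in UTC makes a wrong local clock or timezone setting visible in the error itself.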


