Re: [thredds] Authentication problems with the TDS and pydap

  • To: Christian Skarby <christians@xxxxxx>
  • Subject: Re: [thredds] Authentication problems with the TDS and pydap
  • From: Jim Fluke <james.fluke@xxxxxxxxxxxxx>
  • Date: Tue, 30 Jul 2024 17:37:52 -0600
<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    Okay, we are trying to install an &quot;official&quot; certificate using
    Certbot. Apparently, using Certbot is now the required way to
    install certificates at CSU, and we have done this successfully for
    Apache and nginx running on the host. The problem is that we are
    having trouble creating a Certbot configuration that works for the
    TDS running in a container (<a 
href="https://github.com/Unidata/thredds-docker">thredds-docker</a>).
    Has anyone done this? If so, can you share your Certbot
    configuration?<br>
    <br>
    Thanks,<br>
    Jim <br>
    <br>
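    The two TLS failures reported further down this thread (the keystore password error at Tomcat start-up, and the EOF errors after sslPort was changed) can be caught before start-up with a configuration check. The following is an added example, not part of the original messages and not TDS or thredds-docker code. The sample XML is constructed, and the names audit, authorizer_settings, tls_connectors and external_tls_port are hypothetical; it assumes sslPort must be a port on which clients actually reach a TLS listener.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from a real deployment). The bean is the one
# quoted in the thread; the Connector layout follows Tomcat's server.xml.
SAMPLE_APP_CONTEXT = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="restrictedDatasetAuthorizer"
        class="thredds.servlet.restrict.TomcatAuthorizer">
    <property name="useSSL" value="true"/>
    <property name="sslPort" value="443"/>
  </bean>
</beans>
"""

SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def authorizer_settings(app_context_xml):
    """Return useSSL/sslPort of the restrictedDatasetAuthorizer bean."""
    for el in ET.fromstring(app_context_xml).iter():
        if _local(el.tag) == "bean" and el.get("id") == "restrictedDatasetAuthorizer":
            props = {p.get("name"): p.get("value")
                     for p in el if _local(p.tag) == "property"}
            port = props.get("sslPort")
            return {"useSSL": props.get("useSSL", "false").lower() == "true",
                    "sslPort": int(port) if port else None}
    raise ValueError("restrictedDatasetAuthorizer bean not found")


def tls_connectors(server_xml):
    """Map port -> list of <Certificate> attribute dicts for TLS connectors."""
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            found[int(conn.get("port"))] = [dict(c.attrib)
                                            for c in conn.iter("Certificate")]
    return found


def audit(app_context_xml, server_xml, external_tls_port=None):
    """Return a list of (code, message) findings; an empty list means consistent.

    external_tls_port is the port of a TLS-terminating reverse proxy or a
    published container port in front of Tomcat, if there is one.
    """
    findings = []
    auth = authorizer_settings(app_context_xml)
    tls = tls_connectors(server_xml)
    reachable = set(tls)
    if external_tls_port is not None:
        reachable.add(external_tls_port)

    if not auth["useSSL"]:
        findings.append(("TLS_NOT_REQUIRED",
                         "useSSL is false: restricted-dataset credentials "
                         "are not forced onto TLS"))
    elif auth["sslPort"] not in reachable:
        findings.append(("SSLPORT_NO_LISTENER",
                         f"sslPort {auth['sslPort']} has no TLS listener; "
                         "clients sent there fail the handshake (EOF errors)"))

    for port, certs in sorted(tls.items()):
        if not certs:
            findings.append(("NO_CERTIFICATE",
                             f"connector {port}: SSLEnabled but no <Certificate>"))
        for cert in certs:
            if ("certificateKeystoreFile" in cert
                    and "certificateKeystorePassword" not in cert):
                findings.append(("KEYSTORE_PASSWORD_UNSET",
                                 f"connector {port}: no certificateKeystorePassword;"
                                 " Tomcat tries its default 'changeit' and fails"
                                 " with 'Keystore was tampered with, or password"
                                 " was incorrect' if the keystore uses another"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_APP_CONTEXT, SAMPLE_SERVER_XML):
        print(f"{code}: {message}")
```

    Pass external_tls_port when a reverse proxy or a published container port, rather than Tomcat itself, is what clients connect to for TLS.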
    <div class="moz-cite-prefix">On 7/12/24 03:45, Christian Skarby
      wrote:<br>
    </div>
    <blockquote type="cite" 
cite="mid:CA+2oyABNf-E3L7Fa8EbE4Hn4u2_TP4=0OD+ROcwscwuo=_h-EA@xxxxxxxxxxxxxx">
      
      <div>
        <div dir="ltr"><b>The easiest and best is usually to get a
            certificate from one of the renowned suppliers generally
            included in the trust store of big browsers and operating
            systems.<br>
          </b><br>
          Check out <a href="https://letsencrypt.org/" 
 moz-do-not-send="true">https://letsencrypt.org/</a> which
          provides certificates for free.<br>
          If it is possible to expose the http-port (tcp/80) of your
          server to the internet, that is an easy way to start using
          Let's Encrypt - and if necessary they also provide other ways
          to identify ownership of hostnames, e.g. by providing
          DNS-records.
          <div><br>
            If you really would like to make your own test certificates,
            you could check out&nbsp;<a 
href="https://github.com/OpenVPN/easy-rsa" 
 moz-do-not-send="true">https://github.com/OpenVPN/easy-rsa</a>&nbsp;<br>
            The certificates are regular SSL/TLS-certificates, and can
            be used for any protocol encrypted with TLS.<br>
            Read through&nbsp;<a 
href="https://github.com/OpenVPN/easy-rsa/blob/master/doc/Intro-To-PKI.md" 
moz-do-not-send="true">https://github.com/OpenVPN/easy-rsa/blob/master/doc/Intro-To-PKI.md</a>
            which is an introduction to public key infrastructure.<br>
            Your users must also understand the risk of giving you super
            powers: Certificate Authorities (CA) are trusted&nbsp;entities in
            your operating system/browser, and could issue certificates
            for any hostname. If they trust your CA, you could in theory
            make certificates for any existing (or non-existing domain
            name) and make their browser/application trust that site as
            you provide a valid certificate issued by one of their
            trusted CAs. Operating a CA also requires understanding of
            the trust model and to keep track of the different
            certificate expiry dates within the certificate chain from
            your root certificate and down to the service certificate.<br>
            <br>
            Again, if possible - always use certificates from official
            providers. Rolling your own CA is a big responsibility, and
            not for the faint of heart</div>
          <div>
            <div>
              <div dir="ltr" class="gmail_signature" 
data-smartmail="gmail_signature">
                <div dir="ltr"><br>
                  --<br>
                  Best Regards,<br>
                  <br>
                  Christian Skarby<br>
                  MET Norway</div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Fri, 12 July 2024 at 00:04,
            Jim Fluke &lt;<a href="mailto:james.fluke@xxxxxxxxxxxxx" 
moz-do-not-send="true" 
class="moz-txt-link-freetext">james.fluke@xxxxxxxxxxxxx</a>&gt; wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div>Pols,<br>
              <br>
              Well, by actually reading the rest of the instructions in
              the <a 
href="https://docs.unidata.ucar.edu/tds/current/userguide/enable_tls_encryption.html"
 target="_blank" moz-do-not-send="true">
                TDS documentation</a> I was able to set the<span 
style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
                certificateKeystorePassword, which fixed this problem.
                At least for website access if I push through the
                self-signed certificate warnings.<br>
                <br>
                But, pydap is failing due to the self-signed certificate
                and I haven't found a way around it yet:<br>
              </span><span style="font-family:monospace"><span 
style="color:rgb(0,0,0);background-color:rgb(255,255,255)">ssl.SSLCertVerificationError:
                  [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify
                  failed: self-signed certificate (_ssl.c:1000)</span><br>
              </span><br>
              If anyone knows a way around that please let me know.<br>
              <br>
              Thanks,<br>
              Jim<br>
              <br>
              On 7/11/24 11:47, Jim Fluke wrote:<br>
              <blockquote type="cite">Pols,<br>
                <br>
                I created a self-signed certificate since it's just for
                testing right now. So far I can't get it to work though.
                Here are the errors I get at TDS start up:<br>
                <span style="font-family:monospace"><span 
style="color:rgb(0,0,0);background-color:rgb(255,255,255)">10-Jul-2024
                    15:26:16.372 SEVERE [main]
                    
org.apache.catalina.util.LifecycleBase.handleSubClassException
                    Failed to initialize component
                    [Connector[&quot;https-openssl-nio-8443&quot;]]
                  </span><br>
                  
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;org.apache.catalina.LifecycleException:
                  Protocol handler initialization failed<br>
                  &nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .<br>
                  &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; .<br>
                  &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; .<br>
                  &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; </span><span 
style="font-family:monospace"><span 
style="color:rgb(0,0,0);background-color:rgb(255,255,255)">Caused by:
                    java.lang.IllegalArgumentException: Keystore was
                    tampered with, or password was incorrect</span></span><span 
style="font-family:monospace"><span 
style="color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
                    &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; .<br>
                    &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; .<br>
                    &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; .<br>
                    &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; Caused by:
                    java.security.UnrecoverableKeyException: Password
                    verification failed</span></span><span 
style="font-family:monospace"><span 
style="color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
                  </span></span><br>
                And, I am still using 8443. Also because this is a test
                environment.<br>
                <br>
                Do you have any idea where I can change the password. If
                that really is the problem.<br>
                <br>
                Thanks,<br>
                Jim<br>
                <br>
                <div>On 7/10/24 01:33, Pols, Maarten wrote:<br>
                </div>
                <blockquote type="cite">
                  <div>
                    <div>
                      <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="EN-US">Dear
                          Jim,</span></p>
                      <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;</span></p>
                      <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="EN-US">I
                          think you are right, first set up an SSL
                          certificate, I’m also using the thredds docker
                          image, together with an nginx proxy server.</span></p>
                      <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;</span></p>
                      <div>
                        <div>
                          <p class="MsoNormal"><b><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">M.J. (Maarten)
                                Pols</span></b><b><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif"><br>
                              </span></b><b><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">Products and
                                Services</span></b><b><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif"><br>
                              </span></b><b><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">System and
                                application administrator</span></b><b><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">
                              </span></b></p>
                        </div>
                        <p class="MsoNormal">&nbsp;</p>
                        <div>
                          <table cellpadding="0" border="0">
                            <tbody>
                              <tr>
                                <td style="padding:0.75pt">
                                  <p class="MsoNormal"><img style="width: 
1.8437in; height: 0.6354in;" id="m_9035996778467414347Afbeelding_x0020_2" 
src="cid:part1.3tAwF0TF.q2OiUoe9@colostate.edu" class="" width="177" 
height="61"></p>
                                </td>
                                <td style="padding:0.75pt">
                                  <div>
                                    <p class="MsoNormal" 
style="margin-bottom:12pt"><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">Botter 11-29,
                                        8232 JN Lelystad (also
                                        postal address)</span><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif"><br>
                                      </span><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">Berkenweg 7,
                                        Amersfoort | Informaticalaan 8,
                                        Delft</span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">Telephone 0320
                                        294292</span><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">
                                        <br>
                                      </span><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">Internet</span><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">
                                        <u><a href="http://www.hkv.nl/" 
 target="_blank" moz-do-not-send="true">www.hkv.nl</a></u>
                                      </span></p>
                                  </div>
                                </td>
                              </tr>
                            </tbody>
                          </table>
                        </div>
                        <div>
                          <p class="MsoNormal">&nbsp;&nbsp; </p>
                        </div>
                      </div>
                      <p class="MsoNormal"><span 
style="font-size:6pt;font-family:Verdana,sans-serif" lang="NL">HKV, the
                          knowledge entrepreneur for water and safety
                        </span><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="NL"></span></p>
                      <div>
                        <div 
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt 
solid rgb(225,225,225);padding:3pt 0cm 0cm">
                          <p class="MsoNormal"><b><span 
style="font-size:11pt;font-family:Calibri,sans-serif" 
lang="NL">From:</span></b><span 
style="font-size:11pt;font-family:Calibri,sans-serif" lang="NL"> Jim
                              Fluke
                              <a href="mailto:james.fluke@xxxxxxxxxxxxx" 
target="_blank" moz-do-not-send="true">&lt;james.fluke@xxxxxxxxxxxxx&gt;</a>
                              <br>
                              <b>Sent:</b> Tuesday, 9 July 2024
                              19:45<br>
                              <b>To:</b> Pols, Maarten <a 
href="mailto:M.Pols@xxxxxx" target="_blank" 
moz-do-not-send="true">&lt;M.Pols@xxxxxx&gt;</a>;
                              <a href="mailto:thredds@xxxxxxxxxxxxxxxx" 
target="_blank" moz-do-not-send="true" 
class="moz-txt-link-freetext">thredds@xxxxxxxxxxxxxxxx</a><br>
                              <b>Subject:</b> Re: [thredds]
                              Authentication problems with the TDS and
                              pydap</span></p>
                        </div>
                      </div>
                      <p class="MsoNormal">&nbsp;</p>
                      <p class="MsoNormal" style="margin-bottom:12pt"><br>
                        <br>
                      </p>
                      <div>
                        <p class="MsoNormal" 
style="margin-bottom:12pt">Pols,<br>
                          <br>
                          Thank you for your response!<br>
                          <br>
                          But, it still does not work. I think I
                          probably need this, or something like it, but
                          it's not enough.<br>
                          <br>
                          Now the web browser authentication fails with
                          this message:<br>
                          <span style="font-family:&quot;Courier 
New&quot;">Secure
                            Connection Failed<br>
                            <br>
                            An error occurred during a connection to
                            localhost. PR_END_OF_FILE_ERROR<br>
                            <br>
                            Error code: PR_END_OF_FILE_ERROR<br>
                            <br>
                            &nbsp;&nbsp;&nbsp; The page you are trying to view 
cannot
                            be shown because the authenticity of the
                            received data could not be verified.<br>
                            &nbsp;&nbsp;&nbsp; Please contact the website 
owners to
                            inform them of this problem.</span><br>
                          <br>
                          And the pydap authentication fails with this
                          message:<br>
                          <span style="font-family:&quot;Courier 
New&quot;;color:black;background:white">ssl.SSLEOFError:
                            [SSL: UNEXPECTED_EOF_WHILE_READING] EOF
                            occurred in violation of protocol
                            (_ssl.c:1000)</span><br>
                          <br>
                          Which seems to indicate that I need to add an
                          SSL certificate, which I have not done. Again,
                          I am using the thredds-docker image, which
                          does not have a certificate by default. And
                          the port forwarding that it does might be an
                          issue as well.<br>
                          <br>
                          I'll try the certificate, but other
                          suggestions would be very welcome.<br>
                          <br>
                          Jim</p>
                        <div>
                          <p class="MsoNormal">On 7/9/24 00:35, Pols,
                            Maarten wrote:</p>
                        </div>
                        <blockquote style="margin-top:5pt;margin-bottom:5pt">
                          <div>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="EN-US">Dear
                                Jim,</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="EN-US">This
                                problem cost me months to cover. It was
                                working in previous versions of thredds
                                but after an upgrade it broke my python
                                scripts.</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="EN-US">First
                                of all, don’t upgrade to the latest
                                numpy packages, it will break pydap,
                                latest working version is 1.26.x</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="EN-US">Then
                                to solve this issue, you need to change
                                applicationContext.xml file, this file
                                is in webapps -&gt; thredds -&gt;
                                WEB-INF</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="EN-US">You
                                need to change line 112 and 113:</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;</span></p>
                            <p class="MsoNormal"><i><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;&nbsp;&nbsp;
                                  &lt;bean
                                  id=&quot;restrictedDatasetAuthorizer&quot;
                                  
class=&quot;thredds.servlet.restrict.TomcatAuthorizer&quot;&gt;</span></i></p>
                            <p class="MsoNormal"><i><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                                  &lt;property name=&quot;useSSL&quot;
                                  value=&quot;false&quot;/&gt;</span></i></p>
                            <p class="MsoNormal"><i><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                                  &lt;property name=&quot;sslPort&quot;
                                  value=&quot;8443&quot;/&gt;</span></i></p>
                            <p class="MsoNormal"><i><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;&nbsp;&nbsp;
                                  &lt;/bean&gt;</span></i></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="EN-US">Into
                              </span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;</span></p>
                            <p class="MsoNormal"><i><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;&nbsp;&nbsp;
                                  &lt;bean
                                  id=&quot;restrictedDatasetAuthorizer&quot;
                                  
class=&quot;thredds.servlet.restrict.TomcatAuthorizer&quot;&gt;</span></i></p>
                            <p class="MsoNormal"><i><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                                  &lt;property name=&quot;useSSL&quot; 
value=&quot;<b>true</b>&quot;/&gt;</span></i></p>
                            <p class="MsoNormal"><i><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                                  &lt;property name=&quot;sslPort&quot; 
value=&quot;<b>443</b>&quot;/&gt;</span></i></p>
                            <p class="MsoNormal"><i><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;&nbsp;&nbsp;
                                  &lt;/bean&gt;</span></i></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" lang="EN-US">This
                                was solving the issue in my case, and I
                                hope it will help you.</span></p>
                            <p class="MsoNormal"><span 
style="font-size:10pt;font-family:Tahoma,sans-serif" 
lang="EN-US">&nbsp;</span></p>
                            <div>
                              <div>
                                <div>
                                  <div>
                                    <p class="MsoNormal"><b><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">M.J. (Maarten)
                                          Pols<br>
                                          Products and Services<br>
                                          System and application
                                          administrator </span></b></p>
                                  </div>
                                  <p class="MsoNormal">&nbsp;</p>
                                  <div>
                                    <table cellpadding="0" border="0">
                                      <tbody>
                                        <tr>
                                          <td style="padding:0.75pt">
                                            <p class="MsoNormal"><img 
style="width: 1.8541in; height: 0.6354in;" 
id="m_9035996778467414347Afbeelding_x0020_1" 
src="cid:part2.E5OTUT8r.xjGixCWC@colostate.edu" class="" width="178" 
height="61" border="0"></p>
                                          </td>
                                          <td style="padding:0.75pt">
                                            <div>
                                              <p class="MsoNormal" 
style="margin-bottom:12pt"><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">Botter 11-29,
                                                  8232 JN Lelystad, The
                                                  Netherlands (also
                                                  postal address)
                                                  <br>
                                                  Berkenweg 7,
                                                  Amersfoort |
                                                  Informaticalaan 8,
                                                  Delft</span></p>
                                            </div>
                                            <div>
                                              <p class="MsoNormal"><span 
style="font-size:7.5pt;font-family:Verdana,sans-serif">Telephone +31
                                                  (0)320 294292
                                                  <br>
                                                  Internet <u><a 
href="http://www.hkv.nl/en/" 
 target="_blank" moz-do-not-send="true">www.hkv.nl/en/</a></u>
                                                </span></p>
                                            </div>
                                          </td>
                                        </tr>
                                      </tbody>
                                    </table>
                                  </div>
                                  <div>
                                    <p class="MsoNormal">&nbsp;&nbsp; </p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><span 
style="font-size:6pt;font-family:Verdana,sans-serif" lang="EN-US">HKV,
                                        knowledge entrepreneurs in flood
                                        risk and water resources
                                        management
                                      </span></p>
                                  </div>
                                </div>
                              </div>
                            </div>
                            <div>
                              <div 
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt 
solid rgb(225,225,225);padding:3pt 0cm 0cm">
                                <p class="MsoNormal"><b><span 
style="font-size:11pt;font-family:Calibri,sans-serif" 
lang="NL">From:</span></b><span 
style="font-size:11pt;font-family:Calibri,sans-serif" lang="NL"> thredds
                                    <a 
href="mailto:thredds-bounces@xxxxxxxxxxxxxxxx" target="_blank" 
moz-do-not-send="true">&lt;thredds-bounces@xxxxxxxxxxxxxxxx&gt;</a>
                                    <b>On behalf of </b>Jim Fluke<br>
                                    <b>Sent:</b> Tuesday, 9 July
                                    2024 00:04<br>
                                    <b>To:</b> <a 
href="mailto:thredds@xxxxxxxxxxxxxxxx" target="_blank" moz-do-not-send="true" 
class="moz-txt-link-freetext">thredds@xxxxxxxxxxxxxxxx</a><br>
                                    <b>Subject:</b> [thredds]
                                    Authentication problems with the TDS
                                    and pydap</span></p>
                              </div>
                            </div>
                            <p class="MsoNormal">&nbsp;</p>
                            <p class="MsoNormal" style="margin-bottom:12pt"><br>
                              <br>
                              <br>
                            </p>
                            <div>
                              <p class="MsoNormal">Hello,<br>
                                <br>
                                I'm now trying to get user
                                authentication working with our
                                thredds-docker based TDS. I'm pretty
                                sure I have the configuration set up to
                                enable authentication as described in
                                the TDS manual's &quot;<span 
style="color:black;background:white"><a 
href="https://docs.unidata.ucar.edu/tds/current/userguide/restict_access_to_tds.html#restrict-access-by-dataset-in-tds-catalogs"
 target="_blank" moz-do-not-send="true">Restrict
                                    Access To The TDS</a>&quot; page</span>.
                                And I have verified this by accessing
                                the TDS from a browser and having the
                                credentials entry pop-up window display
                                and work correctly.<br>
                                <br>
                                But, I can't get the authentication to
                                work in Python with pydap. According to
                                the pydap documentation the credentials
                                should be added to the URL this way:<br>
                                <br>
                                <span style="font-family:&quot;Courier 
New&quot;;color:black;background:white">&gt;&gt;&gt;
                                  from pydap.client import open_url
                                </span><span style="font-family:&quot;Courier 
New&quot;"><br>
                                  &gt;&gt;&gt; dataset = open_url('<a 
href="http://username:password@xxxxxxxxxxxxxxxxxx/path/to/dataset" 
target="_blank" 
moz-do-not-send="true">http://username:password@xxxxxxxxxxxxxxxxxx/path/to/dataset</a>')<br>
                                </span><br>
                                But because <a 
href="https://docs.unidata.ucar.edu/tds/current/userguide/digested_passwords.html"
 target="_blank" moz-do-not-send="true">
                                  Digested Passwords</a> are enabled for
                                our TDS, it seems clear that I should
                                use the digested password, so this is
                                what I tried:<br>
                                <br>
                                <span style="font-family:&quot;Courier 
New&quot;;color:black;background:white">&gt;&gt;&gt;
                                  from pydap.client import open_url
                                </span><span style="font-family:&quot;Courier 
New&quot;"><br>
                                  &gt;&gt;&gt; dataset = open_url('<span 
style="color:black;background:white">http://fluke:d1ef3ce7e7c41de74192a362524ad0a460692a222d9dd796ee383b56e446d749$1$d03ce0f88475505a68bd0eb37fa570df8120e59ccf62a4f580a55ad612f695c0e385893fe7205f7c181b221ab49bc817d4a33a2b2bb727fdc0ee3420e7e5b99e@localhost:7000/thredds/dodsC/cloudsat-data/2B-GEOPROF.P1_R05/2008/366/2008366031107_14239_CS_2B-GEOPROF_GRANULE_P1_R05_E02_F00.hdf</span>')<br>
                                </span><br>
                                But it does not work. Here is the
                                output:<br>
                                <br>
                                <span style="font-family:&quot;Courier 
New&quot;;color:black;background:white">@
~/devRepos/thredds-dpc-gh-actual/tests$ docker-compose run --rm
                                  test_opendap
                                </span><span style="font-family:&quot;Courier 
New&quot;"><br>
                                  url: http://fluke:d1ef3ce7e7c41de74192a362524ad0a460692a222d9dd796ee383b56e446d749$1$d03ce0f88475505a68bd0eb37fa570df8120e59ccf62a4f580a55ad612f695c0e385893fe7205f7c181b221ab49bc817d4a33a2b2bb727fdc0ee3420e7e5b99e@localhost:7000/thredds/dodsC/cloudsat-data/2B-GEOPROF.P1_R05/2008/366/2008366031107_14239_CS_2B-GEOPROF_GRANULE_P1_R05_E02_F00.hdf
                                  <br>
                                  <br>
                                  Traceback (most recent call last): <br>
                                  &nbsp;File &quot;/app/opendap_pydap.py&quot;, 
line 8,
                                  in &lt;module&gt; <br>
                                  &nbsp;&nbsp;&nbsp;dataset = open_url(url) <br>
                                  
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;^^^^^^^^^^^^^
 <br>
                                  &nbsp;File
                                  
&quot;/opt/conda/lib/python3.12/site-packages/pydap/client.py&quot;,
                                  line 68, in open_url
                                  <br>
                                  &nbsp;&nbsp;&nbsp;handler =
                                  pydap.handlers.dap.DAPHandler(url,
                                  application, session, output_grid,
                                  <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                  <br>
                                  &nbsp;File
                                  
&quot;/opt/conda/lib/python3.12/site-packages/pydap/handlers/dap.py&quot;,
                                  line 71, in __init__
                                  <br>
                                  &nbsp;&nbsp;&nbsp;self.make_dataset() <br>
                                  &nbsp;File
                                  
&quot;/opt/conda/lib/python3.12/site-packages/pydap/handlers/dap.py&quot;,
                                  line 96, in make_dataset
                                  <br>
                                  &nbsp;&nbsp;&nbsp;self.dataset_from_dap2() 
<br>
                                  &nbsp;File
                                  
&quot;/opt/conda/lib/python3.12/site-packages/pydap/handlers/dap.py&quot;,
                                  line 109, in dataset_from_dap2
                                  <br>
                                  
&nbsp;&nbsp;&nbsp;pydap.net.raise_for_status(r) <br>
                                  &nbsp;File
                                  
&quot;/opt/conda/lib/python3.12/site-packages/pydap/net.py&quot;,
                                  line 38, in raise_for_status
                                  <br>
                                  &nbsp;&nbsp;&nbsp;raise HTTPError( <br>
                                  webob.exc.HTTPError: 401 Unauthorized
                                  <br>
                                  &lt;!doctype html&gt;&lt;html
                                  
lang=&quot;en&quot;&gt;&lt;head&gt;&lt;title&gt;HTTP
                                  Status 401 –
                                  Unauthorized&lt;/title&gt;&lt;style
                                  type=&quot;text/css&quot;&gt;body
                                  {font-family:Tahoma,Arial,sans-serif;}
                                  h1, h2, h3, b
                                  {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
                                  {font-size:16px;} h3 {font-size:14px;}
                                  p {font-size:12px;} a {color:black;}
                                  .line
{height:1px;background-color:#525D76;border:none;}&lt;/style&gt;&lt;/head&gt;&lt;body&gt;&lt;h1&gt;HTTP Status 401 –
                                  Unauthorized&lt;/h1&gt;&lt;hr
                                  class=&quot;line&quot;
                                  /&gt;&lt;p&gt;&lt;b&gt;Type&lt;/b&gt;
                                  Status
                                  
Report&lt;/p&gt;&lt;p&gt;&lt;b&gt;Description&lt;/b&gt;
                                  The request has not been applied to
                                  the target resource because it lacks
                                  valid authentication credentials for
                                  that resource.&lt;/p&gt;&lt;hr
                                  class=&quot;line&quot; /&gt;&lt;h3&gt;Apache
                                  
Tomcat&lt;/h3&gt;&lt;/body&gt;&lt;/html&gt;<br>
                                  <br>
                                </span>So, am I right to be using the
                                digested password? Do you see anything
                                else that could be wrong? Why does this
                                work for the browser but not for pydap?<br>
                                <br>
                                I will add that the algorithm for the <span 
style="color:black;background:white">
                                  CredentialHandler is 
&quot;sha-</span><b><span 
style="color:rgb(255,84,84);background:white">512</span></b>&quot; in the
                                ~tomcat/conf/server.xml file inside the
                                container, so that is why the digested
                                password is an sha512 digest. And the
                                clear text password is &quot;flukeTmp&quot;. 
I'll
                                be changing that for our production
                                system.<br>
                                <br>
                                And, all of this - the TDS configuration
                                and the test Python script with the
                                above URL - is now checked in to our
                                <a 
href="https://github.com/JimFluke/thredds-dpc/tree/master" 
target="_blank" moz-do-not-send="true">thredds-dpc</a>
                                repository on GitHub so you can look at
                                the details there.<br>
                                <br>
                                Any help would be greatly appreciated.<br>
                                <br>
                                Thanks,<br>
                                Jim</p>
                            </div>
                          </div>
                        </blockquote>
                        <p class="MsoNormal">&nbsp;</p>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </blockquote>
              <br>
            </div>
            _______________________________________________<br>
            NOTE: All exchanges posted to Unidata maintained email lists
            are<br>
            recorded in the Unidata inquiry tracking system and made
            publicly<br>
            available through the web.&nbsp; Users who post to any of the
            lists we<br>
            maintain are reminded to remove any personal information
            that they<br>
            do not want to be made public.<br>
            <br>
            <br>
            thredds mailing list<br>
            <a href="mailto:thredds@xxxxxxxxxxxxxxxx" target="_blank" 
moz-do-not-send="true" 
class="moz-txt-link-freetext">thredds@xxxxxxxxxxxxxxxx</a><br>
            For list information or to unsubscribe,&nbsp; visit: <a 
href="https://www.unidata.ucar.edu/mailing_lists/" 
rel="noreferrer" target="_blank" moz-do-not-send="true">
              https://www.unidata.ucar.edu/mailing_lists/</a> <br>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>
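
Added example, not part of the original messages and not Tomcat, TDS or pydap code: a model of how a server holding salted digests in the `salt$iterations$digest` shape quoted above checks a login, showing that it digests whatever password the client presents, so the clear-text password verifies and the stored digest string does not. HTTP Basic authentication, the hashing scheme (SHA-512 over salt followed by password, re-hashed per extra iteration), all function names and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
SALT = bytes(range(32))
CLEAR_PASSWORD = "example-pass"


def digest_password(password: str, salt: bytes, iterations: int) -> str:
    """Assumed scheme: SHA-512 over salt + password, re-hashed per extra iteration."""
    result = hashlib.sha512(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        result = hashlib.sha512(result).digest()
    return result.hex()


def make_stored_credential(password: str, salt: bytes, iterations: int = 1) -> str:
    """Build the salt$iterations$digest string kept in the server's user file."""
    return f"{salt.hex()}${iterations}${digest_password(password, salt, iterations)}"


def basic_auth_header(user: str, password: str) -> str:
    """Client side: HTTP Basic sends base64(user:password), the password as typed."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def server_accepts(header: str, user: str, stored: str) -> bool:
    """Server side: decode the header, digest the presented password, compare."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    sent_user, _, sent_password = base64.b64decode(token).decode("utf-8").partition(":")
    salt_hex, iterations, expected = stored.split("$")
    candidate = digest_password(sent_password, bytes.fromhex(salt_hex), int(iterations))
    return sent_user == user and hmac.compare_digest(candidate, expected)


STORED = make_stored_credential(CLEAR_PASSWORD, SALT)

if __name__ == "__main__":
    # Clear-text password: the server's digest of it matches the stored value.
    print(server_accepts(basic_auth_header("demo", CLEAR_PASSWORD), "demo", STORED))
    # Stored digest sent as the password: the server digests it again, no match.
    print(server_accepts(basic_auth_header("demo", STORED), "demo", STORED))
```

Because the clear-text password is what travels in the request, Basic authentication of this kind depends on HTTPS for confidentiality.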
