Compliance tests and site configuration for experiments

FNAL dCache with tokens

• configured with ownership inheritance
• also export data with NFS

ATLAS XCache

• only for stage-in
• involve Ilija in discussion how to use tokens with root://xcache:1094//root://source:1094/path/file

Transfers with root:// protocol

With no bearer token and just X.509 VOMS proxy I get complains while trying to access dCache 8.2.10

$ xrdfs root://xrd.farm.particle.cz:1094 ls / > /dev/null
$ xrdfs root://dcache.farm.particle.cz:1094 ls / > /dev/null
security protocol 'ztn' disallowed for non-TLS connections.

while there is no such error message for XRootD server. Authentication send by

• dCache: &P=ztn,0:4096:&P=gsi,v:10400,c:ssl,ca:dec71a0b&P=unix
• XRootD: &P=ztn,0:4096:&P=gsi,v:10600,c:ssl,ca:8d33f237.0|dec71a0b.0

XRootD client don't even try to find bearer token in dCache case and complain while in XRootD server case client just give up on ZTN after it realize there is no token available.

xrdfs client is asked by XRootD server to upgrade connection to TLS while dCache doesn't ask for this upgrade => first connection gets secured and that's why client doesn't show ztn security warning.

while trying to understand these differences we discovered an issue how dCache apply different xrootd.security.tls.mode configurations.