
Re: [HTCondor-users] [SPAM] Re: job failed to submit to CE with SCIToken only



Hi Brian,

The test you suggested is really helpful. The ETF friends have found
the clue with the attached log. It seems to be related to the version
of the ETF image. I am not clear on what the difference between the
ETF images is, but it looks like HTCondor versions 10.0.3/10.0.5
and OS versions EL8/EL9 are involved in these images.

Besides, I have a stupid question: why does the submission with a
scitoken involve the SSL method? Thanks!

Cheers,
Xiaowei 


> -----Original Message-----
> From: "Bockelman, Brian" <BBockelman@xxxxxxxxxxxxx>
> Sent: 2023-06-14 20:41:11 (Wednesday)
> To: "HTCondor-Users Mail List" <htcondor-users@xxxxxxxxxxx>
> Cc: 
> Subject: [SPAM] Re: [HTCondor-users] job failed to submit to CE with SCIToken only
> 
> Hi Xiaowei,
> 
> This is a completely different response - the token was passed to the server (authenticated) but the authorization was denied.
> 
> You may need to ask the ETF admins to try the test I suggested; it could be something in their host's configuration.
> 
> Brian
> 
> Sent from my iPhone
> 
> > On Jun 14, 2023, at 3:06 AM, JIANG Xiaowei <jiangxw@xxxxxxxxxx> wrote:
> > 
> > Hi Brian, Todd, Maarten,
> > 
> > Thanks to all of you! Following your suggestion, I did some tests with a scitoken on CERN's lxplus node.
> > 
> > Using a cms user's scitoken with scopes (compute.read), I ran the command Brian suggested and the submit command Maarten suggested, and got the same log:
> > 
> > 06/14/23 09:22:35 SECMAN: received post-auth classad:
> > ReturnCode = "DENIED"
> > Sid = "condorce02:80306:1686727354:6858"
> > TriedAuthentication = true
> > User = "lhcb048@xxxxxxxxxxxxxxxxxx"
> > ValidCommands = "60007,457,60020,68,5,6,7,9,12,43,20,46,78,50,56,48,71,74"
> > 06/14/23 09:22:35 SECMAN: FAILED: Received "DENIED" from server for user lhcb048@xxxxxxxxxxxxxxxxxx using method SCITOKENS.
> > Error: communication error
> > SECMAN:2010:Received "DENIED" from server for user lhcb048@xxxxxxxxxxxxxxxxxx using method SCITOKENS.
> > Error: Couldn't contact the condor_collector on condorce02.ihep.ac.cn
> > 
> > The CE looks like it successfully recognizes the token and maps it to the local user lhcb048 (it has improved compared with my earlier test). And the allow_* and deny_* on the CE side are (some configurations are temporary for debugging the issue):
> > ALLOW_ADMIN_COMMANDS = true
> > ALLOW_ADMINISTRATOR = $(SUPERUSERS)
> > ALLOW_CLIENT = *
> > ALLOW_DAEMON = $(FRIENDLY_DAEMONS)
> > ALLOW_NEGOTIATOR = $(SUPERUSERS)
> > ALLOW_OWNER = $(SUPERUSERS)
> > ALLOW_READ = *
> > ALLOW_WRITE = *
> > COLLECTOR.ALLOW_ADVERTISE_MASTER = $(FRIENDLY_DAEMONS)
> > COLLECTOR.ALLOW_ADVERTISE_SCHEDD = $(FRIENDLY_DAEMONS)
> > COLLECTOR.ALLOW_ADVERTISE_STARTD = $(UNMAPPED_USERS), $(USERS)
> > COLLECTOR.ALLOW_READ = *
> > SCHEDD.ALLOW_NEGOTIATOR = condor@xxxxxxxxxxxxxxxxxxx/$(FULL_HOSTNAME)
> > SCHEDD.ALLOW_WRITE = *
> > SCHEDD_ALLOW_LATE_MATERIALIZE = true
> > DENY_ADMINISTRATOR = anonymous@*, unmapped@*
> > DENY_CLIENT = anonymous@*, unmapped@*
> > DENY_DAEMON = anonymous@*, unmapped@*
> > DENY_NEGOTIATOR = anonymous@*, unmapped@*
> > DENY_OWNER = anonymous@*, unmapped@*
> > DENY_WRITE = anonymous@*, unmapped@* */134.158.151.140 */31.147.202.178
> > 
> > I don't know if the log "SECMAN:2010:Received "DENIED" from server for user lhcb048@xxxxxxxxxxxxxxxxxx using method SCITOKENS" is related to my allow/deny policy or scitoken's scopes. Is it possible to fix the 'DENIED' problem on the CE side in this case?
> > 
> > Besides, I am asking the CMS friends to run a similar test on the ETF host.
> > 
> > Regards,
> > Xiaowei
> > 
> > 
> > 
> >> -----Original Message-----
> >> From: "Bockelman, Brian" <BBockelman@xxxxxxxxxxxxx>
> >> Sent: 2023-06-14 09:47:47 (Wednesday)
> >> To: "HTCondor-Users Mail List" <htcondor-users@xxxxxxxxxxx>
> >> Cc: 
> >> Subject: Re: [HTCondor-users] job failed to submit to CE with SCIToken only
> >> 
> >> Hi Xiaowei,
> >> 
> >> From the server-side logfile you shared, the error is on the client side.  For both SSL/TLS and SCITOKENS authentication, the client sends a message that it's giving up prior to completing the SSL handshake.  Since it's that early, you can eliminate any current problems with the token itself or the authorization configuration.
> >> 
> >> I queried from a personal dev host and it seems to have given a reasonable response.
> >> 
> >> You may ask the administrator of etf-01.cern.ch to try sending you the output of the following:
> >> 
> >> _CONDOR_AUTH_SSL_CLIENT_CADIR=/etc/grid-security/certificates/ _CONDOR_SEC_CLIENT_AUTHENTICATION_METHODS=SCITOKENS _CONDOR_TOOL_DEBUG=D_SECURITY:2 condor_status -debug -pool condorce02.ihep.ac.cn:9619
> >> 
> >> and see if the client is producing more useful debug outputs at the higher logging level.
> >> 
> >> For example, if AUTH_SSL_CLIENT_CADIR is not set to /etc/grid-security/certificates (as suggested in Maarten's later link) then I can reproduce what you see rather easily.
> >> 
> >> Brian
> >> 
> >>>> On Jun 13, 2023, at 5:17 AM, JIANG Xiaowei <jiangxw@xxxxxxxxxx> wrote:
> >>> 
> >>> Dear Experts, 
> >>> 
> >>> I am facing a weird problem: the cms sam job cannot be submitted to our CE with only a SCIToken.
> >>> On sam schedd side, there are some errors like [1]. 
> >>> On my CE collector, the CollectorLog is posted in the attachment and no clue in SchedLog. 
> >>> The related configurations are like: 
> >>> [root@condorce02 config.d]# cat /etc/condor-ce/mapfiles.d/10-scitokens.conf
> >>> # CMS SAM ##
> >>> SCITOKENS /^https\:\/\/cms-auth\.web\.cern\.ch\/,08ca855e-d715-410e-a6ff-ad77306e1763$/ cmssgm006
> >>> ## ATLAS SAM ##
> >>> SCITOKENS /^https:\/\/atlas-auth\.web\.cern\.ch\/,5c5d2a4d-9177-3efa-912f-1b4e5c9fb660$/ atlassgm007
> >>> [root@condorce02 config.d]# condor_ce_config_val -dump Collector.SEC
> >>> COLLECTOR.SEC_ADVERTISE_STARTD_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,GSI,SSL
> >>> COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,GSI,SSL
> >>> COLLECTOR.SEC_WRITE_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,GSI,SSL
> >>> The condor_versions are:  
> >>> [root@condorce02 config.d]# condor_ce_version
> >>> $HTCondorCEVersion: 5.1.6 $
> >>> $CondorVersion: 9.0.17 May 27 2023 BuildID: 649540 PackageID: 9.0.17-3 $
> >>> Hope to get help from your expert side! Thanks! 
> >>> 
> >>> Regards, 
> >>> Xiaowei 
> >>> 
> >>> [1] -  
> >>> 06/07/23 13:23:07 [117315] SECMAN: required authentication with collector at <202.122.33.23:9619> failed, so aborting command QUERY_SCHEDD_ADS.
> >>> 06/07/23 13:23:07 [117315] ERROR: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS|AUTHENTICATE:1004:Failed to authenticate using FS
> >>> 06/07/23 13:23:07 [117315] Error locating schedd condorce02.ihep.ac.cn
> >>> 06/07/23 13:23:07 [117315] Can't find address of queue manager
> >>> 06/07/23 13:23:07 [117315] Error connecting to schedd condorce02.ihep.ac.cn:
> >>> <collector.log>
> >>> _______________________________________________
> >>> HTCondor-users mailing list
> >>> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> >>> subject: Unsubscribe
> >>> You can also unsubscribe by visiting
> >>> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
> >>> 
> >>> The archives can be found at:
> >>> https://lists.cs.wisc.edu/archive/htcondor-users/
> >> 
> >> 
> >> 
OMD[etf]:~$ _CONDOR_SCITOKENS_FILE=/opt/omd/sites/etf/etc/nagios/globus/cms-ce.token _CONDOR_AUTH_SSL_CLIENT_CADIR=/etc/grid-security/certificates/ _CONDOR_SEC_CLIENT_AUTHENTICATION_METHODS=SCITOKENS _CONDOR_TOOL_DEBUG=D_SECURITY:2 condor_status -debug -pool condorce02.ihep.ac.cn:9619
06/15/23 07:46:22 KEYCACHE: created: 0x1f581d0
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission ALLOW
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission READ
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission WRITE
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission NEGOTIATOR
06/15/23 07:46:22 ipverify: NEGOTIATOR optimized to deny everyone
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission ADMINISTRATOR
06/15/23 07:46:22 ipverify: ADMINISTRATOR optimized to deny everyone
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission CONFIG
06/15/23 07:46:22 ipverify: CONFIG optimized to deny everyone
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission DAEMON
06/15/23 07:46:22 ipverify: DAEMON optimized to deny everyone
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission SOAP
06/15/23 07:46:22 ipverify: SOAP optimized to deny everyone
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission DEFAULT
06/15/23 07:46:22 ipverify: DEFAULT optimized to deny everyone
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission CLIENT
06/15/23 07:46:22 IPVERIFY: allow CLIENT: * (from config value ALLOW_CLIENT)
06/15/23 07:46:22 ipverify: CLIENT optimized to allow anyone
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission ADVERTISE_STARTD
06/15/23 07:46:22 ipverify: ADVERTISE_STARTD optimized to deny everyone
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission ADVERTISE_SCHEDD
06/15/23 07:46:22 ipverify: ADVERTISE_SCHEDD optimized to deny everyone
06/15/23 07:46:22 IPVERIFY: Subsystem TOOL
06/15/23 07:46:22 IPVERIFY: Permission ADVERTISE_MASTER
06/15/23 07:46:22 ipverify: ADVERTISE_MASTER optimized to deny everyone
06/15/23 07:46:22 Initialized the following authorization table:
06/15/23 07:46:22 Authorizations yet to be resolved:
06/15/23 07:46:22 SECMAN: command 5 QUERY_STARTD_ADS to collector at <202.122.33.23:9619> from TCP port 2725 (blocking).
06/15/23 07:46:22 Filtering authentication methods (SCITOKENS) prior to offering them remotely.
06/15/23 07:46:22 SECMAN: no cached key for {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<5>}.
06/15/23 07:46:22 SECMAN: Security Policy:
AuthMethods = "SCITOKENS"
Authentication = "REQUIRED"
CryptoMethods = "AES,BLOWFISH,3DES"
ECDHPublicKey = "BOOFIm5DAscT4mCyq3UBFWnc6pnDVrST3uKWxGRlBd+vSZkgo64+9G5Oo655VsauUm0RzfQQmpnBnpjUfC2uBwo="
Enact = "NO"
Encryption = "REQUIRED"
Integrity = "REQUIRED"
NegotiatedSession = true
NewSession = "YES"
OutgoingNegotiation = "REQUIRED"
ServerPid = 875995
SessionDuration = "60"
SessionLease = 3600
Subsystem = "TOOL"
TrustDomain = "etf-01.cern.ch"
06/15/23 07:46:22 SECMAN: negotiating security for command 5.
06/15/23 07:46:22 SECMAN: sending DC_AUTHENTICATE command
06/15/23 07:46:22 SECMAN: sending following classad:
AuthMethods = "SCITOKENS"
Authentication = "REQUIRED"
Command = 5
ConnectSinful = "<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>"
CryptoMethods = "AES,BLOWFISH,3DES"
ECDHPublicKey = "BOOFIm5DAscT4mCyq3UBFWnc6pnDVrST3uKWxGRlBd+vSZkgo64+9G5Oo655VsauUm0RzfQQmpnBnpjUfC2uBwo="
Enact = "NO"
Encryption = "REQUIRED"
Integrity = "REQUIRED"
NegotiatedSession = true
NewSession = "YES"
OutgoingNegotiation = "REQUIRED"
RemoteVersion = "$CondorVersion: 10.0.5 2023-06-09 BuildID: 651398 PackageID: 10.0.5-1 $"
ServerPid = 875995
SessionDuration = "60"
SessionLease = 3600
Subsystem = "TOOL"
TrustDomain = "etf-01.cern.ch"
06/15/23 07:46:23 SECMAN: server responded with:
AuthMethods = "SCITOKENS"
AuthMethodsList = "SCITOKENS"
Authentication = "YES"
CryptoMethods = "AES"
CryptoMethodsList = "AES,BLOWFISH,3DES"
Enact = "YES"
Encryption = "YES"
Integrity = "YES"
IssuerKeys = "POOL"
RemoteVersion = "$CondorVersion: 9.0.17 May 27 2023 BuildID: 649540 PackageID: 9.0.17-3 $"
SessionDuration = "60"
SessionLease = 3600
TrustDomain = "condorce02.ihep.ac.cn:9619"
06/15/23 07:46:23 SECMAN: new session, doing initial authentication.
06/15/23 07:46:23 SECMAN: authenticating RIGHT NOW.
06/15/23 07:46:23 SECMAN: AuthMethodsList: SCITOKENS
06/15/23 07:46:23 SECMAN: Auth methods: SCITOKENS
06/15/23 07:46:23 AUTHENTICATE: setting timeout for <202.122.33.23:9619?alias=condorce02.ihep.ac.cn> to 20.
06/15/23 07:46:23 AUTHENTICATE: in authenticate( addr == '<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>', methods == 'SCITOKENS')
06/15/23 07:46:23 AUTHENTICATE: can still try these methods: SCITOKENS
06/15/23 07:46:23 HANDSHAKE: in handshake(my_methods = 'SCITOKENS')
06/15/23 07:46:23 HANDSHAKE: handshake() - i am the client
06/15/23 07:46:23 HANDSHAKE: sending (methods == 4096) to server
06/15/23 07:46:23 HANDSHAKE: server replied (method = 4096)
06/15/23 07:46:23 AUTHENTICATE: will try to use 4096 (SCITOKENS)
06/15/23 07:46:23 AUTHENTICATE: do_authenticate is 1.
06/15/23 07:46:23 CAFILE:     '/etc/pki/tls/certs/ca-bundle.crt'
06/15/23 07:46:23 CADIR:      '/etc/grid-security/certificates/'
06/15/23 07:46:23 CIPHERLIST: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
06/15/23 07:46:23 SCITOKENSFILE:   '/opt/omd/sites/etf/etc/nagios/globus/cms-ce.token'
06/15/23 07:46:23 SSL client host check: using host alias condorce02.ihep.ac.cn for peer 202.122.33.23
06/15/23 07:46:23 SSL Auth: Found a SciToken to use for authentication.
06/15/23 07:46:23 SSL Auth: Trying to connect.
06/15/23 07:46:23 Tried to connect: -1
06/15/23 07:46:23 SSL Auth: SSL: trying to continue reading.
06/15/23 07:46:23 Round 1.
06/15/23 07:46:23 Send message (2).
06/15/23 07:46:23 Status (c: 2, s: 0)
06/15/23 07:46:23 SSL Auth: Trying to connect.
06/15/23 07:46:23 Tried to connect: -1
06/15/23 07:46:23 SSL Auth: SSL: trying to continue reading.
06/15/23 07:46:23 Round 2.
06/15/23 07:46:23 SSL Auth: Receive message.
06/15/23 07:46:23 Received message (2).
06/15/23 07:46:23 Status (c: 2, s: 2)
06/15/23 07:46:23 SSL Auth: Trying to connect.
06/15/23 07:46:23 Tried to connect: -1
06/15/23 07:46:23 SSL Auth: SSL: trying to continue reading.
06/15/23 07:46:23 Round 3.
06/15/23 07:46:23 Send message (2).
06/15/23 07:46:23 Status (c: 2, s: 2)
06/15/23 07:46:23 SSL Auth: Trying to connect.
06/15/23 07:46:23 Tried to connect: -1
06/15/23 07:46:23 SSL Auth: SSL: trying to continue reading.
06/15/23 07:46:23 Round 4.
06/15/23 07:46:23 SSL Auth: Receive message.
06/15/23 07:46:23 Received message (4).
06/15/23 07:46:23 Status (c: 2, s: 4)
06/15/23 07:46:23 SSL Auth: Trying to connect.
06/15/23 07:46:23 Tried to connect: 1
06/15/23 07:46:23 Round 5.
06/15/23 07:46:23 Send message (4).
06/15/23 07:46:23 Status (c: 4, s: 4)
06/15/23 07:46:23 Client trying post connection check.
06/15/23 07:46:23 Cipher used: AES128-GCM-SHA256.
06/15/23 07:46:23 SSL Auth: post_connection_check.
06/15/23 07:46:23 SSL_get_peer_certificate returned data.
06/15/23 07:46:23 SSL host check: host alias condorce02.ihep.ac.cn matches certificate SAN condorce02.ihep.ac.cn.
06/15/23 07:46:23 SSL Auth: Server checks out; returning SSL_get_verify_result.
06/15/23 07:46:23 Client performs one last exchange of messages.
06/15/23 07:46:23 Reading round 1.
06/15/23 07:46:23 SSL Auth: SSL: continue read/write.
06/15/23 07:46:23 SSL Auth: Receive message.
06/15/23 07:46:23 Received message (4).
06/15/23 07:46:23 Status: c: 2, s: 4
06/15/23 07:46:23 Reading round 2.
06/15/23 07:46:23 SSL read has succeeded.
06/15/23 07:46:23 Send message (4).
06/15/23 07:46:23 Status: c: 4, s: 4
06/15/23 07:46:23 CRYPTO: New crypto state with protocol 3DES
06/15/23 07:46:23 Writing SciToken round 1.
06/15/23 07:46:23 SSL write is successful.
06/15/23 07:46:23 Send message (4).
06/15/23 07:46:23 SciToken exchange status: c: 4, s: 2
06/15/23 07:46:23 Writing SciToken round 2.
06/15/23 07:46:23 SSL write is successful.
06/15/23 07:46:23 SSL Auth: Receive message.
06/15/23 07:46:23 Received message (4).
06/15/23 07:46:23 SciToken exchange status: c: 4, s: 4
06/15/23 07:46:23 SSL authentication succeeded to
06/15/23 07:46:23 AUTHENTICATE: auth_status == 256 (SCITOKENS)
06/15/23 07:46:23 Authentication was a Success.
06/15/23 07:46:23 AUTHENTICATION: setting default map to scitokens@unmapped
06/15/23 07:46:23 AUTHENTICATION: post-map: current user is 'scitokens'
06/15/23 07:46:23 AUTHENTICATION: post-map: current domain is 'unmapped'
06/15/23 07:46:23 AUTHENTICATION: post-map: current FQU is 'scitokens@unmapped'
06/15/23 07:46:23 AUTHENTICATE: Exchanging keys with remote side.
06/15/23 07:46:23 AUTHENTICATE: Result of end of authenticate is 1.
06/15/23 07:46:23 SECMAN: about to enable encryption.
06/15/23 07:46:23 CRYPTO: New crypto state with protocol AES
06/15/23 07:46:23 SECMAN: successfully enabled encryption!
06/15/23 07:46:23 SECMAN: about to enable message authenticator with key type 3
06/15/23 07:46:23 SECMAN: because protocal is AES, not using other MAC.
06/15/23 07:46:23 SECMAN: successfully enabled message authenticator!
06/15/23 07:46:23 SECMAN: received post-auth classad:
ReturnCode = "AUTHORIZED"
Sid = "condorce02:80306:1686815183:15712"
TriedAuthentication = true
User = "cmssgm006@xxxxxxxxxxxxxxxxxx"
ValidCommands = "60007,457,60020,68,5,6,7,9,12,43,20,46,78,50,56,48,71,74"
06/15/23 07:46:23 SECMAN: policy to be cached:
AuthMethods = "SCITOKENS"
AuthMethodsList = "SCITOKENS"
Authentication = "YES"
Command = 5
ConnectSinful = "<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>"
CryptoMethods = "AES"
CryptoMethodsList = "AES,BLOWFISH,3DES"
Enact = "YES"
Encryption = "YES"
Integrity = "YES"
IssuerKeys = "POOL"
MyRemoteUserName = "cmssgm006@xxxxxxxxxxxxxxxxxx"
NegotiatedSession = true
OutgoingNegotiation = "REQUIRED"
RemoteVersion = "$CondorVersion: 9.0.17 May 27 2023 BuildID: 649540 PackageID: 9.0.17-3 $"
SessionDuration = "60"
SessionLease = 3600
Sid = "condorce02:80306:1686815183:15712"
Subsystem = "TOOL"
TrackState = true
TriedAuthentication = true
TrustDomain = "condorce02.ihep.ac.cn:9619"
UseSession = "YES"
User = "scitokens@unmapped"
ValidCommands = "60007,457,60020,68,5,6,7,9,12,43,20,46,78,50,56,48,71,74"
06/15/23 07:46:23 SESSION: client checking key type: 3
06/15/23 07:46:23 SESSION: fallback crypto method would be BLOWFISH.
06/15/23 07:46:23 SESSION: found list: AES,BLOWFISH,3DES.
06/15/23 07:46:23 SESSION: client duplicated AES to BLOWFISH key for UDP.
06/15/23 07:46:23 SECMAN: added session condorce02:80306:1686815183:15712 to cache for 60 seconds (3600s lease).
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<60007>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<457>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<60020>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<68>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<5>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<6>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<7>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<9>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<12>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<43>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<20>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<46>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<78>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<50>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<56>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<48>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<71>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: command {<202.122.33.23:9619?alias=condorce02.ihep.ac.cn>,<74>} mapped to session condorce02:80306:1686815183:15712.
06/15/23 07:46:23 SECMAN: startCommand succeeded.
06/15/23 07:46:23 Authorizing server 'scitokens@unmapped/202.122.33.23'.
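
Added example (not part of the original thread and not HTCondor project code): a small Python triage script for client-side D_SECURITY output like the logs above. It reports whether a request stopped at authentication or at authorization, the distinction Brian draws in his replies. The sample logs are constructed from lines quoted in this thread; the function names and hint texts are this example's own.

```python
import re

# Constructed samples: lines copied from the logs quoted in this thread, trimmed.
DENIED_LOG = """\
06/14/23 09:22:35 SECMAN: received post-auth classad:
ReturnCode = "DENIED"
TriedAuthentication = true
User = "lhcb048@xxxxxxxxxxxxxxxxxx"
06/14/23 09:22:35 SECMAN: FAILED: Received "DENIED" from server for user lhcb048@xxxxxxxxxxxxxxxxxx using method SCITOKENS.
"""
AUTHORIZED_LOG = """\
06/15/23 07:46:23 Authentication was a Success.
06/15/23 07:46:23 SECMAN: received post-auth classad:
ReturnCode = "AUTHORIZED"
User = "cmssgm006@xxxxxxxxxxxxxxxxxx"
06/15/23 07:46:23 SECMAN: policy to be cached:
AuthMethods = "SCITOKENS"
User = "scitokens@unmapped"
"""
AUTH_FAILED_LOG = (
    "06/07/23 13:23:07 [117315] ERROR: AUTHENTICATE:1003:Failed to authenticate with any method"
    "|AUTHENTICATE:1004:Failed to authenticate using SSL"
    "|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS"
    "|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS"
    "|AUTHENTICATE:1004:Failed to authenticate using FS\n"
)

QUOTE = re.compile(r"^(?:>\s?)+")           # mail quoting such as "> > "
ATTR = re.compile(r'^(\w+) = "?(.*?)"?$')   # one ClassAd attribute per line
FAILED = re.compile(r"AUTHENTICATE:1004:Failed to authenticate using (\w+)")

HINTS = {  # wording is this example's own, based on the advice in the thread
    "ok": "authenticated and authorized as the mapped user",
    "authorization": "token accepted; check the CE's mapping and ALLOW_*/DENY_* lists for this user",
    "authentication": "failed before authorization; check client-side settings such as AUTH_SSL_CLIENT_CADIR",
    "unknown": "no verdict found; rerun with _CONDOR_TOOL_DEBUG=D_SECURITY:2",
}

def post_auth_ad(lines):
    """Attributes of the last 'received post-auth classad' block, or {}."""
    ad, collecting = {}, False
    for raw in lines:
        line = QUOTE.sub("", raw).rstrip()
        if "SECMAN: received post-auth classad:" in line:
            ad, collecting = {}, True
        elif collecting:
            m = ATTR.match(line)
            if m:
                ad[m.group(1)] = m.group(2)
            else:
                # A timestamped line ends the ad, so the later cached-policy
                # block (which carries a different User value) is not read.
                collecting = False
    return ad

def classify(log_text):
    """Report the stage at which the client's request ended."""
    ad = post_auth_ad(log_text.splitlines())
    code = ad.get("ReturnCode")
    failed = FAILED.findall(log_text)
    if code == "AUTHORIZED":
        stage = "ok"
    elif code == "DENIED":
        stage = "authorization"
    elif failed:
        stage = "authentication"
    else:
        stage = "unknown"
    return {"stage": stage, "user": ad.get("User"),
            "failed_methods": failed, "hint": HINTS[stage]}

if __name__ == "__main__":
    for name, log in [("denied", DENIED_LOG), ("authorized", AUTHORIZED_LOG),
                      ("auth failed", AUTH_FAILED_LOG)]:
        print(name, "->", classify(log))
```
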