Mailing List Archives

Public Access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] mixing versions and authentication issues

Hi Rita,

A few thoughts:

1.  You can increase the log level.  e.g., ALL_DEBUG=D_SECURITY:2 is where I usually start.
2.  HTCondor sets the server and client settings separately.  You probably need an AUTH_SSL_SERVER_* equivalent to the client settings below.
3.  Your "openssl req" command looks valid for a self-signed certificate but it's not clear if you're setting the CA bits as well.  I'm unsure if this will cause errors (never tried that approach personally).
4.  Once the certificate *authenticates*, you may need to map it to an identity (such as "condor@xxxxxxxxxxxx") and adjust ALLOW_* settings.

The setup can certainly be made to work -- but some of the other techniques (particularly, IDTOKENS) might be simpler to setup if that's a concern of yours.

Brian

On Jun 23, 2023, at 7:50 AM, Rita <rmorgan466@xxxxxxxxx> wrote:

I will go with 10.x .I will use ssl authentication
I generate my certs/keys like this.

openssl req -x509 -newkey rsa:1024 -sha256 -days 365 -nodes -keyout node.key -out node.crt -subj '/CN=condor pool'

I then copy the node.key and node.crt to all my nodes. I then put 

AUTH_SSL_CLIENT_CAFILE = /usr/local/condor/node.crt
AUTH_SSL_CLIENT_CERTFILE = /usr/local/condor/node.crt
AUTH_SSL_CLIENT_KEYFILE = /usr/local/condor/node.key

I believe this should work.  Howeer, I am getting 
Failed to authenticate using SSL. Is there a way to get more verbose messages?


On Mon, Apr 24, 2023 at 2:51âPM Greg Thain via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

On 4/19/2023 4:20 PM, Rita wrote:
> even if I run 8.8 on both collector and startd node I get this. I
> dont understand.
>

Hi Rita:

Would it be possible to upgrade both sides to 10.x?  8.8 hasn't been
supported for a while, and I don't think that it had IDTokens support.

-greg

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/


--
--- Get your facts first, then you can distort them as you please.--
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/