
Re: [HTCondor-users] Documentation about tokens workflows



On May 19, 2023, at 4:58 PM, Todd Tannenbaum via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

5. With SciTokens or WLCG IAM I think the server must have a valid host/server certificate also if the client has already the token. Is this because it relies on an external verification system?

IIRC, this is correct, and thus the SciTokens authentication method in HTCSS uses/requires SSL as the transport layer (unlike IDTOKENS, which does not require SSL).

Yes, this is correct. SSL is used to authenticate the server to the client and establish a secure channel, so the server needs an SSL certificate issued by a CA trusted by the client.

Does the client need a trusted certificate as well? Only when requesting a token?

With SciTokens, not sure, probably depends on the issuer.

The client does not need an SSL credential as part of SciTokens authentication. They just need the token.

 - Jaime