
[HTCondor-users] CondorCE: testing SSL based submission with CE client tools?



Hi all,

As we are moving all our resources to Condor23/EL9 [1] and only tokens will be available for authz, we have been asked to add SSL authz for some of our users who are not token-ready yet.

To do so, I have enabled client SSL [2] and added mapping rules [3] for my user DN (I also tried wildcarding the DN tail so as to also catch proxy DNs derived from the user proxies).

On the client side, I exported the envvars [4] to prepare the condor-ce client. Unfortunately, condor_ce_{ping,trace} are failing after unlocking my cert/key [5][6], and I have not been able to authz myself against the CE via SSL. AFAIS, the DN is known and mapped [7]. But even with `SCHEDD_DEBUG = $(SCHEDD_DEBUG) D_CAT D_SECURITY:2` set, I do not find hints of my SSL authz attempts in the SchedLog or so.

Maybe somebody has an idea how to use a user cert/key with SSL authz for tests/submissions to a CondorCE23?

Cheers and thanks,
  Thomas

[1]
condor-23.0.8-1.el9.x86_64
condor-stash-plugin-6.12.1-1.x86_64
htcondor-ce-23.0.8-1.el9.noarch
htcondor-ce-bdii-23.0.8-1.el9.noarch
htcondor-ce-client-23.0.8-1.el9.noarch
htcondor-ce-condor-23.0.8-1.el9.noarch
python3-condor-23.0.8-1.el9.x86_64

[2]
> cat /etc/condor-ce/config.d/99_SSLauthz_hartmath_testing.conf
AUTH_SSL_ALLOW_CLIENT_PROXY = True
AUTH_SSL_REQUIRE_CLIENT_MAPPING = True


[3]
> tail -n1 /etc/condor-ce/mapfiles.d/99_ZZ_SSLauthz_hartmath_testing.conf
SSL "/DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches Elektronen-Synchrotron DESY/CN=Thomas Hartmann hartmath@xxxxxxx" desyusr004

coming from

> openssl x509 -in ~/.globus/usercert.pem -noout -subject
subject= /DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches Elektronen-Synchrotron DESY/CN=Thomas Hartmann hartmath@xxxxxxx

[4]
> export _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SSL
> export _condor_AUTH_SSL_CLIENT_KEYFILE=~/.globus/userkey.pem
> export _condor_AUTH_SSL_CLIENT_CADIR=/etc/grid-security/certificates
> export _condor_AUTH_SSL_CLIENT_CERTFILE=~/.globus/usercert.pem

(tried also to point CERTFILE to a valid proxy's X509_USER_PROXY path, i.e., `/tmp/x509up_u${UID}`)

[5]
> condor_ce_ping -verbose -type SCHEDD -name grid-htc-ce04.desy.de:9619 WRITE
Enter PEM pass phrase:
WRITE failed!
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL

[6]
> condor_ce_ping -verbose -type SCHEDD -name grid-htc-ce04.desy.de:9619 WRITE
Enter PEM pass phrase:
WRITE failed!
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL


[7]
04/29/24 14:56:31 (D_ALWAYS:2) MapFile: Canonicalization File: method='SSL' principal='/DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches Elektronen-Synchrotron DESY/CN=Thomas Hartmann hartmath@xxxxxxx' canonicalization='desyusr004'
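The DN-tail wildcard mentioned in [3] is where a mapfile rule is most easily made either too narrow (the exact DN never matches a proxy) or too broad (a loose `.*` also maps other people's certificates). The script below is an added illustration, not code from the thread or from HTCondor; it assumes the quoted principal field of a mapfile line is a regular expression that must match the whole authenticated name (check this against the CERTIFICATE_MAPFILE documentation for your version), and that a proxy's subject is the user DN with one `/CN=...` component appended per delegation level (RFC 3820). The DNs and the `proxy_rule` helper are constructed for the example.

```python
import re

# Constructed sample data: the poster's certificate subject (mailbox masked as on
# the list), two proxy-style subjects derived from it, and an unrelated person's DN.
USER_DN = ("/DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches Elektronen-Synchrotron DESY"
           "/CN=Thomas Hartmann hartmath@xxxxxxx")
PROXY_DNS = [USER_DN + "/CN=1234567890", USER_DN + "/CN=1234567890/CN=987654"]
OTHER_DN = USER_DN.replace("Thomas Hartmann", "Thomas Other")

def parse_mapfile(text):
    """Parse 'METHOD "pattern" user' lines into (method, compiled regex, user).
    Assumption: the quoted pattern is a regex matched against the whole name."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'(\S+)\s+"([^"]*)"\s+(\S+)', line)
        if not m:
            raise ValueError(f"unparsable mapfile line: {line!r}")
        method, pattern, user = m.groups()
        rules.append((method, re.compile(pattern), user))
    return rules

def map_principal(rules, method, principal):
    """Return the canonical user of the first matching rule, or None."""
    for rule_method, rx, user in rules:
        if rule_method == method and rx.fullmatch(principal):
            return user
    return None

def proxy_rule(dn, user):
    """Hypothetical helper: a rule matching dn exactly plus any number of
    trailing /CN= proxy components, with regex metacharacters in dn escaped."""
    return f'SSL "{re.escape(dn)}(/CN=[^/]+)*" {user}'

def evaluate(rule_line):
    """Map the user DN, both proxy DNs and the unrelated DN with one rule."""
    rules = parse_mapfile(rule_line)
    return [map_principal(rules, "SSL", dn) for dn in [USER_DN, *PROXY_DNS, OTHER_DN]]

EXACT_RULE = f'SSL "{USER_DN}" desyusr004'               # the shape of the rule in [3]
LOOSE_RULE = 'SSL "/DC=org/.*/CN=Thomas.*" desyusr004'   # over-broad tail wildcard

if __name__ == "__main__":
    for name, rule in [("exact", EXACT_RULE), ("loose", LOOSE_RULE),
                       ("escaped+proxy", proxy_rule(USER_DN, "desyusr004"))]:
        print(f"{name:14}", evaluate(rule))
```

The exact rule maps only the certificate itself, the loose rule also maps the unrelated DN, and the escaped rule with a bounded `/CN=` tail maps the certificate and its proxies but nothing else.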
