
Re: [HTCondor-users] CondorCE: testing SSL based submission with CE client tools?



Hello Thomas,
we could try this from a client host that is known to work for that use case.
I will contact you privately and we can see.



From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Thomas Hartmann <thomas.hartmann@xxxxxxx>
Sent: Monday, April 29, 2024 3:37 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] CondorCE: testing SSL based submission with CE client tools?
 
Hi all,

as we are moving all our resources to Condor23/EL9 [1] and only tokens
will be available for authz, we have been asked to add SSL authz for
some of our users, who are not token ready yet.

To do so, I had enabled client SSL [2] and added mapping rules for my
user DN (I also tried to wildcard the DN tail so as to also catch proxy DNs
derived from the user proxies).

On the client side, I exported the envvars [4] to prepare the condor-ce
client. Unfortunately, condor_ce_{ping,trace} are failing after
unlocking my cert/key and I have not been able to authz myself against
the CE via SSL.
AFAIS, the DN is known and mapped [7]. But even with `SCHEDD_DEBUG =
$(SCHEDD_DEBUG) D_CAT D_SECURITY:2` set, I do not find hints of my SSL
authz attempts in the SchedLog or so.

Maybe somebody has an idea how to use a user cert/key with SSL authz
for tests/submissions to a CondorCE23?

Cheers and thanks,
   Thomas

[1]
condor-23.0.8-1.el9.x86_64
condor-stash-plugin-6.12.1-1.x86_64
htcondor-ce-23.0.8-1.el9.noarch
htcondor-ce-bdii-23.0.8-1.el9.noarch
htcondor-ce-client-23.0.8-1.el9.noarch
htcondor-ce-condor-23.0.8-1.el9.noarch
python3-condor-23.0.8-1.el9.x86_64

[2]
 > cat /etc/condor-ce/config.d/99_SSLauthz_hartmath_testing.conf
AUTH_SSL_ALLOW_CLIENT_PROXY = True
AUTH_SSL_REQUIRE_CLIENT_MAPPING = True


[3]
 > tail -n1 /etc/condor-ce/mapfiles.d/99_ZZ_SSLauthz_hartmath_testing.conf
SSL "/DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches Elektronen-Synchrotron
DESY/CN=Thomas Hartmann hartmath@xxxxxxx" desyusr004

coming from

 > openssl x509 -in ~/.globus/usercert.pem -noout -subject
subject= /DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches
Elektronen-Synchrotron DESY/CN=Thomas Hartmann hartmath@xxxxxxx

[4]
 > export _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SSL
 > export _condor_AUTH_SSL_CLIENT_KEYFILE=~/.globus/userkey.pem
 > export _condor_AUTH_SSL_CLIENT_CADIR=/etc/grid-security/certificates
 > export _condor_AUTH_SSL_CLIENT_CERTFILE=~/.globus/usercert.pem

(tried also to point CERTFILE to a valid proxy's X509_USER_PROXY path,
i.e., `/tmp/x509up_u${UID}`)

[5]
 > condor_ce_ping -verbose -type SCHEDD -name
grid-htc-ce04.desy.de:9619 WRITE
Enter PEM pass phrase:
WRITE failed!
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL

[6]
 > condor_ce_ping -verbose -type SCHEDD -name
grid-htc-ce04.desy.de:9619 WRITE
Enter PEM pass phrase:
WRITE failed!
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL


[7]
04/29/24 14:56:31 (D_ALWAYS:2) MapFile: Canonicalization File:
method='SSL' principal='/DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches
Elektronen-Synchrotron DESY/CN=Thomas Hartmann hartmath@xxxxxxx'
canonicalization='desyusr004'
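One thing worth checking offline before digging further into the SchedLog is whether the mapfile rule actually matches the DN the client presents. The following is an added example, not code from the thread or from HTCondor itself: a small emulation of CERTIFICATE_MAPFILE matching that assumes the quoted second field is a regular expression that must match the whole principal (so a literal user DN does not match a proxy DN carrying an extra /CN=... component). The DNs, rule lines and canonical names are constructed.

```python
import re

# Constructed mapfile rules in HTCondor mapfile syntax:
#   METHOD "<regex matched against the principal>" <canonical name>
# Assumption: the second field is a regex that must match the entire
# principal. The first rule is a literal DN; the second also accepts
# a trailing /CN=... component as found on proxy DNs.
MAPFILE_RULES = r'''
SSL "/DC=org/DC=example/O=Example Org/CN=Jane Doe jdoe@example.org" exampleusr001
SSL "/DC=org/DC=example/O=Example Org/CN=Jane Doe jdoe@example.org(/CN=.*)?" exampleusr002
'''

# Constructed principals: the user cert DN and a proxy derived from it.
USER_DN = "/DC=org/DC=example/O=Example Org/CN=Jane Doe jdoe@example.org"
PROXY_DN = USER_DN + "/CN=1234567890"

# One mapfile line: method, a double-quoted pattern (backslash escapes
# allowed inside the quotes), and the canonical name.
RULE_RE = re.compile(r'^(\S+)\s+"((?:[^"\\]|\\.)*)"\s+(\S+)\s*$')


def parse_mapfile(text):
    """Parse mapfile text into (method, compiled regex, canonical) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable mapfile line: {line!r}")
        method, pattern, canonical = m.groups()
        rules.append((method, re.compile(pattern), canonical))
    return rules


def map_principal(rules, method, principal):
    """Return the canonical name of the first rule whose method matches and
    whose regex matches the whole principal. None means "unmapped", which
    with AUTH_SSL_REQUIRE_CLIENT_MAPPING = True results in a rejected client."""
    for rule_method, regex, canonical in rules:
        if rule_method == method and regex.fullmatch(principal):
            return canonical
    return None


if __name__ == "__main__":
    rules = parse_mapfile(MAPFILE_RULES)
    for dn in (USER_DN, PROXY_DN):
        print(f"{dn!r} -> {map_principal(rules, 'SSL', dn)}")
```

With only the literal rule present, the proxy DN would map to None and the server would reject the connection; the wildcard-tail rule is what lets a proxy derived from the user cert map to the same account.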