
[Condor-users] Close to getting SOAP HTTPS working

Hi,
I'm pretty close to getting SOAP HTTPS working.

Unfortunately the one bit of documentation on setting up the CANONICAL_MAPFILE and USER_MAPFILE is really too vague to help me debug my problem. Specifically, I can't figure out how to adapt the examples in the Condor Week PPT to my situation.

Here's my SOAP config:

NETWORK_INTERFACE = 131.243.2.15
CONDOR_HOST=oliver.lbl.gov
ENABLE_SOAP=TRUE
ENABLE_WEB_SERVER = TRUE
ALLOW_SOAP= */131.243.2.255
WEB_ROOT_DIR = /home/portnoy/dsd/Linux/condor/condor-6.8.1/lib/webservice
ALLOW_WRITE=*
QUEUE_ALL_USERS_TRUSTED=TRUE ## this is required for people to submit jobs via http
SCHEDD_DEBUG = D_FULLDEBUG
COLLECTOR_DEBUG = D_FULLDEBUG
SOAP_SSL_SERVER_KEYFILE = /var/condor/condor-6.8.1/private/key
SOAP_SSL_CA_DIR = /etc/condor/certificates
CERTIFICATE_MAPFILE = /etc/condor/canonical_map
USER_MAPFILE = /etc/condor/user_map
SEC_CANONICAL_MAPFILE = /etc/condor/canonical_map
SEC_USER_MAPFILE = /etc/condor/user_map
ENABLE_SOAP_SSL = TRUE

Now, I'm testing this using my Globus certificate, which has a subject:
DC=org, DC=doegrids, OU=People, CN=David E. Konerding 692119
and an extension, X509v3 Subject Alternative Name set to:
email:dekonerding@xxxxxxx


Whenever I try to make a request against the server (actually, not even attempting a real request, just using curl):

% curl --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem --capath /etc/grid-security/certificates https://oliver.lbl.gov:35103

I get:

Enter PEM pass phrase:
curl: (52) Empty reply from server

In the server logs I see:
9/25 16:18:54 SOAP SSL connection attempt from <131.243.2.15:60056> succeeded
9/25 16:18:54 SOAP SSL connection from <131.243.2.15:60056>, X509 subject: /DC=org/DC=doegrids/OU=People/CN=David E. Konerding 692119
9/25 16:18:54 SOAP SSL connection rejected, no mapping in CERTIFICATE_MAPFILE

So obviously it's getting as far as the authentication step. Now, the trickiness comes in here:
I have no idea how to interpret the canonical mapfile format:
SSL .*emailAddress=(.*)@cs.wisc.edu.* \1

For example, what field in the X509 cert does "emailAddress" correspond to? What is the meaning of the regular expression "(.*)" and the "\1"? The Condor Week PPT only has this to say:

“SSL” is the authentication method, “.*emailAddress….*” is a pattern to match against authenticated names, and “\1” is the canonical name, in this case the username on the email in the principal
But that information is pretty vague. The (.*) and \1 syntax looks suspiciously like standard regular-expression match substitution syntax, where the first (.*) that gets matched in the RE can be referred to later by using "\1".

Furthermore, any attempt I make to play with entries in the canonical_mapfile doesn't actually do anything. I've thrown catch-alls at it and always get the same failure message as above. I can't even tell if condor_collector is re-parsing the canonical_mapfile after I make changes through it, and I don't want to restart condor every time I change the canonical mapfile.

Can you guys at least suggest a simple canonical mapfile and user mapfile that will work in the situation where the user name of the email address is not the same as the principal (for example I am user 'dek' but my email is dekonerding@xxxxxxx). Or a super-simple one that at least ?

Here's what I've got that doesn't work:

oliver:/etc/condor # cat canonical_map
SSL .*email.*=(.*)@lbl.gov.* dek

oliver:/etc/condor # cat user_map
dek dek

Dave
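The two-stage mapping the post asks about, as an added Python model that is not part of the original message and not Condor's own code: it applies the "METHOD REGEX TARGET" canonical mapfile lines (with \1 expanding to the first capture group) to an authenticated name, then looks the result up in the user mapfile. It assumes whitespace-separated fields, whole-string matching, first matching line wins, and that the authenticated name is the subject DN exactly as the server log prints it; since that string carries no emailAddress component (the SAN email is an extension, not part of the subject), both emailAddress-style patterns from the post fail against it, which reproduces the "no mapping" rejection. The subject-keyed rule is a hypothetical illustration only.

```python
import re

# Constructed mapfile texts in the format quoted in the post:
#   <auth method> <regex against the authenticated name> <canonical name, or \1 = group 1>
PPT_MAPFILE = "SSL .*emailAddress=(.*)@cs.wisc.edu.* \\1\n"
POST_MAPFILE = "SSL .*email.*=(.*)@lbl.gov.* dek\n"
# Hypothetical rule keyed on the subject DN instead; \s stands in for the spaces in
# the CN because the fields are split on whitespace.
SUBJECT_MAPFILE = "SSL /DC=org/DC=doegrids/OU=People/CN=David\\sE\\.\\sKonerding\\s692119 dek\n"
USER_MAPFILE = "dek dek\n"
# The name the server log reports it tried to map: the subject DN alone, no SAN email.
LOGGED_SUBJECT = "/DC=org/DC=doegrids/OU=People/CN=David E. Konerding 692119"

def parse_mapfile(text, with_method=True):
    """Return (method, compiled_regex, target) triples; method is None for the user map."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if with_method:
            method, pattern, target = line.split(None, 2)
        else:
            method, (pattern, target) = None, line.split(None, 1)
        rules.append((method, re.compile(pattern), target))
    return rules

def first_match(method, name, rules):
    """First rule whose method matches and whose regex matches the whole name; the
    target is expanded against the match, so a backreference yields the captured
    group while a literal name such as 'dek' comes back unchanged."""
    for rule_method, regex, target in rules:
        if rule_method is not None and rule_method != method:
            continue
        m = regex.fullmatch(name)
        if m:
            return m.expand(target)
    return None

def map_identity(method, authenticated_name, canonical_text, user_text=USER_MAPFILE):
    """Two-stage lookup modelled on the post: authenticated name -> canonical -> local user.
    Returns (canonical, user); (None, None) is the 'no mapping in CERTIFICATE_MAPFILE' case."""
    canonical = first_match(method, authenticated_name, parse_mapfile(canonical_text))
    if canonical is None:
        return (None, None)
    user = first_match(None, canonical, parse_mapfile(user_text, with_method=False))
    return (canonical, user)
```

A quick way to debug a mapfile offline is to feed it the exact subject string from the server log, as map_identity does here, before touching the running daemons.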