
[Condor-users] Encrypted X.509 private key support in Condor

Hello everyone,

I've been trying out SSL authentication/encryption/integrity, and after some work I've got it to work just fine across my 2-node Windows+Linux pool (Linux master, Windows submit/execute node).

However, I haven't been able to use encrypted private keys: when I've tried to use them by setting AUTH_SSL_CLIENT_KEYFILE and AUTH_SSL_SERVER_KEYFILE and then running condor_status, I have indeed been asked for the PEM password, but if I later look at the collector log, I get this:

8/18 00:52:19 DC_AUTHENTICATE: received DC_AUTHENTICATE from <>
8/18 00:52:19 DC_AUTHENTICATE: generating 3DES key for session cmaster:4933:1187391139:35...
8/18 00:52:19 SECMAN: new session, doing initial authentication.
8/18 00:52:19 HANDSHAKE: in handshake(my_methods = 'SSL,FS')
8/18 00:52:19 HANDSHAKE: handshake() - i am the server
8/18 00:52:19 HANDSHAKE: client sent (methods == 260)
8/18 00:52:19 HANDSHAKE: i picked (method == 256)
8/18 00:52:19 HANDSHAKE: client received (method == 256)
8/18 00:52:19 CAFILE:     '/etc/ssl/certs/demoCA.pem'
8/18 00:52:19 CERTFILE:   '/etc/apache2/ssl/server.crt'
8/18 00:52:19 KEYFILE:    '/etc/apache2/ssl/server_3des.key'
8/18 00:52:19 Error loading private key from file
8/18 00:52:19 Error initializing server security context
8/18 00:52:19 Error creating SSL context
8/18 00:52:21 SSL Authentication fails, terminating
8/18 00:52:21 AUTHENTICATE: method 256 (SSL) failed.

So far as I can see, Condor is somehow not able to read the encrypted private key. In fact, if I switch to an unencrypted one, it works just fine. I don't much like the idea of having unencrypted files around: though maybe I could restrict read permissions, the data is still in the open in case of a security breach.

Has anyone had any success with this? I've tried using 3DES- and DES-encrypted RSA private keys. I'd be very happy to provide more information if necessary.

On a related note: is there any other way to provide Condor with the PEM password than feeding it through the condor_* command-line tools' stdin? I'd like to let programs submit jobs and the like, offering a sort of password dialog.

Thank you in advance,
Antonio Garcia
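As an added example that is not part of the post above and not Condor's own code, the following POSIX shell script does the two checks a practitioner would want before chasing the "Error loading private key from file" message further: it tells whether a PEM file is a passphrase-protected key (traditional PEM with a `Proc-Type: 4,ENCRYPTED` header, or a PKCS#8 `ENCRYPTED PRIVATE KEY` block) and, as a workaround for a daemon that cannot prompt, it writes an unencrypted working copy created with mode 0600 using `openssl rsa`. The third argument of `decrypt_pem_key` is an `openssl` passphrase source (`env:VAR`, `file:PATH`, `fd:N`), which is how a front-end program can hand over a passphrase collected in its own dialog without putting it on the tool's stdin or command line. The `/etc/condor/server.key` destination path and the `PEM_PASS` variable name are assumptions chosen for the example; the source path is the one from the log in the post.

```shell
#!/bin/sh
# Added example (not code from the original post or from Condor): inspect a
# PEM private key, report whether it is passphrase-protected, and produce an
# unencrypted working copy for a daemon that cannot prompt for a passphrase.
# File paths and the PEM_PASS variable name are placeholders for the example.

# pem_key_state FILE
#   exit 0 : passphrase-protected private key (traditional PEM carrying a
#            "Proc-Type: 4,ENCRYPTED" header, or a PKCS#8 ENCRYPTED block)
#   exit 1 : unencrypted private key
#   exit 2 : unreadable, or not a PEM private key at all
pem_key_state() {
    f="$1"
    [ -r "$f" ] || return 2
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        return 0
    fi
    if grep -Eq '^-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----' "$f"; then
        # Traditional PEM marks encryption with a Proc-Type header line.
        grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && return 0
        return 1
    fi
    return 2
}

# decrypt_pem_key SRC DST PASSIN
#   Write an unencrypted copy of the RSA key SRC to DST. PASSIN is an openssl
#   passphrase source (env:VAR, file:PATH, fd:N, stdin), so the passphrase is
#   neither typed into the tool's stdin nor visible on the command line.
#   The umask is changed in a subshell so DST is created 0600 without
#   touching the caller's umask.
decrypt_pem_key() {
    src="$1"; dst="$2"; passin="$3"
    ( umask 077 && openssl rsa -in "$src" -passin "$passin" -out "$dst" )
}

# Usage (placeholder paths; PEM_PASS exported beforehand, e.g. by a
# front-end that collected it with its own password dialog):
#   decrypt_pem_key /etc/apache2/ssl/server_3des.key /etc/condor/server.key env:PEM_PASS
#   pem_key_state /etc/condor/server.key   # exit status 1: unencrypted
```

The unencrypted copy only narrows the exposure to whoever can read the file as the daemon's user, so it should live on local disk, be owned by the account Condor runs as, and be removed when the key is rotated; the encrypted original stays the long-term store.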