[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] SSL authentication with WinXP



> but the big question is what I do with them. I can't work out exactly
> what these
> parameters refer to

Here is the signification of these parameters (or at least what we believe
is their signification):

> AUTH_SSL_SERVER_CA_FILE
> AUTH_SSL_CLIENT_CA_FILE

The public part of the root certificate. That would be the file called
root-ca.crt in the page you mentioned before [1] (we used for both
parameters the same file)

> AUTH_SSL_SERVER_CA_DIR
> AUTH_SSL_CLIENT_CA_DIR

for these two I have no idea if they are really used. in our setup we
simply created a directory called c:\condor\grid-security\ and set these
two parameters to point to these directories.

> AUTH_SSL_SERVER_CA_KEYFILE
> AUTH_SSL_CLIENT_CA_KEYFILE

These two parameters should point to the two private keys you generated
for your host. That would be for example the file
host_nmi-redhat62-build.key or kosart.key from examples in [1]

> AUTH_SSL_SERVER_CA_CERTFILE
> AUTH_SSL_CLIENT_CA_CERTFILE

And finally these two parameters point to the *signed* certificates,
which are the files host_nmi-redhat62-build.crt or kosart.crt from [1]

> Do I need to set these on the execute hosts and the central manager and
> submit
> host ? 

Yes, you are supposed to create two certificates for each host that want
to do SSL...in our case we wanted for all hosts, be it the Central
manager, the submit machine or the compute nodes...

> Presumably I need to create one host cert per execute host but
> how do
> I tie it to that machine.

Actually that would be two certificates per host (as far as I understood
the documentation), but I have no idea on how you could tie a certificate
to a specific host (beside setting the Common Name to the hostname during
the cert request creation phase...but I don't really know if Condor is
really that picky about the Common Name...)

> Surely someone could just copy it to another machine ?

Yes, apparently it is possible to simply copy a certificate to another
machine, but I don't remember if we already tested that case...
Anyway, to lower the possibility that someone just copy over the
certificates and the related keys, we simply removed permissions to the
key files, so that only administrators can read them (and the SYSTEM user,
under which the Condor daemons run)

Anyway, I'm currently writing a more detailed documentation about this
(more like a step by step tutorial), but again, I'm not sure that this is
exactly the way the Condor dev team intended it to be...all I can say is
that it works in our configuration, but maybe we overlooked something...

And one thing that really bothers me with the current SSL implementation
in Condor, is the fact that apparently nowhere there is the use of
Certificates Revocation Lists in order to centrally revoke a certificate
and essentially kick out a compute node from the pool by simply revoking
its certificate..but this is yet another topic :)

cheers,

Pascal

[1]
http://www.cs.wisc.edu/~alderman/ca_chain_directions/staff_ca_chain_setup_notes.html