
Re: [Condor-users] SSL authentication with WinXP



On Thu, Mar 15, 2007 at 04:01:40PM +0100, Pascal Jermini wrote:
> > but the big question is what I do with them. I can't work out exactly
> > what these parameters refer to
> 
> Here is the signification of these parameters (or at least what we believe
> is their signification):
> 
> > AUTH_SSL_SERVER_CA_FILE
> > AUTH_SSL_CLIENT_CA_FILE
> 
> The public part of the root certificate. That would be the file called
> root-ca.crt in the page you mentioned before [1] (we used the same file
> for both parameters)
> 
> > AUTH_SSL_SERVER_CA_DIR
> > AUTH_SSL_CLIENT_CA_DIR
> 
> For these two I have no idea if they are really used. In our setup we
> simply created a directory called c:\condor\grid-security\ and set these
> two parameters to point to that directory.

OpenSSL supports two methods for looking for CA chains: putting the
certificates in a directory or all in one file.  CAFILE is the former,
and CADIR is the latter.
 
> > AUTH_SSL_SERVER_CA_KEYFILE
> > AUTH_SSL_CLIENT_CA_KEYFILE
> 
> These two parameters should point to the two private keys you generated
> for your host. That would be for example the file
> host_nmi-redhat62-build.key or kosart.key from examples in [1]
> 
> > AUTH_SSL_SERVER_CA_CERTFILE
> > AUTH_SSL_CLIENT_CA_CERTFILE
> 
> And finally these two parameters point to the *signed* certificates,
> which are the files host_nmi-redhat62-build.crt or kosart.crt from [1]
> 
> > Do I need to set these on the execute hosts and the central manager and
> > submit host?
> 
> Yes, you are supposed to create two certificates for each host that wants
> to do SSL...in our case we wanted it for all hosts, be it the Central
> manager, the submit machine or the compute nodes...
> 
> > Presumably I need to create one host cert per execute host but how do
> > I tie it to that machine.
> 
> Actually that would be two certificates per host (as far as I understood
> the documentation), but I have no idea how you could tie a certificate
> to a specific host (besides setting the Common Name to the hostname during
> the cert request creation phase...but I don't really know if Condor is
> really that picky about the Common Name...)

I don't think we check that the CN is the same as the host name; perhaps
we should make this possible through another configuration file
setting.  

> > Surely someone could just copy it to another machine ?
> 
> Yes, apparently it is possible to simply copy a certificate to another
> machine, but I don't remember if we already tested that case...
> Anyway, to lower the possibility that someone just copies over the
> certificates and the related keys, we simply removed permissions on the
> key files, so that only administrators can read them (and the SYSTEM user,
> under which the Condor daemons run)
> 
> Anyway, I'm currently writing a more detailed documentation about this
> (more like a step by step tutorial), but again, I'm not sure that this is
> exactly the way the Condor dev team intended it to be...all I can say is
> that it works in our configuration, but maybe we overlooked something...
> 
> And one thing that really bothers me with the current SSL implementation
> in Condor is the fact that apparently there is no use of Certificate
> Revocation Lists anywhere, in order to centrally revoke a certificate
> and essentially kick a compute node out of the pool by simply revoking
> its certificate...but this is yet another topic :)

This is a good suggestion for the next step with the SSL authentication
method.  

Cheers,

-Ian

> cheers,
> 
> Pascal
> 
> [1]
> http://www.cs.wisc.edu/~alderman/ca_chain_directions/staff_ca_chain_setup_notes.html