
Re: [Condor-users] SSL authentication with WinXP

> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx 
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Ian Alderman
> Sent: 15 March 2007 17:26
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] SSL authentication with WinXP
> 
> On Thu, Mar 15, 2007 at 04:01:40PM +0100, Pascal Jermini wrote:
> > > but the big question is what I do with them. I can't work out 
> > > exactly what these parameters refer to
> > 
> > Here is the signification of these parameters (or at least what we 
> > believe is their signification):
> > 
> > > AUTH_SSL_SERVER_CA_FILE
> > > AUTH_SSL_CLIENT_CA_FILE
> > 
> > The public part of the root certificate. That would be the file called
> > root-ca.crt in the page you mentioned before [1] (we used for both
> > parameters the same file)
> > 
> > > AUTH_SSL_SERVER_CA_DIR
> > > AUTH_SSL_CLIENT_CA_DIR
> > 
> > For these two I have no idea if they are really used. In our setup we
> > simply created a directory called c:\condor\grid-security\ and set
> > these two parameters to point to these directories.
> 
> OpenSSL supports two methods for looking for CA chains: 
> putting the certificates in a directory or all in one file.  
> CAFILE is the former, and CADIR is the latter.
>  
> > > AUTH_SSL_SERVER_CA_KEYFILE
> > > AUTH_SSL_CLIENT_CA_KEYFILE
> > 
> > These two parameters should point to the two private keys you 
> > generated for your host. That would be for example the file 
> > host_nmi-redhat62-build.key or kosart.key from examples in [1]
> > 
> > > AUTH_SSL_SERVER_CA_CERTFILE
> > > AUTH_SSL_CLIENT_CA_CERTFILE
> > 
> > And finally these two parameters point to the *signed* certificates,
> > which are the files host_nmi-redhat62-build.crt or kosart.crt from [1]
> > 
> > > Do I need to set these on the execute hosts and the central manager
> > > and submit host?
> > 
> > Yes, you are supposed to create two certificates for each host that
> > wants to do SSL...in our case we wanted it for all hosts, be it the
> > Central manager, the submit machine or the compute nodes...
> > 
> > > Presumably I need to create one host cert per execute host but how
> > > do I tie it to that machine?
> > 
> > Actually that would be two certificates per host (as far as I
> > understood the documentation), but I have no idea on how you could tie
> > a certificate to a specific host (beside setting the Common Name to
> > the hostname during the cert request creation phase...but I don't
> > really know if Condor is really that picky about the Common Name...)
> 
> I don't think we check that the CN is the same as the host 
> name; perhaps we should make this possible through another 
> configuration file setting.  
> 
> > > Surely someone could just copy it to another machine ?
> > 
> > Yes, apparently it is possible to simply copy a certificate to another
> > machine, but I don't remember if we already tested that case...
> > Anyway, to lower the possibility that someone just copies over the
> > certificates and the related keys, we simply removed permissions to
> > the key files, so that only administrators can read them (and the
> > SYSTEM user, under which the Condor daemons run)
> > 
> > Anyway, I'm currently writing a more detailed documentation about this
> > (more like a step by step tutorial), but again, I'm not sure that this
> > is exactly the way the Condor dev team intended it to be...all I can
> > say is that it works in our configuration, but maybe we overlooked
> > something...
> > 
> > And one thing that really bothers me with the current SSL
> > implementation in Condor, is the fact that apparently nowhere there is
> > the use of Certificate Revocation Lists in order to centrally revoke
> > a certificate and essentially kick out a compute node from the pool by
> > simply revoking its certificate..but this is yet another topic :)
> 
> This is a good suggestion for the next step with the SSL 
> authentication method.  
> 
> Cheers,
> 
> -Ian
> 
> > cheers,

I haven't managed to get this to work, which is not really surprising
given the complexity involved. When I make SSL REQUIRED on the WinXP
execute/host and do a condor_reconfig it prompts me for the PEM password
(why?). I tried the one for the root CA and the signing one but both
fail with

C:\condor>condor_reconfig
Enter PEM pass phrase:
ERROR
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL
Can't send Reconfig command to local master

So it can't authenticate with itself ????????

On the win host I have:

SEC_DEFAULT_AUTHENTICATION = PREFERRED
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
#AUTH_SSL_SERVER_CAFILE =   c:\condor\ssl\ca\root-ca.crt
#AUTH_SSL_CLIENT_CAFILE =   c:\condor\ssl\ca\root-ca.crt

AUTH_SSL_SERVER_CAFILE =   c:\condor\ssl\ca\signing-ca-1.crt
AUTH_SSL_CLIENT_CAFILE =   c:\condor\ssl\ca\signing-ca-1.crt

AUTH_SSL_SERVER_CADIR =    c:\condor\ssl\ca
AUTH_SSL_CLIENT_CADIR =    c:\condor\ssl\ca

AUTH_SSL_SERVER_KEYFILE =  c:\condor\ssl\server\host_nmi-redhat62-build.key
AUTH_SSL_CLIENT_KEYFILE =  c:\condor\ssl\client\kosart.key

AUTH_SSL_SERVER_CERTFILE = c:\condor\ssl\server\host_nmi-redhat62-build.crt
AUTH_SSL_CLIENT_CERTFILE = c:\condor\ssl\client\kosart.crt

(I tried the root CA and the signing CA).  On the central manager I have
the same kind of thing:

SEC_DEFAULT_AUTHENTICATION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL,FS,GSI,KERBEROS,PASSWORD
#AUTH_SSL_SERVER_CAFILE =   /opt1/condor/ssl/ca/root-ca.crt
#AUTH_SSL_CLIENT_CAFILE =   /opt1/condor/ssl/ca/root-ca.crt

AUTH_SSL_SERVER_CAFILE =   /opt1/condor/ssl/ca/signing-ca-1.crt
AUTH_SSL_CLIENT_CAFILE =   /opt1/condor/ssl/ca/signing-ca-1.crt

AUTH_SSL_SERVER_CADIR =    /opt1/condor/ssl/ca
AUTH_SSL_CLIENT_CADIR =    /opt1/condor/ssl/ca

AUTH_SSL_SERVER_KEYFILE =  /opt1/condor/ssl/server/host_nmi-redhat62-build.key
AUTH_SSL_CLIENT_KEYFILE =  /opt1/condor/ssl/client/kosart.key

AUTH_SSL_SERVER_CERTFILE = /opt1/condor/ssl/server/host_nmi-redhat62-build.crt
AUTH_SSL_CLIENT_CERTFILE = /opt1/condor/ssl/client/kosart.crt

The Condor log files don't really seem to shed any light on this - can
anyone suggest anything?

many thanks,

-ian.

------------------------------
Dr Ian C. Smith
e-Science Team,
University of Liverpool,
Computing Services Department.
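"Enter PEM pass phrase:" is OpenSSL's prompt for a passphrase-protected PEM private key, which a daemon started unattended can never answer. The preflight below is an added example, not code from this thread or from Condor: it uses the openssl CLI to check the files a host's AUTH_SSL_*_KEYFILE, _CERTFILE, _CAFILE and _CADIR settings point at (key unencrypted, key matches cert, cert chains to the CA in both single-file and directory mode, CN of the cert), with all paths and the hostname assumed hypothetical.

```shell
#!/bin/sh
# Added preflight for the files behind AUTH_SSL_*_KEYFILE, _CERTFILE,
# _CAFILE and _CADIR (hypothetical helper, not Condor code; openssl CLI).
# A daemon started unattended cannot answer "Enter PEM pass phrase:", so
# the key must be unencrypted; it must match the cert; the cert must chain
# to the CA; and a CADIR only works once it holds <subject-hash>.0 entries.

# Exit 0 if KEYFILE loads with an empty passphrase, i.e. it is not
# encrypted. stdin is /dev/null so an encrypted key fails, never prompts.
check_key_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout </dev/null >/dev/null 2>&1
}

# Exit 0 if the public key in KEYFILE equals the one in CERTFILE.
check_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout </dev/null 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Exit 0 if CERTFILE verifies against the bundle CAFILE (single-file mode).
check_cert_chains() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if CERTFILE verifies using the directory CADIR (directory mode).
# OpenSSL finds CA certs in a directory by subject hash, not by file name.
check_cadir_usable() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Copy CACERT into CADIR under the <hash>.0 name directory lookup needs
# (this is what c_rehash / openssl rehash automate).
hash_into_cadir() {
    cp "$1" "$2/$(openssl x509 -in "$1" -noout -hash).0"
}

# Print the subject CN of CERTFILE (the field a host name would be tied to).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 if the certificate's CN equals HOSTNAME.
check_cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}
```

A CADIR that merely contains root-ca.crt fails check_cadir_usable until hash_into_cadir (or c_rehash) has been run on it, while the same CA passed as CAFILE verifies immediately.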