
Re: [Condor-users] SSL authentication with WinXP



On Wed, Mar 21, 2007 at 02:37:35PM -0000, Smith, Ian wrote:
...
> 
> I haven't managed to get this to work which is not really surprising
> given the complexity involved. When I make SSL REQUIRED on the winXP
> execute/host and do a condor_reconfig it prompts me for the PEM password
> (why ?). I tried the one for the root CA and the signing one but both
> fail with

Try removing the password from the client side.  I'm not sure whether
Condor is prepared to handle password protected keys, but maybe the
OpenSSL API Condor uses provides this.

Here's how to remove the password:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31

It looks like you followed these directions, which aren't really
intended for the SSL authentication method:
http://www.cs.wisc.edu/~alderman/ca_chain_directions/staff_ca_chain_setup_notes.html

Although these directions describe how to set up a CA for use with GSI,
they should work for SSL; however, the client side in SSL is more like a
host in GSI than like a user.

> C:\condor>condor_reconfig
> Enter PEM pass phrase:
> ERROR
> AUTHENTICATE:1003:Failed to authenticate with any method
> AUTHENTICATE:1004:Failed to authenticate using SSL
> Can't send Reconfig command to local master
> 
> So it can't authenticate with itself ????????

The condor_master daemon is the server, and condor_reconfig is the
client, and needs to authenticate, even if it is running on the same
host.

This actually looks like it's the configuration rather than the
password. 

> On the win host I have:
> 
> SEC_DEFAULT_AUTHENTICATION = PREFERRED
> SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
> #AUTH_SSL_SERVER_CAFILE =   c:\condor\ssl\ca\root-ca.crt
> #AUTH_SSL_CLIENT_CAFILE =   c:\condor\ssl\ca\root-ca.crt
> 
> AUTH_SSL_SERVER_CAFILE =   c:\condor\ssl\ca\signing-ca-1.crt
> AUTH_SSL_CLIENT_CAFILE =   c:\condor\ssl\ca\signing-ca-1.crt

This should point to a file containing both the root-ca and signing-ca-1
certificates.  

> AUTH_SSL_SERVER_CADIR =    c:\condor\ssl\ca
> AUTH_SSL_CLIENT_CADIR =    c:\condor\ssl\ca

Try verifying the certificates using openssl verify.

> AUTH_SSL_SERVER_KEYFILE =
> c:\condor\ssl\server\host_nmi-redhat62-build.key
> AUTH_SSL_CLIENT_KEYFILE =  c:\condor\ssl\client\kosart.key
> 
> AUTH_SSL_SERVER_CERTFILE =
> c:\condor\ssl\server\host_nmi-redhat62-build.crt
> AUTH_SSL_CLIENT_CERTFILE = c:\condor\ssl\client\kosart.crt
> 
> (I tried the root CA and the signing CA).  On the central manager I have
> the same kind of thing:
> 
> SEC_DEFAULT_AUTHENTICATION = OPTIONAL
> SEC_DEFAULT_AUTHENTICATION_METHODS = SSL,FS,GSI,KERBEROS,PASSWORD
> #AUTH_SSL_SERVER_CAFILE =   /opt1/condor/ssl/ca/root-ca.crt
> #AUTH_SSL_CLIENT_CAFILE =   /opt1/condor/ssl/ca/root-ca.crt
> 
> AUTH_SSL_SERVER_CAFILE =   /opt1/condor/ssl/ca/signing-ca-1.crt
> AUTH_SSL_CLIENT_CAFILE =   /opt1/condor/ssl/ca/signing-ca-1.crt
> 
> AUTH_SSL_SERVER_CADIR =    /opt1/condor/ssl/ca
> AUTH_SSL_CLIENT_CADIR =    /opt1/condor/ssl/ca
> 
> AUTH_SSL_SERVER_KEYFILE =
> /opt1/condor/ssl/server/host_nmi-redhat62-build.key
> AUTH_SSL_CLIENT_KEYFILE =  /opt1/condor/ssl/client/kosart.key

If you've got the same keys on both the central manager and the execute
host, this means the execute host can impersonate the central
manager... 

> AUTH_SSL_SERVER_CERTFILE =
> /opt1/condor/ssl/server/host_nmi-redhat62-build.crt
> AUTH_SSL_CLIENT_CERTFILE = /opt1/condor/ssl/client/kosart.crt
> 
> The Condor log files don't really seem to shed any light on this - can
> anyone suggest anything?
> 
> many thanks,
> 
> -ian.

Cheers,

-Ian

> 
> ------------------------------
> Dr Ian C. Smith
> e-Science Team,
> University of Liverpool,
> Computing Services Department.
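The three fixes the reply suggests (a CAFILE that holds both root-ca and signing-ca-1, a key with the passphrase removed, and a check with openssl verify) as one added shell example. This is not code from the thread or from Condor; it builds a throwaway two-tier CA shaped like the one under discussion, issues a separate key and certificate per host, and shows why a CAFILE containing only signing-ca-1.crt fails verification. The work directory, the host names (central-manager, execute-host) and the demo passphrase are assumptions; run it on any machine with OpenSSL and copy the resulting files to the Windows host, pointing AUTH_SSL_SERVER_CAFILE and AUTH_SSL_CLIENT_CAFILE at ca-chain.crt and each host at its own key and certificate.

```shell
#!/bin/sh
# Added example, not code from the thread or from Condor: build a two-tier CA
# shaped like the one in the thread (root-ca -> signing-ca-1), issue a separate
# key and certificate per host, write the chain file that both
# AUTH_SSL_SERVER_CAFILE and AUTH_SSL_CLIENT_CAFILE should name, strip the
# passphrase from a key, and check everything with `openssl verify`.
# Assumptions: work directory, host names and the demo passphrase.
set -eu
umask 077                        # private keys come out mode 0600
WORK="${WORK:-$(mktemp -d)}"
DEMO_PASS="pass:changeit"        # constructed passphrase, demo only
cd "$WORK"

# One small config instead of the system openssl.cnf: the empty [dn] section
# satisfies `req` when the subject comes from -subj; v3_ca is needed because
# openssl verify rejects an intermediate that lacks basicConstraints CA:TRUE.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF

build_ca_chain() {
    # Self-signed root.
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=root-ca" -keyout root-ca.key -out root-ca.crt 2>/dev/null
    # Signing CA: CSR, then signed by the root with CA extensions.
    openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=signing-ca-1" -keyout signing-ca-1.key -out signing-ca-1.csr 2>/dev/null
    openssl x509 -req -in signing-ca-1.csr -CA root-ca.crt -CAkey root-ca.key \
        -CAcreateserial -days 1825 -extfile req.cnf -extensions v3_ca \
        -out signing-ca-1.crt 2>/dev/null
    # The CAFILE: signing CA and root concatenated, leaf-to-root order.
    cat signing-ca-1.crt root-ca.crt > ca-chain.crt
}

# issue_host NAME: passphrase-protected key plus a cert from signing-ca-1.
# Every host gets its own key; a key shared between the central manager and
# an execute host lets the execute host impersonate the manager.
issue_host() {
    name="$1"
    openssl genrsa -aes256 -passout "$DEMO_PASS" -out "$name.enc.key" 2048 2>/dev/null
    openssl req -config req.cnf -new -key "$name.enc.key" -passin "$DEMO_PASS" \
        -subj "/CN=$name" -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA signing-ca-1.crt -CAkey signing-ca-1.key \
        -CAcreateserial -days 365 -extfile req.cnf -extensions v3_host \
        -out "$name.crt" 2>/dev/null
}

# strip_passphrase NAME: unencrypted copy of the key (the modssl FAQ step);
# a daemon started at boot has nobody to type the passphrase for it.
strip_passphrase() {
    openssl rsa -in "$1.enc.key" -passin "$DEMO_PASS" -out "$1.key" 2>/dev/null
}

# key_is_encrypted FILE: PKCS#1 ("Proc-Type: 4,ENCRYPTED") and PKCS#8
# ("ENCRYPTED PRIVATE KEY") PEM both carry the word ENCRYPTED.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# verify_cert CAFILE CERT: exit status of openssl verify, trusting only CAFILE
# (-no-CApath keeps the system store from masking a missing root).
verify_cert() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

build_ca_chain
issue_host central-manager
issue_host execute-host
strip_passphrase execute-host

for host in central-manager execute-host; do
    if verify_cert ca-chain.crt "$host.crt"; then
        echo "$host.crt: OK against ca-chain.crt"
    else
        echo "$host.crt: FAILS against ca-chain.crt"
    fi
    # With only signing-ca-1.crt trusted the chain never reaches a
    # self-signed root, so verify fails: the thread's CAFILE setting.
    if verify_cert signing-ca-1.crt "$host.crt"; then
        echo "$host.crt: unexpectedly OK against signing-ca-1.crt alone"
    else
        echo "$host.crt: FAILS against signing-ca-1.crt alone, as expected"
    fi
done
echo "output in $WORK"
```

The unencrypted execute-host.key is what a daemon can load without a prompt, so it must be protected by file permissions alone (umask 077 above); the central-manager key is left encrypted here only to show the difference. The same verify_cert call, run by hand against the files on the Windows host, is the quickest way to tell a CA-chain problem from a passphrase problem.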