
Re: [Condor-users] SSL authentication with WinXP


> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx 
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Ian Alderman
> Sent: 21 March 2007 15:05
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] SSL authentication with WinXP
> On Wed, Mar 21, 2007 at 02:37:35PM -0000, Smith, Ian wrote:
> ...
> > 
> > I haven't managed to get this to work which is not really surprising
> > given the complexity involved. When I make SSL REQUIRED on the winXP
> > execute/host and do a condor_reconfig it prompts me for the PEM
> > password (why ?). I tried the one for the root CA and the signing one
> > but both fail with
> Try removing the password from the client side.  I'm not sure 
> whether Condor is prepared to handle password protected keys, 
> but maybe the OpenSSL API Condor uses provides this.
> Here's how to remove the password:
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31

OK that seems to have worked but I still get an authentication
error with condor_reconfig.


> > AUTH_SSL_SERVER_CAFILE =   c:\condor\ssl\ca\signing-ca-1.crt
> > AUTH_SSL_CLIENT_CAFILE =   c:\condor\ssl\ca\signing-ca-1.crt
> This should point to a file containing both the root-ca and
> signing-ca-1 certificates. 

Does that mean I need to concatenate them into one file?

> > AUTH_SSL_SERVER_CADIR =    c:\condor\ssl\ca
> > AUTH_SSL_CLIENT_CADIR =    c:\condor\ssl\ca
> Try verifying the certificates using openssl verify.

Not sure how I do that in a >expletive deleted< windows environment.
Are there any MS tools or do I need to go and get openssl?


> If you've got the same keys on both the central manager and 
> the execute host, this means the execute host can impersonate 
> the central manager... 

I can feel a migraine coming on now. SSL is hard enough to understand
but with Condor everything seems like a server and a client. Perhaps it
would be easier to say what I'm trying to do. On the production
service the Win machines should be execute only - end of story. If
the security mechanism makes them incapable of doing a condor_status or
anything else then so much the better. I'm not sure how this fits
with the client/server bit or how the certs tie to a particular host.
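The three things discussed in this exchange (why a CAFILE holding only signing-ca-1 fails verification, how the concatenated bundle and the hashed CADIR form look, and how a passphrase is stripped from a key) can all be tried out against a throwaway CA before touching the Condor config. The script below is an added example, not code from the thread's authors or from the Condor project. It assumes the `openssl` command-line tool is on the PATH (a Windows build of OpenSSL runs the same commands), and every name in it, "Example Root CA", "Example Signing CA 1", "winxp-exec.example.org" and the passphrase, is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Condor project or the thread's authors): build a
# throwaway two-level CA, show that trusting signing-ca-1.crt alone fails
# "openssl verify", build the concatenated bundle that works, build the hashed
# CADIR equivalent, and strip a passphrase from a key. All names are constructed.
set -e

WORK="${TMPDIR:-/tmp}/condor-ssl-demo.$$"

# Function bodies run in a subshell "( ... )" so the cd does not leak to the caller.

make_test_pki() (
    mkdir -p "$WORK" && cd "$WORK" || exit 1
    # Self-signed root; the stock req config (or OpenSSL 3 defaults) marks it CA:TRUE.
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout root-ca.key -out root-ca.crt 2>/dev/null
    # Intermediate "signing-ca-1", issued by the root and explicitly flagged as a CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Example Signing CA 1" \
        -keyout signing-ca-1.key -out signing-ca-1.csr 2>/dev/null
    openssl x509 -req -days 30 -in signing-ca-1.csr -CA root-ca.crt -CAkey root-ca.key \
        -CAcreateserial -extfile ca.ext -out signing-ca-1.crt 2>/dev/null
    # Host certificate for one execute node, with its own key pair (never the manager's).
    openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=winxp-exec.example.org" \
        -keyout host.key -out host.csr 2>/dev/null
    openssl x509 -req -days 30 -in host.csr -CA signing-ca-1.crt -CAkey signing-ca-1.key \
        -CAcreateserial -out host.crt 2>/dev/null
)

# What the CAFILE settings in the thread do: trust only signing-ca-1.crt. The chain
# then ends at a certificate that is not self-signed, so verification fails.
verify_with_signing_ca_only() (
    cd "$WORK" || exit 1
    if openssl verify -CAfile signing-ca-1.crt host.crt >/dev/null 2>&1; then
        echo "unexpected: chain verified without the root"; exit 1
    fi
    echo "fails as expected (unable to get issuer certificate)"
)

# The fix described in the reply: one file holding both the root and the signing CA.
build_bundle_and_verify() (
    cd "$WORK" || exit 1
    cat root-ca.crt signing-ca-1.crt > ca-chain.crt
    openssl verify -CAfile ca-chain.crt host.crt        # prints "host.crt: OK"
)

count_bundle_certs() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/ca-chain.crt"
}

# CADIR variant: OpenSSL looks CA certificates up by subject-name hash, so the
# directory must hold copies named <hash>.0 rather than arbitrary file names.
build_cadir_and_verify() (
    cd "$WORK" || exit 1
    mkdir -p cadir
    for c in root-ca.crt signing-ca-1.crt; do
        cp "$c" "cadir/$(openssl x509 -noout -hash -in "$c").0"
    done
    openssl verify -CApath cadir host.crt
)

# Removing a passphrase from a key, the step the mod_ssl FAQ link in the thread covers.
strip_key_passphrase() (
    cd "$WORK" || exit 1
    openssl genrsa -aes256 -passout pass:demo-passphrase -out host-enc.key 2048 2>/dev/null
    openssl rsa -in host-enc.key -passin pass:demo-passphrase -out host-plain.key 2>/dev/null
    # A plaintext PEM key carries neither "Proc-Type: 4,ENCRYPTED" nor "BEGIN ENCRYPTED PRIVATE KEY".
    ! grep -q ENCRYPTED host-plain.key
)

cleanup_test_pki() { rm -rf "$WORK"; }

run_demo() {
    make_test_pki && verify_with_signing_ca_only && build_bundle_and_verify \
        && build_cadir_and_verify && strip_key_passphrase && cleanup_test_pki
}

run_demo
```

Once `openssl verify` reports `host.crt: OK` against the bundle, that bundle is the file the AUTH_SSL_SERVER_CAFILE and AUTH_SSL_CLIENT_CAFILE settings should point to; if the CADIR settings are used instead, the directory needs the hashed file names shown above. Each machine gets its own key and certificate, so an execute host holding only its own key cannot present the central manager's identity, which is the concern raised about sharing keys.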