Mailing List Archives
Public Access
|
|
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Condor-users] SSL authentication with WinXP
- Date: Wed, 21 Mar 2007 16:36:44 -0000
- From: "Smith, Ian" <I.C.Smith@xxxxxxxxxxxxxxx>
- Subject: Re: [Condor-users] SSL authentication with WinXP
> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Ian Alderman
> Sent: 21 March 2007 15:05
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] SSL authentication with WinXP
>
> On Wed, Mar 21, 2007 at 02:37:35PM -0000, Smith, Ian wrote:
> ...
> >
> > I haven't managed to get this to work which is not really suprising
> > giving the complexity involved. When I make SSL REQUIRED on
> the winXP
> > execute/host and do a condor_reconfig it prompts me for the PEM
> > password (why ?). I tried the one for the root CA and the
> signing one
> > but both fail with
>
> Try removing the password from the client side. I'm not sure
> whether Condor is prepared to handle password protected keys,
> but maybe the OpenSSL API Condor uses provides this.
>
> Here's how to remove the password:
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31
OK that seems to have worked but I still get an authentication
error with condor_reconfig.
[snip]
> > AUTH_SSL_SERVER_CAFILE = c:\condor\ssl\ca\signing-ca-1.crt
> > AUTH_SSL_CLIENT_CAFILE = c:\condor\ssl\ca\signing-ca-1.crt
>
> This should point to a file containing both the root-ca and
signing-ca-1 certificates.
Does that mean I need to concatenate them into one file ?
>
> > AUTH_SSL_SERVER_CADIR = c:\condor\ssl\ca
> > AUTH_SSL_CLIENT_CADIR = c:\condor\ssl\ca
>
> Try verifying the certificates using openssl verify.
>
Not sure how I do that in a >expletive deleted< windows envrionment.
Are there any MS tools or do I near to go and get openssl.
[snip]
>
> If you've got the same keys on both the central manager and
> the execute host, this means the execute host can impersonate
> the central manager...
>
I can feel a migraine coming on now. SSL is hard enough to understand
but with Condor everything seems like a server and a client. Perhaps it
would be easier to say what I'm trying to do. On the production
service the Win machines should be execute only - end of story. If
the security mechanism makes them incapable of doing a condor_status or
anything else then so much the better. I'm not sure how this fits
with the client/server bit or how the certs tie to a particular host.
cheers,
-ian.