
Re: [Condor-users] SSL authentication with WinXP



 

> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx 
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of 
> Matthew Farrellee
> Sent: 21 March 2007 19:24
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] SSL authentication with WinXP
> 
> 
> On Mar 21, 2007, at 11:36 AM, Smith, Ian wrote:
> 
> > [snip]
> >
> >>> AUTH_SSL_SERVER_CAFILE =   c:\condor\ssl\ca\signing-ca-1.crt
> >>> AUTH_SSL_CLIENT_CAFILE =   c:\condor\ssl\ca\signing-ca-1.crt
> >>
> >> This should point to a file containing both the root-ca and
> > signing-ca-1 certificates.
> >
> > Does that mean I need to concatenate them into one file ?
> 
> Yes.
> 
> 
> >>> AUTH_SSL_SERVER_CADIR =    c:\condor\ssl\ca
> >>> AUTH_SSL_CLIENT_CADIR =    c:\condor\ssl\ca
> >>
> >> Try verifying the certificates using openssl verify.
> >
> > Not sure how I do that in a >expletive deleted< windows environment.
> > Are there any MS tools or do I need to go and get openssl?
> 
> At least for now I think you should use the CAFILE param and 
> ignore the CADIR. The CADIR needs all sorts of special maintenance...
> 
> 	
> http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
> 
> [snip]
> 
> 
> matt

Things are looking a bit more promising. I got the daemons to start
on the Win box and reconfigured it so that SSL is REQUIRED. 
condor_q -global and condor_status work OK although I'm not really
concerned about them. I can't get a job to run from the central manager
though ( SSL is OPTIONAL on the central manager/submit host). The win
machine goes into the matched -> claimed state but then the SSL auth
fails.
Presumably this is when the input file staging is attempted. I can't
work out what's the server and what's the client in this case.

The StartLog looks like:

3/22 14:02:09 Received match <138.253.103.161:2273>#1174570081#9
3/22 14:02:09 State change: match notification protocol successful
3/22 14:02:09 Changing state: Unclaimed -> Matched
3/22 14:02:09 DaemonCore: Command received via TCP from ssl from host <138.253.100.178:48099>
3/22 14:02:09 DaemonCore: received command 442 (REQUEST_CLAIM), calling handler (command_request_claim)
3/22 14:02:09 Request accepted.
3/22 14:02:09 Remote owner is smithic@xxxxxxxxxxxxxxx
3/22 14:02:09 State change: claiming protocol successful
3/22 14:02:09 Changing state: Matched -> Claimed
3/22 14:02:16 SSL Authentication fails, terminating
3/22 14:02:16 AUTHENTICATE: no available authentication methods succeeded, failing!
3/22 14:02:16 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
3/22 14:02:16 SSL Authentication fails, terminating
3/22 14:02:16 AUTHENTICATE: no available authentication methods succeeded, failing!
3/22 14:02:16 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
3/22 14:02:16 DaemonCore: Command received via UDP from ssl from host <138.253.100.178:60986>
3/22 14:02:16 DaemonCore: received command 443 (RELEASE_CLAIM), calling handler (command_release_claim)
3/22 14:02:16 State change: received RELEASE_CLAIM command
3/22 14:02:16 Changing state and activity: Claimed/Idle -> Preempting/Vacating
3/22 14:02:16 State change: No preempting claim, returning to owner
3/22 14:02:16 Changing state and activity: Preempting/Vacating -> Owner/Idle
3/22 14:02:16 State change: IS_OWNER is false
3/22 14:02:16 Changing state: Owner -> Unclaimed
3/22 14:02:16 DaemonCore: Command received via UDP from ssl from host <138.253.100.178:60987>
3/22 14:02:16 DaemonCore: received command 443 (RELEASE_CLAIM), calling handler (command_release_claim)
3/22 14:02:16 Warning: can't find resource with ClaimId (<138.253.103.161:2273>#1174570081#9)

cheers,

-ian.
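
The CAFILE advice quoted above, as an added example that is not part of the original message or of Condor: it builds a constructed root CA -> signing CA -> host chain and runs `openssl verify` against the signing CA alone and against the concatenated file. Only `signing-ca-1.crt` is a name from the thread; `root-ca.crt`, `ca-bundle.crt`, the subject names and the temporary directory are assumptions.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> signing CA -> host certificate.
# Only signing-ca-1.crt is a name from the thread; the rest are assumptions.

make_demo_pki() {
    dir=$1
    # Minimal config so the run does not depend on a system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    (
        cd "$dir" || exit 1
        # Self-signed root CA.
        openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed Root CA" -days 2 \
            -keyout root.key -out root-ca.crt || exit 1
        # Signing CA, issued by the root and marked CA:TRUE.
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed Signing CA 1" -keyout sign.key -out sign.csr || exit 1
        openssl x509 -req -in sign.csr -CA root-ca.crt -CAkey root.key -CAcreateserial \
            -extfile ca.cnf -extensions v3_ca -days 2 -out signing-ca-1.crt || exit 1
        # Host certificate, issued by the signing CA.
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=winxp-node.example.invalid" -keyout host.key -out host.csr || exit 1
        openssl x509 -req -in host.csr -CA signing-ca-1.crt -CAkey sign.key -CAcreateserial \
            -days 2 -out host.crt || exit 1
        # The single file a CAFILE setting should point at: root plus signing CA.
        cat root-ca.crt signing-ca-1.crt > ca-bundle.crt
    ) >/dev/null 2>&1
}

# Exit status 0 only if a full chain to a self-signed root can be built.
verify_with() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
verify_with "$demo_dir/signing-ca-1.crt" "$demo_dir/host.crt" \
    || echo "signing CA alone: chain cannot be completed"
verify_with "$demo_dir/ca-bundle.crt" "$demo_dir/host.crt" \
    && echo "root + signing CA in one file: chain verifies"
```
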