Mailing List Archives

Public Access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Condor SSL

I have solved the problem, i did not define the CERTIFICATE_MAPFILE macro.

As stated below config. I have a machine called gridprime which acts as the Master machine and submitter machine.

Host certificates are:
host gridprime.*
user idealgrid@gridprime.*

security policy
SEC_DEFAULT_ENCRYPTION = PREFERRED
SEC_DEFAULT_INTEGRITY = PREFERRED
SEC_DEFAULT_NEGOTIATION = PREFERRED
SEC_DEFAULT_AUTHENTICATION = REQUIRED

SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
SEC_DEFAULT_INTEGRITY_METHODS = MD5
SEC_DEFAULT_ENCRYPTION_METHODS = 3DES, BLOWFISH

CERTIFICATE_MAPFILE = /root/mapfile

AUTH_SSL_CLIENT_CAFILE = /root/certs/root-ca.crt
AUTH_SSL_CLIENT_CERTFILE = /root/certs/d_gridprime.crt
AUTH_SSL_CLIENT_KEYFILE = /root/certs/d_gridprime.key

AUTH_SSL_SERVER_CAFILE = /root/certs/root-ca.crt
AUTH_SSL_SERVER_CERTFILE = /root/certs/d_gridprime.crt
AUTH_SSL_SERVER_KEYFILE = /root/certs/d_gridprime.key

ALLOW_OWNER           = *@pesgrid.wipro.com/gridprime.pesgrid.wipro.com
ALLOW_READ            = *@pesgrid.wipro.com/*.pesgrid.wipro.com
ALLOW_WRITE           = *@pesgrid.wipro.com/*.pesgrid.wipro.com
ALLOW_ADMINISTRATOR   = root@xxxxxxxxxxxxxxxxx/gridprime.pesgrid.wipro.com,gridbackup.pesgrid.wipro.com
ALLOW_CONFIG          = root@xxxxxxxxxxxxxxxxx/gridprime.pesgrid.wipro.com,gridbackup.pesgrid.wipro.com
ALLOW_NEGOTIATOR      = *@pesgrid.wipro.com/gridprime.pesgrid.wipro.com,gridbackup.pesgrid.wipro.com
ALLOW_DAEMON          = *@pesgrid.wipro.com,192.168.111.*/*.pesgrid.wipro.com

when i start the master everything goes fine and detects the pool which is configured accordingly.

Certificate locations:
/root/certs contain daemon and host certificates.

and /home/idealgrid contain the idealgrid user certificates.

Submit file:
universe = PVM
executable = master_sum
input = in_sum
output = out_sum
error = err_sum
machine_count = 1..1
owner = idealgrid
queue

when i submit the job from idealgrid user it reports
Submitting job(s)1/6 11:57:32 SECMAN: command 1111 QMGMT_CMD to schedd at <192.168.111.5:10509> from TCP port 11321 (blocking).
1/6 11:57:32 SECMAN: new session, doing initial authentication.
1/6 11:57:32 SECMAN: Auth methods: SSL
1/6 11:57:32 HANDSHAKE: in handshake(my_methods = 'SSL')
1/6 11:57:32 HANDSHAKE: handshake() - i am the client
1/6 11:57:32 HANDSHAKE: sending (methods == 256) to server
1/6 11:57:32 HANDSHAKE: server replied (method = 256)
1/6 11:57:32 CAFILE:     '/root/certs/root-ca.crt'
1/6 11:57:32 CERTFILE:   '/root/certs/d_gridprime.crt'
1/6 11:57:32 KEYFILE:    '/root/certs/d_gridprime.key'
1/6 11:57:32 CIPHERLIST: 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
1/6 11:57:32 Error loading CA file and/or directory
1/6 11:57:32 Error initializing client security context
1/6 11:57:32 Error creating SSL context
1/6 11:57:32 SSL Authentication fails, terminating
1/6 11:57:32 AUTHENTICATE: method 256 (SSL) failed.
1/6 11:57:32 HANDSHAKE: in handshake(my_methods = '')
1/6 11:57:32 HANDSHAKE: handshake() - i am the client
1/6 11:57:32 HANDSHAKE: sending (methods == 0) to server
1/6 11:57:32 HANDSHAKE: server replied (method = 0)
1/6 11:57:32 AUTHENTICATE: no available authentication methods succeeded, failing!

ERROR: Failed to connect to local queue manager
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL


Can anyone tell me why the host machine certificates are being used but not the idealgrid certificates. I tried supplying the user certificates by
x509Directory = /home/idealgrid/.condorcerts which is the location of idealgrid certificates.

is there any other  way of specifying the user certs?

Manikanta.

On Mon, 2010-01-04 at 14:38 -0600, Dan Bradley wrote: 
It may help to add D_SECURITY and D_FULLDEBUG to your debug options 
(e.g. ALL_DEBUG).  This will give a more verbose description of the 
security negotiation phase.  Specifically, it should show which 
authentication methods the client and server say they support.  Perhaps 
SSL is not in the client authentication methods, since you have only 
configured DAEMON authorization level to use it.  SSL is not included in 
the authentication methods by default for any authorization level.  You 
could consider adding it to SEC_DEFAULT_AUTHENTICATION_METHODS.

--Dan

Manikanta Swamy Kattamuri wrote:
> Hi,
>
> I am trying to set up SSL security in condor, but am presently stuk as
> of how to proceed.
> The configurations are 
>
>
> for the host:
> given user name : gridprime.domain.com
> given mail : xxxx@xxxxxxxx
>
> openssl req -newkey rsa:1024 -keyout griprime.key -nodes -config
> openssl.cnf -out gridprime.req 
>
> for the user condor
> openssl req -newkey rsa:1024 -keyout condor.key -nodes -config
> openssl.cnf -out condor.req 
>
> after signing the certificates using 
> openssl ca -config openssl.cnf -out gridprime.crt -infiles gridprime.req
> openssl ca -config openssl.cnf -out condor.crt -infiles condor.req
>
> moved the .key files and .crt file to certs/ folder.
>
> configurations in condor_config.local
>
> SEC_DEFAULT_AUTHENTICATION =REQUIRED
> SEC_DAEMON_AUTHENTICATION_METHODS =SSL
> ALLOW_DAEMON = ssl@unmappeduser
>
> AUTH_SSL_CLIENT_CADIR=/root/CondorSigningCA1/ca.db.certs/
> AUTH_SSL_SERVER_CADIR=/root/CondorSigningCA1/ca.db.certs/
>
> AUTH_SSL_CLIENT_CAFILE = /root/certs/root-ca.crt
> AUTH_SSL_CLIENT_CERTFILE = /root/certs/gridprime.crt
> AUTH_SSL_CLIENT_KEYFILE = /root/certs/gridprime.key
>
> AUTH_SSL_SERVER_CAFILE = /root/certs/root-ca.crt
> AUTH_SSL_SERVER_CERTFILE = /root/certs/gridprime.crt
> AUTH_SSL_SERVER_KEYFILE = /root/certs/gridprime.key
>
> When i am using this set up, i get a 
>
> Master Log: Removed some entries.
>
> 12/30 16:05:25 ******************************************************
> 12/30 16:05:25 ** condor_master (CONDOR_MASTER) STARTING UP
> 12/30 16:05:25 ** /opt/condor-7.2.0/sbin/condor_master
> 12/30 16:05:25 ** SubsystemInfo: name=MASTER type=MASTER(2)
> class=DAEMON(1)
> 12/30 16:05:25 ** Configuration: subsystem:MASTER local:<NONE>
> class:DAEMON
> 12/30 16:05:25 ** $CondorVersion: 7.2.3 May 11 2009 BuildID: 151729 $
> 12/30 16:05:25 ** $CondorPlatform: I386-LINUX_RHEL5 $
> 12/30 16:05:25 ** PID = 20966
> 12/30 16:05:25 ** Log last touched 12/30 16:05:18
> 12/30 16:05:25 ******************************************************
> 12/30 16:05:25 Using config source: /opt/condor-7.2.0/etc/condor_config
> 12/30 16:05:25 Using local config sources:
> 12/30 16:05:25    /var/local.gridprime/condor_config.local
> 12/30 16:05:25 Running as root.  Enabling specialized core dump routines
> 12/30 16:05:28 ProcAPI::buildFamily() Found daddypid on the system:
> 20967
> 12/30 16:05:28 AUTHENTICATE: no available authentication methods
> succeeded, failing!
> 12/30 16:05:28 DC_AUTHENTICATE: authenticate failed:
> AUTHENTICATE:1003:Failed to authenticate with any method
> 12/30 16:05:28 ProcAPI::buildFamily() Found daddypid on the system:
> 20968
> 12/30 16:05:28 Initialized the following authorization table:
> 12/30 16:05:28 Authorizations yet to be resolved:
> 12/30 16:05:28 allow WRITE:  */* */10.201.*
> 12/30 16:05:28 allow NEGOTIATOR:  */192.168.111.5 */192.168.111.6
> */gridprime.pesgrid.wipro.com */gridbackup.pesgrid.wipro.com
> 12/30 16:05:28 allow ADMINISTRATOR:  */192.168.111.5 */192.168.111.6
> */gridprime.pesgrid.wipro.com */gridbackup.pesgrid.wipro.com
> 12/30 16:05:28 allow OWNER:  */192.168.111.5 */192.168.111.5
> */192.168.111.6 */gridprime.pesgrid.wipro.com
> */gridprime.pesgrid.wipro.com */gridbackup.pesgrid.wipro.com
> 12/30 16:05:28 allow DAEMON:  ssl@unmappeduser/* */* */10.201.*
> 12/30 16:05:28 allow SOAP:  */cloudapp.cloud.wipro.com
> */cloudapp2.pesgrid.wipro.com */192.168.111.25 */192.168.111.9
> */192.168.111.11 */cloudapp1.pesgrid.wipro.com
> */cloudapp.pesgrid.wipro.com
> 12/30 16:05:28 allow ADVERTISE_STARTD:  ssl@unmappeduser/* */*
> */10.201.*
> 12/30 16:05:28 allow ADVERTISE_SCHEDD:  ssl@unmappeduser/* */*
> */10.201.*
> 12/30 16:05:28 allow ADVERTISE_MASTER:  ssl@unmappeduser/* */*
> */10.201.*
> 12/30 16:05:28 Adding to resolved authorization table:
> daemon@xxxxxxxxxxxxxxxxx/192.168.111.5: ADMINISTRATOR
> 12/30 16:05:28 Got admin command (492) and allowing it.
> 12/30 16:05:28 Handling daemon-specific command for "NEGOTIATOR"
> 12/30 16:05:28 Handling StopFast for NEGOTIATOR myself
> 12/30 16:05:28 AUTHENTICATE: no available authentication methods
> succeeded, failing!
> 12/30 16:05:28 DC_AUTHENTICATE: authenticate failed:
> AUTHENTICATE:1003:Failed to authenticate with any method
> 12/30 16:05:30 ProcAPI::buildFamily() Found daddypid on the system:
> 20972
> 12/30 16:05:33 AUTHENTICATE: no available authentication methods
> succeeded, failing!
> 12/30 16:05:33 DC_AUTHENTICATE: authenticate failed:
> AUTHENTICATE:1003:Failed to authenticate with any method
> 12/30 16:05:33 enter Daemons::UpdateCollector
> 12/30 16:05:33 ERROR: SECMAN:2004:Failed to create security session to
> <192.168.111.6:9618> with TCP.|SECMAN:2003:TCP connection to
> <192.168.111.6:9618> failed.
> 12/30 16:05:33 Failed to start non-blocking update to
> <192.168.111.6:9618>.
> 12/30 16:05:33 AUTHENTICATE: no available authentication methods
> succeeded, failing!
> 12/30 16:05:33 DC_AUTHENTICATE: authenticate failed:
> AUTHENTICATE:1003:Failed to authenticate with any method
> 12/30 16:05:33 AUTHENTICATE: no available authentication methods
> succeeded, failing!
> 12/30 16:05:33 DC_AUTHENTICATE: authenticate failed:
> AUTHENTICATE:1003:Failed to authenticate with any method
> 12/30 16:05:38 AUTHENTICATE: no available authentication methods
> succeeded, failing!
> 12/30 16:05:38 DC_AUTHENTICATE: authenticate failed:
> AUTHENTICATE:1003:Failed to authenticate with any method
>
>
> Schedd Log: Removed some entries taught to be unnecessary.
>
>  ******************************************************
> 12/30 16:00:55 (pid:20827) ** condor_schedd (CONDOR_SCHEDD) STARTING UP
> 12/30 16:00:55 (pid:20827) ** /opt/condor-7.2.0/sbin/condor_schedd
> 12/30 16:00:55 (pid:20827) ** SubsystemInfo: name=SCHEDD type=SCHEDD(5)
> class=DAEMON(1)
> 12/30 16:00:55 (pid:20827) ** Configuration: subsystem:SCHEDD
> local:<NONE> class:DAEMON
> 12/30 16:00:55 (pid:20827) ** $CondorVersion: 7.2.3 May 11 2009 BuildID:
> 151729 $
> 12/30 16:00:55 (pid:20827) ** $CondorPlatform: I386-LINUX_RHEL5 $
> 12/30 16:00:55 (pid:20827) ** PID = 20827
> 12/30 16:00:55 (pid:20827) ** Log last touched 12/30 15:54:36
> 12/30 16:00:55 (pid:20827)
> ******************************************************
> 12/30 16:00:55 (pid:20827) Using config
> source: /opt/condor-7.2.0/etc/condor_config
> 12/30 16:00:55 (pid:20827) Using local config sources:
> 12/30 16:00:55 (pid:20827)    /var/local.gridprime/condor_config.local
> 12/30 16:00:55 (pid:20827) Running as root.  Enabling specialized core
> dump routines
> 12/30 16:00:55 (pid:20827) No PLUGIN_DIR config option, no plugins
> loaded
> 12/30 16:00:55 (pid:20827) Using name: gridprime.pesgrid.wipro.com
> 12/30 16:00:55 (pid:20827) No Accountant host specified in config file
> 12/30 16:00:55 (pid:20827) Queue Management Super Users:
> 12/30 16:00:55 (pid:20827)      root
> 12/30 16:00:55 (pid:20827)      condor
> 12/30 16:00:55 (pid:20827)      daemon
> 12/30 16:00:55 (pid:20827) NOTE: QUEUE_ALL_USERS_TRUSTED=TRUE - all
> queue access checks disabled!
> 12/30 16:00:55 (pid:20827) CronMgr: Constructing 'schedd'
> 12/30 16:00:55 (pid:20827) CronMgr: Setting name to 'schedd'
> 12/30 16:00:55 (pid:20827) CronMgr: Setting parameter base to 'schedd'
> 12/30 16:00:55 (pid:20827) CronMgr: Doing config (initial)
> 12/30 16:00:55 (pid:20827) DaemonCore: in SendAliveToParent()
> 12/30 16:00:58 (pid:20827) AUTHENTICATE: no available authentication
> methods succeeded, failing!
> 12/30 16:00:58 (pid:20827) ERROR: SECMAN:2004:Failed to create security
> session to <192.168.111.5:11177> with TCP.|AUTHENTICATE:1003:Failed to
> authenticate with any method
> 12/30 16:00:58 (pid:20827) DaemonCore: startCommand() to
> <192.168.111.5:11177> failed. SendAliveToParent() failed.
> 12/30 16:00:58 (pid:20827) Failed to send alive to
> <192.168.111.5:11177>, will try again...
> 12/30 16:01:03 (pid:20827) AUTHENTICATE: no available authentication
> methods succeeded, failing!
> 12/30 16:01:03 (pid:20827) ERROR: SECMAN:2004:Failed to create security
> session to <192.168.111.5:11177> with TCP.|AUTHENTICATE:1003:Failed to
> authenticate with any method
> 12/30 16:01:03 (pid:20827) DaemonCore: startCommand() to
> <192.168.111.5:11177> failed. SendAliveToParent() failed.
> 12/30 16:01:03 (pid:20827) Failed to send alive to
> <192.168.111.5:11177>, will try again...
> 12/30 16:01:08 (pid:20827) AUTHENTICATE: no available authentication
> methods succeeded, failing!
>
>
> As by the logs i find that the authentication is not succeeding.
> i tried by creating certificate's using combinations 
>
> daemon@<hostname>
> schedd@<hostname> etc but was not successful in starting the daemons.
> Logs are always the same as above.
>
> Am i missing any configurations else where? followed the
> http://pages.cs.wisc.edu/~zmiller/ca-howto/ when setting this up.
>
> what do i need to do for setting this up.
>
> Manikanta.
>
>
>
>
> Thanks & Regards
> Manikanta Swamy K | Bangalore | +919986991495
>
>
> Please do not print this email unless it is absolutely necessary. 
>
> The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 
>
> WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. 
>
> www.wipro.com
> _______________________________________________
> Condor-users mailing list
> To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/condor-users/
>   
_______________________________________________
Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/condor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/condor-users/
Thanks & Regards
Manikanta Swamy K | Bangalore | +919986991495

Please do not print this email unless it is absolutely necessary.

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

www.wipro.com