
Re: [Condor-users] GSI auth in Windows



> Perhaps at the next Condor week, I can do a Linux/Windows cross-platform
> tutorial for setting up SSL and/or Kerberos.  In the meantime, I would create
> your SSL certs on a Linux machine and then follow the configuration mentioned
> here:
>  http://research.cs.wisc.edu/condor/CondorWeek2011/presentations/zmiller-ssl-tutorial.pdf

Hi Zach,

Thanks for the info -- very useful.  I followed your advice, and ended up with a condor_config.local (Windows) like this:

---
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = ssl
SEC_CLIENT_AUTHENTICATION_METHODS = fs, password, ssl

GSI_DAEMON_DIRECTORY=$(LOCAL_DIR)\etc\grid-security
AUTH_SSL_SERVER_CERTFILE = $(GSI_DAEMON_DIRECTORY)/hostcert.pem
AUTH_SSL_CLIENT_CERTFILE = $(GSI_DAEMON_DIRECTORY)/hostcert.pem
AUTH_SSL_SERVER_KEYFILE = $(GSI_DAEMON_DIRECTORY)/hostkey.pem
AUTH_SSL_CLIENT_KEYFILE = $(GSI_DAEMON_DIRECTORY)/hostkey.pem
AUTH_SSL_SERVER_CAFILE = $(GSI_DAEMON_DIRECTORY)/cacerts/condor-ca.crt
AUTH_SSL_CLIENT_CAFILE = $(GSI_DAEMON_DIRECTORY)/cacerts/condor-ca.crt

CERTIFICATE_MAPFILE = $(GSI_DAEMON_DIRECTORY)/mapfile
---

My (test) user doesn't have a certificate, and so when I try to submit a job, I get:

C:\condor>condor_submit test.txt
ERROR: Failed to connect to local queue manager
AUTHENTICATE:1003:Failed to authenticate with any method

I was expecting the configuration to enable authentication between daemons, but not for the purposes of job submission/management (which I thought came under SEC_WRITE_AUTHENTICATION).  Is it not possible to remove the requirement to give my users certificates, thus falling back on the local auth on the submission host to control user access to the grid?

Thanks,

Chris