
Re: [HTCondor-users] HTCondor-CE: cannot authenticate via Argus GSI PEP callout



Hello,
I've been "head-acking" with this same problem for a while.
It seems that it's a TLS version problem (thanks Brian Lin)

argus doesn't recognize TLS > 1.1
gsi doesn't accept TLS < 1.2

Newer HTC-CE versions come with newer gsi libs, hence the problem.
Argus developers are aware of the problem:

https://github.com/argus-authz/argus-pep-server/issues/25

Cheers,
Stefano


On 03/12/19 18:43, Stewart Martin-Haugh wrote:
Hi,

Not clear if this is a problem with our Argus configuration, or with our HTCondor-CE, but when trying to submit jobs to our HTCondor-CE remotely I see:

tail /var/log/condor-ce/SchedLog

12/03/19 17:41:45 (D_SECURITY) ZKM: 1: attempting to map 'DN'
12/03/19 17:41:45 (D_SECURITY) ZKM: 2: mapret: 0 included_voms: 1 canonical_user: GSS_ASSIST_GRIDMAP
12/03/19 17:41:45 (D_ALWAYS:2) ZKM: successful mapping to GSS_ASSIST_GRIDMAP
12/03/19 17:41:45 (D_SECURITY) Using Globus mapping result from the cache.
12/03/19 17:41:45 (D_SECURITY) Globus-based mapping failed; will use gsi@unmapped.
12/03/19 17:41:45 (D_SECURITY) ZKM: 1: attempting to map '/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=smh/CN=673716/CN=Stewart Martin-Haugh,/atlas/Role=NULL/Capability=NULL,/atlas/lcg1/Role=NULL/Capability=NULL,/atlas/uk/Role=NULL/Capability=NULL'
12/03/19 17:41:45 (D_SECURITY) ZKM: 2: mapret: 0 included_voms: 1 canonical_user: GSS_ASSIST_GRIDMAP
12/03/19 17:41:45 (D_ALWAYS:2) ZKM: successful mapping to GSS_ASSIST_GRIDMAP
12/03/19 17:41:45 (D_SECURITY) Using Globus mapping result from the cache.
12/03/19 17:41:45 (D_SECURITY) Globus-based mapping failed; will use gsi@unmapped.


With GSI_PEP_CALLOUT_DEBUG_LEVEL increased to 9:
2019-12-03 17:26:01 DEBUG: pep_authorize: PEP#1: encoding base64 output...
2019-12-03 17:26:01  INFO: pep_authorize: PEP#1 sending XACML request to: https://argus.server:8154/authz
* About to connect() to argus.server port 8154 (#1)
*   Trying 130.246.181.45...
* Connected to argus.server ($IP_ADDRESS) port 8154 (#1)
* failed to load '/etc/grid-security/certificates/c7cad089.signing_policy' from CURLOPT_CAPATH
...
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
 CApath: /etc/grid-security/certificates
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Closing connection 1
2019-12-03 17:26:01 ERROR: pep_authorize: PEP#1 sending XACML request to https://argus.server:8154/authz failed: curl[58] Problem with the local SSL certificate.

Cheers,
Stewart
