
Re: [HTCondor-users] condor 8.x and authentication woes



I put together a short presentation for HTCondor Week which gives
example directions and a configuration to install a pool using PASSWORD
authentication. Hopefully, you will find this useful.

https://agenda.hep.wisc.edu/event/1325/session/16/contribution/41

...Tim

On 7/1/19 9:41 PM, Bockelman, Brian wrote:
>
>> On Jul 1, 2019, at 9:15 PM, Keith Brown <keith6014@xxxxxxxxx> wrote:
>>
>> Hi.
>>
>> I went with SSL because it's a standard protocol used in HTTPS. Didn't
>> think it was this hard.
>>
> Ah - on the server-side, yes.  Have you ever set up client X509 auth though with a private CA?  Not particularly fun....
>
>> Here is my setup, BTW
>> SEC_DAEMON_AUTHENTICATION = REQUIRED
>> SEC_DAEMON_AUTHENTICATION_METHODS = SSL
> Ah - both the client and server must have the same protocol enabled (from the error message below, it appears there was no mutually agreed-upon protocol).  You have set the protocol for "DAEMON" (on the server) but not at the client.
>
> At least the first step to configuring is this:
>
> SEC_CLIENT_AUTHENTICATION_METHODS = SSL
>
> When the startd is advertising to the collector, for example, the startd refers to the "client" list and the collector uses the "daemon" authentication list.
>
> (NOTE: adding "D_SECURITY,D_FULLDEBUG" to the daemon's logging configuration often helps with debugging security problems.)
>
>>
>> AUTH_SSL_CLIENT_CAFILE = /var/lib/condor/cndrsrvc.crt
>> AUTH_SSL_CLIENT_CERTFILE = /var/lib/condor/cndrsrvc.crt
>> AUTH_SSL_CLIENT_KEYFILE = /var/lib/condor/cndrsrvc.key
>> AUTH_SSL_SERVER_CAFILE = /var/lib/condor/cndrsrvc.crt
>> AUTH_SSL_SERVER_CERTFILE = /var/lib/condor/cndrsrvc.crt
>> AUTH_SSL_SERVER_KEYFILE = /var/lib/condor/cndrsrvc.key
>> CERTIFICATE_MAPFILE = /var/lib/condor/map
>>
>> The map file is simple
>> SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin
>> --Madison/O=Computer Sciences Department/OU=HTCondor
>> Project/CN=Service" condor
>>
>> I am hoping the map file is the issue. I am open to troubleshooting this.
>>
>> But, for now I like the password option.
>>
> Yup - honestly, we can probably figure out the SSL setup but PASSWORD seems more appropriate here.
>
> Brian
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/

-- 
Tim Theisen
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736
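As an added example (written for this page, not code from the thread or from HTCondor itself), here is a small Python checker that applies Brian's two points to the configuration Keith posted: it parses a condor_config-style fragment, reports when SEC_CLIENT_AUTHENTICATION_METHODS and SEC_DAEMON_AUTHENTICATION_METHODS share no method (the "no mutually agreed-upon protocol" situation), and then checks that the CERTIFICATE_MAPFILE has an SSL entry matching the certificate DN. The config and map file contents are constructed from the thread; the assumption that a mapfile regex must match the whole DN, and the omission of HTCondor's compiled-in defaults for SEC_DEFAULT_AUTHENTICATION_METHODS, are simplifications of this example, not documented HTCondor behaviour.

```python
import re

# Constructed sample: the daemon-only configuration from the thread. With no
# client-side method list the negotiation has nothing in common and fails.
# Real installs also carry compiled-in defaults for
# SEC_DEFAULT_AUTHENTICATION_METHODS, which this toy checker ignores.
POSTED_CONFIG = """
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
AUTH_SSL_CLIENT_CAFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_CLIENT_CERTFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_CLIENT_KEYFILE = /var/lib/condor/cndrsrvc.key
AUTH_SSL_SERVER_CAFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_SERVER_CERTFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_SERVER_KEYFILE = /var/lib/condor/cndrsrvc.key
CERTIFICATE_MAPFILE = /var/lib/condor/map
"""

# The same configuration with Brian's fix: the initiating side lists SSL too.
FIXED_CONFIG = POSTED_CONFIG + "SEC_CLIENT_AUTHENTICATION_METHODS = SSL\n"

# Constructed map file using the DN from the thread, mapped to the user "condor".
SERVICE_DN = ("/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison"
              "/O=Computer Sciences Department/OU=HTCondor Project/CN=Service")
MAPFILE = 'SSL "%s" condor\n' % SERVICE_DN


def parse_condor_config(text):
    """Minimal condor_config parser: KEY = VALUE lines, '#' comments and
    backslash line continuations. A later assignment overrides an earlier
    one. Macro expansion ($(...)) is deliberately not handled."""
    cfg = {}
    joined = re.sub(r"\\\n", "", text)
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().upper()] = value.strip()
    return cfg


def method_list(cfg, key):
    """Split a comma/space separated method list into upper-cased names."""
    return [m.upper() for m in re.split(r"[,\s]+", cfg.get(key, "")) if m]


def common_methods(cfg):
    """Methods both ends of a daemon-to-daemon connection can agree on: the
    initiating daemon (e.g. a startd advertising) uses the CLIENT list, the
    accepting daemon (e.g. the collector) uses the DAEMON list. An unset list
    falls back to SEC_DEFAULT_AUTHENTICATION_METHODS from the fragment."""
    default = method_list(cfg, "SEC_DEFAULT_AUTHENTICATION_METHODS")
    client = method_list(cfg, "SEC_CLIENT_AUTHENTICATION_METHODS") or default
    daemon = method_list(cfg, "SEC_DAEMON_AUTHENTICATION_METHODS") or default
    return [m for m in client if m in daemon]


def parse_mapfile(text):
    """Parse CERTIFICATE_MAPFILE lines of the form:  METHOD "regex" user
    (the regex may be unquoted when it contains no spaces).
    Returns a list of (method, compiled regex, user)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'(\S+)\s+("([^"]*)"|(\S+))\s+(\S+)$', line)
        if not m:
            raise ValueError("unparseable mapfile line: " + line)
        pattern = m.group(3) if m.group(3) is not None else m.group(4)
        entries.append((m.group(1).upper(), re.compile(pattern), m.group(5)))
    return entries


def map_identity(entries, method, name):
    """First matching entry wins. Assumption of this example: the regex has
    to match the entire authenticated name, so a partial DN does not map."""
    for meth, rx, user in entries:
        if meth == method.upper() and rx.fullmatch(name):
            return user
    return None


def diagnose(config_text, mapfile_text, presented_dn):
    """Return a list of findings for the two problems raised in the thread."""
    findings = []
    cfg = parse_condor_config(config_text)
    if not common_methods(cfg):
        findings.append("no method common to SEC_CLIENT_AUTHENTICATION_METHODS "
                        "and SEC_DAEMON_AUTHENTICATION_METHODS")
    if "SSL" in method_list(cfg, "SEC_DAEMON_AUTHENTICATION_METHODS"):
        if map_identity(parse_mapfile(mapfile_text), "SSL", presented_dn) is None:
            findings.append("CERTIFICATE_MAPFILE has no SSL entry matching "
                            + presented_dn)
    return findings


if __name__ == "__main__":
    print("posted config:", diagnose(POSTED_CONFIG, MAPFILE, SERVICE_DN))
    print("fixed config: ", diagnose(FIXED_CONFIG, MAPFILE, SERVICE_DN))
    print("unknown cert: ", diagnose(FIXED_CONFIG, MAPFILE, "/C=US/CN=Unknown"))
```

On a live pool the effective lists come from `condor_config_val SEC_CLIENT_AUTHENTICATION_METHODS` and `condor_config_val SEC_DAEMON_AUTHENTICATION_METHODS` on each host rather than from a single file, so run the comparison against what each daemon actually sees; the mapfile check is worth repeating with the exact subject string the daemon logs under D_SECURITY, since a DN that differs by one component (or a mangled quote character in the map file) silently maps to nothing.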