
Re: [HTCondor-users] condor 8.x and authentication woes





On Jul 2, 2019, at 7:05 AM, Todd Tannenbaum <tannenba@xxxxxxxxxxx> wrote:


And here is one to configure Pool Password (which I tend to prefer) :


Sorry for the typo in the last post, here is the correct URL for the pool password configuration:

https://htcondor-wiki.cs.wisc.edu/index.cgi/wiki?p=HowToEnablePoolPassword

Hope this helps!

Best regards
Todd











I haven't followed these recipes recently, but they did work for me in the past by pretty much cut-n-paste.

And I totally agree with you, it shouldn't be this hard to configure the SSL setup, definitely something we hope to improve this year (actually, we are moving towards a simpler token-based model).

Here is my setup, BTW
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL


AUTH_SSL_CLIENT_CAFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_CLIENT_CERTFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_CLIENT_KEYFILE = /var/lib/condor/cndrsrvc.key
AUTH_SSL_SERVER_CAFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_SERVER_CERTFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_SERVER_KEYFILE = /var/lib/condor/cndrsrvc.key
CERTIFICATE_MAPFILE = /var/lib/condor/map

The map file is simple
SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin
--Madison/O=Computer Sciences Department/OU=HTCondor
Project/CN=Service" condor

I am hoping the map file is the issue. I am open to troubleshooting this.

But, for now I like the password option.


On Mon, Jul 1, 2019 at 10:09 PM Bockelman, Brian
<BBockelman@xxxxxxxxxxxxx> wrote:

Hi Keith,

Sorry to hear that you have issues!

If you're going for a "simple, secure" setup, I would recommend using PASSWORD auth (slides 11-17 of the presentation you linked https://indico.cern.ch/event/272794/contributions/614951/attachments/490442/677973/MillerZ-Securing.pdf).

There are some limitations for PASSWORD noted in the slides (namely: flocking multiple pools together and remote submission); it doesn't sound like you will hit those limitations currently.  In 8.9.2, we have started to lift those limitations (life will get easier in 8.9.3 and yet again in 8.9.4).

SSL is relatively complex because, well, setting up a public key infrastructure is relatively complex.  8.9.3 will provide a few sane defaults (less knobs to turn), but there's a limit to how simple it can go.

Any reason why you gravitate toward SSL instead of PASSWORD?

Thanks,

Brian

On Jul 1, 2019, at 8:46 PM, Keith Brown <keith6014@xxxxxxxxx> wrote:

I have been a long time condor 6 & 7 user and decided to give v8 a try
in our lab. Installation was done through an RPM, RHEL 7.6.

I have 2 nodes: r1 (COLLECTOR, MASTER, NEGOTIATOR, SCHEDD, STARTD). r2
(MASTER, STARTD).  I am able to start everything up but on r2 I keep
seeing

07/01/19 21:35:14 SECMAN: FAILED: Received "DENIED" from server for
user unauthenticated@unmapped using method (no authentication).
07/01/19 21:35:14 ERROR: SECMAN:2010:Received "DENIED" from server for
user unauthenticated@unmapped using method (no authentication).

I am tempted to go "CLAIMTOBE" route. Instead, I looked into SSL
because that seems to be recommended but getting it to work is very
hard.


I have followed,
http://research.cs.wisc.edu/htcondor/CondorWeek2011/presentations/zmiller-ssl-tutorial.pdf
and https://indico.cern.ch/event/272794/contributions/614951/attachments/490442/677973/MillerZ-Securing.pdf
https://www-auth.cs.wisc.edu/lists/htcondor-users/2010-January/msg00228.shtml

Is there a simpler version of the SSL setup? Has anyone gotten a
simple SSL setup to work?

The documentation, https://htcondor.readthedocs.io/en/v8_8_3/admin-manual/security.html,
should include a quick start for SSL. Otherwise, I think everything
will go with claimedtobe and make instances insecure.
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
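
An added example, not written by anyone in this thread and not HTCondor code: a small Python check for a CERTIFICATE_MAPFILE entry of the shape shown above (method, quoted subject, canonical name), flagging lines that were wrapped or picked up typographic quotes in transit before testing whether a certificate subject maps to a name. The entry pattern, the unanchored regex matching, the function names and the sample subject are assumptions made for illustration.

```python
import re

# Simplified model of one entry: METHOD, principal (double-quoted when it
# contains spaces), canonical name. An assumption, not HTCondor's parser.
ENTRY = re.compile(r'^(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)\s*$')

def lint_line(line):
    """Return the problems that stop `line` parsing as a single entry."""
    problems = []
    if any(ord(ch) > 127 for ch in line):
        problems.append("non-ascii")          # e.g. a typographic quote
    if line.count('"') % 2:
        problems.append("unbalanced-quote")   # entry wrapped across lines
    if not problems and not ENTRY.match(line):
        problems.append("not-three-fields")
    return problems

def map_subject(mapfile_text, method, subject):
    """Return the canonical name mapped to (method, subject), or None."""
    for line in mapfile_text.splitlines():
        line = line.strip()
        if not line or lint_line(line):
            continue                          # skip blank and broken lines
        meth, quoted, bare, name = ENTRY.match(line).groups()
        principal = quoted if quoted is not None else bare
        try:
            # Assumption: principal is a regex, matched unanchored.
            if meth == method and re.search(principal, subject):
                return name
        except re.error:
            continue                          # principal is not a valid regex
    return None

# Constructed sample data (not taken from the thread).
SUBJECT = "/C=US/ST=MI/O=Example Lab/CN=Service"
WRAPPED = 'SSL "/C=US/ST=MI/O=Example\nLab/CN=Service\u201d condor\n'
CLEAN = 'SSL "/C=US/ST=MI/O=Example Lab/CN=Service" condor\n'

if __name__ == "__main__":
    for n, line in enumerate(WRAPPED.splitlines(), 1):
        print(n, lint_line(line))
    print(map_subject(WRAPPED, "SSL", SUBJECT), map_subject(CLEAN, "SSL", SUBJECT))
```
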
