
Re: [Condor-users] Condor SSL

It may help to add D_SECURITY and D_FULLDEBUG to your debug options (e.g. ALL_DEBUG). This will give a more verbose description of the security negotiation phase. Specifically, it should show which authentication methods the client and server say they support. Perhaps SSL is not in the client authentication methods, since you have only configured DAEMON authorization level to use it. SSL is not included in the authentication methods by default for any authorization level. You could consider adding it to SEC_DEFAULT_AUTHENTICATION_METHODS.

--Dan
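The two changes Dan describes, written out as a condor_config.local fragment. This is an added example, not configuration from the thread; it assumes the poster's certificate and key paths and uses ALL_DEBUG (the knob Dan mentions) for the debug flags.

```conf
# Added example (not from the original thread): the poster's security settings
# with the two changes suggested above. Paths are the poster's own.

# 1. Verbose security-negotiation logging for every daemon, so the log shows
#    which authentication methods the client and the server each offered.
ALL_DEBUG = D_SECURITY D_FULLDEBUG

# Before (as posted): SSL enabled only at the DAEMON authorization level.
# A connecting client uses the DEFAULT method list, which does not contain
# SSL, so the two sides share no method and negotiation fails with
# "AUTHENTICATE: no available authentication methods succeeded".
#SEC_DEFAULT_AUTHENTICATION = REQUIRED
#SEC_DAEMON_AUTHENTICATION_METHODS = SSL

# 2. After: put SSL in the DEFAULT method list so every level, client side
#    included, offers it; the DAEMON-level setting then merely restates it.
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
SEC_DAEMON_AUTHENTICATION_METHODS = SSL

# Certificates as posted: one CA file, one host cert/key used on both sides.
AUTH_SSL_CLIENT_CAFILE = /root/certs/root-ca.crt
AUTH_SSL_CLIENT_CERTFILE = /root/certs/gridprime.crt
AUTH_SSL_CLIENT_KEYFILE = /root/certs/gridprime.key
AUTH_SSL_SERVER_CAFILE = /root/certs/root-ca.crt
AUTH_SSL_SERVER_CERTFILE = /root/certs/gridprime.crt
AUTH_SSL_SERVER_KEYFILE = /root/certs/gridprime.key
```

After a condor_reconfig, the MasterLog should list SSL on both sides of the negotiation; if a side still omits it, that side's method list is the place to look.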

Manikanta Swamy Kattamuri wrote:
Hi,

I am trying to set up SSL security in Condor, but am presently stuck as
to how to proceed.
The configurations are

for the host:
given user name : gridprime.domain.com
given mail : xxxx@xxxxxxxx

openssl req -newkey rsa:1024 -keyout gridprime.key -nodes -config openssl.cnf -out gridprime.req

for the user condor:

openssl req -newkey rsa:1024 -keyout condor.key -nodes -config openssl.cnf -out condor.req

after signing the certificates using:

openssl ca -config openssl.cnf -out gridprime.crt -infiles gridprime.req
openssl ca -config openssl.cnf -out condor.crt -infiles condor.req

I moved the .key files and .crt files to the certs/ folder.

Configuration in condor_config.local:

SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
ALLOW_DAEMON = ssl@unmappeduser

AUTH_SSL_CLIENT_CADIR=/root/CondorSigningCA1/ca.db.certs/
AUTH_SSL_SERVER_CADIR=/root/CondorSigningCA1/ca.db.certs/

AUTH_SSL_CLIENT_CAFILE = /root/certs/root-ca.crt
AUTH_SSL_CLIENT_CERTFILE = /root/certs/gridprime.crt
AUTH_SSL_CLIENT_KEYFILE = /root/certs/gridprime.key

AUTH_SSL_SERVER_CAFILE = /root/certs/root-ca.crt
AUTH_SSL_SERVER_CERTFILE = /root/certs/gridprime.crt
AUTH_SSL_SERVER_KEYFILE = /root/certs/gridprime.key

When I use this setup, I get the following.

Master Log (some entries removed):

12/30 16:05:25 ******************************************************
12/30 16:05:25 ** condor_master (CONDOR_MASTER) STARTING UP
12/30 16:05:25 ** /opt/condor-7.2.0/sbin/condor_master
12/30 16:05:25 ** SubsystemInfo: name=MASTER type=MASTER(2)
class=DAEMON(1)
12/30 16:05:25 ** Configuration: subsystem:MASTER local:<NONE>
class:DAEMON
12/30 16:05:25 ** $CondorVersion: 7.2.3 May 11 2009 BuildID: 151729 $
12/30 16:05:25 ** $CondorPlatform: I386-LINUX_RHEL5 $
12/30 16:05:25 ** PID = 20966
12/30 16:05:25 ** Log last touched 12/30 16:05:18
12/30 16:05:25 ******************************************************
12/30 16:05:25 Using config source: /opt/condor-7.2.0/etc/condor_config
12/30 16:05:25 Using local config sources:
12/30 16:05:25    /var/local.gridprime/condor_config.local
12/30 16:05:25 Running as root.  Enabling specialized core dump routines
12/30 16:05:28 ProcAPI::buildFamily() Found daddypid on the system:
20967
12/30 16:05:28 AUTHENTICATE: no available authentication methods
succeeded, failing!
12/30 16:05:28 DC_AUTHENTICATE: authenticate failed:
AUTHENTICATE:1003:Failed to authenticate with any method
12/30 16:05:28 ProcAPI::buildFamily() Found daddypid on the system:
20968
12/30 16:05:28 Initialized the following authorization table:
12/30 16:05:28 Authorizations yet to be resolved:
12/30 16:05:28 allow WRITE:  */* */10.201.*
12/30 16:05:28 allow NEGOTIATOR:  */192.168.111.5 */192.168.111.6
*/gridprime.pesgrid.wipro.com */gridbackup.pesgrid.wipro.com
12/30 16:05:28 allow ADMINISTRATOR:  */192.168.111.5 */192.168.111.6
*/gridprime.pesgrid.wipro.com */gridbackup.pesgrid.wipro.com
12/30 16:05:28 allow OWNER:  */192.168.111.5 */192.168.111.5
*/192.168.111.6 */gridprime.pesgrid.wipro.com
*/gridprime.pesgrid.wipro.com */gridbackup.pesgrid.wipro.com
12/30 16:05:28 allow DAEMON:  ssl@unmappeduser/* */* */10.201.*
12/30 16:05:28 allow SOAP:  */cloudapp.cloud.wipro.com
*/cloudapp2.pesgrid.wipro.com */192.168.111.25 */192.168.111.9
*/192.168.111.11 */cloudapp1.pesgrid.wipro.com
*/cloudapp.pesgrid.wipro.com
12/30 16:05:28 allow ADVERTISE_STARTD:  ssl@unmappeduser/* */*
*/10.201.*
12/30 16:05:28 allow ADVERTISE_SCHEDD:  ssl@unmappeduser/* */*
*/10.201.*
12/30 16:05:28 allow ADVERTISE_MASTER:  ssl@unmappeduser/* */*
*/10.201.*
12/30 16:05:28 Adding to resolved authorization table:
daemon@xxxxxxxxxxxxxxxxx/192.168.111.5: ADMINISTRATOR
12/30 16:05:28 Got admin command (492) and allowing it.
12/30 16:05:28 Handling daemon-specific command for "NEGOTIATOR"
12/30 16:05:28 Handling StopFast for NEGOTIATOR myself
12/30 16:05:28 AUTHENTICATE: no available authentication methods
succeeded, failing!
12/30 16:05:28 DC_AUTHENTICATE: authenticate failed:
AUTHENTICATE:1003:Failed to authenticate with any method
12/30 16:05:30 ProcAPI::buildFamily() Found daddypid on the system:
20972
12/30 16:05:33 AUTHENTICATE: no available authentication methods
succeeded, failing!
12/30 16:05:33 DC_AUTHENTICATE: authenticate failed:
AUTHENTICATE:1003:Failed to authenticate with any method
12/30 16:05:33 enter Daemons::UpdateCollector
12/30 16:05:33 ERROR: SECMAN:2004:Failed to create security session to
<192.168.111.6:9618> with TCP.|SECMAN:2003:TCP connection to
<192.168.111.6:9618> failed.
12/30 16:05:33 Failed to start non-blocking update to
<192.168.111.6:9618>.
12/30 16:05:33 AUTHENTICATE: no available authentication methods
succeeded, failing!
12/30 16:05:33 DC_AUTHENTICATE: authenticate failed:
AUTHENTICATE:1003:Failed to authenticate with any method
12/30 16:05:33 AUTHENTICATE: no available authentication methods
succeeded, failing!
12/30 16:05:33 DC_AUTHENTICATE: authenticate failed:
AUTHENTICATE:1003:Failed to authenticate with any method
12/30 16:05:38 AUTHENTICATE: no available authentication methods
succeeded, failing!
12/30 16:05:38 DC_AUTHENTICATE: authenticate failed:
AUTHENTICATE:1003:Failed to authenticate with any method


Schedd Log (some entries thought to be unnecessary removed):

 ******************************************************
12/30 16:00:55 (pid:20827) ** condor_schedd (CONDOR_SCHEDD) STARTING UP
12/30 16:00:55 (pid:20827) ** /opt/condor-7.2.0/sbin/condor_schedd
12/30 16:00:55 (pid:20827) ** SubsystemInfo: name=SCHEDD type=SCHEDD(5)
class=DAEMON(1)
12/30 16:00:55 (pid:20827) ** Configuration: subsystem:SCHEDD
local:<NONE> class:DAEMON
12/30 16:00:55 (pid:20827) ** $CondorVersion: 7.2.3 May 11 2009 BuildID:
151729 $
12/30 16:00:55 (pid:20827) ** $CondorPlatform: I386-LINUX_RHEL5 $
12/30 16:00:55 (pid:20827) ** PID = 20827
12/30 16:00:55 (pid:20827) ** Log last touched 12/30 15:54:36
12/30 16:00:55 (pid:20827)
******************************************************
12/30 16:00:55 (pid:20827) Using config
source: /opt/condor-7.2.0/etc/condor_config
12/30 16:00:55 (pid:20827) Using local config sources:
12/30 16:00:55 (pid:20827)    /var/local.gridprime/condor_config.local
12/30 16:00:55 (pid:20827) Running as root.  Enabling specialized core
dump routines
12/30 16:00:55 (pid:20827) No PLUGIN_DIR config option, no plugins
loaded
12/30 16:00:55 (pid:20827) Using name: gridprime.pesgrid.wipro.com
12/30 16:00:55 (pid:20827) No Accountant host specified in config file
12/30 16:00:55 (pid:20827) Queue Management Super Users:
12/30 16:00:55 (pid:20827)      root
12/30 16:00:55 (pid:20827)      condor
12/30 16:00:55 (pid:20827)      daemon
12/30 16:00:55 (pid:20827) NOTE: QUEUE_ALL_USERS_TRUSTED=TRUE - all
queue access checks disabled!
12/30 16:00:55 (pid:20827) CronMgr: Constructing 'schedd'
12/30 16:00:55 (pid:20827) CronMgr: Setting name to 'schedd'
12/30 16:00:55 (pid:20827) CronMgr: Setting parameter base to 'schedd'
12/30 16:00:55 (pid:20827) CronMgr: Doing config (initial)
12/30 16:00:55 (pid:20827) DaemonCore: in SendAliveToParent()
12/30 16:00:58 (pid:20827) AUTHENTICATE: no available authentication
methods succeeded, failing!
12/30 16:00:58 (pid:20827) ERROR: SECMAN:2004:Failed to create security
session to <192.168.111.5:11177> with TCP.|AUTHENTICATE:1003:Failed to
authenticate with any method
12/30 16:00:58 (pid:20827) DaemonCore: startCommand() to
<192.168.111.5:11177> failed. SendAliveToParent() failed.
12/30 16:00:58 (pid:20827) Failed to send alive to
<192.168.111.5:11177>, will try again...
12/30 16:01:03 (pid:20827) AUTHENTICATE: no available authentication
methods succeeded, failing!
12/30 16:01:03 (pid:20827) ERROR: SECMAN:2004:Failed to create security
session to <192.168.111.5:11177> with TCP.|AUTHENTICATE:1003:Failed to
authenticate with any method
12/30 16:01:03 (pid:20827) DaemonCore: startCommand() to
<192.168.111.5:11177> failed. SendAliveToParent() failed.
12/30 16:01:03 (pid:20827) Failed to send alive to
<192.168.111.5:11177>, will try again...
12/30 16:01:08 (pid:20827) AUTHENTICATE: no available authentication
methods succeeded, failing!


From the logs I find that the authentication is not succeeding.
I tried creating certificates using combinations such as
daemon@<hostname>,
schedd@<hostname>, etc., but was not successful in starting the daemons.
The logs are always the same as above.

Am I missing any configuration elsewhere? I followed
http://pages.cs.wisc.edu/~zmiller/ca-howto/ when setting this up.

What do I need to do to set this up?

Manikanta.
Thanks & Regards
Manikanta Swamy K | Bangalore | +919986991495