[Condor-users] SSL help
- Date: Tue, 26 Jan 2010 17:17:08 -0700
- From: "Michael O'Donnell" <odonnellm@xxxxxxxx>
- Subject: [Condor-users] SSL help
I am trying to set up an SSL authentication with condor, and I am having a difficult time figuring out the error messages. There appears to be an error with the SSL library, but I am guessing it has to do with generating the keys. I am using a multi-level approach and acceptable hash (md5) and encryption methods (des3).

My Condor testing pool consists of 3 machines and all Windows XP. I am using release 7.4.

The possible source of error could be one of the following (or maybe something else):
- config files
- mapfile (format)
- generation of keys (using openssl and python)

I generated RSA certificates using md5 hash. I have a CA-root, CA-signing, and host paired keys. I am using the common name in the key to assign the host name. Because I am new to all this, I am pretty clueless as to what my error may be related to. Below is a subset of my configuration files and the negotiatorlog file. Essentially the negotiator and scheduler daemons die as soon as the machine is booted or the service is restarted. The master daemon does not die.

#Global config settings
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_DEFAULT_NEGOTIATION = REQUIRE
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_INTEGRITY_METHODS = MD5
SEC_DEFAULT_ENCRYPTION_METHODS = 3DES
CERTIFICATE_MAPFILE = Path\Condor_mapfile.txt
#Mapfile looks like this:
#SSL (.*) \1
#Local config settings
### SSL key/cert multi-level authentication.
AUTH_SSL_CLIENT_CADIR = Path\Server
AUTH_SSL_CLIENT_CERTFILE = Path\MachineName.cert
AUTH_SSL_CLIENT_KEYFILE = Path\MachineName.key
#
AUTH_SSL_SERVER_CADIR = Path\Server
AUTH_SSL_SERVER_CERTFILE = Path\MachineName.cert
AUTH_SSL_SERVER_KEYFILE = Path\MachineName.key
NegotiatorLog
01/26 15:40:11 Trying to connect.
01/26 15:40:11 SSL: trying to continue reading.
01/26 15:40:11 Trying to connect.
01/26 15:40:11 SSL: trying to continue reading.
01/26 15:40:11 Receive message.
01/26 15:40:11 Trying to connect.
01/26 15:40:11 SSL: library failure. see error queue?
01/26 15:40:11 SSL Authentication failed
01/26 15:40:11 AUTHENTICATE: no available authentication methods succeeded, failing!
01/26 15:40:11 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:1052> with TCP.|AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/26 15:40:11 Failed to send alive to <159.189.162.73:1052>, will try again...
01/26 15:40:16 Trying to connect.
01/26 15:40:16 SSL: trying to continue reading.
01/26 15:40:16 Trying to connect.
01/26 15:40:16 SSL: trying to continue reading.
01/26 15:40:16 Receive message.
01/26 15:40:16 Trying to connect.
01/26 15:40:16 SSL: library failure. see error queue?
01/26 15:40:16 SSL Authentication failed
01/26 15:40:16 AUTHENTICATE: no available authentication methods succeeded, failing!
01/26 15:40:16 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:1052> with TCP.|AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/26 15:40:16 Failed to send alive to <159.189.162.73:1052>, will try again...
01/26 15:40:21 Trying to connect.
01/26 15:40:21 SSL: trying to continue reading.
01/26 15:40:21 Trying to connect.
01/26 15:40:21 SSL: trying to continue reading.
01/26 15:40:21 Receive message.
01/26 15:40:21 Trying to connect.
01/26 15:40:21 SSL: library failure. see error queue?
01/26 15:40:21 SSL Authentication failed
01/26 15:40:21 AUTHENTICATE: no available authentication methods succeeded, failing!
01/26 15:40:21 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:1052> with TCP.|AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/26 15:40:21 ERROR "FAILED TO SEND INITIAL KEEP ALIVE TO OUR PARENT <159.189.162.73:1052>" at line 9310 in file ..\src\condor_daemon_core.V6\daemon_core.cpp

Thank you for your help,
Mike
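
Added example, not part of the original message and not Condor's own code: a small triage script for log excerpts like the NegotiatorLog above, which rejoins mail-wrapped lines and splits each "ERROR:" entry's pipe-separated SUBSYS:code:message stack so repeated authentication failures can be counted per peer. The function names and the sample text (with a documentation-range address) are constructed for illustration.

```python
import re
from collections import Counter

ENTRY = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")      # "MM/DD HH:MM:SS message"
STACK_ITEM = re.compile(r"^([A-Z_]+):(\d+):(.*)$")            # "SUBSYS:code:message"
PEER = re.compile(r"<(\d{1,3}(?:\.\d{1,3}){3}:\d+)>")         # "<ip:port>"

# Constructed sample: one retry cycle in the format quoted in the post,
# hard-wrapped the way a mail client leaves it.
SAMPLE = """\
01/26 15:40:11 SSL: library failure.
see error queue?
01/26 15:40:11 SSL Authentication failed
01/26 15:40:11 ERROR: SECMAN:2004:Failed
to create security session to <192.0.2.10:1052> with TCP.|AUTHENTICATE:1003:Failed
to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate
using SSL
01/26 15:40:11 Failed to send alive
to <192.0.2.10:1052>, will try again...
"""

def unwrap(text):
    """Join continuation lines (no leading timestamp) onto the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2).strip()])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return [(ts, msg) for ts, msg in entries]

def error_stacks(text):
    """Yield (timestamp, peer, [(subsystem, code, message), ...]) per 'ERROR:' entry."""
    for ts, msg in unwrap(text):
        if not msg.startswith("ERROR: "):
            continue
        items = []
        for part in msg[len("ERROR: "):].split("|"):
            m = STACK_ITEM.match(part.strip())
            if m:
                items.append((m.group(1), int(m.group(2)), m.group(3).strip()))
        peer = PEER.search(msg)
        if items:
            yield ts, (peer.group(1) if peer else None), items

def summarize(text):
    """Count failures keyed by (peer, subsystem, code) of the last stack item."""
    return Counter((peer, items[-1][0], items[-1][1])
                   for _, peer, items in error_stacks(text))
```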