
[HTCondor-users] SSL authentication - location of user certificates



Hey,
 
we stumbled upon a problem regarding user authentication using SSL. The (daemon-to-daemon) host authentication seems to work flawlessly (ssl_status, adding worker nodes).
However, user authentication appears to fail. For instance, submitting jobs using condor_submit results in the following error in the SCHEDLOG:
 
"
04/11/14 07:47:19 (pid:9530) DC_AUTHENTICATE: authentication of <10.0.38.23:50961> did not result in a valid mapped user name, which is required for this command (1112 QMGMT_WRITE_CMD), so aborting.
"
 
Our mapfile looks as follows:
 
"
SSL CN=USER johndoe
"
 
What we tried to do is map the user certificate (generated as described on http://pages.cs.wisc.edu/~zmiller/ca-howto/ ) with the common name "johndoe" to the corresponding (Linux) user johndoe, who is the owner of the process condor_submit, resulting in the error mentioned above.
 
On the other hand, we tried the following mapping:
 
"
SSL CN=HOST johndoe
"
 
where HOST is the common name of the certificate used for host authentication. Funnily enough, this appears to work, hence we can submit jobs using this mapfile.
 
What we suspect is that HTCondor can't find the user's certificate or its location. Is there any need to specify the certificate's location as mentioned for GSI in the manual (Chapter 3.6.3.1, GSI Authentication)?
 
Best regards,
OC
 
PS : The corresponding settings in the local configuration file are:
 
"
AUTH_SSL_CLIENT_CAFILE = /home/condor/signing-ca-1.pem
AUTH_SSL_CLIENT_CERTFILE = /home/condor/host_omega.pem
AUTH_SSL_CLIENT_KEYFILE = /home/condor/host_omega.key
AUTH_SSL_SERVER_CAFILE = /home/condor/signing-ca-1.pem
AUTH_SSL_SERVER_CERTFILE = /home/condor/host_omega.pem
AUTH_SSL_SERVER_KEYFILE = /home/condor/host_omega.key
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
AUTH_SSL_SERVER_CADIR = /home/condor/
CERTIFICATE_MAPFILE = /home/condor/CERTIFICATE_MAPFILE
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_CRYPTO_METHODS = BLOWFISH
SEC_DEFAULT_INTEGRITY = REQUIRED
"