Mailing List Archives

Authenticated access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] GSI how-to using outdated digest algorithm

Hi,

I'm trying to set up a GSI test environment following the instructions in your wiki https://htcondor-wiki.cs.wisc.edu/index.cgi/wiki?p=WisdomGsiSetup. All HTCondor daemons spawn correctly but the communication between the daemons doesn't work.

According to MasterLog the reason is that Globus won't verify the credentials due to "unknown message digest algorithm". It seems that the outdated MD5 algorithm was used to create the sample certificates and newer OpenSSL versions do no longer support MD5 as a signature algorithm. I was wondering if

  1. you're aware of some easy way to re-enable MD5 in OpenSSL.
  2. you could update the TAR archive in your wiki using the recommended SHA-256 algorithm instead of MD5.

Best regards,
Lukas

04/05/18 10:22:25 SECMAN: command 2 UPDATE_MASTER_AD to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector from TCP port 7676 (non-blocking).
04/05/18 10:22:25 SECMAN: waiting for TCP connection to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector.
04/05/18 10:22:25 SECMAN: resuming command 2 UPDATE_MASTER_AD to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector from TCP port 7676 (non-blocking).
04/05/18 10:22:25 SECMAN: resuming command 2 UPDATE_MASTER_AD to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector from TCP port 7676 (non-blocking).
04/05/18 10:22:25 SECMAN: new session, doing initial authentication.
04/05/18 10:22:25 SECMAN: Auth methods: GSI
04/05/18 10:22:25 AUTHENTICATE: setting timeout for <137.226.129.230:9618?alias=tux-vbox.iehk.rwth-aachen.de&sock=collector> to 20.
04/05/18 10:22:25 HANDSHAKE: in handshake(my_methods = 'GSI')
04/05/18 10:22:25 HANDSHAKE: handshake() - i am the client
04/05/18 10:22:25 HANDSHAKE: sending (methods == 32) to server
04/05/18 10:22:25 HANDSHAKE: server replied (method = 32)
04/05/18 10:22:25 Condor GSI authentication failure
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential: certificate signature failure
OpenSSL Error: a_verify.c:206: in library: asn1 encoding routines, function ASN1_item_verify: unknown message digest algorithm
04/05/18 10:22:25 AUTHENTICATE: method 32 (GSI) failed.
04/05/18 10:22:25 HANDSHAKE: in handshake(my_methods = '')
04/05/18 10:22:25 HANDSHAKE: handshake() - i am the client
04/05/18 10:22:25 HANDSHAKE: sending (methods == 0) to server
04/05/18 10:22:25 HANDSHAKE: server replied (method = 0)
04/05/18 10:22:25 SECMAN: required authentication with collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector failed, so aborting command UPDATE_MASTER_AD.
04/05/18 10:22:25 ERROR: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using GSI|GSI:5004:Failed to authenticate.  Globus is reporting error (655360:1583)
04/05/18 10:22:25 Failed to start non-blocking update to <137.226.129.230:9618>.