Hello Thomas,
we could try this from a client host that is known to work for that use case.
I will contact you privately and we can see.
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Thomas Hartmann <thomas.hartmann@xxxxxxx>
Sent: Monday, April 29, 2024 3:37 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] CondorCE: testing SSL based submission with CE client tools?

Hi all,

as we are moving all our resources to Condor23/EL9 [1] and only tokens will be available for authz, we have been asked to add SSL authz for some of our users who are not token ready yet.

To do so, I enabled client SSL [2] and added mapping rules for my user DN (I also tried wildcarding the DN tail so as to also catch proxy DNs derived from the user proxies).

On the client side, I exported the envvars [4] to prepare the condor-ce client.

Unfortunately, condor_ce_{ping,trace} are failing after unlocking my cert/key and I have not been able to authz myself against the CE via SSL.

AFAIS, the DN is known and mapped [7]. But even with `SCHEDD_DEBUG = $(SCHEDD_DEBUG) D_CAT D_SECURITY:2` set, I do not find hints of my SSL authz attempts in the SchedLog or so.

Maybe somebody has an idea how to use a user cert/key with SSL authz for tests/submissions to a CondorCE23?

Cheers and thanks,
Thomas

[1]
condor-23.0.8-1.el9.x86_64
condor-stash-plugin-6.12.1-1.x86_64
htcondor-ce-23.0.8-1.el9.noarch
htcondor-ce-bdii-23.0.8-1.el9.noarch
htcondor-ce-client-23.0.8-1.el9.noarch
htcondor-ce-condor-23.0.8-1.el9.noarch
python3-condor-23.0.8-1.el9.x86_64

[2]
> cat /etc/condor-ce/config.d/99_SSLauthz_hartmath_testing.conf
AUTH_SSL_ALLOW_CLIENT_PROXY = True
AUTH_SSL_REQUIRE_CLIENT_MAPPING = True

[3]
> tail -n1 /etc/condor-ce/mapfiles.d/99_ZZ_SSLauthz_hartmath_testing.conf
SSL "/DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches Elektronen-Synchrotron DESY/CN=Thomas Hartmann hartmath@xxxxxxx" desyusr004

coming from

> openssl x509 -in ~/.globus/usercert.pem -noout -subject
subject= /DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches Elektronen-Synchrotron DESY/CN=Thomas Hartmann hartmath@xxxxxxx

[4]
> export _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SSL
> export _condor_AUTH_SSL_CLIENT_KEYFILE=~/.globus/userkey.pem
> export _condor_AUTH_SSL_CLIENT_CADIR=/etc/grid-security/certificates
> export _condor_AUTH_SSL_CLIENT_CERTFILE=~/.globus/usercert.pem
(tried also to point CERTFILE to a valid proxy's X509_USER_PROXY path, i.e., `/tmp/x509up_u${UID}`)

[5]
> condor_ce_ping -verbose -type SCHEDD -name grid-htc-ce04.desy.de:9619 WRITE
Enter PEM pass phrase:
WRITE failed!
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL

[6]
> condor_ce_ping -verbose -type SCHEDD -name grid-htc-ce04.desy.de:9619 WRITE
Enter PEM pass phrase:
WRITE failed!
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL

[7]
04/29/24 14:56:31 (D_ALWAYS:2) MapFile: Canonicalization File: method='SSL' principal='/DC=org/DC=terena/DC=tcs/C=DE/O=Deutsches Elektronen-Synchrotron DESY/CN=Thomas Hartmann hartmath@xxxxxxx' canonicalization='desyusr004'
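An added illustration, not part of the thread and not HTCondor's own code: a small POSIX-shell emulation of how a mapfile rule like the one in [3] is applied, assuming the quoted principal field is a regular expression that has to match the entire presented DN (an assumption taken from the HTCondor manual's description of the mapfile), and using constructed placeholder DNs instead of the real ones. It shows that an exact-DN rule does not cover a proxy DN carrying an extra /CN= component while a wildcard tail does, and that a DN no rule maps yields no canonical name, which is what AUTH_SSL_REQUIRE_CLIENT_MAPPING = True turns into an authentication failure.

```shell
#!/bin/sh
# Emulation of an HTCondor mapfile lookup (added illustration, not HTCondor code).
# Rule format, as in the mapfiles.d snippet:
#   METHOD "<regex that must match the whole principal>" <canonical user>
# Constructed sample mapfile with placeholder DNs (not a real site file).
MAPFILE_CONTENT='# exact DN: matches only the end-entity certificate subject
SSL "/DC=org/DC=example/O=Example Lab/CN=Alice Example alice@example.org" labusr001
# wildcard tail: also accepts a proxy DN with an extra /CN=... component
SSL "/DC=org/DC=example/O=Example Lab/CN=Bob Example bob@example.org(/CN=.*)?" labusr002
GSI "/DC=org/DC=example/O=Example Lab/CN=Carol Example carol@example.org" labusr003'

# map_lookup METHOD DN: print the canonical user of the first matching rule and
# return 0; return 1 when no rule maps the DN (with AUTH_SSL_REQUIRE_CLIENT_MAPPING
# = True that is the case the daemon rejects).
map_lookup() {
    method=$1
    dn=$2
    printf '%s\n' "$MAPFILE_CONTENT" | {
        while IFS= read -r line; do
            case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
            rule_method=${line%% *}                     # first field
            [ "$rule_method" = "$method" ] || continue
            rest=${line#* }                             # '"<regex>" <canonical>'
            rest=${rest#\"}
            regex=${rest%%\"*}                          # text inside the quotes
            canon=${rest#*\" }                          # third field
            # -x anchors the pattern to the whole line, i.e. a full-DN match
            if printf '%s\n' "$dn" | grep -Eqx -- "$regex"; then
                printf '%s\n' "$canon"
                exit 0                                  # leaves the pipeline subshell
            fi
        done
        exit 1
    }
}

# Stand-alone demo: an end-entity DN, a proxy DN derived from it, and a proxy DN
# covered by the wildcard rule.
if [ "${1:-}" = "demo" ]; then
    for dn in '/DC=org/DC=example/O=Example Lab/CN=Alice Example alice@example.org' \
              '/DC=org/DC=example/O=Example Lab/CN=Alice Example alice@example.org/CN=1234567' \
              '/DC=org/DC=example/O=Example Lab/CN=Bob Example bob@example.org/CN=1234567'; do
        if user=$(map_lookup SSL "$dn"); then
            echo "mapped:   $dn -> $user"
        else
            echo "unmapped: $dn"
        fi
    done
fi
```

Run it as `sh maplookup.sh demo` to print the three lookups.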