
Re: [HTCondor-users] mapfile, passing variables



Set this in the HTCondor configuration on the user's machine:

AUTH_SSL_USE_CLIENT_PROXY_ENV_VAR = True

Then, put both of the user's certificate and private key in a single file. Make sure there's no passphrase encrypting the private key and the file has appropriate restricted permissions. Then, ensure that the following is set in the user's environment:

X509_USER_PROXY = /path/to/ssl-file

You may also want to set the following config parameter on all machines:

AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE = True

Otherwise, SSL authentication can succeed without the client providing a credential (only the server need be authenticated). In that case, the user's identity is "ssl@unmapped" and job submissions will fail.

If you installed HTCondor using the get_htcondor script, you will also need to add these configuration settings:

SEC_DEFAULT_AUTHENTICATION_METHODS = SSL, $(SEC_DEFAULT_AUTHENTICATION_METHODS)
SEC_READ_AUTHENTICATION_METHODS = SSL, $(SEC_READ_AUTHENTICATION_METHODS)
SEC_CLIENT_AUTHENTICATION_METHODS = SSL, $(SEC_CLIENT_AUTHENTICATION_METHODS)

 - Jaime

On Aug 9, 2024, at 2:13 PM, Rita <rmorgan466@xxxxxxxxx> wrote:

Jaime, 
Thanks for the response. 
I don't want to use FS authentication because I plan to submit jobs to a remote scheduler. I have been through the SSL tutorial numerous times and I got the hang of SSL authentication, so I want to stick to it. I am at the point where I can create a separate SSL certificate for a user. I already have a few. But, I am not sure how a user can say, "use this certificate"...






On Fri, Aug 9, 2024 at 3:05 PM Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
Let's back up a step.
I assumed you already had separate SSL certificates for each of your users, which you wanted them to use to authenticate to HTCondor when submitting jobs. It sounds like that is not the situation, in which case I would recommend a different authentication method. If the users are logged into the machine running the condor_schedd, then the FS authentication method is ideal. It doesn't require any additional configuration.
If the users will be submitting jobs from a remote machine, then I recommend the IDTOKENS authentication method. You would create an IDToken for each user and place it in their home directory (under ~/.condor/tokens.d/). No configuration changes are required.

 - Jaime

On Aug 9, 2024, at 1:04 PM, Rita <rmorgan466@xxxxxxxxx> wrote:

I can create multiple user certificates from a CSR. Such as this

openssl ca -config openssl.cnf -out zmiller.crt -infiles zmiller.req

I can inspect zmiller.crt. But how exactly do I use zmiller.crt (its signed also)? 

On Fri, Aug 9, 2024 at 1:56 PM Rita <rmorgan466@xxxxxxxxx> wrote:
I am not following how a user can use their certificate. There is only 1 certificate for the pool.  According to the tutorial (https://research.cs.wisc.edu/htcondor/CondorWeek2011/presentations/zmiller-ssl-tutorial.pdf), there is only 1 certificate. 

On Fri, Aug 9, 2024 at 1:53 PM Rita <rmorgan466@xxxxxxxxx> wrote:
In your example, you have only one user (jfrey). Do you have an example with multiple users? 

On Fri, Aug 9, 2024 at 10:58 AM Jaime Frey via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
The mapfile is how you tell HTCondor what user each SSL certificate should be mapped to. It can't define a $REMOTE_USER variable, as it doesn't have any information to determine a value.

You will probably have to add an entry in the mapfile for each user's SSL certificate, providing the os account that certificate should be mapped to. Here's an example:

SSL "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=jafrey/CN=647245/CN=James Frey" jfrey

If your users' SSL DNs contain the os account name (e.g. if the DN includes the user's email address for your organization), you can use regular expression rules to extract that and derive the os account name.

 - Jaime

> On Aug 9, 2024, at 8:15 AM, Rita <rmorgan466@xxxxxxxxx> wrote:
>
> I have a mapfile which is using SSL. I have 30 odd users. At the moment, I have
> SSL (.*)  usera
>
> All jobs are going in as usera which isn't correct. Is it possible to pass
> SSL (*.) $REMOTE_USER
>
> or something like that?





--
--- Get your facts first, then you can distort them as you please.--
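The mapfile behaviour discussed in this thread, as an added illustration that is not part of the original messages or of HTCondor itself: a small Python matcher over the three-column METHOD/PATTERN/TARGET format, fed the catch-all rule from the first post, one literal per-certificate entry, and a regex rule that derives the account from a CN. The DNs are constructed, whole-name matching and `\1` group substitution in the target are assumptions of this toy rather than a statement about HTCondor's exact matching rules, and unmatched names are reported as `ssl@unmapped` as the thread describes.

```python
import re
from typing import List, Tuple

# Constructed mapfile text in HTCondor's three-column layout: METHOD PATTERN TARGET.
# The catch-all below is the rule from the original post; it is the reason every
# job arrived as "usera".
CATCHALL_MAPFILE = "SSL (.*) usera\n"

# One literal entry per user certificate (quotes allow spaces in the DN), plus a
# regex rule that extracts the account from an e-mail style CN via \1.
PER_USER_MAPFILE = r'''
# literal match for one user's certificate
SSL "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=jafrey/CN=647245/CN=James Frey" jfrey
# derive the OS account from the local part of the CN; \1 is the capture group
SSL "^/DC=example/DC=org/OU=People/CN=([a-z][a-z0-9]*)@example\.org$" \1
'''

Rule = Tuple[str, re.Pattern, str]

# METHOD, then either a double-quoted pattern or a bare one, then the target.
_LINE = re.compile(r'^(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)$')


def parse_mapfile(text: str) -> List[Rule]:
    """Parse mapfile lines into (method, compiled pattern, target); blanks and # comments are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed mapfile line: {line!r}")
        method, quoted, bare, target = m.groups()
        rules.append((method.upper(), re.compile(quoted if quoted is not None else bare), target))
    return rules


def map_identity(rules: List[Rule], method: str, authenticated_name: str) -> str:
    """Return the account of the first rule whose pattern matches the whole name,
    or <method>@unmapped when nothing matches (the identity HTCondor reports then)."""
    for rule_method, pattern, target in rules:
        if rule_method != method.upper():
            continue
        m = pattern.fullmatch(authenticated_name)  # assumption: whole-name match
        if m:
            return m.expand(target)  # substitutes \1, \2 ... from the capture groups
    return f"{method.lower()}@unmapped"
```

Running the catch-all rules against any DN returns `usera`, which is the symptom in the first post; the per-user rules return `jfrey` for the literal entry, `rita` for a constructed `CN=rita@example.org`, and `ssl@unmapped` for anything else.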