|
We donât recommend that people set up their own CA and issue user certificates just for authentication with HTCondor. We donât have any recent documentation on how to setup and maintain such a system.
For groups that donât have an existing authentication infrastructure for users (e.g. X.509, kerberos), we recommend IDTokens. This a a light-weight authentication method based on JWTs (JSON Web Tokens) thatâs specific to HTCondor.
- Jaime
On Aug 16, 2024, at 9:43âAM, Rita <rmorgan466@xxxxxxxxx> wrote:
Yea, the permissions look good.
The permissions you want on the file are 600.
Sadly, it looks like HTCondor isnât extracting a detailed error message from the openssl library, so we donât know why itâs unhappy about reading the file. We should fix that.
Can you try setting AUTH_SSL_CLIENT_CERTFILE and AUTH_SSL_CLIENT_KEYFILE to the two separate files (and not setting environment variable X509_USER_PROXY) and see if that works?
- Jaime
Not sure why this is happening. Here is how I verify SSL
openssl verify -CAfile $(condor_config_val AUTH_SSL_CLIENT_CAFILE) mypem
OK
I created the combines pem.
cat user.crt user.key > mypem
export X509_USER_PROXY=$(pwd)/mypem
When I submit I get an error saying
...
SSL AUTH: Error loading certificate from file
SSL AUTH: Error initializing client security context
I tried 2 different perms, 777 and 600. Still the same error.
You combine one matching key/cert pair into a file for a given user:
cat user1cert.pem user1key.pem >user1creds.pem
Or you can keep the files separate and use the AUTH_SSL_CLIENT_KEYFILE and AUTH_SSL_CLIENT_CERTFILE parameters.
In either case, the files need to be owned and readable only by the user.
- Jaime
How exactly do I combine the certs and private keys? cat key0 key1 >> keys and cat cert0 cert1 >> certs?
Is this mentioned anywhere in the manual or condor presentations?
You can use these parameters instead of the AUTH_SSL_USE_CLIENT_PROXY_ENV_VAR and X509_USER_PROXY variables I describe in my other email.
- Jaime
Jaime,
Thanks for the response.
I don't want to use FS authentication because I plan to submit jobs to a remote scheduler. I have been SSL thru the tutorial numerous times and I got the hang of SSL authentication so I want to stick to it. I am at the point where I can create a separate SSL
certificate for a user. I already have a few. But, I am not sure how a user can say, "use this certificate"...
Letâs back up a step.
I assumed you already had separate SSL certificates for each of your users, which you wanted them to use to authenticate to HTCondor when submitting jobs. It sounds like that is not the situation, in which case I would recommend a different authentication
method. If the users are logged into the machine running the condor_schedd, then the FS authentication method is ideal. It doesnât require any additional configuration.
If the users will be submitting jobs from a remote machine, then I recommend the IDTOKENS authentication method. You would create an IDToken for each user and place it in their home directory (under ~/.condor/tokens.d/). No configuration changes are required.
- Jaime
I can create multiple user certificates from a CSR. Such as this
openssl ca -config openssl.cnf -out zmiller.crt -infiles zmiller.req
I can inspect zmiller.crt. But how exactly do I use zmiller.crt (its signed also)?
In your example, you have only one user (jfrey). Do you have an example with multiple users?
The mapfile is how you tell HTCondor what user each SSL certificate should be mapped to. It can't define a $REMOTE_USER variable, as it doesnât have any information to determine a value.
You will probably have to add an entry in the mapfile for each userâs SSL certificate, providing the os account that certificate should be mapped to. Hereâs an example:
SSL "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=jafrey/CN=647245/CN=James Freyâ jfrey
If your usersâ SSL DNs contain the os account name (e.g. if the DN include the userâs email address for your organization), you can use regular _expression_ rules to extract that and derive the os account name.
- Jaime
> On Aug 9, 2024, at 8:15âAM, Rita <rmorgan466@xxxxxxxxx> wrote:
>
> I have a mapfile which is using SSL. I have 30 odd users. At the moment, I have
> SSL (.*) usera
>
> All jobs are going in as usera which isn't correct. Is it possible to pass
> SSL (*.) $REMOTE_USER
>
> or something like that?
--
--- Get your facts first, then you can distort them as you please.--
--
--- Get your facts first, then you can distort them as you please.--
--
--- Get your facts first, then you can distort them as you please.--
--
--- Get your facts first, then you can distort them as you please.--
--
--- Get your facts first, then you can distort them as you please.--
--
--- Get your facts first, then you can distort them as you please.--
|
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif){kind=logo}