
Re: [HTCondor-users] mapfile, passing variables



Ok, thanks for the info.

On Mon, Aug 19, 2024 at 12:23 PM Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
We don't recommend that people set up their own CA and issue user certificates just for authentication with HTCondor. We don't have any recent documentation on how to set up and maintain such a system.

For groups that don't have an existing authentication infrastructure for users (e.g. X.509, Kerberos), we recommend IDTokens. This is a light-weight authentication method based on JWTs (JSON Web Tokens) that's specific to HTCondor.

- Jaime

On Aug 16, 2024, at 9:43 AM, Rita <rmorgan466@xxxxxxxxx> wrote:

Yea, the permissions look good.

Besides https://htcondor.readthedocs.io/en/latest/admin-manual/security.html#ssl-authentication, there isn't any formal documentation on how to create keys. Besides Zach's doc (https://pages.cs.wisc.edu/~zmiller/ca-howto/), can you recommend alternatives?





On Wed, Aug 14, 2024 at 2:48 PM Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
The permissions you want on the file are 600.

Sadly, it looks like HTCondor isn't extracting a detailed error message from the openssl library, so we don't know why it's unhappy about reading the file. We should fix that.

Can you try setting AUTH_SSL_CLIENT_CERTFILE and AUTH_SSL_CLIENT_KEYFILE to the two separate files (and not setting environment variable X509_USER_PROXY) and see if that works?

- Jaime

On Aug 10, 2024, at 10:45 AM, Rita <rmorgan466@xxxxxxxxx> wrote:

Not sure why this is happening. Here is how I verify SSL

openssl verify -CAfile $(condor_config_val AUTH_SSL_CLIENT_CAFILE) mypem
OK







On Fri, Aug 9, 2024 at 5:42 PM Rita <rmorgan466@xxxxxxxxx> wrote:
I created the combined pem.

cat user.crt user.key > mypem
export X509_USER_PROXY=$(pwd)/mypem
When I submit I get an error saying
...
SSL AUTH: Error loading certificate from file
SSL AUTH: Error initializing client security context

I tried 2 different perms, 777 and 600. Still the same error.



On Fri, Aug 9, 2024 at 5:03 PM Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
You combine one matching key/cert pair into a file for a given user:
 cat user1cert.pem user1key.pem >user1creds.pem

Or you can keep the files separate and use the AUTH_SSL_CLIENT_KEYFILE and AUTH_SSL_CLIENT_CERTFILE parameters.

In either case, the files need to be owned and readable only by the user.

- Jaime

On Aug 9, 2024, at 3:50 PM, Rita <rmorgan466@xxxxxxxxx> wrote:

How exactly do I combine the certs and private keys? cat key0 key1 >> keys and cat cert0 cert1 >> certs?
Is this mentioned anywhere in the manual or condor presentations?

On Fri, Aug 9, 2024 at 4:45 PM Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
You can use these parameters instead of the AUTH_SSL_USE_CLIENT_PROXY_ENV_VAR and X509_USER_PROXY variables I describe in my other email.

- Jaime

On Aug 9, 2024, at 2:16 PM, Rita <rmorgan466@xxxxxxxxx> wrote:

I am pretty sure I need these, https://htcondor.readthedocs.io/en/latest/admin-manual/configuration-macros.html#AUTH_SSL_CLIENT_KEYFILE and https://htcondor.readthedocs.io/en/latest/admin-manual/configuration-macros.html#AUTH_SSL_CLIENT_CERTFILE

But these are system level knobs. There must be some environment variable I can tune to allow it to use user's cert and key.

On Fri, Aug 9, 2024 at 3:13 PM Rita <rmorgan466@xxxxxxxxx> wrote:
Jaime,
Thanks for the response.
I don't want to use FS authentication because I plan to submit jobs to a remote scheduler. I have been through the SSL tutorial numerous times and I got the hang of SSL authentication so I want to stick to it. I am at the point where I can create a separate SSL certificate for a user. I already have a few. But, I am not sure how a user can say, "use this certificate"...






On Fri, Aug 9, 2024 at 3:05 PM Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
Let's back up a step.
I assumed you already had separate SSL certificates for each of your users, which you wanted them to use to authenticate to HTCondor when submitting jobs. It sounds like that is not the situation, in which case I would recommend a different authentication method. If the users are logged into the machine running the condor_schedd, then the FS authentication method is ideal. It doesn't require any additional configuration.
If the users will be submitting jobs from a remote machine, then I recommend the IDTOKENS authentication method. You would create an IDToken for each user and place it in their home directory (under ~/.condor/tokens.d/). No configuration changes are required.

- Jaime

On Aug 9, 2024, at 1:04 PM, Rita <rmorgan466@xxxxxxxxx> wrote:

I can create multiple user certificates from a CSR. Such as this

openssl ca -config openssl.cnf -out zmiller.crt -infiles zmiller.req

I can inspect zmiller.crt. But how exactly do I use zmiller.crt (it's signed also)?

On Fri, Aug 9, 2024 at 1:56 PM Rita <rmorgan466@xxxxxxxxx> wrote:
I am not following how a user can use their certificate. There is only 1 certificate for the pool. According to the tutorial (https://research.cs.wisc.edu/htcondor/CondorWeek2011/presentations/zmiller-ssl-tutorial.pdf), there is only 1 certificate.

On Fri, Aug 9, 2024 at 1:53 PM Rita <rmorgan466@xxxxxxxxx> wrote:
In your example, you have only one user (jfrey). Do you have an example with multiple users?

On Fri, Aug 9, 2024 at 10:58 AM Jaime Frey via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
The mapfile is how you tell HTCondor what user each SSL certificate should be mapped to. It can't define a $REMOTE_USER variable, as it doesn't have any information to determine a value.

You will probably have to add an entry in the mapfile for each user's SSL certificate, providing the os account that certificate should be mapped to. Here's an example:

SSL "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=jafrey/CN=647245/CN=James Frey" jfrey

If your users' SSL DNs contain the os account name (e.g. if the DN includes the user's email address for your organization), you can use regular expression rules to extract that and derive the os account name.

- Jaime

> On Aug 9, 2024, at 8:15 AM, Rita <rmorgan466@xxxxxxxxx> wrote:
>
> I have a mapfile which is using SSL. I have 30 odd users. At the moment, I have
> SSL (.*) usera
>
> All jobs are going in as usera which isn't correct. Is it possible to pass
> SSL (*.) $REMOTE_USER
>
> or something like that?





--
--- Get your facts first, then you can distort them as you please.--
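Jaime's advice above (one mapfile entry per certificate, or a regular-expression rule that derives the OS account from the DN) and Rita's original `SSL (.*) usera` rule can be tried out offline with the small simulator below. This is an added example, not HTCondor's own MapFile implementation; it assumes the documented three-field line format (auth method, regex, canonical user), first-match-wins evaluation in file order, a regex that must match the whole principal, and `\1`-style back-references in the canonical-user field. The mapfiles, DNs and account names are constructed for the demo.

```python
"""Simulate HTCondor-style certificate mapfile rules against SSL DNs.

Added illustration, not HTCondor's own MapFile code. Assumed semantics:
three fields per line (method, regex, canonical user), rules tried in file
order with the first match winning, the regex must match the whole
principal, and \\1 / \\2 in the third field refer to regex groups.
"""
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    method: str
    pattern: "re.Pattern[str]"
    target: str


# method, then either a double-quoted regex (may contain spaces, as in the
# thread's CERN example) or a bare token, then the canonical user.
# Assumption: no escaped double quotes inside a quoted regex.
_LINE_RE = re.compile(r'^(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)$')


def load_rules(text: str) -> List[Rule]:
    """Parse mapfile text; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"malformed mapfile line: {raw!r}")
        pattern = m.group(2) if m.group(2) is not None else m.group(3)
        rules.append(Rule(m.group(1).upper(), re.compile(pattern), m.group(4)))
    return rules


def map_principal(rules: List[Rule], method: str, principal: str) -> Optional[str]:
    """Return the OS account for an authenticated principal, or None if no rule matches."""
    for rule in rules:
        if rule.method != method.upper():
            continue
        m = rule.pattern.fullmatch(principal)
        if m:
            return m.expand(rule.target)  # expands \1, \2 ... from the regex groups
    return None


def shadowing_catchalls(rules: List[Rule]) -> List[int]:
    """Indexes of catch-all rules that are not the last rule for their method.

    A catch-all such as `SSL (.*) usera` placed above more specific rules wins
    for every certificate, which is exactly the 'everyone becomes usera' symptom.
    """
    catchalls = {".*", "(.*)", "^.*$", "^(.*)$"}
    last_for_method = {}
    for i, rule in enumerate(rules):
        last_for_method[rule.method] = i
    return [i for i, rule in enumerate(rules)
            if rule.pattern.pattern in catchalls and last_for_method[rule.method] != i]


# Constructed mapfiles and DNs for the demo (not real certificates or accounts).
BROAD_MAPFILE = r"""
SSL (.*) usera
"""

PER_USER_MAPFILE = r"""
# One explicit entry per user certificate.
SSL "/DC=org/DC=example/OU=Users/CN=James Frey/CN=100001" jfrey
SSL "/DC=org/DC=example/OU=Users/CN=Rita Morgan/CN=100002" rmorgan
# Derive the account from an email-style component, if the DN carries one.
SSL "/DC=org/DC=example/OU=Users/CN=[^/]+/emailAddress=([a-z0-9]+)@example\.org" \1
# Fall through to an obviously wrong name rather than a real account.
SSL (.*) unmapped
"""

DNS = [
    "/DC=org/DC=example/OU=Users/CN=James Frey/CN=100001",
    "/DC=org/DC=example/OU=Users/CN=Rita Morgan/CN=100002",
    "/DC=org/DC=example/OU=Users/CN=Pat Lee/emailAddress=plee@example.org",
    "/DC=org/DC=example/OU=Users/CN=Nobody",
]


def demo(mapfile: str) -> dict:
    """Map every sample DN with the given mapfile; returns {dn: account}."""
    rules = load_rules(mapfile)
    return {dn: map_principal(rules, "SSL", dn) for dn in DNS}


if __name__ == "__main__":
    for name, text in (("broad", BROAD_MAPFILE), ("per-user", PER_USER_MAPFILE)):
        print(f"== {name} mapfile (shadowing catch-alls: {shadowing_catchalls(load_rules(text))}) ==")
        for dn, account in demo(text).items():
            print(f"{account!s:10} <- {dn}")
```

Running it shows the broad mapfile sending all four DNs to `usera`, while the per-user mapfile yields `jfrey`, `rmorgan`, `plee` (extracted by the `\1` back-reference) and `unmapped` for the unknown DN. Keep the catch-all last and point it at a name that does not exist as an OS account, so an unexpected certificate fails visibly instead of silently running as a real user.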