Not fully verified yet.

{file: central-manager.config}
use security : strong

ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*

# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS

CONDOR_HOST = <this machine's external IP address>

use role : CentralManager

# Enable IDTOKENS' promiscuous mode.
COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
{endfile}

{file: submit.config}
use security : strong

ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*

# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS

CONDOR_HOST = <central manager's external IP address>

use role : submit

# Allow any local user to submit jobs.
ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)

# Enable IDTOKENS' promiscuous mode.  (Do ANONYMOUS last to keep `condor_q` working.)
SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
{endfile}

{file: execute.config}
use security : strong

ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*

# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS

CONDOR_HOST = <central manager's external IP address>

use role : execute

# Enable IDTOKENS' promiscuous mode.  (Do ANONYMOUS last to keep `condor_q` working.)
SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
{endfile}