Once this upgrade process is complete, sites and VOs can work on transitioning to token authentication. -1. Both client and CE should upgrade to HTCondor 9.0.19. This new release +1. Both client and CE should upgrade to HTCondor 9.0.20. This new release adds a couple minor features to enable use of a proxy with plain SSL authentication. -HTCondor 9.0.19 is a special release intended specifically to help CEs upgrade +HTCondor 9.0.20 is a special release intended specifically to help CEs upgrade to HTCondor 10 with SSL authentication using proxies. It is hosted in a private repository. @@ -48,12 +48,13 @@ that's used to submit the grid universe job to the local schedd. 3. The CE must be configured to accept proxy certificates and use grid -credentials for SSL authentication. The following parameter should be set +credentials for SSL authentication. The following parameters should be set in the HTCondor-CE configuration files: AUTH_SSL_ALLOW_CLIENT_PROXY = True + AUTH_SSL_REQUIRE_CLIENT_MAPPING = True -You can put this parameter in the new file +You can put these parameters in the new file /etc/condor-ce/config.d/90-ssl-auth In addition, ensure the following parameters are uncommented in @@ -107,12 +108,6 @@ SCHEDD.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL,GSI SCHEDD.AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE = True -Note that when using GSI as a fallback, a client should not be configured -to use proxies with SSL authentication until the HTCondor-CE's mapfile has -been updated to map the client's DNs. Otherwise, the SSL authentication -will succeed with a mapped identity of 'unmapped@ssl', which will not be -authorized. - 6. Once all of the peers of a given client or CE are authenticating successfully via SSL, you can upgrade to HTCondor-CE 6 and HTCondor 10.X. In order to use EGI Check-In tokens, the CE needs to be running HTCondor 10.4.0 or later.
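Review bot: In the first hunk, the bump from 9.0.19 to 9.0.20 in step 1 does not tell sites that already installed 9.0.19 from the earlier version of this text whether they have to upgrade again. If 9.0.19 is not sufficient for the configuration in step 3, say so in a sentence after "This new release adds a couple minor features". Since the release is "hosted in a private repository", a pointer to how sites obtain access would also help.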
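Review bot: In the hunk at -48,12 +48,13, step 3 adds AUTH_SSL_REQUIRE_CLIENT_MAPPING = True with no explanation of what the parameter does or what an administrator will see when a client DN is missing from the mapfile. Suggest one sentence after the two parameters describing the effect, because the only description of the unmapped case (the 'unmapped@ssl' note) is deleted later in this patch. It would also help to state whether 90-ssl-auth is the only place the setting is needed, given that the later context lines use SCHEDD.-prefixed parameters.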
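Review bot: In the hunk at -107,12 +108,6, the deleted paragraph was the only warning that SSL authentication can succeed as 'unmapped@ssl' and then fail authorization when GSI is the fallback, and removing it assumes every CE a client contacts already has the new step 3 setting. If a CE that has not applied AUTH_SSL_REQUIRE_CLIENT_MAPPING = True still behaves as the deleted note describes, keep a shortened version that tells clients to confirm the CE's mapfile maps their DNs before enabling proxies with SSL. Otherwise, add a sentence stating that the new parameter is what makes the warning unnecessary.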