Page History
- 2024-May-24 15:24 tannenba
How to Use Proxy Certificates With SSL Authentication
These are instructions for upgrading from HTCondor-CE 5 (HTCondor 9.0) to HTCondor-CE 6 (HTCondor 10.X) while using X.509 proxies for authentication. In HTCondor 9.0, GSI authentication is used when the client has an X.509 proxy. This is not supported in HTCondor 10.0. Instead, plain SSL authentication can be used to authenticate a client's proxy. Once this upgrade process is complete, sites and VOs can work on transitioning to token authentication.
1. Both the client and the CE should upgrade to HTCondor 9.0.18. This release adds a couple of minor features that enable use of a proxy with plain SSL authentication. HTCondor 9.0.18 is available in these repositories: <repo/install details>
2. The CE client (e.g. the factory) should be configured to use a user proxy and grid CAs with SSL authentication. The following parameters should be set in the HTCondor configuration files.
AUTH_SSL_USE_CLIENT_PROXY_ENV_VAR = True
AUTH_SSL_CLIENT_CADIR = /etc/grid-security/certificates
If the client has the htcondor-ce-client package installed, then you can put these parameters in the new file /etc/condor-ce/config.d/90-ssl-auth
If the client is submitting directly to the CE via condor_submit or the Python bindings, then X509_USER_PROXY must be set in the environment. If the client is using the grid universe and a local schedd to submit jobs to the CE, then "x509userproxy" must be set in the HTCondor submit file that is used to submit the grid universe job to the local schedd.
3. The CE must be configured to accept proxy certificates and use grid credentials for SSL authentication. The following parameter should be set in the HTCondor-CE configuration files:
AUTH_SSL_ALLOW_CLIENT_PROXY = True
You can put this parameter in the new file /etc/condor-ce/config.d/90-ssl-auth
In addition, ensure the following parameters are uncommented in /etc/condor-ce/config.d/01-ce-auth.conf:
AUTH_SSL_SERVER_CERTFILE = /etc/grid-security/hostcert.pem
AUTH_SSL_SERVER_KEYFILE = /etc/grid-security/hostkey.pem
AUTH_SSL_SERVER_CADIR = /etc/grid-security/certificates
AUTH_SSL_CLIENT_CERTFILE = /etc/grid-security/hostcert.pem
AUTH_SSL_CLIENT_KEYFILE = /etc/grid-security/hostkey.pem
AUTH_SSL_CLIENT_CADIR = /etc/grid-security/certificates
4. The client's certificate subject must be added to HTCondor-CE's mapfiles by creating one or more files under /etc/condor-ce/mapfiles.d/. The format is similar to the traditional grid-mapfile, but with some notable differences. The main difference is an additional field at the start of each line indicating the authentication method (SSL in this case).
Mapping a single certificate looks like this:
SSL "/O=condor/OU=CHTC Pool/CN=James Frey" jfrey
You can also use a regular expression to map a set of certificates. To do this, put forward slashes around the subject instead of double quotes and escape any slashes or spaces in the subject field with backslashes. Here's an example:
SSL /\/O=condor\/OU=CHTC\ Pool\/CN=.*/ jfrey
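To check a mapfile before deploying it, the following added example (not HTCondor-CE's own code) parses both entry styles shown above and reports which local user a given certificate subject would map to. It assumes that the first matching entry wins and that a regular-expression entry must match the whole subject; the mapfile contents and the user name chtcuser are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample mapfile: the two entry styles shown above for
# /etc/condor-ce/mapfiles.d/, plus a comment line and a blank line.
SAMPLE_MAPFILE = r'''
# one exact certificate, then every certificate in the CHTC Pool OU
SSL "/O=condor/OU=CHTC Pool/CN=James Frey" jfrey
SSL /\/O=condor\/OU=CHTC\ Pool\/CN=.*/ chtcuser
'''

# METHOD, then either a double-quoted literal or a slash-delimited regex
# (backslash escapes allowed inside both), then the local user name.
_ENTRY = re.compile(r'^(\S+)\s+("(?:[^"\\]|\\.)*"|/(?:[^/\\]|\\.)*/)\s+(\S+)$')

Entry = Tuple[str, str, bool, str]  # (method, pattern, is_regex, user)

def parse_mapfile(text: str) -> List[Entry]:
    """Parse mapfile text; blank lines and '#' comments are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected "METHOD pattern user", got {raw!r}')
        method, field, user = m.groups()
        if field.startswith('"'):
            entries.append((method.upper(), field[1:-1], False, user))
        else:
            # Drop the slash delimiters; escaped '/' and ' ' become literal
            # characters in the regular expression.
            regex = field[1:-1].replace(r'\/', '/').replace('\\ ', ' ')
            entries.append((method.upper(), regex, True, user))
    return entries

def map_subject(entries: List[Entry], subject: str, method: str = 'SSL') -> Optional[str]:
    """Return the user for the first entry of the given method matching the subject.
    Assumption: a regex entry must match the whole subject (re.fullmatch)."""
    for m, pattern, is_regex, user in entries:
        if m != method:
            continue
        if is_regex and re.fullmatch(pattern, subject):
            return user
        if not is_regex and pattern == subject:
            return user
    return None
```

A subject that maps to None would be rejected by the CE, so run every subject you expect to authenticate through map_subject before enabling SSL in production.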
5. To test SSL authentication, you can disable GSI authentication for either the client or the CE.
In the client configuration, set the following configuration parameter to disable GSI:
SEC_CLIENT_AUTHENTICATION_METHODS = FS, TOKEN, SCITOKENS, SSL
In the CE configuration, set the following configuration parameters to disable GSI:
SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
SCHEDD.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
If you want to keep GSI authentication as a fallback during testing, you can configure the CE to try SSL before GSI by setting the following parameters:
SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL,GSI
SCHEDD.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL,GSI
6. Once all of the peers of a given client or CE are authenticating successfully via SSL, you can upgrade to HTCondor-CE 6 and HTCondor 10.0.
