Page History

Turn Off History

How to enable SSL authentication

This is assuming that you already have certificates. If you are using puppet, they may already exist in the /var/lib/puppet/ssl/ directory.

If you need to generate your own certificates, there is a basic tutorial available.

You need to specify a certificate for the daemons to use when acting as a client and also as a server. Often, these are the same certificate. You also need to specify the root of trust, where the CA certificate(s) live. The below example is again assuming the puppet default.

Add the following to your condor_config.local file: 

# Require SSL for daemon-to-daemon communications
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = SSL

# If you have a mapfile, set this to the HTCondor canonical name instead
ALLOW_DAEMON = ssl@unmapped

# SSL cert and key locations
SSL_DIR = /var/lib/puppet/ssl
AUTH_SSL_CLIENT_CAFILE = $(SSL_DIR)/certs/ca.pem
AUTH_SSL_CLIENT_CERTFILE = $(SSL_DIR)/certs/$(FULL_HOSTNAME).pem
AUTH_SSL_CLIENT_KEYFILE = $(SSL_DIR)/private_keys/$(FULL_HOSTNAME).pem
AUTH_SSL_SERVER_CAFILE = $(SSL_DIR)/certs/ca.pem
AUTH_SSL_SERVER_CERTFILE = $(SSL_DIR)/certs/$(FULL_HOSTNAME).pem
AUTH_SSL_SERVER_KEYFILE = $(SSL_DIR)/private_keys/$(FULL_HOSTNAME).pem

# For Windows:
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, SSL

# For Linux:
SEC_CLIENT_AUTHENTICATION_METHODS = FS, SSL

Finally, reconfigure your pool to have the new settings take effect: 

condor_reconfig -all