How to Use Proxy Certificates With SSL Authentication

These are instructions for upgrading from HTCondor-CE 5 (HTCondor 9.0) to HTCondor-CE 6 (HTCondor 10.X) and beyond while using X.509 proxies for authentication. In HTCondor 9.0, GSI authentication is used when the client has an X.509 proxy. This is not supported in HTCondor 10.0 and beyond. Instead, plain SSL authentication can be used to authenticate a client's (e.g. a pilot factory) proxy. Once this upgrade process is complete, sites and VOs can work on transitioning to token authentication.

1. Both client and CE should upgrade to HTCondor 9.0.20. This new release adds a couple features to enable use of a proxy with plain SSL authentication. HTCondor 9.0.20 is a special release intended specifically to help CEs upgrade to HTCondor 10 with SSL authentication using proxies. It is hosted in a private repository.

To install on EL7-based distros:

  yum install -y https://research.cs.wisc.edu/htcondor/repo-private/9.0/htcondor-private-release-current.el7.noarch.rpm
  yum install condor

To install on EL8-based distros:

  yum install -y https://research.cs.wisc.edu/htcondor/repo-private/9.0/htcondor-private-release-current.el8.noarch.rpm
  dnf config-manager --set-enabled powertools
  yum install condor

On systems that already have an older version of HTCondor 9.0 installed, do 'update' instead of 'install'.

There are no new HTCondor-CE packages. Those can be installed from the existing repositories.

2. The CE client (e.g. the factory) should be configured to use a user proxy and grid CAs with SSL authentication. The following parameters should be set in the HTCondor configuration files.

  AUTH_SSL_USE_CLIENT_PROXY_ENV_VAR = True
  AUTH_SSL_CLIENT_CADIR = /etc/grid-security/certificates

If the client has the htcondor-ce-client package installed, then you can put these parameters in the new file /etc/condor-ce/config.d/90-ssl-auth.

If the client is submitting directly to the CE via condor_submit or the python bindings, then X509_USER_PROXY must be set in the environment. If the client is using the grid universe and a local schedd to submit jobs to the CE, then "x509userproxy" must be set in the HTCondor submit file that's used to submit the grid universe job to the local schedd.

3. The CE must be configured to accept proxy certificates and use grid credentials for SSL authentication. The following parameters should be set in the HTCondor-CE configuration files:

  AUTH_SSL_ALLOW_CLIENT_PROXY = True
  AUTH_SSL_REQUIRE_CLIENT_MAPPING = True
  COLLECTOR.ALLOW_ADVERTISE_STARTD = $(UNMAPPED_USERS), $(USERS), ssl@unmapped

You can put these parameters in the new file /etc/condor-ce/config.d/90-ssl-auth.

In addition, ensure the following parameters are uncommented in /etc/condor-ce/config.d/01-ce-auth.conf:

  AUTH_SSL_SERVER_CERTFILE = /etc/grid-security/hostcert.pem
  AUTH_SSL_SERVER_KEYFILE = /etc/grid-security/hostkey.pem
  AUTH_SSL_SERVER_CADIR = /etc/grid-security/certificates
  AUTH_SSL_CLIENT_CERTFILE = /etc/grid-security/hostcert.pem
  AUTH_SSL_CLIENT_KEYFILE = /etc/grid-security/hostkey.pem
  AUTH_SSL_CLIENT_CADIR = /etc/grid-security/certificates

Finally, remove (or comment out) the following line in /usr/share/condor-ce/mapfiles.d/50-common-default.conf:

  SSL /\/CN=([.A-Za-z0-9\/=[:space:]-]+)/ \1@unmapped.htcondor.org

4. The client's certificate subject must be added to HTCondor-CE's mapfiles by creating one or more files under /etc/condor-ce/mapfiles.d/. The format is similar to the traditional gridmapfile, but with some notable differences. The main difference is an additional field at the start of each line indicating the authentication method (SSL in this case).

Mapping a single certificate looks like this:

  SSL    "/O=condor/OU=CHTC Pool/CN=James Frey"    jfrey

You can also use a regular expression to map a set of certificates. To do this, put forward slashes around the subject instead of double quotes and escape any slashes or spaces in the subject field with backslashes. Here's an example:

  SSL    /\/O=condor\/OU=CHTC\ Pool\/CN=.*/    jfrey

5. To test SSL authentication, you can disable GSI authentication for either the client or the CE.

In the client configuration, set the following configuration parameter to disable GSI:

  SEC_CLIENT_AUTHENTICATION_METHODS = FS, TOKEN, SCITOKENS, SSL

In the CE configuration, set the following configuration parameters to disable GSI:

  SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
  SCHEDD.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL

If you want to keep GSI authentication as a fallback during testing, you can configure the CE to try SSL before GSI by setting the following parameters:

  SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL,GSI
  SCHEDD.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL,GSI
  SCHEDD.AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE = True

6. Once all of the peers of a given client or CE are authenticating successfully via SSL, you can upgrade to HTCondor-CE 6 and HTCondor 10.X or higher. In order to use EGI Check-In tokens, the CE needs to be running HTCondor 10.4.0 or later.

VOMS Attributes

In HTCondor 23.5.2 and later, the CE can use VOMS attributes from the client's X.509 proxy in the mapfiles. The attributes will be appended to the end of the certificate subject, separated with commas, when looking for matches in the mapfiles. To enable this optional behavior, set the following configuration parameter:

  USE_VOMS_ATTRIBUTES = True

This will also cause some job attributes to be set containing the VOMS attributes. If you want the VOMS attributes to be added to the job ad but not be used in the mapfiles, then set the following configuration parameter as well:

  AUTH_SSL_USE_VOMS_IDENTITY = False
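As an added example (not HTCondor-CE's own code), the following Python script parses mapfile rules in the format described in step 4 and applies them to a client's certificate subject, including the comma-separated VOMS attributes described in this section. It is a model of the mapfile semantics as this page states them, not the CE's actual implementation: it assumes rules are tried in file order with the first match winning, that slash-delimited regexes are matched unanchored (as the default /\/CN=.../ rule suggests), and that AUTH_SSL_USE_VOMS_IDENTITY = False means attributes are simply not appended before matching. The sample mapfile contents, the "chtc" and "example_pilot" users and the /example/Role=pilot VOMS attribute are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Sequence

# Constructed sample in the /etc/condor-ce/mapfiles.d format: METHOD  subject  user.
# The first two rules are this page's own examples; the third is a constructed rule
# keyed on a VOMS attribute, which only matters when USE_VOMS_ATTRIBUTES is on.
SAMPLE_MAPFILE = r'''
# literal subject: double-quoted, must match the whole subject exactly
SSL    "/O=condor/OU=CHTC Pool/CN=James Frey"    jfrey
# regex keyed on a VOMS attribute appended after a comma (constructed example)
SSL    /^.*,\/example\/Role=pilot.*$/    example_pilot
# regex subject: slash-delimited, slashes and spaces escaped with backslashes
SSL    /\/O=condor\/OU=CHTC\ Pool\/CN=.*/    chtc
'''


class Rule(NamedTuple):
    method: str                    # authentication method field, e.g. SSL
    literal: Optional[str]         # exact subject for "quoted" rules
    pattern: Optional[re.Pattern]  # compiled regex for /slash-delimited/ rules
    target: str                    # mapped HTCondor user


# METHOD, then a "quoted literal" or /regex/ (backslash escapes allowed in both), then target.
_RULE_RE = re.compile(r'^(\S+)\s+("(?:[^"\\]|\\.)*"|/(?:[^/\\]|\\.)*/)\s+(\S+)\s*$')


def parse_mapfile(text: str) -> List[Rule]:
    """Parse mapfile lines into rules, preserving file order (assumed: first match wins)."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a 'METHOD subject user' rule: {raw!r}")
        method, subject, target = m.groups()
        if subject.startswith('"'):
            # Quoted form: an exact subject; only \" and \\ are unescaped.
            literal = re.sub(r'\\(["\\])', r'\1', subject[1:-1])
            rules.append(Rule(method, literal, None, target))
        else:
            # Slash form: a regex. The escaped slashes and spaces are valid as-is in Python's re.
            rules.append(Rule(method, None, re.compile(subject[1:-1]), target))
    return rules


def map_identity(rules: Sequence[Rule], method: str, subject: str,
                 voms_attrs: Sequence[str] = (), use_voms_identity: bool = True) -> Optional[str]:
    """Return the mapped user for a subject, or None if no rule matches (i.e. unmapped).

    With use_voms_identity (modelling AUTH_SSL_USE_VOMS_IDENTITY = True), the VOMS
    attributes are appended to the subject, comma-separated, before matching.
    """
    identity = subject
    if use_voms_identity and voms_attrs:
        identity = ",".join([subject, *voms_attrs])
    for rule in rules:
        if rule.method != method:
            continue
        if rule.literal is not None:
            if rule.literal == identity:
                return rule.target
        elif rule.pattern is not None and rule.pattern.search(identity):
            return rule.target
    return None


if __name__ == "__main__":
    rules = parse_mapfile(SAMPLE_MAPFILE)
    alice = "/O=condor/OU=CHTC Pool/CN=Alice"
    jfrey = "/O=condor/OU=CHTC Pool/CN=James Frey"
    pilot = ["/example/Role=pilot/Capability=NULL"]  # constructed VOMS FQAN
    print("literal rule       :", map_identity(rules, "SSL", jfrey))
    print("regex rule         :", map_identity(rules, "SSL", alice))
    print("VOMS attrs used    :", map_identity(rules, "SSL", jfrey, pilot))
    print("VOMS attrs ignored :", map_identity(rules, "SSL", jfrey, pilot, use_voms_identity=False))
    print("no matching rule   :", map_identity(rules, "SSL", "/O=other/CN=Bob"))
```

Two things the run makes visible: a subject that matches no rule comes back as None, which is the "unmapped" case the removed default rule in 50-common-default.conf used to absorb; and once VOMS attributes are appended, an exact-match quoted rule for the bare subject no longer matches, so either the quoted rule must include the attributes or AUTH_SSL_USE_VOMS_IDENTITY = False is needed to keep it working.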