How to Use Proxy Certificates With SSL Authentication

These are instructions for upgrading from HTCondor-CE 5 (HTCondor 9.0) to HTCondor-CE 6 (HTCondor 10.X) while using X.509 proxies for authentication. In HTCondor 9.0, GSI authentication is used when the client has an X.509 proxy. This is not supported in HTCondor 10.0. Instead, plain SSL authentication can be used to authenticate a client' proxy. Once this upgrade process is complete, sites and VOs can work on transitioning to token authentication.

1. Both client and CE should upgrade to HTCondor 9.0.20. This new release adds a couple minor features to enable use of a proxy with plain SSL authentication. HTCondor 9.0.20 is a special release intended specifically to help CEs upgrade to HTCondor 10 with SSL authentication using proxies. It is hosted in a private repository.

To install on EL7-based distros:

  yum install -y
  yum install condor

To install on EL8-based distros:

  yum install -y
  dnf config-manager --set-enabled powertools
  yum install condor

On systems that already have an older version of HTCondor 9.0 installed, do 'update' instead of 'install'.

There are no new HTCondor-CE packages. Those can be installed from the existing repositories.

2. The CE client (e.g. the factory) should be configured to use a user proxy and grid CAs with SSL authentication. The following parameters should be set in the HTCondor configuration files.

  AUTH_SSL_CLIENT_CADIR = /etc/grid-security/certificates

If the client has the htcondor-ce-client package installed, then you can put these parameters in the new file /etc/condor-ce/config.d/90-ssl-auth

If the client is submitting directly to the CE via condor_submit or the python bindings, then X509_USER_PROXY must be set in the environment. If the client is using the grid universe and a local schedd to submit jobs to the CE, then "x509userproxy" must be set in the HTCondor submit file that's used to submit the grid universe job to the local schedd.

3. The CE must be configured to accept proxy certificates and use grid credentials for SSL authentication. The following parameters should be set in the HTCondor-CE configuration files:


You can put these parameters in the new file /etc/condor-ce/config.d/90-ssl-auth

In addition, ensure the following parameters are uncommented in /etc/condor-ce/config.d/01-ce-auth.conf:

  AUTH_SSL_SERVER_CERTFILE = /etc/grid-security/hostcert.pem
  AUTH_SSL_SERVER_KEYFILE = /etc/grid-security/hostkey.pem
  AUTH_SSL_SERVER_CADIR = /etc/grid-security/certificates
  AUTH_SSL_CLIENT_CERTFILE = /etc/grid-security/hostcert.pem
  AUTH_SSL_CLIENT_KEYFILE = /etc/grid-security/hostkey.pem
  AUTH_SSL_CLIENT_CADIR = /etc/grid-security/certificates

Finally, remove (or comment out) the following line in /usr/share/condor-ce/mapfiles.d/50-common-default.conf:

  SSL /\/CN=([.A-Za-z0-9\/=[:space:]-]+)/ \

4. The client's certificate subject must be added to HTCondor-CE's mapfiles by creating one or more files under /etc/condor-ce/mapfiles.d/. The format is similar to the traditional gridmapfile, but with some notable differences. The main difference is an additional field at the start of each line indicating the authentication method (SSL in this case).

Mapping a single certificate looks like this:

  SSL    "/O=condor/OU=CHTC Pool/CN=James Frey"    jfrey

You can also use a regular expression to map a set of certificates. To do this, put forward slashes around the subject instead of double quotes and escape any slashes or spaces in the subject field with backslashes. Here's an example:

  SSL    /\/O=condor\/OU=CHTC\ Pool\/CN=.*/    jfrey

5. To test SSL authentication, you can disable GSI authentication for either the client or the CE.

In the client configuration, set the following configuration parameter to disable GSI:


In the CE configuration, set the following configuration parameters to disable GSI:


If you want to keep GSI authentication as a fallback during testing, you can configure the CE to try SSL before GSI by setting the following parameters:


6. Once all of the peers of a given client or CE are authenticating successfully via SSL, you can upgrade to HTCondor-CE 6 and HTCondor 10.X. In order to use EGI Check-In tokens, the CE needs to be running HTCondor 10.4.0 or later.