Need 5 new config parameters added to the base db for Aviary SSL support. The paths shown are the standard directories for openssl on Fedora and RHEL.

    AVIARY_SSL = False
    AVIARY_SSL_SERVER_CERT = /etc/pki/tls/certs/server.crt
    AVIARY_SSL_SERVER_KEY = /etc/pki/tls/certs/server.key
    AVIARY_SSL_CA_DIR = /etc/pki/tls/certs
    AVIARY_SSL_CA_FILE = /etc/pki/tls/certs/ca-bundle.crt
AVIARY_SSL

    conflicts = none
    default_val = False
    depends = none
    description = "Enable HTTPS mutual authentication in Aviary"
    kind = boolean
    level = ?
    must_change = no
    needs_restart = yes
Changes to the db:

    Parameter "AVIARY_SSL":
      Name: AVIARY_SSL
      Type: Boolean
      Default: False
      Description: Enable HTTPS mutual authentication in Aviary
      MustChange: False
      VisibilityLevel: 0
      RequiresRestart: True
      Dependencies:
      Conflicts:

    Parameter "AVIARY_SSL_SERVER_CERT":
      Name: AVIARY_SSL_SERVER_CERT
      Type: String
      Default:
      Description: Path to Aviary SSL server certificate
      MustChange: True
      VisibilityLevel: 0
      RequiresRestart: True
      Dependencies:
      Conflicts:

    Parameter "AVIARY_SSL_SERVER_KEY":
      Name: AVIARY_SSL_SERVER_KEY
      Type: String
      Default:
      Description: Path to Aviary SSL server private key
      MustChange: True
      VisibilityLevel: 0
      RequiresRestart: True
      Dependencies:
      Conflicts:

    Parameter "AVIARY_SSL_CA_DIR":
      Name: AVIARY_SSL_CA_DIR
      Type: String
      Default:
      Description: Path to Aviary SSL CA directory
      MustChange: True
      VisibilityLevel: 0
      RequiresRestart: True
      Dependencies:
      Conflicts:

    Parameter "AVIARY_SSL_CA_FILE":
      Name: AVIARY_SSL_CA_FILE
      Type: String
      Default:
      Description: Path to Aviary SSL CA file
      MustChange: True
      VisibilityLevel: 0
      RequiresRestart: True
      Dependencies:
      Conflicts:

    Feature "SecureAviaryScheduler":
      Feature ID: 47
      Name: SecureAviaryScheduler
      Included Parameters:
        AVIARY_SSL_CA_FILE = (uses default)
        AVIARY_SSL_SERVER_CERT = (uses default)
        AVIARY_SSL_CA_DIR = /etc/pki/tls/certs
        AVIARY_SSL = True
        AVIARY_SSL_SERVER_KEY = (uses default)
      Included Features:
        0: AviaryScheduler
      Conflicts:
      Dependencies:
Updated:

    Feature "SecureAviaryScheduler":
      Feature ID: 47
      Name: SecureAviaryScheduler
      Included Parameters:
        AVIARY_SSL_CA_FILE = (uses default)
        AVIARY_SSL_SERVER_CERT = (uses default)
        AVIARY_SSL_CA_DIR = (uses default)
        AVIARY_SSL = True
        AVIARY_SSL_SERVER_KEY = (uses default)
      Included Features:
        0: AviaryScheduler
      Conflicts:
      Dependencies:
Pushed upstream on branch: BZ733481-Aviary-SSL
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

    C: Configuration of secure communications for aviary and query server using remote configuration
    C: Parameters and features would need to be added to be database by the user.
    F: Created SSLEnabledAviaryScheduler and SSLEnabledQueryServer in the base-db
    R: Configuration of secure communications for aviary and query server through remote configuration is easily accomplished.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,4 +1,4 @@ C: Configuration of secure communications for aviary and query server using remote configuration C: Parameters and features would need to be added to be database by the user. -F: Created SSLEnabledAviaryScheduler and SSLEnabledQueryServer in the base-db +C: Created SSLEnabledAviaryScheduler and SSLEnabledQueryServer in the base-db R: Configuration of secure communications for aviary and query server through remote configuration is easily accomplished.
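Review bot: the changed third line relabels "Created SSLEnabledAviaryScheduler and SSLEnabledQueryServer in the base-db" from F: to C:, so the note now has three C: entries and no F: entry, and the line that describes what was created carries the same label as the two lines that describe the problem. Keep the F: label on that line, or reword it so that it fits a C: entry. The unchanged second line also reads "added to be database", where "added to the database" looks intended.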
Verified on RHEL 5.7 i386 on condor-wallaby-base-db-1.16-2:

SSLEnabledAviaryScheduler and SSLEnabledQueryServer with config parameters AVIARY_SSL, AVIARY_SSL_SERVER_CERT, AVIARY_SSL_SERVER_KEY, AVIARY_SSL_CA_DIR and AVIARY_SSL_CA_FILE were added to base-db.

    # condor_configure_store -l -f SSLEnabledAviaryScheduler,SSLEnabledQueryServer
    Feature "SSLEnabledAviaryScheduler":
      Feature ID: 34
      Name: SSLEnabledAviaryScheduler
      Included Parameters:
        SCHEDD.AVIARY_SSL = True
        SCHEDD.AVIARY_SSL_SERVER_CERT =
        SCHEDD.AVIARY_SSL_CA_DIR =
        SCHEDD.AVIARY_SSL_CA_FILE =
        SCHEDD.AVIARY_SSL_SERVER_KEY =
      Included Features:
        0: AviaryScheduler
      Conflicts:
      Dependencies:
    Feature "SSLEnabledQueryServer":
      Feature ID: 2
      Name: SSLEnabledQueryServer
      Included Parameters:
        QUERY_SERVER.AVIARY_SSL = True
        QUERY_SERVER.AVIARY_SSL_CA_FILE =
        QUERY_SERVER.AVIARY_SSL_CA_DIR =
        QUERY_SERVER.AVIARY_SSL_SERVER_KEY =
        QUERY_SERVER.AVIARY_SSL_SERVER_CERT =
      Included Features:
        0: QueryServer
      Conflicts:
      Dependencies:

    # condor_configure_pool -n $(hostname) -a -f SSLEnabledAviaryScheduler
    Apply these changes [Y/n] ? y
    The following parameters need to be set for this configuration to be valid.
    SCHEDD.AVIARY_SSL_CA_DIR
    SCHEDD.AVIARY_SSL_CA_FILE
    SCHEDD.AVIARY_SSL_SERVER_CERT
    SCHEDD.AVIARY_SSL_SERVER_KEY
    Set these parameters now ? [y/N] y
    SCHEDD.AVIARY_SSL_CA_DIR: /etc/pki/tls/certs
    SCHEDD.AVIARY_SSL_CA_FILE: /etc/pki/tls/certs/ca-bundle.crt
    SCHEDD.AVIARY_SSL_SERVER_CERT: /etc/pki/tls/certs/server.crt
    SCHEDD.AVIARY_SSL_SERVER_KEY: /etc/pki/tls/certs/server.key
    Configuration applied
    Create a named snapshot of this configuration [y/N] ?
    Activate the changes [y/N] ? y
    Activating configuration. This may take a while, please be patient
    The configuration is not valid
    Node: dhcp-37-137.lab.eng.brq.redhat.com
      Unsatisfied feature dependencies:
        BaseJobExecuter
        BaseScheduler
        Master
        NodeAccess
    Configuration not activated

    # condor_configure_pool -n $(hostname) -a -f BaseJobExecuter,BaseScheduler,Master,NodeAccess
    Apply these changes [Y/n] ? y
    The following parameters need to be set for this configuration to be valid.
    ALLOW_READ
    ALLOW_WRITE
    CONDOR_HOST
    Set these parameters now ? [y/N] y
    ALLOW_READ: *
    ALLOW_WRITE: *
    CONDOR_HOST: dhcp-37-137.lab.eng.brq.redhat.com
    Configuration applied
    Create a named snapshot of this configuration [y/N] ?
    Activate the changes [y/N] ? y
    Activating configuration. This may take a while, please be patient
    Configuration activated
    Configuration saved

    # condor_config_val SCHEDD.AVIARY_SSL
    True
    # condor_config_val SCHEDD.AVIARY_SSL_SERVER_CERT
    /etc/pki/tls/certs/server.crt
    # condor_config_val SCHEDD.AVIARY_SSL_CA_DIR
    /etc/pki/tls/certs
    # condor_config_val SCHEDD.AVIARY_SSL_CA_FILE
    /etc/pki/tls/certs/ca-bundle.crt
    # condor_config_val SCHEDD.AVIARY_SSL_SERVER_KEY
    /etc/pki/tls/certs/server.key

Output on RHEL 5.7 x86_64, RHEL 6.1 i386 and RHEL 6.1 x86_64 and with feature SSLEnabledQueryServer is similar.

>>> VERIFIED
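The verification above confirms only that the parameter values were stored. As an added example (not part of the bug report or of the Condor/Wallaby tooling), the shell function below checks that the four paths the tool asks for exist and that the private key is accessible only to its owner; the `NAME = value` input format and the names `check_aviary_ssl`, `finding` and `demo_conf` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the bug report): check the files named by the
# Aviary SSL parameters. Reads "NAME = value" lines on stdin, an assumed
# format such as one could assemble from condor_config_val output.
finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

check_aviary_ssl() {
    findings=0; ssl=; cert=; key=; cadir=; cafile=
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed 's/[[:space:]]*=.*$//')
        val=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        case "${name##*.}" in   # ignore a SCHEDD. or QUERY_SERVER. prefix
            AVIARY_SSL)             ssl=$val ;;
            AVIARY_SSL_SERVER_CERT) cert=$val ;;
            AVIARY_SSL_SERVER_KEY)  key=$val ;;
            AVIARY_SSL_CA_DIR)      cadir=$val ;;
            AVIARY_SSL_CA_FILE)     cafile=$val ;;
        esac
    done
    case "$ssl" in [Tt]rue) ;; *) echo "AVIARY_SSL is not True"; return 0 ;; esac
    if [ ! -f "$cert" ]; then finding "server certificate missing: '$cert'"; fi
    if [ ! -f "$cafile" ]; then finding "CA file missing: '$cafile'"; fi
    if [ ! -d "$cadir" ]; then finding "CA directory missing: '$cadir'"; fi
    if [ ! -f "$key" ]; then
        finding "server key missing: '$key'"
    else
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ld "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            finding "server key $key is accessible beyond its owner ($perms)"
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Constructed demo: temporary files stand in for the real paths.
demo_dir=$(mktemp -d)
: > "$demo_dir/server.crt"; : > "$demo_dir/ca-bundle.crt"
: > "$demo_dir/server.key"; chmod 644 "$demo_dir/server.key"
demo_conf() {
    printf 'SCHEDD.AVIARY_SSL = True\n'
    printf 'SCHEDD.AVIARY_SSL_SERVER_CERT = %s/server.crt\n' "$demo_dir"
    printf 'SCHEDD.AVIARY_SSL_SERVER_KEY = %s/server.key\n' "$demo_dir"
    printf 'SCHEDD.AVIARY_SSL_CA_DIR = %s\n' "$demo_dir"
    printf 'SCHEDD.AVIARY_SSL_CA_FILE = %s/ca-bundle.crt\n' "$demo_dir"
}
demo_conf | check_aviary_ssl || echo "demo: findings reported above"
rm -rf "$demo_dir"
```

The function returns 0 when AVIARY_SSL is not True or when every check passes, and 1 when any finding is reported, so it can gate the activation step in a script.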
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,4 +1 @@ -C: Configuration of secure communications for aviary and query server using remote configuration +Previously, configuration scheme of secure communications for the Aviary web service and the query server using remote configuration required users to add new parameters and features to the database manually. With this update, the SSLEnabledAviaryScheduler and SSLEnabledQueryServer components have been added in the base-db and configuration for secure communication in Aviary and query server through remote configuration is now easily accomplished.-C: Parameters and features would need to be added to be database by the user. -C: Created SSLEnabledAviaryScheduler and SSLEnabledQueryServer in the base-db -R: Configuration of secure communications for aviary and query server through remote configuration is easily accomplished.
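Review bot: the added paragraph calls SSLEnabledAviaryScheduler and SSLEnabledQueryServer "components" that "have been added in the base-db", although the same paragraph says users previously had to add "parameters and features"; suggest "features have been added to the base-db" so that one term is used throughout. The opening "Previously, configuration scheme of secure communications" is also missing an article and would read more plainly as "Previously, configuring secure communications".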
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1 @@ -Previously, configuration scheme of secure communications for the Aviary web service and the query server using remote configuration required users to add new parameters and features to the database manually. With this update, the SSLEnabledAviaryScheduler and SSLEnabledQueryServer components have been added in the base-db and configuration for secure communication in Aviary and query server through remote configuration is now easily accomplished.+Previously, configuration scheme of secure communications for the Aviary web service and the query server using remote configuration required users to add new parameters and features to the database manually. With this update, the SSLEnabledAviaryScheduler and SSLEnabledQueryServer features have been added to the base-db and configuration for secure communication in Aviary and query server through remote configuration is now easily accomplished.
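Review bot: the replacement paragraph still ends with "is now easily accomplished", which does not tell the reader what to do; say instead that secure communication is enabled by applying the SSLEnabledAviaryScheduler or SSLEnabledQueryServer feature through remote configuration. It should also state that the certificate, key and CA path parameters still have to be set by the user, since the verification output in this report shows the tool prompting for all four before the configuration is valid.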
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2012-0045.html