SNIC Documentation - User contributions [en]

PRACE Sweden F2F 160524

2016-05-09T11:44:09Z

Michaela Barth (PDC): /* Agenda */

PRACE Sweden F2F meeting on May 24th at PDC

Timing: 9:30 - 15:30 to allow for travelling.

Location: Room 304 (3rd floor), Teknikringen 14, Stockholm, KTH
If you are there much earlier, wait in the PDC kitchen on the 4th floor.

=Agenda=

* (Coffee, Tea and some fruits serves from 9:00)
* 9.30 Welcome ([[User:Michaela_Barth_(PDC)|Michaela]])
* 9:40 Information on (past and upcoming) PRACE calls and DECI ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:00 PRACE Social Media Statistics and Promotion of useful services in PRACE ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:20 SHAPE overview ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:35 SHAPE progress ([[User:Jing_Gong_(PDC)|Jing]])
* 10:50 PRACE EUDAT connections (MoU, HiResClimate) ([[User:Dejan_Vitlacil_(PDC)|Dejan]])
* 11:15 Status PRACE operations ([[User:Cristian_Cira_(PDC)|Cristian]])

Lunchbuffé at Hyllan, Restaurang Q, Osquldas väg 4 ("I lunchbuffén ingår varmrätt, soppa, grönsaker, smör & bröd samt 1 mineralvatten eller 1 lättöl, kaffe/té och liten sötsak")

* 12:55 Grouppicture
* 13:00 BioExcel CoE ([[User:Rossen_Apostolov_(PDC)|Rossen]])
* 13:30 Planningstatus for the Spring School 2017 ([[User:Rossen_Apostolov_(PDC)|Rossen]] & [[User:Michaela_Barth_(PDC)|Michaela]])
* 13:40 SNIC update and news (Jacko Koster)
* 14:00 PRACE-5IP outlook ([[User:Michaela_Barth_(PDC)|Michaela]])
* 14:15 WP5 in a nutshell ([[User:Gert_Svensson(PDC)|Gert]], [[User:Andreas_Johansson_NSC)|Andreas]])
* 14:30 WP7 exchange session: [[User:Chandan_Basu_(NSC)|Chandan]], [[User:Mikael_R%C3%A4nnar_(HPC2N)|Mikael]], [[User:Michael_Schliephake_(PDC)|Michael]] (10mins each)
* 15:00 Open discussion
* 15:30 End

=Participants=
-> 11 people (http://doodle.com/poll/bc8x7ftvgpggyqrw)

PRACE Sweden F2F 160524

2016-04-22T09:01:32Z

Michaela Barth (PDC):

PRACE Sweden F2F meeting on May 24th at PDC

Timing: 9:30 - 15:30 to allow for travelling.

Location: Room 304 (3rd floor), Teknikringen 14, Stockholm, KTH
If you are there much earlier, wait in the PDC kitchen on the 4th floor.

=Agenda=

* (Coffee, Tea and some fruits serves from 9:00)
* 9.30 Welcome ([[User:Michaela_Barth_(PDC)|Michaela]])
* 9:40 Information on (past and upcoming) PRACE calls and DECI ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:00 PRACE Social Media Statistics and Promotion of useful services in PRACE ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:20 SHAPE overview ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:35 SHAPE progress ([[User:Jing_Gong_(PDC)|Jing]])
* 10:50 PRACE EUDAT connections (MoU, HiResClimate) ([[User:Dejan_Vitlacil_(PDC)|Dejan]])
* 11:15 Status PRACE operations ([[User:Cristian_Cira_(PDC)|Cristian]])

Lunchbuffé at Hyllan, Restaurang Q, Osquldas väg 4 ("I lunchbuffén ingår varmrätt, soppa, grönsaker, smör & bröd samt 1 mineralvatten eller 1 lättöl, kaffe/té och liten sötsak")

* 13:00 BioExcel CoE ([[User:Rossen_Apostolov_(PDC)|Rossen]])
* 13:30 Planningstatus for the Spring School 2017 ([[User:Rossen_Apostolov_(PDC)|Rossen]] & [[User:Michaela_Barth_(PDC)|Michaela]])
* 13:40 SNIC update and news (Jacko Koster)
* 14:00 PRACE-5IP outlook ([[User:Michaela_Barth_(PDC)|Michaela]])
* 14:15 WP5 in a nutshell ([[User:Gert_Svensson(PDC)|Gert]], [[User:Andreas_Johansson_NSC)|Andreas]])
* 14:30 WP7 exchange session: [[User:Chandan_Basu_(NSC)|Chandan]], [[User:Mikael_R%C3%A4nnar_(HPC2N)|Mikael]], [[User:Michael_Schliephake_(PDC)|Michael]] (10mins each)
* 15:00 Open discussion
* 15:30 End

=Participants=
-> 11 people (http://doodle.com/poll/bc8x7ftvgpggyqrw)

PRACE Sweden F2F 160524

2016-04-22T05:55:08Z

Michaela Barth (PDC):

PRACE Sweden F2F meeting on May 24th at PDC

Timing: 9:30 - 15:30 to allow for travelling.

Location: Room 304 (3rd floor), Teknikringen 14, Stockholm, KTH
If you are there much earlier, wait in the PDC kitchen on the 4th floor.

=Agenda=

* 9.30 Welcome ([[User:Michaela_Barth_(PDC)|Michaela]])
* 9:40 Information on (past and upcoming) PRACE calls and DECI ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:00 PRACE Social Media Statistics and Promotion of useful services in PRACE ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:20 SHAPE overview ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:35 SHAPE progress ([[User:Jing_Gong_(PDC)|Jing]])
* 10:50 PRACE EUDAT connections (MoU, HiResClimate) ([[User:Dejan_Vitlacil_(PDC)|Dejan]])
* 11:15 Status PRACE operations ([[User:Cristian_Cira_(PDC)|Cristian]])

Lunch Break

* 13:00 BioExcel CoE ([[User:Rossen_Apostolov_(PDC)|Rossen]])
* 13:30 Planningstatus for the Spring School 2017 ([[User:Rossen_Apostolov_(PDC)|Rossen]] & [[User:Michaela_Barth_(PDC)|Michaela]])
* 13:40 SNIC update and news (Jacko Koster)
* 14:00 PRACE-5IP outlook ([[User:Michaela_Barth_(PDC)|Michaela]])
* 14:15 WP5 in a nutshell ([[User:Gert_Svensson(PDC)|Gert]], [[User:Andreas_Johansson_NSC)|Andreas]])
* 14:30 WP7 exchange session: [[User:Chandan_Basu_(NSC)|Chandan]], [[User:Mikael_R%C3%A4nnar_(HPC2N)|Mikael]], [[User:Michael_Schliephake_(PDC)|Michael]] (10mins each)
* 15:00 Open discussion
* 15:30 End

=Participants=
-> 11 people (http://doodle.com/poll/bc8x7ftvgpggyqrw)

PRACE Sweden F2F 160524

2016-04-15T16:21:26Z

Michaela Barth (PDC):

PRACE Sweden F2F meeting on May 25th at PDC

Timing: 9:30 - 15:30 to allow for travelling.

Location: Room 304 (3rd floor), Teknikringen 14, Stockholm, KTH
If you are there much earlier, wait in the PDC kitchen on the 4th floor.

=Agenda=

* 9.30 Welcome ([[User:Michaela_Barth_(PDC)|Michaela]])
* 9:40 Information on (past and upcoming) PRACE calls and DECI ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:00 PRACE Social Media Statistics and Promotion of useful services in PRACE ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:20 SHAPE overview ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:35 SHAPE progress ([[User:Jing_Gong_(PDC)|Jing]])
* 10:50 PRACE EUDAT connections (MoU, HiResClimate) ([[User:Dejan_Vitlacil_(PDC)|Dejan]])
* 11:15 Status PRACE operations ([[User:Cristian_Cira_(PDC)|Cristian]])

Lunch Break

* 13:00 BioExcel CoE ([[User:Rossen_Apostolov_(PDC)|Rossen]])
* 13:30 Planningstatus for the Spring School 2017 ([[User:Rossen_Apostolov_(PDC)|Rossen]] & [[User:Michaela_Barth_(PDC)|Michaela]])
* 13:40 SNIC update and news (Jacko Koster)
* 14:00 PRACE-5IP outlook ([[User:Michaela_Barth_(PDC)|Michaela]])
* 14:15 WP5 in a nutshell ([[User:Gert_Svensson(PDC)|Gert]], [[User:Andreas_Johansson_NSC)|Andreas]])
* 14:30 WP7 exchange session: [[User:Chandan_Basu_(NSC)|Chandan]], [[User:Mikael_R%C3%A4nnar_(HPC2N)|Mikael]], [[User:Michael_Schliephake_(PDC)|Michael]] (10mins each)
* 15:00 Open discussion
* 15:30 End

=Participants=
-> 11 people (http://doodle.com/poll/bc8x7ftvgpggyqrw)

PRACE Sweden F2F 160524

2016-04-15T12:12:29Z

Michaela Barth (PDC): /* Agenda */

PRACE Sweden F2F meeting on May 25th at PDC

Timing: 9:30 - 15:30 to allow for travelling.

Location: Room 304 (3rd floor), Teknikringen 14, Stockholm, KTH
If you are there much earlier, wait in the PDC kitchen on the 4th floor.

=Agenda=

* 9.30 Welcome ([[User:Michaela_Barth_(PDC)|Michaela]])
* 9:40 Information on (past and upcoming) PRACE calls and DECI ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:00 PRACE Social Media Statistics and Promotion of useful services in PRACE ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:20 SHAPE overview ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:35 SHAPE progress ([[User:Jing_Gong_(PDC)|Jing]])
* 10:50 PRACE EUDAT connections (MoU, HiResClimate) ([[User:Dejan_Vitlacil_(PDC)|Dejan]])
* 11:15 Status PRACE operations ([[User:Cristian_Cira_(PDC)|Cristian]])

Lunch Break

* 13:00 BioExcel CoE ([[User:Rossen_Apostolov_(PDC)|Rossen]])
* 13:30 Planningstatus for the Spring School 2017 ([[User:Rossen_Apostolov_(PDC)|Rossen]] & [[User:Michaela_Barth_(PDC)|Michaela]])
* 13:40 SNIC update and news (Ann-Charlotte Sonnhammer/Jacko Koster)
* 14:00 PRACE-5IP outlook ([[User:Michaela_Barth_(PDC)|Michaela]])
* 14:15 WP5 in a nutshell ([[User:Gert_Svensson(PDC)|Gert]], [[User:Andreas_Johansson_NSC)|Andreas]])
* 14:30 WP7 exchange session: [[User:Chandan_Basu_(NSC)|Chandan]], [[User:Mikael_R%C3%A4nnar_(HPC2N)|Mikael]], [[User:Michael_Schliephake_(PDC)|Michael]] (10mins each)
* 15:00 Open discussion
* 15:30 End

=Participants=
-> 11 people (http://doodle.com/poll/bc8x7ftvgpggyqrw)

PRACE Sweden F2F 160524

2016-04-15T12:03:04Z

Michaela Barth (PDC): Created page with "PRACE Sweden F2F meeting on May 25th at PDC Timing: 9:30 - 15:30 to allow for travelling. Location: Room 304 (3rd floor), Teknikringen 14, Stockholm, KTH If you are there muc..."

PRACE Sweden F2F meeting on May 25th at PDC

Timing: 9:30 - 15:30 to allow for travelling.

Location: Room 304 (3rd floor), Teknikringen 14, Stockholm, KTH
If you are there much earlier, wait in the PDC kitchen on the 4th floor.

=Agenda=

* 9.30 Welcome ([[User:Michaela_Barth_(PDC)|Michaela]])
* 9:40 Information on (past and upcoming) PRACE calls and DECI ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:00 PRACE Social Media Statistics and Promotion of useful services in PRACE ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:20 SHAPE overview ([[User:Michaela_Barth_(PDC)|Michaela]])
* 10:35 SHAPE progress ([[User:Jing_Gong_(PDC)|Jing]])
* 10:50 PRACE EUDAT connections (MoU, HiResClimate) ([[User:Dejan_Vitlacil_(PDC)|Dejan]])
* 11:15 Status PRACE operations ([[User:Cristian_Cira_(PDC)|Cristian]])

Lunch Break

* 13:00 BioExcel CoE ([[User:Rossen_Apostolov_(PDC)|Rossen]])
* 13:30 Planningstatus for the Spring School 2017 ([[User:Rossen_Apostolov_(PDC)|Rossen]] & [[User:Michaela_Barth_(PDC)|Michaela]])
* 13:40 SNIC update and news (Ann-Charlotte Sonnhammer/Jacko Koster)
* 14:00 PRACE-5IP status update ([[User:Michaela_Barth_(PDC)|Michaela]])
* 14:15 WP5 in a nutshell ([[User:Gert_Svensson(PDC)|Gert]], [[User:Andreas_Johansson_NSC)|Andreas]])
* 14:30 WP7 exchange session: [[User:Chandan_Basu_(NSC)|Chandan]], [[User:Mikael_R%C3%A4nnar_(HPC2N)|Mikael]], [[User:Michael_Schliephake_(PDC)|Michael]] (10mins each)
* 15:00 Open discussion
* 15:30 End

=Participants=
-> 11 people (http://doodle.com/poll/bc8x7ftvgpggyqrw)

PRACE

2016-04-15T11:35:14Z

Michaela Barth (PDC):

[http://www.prace-ri.eu/ The Partnership for Advanced Computing in Europe] prepares the creation of a persistent pan-European HPC service, consisting several Tier-0 centres providing European researchers with access to capability computers and forming the top level of the European HPC ecosystem. It is a part of European FP7 (Framework Programme) project and consists of several IPs (Implementation Phases) which are individually scheduled for about 2 years periods.

*PRACE1IP (2010-07-01 until 2012-07-01)
*PRACE2IP (2011-0701/resp. 2011-09-01 until 2013-09-01)
*PRACE 2IP Extension (2013-09-01 until 2014-08-31)
*PRACE3IP (2012-07-01 until 2014-06-30)
*PRACE4IP (2015-02-01 until 2017-04-30)

Meetings:
*[[PRACE Sweden F2F 160524]]

PRACE

2016-04-15T11:32:57Z

Michaela Barth (PDC):

PRACE

2016-04-15T11:32:47Z

Michaela Barth (PDC):

[http://www.prace-ri.eu/ The Partnership for Advanced Computing in Europe] prepares the creation of a persistent pan-European HPC service, consisting several Tier-0 centres providing European researchers with access to capability computers and forming the top level of the European HPC ecosystem. It is a part of European FP7 (Framework Programme) project and consists of several IPs (Implementation Phases) which are individually scheduled for about 2 years periods.

*PRACE1IP (2010-07-01 until 2012-07-01)
*PRACE2IP (2011-0701/resp. 2011-09-01 until 2013-09-01)
PRACE 2IP Extension (2013-09-01 until 2014-08-31)
*PRACE3IP (2012-07-01 until 2014-06-30)
*PRACE4IP (2015-02-01 until 2017-04-30)

User:Michaela Barth (PDC)

2016-04-15T11:28:42Z

Michaela Barth (PDC): Created page with "[http://www.kth.se/profile/caela/]"

[http://www.kth.se/profile/caela/]

Grid certificates

2013-04-25T15:00:33Z

Michaela Barth (PDC): /* Introduction to certificates */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:SweStore]]
[[Category:SweStore user guide]]
[[Getting started with SweGrid|< Getting started with SweGrid]]<br>
[[SweStore|< SweStore]]

=Introduction to certificates=

In order to get access to computer and storage resources on the grid or [[SweStore]] you must have a valid (grid) certificate. This certificate is used instead of a username and password when accessing the resource. The resource have a certificate that tells you that you have contacted the right resource. This is exactly the same mechanism used when you use a web browser to contact your bank.

A certificate is the similar to a passport in real-life. In the same way you have prove your credentials when you acquire a passport the same is true for a certificate. A third party, the Certificate Authority or CA, that both you and the resource trust has to vouch for your identity and sign your certificate.

A certificate consist of a public key, some user information and a signature of the CA. In addition to the certificate you have a private key. The private key is secret and should be kept as secure as possible.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]

[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

[http://www.nordugrid.org/documents/certificate_howto.html http://www.nordugrid.org/documents/certificate_howto.html]

* The grid certificate and the private key are stored in your web browser and/or located in ~/.globus at the host(s) from where you will be accessing the resource:
usercert.pem
userkey.pem
* The certificate contains your public key, your name and organization and a signature by the CA. It is does not contain any username.
* The certificate is valid for 13 month and should be renewed yearly.
* The private key should be handled with great care. It should only be readable by you and not by the group or others (i.e. ``chmod 400 userkey.pem''). Store the key on trusted computers and transfer the key between computers using encryption (using for example scp).
* On shared file systems make sure that ~/.globus is not readible by everybody:
chmod 700 ~/.globus
and on AFS:
fs sa ~/.globus system:anyuser none
* The private key is encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away the passphrase to somebody else.
* You should not share the certificate with someone. It's personal.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]
[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

= Requesting a certificate =

Certificates are issued by a Certificate Authority or CA. For Swedish users there are two relevant CA:s that can issue grid/eScience certificates, Terena and Nordugrid. The Terena CA is preferred if it is available for your university or research group, but many sites has not enabled this service yet. The Nordugrid CA can also be used but requires more manual work by all parties.

Recommended procedure for each university:

{| class="wikitable"
| University
| CA
| Specific instructions
|-
| LU
| Terena CA
| [[LU_Certificate_Information|more...]]
|-
| LiU
| Terena CA
| [[LiU_Certificate_Instructions|more...]]
|-
| CTH
| NorduGrid CA
| [[Chalmers_Certificate_Instructions|more...]]
|-
| GU
| NorduGrid CA
| [[GU_Certificate_Instructions|more...]]
|-
| UU
| Terena CA
| [[UU_Certificate_Instructions|more...]]
|-
| KTH
| Terena CA
| [[KTH_Certificate_Information|more...]]
|-
| SU
| NorduGrid CA
| [[SU_Certificate_Information|more...]]
|-
| KI
| NorduGrid CA
| [[KI_Certificate_Information|more...]]
|-
| UmU
| Terena CA
| [[UmU_Certificate_Information|more...]]
|-
|}

[[Requesting a grid certificate using the Terena eScience Portal|Instructions for the Terena CA]]

[[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA (use only if Terena eScience isn't available at your site)]]

= Requesting membership in the SweGrid VO =

SweGrid and SweStore resources are currently being allocated for VO:s, virtual organizations, rather than individual users. A VO is basically just a list of users. To be able to use a SweGrid or SweStore resource a membership in the SweGrid VO (virtual organization) and a corresponding subgroup is required. To apply for membership, make sure that the NorduGrid root CA certificate and your personal certificate is installed in the browser.

The NorduGrid CA cert can be installed by clicking on the following link:

[http://ca.nordugrid.org/cacrt.crt http://ca.nordugrid.org/cacrt.crt]

Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.

[[File:certinstall.png]]

When certificates have been installed in the browser go to the following URL:

[https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]

and follow the instructions. In a couple of hours you will be added to the SweGrid VO.

To be added to the correct SweGrid project send a mail to [mailto:support@swegrid.se support@swegrid.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which SNIC-project to be added to.

To be added to the correct Swestore allocation send a mail to [mailto:swestore-support@snic.vr.se swestore-support@snic.vr.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which Swestore allocation to be added to.

= Proxy certificates =

Authentication on the grid is done using special short lived ''proxy'' certificates. There are several tools available for creating, checking and destroying these proxy certificates.

== Creating a proxy certificate ==

To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:

$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:00:14

The proxy file itself will be created in the '''/tmp''' directory with the format '''x509up_uid''', where uid is the user id number for your account.

In some cases a longer lived proxy will be needed. This is achieved using the '''--constraint''' switch. A 24-hour can be created by issuing the following command:

$ arcproxy --constraint="validityPeriod=24H"
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
....++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 15:03:19

== Checking proxy lifetime ==

The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.

$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy

In this example the proxy certificate is valid for 11 hours 55 minutes more.

== Destroying a proxy certificate ==

A proxy can be destroyed with the '''-r''' or '''--remove''' switch.

$ arcproxy -r

or

$ arcproxy --remove

= VOMS certificates =

As long as you are a member of only one VO or VO group, you can
authenticate to a grid service with the regular grid proxy certificate
as defined in the previous section. If you are a member of more than
one VO or VO group you may want to select which membership you want to
be authenticated as. For example, if you are a member of
''swegrid.se:/swegrid.se/ops'' (operations staff) and
''swegrid.se:/swegrid.se/bils'' and want to write a file, who should
be the owner? Ops or bils? You need to provide some additional
information. In the grid world this is done with a voms proxy
certificate which basically is a regular proxy certificate but with a
so called voms extension that contains a list of your VO group
memberships (and roles and attributes, which we don't use in
Swegrid/Swestore at the moment).

'''Please note, if you only have one membership you can skip this section!'''

The voms extension of the certificate is signed by the virtual
organization management server, or VOMS server. The same VOMS server
you used when applying for the swegrid.se VO membership in the first
place. To enable this signing process you need to add a few
configuration files to your system. First add this to the file
'''/etc/vomses''':

"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"

Next create the necessary directories and the file
'''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' with the
following contents:

/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority

== Creating a VOMS proxy ==

VOMS proxies in ARC1 can be created using the '''arcproxy''' command
and the '''-S''' or '''--voms''' switches as shown in the following
example (if you are a member of the /swegrid.se/ops group. Adjust as
necessary):

$ arcproxy -S swegrid.se:/swegrid.se/ops
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.....++++++
............++++++
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
Proxy generation succeeded
Your proxy is valid until: 2011-03-10 23:33:06

= Signing your e-mail with your certificate =

First, you will need your grid certificate in PKCS12 format:
== How to transform your certificate from PEM format into PKCS#12 format ==

This is how you transform your cert into PKCS12 format that can be used within your webbrowser or email send program:
You first will have to change directory into where you created and keep the certificate, historically this is often in ~/.globus

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert+key.p12

First you will have to enter the password you used for your private key, then you will be asked for a new password to protect the new file. '''cert+key.p12 contains your private key, and is therefore 'lika känslig' as userkey.pem'''. See also [[#Introduction to certificates]]. Security wise the safest way is to delete the PKCS12 file after having imported it into your mail client or browser. Don't forget this.

Remarks: openssl will either need the variable RANDFILE to be set or that ~/.rnd is writable. So you have to make sure that the current $HOME is yours if you have pagshed away, otherwise the command will fail with ''unable to write 'random state''.

=== Signing in mew ===

Mew uses gpgsm.

<pre>
1. Import the nordugrid root cert

1.1. get 1f0e8352.0 from nordugrid web

1.2. gpgsm --import 1f0e8352.0

1.2. Make it trusted:
gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' | grep THE-FINGERPRIT-YOU-WANT >> .gnupg/trustlist.txt

2. Add your own key from the cert+key.p12 file in this case

2.1 openssl pkcs12 -in cert+key.p12 -out tmp.pem -nokeys

2.2. gpgsm --import tmp.pem ; rm tmp.pem

2.3. Tell gpgsm not to use revocation lists (bad bad security)
echo disable-crl-checks >> .gnupg/gpgsm.conf

3. Test
gpgsm --detach-sign file > sign # should ask for passphrase and give some kind of sign file

4. Use:
C-uC-cC-s then enter your email address (must match email in cert) and passphrase

</pre>

=== Signing in thunderbird ===
In thunderbird: options/security/digitally sign this message.

If you do this for the first time and haven't defined yet the certificate to sign with, thunderbird will pop up the according preferences [Account settings/Security], where you can choose between your imported certificates in PKCS12 format.

In the beginning, of course, you haven't imported any: Click there on the same preferences tab that popped up on [View Certificates]. In the new window that opens you can import the certificate.

Afterwards you can then choose this certificate to be used for signing and for encryption for this email account.

Don't forget to actually check that you then really sign the corresponding mail.

Grid certificates

2013-04-25T14:55:52Z

Michaela Barth (PDC): /* How to transform your certificate from PEM format into PKCS#12 format */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:SweStore]]
[[Category:SweStore user guide]]
[[Getting started with SweGrid|< Getting started with SweGrid]]<br>
[[SweStore|< SweStore]]

=Introduction to certificates=

In order to get access to computer and storage resources on the grid or [[SweStore]] you must have a valid (grid) certificate. This certificate is used instead of a username and password when accessing the resource. The resource have a certificate that tells you that you have contacted the right resource. This is exactly the same mechanism used when you use a web browser to contact your bank.

A certificate is the similar to a passport in real-life. In the same way you have prove your credentials when you acquire a passport the same is true for a certificate. A third party, the Certificate Authority or CA, that both you and the resource trust has to vouch for your identity and sign your certificate.

A certificate consist of a public key, some user information and a signature of the CA. In addition to the certificate you have a private key. The private key is secret and should be kept as secure as possible.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]

[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

[http://www.nordugrid.org/documents/certificate_howto.html http://www.nordugrid.org/documents/certificate_howto.html]

* The grid certificate and the private key are stored in your web browser and/or located in ~/.globus at the host(s) from where you will be accessing the resource:
usercert.pem
userkey.pem
* The certificate contains your public key, your name and organization and a signature by the CA. It is does not contain any username.
* The certificate is valid for 13 month and should be renewed yearly.
* The private key should be handled with great care. It should only be readable by you (i.e. ``chmod 400 userkey.pem''). Store the key on trusted computers and transfer the key between computers using encryption (using for example scp).
* The private key is encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away the passphrase to somebody else.
* You should not share the certificate with someone. It's personal.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]
[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

= Requesting a certificate =

Certificates are issued by a Certificate Authority or CA. For Swedish users there are two relevant CA:s that can issue grid/eScience certificates, Terena and Nordugrid. The Terena CA is preferred if it is available for your university or research group, but many sites has not enabled this service yet. The Nordugrid CA can also be used but requires more manual work by all parties.

Recommended procedure for each university:

{| class="wikitable"
| University
| CA
| Specific instructions
|-
| LU
| Terena CA
| [[LU_Certificate_Information|more...]]
|-
| LiU
| Terena CA
| [[LiU_Certificate_Instructions|more...]]
|-
| CTH
| NorduGrid CA
| [[Chalmers_Certificate_Instructions|more...]]
|-
| GU
| NorduGrid CA
| [[GU_Certificate_Instructions|more...]]
|-
| UU
| Terena CA
| [[UU_Certificate_Instructions|more...]]
|-
| KTH
| Terena CA
| [[KTH_Certificate_Information|more...]]
|-
| SU
| NorduGrid CA
| [[SU_Certificate_Information|more...]]
|-
| KI
| NorduGrid CA
| [[KI_Certificate_Information|more...]]
|-
| UmU
| Terena CA
| [[UmU_Certificate_Information|more...]]
|-
|}

[[Requesting a grid certificate using the Terena eScience Portal|Instructions for the Terena CA]]

[[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA (use only if Terena eScience isn't available at your site)]]

= Requesting membership in the SweGrid VO =

SweGrid and SweStore resources are currently being allocated for VO:s, virtual organizations, rather than individual users. A VO is basically just a list of users. To be able to use a SweGrid or SweStore resource a membership in the SweGrid VO (virtual organization) and a corresponding subgroup is required. To apply for membership, make sure that the NorduGrid root CA certificate and your personal certificate is installed in the browser.

The NorduGrid CA cert can be installed by clicking on the following link:

[http://ca.nordugrid.org/cacrt.crt http://ca.nordugrid.org/cacrt.crt]

Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.

[[File:certinstall.png]]

When certificates have been installed in the browser go to the following URL:

[https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]

and follow the instructions. In a couple of hours you will be added to the SweGrid VO.

To be added to the correct SweGrid project send a mail to [mailto:support@swegrid.se support@swegrid.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which SNIC-project to be added to.

To be added to the correct Swestore allocation send a mail to [mailto:swestore-support@snic.vr.se swestore-support@snic.vr.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which Swestore allocation to be added to.

= Proxy certificates =

Authentication on the grid is done using special short lived ''proxy'' certificates. There are several tools available for creating, checking and destroying these proxy certificates.

== Creating a proxy certificate ==

To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:

$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:00:14

The proxy file itself will be created in the '''/tmp''' directory with the format '''x509up_uid''', where uid is the user id number for your account.

In some cases a longer lived proxy will be needed. This is achieved using the '''--constraint''' switch. A 24-hour can be created by issuing the following command:

$ arcproxy --constraint="validityPeriod=24H"
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
....++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 15:03:19

== Checking proxy lifetime ==

The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.

$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy

In this example the proxy certificate is valid for 11 hours 55 minutes more.

== Destroying a proxy certificate ==

A proxy can be destroyed with the '''-r''' or '''--remove''' switch.

$ arcproxy -r

or

$ arcproxy --remove

= VOMS certificates =

As long as you are a member of only one VO or VO group, you can
authenticate to a grid service with the regular grid proxy certificate
as defined in the previous section. If you are a member of more than
one VO or VO group you may want to select which membership you want to
be authenticated as. For example, if you are a member of
''swegrid.se:/swegrid.se/ops'' (operations staff) and
''swegrid.se:/swegrid.se/bils'' and want to write a file, who should
be the owner? Ops or bils? You need to provide some additional
information. In the grid world this is done with a voms proxy
certificate which basically is a regular proxy certificate but with a
so called voms extension that contains a list of your VO group
memberships (and roles and attributes, which we don't use in
Swegrid/Swestore at the moment).

'''Please note, if you only have one membership you can skip this section!'''

The voms extension of the certificate is signed by the virtual
organization management server, or VOMS server. The same VOMS server
you used when applying for the swegrid.se VO membership in the first
place. To enable this signing process you need to add a few
configuration files to your system. First add this to the file
'''/etc/vomses''':

"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"

Next create the necessary directories and the file
'''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' with the
following contents:

/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority

== Creating a VOMS proxy ==

VOMS proxies in ARC1 can be created using the '''arcproxy''' command
and the '''-S''' or '''--voms''' switches as shown in the following
example (if you are a member of the /swegrid.se/ops group. Adjust as
necessary):

$ arcproxy -S swegrid.se:/swegrid.se/ops
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.....++++++
............++++++
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
Proxy generation succeeded
Your proxy is valid until: 2011-03-10 23:33:06

= Signing your e-mail with your certificate =

First, you will need your grid certificate in PKCS12 format:
== How to transform your certificate from PEM format into PKCS#12 format ==

This is how you transform your cert into PKCS12 format that can be used within your webbrowser or email send program:
You first will have to change directory into where you created and keep the certificate, historically this is often in ~/.globus

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert+key.p12

First you will have to enter the password you used for your private key, then you will be asked for a new password to protect the new file. '''cert+key.p12 contains your private key, and is therefore 'lika känslig' as userkey.pem'''. See also [[#Introduction to certificates]]. Security wise the safest way is to delete the PKCS12 file after having imported it into your mail client or browser. Don't forget this.

Remarks: openssl will either need the variable RANDFILE to be set or that ~/.rnd is writable. So you have to make sure that the current $HOME is yours if you have pagshed away, otherwise the command will fail with ''unable to write 'random state''.

=== Signing in mew ===

Mew uses gpgsm.

<pre>
1. Import the nordugrid root cert

1.1. get 1f0e8352.0 from nordugrid web

1.2. gpgsm --import 1f0e8352.0

1.2. Make it trusted:
gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' | grep THE-FINGERPRIT-YOU-WANT >> .gnupg/trustlist.txt

2. Add your own key from the cert+key.p12 file in this case

2.1 openssl pkcs12 -in cert+key.p12 -out tmp.pem -nokeys

2.2. gpgsm --import tmp.pem ; rm tmp.pem

2.3. Tell gpgsm not to use revocation lists (bad bad security)
echo disable-crl-checks >> .gnupg/gpgsm.conf

3. Test
gpgsm --detach-sign file > sign # should ask for passphrase and give some kind of sign file

4. Use:
C-uC-cC-s then enter your email address (must match email in cert) and passphrase

</pre>

=== Signing in thunderbird ===
In thunderbird: options/security/digitally sign this message.

If you do this for the first time and haven't defined yet the certificate to sign with, thunderbird will pop up the according preferences [Account settings/Security], where you can choose between your imported certificates in PKCS12 format.

In the beginning, of course, you haven't imported any: Click there on the same preferences tab that popped up on [View Certificates]. In the new window that opens you can import the certificate.

Afterwards you can then choose this certificate to be used for signing and for encryption for this email account.

Don't forget to actually check that you then really sign the corresponding mail.

Grid certificates

2013-04-25T14:54:38Z

Michaela Barth (PDC):

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:SweStore]]
[[Category:SweStore user guide]]
[[Getting started with SweGrid|< Getting started with SweGrid]]<br>
[[SweStore|< SweStore]]

=Introduction to certificates=

In order to get access to computer and storage resources on the grid or [[SweStore]] you must have a valid (grid) certificate. This certificate is used instead of a username and password when accessing the resource. The resource have a certificate that tells you that you have contacted the right resource. This is exactly the same mechanism used when you use a web browser to contact your bank.

A certificate is the similar to a passport in real-life. In the same way you have prove your credentials when you acquire a passport the same is true for a certificate. A third party, the Certificate Authority or CA, that both you and the resource trust has to vouch for your identity and sign your certificate.

A certificate consist of a public key, some user information and a signature of the CA. In addition to the certificate you have a private key. The private key is secret and should be kept as secure as possible.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]

[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

[http://www.nordugrid.org/documents/certificate_howto.html http://www.nordugrid.org/documents/certificate_howto.html]

* The grid certificate and the private key are stored in your web browser and/or located in ~/.globus at the host(s) from where you will be accessing the resource:
usercert.pem
userkey.pem
* The certificate contains your public key, your name and organization and a signature by the CA. It is does not contain any username.
* The certificate is valid for 13 month and should be renewed yearly.
* The private key should be handled with great care. It should only be readable by you (i.e. ``chmod 400 userkey.pem''). Store the key on trusted computers and transfer the key between computers using encryption (using for example scp).
* The private key is encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away the passphrase to somebody else.
* You should not share the certificate with someone. It's personal.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]
[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

= Requesting a certificate =

Certificates are issued by a Certificate Authority or CA. For Swedish users there are two relevant CA:s that can issue grid/eScience certificates, Terena and Nordugrid. The Terena CA is preferred if it is available for your university or research group, but many sites has not enabled this service yet. The Nordugrid CA can also be used but requires more manual work by all parties.

Recommended procedure for each university:

{| class="wikitable"
| University
| CA
| Specific instructions
|-
| LU
| Terena CA
| [[LU_Certificate_Information|more...]]
|-
| LiU
| Terena CA
| [[LiU_Certificate_Instructions|more...]]
|-
| CTH
| NorduGrid CA
| [[Chalmers_Certificate_Instructions|more...]]
|-
| GU
| NorduGrid CA
| [[GU_Certificate_Instructions|more...]]
|-
| UU
| Terena CA
| [[UU_Certificate_Instructions|more...]]
|-
| KTH
| Terena CA
| [[KTH_Certificate_Information|more...]]
|-
| SU
| NorduGrid CA
| [[SU_Certificate_Information|more...]]
|-
| KI
| NorduGrid CA
| [[KI_Certificate_Information|more...]]
|-
| UmU
| Terena CA
| [[UmU_Certificate_Information|more...]]
|-
|}

[[Requesting a grid certificate using the Terena eScience Portal|Instructions for the Terena CA]]

[[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA (use only if Terena eScience isn't available at your site)]]

= Requesting membership in the SweGrid VO =

SweGrid and SweStore resources are currently being allocated for VO:s, virtual organizations, rather than individual users. A VO is basically just a list of users. To be able to use a SweGrid or SweStore resource a membership in the SweGrid VO (virtual organization) and a corresponding subgroup is required. To apply for membership, make sure that the NorduGrid root CA certificate and your personal certificate is installed in the browser.

The NorduGrid CA cert can be installed by clicking on the following link:

[http://ca.nordugrid.org/cacrt.crt http://ca.nordugrid.org/cacrt.crt]

Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.

[[File:certinstall.png]]

When certificates have been installed in the browser go to the following URL:

[https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]

and follow the instructions. In a couple of hours you will be added to the SweGrid VO.

To be added to the correct SweGrid project send a mail to [mailto:support@swegrid.se support@swegrid.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which SNIC-project to be added to.

To be added to the correct Swestore allocation send a mail to [mailto:swestore-support@snic.vr.se swestore-support@snic.vr.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which Swestore allocation to be added to.

= Proxy certificates =

Authentication on the grid is done using special short lived ''proxy'' certificates. There are several tools available for creating, checking and destroying these proxy certificates.

== Creating a proxy certificate ==

To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:

$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:00:14

The proxy file itself will be created in the '''/tmp''' directory with the format '''x509up_uid''', where uid is the user id number for your account.

In some cases a longer lived proxy will be needed. This is achieved using the '''--constraint''' switch. A 24-hour can be created by issuing the following command:

$ arcproxy --constraint="validityPeriod=24H"
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
....++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 15:03:19

== Checking proxy lifetime ==

The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.

$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy

In this example the proxy certificate is valid for 11 hours 55 minutes more.

== Destroying a proxy certificate ==

A proxy can be destroyed with the '''-r''' or '''--remove''' switch.

$ arcproxy -r

or

$ arcproxy --remove

= VOMS certificates =

As long as you are a member of only one VO or VO group, you can
authenticate to a grid service with the regular grid proxy certificate
as defined in the previous section. If you are a member of more than
one VO or VO group you may want to select which membership you want to
be authenticated as. For example, if you are a member of
''swegrid.se:/swegrid.se/ops'' (operations staff) and
''swegrid.se:/swegrid.se/bils'' and want to write a file, who should
be the owner? Ops or bils? You need to provide some additional
information. In the grid world this is done with a voms proxy
certificate which basically is a regular proxy certificate but with a
so called voms extension that contains a list of your VO group
memberships (and roles and attributes, which we don't use in
Swegrid/Swestore at the moment).

'''Please note, if you only have one membership you can skip this section!'''

The voms extension of the certificate is signed by the virtual
organization management server, or VOMS server. The same VOMS server
you used when applying for the swegrid.se VO membership in the first
place. To enable this signing process you need to add a few
configuration files to your system. First add this to the file
'''/etc/vomses''':

"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"

Next create the necessary directories and the file
'''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' with the
following contents:

/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority

== Creating a VOMS proxy ==

VOMS proxies in ARC1 can be created using the '''arcproxy''' command
and the '''-S''' or '''--voms''' switches as shown in the following
example (if you are a member of the /swegrid.se/ops group. Adjust as
necessary):

$ arcproxy -S swegrid.se:/swegrid.se/ops
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.....++++++
............++++++
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
Proxy generation succeeded
Your proxy is valid until: 2011-03-10 23:33:06

= Signing your e-mail with your certificate =

First, you will need your grid certificate in PKCS12 format:
== How to transform your certificate from PEM format into PKCS#12 format ==

This is how you transform your cert into PKCS12 format that can be used within your webbrowser or email send program:
You first will have to change directory into where you created and keep the certificate, historically this is often in ~/.globus

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert+key.p12

First you will have to enter the password you used for your private key, then you will be asked for a new password to protect the new file. '''cert+key.p12
contains your private key, and is therefore 'lika känslig' as userkey.pem'''. See also [[#Introduction to certificates]]. Security wise the safest way is to delete the PKCS12 file after having imported it into your mail client or browser. Don't forget this.

Remarks: openssl will either need the variable RANDFILE to be set or that ~/.rnd is writable. So you have to make sure that the current $HOME is yours if you have pagshed away, otherwise the command will fail with ''unable to write 'random state''.

=== ... in mew ===

Mew uses gpgsm.

<pre>
1. Import the nordugrid root cert

1.1. get 1f0e8352.0 from nordugrid web

1.2. gpgsm --import 1f0e8352.0

1.2. Make it trusted:
gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' | grep THE-FINGERPRIT-YOU-WANT >> .gnupg/trustlist.txt

2. Add your own key from the cert+key.p12 file in this case

2.1 openssl pkcs12 -in cert+key.p12 -out tmp.pem -nokeys

2.2. gpgsm --import tmp.pem ; rm tmp.pem

2.3. Tell gpgsm not to use revocation lists (bad bad security)
echo disable-crl-checks >> .gnupg/gpgsm.conf

3. Test
gpgsm --detach-sign file > sign # should ask for passphrase and give some kind of sign file

4. Use:
C-uC-cC-s then enter your email address (must match email in cert) and passphrase

</pre>

=== .. in thunderbird ===
In thunderbird: options/security/digitally sign this message.

If you do this for the first time and haven't defined yet the certificate to sign with, thunderbird will pop up the according preferences [Account settings/Security], where you can choose between your imported certificates in PKCS12 format.

In the beginning, of course, you haven't imported any: Click there on the same preferences tab that popped up on [View Certificates]. In the new window that opens you can import the certificate.

Afterwards you can then choose this certificate to be used for signing and for encryption for this email account.

Don't forget to actually check that you then really sign the corresponding mail.

Grid certificates

2013-04-25T14:49:20Z

Michaela Barth (PDC):

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:SweStore]]
[[Category:SweStore user guide]]
[[Getting started with SweGrid|< Getting started with SweGrid]]<br>
[[SweStore|< SweStore]]

=Introduction to certificates=

In order to get access to computer and storage resources on the grid or [[SweStore]] you must have a valid (grid) certificate. This certificate is used instead of a username and password when accessing the resource. The resource have a certificate that tells you that you have contacted the right resource. This is exactly the same mechanism used when you use a web browser to contact your bank.

A certificate is the similar to a passport in real-life. In the same way you have prove your credentials when you acquire a passport the same is true for a certificate. A third party, the Certificate Authority or CA, that both you and the resource trust has to vouch for your identity and sign your certificate.

A certificate consist of a public key, some user information and a signature of the CA. In addition to the certificate you have a private key. The private key is secret and should be kept as secure as possible.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]

[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

[http://www.nordugrid.org/documents/certificate_howto.html http://www.nordugrid.org/documents/certificate_howto.html]

* The grid certificate and the private key are stored in your web browser and/or located in ~/.globus at the host(s) from where you will be accessing the resource:
usercert.pem
userkey.pem
* The certificate contains your public key, your name and organization and a signature by the CA. It is does not contain any username.
* The certificate is valid for 13 month and should be renewed yearly.
* The private key should be handled with great care. It should only be readable by you (i.e. ``chmod 400 userkey.pem''). Store the key on trusted computers and transfer the key between computers using encryption (using for example scp).
* The private key is encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away the passphrase to somebody else.
* You should not share the certificate with someone. It's personal.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]
[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

= Requesting a certificate =

Certificates are issued by a Certificate Authority or CA. For Swedish users there are two relevant CA:s that can issue grid/eScience certificates, Terena and Nordugrid. The Terena CA is preferred if it is available for your university or research group, but many sites has not enabled this service yet. The Nordugrid CA can also be used but requires more manual work by all parties.

Recommended procedure for each university:

{| class="wikitable"
| University
| CA
| Specific instructions
|-
| LU
| Terena CA
| [[LU_Certificate_Information|more...]]
|-
| LiU
| Terena CA
| [[LiU_Certificate_Instructions|more...]]
|-
| CTH
| NorduGrid CA
| [[Chalmers_Certificate_Instructions|more...]]
|-
| GU
| NorduGrid CA
| [[GU_Certificate_Instructions|more...]]
|-
| UU
| Terena CA
| [[UU_Certificate_Instructions|more...]]
|-
| KTH
| Terena CA
| [[KTH_Certificate_Information|more...]]
|-
| SU
| NorduGrid CA
| [[SU_Certificate_Information|more...]]
|-
| KI
| NorduGrid CA
| [[KI_Certificate_Information|more...]]
|-
| UmU
| Terena CA
| [[UmU_Certificate_Information|more...]]
|-
|}

[[Requesting a grid certificate using the Terena eScience Portal|Instructions for the Terena CA]]

[[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA (use only if Terena eScience isn't available at your site)]]

= Requesting membership in the SweGrid VO =

SweGrid and SweStore resources are currently being allocated for VO:s, virtual organizations, rather than individual users. A VO is basically just a list of users. To be able to use a SweGrid or SweStore resource a membership in the SweGrid VO (virtual organization) and a corresponding subgroup is required. To apply for membership, make sure that the NorduGrid root CA certificate and your personal certificate is installed in the browser.

The NorduGrid CA cert can be installed by clicking on the following link:

[http://ca.nordugrid.org/cacrt.crt http://ca.nordugrid.org/cacrt.crt]

Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.

[[File:certinstall.png]]

When certificates have been installed in the browser go to the following URL:

[https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]

and follow the instructions. In a couple of hours you will be added to the SweGrid VO.

To be added to the correct SweGrid project send a mail to [mailto:support@swegrid.se support@swegrid.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which SNIC-project to be added to.

To be added to the correct Swestore allocation send a mail to [mailto:swestore-support@snic.vr.se swestore-support@snic.vr.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which Swestore allocation to be added to.

= Proxy certificates =

Authentication on the grid is done using special short lived ''proxy'' certificates. There are several tools available for creating, checking and destroying these proxy certificates.

== Creating a proxy certificate ==

To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:

$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:00:14

The proxy file itself will be created in the '''/tmp''' directory with the format '''x509up_uid''', where uid is the user id number for your account.

In some cases a longer lived proxy will be needed. This is achieved using the '''--constraint''' switch. A 24-hour can be created by issuing the following command:

$ arcproxy --constraint="validityPeriod=24H"
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
....++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 15:03:19

== Checking proxy lifetime ==

The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.

$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy

In this example the proxy certificate is valid for 11 hours 55 minutes more.

== Destroying a proxy certificate ==

A proxy can be destroyed with the '''-r''' or '''--remove''' switch.

$ arcproxy -r

or

$ arcproxy --remove

= VOMS certificates =

As long as you are a member of only one VO or VO group, you can
authenticate to a grid service with the regular grid proxy certificate
as defined in the previous section. If you are a member of more than
one VO or VO group you may want to select which membership you want to
be authenticated as. For example, if you are a member of
''swegrid.se:/swegrid.se/ops'' (operations staff) and
''swegrid.se:/swegrid.se/bils'' and want to write a file, who should
be the owner? Ops or bils? You need to provide some additional
information. In the grid world this is done with a voms proxy
certificate which basically is a regular proxy certificate but with a
so called voms extension that contains a list of your VO group
memberships (and roles and attributes, which we don't use in
Swegrid/Swestore at the moment).

'''Please note, if you only have one membership you can skip this section!'''

The voms extension of the certificate is signed by the virtual
organization management server, or VOMS server. The same VOMS server
you used when applying for the swegrid.se VO membership in the first
place. To enable this signing process you need to add a few
configuration files to your system. First add this to the file
'''/etc/vomses''':

"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"

Next create the necessary directories and the file
'''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' with the
following contents:

/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority

== Creating a VOMS proxy ==

VOMS proxies in ARC1 can be created using the '''arcproxy''' command
and the '''-S''' or '''--voms''' switches as shown in the following
example (if you are a member of the /swegrid.se/ops group. Adjust as
necessary):

$ arcproxy -S swegrid.se:/swegrid.se/ops
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.....++++++
............++++++
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
Proxy generation succeeded
Your proxy is valid until: 2011-03-10 23:33:06

= Signing your e-mail with your certificate =

First, you will need your grid certificate in PKCS12 format:
== How to transform your certificate from PEM format into PKCS#12 format ==

This is how you transform your cert into PKCS12 format that can be used within your webbrowser or email send program:
You first will have to change directory into where you created and keep the certificate, historically this is often in ~/.globus

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert+key.p12

First you will have to enter the password you used for your private key, then you will be asked for a new password to protect the new file. '''cert+key.p12
contains your private key, and is therefore 'lika känslig' as userkey.pem'''. See also [[#Secure_handling_of_certificates]].

Remarks: openssl will either need the variable RANDFILE to be set or that ~/.rnd is writable. So you have to make sure that the current $HOME is yours if you have pagshed away, otherwise the command will fail with ''unable to write 'random state''.

=== ... in mew ===

Mew uses gpgsm.

<pre>
1. Import the nordugrid root cert

1.1. get 1f0e8352.0 from nordugrid web

1.2. gpgsm --import 1f0e8352.0

1.2. Make it trusted:
gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' | grep THE-FINGERPRIT-YOU-WANT >> .gnupg/trustlist.txt

2. Add your own key from the cert+key.p12 file in this case

2.1 openssl pkcs12 -in cert+key.p12 -out tmp.pem -nokeys

2.2. gpgsm --import tmp.pem ; rm tmp.pem

2.3. Tell gpgsm not to use revocation lists (bad bad security)
echo disable-crl-checks >> .gnupg/gpgsm.conf

3. Test
gpgsm --detach-sign file > sign # should ask for passphrase and give some kind of sign file

4. Use:
C-uC-cC-s then enter your email address (must match email in cert) and passphrase

</pre>

=== .. in thunderbird ===
In thunderbird: options/security/digitally sign this message.

If you do this for the first time and haven't defined yet the certificate to sign with, thunderbird will pop up the according preferences [Account settings/Security], where you can choose between your imported certificates in PKCS12 format.

In the beginning, of course, you haven't imported any: Click there on the same preferences tab that popped up on [View Certificates]. In the new window that opens you can import the certificate.

Afterwards you can then choose this certificate to be used for signing and for encryption for this email account.

Don't forget to actually check that you then really sign the corresponding mail.

Requesting a grid certificate from the Nordugrid CA

2013-04-25T14:41:11Z

Michaela Barth (PDC): /* Renewing a NorduGrid user certificate = */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:SweStore]]
[[Category:SweStore user guide]]
[[Grid_certificates|< Grid certificates]]

The first step in acquiring a certificate from the nordugrid CA is to create a certificate request.

== Creating a certificate request using the ARC tools ==

This is done using the '''grid-cert-request -int''' command. (The -int options means interactive usage). When issued, the tool will generate a certificate request and a private key. The tool will also ask for a password to protect the private key. Note, if the password is lost a new certificate must be obtained. The process is shown below:

First the private key is generated:

<pre>$ grid-cert-request -int
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Using configuration from /etc/grid-security/globus-user-ssl.conf
Generating a 1024 bit RSA private key
.....................................++++++
....................++++++
writing new private key to '/home/jonas/.globus/userkey.pem'</pre>

To protect the private key from unauthorized access it is encrypted using a pass phrase. If this pass phrase is empty, anyone with access to your private key and certificate can gain access to the resources you have been granted. The pass phrase should also be different from your normal login password, so if your local system has been compromised the private key is still protected.:

<pre>-----
You are about to be asked to enter information that will be
incorporated into your certificate request. What you are about to
enter is what is called a Distinguished Name or a DN. There are
quite a few fields but you can leave some blank For some fields
there will be a default value, If you enter '.', the field will be
left blank.
-----
Level 0 Organization Name (do not modify) [Grid]:
Level 1 Organization Name (do not modify) [NorduGrid]:</pre>

The following questions regards your affiliation domain and your email. It is important that your domain and the domain in the email address is the same.:

<pre>Your Domain [example.org]:mydomain.org
Name (e.g., Hans Christian Andersen) []:Joe User
Email address (e.g., h.c.andersen@example.org) []:joe.user@
mydomain.org</pre>

Finally the private key and a certificate request are generated.:

<pre>A private key and a certificate request has been generated with
the subject:

/O=Grid/O=NorduGrid/OU=mydomain.org/CN=Joe User/Email=joe.user@
mydomain.org

If the CN=Joe User/Email=joe.user@mydomain.org is not appropriate,
rerun this script with the -force -cn "Common Name" options.

Your private key is stored in /home/joe/.globus/userkey.pem
Your request is stored in /home/joe/.globus/usercert_request.pem

Please e-mail the request to the NorduGrid Certification Authority
ca@nbi.dk You may use a command similar to the following:

cat /home/jonas/.globus/usercert_request.pem | mail ca@nbi.dk

Only use the above if this machine can send AND receive e-mail. if
not, please mail using some other method.

Your certificate will be mailed to you within two working days. If
you receive no response, contact NorduGrid Certification Authority
at ca@nbi.dk</pre>

== Creating a certificate request using openssl ==

If grid-proxy-init isn't available you can use ''openssl'' to create a certificate request and a private key. Openssl will ask for a password to protect the private key. Note, if the password or private key is lost, a new certificate must be obtained. The process is shown below:

$ mkdir -p ~/.globus
$ openssl req -new -newkey rsa:2048 \
-out ~/.globus/usercert_request.pem \
-keyout ~/.globus/userkey.pem \
-subj "/O=Grid/O=NorduGrid/OU=nsc.liu.se/CN=Kalle Kula/emailAddress=kalle@nsc.liu.se"
Generating a 2048 bit RSA private key
.........+++
.....................+++
writing new private key to '~/.globus/userkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

Modify OU, CN and emailAddress as necessary. It is probably important that your OU and the domain in the email address are the same.

== Sending the certificate request to the Nordugrid CA ==

When the certificate request is created there will be 2 files, '''userkey.pem''' and '''usercert_request.pem''', in a subdirectory called '''.globus''' in your home directory. The '''userkey.pem''' is your private key and should not be world readable. This can be achieved by using '''chmod 400 ~/.globus/userkey.pem'''.

The contents of the '''usercert_request.pem''' should be sent by mail to you neareast Registration Authority (RA). The RA will verify your request and verify your identity. This can involve meeting with the RA and proving your identity with a passport or equivalent documents. The current list of RA:s can be found at the following page:

[http://ca.nordugrid.org/ra.html http://ca.nordugrid.org/ra.html]

== Installing the certificate in your home directory ==

When certificate request is signed by the CA you will receive a mail with the certificate.

The important parts of the mail are shown below::

<pre>-----BEGIN CERTIFICATE-----
MIIDKDCCApGgAwIBAgICFAgwDQYJKoZIhvcNAQEFBQAwTzENMAsGA1UEChMER3Jp
ZDESMBAGA1UEChMJTm9yZHVHcmlkMSowKAYDVQQDEyFOb3JkdUdyaWQgQ2VydGlm
...
-----END CERTIFICATE-----</pre>

Copy the part shown above into the file '''usercert.pem''' in the '''.globus''' directory in your home directory.

== Installing the certificate in your browser ==

To use the requested certificate in your browser it has to be converted to pkcs12 format. This can be done using the following commands (on a linux/unix based system):

<pre>
$ cd ~/.globus
$ openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out DELETE_ME.p12
</pre>

First openssl ask for your passphrase for your private key.

<pre>
Enter pass phrase for userkey.pem:
</pre>

As the pkcs12 file will consist of both your public and private key, the generated file is protected by an additional passphrase which openssl asks for:
<pre>
Enter Export Password:
Verifying - Enter Export Password:
</pre>

The generated file, DELETE_ME.p12, can then be imported into your web browser.

To import the certificate in Firefox, open the "Advanced" tab in the Preferences dialog, and select the "Encryption" tab. Click the "Certificates" button and then the "Import..." button. Select your generated DELETE_ME.p12 file, and Firefox will then ask you for the export passphrase to entered in the openssl command. In Chrome, the procedure is pretty much the same, except you have to go to "Settings" and click "Under the Hood" in the sidebar and then the "Manage certificates..." button to find the "Import..." button.

On Mac OSX most browsers (except Firefox) use the keychain to store certificates, and you can import DELETE_ME.p12 to the keychain by double clicking it in the finder.

Do not forget to delete DELETE_ME.p12 when you are done.

== Renewing a NorduGrid user certificate ==

Go into your .globus directory. There you can make a new directory and jump into it to create your new certificates, while still be able to to use the old ones as long as they are valid.

<pre>
mkdir new`date +%y%m%d`
cd new`date +%y%m%d`
openssl req -newkey rsa:2048 -keyout newuserkey.pem -subj "/O=Grid/O=NorduGrid/OU=pdc.kth.se/CN=Firstname Lastname/emailAddress=your-email@pdc.kth.se" -new -out usercert_request.pem
chmod 400 newuserkey.pem
</pre>

Note: Firstname Lastname do not need to be uppercase. If you change case/spelling/email-address in your certificate when renewing a certificate, then RT-systems, web-servers, wiki et cetera will likely not recognize you, as it is often done through plain character string matching! So check what your had in your old cert in beforehand.

''Update'': For user certificates it is no longer necessary to create a signaturefile, but this is how you would have done it:
openssl dgst -binary -sign ../userkey.pem < usercert_request.pem > req.sig

=== Mailing your renewal request ===
You will have to send an email with the *_request.pem file inline and the eventual sigfile attached.
For human readability and faster responsetime it can be recommended to also paste the output of
openssl req -in usercert_request.pem -noout -text
into the body of the email. Another appreciated information is the time when your current certificate will expire.
The recipient of your email is generally your RA (the one you used when asking for your previous cert, see above) who will control, sign and forward it for you to ca@nordugrid.org.

If you are able to [[Grid_certificates#Signing_your_e-mail_with_your_certificate| sign the mail]] '''(signing doesn't mean attaching!!!)''' with the still valid old certificate in PKCS12 format you can send it directly to the CA at ca@nordugrid.org
In that case you don't need to give the information of when your current certificate will expire since it is obvious. It is still recommended though that you CC your RA who can then inform you of any expected delays and could point out if your signature doesn't look valid.

Requesting a grid certificate from the Nordugrid CA

2013-04-25T14:40:50Z

Michaela Barth (PDC):

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:SweStore]]
[[Category:SweStore user guide]]
[[Grid_certificates|< Grid certificates]]

The first step in acquiring a certificate from the nordugrid CA is to create a certificate request.

== Creating a certificate request using the ARC tools ==

This is done using the '''grid-cert-request -int''' command. (The -int options means interactive usage). When issued, the tool will generate a certificate request and a private key. The tool will also ask for a password to protect the private key. Note, if the password is lost a new certificate must be obtained. The process is shown below:

First the private key is generated:

<pre>$ grid-cert-request -int
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Using configuration from /etc/grid-security/globus-user-ssl.conf
Generating a 1024 bit RSA private key
.....................................++++++
....................++++++
writing new private key to '/home/jonas/.globus/userkey.pem'</pre>

To protect the private key from unauthorized access it is encrypted using a pass phrase. If this pass phrase is empty, anyone with access to your private key and certificate can gain access to the resources you have been granted. The pass phrase should also be different from your normal login password, so if your local system has been compromised the private key is still protected.:

<pre>-----
You are about to be asked to enter information that will be
incorporated into your certificate request. What you are about to
enter is what is called a Distinguished Name or a DN. There are
quite a few fields but you can leave some blank For some fields
there will be a default value, If you enter '.', the field will be
left blank.
-----
Level 0 Organization Name (do not modify) [Grid]:
Level 1 Organization Name (do not modify) [NorduGrid]:</pre>

The following questions regards your affiliation domain and your email. It is important that your domain and the domain in the email address is the same.:

<pre>Your Domain [example.org]:mydomain.org
Name (e.g., Hans Christian Andersen) []:Joe User
Email address (e.g., h.c.andersen@example.org) []:joe.user@
mydomain.org</pre>

Finally the private key and a certificate request are generated.:

<pre>A private key and a certificate request has been generated with
the subject:

/O=Grid/O=NorduGrid/OU=mydomain.org/CN=Joe User/Email=joe.user@
mydomain.org

If the CN=Joe User/Email=joe.user@mydomain.org is not appropriate,
rerun this script with the -force -cn "Common Name" options.

Your private key is stored in /home/joe/.globus/userkey.pem
Your request is stored in /home/joe/.globus/usercert_request.pem

Please e-mail the request to the NorduGrid Certification Authority
ca@nbi.dk You may use a command similar to the following:

cat /home/jonas/.globus/usercert_request.pem | mail ca@nbi.dk

Only use the above if this machine can send AND receive e-mail. if
not, please mail using some other method.

Your certificate will be mailed to you within two working days. If
you receive no response, contact NorduGrid Certification Authority
at ca@nbi.dk</pre>

== Creating a certificate request using openssl ==

If grid-proxy-init isn't available you can use ''openssl'' to create a certificate request and a private key. Openssl will ask for a password to protect the private key. Note, if the password or private key is lost, a new certificate must be obtained. The process is shown below:

$ mkdir -p ~/.globus
$ openssl req -new -newkey rsa:2048 \
-out ~/.globus/usercert_request.pem \
-keyout ~/.globus/userkey.pem \
-subj "/O=Grid/O=NorduGrid/OU=nsc.liu.se/CN=Kalle Kula/emailAddress=kalle@nsc.liu.se"
Generating a 2048 bit RSA private key
.........+++
.....................+++
writing new private key to '~/.globus/userkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

Modify OU, CN and emailAddress as necessary. It is probably important that your OU and the domain in the email address are the same.

== Sending the certificate request to the Nordugrid CA ==

When the certificate request is created there will be 2 files, '''userkey.pem''' and '''usercert_request.pem''', in a subdirectory called '''.globus''' in your home directory. The '''userkey.pem''' is your private key and should not be world readable. This can be achieved by using '''chmod 400 ~/.globus/userkey.pem'''.

The contents of the '''usercert_request.pem''' should be sent by mail to you neareast Registration Authority (RA). The RA will verify your request and verify your identity. This can involve meeting with the RA and proving your identity with a passport or equivalent documents. The current list of RA:s can be found at the following page:

[http://ca.nordugrid.org/ra.html http://ca.nordugrid.org/ra.html]

== Installing the certificate in your home directory ==

When certificate request is signed by the CA you will receive a mail with the certificate.

The important parts of the mail are shown below::

<pre>-----BEGIN CERTIFICATE-----
MIIDKDCCApGgAwIBAgICFAgwDQYJKoZIhvcNAQEFBQAwTzENMAsGA1UEChMER3Jp
ZDESMBAGA1UEChMJTm9yZHVHcmlkMSowKAYDVQQDEyFOb3JkdUdyaWQgQ2VydGlm
...
-----END CERTIFICATE-----</pre>

Copy the part shown above into the file '''usercert.pem''' in the '''.globus''' directory in your home directory.

== Installing the certificate in your browser ==

To use the requested certificate in your browser it has to be converted to pkcs12 format. This can be done using the following commands (on a linux/unix based system):

<pre>
$ cd ~/.globus
$ openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out DELETE_ME.p12
</pre>

First openssl ask for your passphrase for your private key.

<pre>
Enter pass phrase for userkey.pem:
</pre>

As the pkcs12 file will consist of both your public and private key, the generated file is protected by an additional passphrase which openssl asks for:
<pre>
Enter Export Password:
Verifying - Enter Export Password:
</pre>

The generated file, DELETE_ME.p12, can then be imported into your web browser.

To import the certificate in Firefox, open the "Advanced" tab in the Preferences dialog, and select the "Encryption" tab. Click the "Certificates" button and then the "Import..." button. Select your generated DELETE_ME.p12 file, and Firefox will then ask you for the export passphrase to entered in the openssl command. In Chrome, the procedure is pretty much the same, except you have to go to "Settings" and click "Under the Hood" in the sidebar and then the "Manage certificates..." button to find the "Import..." button.

On Mac OSX most browsers (except Firefox) use the keychain to store certificates, and you can import DELETE_ME.p12 to the keychain by double clicking it in the finder.

Do not forget to delete DELETE_ME.p12 when you are done.

== Renewing a NorduGrid user certificate ===

Go into your .globus directory. There you can make a new directory and jump into it to create your new certificates, while still be able to to use the old ones as long as they are valid.

<pre>
mkdir new`date +%y%m%d`
cd new`date +%y%m%d`
openssl req -newkey rsa:2048 -keyout newuserkey.pem -subj "/O=Grid/O=NorduGrid/OU=pdc.kth.se/CN=Firstname Lastname/emailAddress=your-email@pdc.kth.se" -new -out usercert_request.pem
chmod 400 newuserkey.pem
</pre>

Note: Firstname Lastname do not need to be uppercase. If you change case/spelling/email-address in your certificate when renewing a certificate, then RT-systems, web-servers, wiki et cetera will likely not recognize you, as it is often done through plain character string matching! So check what your had in your old cert in beforehand.

''Update'': For user certificates it is no longer necessary to create a signaturefile, but this is how you would have done it:
openssl dgst -binary -sign ../userkey.pem < usercert_request.pem > req.sig

=== Mailing your renewal request ===
You will have to send an email with the *_request.pem file inline and the eventual sigfile attached.
For human readability and faster responsetime it can be recommended to also paste the output of
openssl req -in usercert_request.pem -noout -text
into the body of the email. Another appreciated information is the time when your current certificate will expire.
The recipient of your email is generally your RA (the one you used when asking for your previous cert, see above) who will control, sign and forward it for you to ca@nordugrid.org.

If you are able to [[Grid_certificates#Signing_your_e-mail_with_your_certificate| sign the mail]] '''(signing doesn't mean attaching!!!)''' with the still valid old certificate in PKCS12 format you can send it directly to the CA at ca@nordugrid.org
In that case you don't need to give the information of when your current certificate will expire since it is obvious. It is still recommended though that you CC your RA who can then inform you of any expected delays and could point out if your signature doesn't look valid.