SNIC Documentation - User contributions [en]
Feed: https://docs.snic.se/w/api.php?action=feedcontributions&user=Jens+Larsson+%28NSC%29&feedformat=atom
Generated 2024-03-28T18:20:09Z by MediaWiki 1.31.10. All entries below are contributions by Jens Larsson (NSC); each entry's URL has the form https://docs.snic.se/w/index.php?title=TITLE&diff=DIFF.

Redirects created or retargeted on 2023-02-14. After each edit the page contains only the line #REDIRECT[[Swestore Documentation Moved]]:

* SweGrid/GridWorkshopNSC2011 (diff 8029, 13:20:37Z): Redirected page to Swestore Documentation Moved
* Chalmers Certificate Instructions (diff 8028, 13:20:01Z): Redirected page to Swestore Documentation Moved
* SLU Certificate Instructions (diff 8027, 13:19:32Z): Redirected page to Swestore Documentation Moved
* UU Certificate Instructions (diff 8026, 13:19:13Z): Redirected page to Swestore Documentation Moved
* Using swegrid resources (diff 8025, 10:25:26Z): Changed redirect target from Using SweGrid resources to Swestore Documentation Moved
* Swestore national storage (diff 8024, 10:25:16Z): Changed redirect target from Swestore to Swestore Documentation Moved
* SNIC Storage (diff 8023, 10:25:07Z): Changed redirect target from Swestore to Swestore Documentation Moved
* Swestore/National Storage (diff 8022, 10:24:55Z): Changed redirect target from Swestore to Swestore Documentation Moved
* SnicStorage (diff 8021, 10:24:47Z): Changed redirect target from Swestore to Swestore Documentation Moved
* SweStore introduction (diff 8020, 10:24:39Z): Changed redirect target from Swestore to Swestore Documentation Moved
* SNIC storage (diff 8019, 10:24:26Z): Changed redirect target from Swestore to Swestore Documentation Moved
* Swestore National Storage (diff 8018, 10:24:15Z): Changed redirect target from Swestore to Swestore Documentation Moved
* SweStore national storage (diff 8017, 10:24:07Z): Changed redirect target from Swestore to Swestore Documentation Moved
* Swegrid (diff 8015, 10:22:42Z): Changed redirect target from SweGrid to Swestore Documentation Moved
* Getting Access to SweStore National storage (diff 8014, 10:22:33Z): Changed redirect target from Swestore to Swestore Documentation Moved
* GridWorkshopNSC2011 (diff 8013, 10:21:55Z): Changed redirect target from Introduction to SweGrid (NSC 2011) to Swestore Documentation Moved
* Accessing SweStore national storage with lftp (diff 8012, 10:21:38Z): Changed redirect target from Accessing Swestore with lftp to Swestore Documentation Moved
* Accessing SweStore national storage with globus-url-copy (diff 8011, 10:21:28Z): Changed redirect target from Accessing Swestore with globus-url-copy to Swestore Documentation Moved
* Mounting SweStore National Storage via WebDav (diff 8010, 10:21:20Z): Changed redirect target from Accessing Swestore with davfs2 to Swestore Documentation Moved
* SweStore/National Storage/Mounting via WebDav (diff 8009, 10:21:06Z): Changed redirect target from Accessing Swestore with davfs2 to Swestore Documentation Moved
* Mounting SweStore national storage via WebDAV (diff 8008, 10:20:57Z): Changed redirect target from Accessing Swestore with davfs2 to Swestore Documentation Moved
* Mounting Swestore national storage via WebDAV (diff 8007, 10:20:45Z): Changed redirect target from Accessing Swestore with davfs2 to Swestore Documentation Moved
* How to Mount SweStore National Storage via WebDav (diff 8006, 10:20:35Z): Changed redirect target from Accessing Swestore with davfs2 to Swestore Documentation Moved
* Accessing SweStore national storage with cURL (diff 8005, 10:20:25Z): Changed redirect target from Accessing Swestore with cURL to Swestore Documentation Moved
* Accessing SweStore national storage with the cURL (diff 8004, 10:19:54Z): Changed redirect target from Accessing Swestore with cURL to Swestore Documentation Moved

Requesting a grid certificate using the Sectigo SSO Portal (diff 7928, 2022-12-15T07:32:13Z, Jens Larsson (NSC))
https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7928
<hr />
<div>{{#externalredirect: https://docs.swestore.se/access/certificates/sectigo/}} <br />
<br />
== Preparations ==<br />
<br />
Two requirements need to be fulfilled before you can request a grid (also called eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below).<br />
** A tool for testing this is the Sectigo SSO check page at https://cert-manager.com/customer/sunet/ssocheck.<br />
* Your identity must fulfil the requirements for requesting personal certificates; within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2) or higher.<br />
** This only needs to be done once. Routines vary between organizations; typically you visit a helpdesk and show an identity document so that your identity can be verified.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is that their identity does not fulfil the requirements for requesting personal certificates, see [[#Preparations]] above.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the private key is generated on the server side, i.e. the CA's systems create it and hand it to you in the PKCS#12 file, rather than the key only ever existing on your own computer.<br />
* If you want to avoid running local openssl commands or similar to get a certificate for your web browser.<br />
<br />
To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal ('''very important''').<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = Key Generation.<br />
* Select Key Type with an appropriate key length. "RSA-2048" is usually good enough.<br />
* Provide a password that will be used to encrypt the PKCS#12 file you get back. Choose a strong one: the file contains your private key and this password is the only thing protecting it.<br />
* Check the "I have read and agree to the terms of the EULA" checkbox.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered your certificate and key for download as a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side.<br />
* If there is a technical reason that needs the key to be genereated locally.<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL. Replace 'Mitt Namn' with your own name; the subject of the issued certificate is taken from your login identity, not from the CSR. You will be asked for a pass phrase, which encrypts userkey.pem on disk. The umask makes the key file private from the moment it is created; the chmod repairs the permissions if the file already existed:<br />
<br />
 umask 077<br />
 openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
 chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal ('''very important''').<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = CSR.<br />
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below.<br />
* Check the "I have read and agree to the terms of the EULA" checkbox.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered your certificate for download as a PEM-format file called certs.pem.<br />
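The CSR procedure above, as an added example that is not part of the original page: a POSIX shell script that generates the key and CSR the way the page does and checks, before anything is uploaded, that the CSR carries the public key belonging to the key file you will keep, that the key file is private, and that the key has the size you asked for. It assumes OpenSSL 1.1.1 or 3.x on PATH and the file names used on this page; the CN "Your Name", the pass phrase and the SWESTORE_CSR_DEMO and KEY_PASS variables are placeholders chosen for this example.<br />

```shell
#!/bin/sh
# Added example (not from the original page): key + CSR for the
# "Enrollment Method = CSR" path, with checks before upload.
# Assumes OpenSSL 1.1.1 or 3.x; file names follow the page.

# make_key_and_csr NAME KEYFILE CSRFILE PASSPHRASE [BITS]
# The private key is written encrypted with PASSPHRASE. umask 077 in a
# subshell makes the key file 0600 from the moment it is created, so there
# is no window in which it is readable by others before a later chmod.
make_key_and_csr() {
    name=$1 key=$2 csr=$3 pass=$4 bits=${5:-4096}
    (
        umask 077
        openssl req -new -newkey "rsa:$bits" -sha256 \
            -subj "/CN=$name" \
            -keyout "$key" -out "$csr" \
            -passout "pass:$pass" >/dev/null 2>&1
    )
}

# csr_matches_key KEYFILE CSRFILE PASSPHRASE
# Succeeds only if the public key inside the CSR is the one derived from
# KEYFILE, i.e. the certificate you get back will work with this key.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -passin "pass:$3" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# key_is_private KEYFILE: mode is rw for the owner and nothing for others
key_is_private() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# csr_subject CSRFILE: the subject you put in, for a last look before upload
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# csr_key_bits CSRFILE: RSA modulus size carried by the CSR
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Placeholder driver: SWESTORE_CSR_DEMO=1 KEY_PASS=... sh thisfile.sh
if [ "${SWESTORE_CSR_DEMO:-0}" = 1 ]; then
    make_key_and_csr "Your Name" userkey.pem usercert_request.pem "$KEY_PASS" &&
    csr_matches_key userkey.pem usercert_request.pem "$KEY_PASS" &&
    key_is_private userkey.pem &&
    echo "CSR ok: $(csr_subject usercert_request.pem), $(csr_key_bits usercert_request.pem) bit"
fi
```

Run with SWESTORE_CSR_DEMO=1 and KEY_PASS set to produce userkey.pem and usercert_request.pem in the current directory, or source the file and call the functions on files you already have. csr_matches_key fails for a wrong pass phrase as well as for a mismatched key, so it doubles as a check that you remember the pass phrase before you depend on the key.<br />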
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." after clicking the SUBMIT button and accepting the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27: This behaviour will also be reported as a bug to Sectigo, asking them to handle it more smoothly.''<br />
<br />
''2022-05-02: We are fairly sure that, for some time now, the behaviour has instead been to automatically revoke older certificates so that only the two most recent certificates per certificate profile remain valid.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself. You will be asked for the pass phrase of userkey.pem and then for a new export password that protects certs.p12:<br />
<br />
 openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The second, more direct, alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem, readable by you only (mode 0400 or 0600; grid tools such as grid-proxy-init refuse a key file with wider permissions).<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem.<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users.<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Failed verification<br />
<br />
* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here]; administrators are welcome to contact tcs@sunet.se for help with the setup.</div>

MediaWiki:Sidebar (diff 7927, 2022-12-13T15:13:57Z, Jens Larsson (NSC))
https://docs.snic.se/w/index.php?title=MediaWiki:Sidebar&diff=7927
<hr />
<div>* <br />
** mainpage|mainpage-description<br />
** Research areas|Research areas<br />
** Centres|Centres<br />
** Software|Software<br />
** Training|Training<br />
** Swestore|Swestore<br />
** Projects|Projects<br />
** Support|Support<br />
* People<br />
**Application experts|Application experts<br />
**Systems experts|Systems experts<br />
* For Staff<br />
** help:Editing policies|Editing policies<br />
** Help:Management|Management<br />
** https://sonc.swegrid.se/wiki/|Internal<br />
* SEARCH<br />
* TOOLBOX<br />
* LANGUAGES</div>

MediaWiki:Sidebar (diff 7926, 2022-12-13T14:59:42Z, Jens Larsson (NSC))
https://docs.snic.se/w/index.php?title=MediaWiki:Sidebar&diff=7926
<hr />
<div>* <br />
** mainpage|mainpage-description<br />
** Research areas|Research areas<br />
** Centres|Centres<br />
** Software|Software<br />
** Training|Training<br />
** https://docs.swestore.se/|Swestore<br />
** Projects|Projects<br />
** Support|Support<br />
* People<br />
**Application experts|Application experts<br />
**Systems experts|Systems experts<br />
* For Staff<br />
** help:Editing policies|Editing policies<br />
** Help:Management|Management<br />
** https://sonc.swegrid.se/wiki/|Internal<br />
* SEARCH<br />
* TOOLBOX<br />
* LANGUAGES</div>

MediaWiki:Sidebar (diff 7925, 2022-12-13T14:59:05Z, Jens Larsson (NSC))
https://docs.snic.se/w/index.php?title=MediaWiki:Sidebar&diff=7925
<hr />
<div>* <br />
** mainpage|mainpage-description<br />
** Research areas|Research areas<br />
** Centres|Centres<br />
** Software|Software<br />
** Training|Training<br />
** Swestore|https://docs.swestore.se/<br />
** Projects|Projects<br />
** Support|Support<br />
* People<br />
**Application experts|Application experts<br />
**Systems experts|Systems experts<br />
* For Staff<br />
** help:Editing policies|Editing policies<br />
** Help:Management|Management<br />
** https://sonc.swegrid.se/wiki/|Internal<br />
* SEARCH<br />
* TOOLBOX<br />
* LANGUAGES</div>

Swestore (diff 7868, 2022-03-10T08:37:55Z, Jens Larsson (NSC); edit summary: /* Swestore */)
https://docs.snic.se/w/index.php?title=Swestore&diff=7868
<hr />
<div>In scientific areas such as high energy physics (the Large Hadron Collider at CERN), climate modelling, bioinformatics, bioimaging etc., the demands for research data storage and research data services are increasing dramatically. To serve these and other user communities, SNIC has appointed this working group to design a storage strategy, taking into account the research community needs. <br />
For more information please contact [https://supr.snic.se/support/ Swestore Support]<br />
<br />
=Swestore=<br />
Swestore is a Research Data Storage Infrastructure, intended for active research data and operated by the Swedish National Infrastructure for Computing (SNIC). <br />
<br />
The resources provided by Swestore are made available through open procedures such that the best Swedish research is supported and new research is facilitated. The purpose of Swestore allocations, granted by Swedish National Allocations Committee (SNAC), is to provide large scale data storage for “live” or “working” research data, also known as active research data. <br />
<br />
The aim of this nationally accessible storage (Swestore) is to build a robust, flexible and expandable system that can be used in most cases where access to large scale storage is needed. To the user, each resource should appear as a single large system, while parts of the system may be deployed and distributed across SNIC centres to benefit from, among other things, locality and redundancy. We continuously investigate new technologies suitable for implementing Swestore. This storage solution is intended as versatile short and medium term storage (allocations of one to four years) for large-scale research data. It is best suited for so called "warm" data that is not being analysed or processed right now but is still relevant for the active research project. Project allocations are usually not backed up unless agreed otherwise; all files, i.e. digital objects, exist in two replicas in two geographically different locations. Note that replication protects against hardware and site failures, not against accidental deletion or overwriting, which is replicated too. The main purpose of this type of storage is to offload the fast storage (Center Storage) during the active research phase and to move data from and to SNIC Centers. <br />
<br />
Today, Swestore is available as a resource built on [https://www.dcache.org/ dCache] '''Swestore-dCache'''.<br />
<br />
There was also a resource based on the [https://irods.org/ iRODS] technology ('''Swestore-iRODS'''), but it was decommissioned at the end of 2021.<br />
<br />
= Getting access to Swestore=<br />
Before you can access Swestore you need to be a member of a storage project.<br />
<br />
== Apply for storage (for the PI) ==<br />
All Swestore project allocations are managed using the [https://supr.snic.se SNIC User and Project Repository portal, SUPR]. Please follow the instructions on the [http://www.snic.se/resources/swestore/ Apply for storage on Swestore] page to apply for storage.<br />
<br />
== Apply for project membership (for all users) ==<br />
<br />
All project members must register in [https://supr.snic.se SUPR], sign the [https://supr.snic.se/public/user_agreement/ SNIC User Agreement] (if they have not already done so) and be added to the approved project by the PI. This can happen in two ways:<br />
<br />
* The PI can add you to a project<br />
* You can request membership to a project:<br />
** Log in to [https://supr.snic.se SUPR]<br />
** Click on the ''Projects'' heading in the left hand menu.<br />
** In the ''Request Membership in Project'' section of the page, fill in a project search criteria according to the on-page instructions and click '''Search for Project'''<br />
** Locate the project and click '''Request''' button in the ''Request Membership'' column.<br />
** The PI and any Co-PI will be notified of your request and approve/deny as they deem appropriate.<br />
<br />
When your project membership is approved by the PI the Swestore system will map an account for you and add access to the project storage directory. Please wait for up to 10 minutes for this information to be distributed to Swestore.<br />
<br />
== Finding the project storage directory name (for all users)==<br />
<br />
All SNIC storage projects, including Swestore projects, are assigned a unique directory name, which is used to locate your storage area.<br />
<br />
To find the directory name for a storage project:<br />
<br />
* Log in to [https://supr.snic.se SUPR]<br />
* Click on the project ID in the left hand menu.<br />
* The project ''Directory Name'' is shown in the Basic Information section on top of the page.<br />
<br />
The project storage area is available in the path '''/snic/directory_name/''' in Swestore-dCache and in the path '''/snic.se/projects/directory_name''' in Swestore-iRODS.<br />
<br />
== Set your Swestore password (for users accessing with username/password authentication) ==<br />
<br />
The username/password access method works for both dCache and iRODS. It requires you to set a password on your Swestore account.<br />
<br />
Follow the instruction on the page [[Setting your Swestore password]].<br />
<br />
For dCache there are other options, including certificates, please check the [[Swestore-dCache]] documentation for further details.<br />
<br />
= Using your storage area =<br />
<br />
After having performed the basic steps above you are ready to start using your storage area.<br />
<br />
Proceed to the technology-specific documentation:<br />
<br />
[[Swestore-dCache]]<br />
<br />
or<br />
<br />
[[Swestore-iRODS]]<br />
<br />
as appropriate.<br />
<br />
If you are unsure of the technology used by your storage project, you can find out:<br />
<br />
* Log in to [https://supr.snic.se SUPR]<br />
* Click on the project ID in the left hand menu.<br />
* Scroll down to the ''Storage'' section.<br />
* The ''Resource'' column shows the storage technology for the storage project.<br />
<br />
= Support and Help Desk =<br />
If you have any issues using Swestore, please do not hesitate to contact [https://supr.snic.se/support/ Swestore Support].<br />
<br />
Support and Help Desk services are available during regular office hours (09-17), except when the SNIC partner centres are closed for holidays, administrative closing or inclement weather. Individual support providers may offer longer service hours than stated above; outside service hours, however, Swestore Support does not guarantee that personnel able to handle service requests or solve incidents are present.<br />
<br />
=Glossary=<br />
; Active (Research) data<br />
: is data that is being worked on as part of a research project and is therefore subject to change. The files containing the data will need to be accessed and amended or updated as new data is gathered or processed.<br />
; Static (Research) data: is data that is no longer in the process of change and it can be prepared for preservation and reuse.<br />
; Backup<br />
: is a copy of the digital data to be stored and used as a replacement in case the main copy is either deleted or corrupted.<br />
; Archive<br />
: is a service to record, organise, and store (digital) items in optimal conditions, with standardised labelling to ensure their longevity and continued access. The service is based on application of metadata, archiving policies, records management, and digital preservation actions. Archivists make decisions on selection and retention of items which are usually governed by supporting policies.</div>

Accessing Swestore with rclone (diff 7717, 2021-02-15T15:51:02Z, Jens Larsson (NSC); edit summary: /* Configuration */)
https://docs.snic.se/w/index.php?title=Accessing_Swestore_with_rclone&diff=7717
<hr />
<div>[[Category:Grid computing]]<br />
[[Category:SweGrid user guide]]<br />
[[Category:Swestore]]<br />
[[Category:Swestore user guide]]<br />
<br />
[[Swestore|< Swestore]]<br />
<br />
This guide describes how to use the [https://rclone.org/webdav/ Rclone] ''WebDAV'' client for storing and retrieving files from Swestore. Rclone is versatile and supports many protocols through a simple command line interface (CLI).<br />
<br />
= Requirements =<br />
To access Swestore using rclone you need to be a member of a Swestore storage project, see [[Swestore#Getting access to Swestore]].<br />
<br />
To install rclone on your own computer, follow the instructions for your system in the official rclone documentation [https://rclone.org/install/ here].<br />
<br />
= Quickstart =<br />
<br />
== Swestore access URL ==<br />
<br />
The WebDAV access URL for Swestore should be specified for <code>rclone</code> as:<br />
<br />
:: https://webdav.swestore.se<br />
<br />
== Basic commands ==<br />
: <code>rclone config</code> - configure rclone. See [https://rclone.org/docs/#configure Rclone configuration] for details.<br />
: <code>rclone ls</code> - for listing files. Works similarly to <code>ls</code>. See [https://rclone.org/commands/rclone_ls/ Rclone ls].<br />
: <code>rclone copyto</code> - for copying directories or separate files. Works similarly to <code>cp</code> with wildcards. See [https://rclone.org/commands/rclone_copyto/ Rclone copyto].<br />
: <code>rclone copy</code> - for copying contents of directories. Works similarly to <code>cp -R path/*</code>. See [https://rclone.org/commands/rclone_copy/ Rclone copy].<br />
: <code>rclone mkdir</code> - for creating directories. Works similarly to <code>mkdir -p</code>. See [https://rclone.org/commands/rclone_mkdir/ Rclone mkdir].<br />
: <code>rclone deletefile</code> - for removing specific files. Works similarly to <code>rm</code>. See [https://rclone.org/commands/rclone_deletefile/ Rclone deletefile].<br />
:: More powerful removal functions are available, but '''be careful''' with these;<br />
::: <code>rclone delete</code> - for removing all files under path - i.e. '''you lose your data'''. Works similarly to <code>find path -type f | xargs rm</code>. See [https://rclone.org/commands/rclone_delete/ Rclone delete].<br />
::: <code>rclone rmdir</code> - removing path if empty. Works similarly to <code>rm -d</code>. See [https://rclone.org/commands/rclone_rmdir/ Rclone rmdir].<br />
::: <code>rclone rmdirs</code> - removing all empty directories under path. Works similarly to <code>find path -type d | awk '{ print length, $0 }' | sort -nsr | cut -d" " -f2- | xargs rm -d</code> (example modified from [https://stackoverflow.com/a/5917762 stackoverflow]). See [https://rclone.org/commands/rclone_rmdirs/ Rclone rmdirs].<br />
::: <code>rclone purge</code> - removing all data under path, including path - i.e. '''you lose your data'''. Works similarly to <code>rm -rf</code>. See [https://rclone.org/commands/rclone_purge/ Rclone purge]. Run any of these with <code>--dry-run</code> first to see what would be removed.<br />
<br />
Use <code>man</code> and <code>--help</code> to get more info on rclone and its commands. Examples: <code>man rclone</code>, <code>rclone --help</code> or <code>rclone copy --help</code> .<br />
<br />
== Paths ==<br />
The rclone commands support multiple storage protocols. Given that you have configured <code><nowiki>https://webdav.swestore.se</nowiki></code> as the <code>swestore</code> remote, we recommend using WebDAV with paths of the form <code><nowiki>swestore:/snic/YOUR_PROJECT_DIR/...</nowiki></code> .<br />
<br />
= Configuration =<br />
<br />
You have to configure rclone with your access protocol, URL and user login credentials before it will work. Issue the following command to configure rclone interactively:<br />
<br />
 $ rclone config<br />
<br />
For WebDAV, this amounts to answering roughly as follows:<br />
<br />
: <code>n</code> for '''New remote'''<br />
: <code>swestore</code> for '''name'''<br />
: <code>37</code> for '''Storage''' (or whatever number WebDAV has; this changes between releases)<br />
: <code><nowiki>https://webdav.swestore.se</nowiki></code> for '''url'''<br />
: <code>4</code> for '''vendor''' (Other)<br />
: <code>yourusername</code> for '''user'''; Swestore usernames have the form <code>s_user</code><br />
: <code>y</code> for '''Yes type in my own password'''<br />
:: then enter your swestore password twice<br />
: Just press <code><nowiki><Enter></nowiki></code> for '''bearer_token'''<br />
: <code>n</code> for '''Edit advanced config?'''<br />
: <code>y</code> if you think the resulting config is correct, otherwise <code>e</code> to edit again.<br />
: <code>q</code> to '''Quit config'''<br />
<br />
To see your configuration afterwards, run<br />
<br />
 $ cat ~/.config/rclone/rclone.conf<br />
<br />
The password in this file is only obscured (the reversible encoding produced by <code>rclone obscure</code>), not encrypted, so anyone who can read the file can recover it. Keep the file readable by you only (mode 0600) and consider protecting it with a configuration password via the '''Set configuration password''' option in <code>rclone config</code>.<br />
<br />
You can also list your configured remotes by issuing<br />
<br />
$ rclone listremotes<br />
<br />
In the following sections, we are assuming your swestore remote is named <code>swestore</code><br />
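A non-interactive way to create the same remote, as an added example that is not part of the original page or of rclone: a POSIX shell script that writes the <code>[swestore]</code> section into rclone.conf in rclone's documented INI layout with the values the wizard asks for, replaces any earlier <code>[swestore]</code> section while keeping other remotes, and leaves the file readable only by you. It assumes the <code>rclone obscure</code> command for encoding the password, that Swestore usernames have the form s_user, and a few placeholder names (SWESTORE_RCLONE_SETUP, SWESTORE_USER) invented for this example.<br />

```shell
#!/bin/sh
# Added example, not from the original page or from rclone: create the
# "swestore" WebDAV remote without the wizard and keep the credential file
# private. Assumes rclone's INI config layout and the rclone obscure command.

SWESTORE_URL=https://webdav.swestore.se

# swestore_user_ok USER: Swestore usernames have the form s_<name>
swestore_user_ok() {
    case "$1" in
        s_[A-Za-z0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_swestore_remote CONFFILE USER OBSCURED_PASS
# OBSCURED_PASS is what `rclone obscure` prints, which is the form rclone
# stores; it is reversible, so the file is created 0600 and kept that way.
# An existing [swestore] section is replaced, other remotes are kept.
write_swestore_remote() {
    conf=$1 user=$2 obscured=$3
    swestore_user_ok "$user" || { echo "bad username: $user" >&2; return 1; }
    ( umask 077
      mkdir -p "$(dirname "$conf")" &&
      { [ -f "$conf" ] && awk '/^\[/ {skip = ($0 == "[swestore]")} !skip' "$conf"; true; } > "$conf.tmp" &&
      printf '[swestore]\ntype = webdav\nurl = %s\nvendor = other\nuser = %s\npass = %s\n' \
          "$SWESTORE_URL" "$user" "$obscured" >> "$conf.tmp" &&
      mv "$conf.tmp" "$conf" && chmod 0600 "$conf" )
}

# conf_value CONFFILE KEY: value of KEY in the [swestore] section
conf_value() {
    awk -v k="$2" '/^\[/ {s = $0; next} s == "[swestore]" && $1 == k {print $3}' "$1"
}

# conf_is_private CONFFILE: rw for the owner, nothing for group and others
conf_is_private() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# Placeholder driver: SWESTORE_RCLONE_SETUP=1 SWESTORE_USER=s_you sh thisfile.sh
# The password is read from the terminal, never from the command line, so it
# does not end up in shell history or in the process list.
if [ "${SWESTORE_RCLONE_SETUP:-0}" = 1 ]; then
    printf 'Swestore password: ' >&2
    stty -echo; read -r pw; stty echo; echo >&2
    write_swestore_remote "${HOME}/.config/rclone/rclone.conf" "$SWESTORE_USER" "$(rclone obscure "$pw")" &&
    conf_is_private "${HOME}/.config/rclone/rclone.conf" && echo "remote swestore written"
fi
```

After running it, <code>rclone listremotes</code> should show <code>swestore:</code> and <code>rclone lsd swestore:/snic/YOUR_PROJECT_DIR</code> should list your project area. Writing the file yourself does nothing <code>rclone config</code> would not do; the point is that the permissions and the replacement of a stale section are explicit, and that the password never appears in shell history.<br />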
<br />
= Copying files = <br />
<br />
Copying files to and from resources is accomplished using the rclone '''copy''' and '''copyto''' commands. <br />
<br />
== Copying single files ==<br />
<br />
Copying single files is accomplished in the same way as using the<br />
normal '''cp''' command as shown in the following example:<br />
<br />
$ rclone copyto archive.tar.gz swestore:/snic/YOUR_PROJECT_DIR/archive.tar.gz<br />
<br />
You can also use '''copyto''' in order to rename the file in the process of copying it to the destination, by specifying a different filename on the remote.<br />
<br />
== Recursive copying ==<br />
<br />
Recursive copying of a directory is accomplished with the '''copy''' command. It copies only files that differ between source and destination, as determined by size, modification time and, where the backend supports it, checksums. Observe that the source directory itself is not copied, only its contents. Also, empty directories are omitted.<br />
<br />
Example:<br />
<br />
$ rclone copy /path/to/src swestore:/snic/YOUR_PROJECT_DIR/DESTINATION_DIRECTORY<br />
<br />
The option '''--no-traverse''' skips listing the destination (useful when copying a few files into a huge directory tree). '''--max-age''' restricts the transfer to files modified within the given age, and '''-P''' shows progress.<br />
<br />
Example, copying the last day's modifications, with progress:<br />
<br />
$ rclone copy --max-age 24h --no-traverse -P /path/to/src swestore:/snic/YOUR_PROJECT_DIR/DESTINATION_DIRECTORY<br />
<br />
'''NOTE:''' The above example will copy all files in the directory <code>src</code> into <br />
the destination directory <code>DESTINATION_DIRECTORY</code>. If you want the directory <code>src</code><br />
to be part of the destination path you have to explicitly supply it as shown in the example below:<br />
<br />
$ rclone copy /path/to/src swestore:/snic/YOUR_PROJECT_DIR/DESTINATION_DIRECTORY/src<br />
<br />
= Listing =<br />
<br />
Rclone supports listing all files under a path; you can list recursively with the '''-R''' flag.<br />
<br />
Listing files and directories on a resource is done with the '''ls''' command<br />
or one of the '''ls*''' commands (see below). The plain '''ls''' command<br />
only lists objects and their sizes:<br />
<br />
$ rclone ls swestore:/snic/YOUR_PROJECT_DIR<br />
<br />
Further functionality is available through the following '''ls*''' commands:<br />
<br />
: <code>lsl</code> long listing with additional info<br />
: <code>lsd</code> list only directories<br />
: <code>lsf</code> list objects and directories, in a fashion good for scripting<br />
: <code>lsjson</code> gives advanced output in JSON format<br />
<br />
Example:<br />
<br />
$ rclone lsl swestore:/snic/YOUR_PROJECT_DIR<br />
<br />
= Creating directories = <br />
<br />
Directories are generally created on demand: if you copy a file to the destination <code>/snic/YOUR_PROJECT_DIR/newdir/dummyfile</code>, the directory <code>newdir</code> is created if missing. You can also create directories explicitly with the '''mkdir''' command.<br />
<br />
$ rclone mkdir swestore:/snic/YOUR_PROJECT_DIR/newdir<br />
<br />
= Removing files or directories =<br />
<br />
'''Beware''' that the command '''delete''' will recursively delete all file objects under the specified path!<br />
<br />
To remove the file <code>dummyfile</code> under <code>/snic/YOUR_PROJECT_DIR/newdir</code>,<br />
<br />
$ rclone deletefile swestore:/snic/YOUR_PROJECT_DIR/newdir/dummyfile<br />
<br />
A directory has to be empty before it can be removed, which is done with the command<br />
<br />
$ rclone rmdir swestore:/snic/YOUR_PROJECT_DIR/newdir/<br />
<br />
To remove '''all''' empty directories under a path, use<br />
<br />
$ rclone rmdirs swestore:/snic/YOUR_PROJECT_DIR/newdir/<br />
<br />
To recursively remove '''all''' files under <code>/snic/YOUR_PROJECT_DIR/newdir</code>, leaving the empty directory structure in place, '''be careful''':<br />
<br />
$ rclone delete swestore:/snic/YOUR_PROJECT_DIR/newdir/<br />
<br />
'''Do not use''' the command '''purge''', as that will '''delete everything''' under the path specified, including the directory itself.<br />
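Because deletions on Swestore cannot be undone, it pays to put a guard between yourself and <code>rclone delete</code> / <code>rclone purge</code>. The shell functions below are an added example, not part of the Swestore documentation or of rclone: they refuse any target that is not at least one level below a project directory under the <code>swestore</code> remote (the remote name and the <code>/snic/</code> prefix are assumed from the path convention above), run the command with <code>--dry-run</code> first, and only proceed after you retype the full target path.<br />
<br />
```bash
#!/usr/bin/env bash
# Added example (not from the Swestore docs or rclone): a blast-radius guard
# around rclone delete / purge.

REMOTE_PREFIX="swestore:/snic/"   # remote name and prefix assumed from the page's path convention

# Accept only swestore:/snic/<project>/<something...>, i.e. at least one level
# below a project directory, with no empty, "." or ".." components.
guard_delete_target() {
    target=$1
    case $target in
        "$REMOTE_PREFIX"*) ;;
        *) echo "refusing: $target is not under $REMOTE_PREFIX" >&2; return 1 ;;
    esac
    rest=${target#"$REMOTE_PREFIX"}
    rest=${rest%/}                        # tolerate one trailing slash
    case "/$rest/" in
        *//*|*/./*|*/../*)
            echo "refusing: $target has empty, . or .. path components" >&2; return 1 ;;
    esac
    case $rest in
        */*) return 0 ;;                  # <project>/<sub...>: fine
        *) echo "refusing: $target would empty a whole project directory" >&2; return 1 ;;
    esac
}

# Dry-run first, then require the full target path to be retyped before the
# real (irreversible) run. CMD is "delete" or "purge".
safe_rclone_rm() {
    cmd=$1 target=$2
    case $cmd in
        delete|purge) ;;
        *) echo "usage: safe_rclone_rm delete|purge TARGET" >&2; return 2 ;;
    esac
    guard_delete_target "$target" || return 1
    echo "--- dry run of: rclone $cmd $target ---" >&2
    rclone "$cmd" --dry-run -v "$target" || return 1
    printf 'Retype the target path to run rclone %s for real: ' "$cmd" >&2
    read -r confirm
    [ "$confirm" = "$target" ] || { echo "aborted" >&2; return 1; }
    rclone "$cmd" "$target"
}

# Usage: safe_rclone_rm delete swestore:/snic/YOUR_PROJECT_DIR/newdir/
```
<br />
The guard is deliberately conservative: a bare project directory, a path with <code>..</code> in it or a path on another remote is rejected before rclone is even invoked, and the dry run shows exactly which objects would go.<br />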
<br />
= FAQ =<br />
<br />
'''Q''': I used <code>rclone purge</code> or <code>rclone delete</code> and have now deleted all my files; can I get them back somehow?<br />
: '''A''': '''No'''. Swestore does not currently support recovery of data that the user has explicitly requested to be deleted, whether intentionally or by mistake. Therefore '''caution''' is advised when using powerful tools such as <code>rclone</code>.</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Accessing_Swestore_with_rclone&diff=7716Accessing Swestore with rclone2021-02-15T13:32:08Z<p>Jens Larsson (NSC): /* Configuration */</p>
https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7685Requesting a grid certificate using the Sectigo SSO Portal2020-12-18T12:47:40Z<p>Jens Larsson (NSC): /* Organization Support */</p>
<hr />
<div>== Preparations ==<br />
<br />
Two requirements need to be fulfilled in order to request a grid (aka eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below)<br />
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck<br />
* Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.<br />
** This only needs to be done once. Routines vary among organizations; typically you visit a helpdesk and show an identity document to verify your identity.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is that the identity does not fulfil the requirements for requesting personal certificates, see [[#Preparations]] above.<br />
<br />
To proceed, you need to choose whether the key for your certificate should be generated by you on your computer or on the server side. The two methods are described in the following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side (the private key then exists, at least briefly, on a system you do not control)<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser<br />
<br />
To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Generate RSA<br />
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side<br />
* If there is a technical reason that requires the key to be generated locally<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
 # Generate a passphrase-protected 4096-bit RSA key and a CSR for it (use your own name as CN)<br />
 openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
 # Make the private key readable by you only<br />
 chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Upload CSR<br />
* Use "Choose File" to upload the usercert_request.pem file you created above<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
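The two OpenSSL steps above (key and CSR generation, then building the PKCS#12 file) can be tied together with a check that the certificate you downloaded really belongs to the key you generated, which catches a mix-up between several enrolments or between the server-side and CSR methods. The functions below are an added example, not part of the SUNET or Sectigo instructions; the passphrases are read from the environment variables <code>KEY_PASS</code> and <code>P12_PASS</code> (assumed names) rather than typed on the command line, and the key size defaults to 4096 bits as above.<br />
<br />
```bash
#!/usr/bin/env bash
# Added example (not from the SUNET/Sectigo instructions): key + CSR generation,
# a key/certificate match check, and PKCS#12 packaging.
# Requires: openssl; KEY_PASS and P12_PASS exported in the environment.

# Create userkey.pem (passphrase-protected, mode 600 from the start thanks to the
# umask, so there is no world-readable window before a chmod) and
# usercert_request.pem in DIR, with CN set to NAME. KEY_BITS overrides 4096.
make_key_and_csr() {
    dir=$1 name=$2
    ( umask 077 && cd "$dir" &&
      openssl req -new -newkey "rsa:${KEY_BITS:-4096}" \
          -keyout userkey.pem -out usercert_request.pem \
          -subj "/CN=$name" -passout env:KEY_PASS 2>/dev/null ) || return 1
    # The CSR must carry a valid self-signature and the subject we asked for.
    openssl req -in "$dir/usercert_request.pem" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$dir/usercert_request.pem" -noout -subject | grep -q "CN *= *$name"
}

# Succeed only if the public key in CERT is the public key derived from KEY.
# Both are compared as SubjectPublicKeyInfo PEM blocks.
cert_matches_key() {
    key=$1 cert=$2
    kpub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ -n "$cpub" ] && [ "$kpub" = "$cpub" ]
}

# Wrap KEY and CERT into OUT (a PKCS#12 file for the browser), refusing a
# mismatched pair, then confirm the bundle opens with P12_PASS.
make_p12() {
    key=$1 cert=$2 out=$3
    cert_matches_key "$key" "$cert" || { echo "$cert does not belong to $key" >&2; return 1; }
    ( umask 077 && openssl pkcs12 -export -inkey "$key" -passin env:KEY_PASS \
          -in "$cert" -out "$out" -passout env:P12_PASS 2>/dev/null ) || return 1
    openssl pkcs12 -in "$out" -passin env:P12_PASS -nokeys -noout 2>/dev/null
}

# Usage (interactive):
#   export KEY_PASS='...' P12_PASS='...'
#   make_key_and_csr . 'Mitt Namn'             # then upload usercert_request.pem to the portal
#   make_p12 userkey.pem certs.pem certs.p12   # after downloading certs.pem
```
<br />
If an older browser refuses the resulting file, OpenSSL 3 can write the older PKCS#12 encryption scheme with the <code>-legacy</code> option to <code>openssl pkcs12 -export</code>.<br />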
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click the button 'View Certificates', click the button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem, readable only by you (mode 0600 or 0400; grid tools refuse a key file with more permissive modes)<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Failed verification<br />
<br />
* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7684Requesting a grid certificate using the Sectigo SSO Portal2020-12-18T12:47:21Z<p>Jens Larsson (NSC): </p>
https://docs.snic.se/w/index.php?title=Support&diff=7642Support2020-11-16T13:32:03Z<p>Jens Larsson (NSC): </p>
<hr />
<div>Support alternatives:<br />
<br />
; Guides<br />
: This site has a number of guides on a variety of subjects, see [[:Category:Guide]].<br />
<br />
; Centre, Swestore and SUPR support<br />
: Go to [http://supr.snic.se/support http://supr.snic.se/support]. If you can login to SUPR you can use a support form that helps you fill in a good support request. If you cannot login you will get a list of email addresses to use for your support request.<br />
: This is by far the quickest way of getting your problems solved, and this is where you should address all your support questions. In case an issue cannot be immediately solved by these support queues it will be forwarded to the right place for you. <br />
<br />
; Application support<br />
: e-mail: [mailto:application-support@snic.se application-support@snic.se]<br><br />
: This mail address can be used if you have support questions that are not directly regarding how to run a given application on a specific SNIC HPC resource, but regarding how to use the application itself or how to solve an issue with the application that is not specific to running it on a certain resource. <br><br />
: The application-support queue is monitored by all the application experts, who are distributed over all the six SNIC HPC centers, so there is a good chance that someone who knows the given application will see the support request and help answer your questions or solve your issue. <br><br />
: If you don’t know whether or not to use the application-support address for your support request, then just send your request to the support address at the HPC center where you run your jobs. Then someone monitoring that support queue will in turn move your support request to the application-support queue if they find that your request is better handled there.</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Swestore-irods&diff=7641Swestore-irods2020-11-16T13:29:41Z<p>Jens Larsson (NSC): Redirected page to Swestore-iRODS</p>
<hr />
<div>#REDIRECT [[Swestore-iRODS]]<br />
<br />
<br />
= National Storage using iRODS =<br />
[[Category:Storage]]<br />
[[Category:iRODS]]<br />
<br />
<font size="5" color="red"> NOTE: THIS PAGE IS OUT OF DATE! </font><br><br />
<br />
== Getting access ==<br />
; Apply for storage<br />
: Please follow the instructions on the [[Apply for storage on SweStore]] page.<br />
<br />
;iRODS user authentication<br />
:SweStore's iRODS system uses [http://www.yubico.com/products/yubikey-hardware/yubikey/ Yubikey] one-time passwords (OTP). With a simple touch of a button, a 44-character one-time password is generated and sent to the system. The user will be provided with a SweStore yubikey.<br />
:Yubikey support currently has pilot status and may change in the future.<br />
<br />
; How to acquire a SweStore yubikey <span style="color:#FF0000"> (Pilot) </span><br />
:Please send an email to [mailto:support@swestore.se?subject=Yubikey support@swestore.se] and provide the shipping address to which the yubikey should be sent.<br><br />
<br />
== Support == <br />
<br />
If you have any issues using SweStore please do not hesitate to contact [mailto:support@swestore.se support@swestore.se].<br />
<br />
<span style="color:#FF0000"> Avoid filenames containing single quotes. (There were problems with these, but they have been fixed.)</span><br><br />
<br />
== Usage monitoring ==<br />
* [http://status.swestore.se/munin/monitor/monitor/ Per Project Monitoring of Swestore usage]<br />
<br />
== Supported clients ==<br />
<br />
: iDrop web - Point your Web browser to [https://iweb.swestore.se iweb.swestore.se]<br />
: E-iRODS iCommands 3.0 - Command line client [ftp://ftp.renci.org/pub/irods/releases/3.0.1 Download E-iRODS icommands]<br />
<br />
SweStore iRODS uses PAM authentication and SweStore yubikeys. With a simple touch of a button, a 44-character one-time password is generated and sent to the system.<br />
<br />
<br />
=== Web GUI (iDrop web) ===<br />
Please see the specific documentation for [[iDrop web]].<br />
<br />
=== Community iRODS version 3.3 ===<br />
The community iRODS client version 3.3 should also work, with PAM authentication.<br><br />
It is available from [http://irods.sdsc.edu/download.html SDSC].<br />
Please install the OpenSSL include files and libraries:<br />
<pre><br />
$ sudo apt-get install libssl-dev (debian based system)<br />
# yum install openssl-devel (redhat-based systems)<br />
</pre><br />
Download iRODS 3.3 from http://irods.sdsc.edu/download.html and unpack the tar.gz archive.<br />
<br />
Please enable the following defines in the Makefile iRODS/config/config.mk.in<br />
<pre><br />
PAM_AUTH = 1<br />
PAM_AUTH_NO_EXTEND = 1<br />
USE_SSL = 1 <br />
</pre><br />
Please run irodssetup to compile the irods community client with PAM authentication.<br />
<br />
== SweStore iRODS usage documentation ==<br />
<br />
To use the system you need to have the E-iRODS command line client installed, or use iDrop web. <br />
<br />
=== Command line client ===<br />
<br />
For Linux systems the iRODS command line client is available as an installable package for various<br />
Linux platforms from the e-iRODS website downloads section.<br />
<br />
The command line client is natural to use for Unix users.<br />
There are versions of the usual ls, rm, mv, mkdir, pwd, rsync<br />
commands prefixed with an i for iRODS, e.g. irm, imv, imkdir etc.<br />
<br />
As expected, iput and iget move files to and from the iRODS system.<br />
All these commands print short help when using the -h option.<br />
<br />
==== iCommands environment file ====<br />
<br />
There is an environment file .irodsEnv in the .irods subdirectory<br />
of the home directory ($HOME/.irods/.irodsEnv) which contains information where and how<br />
to access the iRODS metadata (iCAT) server.<br />
<br />
It looks like (placeholders are in <>):<br />
<pre><br />
irodsHost 'irods.swestore.se'<br />
irodsPort 1247<br />
irodsDefResource 'snicdefResc'<br />
irodsHome '/snicZone/proj/<PROJECT_NAME>'<br />
irodsCwd '/snicZone/proj/<PROJECT_NAME>'<br />
irodsUserName '<USERNAME>'<br />
irodsZone 'snicZone'<br />
irodsAuthScheme 'PAM'<br />
</pre><br />
<br />
The iCAT server is irods.swestore.se.<br />
The default irods zone name is snicZone.<br />
The default resource is snicdefResc.<br />
It is best to set the home directory to the same as the<br />
project directory, which would be a subdirectory under<br />
the /snicZone/proj directory tree.<br />
<br />
==== Yubikey instructions ====<br />
<br />
Prerequisite: A correct iCommands environment file, see above for instructions.<br />
<br />
# Insert the yubikey in an available USB slot in your computer.<br />
# Type iinit<br />
# Touch the conductive surface on the yubikey to send a one-time password to the system. <br />
<br />
<pre><br />
<br />
$ iinit<br />
Enter your current PAM (system) password:<br />
$ ils<br />
/snicZone/proj/<projectname>:<br />
$<br />
</pre><br />
<br />
After that we can use the usual iCommands for 8 hours.<br />
<br />
More details on the iCommands are available at<br />
https://www.irods.org/index.php/icommands<br />
<br />
==== iCommands ====<br />
<br />
Having initialized the session as described above we can use the iRODS versions<br />
of the basic Unix commands. The project directory is under /snicZone/proj, all<br />
members of the project should have write access to this directory. We can use<br />
the command<br />
<pre><br />
icd /snicZone/proj/projectname<br />
</pre><br />
to move to the project directory, or to change to another project directory<br />
when we are members of more than one project.<br />
<br />
All commands give short help when invoked with the -h flag.<br />
<br />
To put files into the iRODS system we can use:<br />
<pre><br />
iput localfile irodsfile<br />
</pre><br />
or, to put a whole directory tree:<br />
<pre><br />
iput -r localdirectory irodscollection<br />
</pre><br />
<br />
To load large amounts of data it might be more advantageous to use<br />
<pre><br />
irsync -r localdirectory irodscollection<br />
</pre><br />
It is a good idea to add -K so that checksums are computed,<br />
stored and verified.<br />
<br />
To create directories (collections in iRODS terminology) we use:<br />
<pre><br />
imkdir collection<br />
</pre><br />
as expected.<br />
<br />
To get those files back we can use<br />
<pre><br />
iget irodsfile localfile<br />
</pre><br />
or<br />
<pre><br />
irsync -r irodscollection localdirectory<br />
</pre><br />
<br />
To remove files we use:<br />
<pre><br />
irm irodsfile<br />
</pre><br />
or<br />
<pre><br />
irm -r irodscollection<br />
</pre><br />
<br />
Removing files this way moves them to the trash (path: /snicZone/trash/).<br />
From time to time the trash needs to be emptied, using<br />
<pre><br />
irmtrash<br />
</pre><br />
<br />
==== Using iCommands on SNIC HPC clusters ====<br />
<br />
On SNIC clusters the iCommands command line tools are either available in the PATH or made available by loading the irods module, e.g.<br />
: module load irods<br />
: If the irods commands are not available on the SNIC HPC cluster, please contact support@swestore.se<br />
We also need to set up the iCommands environment file $HOME/.irods/.irodsEnv<br />
<br />
=== Storage Project directory structure ===<br />
<br />
Your storage project is available at /snicZone/proj/<PROJECT NAME><br />
<br />
/snicZone/home/<USERNAME> is just a small home directory.<br />
<br />
=== iDROP web client ===<br />
<br />
See the [[iDrop web]] specific page.<br />
<br />
=== Upstream documentation ===<br />
Detailed documentation, papers and resources are available from<br />
the [http://www.eirods.org E-iRODS web site]<br />
<br />
[http://www.irods.org Community iRODS]<br />
<br />
[https://groups.google.com/d/forum/irod-chat User forum]</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Talk:Swestore&diff=7640Talk:Swestore2020-11-16T13:22:57Z<p>Jens Larsson (NSC): Blanked the page</p>
<hr />
<div></div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=SNIC_Storage&diff=7639SNIC Storage2020-11-16T13:22:28Z<p>Jens Larsson (NSC): Redirected page to Swestore</p>
<hr />
<div>#REDIRECT [[Swestore]]</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=SnicStorage&diff=7638SnicStorage2020-11-16T13:22:10Z<p>Jens Larsson (NSC): Redirected page to Swestore</p>
<hr />
<div>#REDIRECT [[Swestore]]</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Add_client_certificate_to_keychain_on_macOS&diff=7637Add client certificate to keychain on macOS2020-11-16T13:19:43Z<p>Jens Larsson (NSC): </p>
<hr />
<div>= General =<br />
<br />
Most applications on ''macOS'' (previously named ''OS X'') use ''Keychain'', the operating system certificate store, so that users need not add/import the certificate separately in every application where it is used.<br />
<br />
This procedure describes how to add a client certificate to the login Keychain using the ''Keychain Access'' utility.<br />
<br />
The common reason for doing this is that you used the ''Firefox'' web browser to obtain a client certificate and wish to make it available to other applications (for example ''Safari'' and ''Cyberduck'').<br />
<br />
As an alternative to exporting from Firefox and adding the exported certificate to the Keychain, you can simply request an additional certificate using the ''Safari'' web browser, which stores it directly in the Keychain.<br />
<br />
= Instructions =<br />
<br />
* Launch '''Keychain Access''' by opening '''Finder''' and navigating '''Applications -> Utilities -> Keychain Access'''<br />
<br />
* Make sure the '''login''' keychain is selected.<br />
<br />
[[File:MacOS-Keychain-add-1.png|600px]]<br />
<br />
* Select '''Import Items...''' from the File menu.<br />
<br />
[[File:MacOS-Keychain-add-2.png]]<br />
<br />
* Locate the certificate backup made from Firefox or other web browser.<br />
<br />
[[File:MacOS-Keychain-add-3.png|600px]]<br />
<br />
* Enter the password chosen at backup time, which protects the certificate and key backup.<br />
<br />
[[File:MacOS-Keychain-add-4.png]]<br />
<br />
* If successful, the imported certificate should appear in the list of certificates for the login keychain.<br />
<br />
[[File:MacOS-Keychain-add-5.png|600px]]<br />
<br />
<br />
<br />
[[Requesting a grid certificate using the Sectigo SSO Portal|< Requesting a grid certificate using the Sectigo SSO Portal]]</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Add_client_certificate_to_keychain_on_macOS&diff=7636Add client certificate to keychain on macOS2020-11-16T13:16:40Z<p>Jens Larsson (NSC): </p>
<hr />
<div>= General =<br />
<br />
Most applications on ''macOS'' (previously named ''OS X'') use ''Keychain'', the operating system certificate store, so that users need not add/import the certificate separately in every application where it is used.<br />
<br />
This procedure describes how to add a client certificate to the login Keychain using the ''Keychain Access'' utility.<br />
<br />
The common reason for doing this is that you used the ''Firefox'' web browser to obtain a client certificate and wish to make it available to other applications (for example ''Safari'' and ''Cyberduck'').<br />
<br />
As an alternative to exporting from Firefox and adding the exported certificate to the Keychain, you can simply request an additional certificate using the ''Safari'' web browser, which stores it directly in the Keychain.<br />
<br />
= Instructions =<br />
<br />
* Launch '''Keychain Access''' by opening '''Finder''' and navigating '''Applications -> Utilities -> Keychain Access'''<br />
<br />
* Make sure the '''login''' keychain is selected.<br />
<br />
[[File:MacOS-Keychain-add-1.png|600px]]<br />
<br />
* Select '''Import Items...''' from the File menu.<br />
<br />
[[File:MacOS-Keychain-add-2.png]]<br />
<br />
* Locate the certificate backup made from Firefox or other web browser.<br />
<br />
[[File:MacOS-Keychain-add-3.png|600px]]<br />
<br />
* Enter the password chosen at backup time, which protects the certificate and key backup.<br />
<br />
[[File:MacOS-Keychain-add-4.png]]<br />
<br />
* If successful, the imported certificate should appear in the list of certificates for the login keychain.<br />
<br />
[[File:MacOS-Keychain-add-5.png|600px]]<br />
<br />
<br />
<br />
[[Requesting a grid certificate using the Sectigo SSO Portal|< Requesting a grid certificate using the Digicert SSO Portal]]</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Exporting_a_client_certificate&diff=7635Exporting a client certificate2020-11-16T13:15:55Z<p>Jens Larsson (NSC): </p>
<hr />
<div>[[Category:Grid computing]]<br />
[[Category:SweGrid user guide]]<br />
[[Category:Swestore]]<br />
[[Category:Swestore user guide]]<br />
<br />
[[Getting started with SweGrid|< Getting started with SweGrid]]<br />
<br />
[[Swestore|< Swestore]]<br />
<br />
[[Requesting a grid certificate using the Sectigo SSO Portal|< Requesting a grid certificate using the Sectigo SSO Portal]]<br />
<br />
<br />
In order to use your client certificate for tasks other than authenticating your browser sessions, you might need to export it to a protected file which you can then import into browsers on other machines, import into other browsers, and upload to SNIC resources where it can be used to generate proxy certificates for use with client tools.<br />
<br />
'''NOTE''': When possible, it is generally preferred (and easier) to obtain a new (additional) certificate in web browsers rather than transfer certificates between browsers/machines.<br />
<br />
The export process differs between operating systems and browsers; the following links outline the process for the common browsers and operating systems, resulting in a '''.p12''' or '''.pfx''' file.<br />
<br />
* [[Exporting_a_client_certificate_on_Windows|Exporting on Windows (Chrome and Internet Explorer)]]<br />
* [[Exporting_a_client_certificate_on_macOS|Exporting on macOS (OS X) (Chrome and Safari)]]<br />
* [[Exporting_a_client_certificate_from_Firefox|Exporting a client certificate from Firefox]]<br />
* [[Exporting_a_client_certificate_from_Chrome|Exporting a client certificate from Chrome (Linux and other operating systems)]]</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7634Requesting a grid certificate using the Sectigo SSO Portal2020-11-16T13:13:59Z<p>Jens Larsson (NSC): Reverted edits by Jens Larsson (NSC) (talk) to last revision by Niklas Edmundsson (HPC2N)</p>
<hr />
<div>== Preparations ==<br />
<br />
Two requirements need to be fulfilled in order to be able to request a grid (aka eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below)<br />
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck<br />
* Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.<br />
** Enabling this only needs to be done once. Routines for this vary among organizations; it typically involves visiting a helpdesk to show an identity document to verify your identity.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to log in with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is your identity not fulfilling the requirements for requesting personal certificates, see [[#Preparations]] above.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser<br />
<br />
To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Generate RSA<br />
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side<br />
* If there is a technical reason that needs the key to be generated locally<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
<pre><br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
</pre><br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Upload CSR<br />
* Use "Choose File" to upload the usercert_request.pem file you created above<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself by doing:<br />
<br />
<pre><br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
</pre><br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem<br />
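The locally generated key and CSR route described above, carried through end to end as an added example (this is not the wiki's own script; it reuses the page's openssl and chmod commands). It assumes the openssl CLI is installed; because the Sectigo portal is not reachable offline, the portal-issued certs.pem is stood in for by a self-signed certificate made from the same CSR, and WORKDIR, KEYPASS, P12PASS and the fake_ca_issue/has_mode helpers are constructed here. The checks it adds are the ones worth doing for real: that the CSR really belongs to userkey.pem before uploading it, and that the certificate that comes back really belongs to that key before building certs.p12 or installing into ~/.globus.<br />

```shell
#!/bin/sh
# Added example, not part of the SNIC wiki page. Walks the page's CSR route:
# local key + CSR, owner-only key permissions, key/CSR and key/cert checks,
# PKCS#12 bundle for the browser, and the ~/.globus layout for grid tools.
# Assumptions: openssl CLI present; the CA is stood in for by self-signing
# (fake_ca_issue); passphrases are constructed demo values read from the
# environment so they never appear on a command line.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJECT='/CN=Mitt Namn'                       # the page's placeholder subject
KEYPASS="${KEYPASS:-demo-key-passphrase-change-me}"
P12PASS="${P12PASS:-demo-p12-passphrase-change-me}"
export WORKDIR KEYPASS P12PASS

# Page's "openssl req" + "chmod go=": the private key is created on this
# machine, encrypted with KEYPASS, and readable only by its owner.
generate_key_and_csr() {
    dir=$1
    openssl req -new -newkey rsa:4096 \
        -keyout "$dir/userkey.pem" -out "$dir/usercert_request.pem" \
        -subj "$SUBJECT" -passout env:KEYPASS 2>/dev/null
    chmod go= "$dir/userkey.pem"
}

# Public half of the (encrypted) private key, as a PEM string.
pubkey_of_key() {
    openssl pkey -in "$1" -passin env:KEYPASS -pubout 2>/dev/null
}

# Exit 0 only if the CSR's self-signature verifies and its public key is the
# one in userkey.pem, so the wrong file cannot be uploaded by mistake.
csr_matches_key() {
    csr=$1; key=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    a=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null); b=$(pubkey_of_key "$key")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Exit 0 only if the certificate that came back belongs to this private key.
cert_matches_key() {
    cert=$1; key=$2
    a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); b=$(pubkey_of_key "$key")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-in for the CA (constructed): self-sign the CSR. In real use certs.pem
# is downloaded from the portal and this function is not needed at all.
fake_ca_issue() {
    csr=$1; key=$2; cert=$3
    openssl x509 -req -in "$csr" -signkey "$key" -passin env:KEYPASS \
        -days 30 -out "$cert" 2>/dev/null
}

# Page's "openssl pkcs12 -export", with both passphrases from the environment.
build_p12() {
    key=$1; cert=$2; p12=$3
    openssl pkcs12 -export -inkey "$key" -passin env:KEYPASS \
        -in "$cert" -out "$p12" -passout env:P12PASS
}

# Page's ~/.globus layout; globus_dir stands in for ~/.globus so the example
# never touches the real home directory. Key owner-only, cert world-readable.
install_globus() {
    key=$1; cert=$2; globus_dir=$3
    mkdir -p "$globus_dir" && chmod 700 "$globus_dir"
    cp "$key" "$globus_dir/userkey.pem"   && chmod 600 "$globus_dir/userkey.pem"
    cp "$cert" "$globus_dir/usercert.pem" && chmod 644 "$globus_dir/usercert.pem"
}

# Exit 0 only if the file has exactly the given octal mode (no GNU stat needed).
has_mode() {
    [ -n "$(find "$1" -perm "$2" -print)" ]
}

run_example() {
    generate_key_and_csr "$WORKDIR"
    csr_matches_key "$WORKDIR/usercert_request.pem" "$WORKDIR/userkey.pem" \
        || { echo "CSR does not belong to userkey.pem, not uploading" >&2; return 1; }
    echo "CSR ready to upload: $(openssl req -in "$WORKDIR/usercert_request.pem" -noout -subject)"

    fake_ca_issue "$WORKDIR/usercert_request.pem" "$WORKDIR/userkey.pem" "$WORKDIR/certs.pem"
    cert_matches_key "$WORKDIR/certs.pem" "$WORKDIR/userkey.pem" \
        || { echo "certs.pem does not belong to userkey.pem" >&2; return 1; }

    build_p12 "$WORKDIR/userkey.pem" "$WORKDIR/certs.pem" "$WORKDIR/certs.p12"
    install_globus "$WORKDIR/userkey.pem" "$WORKDIR/certs.pem" "$WORKDIR/globus"
    echo "Browser bundle: $WORKDIR/certs.p12; grid files in $WORKDIR/globus"
}

run_example
```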
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7633Requesting a grid certificate using the Sectigo SSO Portal2020-11-16T13:12:46Z<p>Jens Larsson (NSC): Redirected page to Requesting a grid certificate using the Sectigo SSO Portal</p>
<hr />
<div>#REDIRECT [[Requesting a grid certificate using the Sectigo SSO Portal]]<br />
<br />
== Preparations ==<br />
<br />
Two requirements need to be fulfilled in order to be able to request a grid (aka eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below)<br />
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck<br />
* Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.<br />
** Enabling this only needs to be done once. Routines for this vary among organizations; it typically involves visiting a helpdesk to show an identity document to verify your identity.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to log in with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is your identity not fulfilling the requirements for requesting personal certificates, see [[#Preparations]] above.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser<br />
<br />
To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Generate RSA<br />
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side<br />
* If there is a technical reason that needs the key to be generated locally<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
<pre><br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
</pre><br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Upload CSR<br />
* Use "Choose File" to upload the usercert_request.pem file you created above<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself by doing:<br />
<br />
<pre><br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
</pre><br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Terena_eScience_Portal&diff=7632Requesting a grid certificate using the Terena eScience Portal2020-11-16T13:12:16Z<p>Jens Larsson (NSC): Redirected page to Requesting a grid certificate using the Sectigo SSO Portal</p>
<hr />
<div>#REDIRECT [[Requesting a grid certificate using the Sectigo SSO Portal]]</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Grid_certificates&diff=7631Grid certificates2020-11-16T13:09:32Z<p>Jens Larsson (NSC): /* VOMS proxy certificates */</p>
<hr />
<div>[[Category:Grid computing]]<br />
[[Category:SweGrid user guide]]<br />
[[Category:Swestore]]<br />
[[Category:Swestore user guide]]<br />
[[Getting started with SweGrid|< Getting started with SweGrid]]<br><br />
[[Swestore|< Swestore]]<br />
<br />
= Introduction =<br />
<br />
In order to access [[Swestore]] using certificate authentication, or to access grid resources, a valid eScience client certificate is required. A certificate is similar to an electronic key card in real life: in the same way that you must swipe a key card in the lock/reader, the application you are using must present a certificate. Not having a certificate is like not having a key card; just entering the PIN code is usually not enough.<br />
<br />
Keep your certificate safe, just like a physical key or key card. Store them in a safe place, utilizing secure credential store, browser master password, private directories and file permissions as appropriate.<br />
<br />
Most importantly, always use a unique passphrase to protect certificates whenever possible.<br />
<br />
= Requesting a certificate =<br />
<br />
In order to use certificate authentication you need a valid certificate.<br />
<br />
Certificates are issued by a Certificate Authority (CA). The certificate needed for accessing Swestore or other grid resources must be of the ''IGTF'', ''eScience'' or ''Grid'' type; not all CAs are accredited by [http://www.igtf.net/ The International Grid Trust Federation] to issue these.<br />
<br />
For users residing in the Nordics there are two relevant CAs that can issue grid/eScience/e-Science certificates: ''Sectigo'' and ''NorduGrid''. The Sectigo CA is preferred if it is available for your university or research group, but some institutions have not enabled this service yet. The NorduGrid CA can also be used but requires more manual work by all parties.<br />
<br />
[[Requesting a grid certificate using the Sectigo SSO Portal|Instructions for the Sectigo CA]]<br />
<br />
[[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA (use this only if Sectigo isn't available at your site)]]<br />
<br />
An eScience certificate is valid for 13 months and thus needs to be renewed yearly.<br />
<br />
If you have acquired a certificate as part of new-user setup, return to the documentation that referred you here.<br />
<br />
= Proxy certificates =<br />
<br />
Authentication to Swestore can be done using your client certificate directly (as your web browser does). On the command line it is usually good practice to use a special short-lived ''proxy'' certificate instead. When using other grid resources you must use proxy certificates or similar mechanisms.<br />
<br />
A proxy certificate is basically a new short-lived certificate that you issue yourself and sign with your regular certificate (or rather with its private key). The proxy has its own private key, stored unencrypted so that tools can use it without a passphrase; if the proxy file is lost it expires shortly and is then useless to an attacker. In many grid applications you delegate (upload) your proxy certificate to the grid resource, since for example a compute element may need your credentials to access a storage element as you. If a proxy is stolen it can be used to authenticate as you on all resources you have access to until it expires, so keep the lifetime as short as the job allows.<br />
<br />
There are several tools available for creating, checking and destroying proxy certificates.<br />
The examples below demonstrate the '''arcproxy''' command from the ARC software suite. Another common tool is '''grid-proxy-init''' from the Globus packages.<br />
<br />
== Creating a proxy certificate ==<br />
<br />
This example requires that the certificate and private key are available for use with grid tools (by default as ~/.globus/usercert.pem and ~/.globus/userkey.pem). This is the default with '''NorduGrid certificates''', although you might need to transfer the certificate to the resource where you are using the grid tools.<br />
<br />
For '''DigiCert/Sectigo (TCS) certificates''' you must first [[Exporting_a_client_certificate|export the certificate]], transfer it to the resource where you are using the grid tools if needed, and [[Preparing_a_client_certificate|prepare it for use with grid tools]].<br />
ARC can also use the Firefox certificate store directly, as described in the next section.<br />
<br />
To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:<br />
<br />
$ arcproxy<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Enter pass phrase for /home/kalle/.globus/userkey.pem:<br />
.++++++<br />
.....++++++<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2016-03-11 03:00:14<br />
<br />
The proxy file itself is created in the '''/tmp''' directory as '''x509up_u<uid>''', where uid is the numeric user id of your account (for example /tmp/x509up_u500). The location can be overridden with the '''X509_USER_PROXY''' environment variable. The file holds the proxy's private key unencrypted and is therefore created readable only by you; do not loosen its permissions.<br />
<br />
In some cases a longer-lived proxy is needed. This is achieved using the '''--constraint''' switch. A 24-hour proxy can be created with the following command:<br />
<br />
$ arcproxy --constraint="validityPeriod=24H"<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Enter pass phrase for /home/kalle/.globus/userkey.pem:<br />
....++++++<br />
.....++++++<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2011-03-11 15:03:19<br />
<br />
== Creating a proxy certificate using the Firefox/Thunderbird credential store ==<br />
<br />
Using the ARC client tools it is possible to generate a proxy certificate directly from the Firefox or Thunderbird credential stores. To do this the '''-F''' flag is used as shown in the following example:<br />
<br />
$ arcproxy -F<br />
There are 2 NSS base directories where the certificate, key, and module datbases live<br />
Number 1 is: /Users/lindemann/Library/Application Support/Firefox/Profiles/t22f3aj2.default<br />
Number 2 is: /Users/lindemann/Library/Thunderbird/Profiles/7abb733v.default<br />
Please choose the NSS database you would use (1-2): 1<br />
<br />
Here ARC finds the available Firefox and Thunderbird profiles in which the credential stores are kept. Next, the passphrase for the credential store is used to unlock the stored credentials:<br />
<br />
NSS database to be accessed: /Users/lindemann/Library/Application Support/Firefox/Profiles/t22f3aj2.default<br />
Enter Password or Pin for "internal (software)":<br />
<br />
If the passphrase was correct, ARC lists the available certificates in the credential store and asks which one you would like to use.<br />
<br />
There are 2 user certificates existing in the NSS database<br />
Number 1 is with nickname: Jonas Lindemann xxxxx@lu.se's TERENA ID (Jonas Lindemann xxxxx@lu.se)<br />
expiration time: 2013-06-04 01:59:59<br />
Number 2 is with nickname: Imported Certificate (Jonas Lindemann)<br />
expiration time: 2014-01-18 16:55:52<br />
Please choose the one you would use (1-2): 1<br />
Certificate to use is: Jonas Lindemann xxxxxx@lu.se's TERENA ID<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2013-05-01 04:11:37<br />
<br />
== Checking proxy lifetime ==<br />
<br />
The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.<br />
<br />
$ arcproxy --info<br />
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803<br />
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Time left for proxy: 11 hours 55 minutes<br />
Proxy path: /tmp/x509up_u500<br />
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy<br />
<br />
In this example the proxy certificate is valid for 11 hours 55 minutes more.<br />
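The lifetime check above needs arcproxy on the host. The following shell functions are an added example (not part of the original page) that does the same checks with plain openssl, which is useful in a job script that must refuse to start with a proxy about to expire. They assume the proxy file has the layout arcproxy and grid-proxy-init produce (the proxy certificate first, then its unencrypted private key, then the user certificate it was signed with) and the default path /tmp/x509up_u<uid> unless X509_USER_PROXY is set.<br />

```shell
# Added example, not from the original page. Checks a grid proxy file with
# openssl only. Assumed layout: proxy cert, proxy key, issuing user cert;
# assumed default path /tmp/x509up_u<uid>, overridable via X509_USER_PROXY.

# Return 0 if the first certificate in FILE is still valid SECONDS from now.
proxy_valid_for() {
    file=$1; seconds=$2
    openssl x509 -in "$file" -noout -checkend "$seconds" >/dev/null 2>&1
}

# Count the certificates in FILE. A proxy made from a plain user certificate
# carries 2: the proxy itself and the user certificate that signed it.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the subject of the first certificate as one RFC 2253 line, e.g.
# "CN=1567862803,CN=Kalle Kula,OU=lunarc.lu.se,O=NorduGrid,O=Grid".
proxy_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Refuse to go on unless a proxy exists and has at least MIN_SECONDS
# (default 3600) of lifetime left. 0 = OK, 1 = no proxy, 2 = too short.
require_proxy() {
    min=${1:-3600}
    proxy=${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}
    if [ ! -r "$proxy" ]; then
        echo "no proxy at $proxy, run arcproxy first" >&2
        return 1
    fi
    if ! proxy_valid_for "$proxy" "$min"; then
        echo "proxy $proxy expires within $min seconds, renew it" >&2
        return 2
    fi
    echo "using proxy for $(proxy_subject "$proxy")" \
         "($(cert_count "$proxy") certificates in chain)"
}
```

Call require_proxy at the top of a job script (for example require_proxy 7200 || exit 1) so a job that would run two hours never starts with a proxy that dies halfway. Note that -checkend only reads the first certificate; if the user certificate behind the proxy expires earlier, that is caught by running the same check on ~/.globus/usercert.pem.<br />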
<br />
== Destroying a proxy certificate ==<br />
<br />
A proxy can be destroyed with the '''-r''' or '''--remove''' switch.<br />
<br />
$ arcproxy -r<br />
<br />
or<br />
<br />
$ arcproxy --remove<br />
<br />
= Requesting membership in the SweGrid VO =<br />
<br />
'''This was previously needed for Swestore, but Swestore users are now managed in the [https://supr.snic.se SUPR] portal.'''<br />
<br />
== Introduction ==<br />
<br />
SweGrid resources are allocated to VOs (virtual organizations) rather than to individual users. A VO is basically just a list of users. To be able to use a SweGrid resource, membership in the SweGrid VO and a corresponding subgroup is required.<br />
<br />
== Preparations ==<br />
<br />
To apply for membership, make sure that the NorduGrid root CA 2015 certificate and your personal certificate are installed in the browser.<br />
<br />
The NorduGrid CA certificate can be installed by clicking on the following link:<br />
<br />
[http://ca.nordugrid.org/NorduGrid-2015.crt http://ca.nordugrid.org/NorduGrid-2015.crt]<br />
<br />
Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.<br />
<br />
<br />
[[File:certinstall.png]]<br />
<br />
== Step 1 - Apply for VO membership ==<br />
<br />
When the NorduGrid CA certificate has been installed in the browser, go to the following URL:<br />
<br />
[https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]<br />
<br />
and follow the instructions. After a manual review, normally within a couple of hours, you will be added to the SweGrid VO.<br />
<br />
== Step 2 - Request group membership ==<br />
<br />
After being added to the SweGrid VO you need to be added to the correct project/allocation group to use that allocation. Use the '''Request membership''' function in the '''Your groups and roles''' section of your VOMS home page at https://voms.ndgf.org:8443/voms/swegrid.se/user/home.action as shown in the following screenshot, selecting the project in the dropdown box and clicking the '''Request membership''' button. No further action needs to be taken on that page after requesting the membership.<br />
<br />
[[File:request-vo-membership.png]]<br />
<br />
The request is handled manually, usually within a few hours. Allow for a couple more hours for the membership to propagate to Swestore.<br />
<br />
== If it doesn't work ==<br />
<br />
If things don't work for some reason, contact SweGrid support at [mailto:support@swegrid.se support@swegrid.se] or Swestore support at [mailto:support@swestore.se support@swestore.se] as appropriate.<br />
<br />
= More information =<br />
<br />
A certificate consists of a public key, some user information and the signature of the CA. In addition to the certificate you have a corresponding private key. The private key is secret and should be kept as secure as possible.<br />
<br />
The grid certificate and private key are stored in your web browser and/or in your home directory on the host from which you will be accessing the resource. Standard file names are:<br />
~/.globus/usercert.pem<br />
~/.globus/userkey.pem<br />
<br />
The certificate contains your public key, your name and organization, and a signature by the CA. It does not contain any username.<br />
<br />
The private key should be handled with great care. It should be readable only by you and not by the group or others (i.e. "chmod 400 userkey.pem"). Store the key only on trusted computers and transfer it between computers over an encrypted channel (for example with scp).<br />
<br />
On shared file systems make sure that ~/.globus is not readable by everybody:<br />
chmod 700 ~/.globus<br />
and on AFS:<br />
fs sa ~/.globus system:anyuser none<br />
<br />
The private key should be encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away or share the certificate, passphrase or the unencrypted key to someone else.<br />
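The recommendations above (private ~/.globus, key readable only by you, key protected by a passphrase) are easy to get wrong after copying files between hosts. The following POSIX shell audit is an added example, not part of the original page; it assumes the standard layout DIR/usercert.pem and DIR/userkey.pem, reads modes by parsing ls -ld (portable across GNU and BSD), and detects an unencrypted key from the PEM headers OpenSSL writes. It does not check AFS ACLs; use the fs sa command above for that.<br />

```shell
# Added example, not from the original page. Audits a ~/.globus style
# directory against the recommendations in the text. Assumed layout:
# DIR/usercert.pem and DIR/userkey.pem.

# Print the symbolic mode string of a path, e.g. "drwx------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if the PEM private key in $1 is passphrase-protected. OpenSSL
# writes either a PKCS#8 "ENCRYPTED PRIVATE KEY" block or a traditional
# key with a "Proc-Type: 4,ENCRYPTED" header; a plain key has neither.
key_is_encrypted() {
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Audit DIR: print every problem found and return the number of problems
# (0 means the directory matches the recommendations above).
audit_globus_dir() {
    dir=$1
    problems=0
    dmode=$(mode_of "$dir")
    case "$dmode" in
        d???------) ;;   # group and others have no access: OK
        *) echo "$dir: mode is $dmode, expected drwx------ (chmod 700)"
           problems=$((problems + 1)) ;;
    esac
    key="$dir/userkey.pem"
    if [ ! -f "$key" ]; then
        echo "$key: missing"
        problems=$((problems + 1))
    else
        kmode=$(mode_of "$key")
        case "$kmode" in
            -r--------|-rw-------) ;;   # 0400 or 0600: OK
            *) echo "$key: mode is $kmode, expected -r-------- (chmod 400)"
               problems=$((problems + 1)) ;;
        esac
        if ! key_is_encrypted "$key"; then
            echo "$key: private key is NOT passphrase-protected"
            problems=$((problems + 1))
        fi
    fi
    cert="$dir/usercert.pem"
    if [ ! -f "$cert" ]; then
        echo "$cert: missing"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it as audit_globus_dir ~/.globus before creating a proxy on a new host; a non-zero exit code with the printed reasons tells you exactly which chmod or key re-encryption is missing. An unencrypted key should be re-encrypted, not just chmod'ed: openssl pkey -in userkey.pem -aes256 -out userkey.enc.pem and then replace the file.<br />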
<br />
For more information regarding certificates and public key cryptography:<br />
<br />
* http://en.wikipedia.org/wiki/Public-key_cryptography<br />
* http://en.wikipedia.org/wiki/Public_key_certificate<br />
* http://www.nordugrid.org/documents/certificate_howto.html<br />
<br />
= VOMS =<br />
Before SUPR was created, users and projects were managed in a system called VOMS (the Virtual Organization Membership Service). As of 2020-11-13 this service is no longer used by Swestore.<br />
<br />
= Signing your e-mail with your certificate =<br />
<br />
First, you will need your grid certificate in PKCS#12 format:<br />
== How to transform your certificate from PEM format into PKCS#12 format ==<br />
<br />
This is how you transform your certificate into PKCS#12 format so that it can be used within your web browser or email program.<br />
First change directory to where you created and keep the certificate; historically this is often ~/.globus:<br />
<br />
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert+key.p12 <br />
<br />
You will first have to enter the passphrase you used for your private key, and then you will be asked for a new password to protect the new file. '''cert+key.p12 contains your private key and is therefore as valuable as userkey.pem'''. See also [[#More information]]. Security-wise the safest approach is to delete the PKCS#12 file after having imported it into your mail client or browser. Don't forget this.<br />
<br />
Remarks: older openssl versions either need the variable RANDFILE to be set or ~/.rnd to be writable, so make sure that the current $HOME is yours if you have switched identity with pagsh, otherwise the command fails with "unable to write 'random state'". OpenSSL 1.1.1 and later no longer write this file.<br />
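The export above is interactive and gives no feedback on whether the resulting file actually contains the certificate you meant to export. The functions below are an added example, not part of the original page: they run the same openssl pkcs12 export non-interactively, verify the .p12 by opening it and comparing the certificate's SHA-256 fingerprint with the input, and overwrite the file once it has been imported. They assume the key passphrase is in $KEY_PASS and the new PKCS#12 passphrase in $P12_PASS (exported environment variables, a stand-in for the prompts; on a shared host, -passin file:... pointing at a 0600 file leaks less than the environment).<br />

```shell
# Added example, not from the original page. Non-interactive PEM -> PKCS#12
# export with verification. Assumes exported $KEY_PASS (passphrase of
# userkey.pem) and $P12_PASS (passphrase for the new .p12 file).

# Export CERT and KEY to OUT (PKCS#12). Returns openssl's exit status.
pem_to_p12() {
    cert=$1; key=$2; out=$3
    ( umask 077   # the .p12 contains the private key: create it 0600
      openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
          -passin env:KEY_PASS -passout env:P12_PASS )
}

# SHA-256 fingerprint of the first certificate read from stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if P12 opens with $P12_PASS and carries the same certificate as
# CERT. This catches exporting the wrong pair or mistyping the password.
verify_p12() {
    p12=$1; cert=$2
    want=$(cert_fingerprint < "$cert") || return 1
    got=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
          | cert_fingerprint) || return 1
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Best-effort removal after the file has been imported into the browser or
# mail client: overwrite, then unlink. On journaling, copy-on-write or SSD
# storage old blocks may survive, which is why a 0600 file and a strong
# $P12_PASS matter more than the overwrite.
wipe_file() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        dd if=/dev/urandom of="$1" bs=4k count=1 conv=notrunc 2>/dev/null
        rm -f "$1"
    fi
}
```

Typical use: pem_to_p12 ~/.globus/usercert.pem ~/.globus/userkey.pem cert+key.p12 && verify_p12 cert+key.p12 ~/.globus/usercert.pem, import the file, then wipe_file cert+key.p12.<br />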
<br />
<br />
=== Thunderbird ===<br />
<br />
Mozilla Thunderbird is a graphical email program available for many platforms. More information at https://www.mozilla.org/thunderbird<br />
<br />
<br />
In Thunderbird, navigate to ''Options -> Security -> Digitally sign this message''.<br />
<br />
If you do this for the first time and have not yet defined the certificate to sign with, Thunderbird will pop up the corresponding preferences [Account settings/Security], where you can choose between your imported certificates (PKCS#12 format).<br />
<br />
In the beginning, of course, you haven't imported any: on the same preferences tab that popped up, click [View Certificates]. In the new window that opens you can import the certificate.<br />
<br />
Afterwards you can choose this certificate to be used for signing and for encryption for this email account.<br />
<br />
Don't forget to actually check that you really sign the corresponding mail.<br />
<br />
=== Mew ===<br />
<br />
Mew is a mail reader for Emacs. More information at https://www.mew.org/<br />
<br />
Mew uses gpgsm. <br />
<br />
<pre><br />
1. Import the NorduGrid root cert<br />
<br />
1.1. Get 1f0e8352.0 from the NorduGrid web site<br />
<br />
1.2. gpgsm --import 1f0e8352.0<br />
<br />
1.3. Make it trusted (append "FINGERPRINT S" for the CA you just imported to the trust list):<br />
gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' | grep THE-FINGERPRINT-YOU-WANT >> .gnupg/trustlist.txt<br />
<br />
2. Add your own certificate and key, in this case from the cert+key.p12 file<br />
<br />
2.1. openssl pkcs12 -in cert+key.p12 -out tmp.pem -nokeys<br />
<br />
2.2. gpgsm --import tmp.pem ; rm tmp.pem<br />
     Note: -nokeys extracts only the certificate. To be able to sign you also need the private key,<br />
     which gpgsm can import straight from the PKCS#12 file: gpgsm --import cert+key.p12<br />
<br />
2.3. Tell gpgsm not to use revocation lists (bad for security: a revoked certificate will still be<br />
     accepted; only do this if CRL fetching cannot be made to work)<br />
echo disable-crl-checks >> .gnupg/gpgsm.conf<br />
<br />
3. Test<br />
gpgsm --detach-sign file > sign # should ask for passphrase and give some kind of signature file<br />
<br />
4. Use:<br />
C-uC-cC-s then enter your email address (must match the email in the cert) and passphrase<br />
<br />
</pre></div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7623Requesting a grid certificate using the Sectigo SSO Portal2020-10-19T07:34:37Z<p>Jens Larsson (NSC): /* Requesting a certificate */</p>
<hr />
<div>== Organization Support ==<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".<br />
<br />
FIXME: Discuss error messages you can get at this point.<br />
<br />
FIXME: Add text about ssocheck at the https://cert-manager.com/customer/sunet/ssocheck<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser<br />
<br />
To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Generate RSA<br />
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side<br />
* If there is a technical reason that requires the key to be generated locally<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL (replace ''Mitt Namn'' with your name; openssl will prompt for a passphrase that encrypts the new private key, so do not add -nodes):<br />
<br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Upload CSR<br />
* Use "Choose File" to upload the usercert_request.pem file you created above<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
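The portal checks that the CSR parses, but not that it belongs to the key file you keep, and a mix-up here is only discovered when the issued certificate refuses to work with the key. The functions below are an added example, not part of the original page: they generate the key and CSR the way the command above does, then verify the CSR's self-signature and compare its public key with the one derived from the key file. They assume the passphrase for the new key is supplied in the exported variable $KEY_PASS (a stand-in for the interactive prompt) and default to 4096-bit RSA as on the page.<br />

```shell
# Added example, not from the original page. Generates key + CSR and checks
# that they belong together. Assumes exported $KEY_PASS for the key.

# Create KEY (passphrase-protected, mode 0600) and CSR for the given name.
make_key_and_csr() {
    key=$1; csr=$2; name=$3; bits=${4:-4096}
    ( umask 077
      openssl req -new -newkey "rsa:$bits" -keyout "$key" -out "$csr" \
          -subj "/CN=$name" -passout env:KEY_PASS 2>/dev/null )
}

# Return 0 if CSR verifies (its self-signature is valid, so it was not
# corrupted in transit) and its public key equals the one derived from KEY.
csr_matches_key() {
    csr=$1; key=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    from_csr=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# Print the subject of CSR, to confirm the name before uploading it.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
```

After the certificate has been issued the same comparison applies to it: openssl x509 -in certs.pem -noout -pubkey must print the same public key as openssl pkey -in userkey.pem -pubout, otherwise the wrong CSR was uploaded.<br />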
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7622Requesting a grid certificate using the Sectigo SSO Portal2020-10-19T07:32:37Z<p>Jens Larsson (NSC): /* Organization Support */</p>
<hr />
<div>== Organization Support ==<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".<br />
<br />
FIXME: Discuss error messages you can get at this point.<br />
<br />
FIXME: Add text about ssocheck at the https://cert-manager.com/customer/sunet/ssocheck<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side<br />
* If there is a technical reason that requires the key to be generated locally<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL (replace ''Mitt Namn'' with your name; openssl will prompt for a passphrase that encrypts the new private key, so do not add -nodes):<br />
<br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Upload CSR<br />
* Use "Choose File" to upload the usercert_request.pem file you created above<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser<br />
<br />
To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Generate RSA<br />
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.</div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Grid_certificates&diff=7621Grid certificates2020-10-19T07:29:11Z<p>Jens Larsson (NSC): /* Requesting a certificate */</p>
<hr />
<div>[[Category:Grid computing]]<br />
[[Category:SweGrid user guide]]<br />
[[Category:Swestore]]<br />
[[Category:Swestore user guide]]<br />
[[Getting started with SweGrid|< Getting started with SweGrid]]<br><br />
[[Swestore|< Swestore]]<br />
<br />
= Introduction =<br />
<br />
In order to access [[Swestore]] using certificate authentication, or to use grid resources, a valid eScience client certificate is required. A certificate is similar to an electronic key card: in the same way that you must swipe a key card in the lock/reader, the application you are using must present a certificate. Not having a certificate is like not having a key card; just entering the PIN code is usually not enough.<br />
<br />
Keep your certificate and its private key safe, just like a physical key or key card. Store them in a safe place, using a secure credential store, a browser master password, private directories and restrictive file permissions as appropriate.<br />
<br />
Most importantly, always protect the private key with a unique passphrase whenever possible.<br />
<br />
= Requesting a certificate =<br />
<br />
In order to use certificate authentication you need a valid certificate.<br />
<br />
Certificates are issued by a Certificate Authority (CA). The certificate needed for accessing Swestore or other grid resources must be of the ''IGTF'', ''eScience'' or ''Grid'' type; not all CAs are accredited by [http://www.igtf.net/ The International Grid Trust Federation] to issue these.<br />
<br />
For users residing in the Nordics there are two relevant CAs that can issue grid/eScience/e-Science certificates: ''Sectigo'' and ''NorduGrid''. The Sectigo CA is preferred if it is available for your university or research group, but some institutions have not enabled this service yet. The NorduGrid CA can also be used but requires more manual work by all parties.<br />
<br />
<br />
Recommended procedure for each university:<br />
<br />
{| class="wikitable"<br />
!style="text-align:left;"|University<br />
! Recommended CA<br />
! Specific instructions<br />
|-<br />
| Chalmers University of Technology (CTH)<br />
| Digicert<br />
| https://www.c3se.chalmers.se/documentation/personal_certificates/<br />
|-<br />
| University of Gothenburg (GU)<br />
| NorduGrid<br />
| [[GU_Certificate_Instructions|more...]]<br />
|-<br />
| Karolinska Institutet (KI)<br />
| Digicert<br />
| https://internwebben.ki.se/sv/personliga-certifikat<br />
|-<br />
| KTH Royal Institute of Technology (KTH)<br />
| Digicert<br />
| [[KTH_Certificate_Information|more...]]<br />
|-<br />
| Linköping University (LiU)<br />
| Sectigo<br />
| [[Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal|Sectigo]]<br />
|-<br />
| Luleå University of Technology (LTU)<br />
| NorduGrid<br />
| [[Requesting_a_grid_certificate_from_the_Nordugrid_CA|Nordugrid CA]]<br />
|-<br />
| Lund University (LU)<br />
| Digicert<br />
| http://www.ldc.lu.se/tjanster/it-sakerhet/certifikat<br />
|-<br />
| Sveriges Lantbruksuniversitet (SLU)<br />
| Digicert<br />
| [[Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal|Digicert]]<br />
|-<br />
| Stockholm University (SU)<br />
| Digicert<br />
| [[SU_Certificate_Information|more...]]<br />
|-<br />
| Umeå University (UmU)<br />
| Digicert<br />
| [[UmU_Certificate_Information|more...]]<br />
|-<br />
| University of Borås (UB)<br />
| Digicert<br />
| [[Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal|Digicert]]<br />
|-<br />
| Uppsala University (UU)<br />
| Digicert<br />
| [[UU_Certificate_Instructions|more...]]<br />
|-<br />
|}<br />
<br />
<br />
[[Requesting a grid certificate using the Sectigo SSO Portal|Instructions for the Sectigo CA]]<br />
<br />
[[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA (use this only if Sectigo isn't available at your site)]]<br />
<br />
An eScience certificate is valid for 13 months and thus needs to be renewed yearly.<br />
<br />
If you have acquired a certificate as part of new-user setup, return to the documentation that referred you here ([[Certificate Setup for Swestore]] for example).<br />
<br />
= Proxy certificates =<br />
<br />
Authentication to Swestore can be done using your client certificate directly (as your web browser does). On the command line, however, it is usually good practice to use a special short-lived ''proxy'' certificate instead. When using other grid resources you must use proxy certificates or similar mechanisms.<br />
<br />
A proxy certificate is basically a new short-lived certificate that you issue yourself and sign with your regular certificate (or rather its private key). If you lose a proxy certificate it will shortly expire and then be useless to an attacker. In many grid applications you upload your proxy certificate to the grid resource (the compute element might need your credentials to access a storage element as you), and while it is still valid a stolen proxy can be used to authenticate as you on all resources you have access to.<br />
<br />
There are several tools available for creating, checking and destroying these proxy certificates.<br />
The examples below demonstrate the '''arcproxy''' command from the ARC software suite. Another common tool is '''grid-proxy-init''' from the Globus packages.<br />
<br />
== Creating a proxy certificate ==<br />
<br />
This example requires that the certificate is available for use with grid tools. This is the default with '''Nordugrid certificates''', although you might need to transfer the certificate to the resource where you are using the grid tools.<br />
<br />
For '''Digicert certificates''' you must first [[Exporting_a_client_certificate|export the certificate]], transfer it to the resource where you are using the grid tools if needed and [[Preparing_a_client_certificate|prepare it for use with grid tools]].<br />
ARC can use the Firefox certificate store directly, as described in the next section.<br />
<br />
To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:<br />
<br />
$ arcproxy<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Enter pass phrase for /home/kalle/.globus/userkey.pem:<br />
.++++++<br />
.....++++++<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2016-03-11 03:00:14<br />
<br />
The proxy file itself will be created in the '''/tmp''' directory with the name '''x509up_u<uid>''', where <uid> is the numeric user id of your account (for example '''/tmp/x509up_u500''').<br />
<br />
In some cases a longer-lived proxy is needed. This is achieved using the '''--constraint''' switch. A 24-hour proxy can be created by issuing the following command:<br />
<br />
$ arcproxy --constraint="validityPeriod=24H"<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Enter pass phrase for /home/kalle/.globus/userkey.pem:<br />
....++++++<br />
.....++++++<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2011-03-11 15:03:19<br />
<br />
== Creating a proxy certificate using the Firefox/Thunderbird credential store ==<br />
<br />
Using the ARC client tools it is possible to generate a proxy certificate directly from the Firefox or Thunderbird credential stores. To do this the '''-F''' flag is used as shown in the following example:<br />
<br />
$ arcproxy -F<br />
There are 2 NSS base directories where the certificate, key, and module datbases live<br />
Number 1 is: /Users/lindemann/Library/Application Support/Firefox/Profiles/t22f3aj2.default<br />
Number 2 is: /Users/lindemann/Library/Thunderbird/Profiles/7abb733v.default<br />
Please choose the NSS database you would use (1-2): 1<br />
<br />
Here ARC lists the available Firefox and Thunderbird profiles in which credential stores are found. Next the passphrase for the credential store is used to unlock the stored credentials:<br />
<br />
NSS database to be accessed: /Users/lindemann/Library/Application Support/Firefox/Profiles/t22f3aj2.default<br />
Enter Password or Pin for "internal (software)":<br />
<br />
If the passphrase was correct, ARC lists the certificates available in the credential store and asks which one you would like to use.<br />
<br />
There are 2 user certificates existing in the NSS database<br />
Number 1 is with nickname: Jonas Lindemann xxxxx@lu.se's TERENA ID (Jonas Lindemann xxxxx@lu.se)<br />
expiration time: 2013-06-04 01:59:59<br />
Number 2 is with nickname: Imported Certificate (Jonas Lindemann)<br />
expiration time: 2014-01-18 16:55:52<br />
Please choose the one you would use (1-2): 1<br />
Certificate to use is: Jonas Lindemann xxxxxx@lu.se's TERENA ID<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2013-05-01 04:11:37<br />
<br />
== Checking proxy lifetime ==<br />
<br />
The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.<br />
<br />
$ arcproxy --info<br />
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803<br />
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Time left for proxy: 11 hours 55 minutes<br />
Proxy path: /tmp/x509up_u500<br />
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy<br />
<br />
In this example the proxy certificate is valid for 11 hours 55 minutes more.<br />
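As an added example, not part of the SNIC documentation, the following POSIX shell script turns the "Time left for proxy" line of '''arcproxy --info''' into a number that a job script can act on, so that a submission or transfer fails early with "renew your proxy" rather than half-way through. The function names proxy_minutes_left and proxy_good_for are this example's own, and the sample output embedded in it is constructed from the arcproxy --info output shown above.

```shell
#!/bin/sh
# Added example, not from the SNIC documentation: parse the "Time left for
# proxy" line of `arcproxy --info` into minutes so scripts can decide whether
# the proxy outlives the job they are about to submit.
# proxy_minutes_left and proxy_good_for are this example's own names.

# $1 = full text of `arcproxy --info`; prints the remaining lifetime in
# minutes. Handles any combination of "N days", "N hours", "N minutes"
# (seconds are ignored) and prints 0 if the line is absent or carries no
# number, e.g. when there is no proxy or it has already expired.
proxy_minutes_left() {
    printf '%s\n' "$1" | awk '
        /^Time left for proxy:/ {
            found = 1; mins = 0
            for (i = 1; i < NF; i++) {
                if ($(i+1) ~ /^day/)    mins += $i * 1440
                if ($(i+1) ~ /^hour/)   mins += $i * 60
                if ($(i+1) ~ /^minute/) mins += $i
            }
        }
        END { print (found ? mins : 0) }'
}

# $1 = info text, $2 = minutes the job is expected to need.
# Exit status 0 when the proxy outlives the job, 1 otherwise.
proxy_good_for() {
    [ "$(proxy_minutes_left "$1")" -ge "$2" ]
}

# Constructed sample, matching the arcproxy --info output shown in the text.
sample='Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy'

echo "minutes left: $(proxy_minutes_left "$sample")"   # 715
if proxy_good_for "$sample" 600; then
    echo "proxy outlives a 10 hour job, safe to submit"
else
    echo "renew the proxy first, e.g. arcproxy --constraint=validityPeriod=24H"
fi
# In real use, at the top of a job script:
#   proxy_good_for "$(arcproxy --info 2>/dev/null)" 600 || exit 1
```

The check is deliberately conservative: a missing or unparsable line counts as zero minutes, so a script that forgot to create a proxy at all is stopped as well. Ask for a lifetime that covers the job, not the longest proxy you can get; the text above explains why a long-lived proxy is the more valuable thing to lose.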
<br />
== Destroying a proxy certificate ==<br />
<br />
A proxy can be destroyed with the '''-r''' or '''--remove''' switch.<br />
<br />
$ arcproxy -r<br />
<br />
or<br />
<br />
$ arcproxy --remove<br />
<br />
= Requesting membership in the SweGrid VO =<br />
<br />
'''This was previously needed for Swestore, but Swestore users are now managed in the [https://supr.snic.se SUPR] portal.'''<br />
<br />
== Introduction ==<br />
<br />
SweGrid resources are allocated to VOs (virtual organizations) rather than to individual users. A VO is basically just a list of users. To be able to use a SweGrid resource, membership in the SweGrid VO and a corresponding subgroup is required.<br />
<br />
== Preparations ==<br />
<br />
To apply for membership, make sure that the NorduGrid root CA 2015 certificate and your personal certificate are installed in the browser. <br />
<br />
The NorduGrid CA certificate can be installed by clicking on the following link:<br />
<br />
[http://ca.nordugrid.org/NorduGrid-2015.crt http://ca.nordugrid.org/NorduGrid-2015.crt]<br />
<br />
Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.<br />
<br />
<br />
[[File:certinstall.png]]<br />
<br />
== Step 1 - Apply for VO membership ==<br />
<br />
When the NorduGrid CA certificate has been installed in the browser, go to the following URL:<br />
<br />
[https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]<br />
<br />
and follow the instructions. After a manual review, normally within a couple of hours, you will be added to the SweGrid VO.<br />
<br />
== Step 2 - Request group membership ==<br />
<br />
After being added to the Swegrid VO you need to be added to the correct project/allocation group to use that allocation. Use the '''Request membership''' function in the '''Your groups and roles section''' of your VOMS homepage at https://voms.ndgf.org:8443/voms/swegrid.se/user/home.action as shown in the following screenshot, selecting the project in the dropdown box and clicking the '''Request membership''' button. No further actions need to be taken on that page after requesting the membership.<br />
<br />
[[File:request-vo-membership.png]]<br />
<br />
The request is handled manually, usually within a few hours. Allow for a couple more hours for the membership to propagate to Swestore.<br />
<br />
== If it doesn't work ==<br />
<br />
If things don't work for some reason, contact SweGrid support at [mailto:support@swegrid.se support@swegrid.se] or Swestore support at [mailto:support@swestore.se support@swestore.se] as appropriate.<br />
<br />
= More information =<br />
<br />
A certificate consists of a public key, some user information and the signature of the CA. In addition to the certificate you have a corresponding private key. The private key is secret and should be kept as secure as possible.<br />
<br />
The grid certificate and private key are stored in your web browser and/or in your home directory on the host from which you will be accessing the resource. Standard file names are:<br />
~/.globus/usercert.pem<br />
~/.globus/userkey.pem<br />
<br />
The certificate contains your public key, your name and organization and a signature by the CA. It does not contain any username.<br />
<br />
The private key should be handled with great care. It should only be readable by you and not by the group or others (i.e. '''chmod 400 userkey.pem'''). Store the key only on trusted computers and transfer it between computers over an encrypted channel (for example scp).<br />
<br />
On shared file systems make sure that ~/.globus is not readable by everybody:<br />
chmod 700 ~/.globus<br />
and on AFS:<br />
fs sa ~/.globus system:anyuser none<br />
<br />
The private key should be encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away or share the certificate, passphrase or the unencrypted key to someone else.<br />
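As an added example, not part of the SNIC documentation, the following POSIX shell script checks the two properties the text above requires of the files in ~/.globus before any grid tool reads them: that the directory and userkey.pem are accessible only by their owner, and that the key is passphrase-encrypted rather than stored in the clear. The function names are this example's own, and the PEM files it creates under a temporary directory are constructed dummies, not real keys.

```shell
#!/bin/sh
# Added example, not from the SNIC documentation: audit a ~/.globus style
# directory before running grid tools. Two properties are checked, both
# required by the text above:
#   1. the directory and userkey.pem carry no group/other permission bits
#      (chmod 700 ~/.globus, chmod 400 userkey.pem)
#   2. userkey.pem is passphrase-encrypted, never stored in the clear
# Function names are this example's own; sample files are constructed below.

# Return 0 if the path has no group/other permission bits at all.
# Characters 5-10 of `ls -ld` output are the group and other rwx flags,
# which reads the same on GNU and BSD userlands (unlike `stat`).
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Return 0 if a PEM private key carries an encryption header: either the
# traditional "Proc-Type: 4,ENCRYPTED" or the PKCS#8 "ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Audit one directory; prints each finding with its fix and returns the
# number of problems as the exit status (0 means everything is in order).
audit_globus_dir() {
    dir=$1
    problems=0
    if ! owner_only "$dir"; then
        echo "WARN: $dir is accessible to group/others (fix: chmod 700 $dir)"
        problems=$((problems + 1))
    fi
    key=$dir/userkey.pem
    if [ ! -f "$key" ]; then
        echo "WARN: $key not found"
        return 1
    fi
    if ! owner_only "$key"; then
        echo "WARN: $key is readable by group/others (fix: chmod 400 $key)"
        problems=$((problems + 1))
    fi
    if ! key_is_encrypted "$key"; then
        echo "WARN: $key is not passphrase protected"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# --- demonstration on constructed files (dummy PEM bodies, no real key) ---
demo=$(mktemp -d)
mkdir -p "$demo/good" "$demo/bad"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' 'ZHVtbXk=' \
    '-----END RSA PRIVATE KEY-----' > "$demo/good/userkey.pem"
chmod 700 "$demo/good"; chmod 400 "$demo/good/userkey.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'ZHVtbXk=' \
    '-----END RSA PRIVATE KEY-----' > "$demo/bad/userkey.pem"
chmod 755 "$demo/bad"; chmod 644 "$demo/bad/userkey.pem"

audit_globus_dir "$demo/good" && echo "good: no problems"
audit_globus_dir "$demo/bad" || echo "bad: $? problem(s) found"
rm -rf "$demo"
```

Run it as audit_globus_dir ~/.globus from a login script or before arcproxy; the "bad" directory in the demonstration reports three problems, the "good" one none. The encryption check only looks at the PEM header, which is enough to catch a key that was exported or converted without a passphrase; it says nothing about how strong that passphrase is.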
<br />
For more information regarding certificates and public key cryptography:<br />
<br />
* http://en.wikipedia.org/wiki/Public-key_cryptography<br />
* http://en.wikipedia.org/wiki/Public_key_certificate<br />
* http://www.nordugrid.org/documents/certificate_howto.html<br />
<br />
= VOMS proxy certificates =<br />
<br />
As long as you are a member of only one VO or VO group, you can<br />
authenticate to a grid service with the regular grid proxy certificate<br />
as defined in the previous section. If you are a member of more than<br />
one VO or VO group you may want to select which membership you want to<br />
be authenticated as. For example, if you are a member of<br />
''swegrid.se:/swegrid.se/ops'' (operations staff) and<br />
''swegrid.se:/swegrid.se/bils'' and want to write a file, who should<br />
be the owner? Ops or bils? You need to provide some additional<br />
information. In the grid world this is done with a voms proxy<br />
certificate which basically is a regular proxy certificate but with a<br />
so called voms extension that contains a list of your VO group<br />
memberships (and roles and attributes, which we don't use in<br />
Swegrid/Swestore at the moment).<br />
<br />
'''Please note, if you only have one membership you can skip this section!'''<br />
<br />
The voms extension of the certificate is signed by the virtual<br />
organization management server, or VOMS server. The very same VOMS server<br />
you used when applying for the swegrid.se VO membership in the first<br />
place. To enable this signing process you need to add a few<br />
configuration files to your system. First add this to the file<br />
'''~/.arc/vomses''' or '''/etc/vomses''': <br />
<br />
"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"<br />
<br />
<strike><br />
Next create the necessary directories and the file<br />
'''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' with the<br />
following contents:<br />
<br />
/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org<br />
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority 2015<br />
</strike><br />
== Creating a VOMS proxy ==<br />
<br />
VOMS proxies in ARC1 can be created using the '''arcproxy''' command<br />
and the '''-S''' or '''--voms''' switches as shown in the following<br />
example (if you are a member of the /swegrid.se/ops group. Adjust as<br />
necessary):<br />
<br />
$ arcproxy -S swegrid.se:/swegrid.se/ops<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Enter pass phrase for /home/kalle/.globus/userkey.pem:<br />
.....++++++<br />
............++++++<br />
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2015-12-10 23:33:06<br />
<br />
= Signing your e-mail with your certificate =<br />
<br />
First, you will need your grid certificate in PKCS12 format:<br />
== How to transform your certificate from PEM format into PKCS#12 format ==<br />
<br />
This is how you transform your certificate into PKCS12 format so that it can be used in your web browser or email program.<br />
First change directory to where you created and keep the certificate; historically this is often ~/.globus:<br />
<br />
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert+key.p12 <br />
<br />
First you will have to enter the passphrase you used for your private key, then you will be asked for a new password to protect the new file. '''cert+key.p12 contains your private key, and is therefore as valuable as userkey.pem'''. See also [[#More information]]. Security-wise the safest approach is to delete the PKCS12 file after having imported it into your mail client or browser. Don't forget this.<br />
<br />
Remarks: openssl will either need the variable RANDFILE to be set or ~/.rnd to be writable. So make sure that the current $HOME is yours if you have used pagsh to start a new shell, otherwise the command will fail with ''unable to write 'random state' ''.<br />
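As an added example, not from the SNIC documentation, the following POSIX shell script performs the same '''openssl pkcs12 -export''' step with two precautions the text above implies but the bare command does not enforce: the bundle is created under umask 077 so it is never readable by others, not even briefly, and when the conversion has to run non-interactively the passphrases are supplied through environment variables (openssl's env: form) instead of pass: arguments, which would be visible in ps output and shell history. It then checks that the bundle opens and contains the expected certificate before you import it. The functions p12_export and p12_verify, and the throwaway self-signed key pair generated in a temporary directory, are constructed for the demonstration; your real usercert.pem and userkey.pem take their place in practice.

```shell
#!/bin/sh
# Added example, not from the SNIC documentation: PEM -> PKCS#12 conversion
# that never leaves the bundle group/world-readable, takes passphrases from
# the environment, and verifies the result before it is imported anywhere.
# p12_export / p12_verify are this example's own names. The key pair used in
# the demonstration is a throwaway self-signed one generated here.
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping"; exit 0; }

# Export $1/usercert.pem + $1/userkey.pem into the PKCS#12 bundle $2.
# umask 077 (in a subshell, so it does not leak into the caller) makes the
# new .p12 owner-only from the moment it is created. KEY_PASS unlocks the
# PEM key, P12_PASS protects the bundle; both are read with env: so they
# never appear on the command line.
p12_export() {
    ( umask 077 && openssl pkcs12 -export \
        -in "$1/usercert.pem" -inkey "$1/userkey.pem" \
        -passin env:KEY_PASS -passout env:P12_PASS \
        -out "$2" )
}

# Check that bundle $1 opens with P12_PASS (the MAC is verified) and that
# the certificate inside has $2 in its subject. Prints the subject; returns
# non-zero if either check fails, so a typo in the passphrase or the wrong
# file is caught before the import, not after the originals are deleted.
p12_verify() {
    openssl pkcs12 -in "$1" -noout -passin env:P12_PASS 2>/dev/null || return 1
    subj=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null \
           | openssl x509 -noout -subject)
    echo "$subj"
    case "$subj" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# --- demonstration with a throwaway self-signed certificate ---
work=$(mktemp -d)
export KEY_PASS=demo-key-passphrase P12_PASS=demo-p12-passphrase
# Constructed stand-in for the CA-issued usercert.pem/userkey.pem: an
# encrypted private key plus a one-day self-signed certificate.
openssl req -x509 -newkey rsa:2048 -days 1 \
    -subj "/O=Grid/O=Example/CN=Kalle Kula" \
    -keyout "$work/userkey.pem" -out "$work/usercert.pem" \
    -passout env:KEY_PASS 2>/dev/null
p12_export "$work" "$work/cert+key.p12"
ls -l "$work/cert+key.p12"      # -rw------- thanks to umask 077
p12_verify "$work/cert+key.p12" "Kalle Kula" && echo "bundle OK, import it now"
# After the import into the browser or mail client, delete the bundle as the
# text above says; it is as valuable as userkey.pem.
rm -rf "$work"
```

Interactively you can leave out the two -pass options and answer the prompts as in the original command; the umask and the verification step are worth keeping either way. P12_PASS is the password the browser or mail client asks for on import.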
<br />
<br />
=== Thunderbird ===<br />
<br />
Mozilla Thunderbird is a graphical email program available for many platforms. More information at https://www.mozilla.org/thunderbird<br />
<br />
<br />
In Thunderbird, Navigate ''options->security->digitally sign this message''.<br />
<br />
If you do this for the first time and haven't yet defined the certificate to sign with, Thunderbird will pop up the corresponding preferences [Account settings/Security], where you can choose between your imported certificates in PKCS12 format.<br />
<br />
Initially, of course, you haven't imported any: on the same preferences tab that popped up, click [View Certificates]. In the new window that opens you can import the certificate.<br />
<br />
Afterwards you can choose this certificate for signing and for encryption for this email account.<br />
<br />
Don't forget to check that the mail you send actually gets signed.<br />
<br />
=== Mew ===<br />
<br />
Mew is a mail reader for Emacs. More information at https://www.mew.org/<br />
<br />
Mew uses gpgsm. <br />
<br />
<pre><br />
1. Import the nordugrid root cert<br />
<br />
1.1. get 1f0e8352.0 from nordugrid web<br />
<br />
1.2. gpgsm --import 1f0e8352.0<br />
<br />
1.3. Make it trusted:<br />
gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' | grep THE-FINGERPRINT-YOU-WANT >> .gnupg/trustlist.txt<br />
<br />
2. Add your own key from the cert+key.p12 file in this case<br />
<br />
2.1 openssl pkcs12 -in cert+key.p12 -out tmp.pem -nokeys<br />
<br />
2.2. gpgsm --import tmp.pem ; rm tmp.pem<br />
<br />
2.3. Tell gpgsm not to use revocation lists (bad bad security)<br />
echo disable-crl-checks >> .gnupg/gpgsm.conf<br />
<br />
3. Test<br />
gpgsm --detach-sign file > sign # should ask for passphrase and give some kind of sign file<br />
<br />
4. Use:<br />
C-uC-cC-s then enter your email address (must match email in cert) and passphrase<br />
<br />
</pre></div>Jens Larsson (NSC)https://docs.snic.se/w/index.php?title=Grid_certificates&diff=7620Grid certificates2020-10-19T07:27:38Z<p>Jens Larsson (NSC): /* Requesting a certificate */</p>
<hr />
<div>[[Category:Grid computing]]<br />
[[Category:SweGrid user guide]]<br />
[[Category:Swestore]]<br />
[[Category:Swestore user guide]]<br />
[[Getting started with SweGrid|< Getting started with SweGrid]]<br><br />
[[Swestore|< Swestore]]<br />
<br />
= Introduction =<br />
<br />
In order to access [[Swestore]] using certificate authentication, or to use grid resources, a valid eScience client certificate is required. A certificate is similar to an electronic key card in real life: in the same manner that you must swipe a key card in the lock/reader, the application you are using must present a certificate. Not having a certificate is similar to not having a key card; just entering the PIN code is usually not enough.<br />
<br />
Keep your certificate safe, just like a physical key or key card. Store it in a safe place, using a secure credential store, browser master password, private directories and file permissions as appropriate.<br />
<br />
Most importantly, always use a unique passphrase to protect certificates whenever possible.<br />
<br />
= Requesting a certificate =<br />
<br />
In order to use certificate authentication you need a valid certificate.<br />
<br />
Certificates are issued by a Certificate Authority, or CA. The certificate needed for accessing Swestore or other grid resources should be of the ''IGTF'', ''eScience'' or ''Grid'' type; not all CAs are certified by [http://www.igtf.net/ The International Grid Trust Federation] to issue these.<br />
<br />
For users residing in the Nordics there are two relevant CAs that can issue grid/eScience/e-Science certificates: ''Sectigo'' and ''Nordugrid''. The Sectigo CA is preferred if it is available for your university or research group, but some institutions have not enabled this service yet. The Nordugrid CA can also be used but requires more manual labor by all parties.<br />
<br />
<br />
Recommended procedure for each university:<br />
<br />
{| class="wikitable"<br />
!style="text-align:left;"|University<br />
! Recommended CA<br />
! Specific instructions<br />
|-<br />
| Chalmers University of Technology (CTH)<br />
| Digicert<br />
| https://www.c3se.chalmers.se/documentation/personal_certificates/<br />
|-<br />
| University of Gothenburg (GU)<br />
| NorduGrid<br />
| [[GU_Certificate_Instructions|more...]]<br />
|-<br />
| Karolinska Institutet (KI)<br />
| Digicert<br />
| https://internwebben.ki.se/sv/personliga-certifikat<br />
|-<br />
| KTH Royal Institute of Technology (KTH)<br />
| Digicert<br />
| [[KTH_Certificate_Information|more...]]<br />
|-<br />
| Linköping University (LiU)<br />
| Digicert<br />
| [[Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal|Digicert]]<br />
|-<br />
| Luleå University of Technology (LTU)<br />
| NorduGrid<br />
| [[Requesting_a_grid_certificate_from_the_Nordugrid_CA|Nordugrid CA]]<br />
|-<br />
| Lund University (LU)<br />
| Digicert<br />
| http://www.ldc.lu.se/tjanster/it-sakerhet/certifikat<br />
|-<br />
| Sveriges Lantbruksuniversitet (SLU)<br />
| Digicert<br />
| [[Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal|Digicert]]<br />
|-<br />
| Stockholm University (SU)<br />
| Digicert<br />
| [[SU_Certificate_Information|more...]]<br />
|-<br />
| Umeå University (UmU)<br />
| Digicert<br />
| [[UmU_Certificate_Information|more...]]<br />
|-<br />
| University of Borås (UB)<br />
| Digicert<br />
| [[Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal|Digicert]]<br />
|-<br />
| Uppsala University (UU)<br />
| Digicert<br />
| [[UU_Certificate_Instructions|more...]]<br />
|-<br />
|}<br />
<br />
<br />
[[Requesting a grid certificate using the Sectigo SSO Portal|Instructions for the Sectigo CA]]<br />
<br />
[[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA (use this only if Sectigo isn't available at your site)]]<br />
<br />
An eScience certificate is valid for 13 months and thus needs to be renewed yearly.<br />
<br />
If you have acquired a certificate as part of new-user setup, return to the documentation that referred you here ([[Certificate Setup for Swestore]] for example).<br />
<br />
= Proxy certificates =<br />
<br />
Authentication to Swestore can be done using your client certificate directly (as your web browser does). On the command line, however, it is usually good practice to use a special short-lived ''proxy'' certificate instead. When using other grid resources you must use proxy certificates or similar mechanisms.<br />
<br />
A proxy certificate is basically a new short-lived certificate that you issue yourself and sign with your regular certificate (or rather its private key). If you lose a proxy certificate it will shortly expire and then be useless to an attacker. In many grid applications you upload your proxy certificate to the grid resource (the compute element might need your credentials to access a storage element as you), and while it is still valid a stolen proxy can be used to authenticate as you on all resources you have access to.<br />
<br />
There are several tools available for creating, checking and destroying these proxy certificates.<br />
The examples below demonstrate the '''arcproxy''' command from the ARC software suite. Another common tool is '''grid-proxy-init''' from the Globus packages.<br />
<br />
== Creating a proxy certificate ==<br />
<br />
This example requires that the certificate is available for use with grid tools. This is the default with '''Nordugrid certificates''', although you might need to transfer the certificate to the resource where you are using the grid tools.<br />
<br />
For '''Digicert certificates''' you must first [[Exporting_a_client_certificate|export the certificate]], transfer it to the resource where you are using the grid tools if needed and [[Preparing_a_client_certificate|prepare it for use with grid tools]].<br />
ARC can use the Firefox certificate store directly, as described in the next section.<br />
<br />
To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:<br />
<br />
$ arcproxy<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Enter pass phrase for /home/kalle/.globus/userkey.pem:<br />
.++++++<br />
.....++++++<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2016-03-11 03:00:14<br />
<br />
The proxy file itself will be created in the '''/tmp''' directory with the name '''x509up_u<uid>''', where <uid> is the numeric user id of your account (for example '''/tmp/x509up_u500''').<br />
<br />
In some cases a longer-lived proxy is needed. This is achieved using the '''--constraint''' switch. A 24-hour proxy can be created by issuing the following command:<br />
<br />
$ arcproxy --constraint="validityPeriod=24H"<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Enter pass phrase for /home/kalle/.globus/userkey.pem:<br />
....++++++<br />
.....++++++<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2011-03-11 15:03:19<br />
<br />
== Creating a proxy certificate using the Firefox/Thunderbird credential store ==<br />
<br />
Using the ARC client tools it is possible to generate a proxy certificate directly from the Firefox or Thunderbird credential stores. To do this the '''-F''' flag is used as shown in the following example:<br />
<br />
$ arcproxy -F<br />
There are 2 NSS base directories where the certificate, key, and module datbases live<br />
Number 1 is: /Users/lindemann/Library/Application Support/Firefox/Profiles/t22f3aj2.default<br />
Number 2 is: /Users/lindemann/Library/Thunderbird/Profiles/7abb733v.default<br />
Please choose the NSS database you would use (1-2): 1<br />
<br />
Here ARC lists the available Firefox and Thunderbird profiles in which credential stores are found. Next the passphrase for the credential store is used to unlock the stored credentials:<br />
<br />
NSS database to be accessed: /Users/lindemann/Library/Application Support/Firefox/Profiles/t22f3aj2.default<br />
Enter Password or Pin for "internal (software)":<br />
<br />
If the passphrase was correct, ARC lists the certificates available in the credential store and asks which one you would like to use.<br />
<br />
There are 2 user certificates existing in the NSS database<br />
Number 1 is with nickname: Jonas Lindemann xxxxx@lu.se's TERENA ID (Jonas Lindemann xxxxx@lu.se)<br />
expiration time: 2013-06-04 01:59:59<br />
Number 2 is with nickname: Imported Certificate (Jonas Lindemann)<br />
expiration time: 2014-01-18 16:55:52<br />
Please choose the one you would use (1-2): 1<br />
Certificate to use is: Jonas Lindemann xxxxxx@lu.se's TERENA ID<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2013-05-01 04:11:37<br />
<br />
== Checking proxy lifetime ==<br />
<br />
The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.<br />
<br />
$ arcproxy --info<br />
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803<br />
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Time left for proxy: 11 hours 55 minutes<br />
Proxy path: /tmp/x509up_u500<br />
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy<br />
<br />
In this example the proxy certificate is valid for 11 hours 55 minutes more.<br />
<br />
== Destroying a proxy certificate ==<br />
<br />
A proxy can be destroyed with the '''-r''' or '''--remove''' switch.<br />
<br />
$ arcproxy -r<br />
<br />
or<br />
<br />
$ arcproxy --remove<br />
<br />
= Requesting membership in the SweGrid VO =<br />
<br />
'''This was previously needed for Swestore, but Swestore users are now managed in the [https://supr.snic.se SUPR] portal.'''<br />
<br />
== Introduction ==<br />
<br />
SweGrid resources are allocated to VOs (virtual organizations) rather than to individual users. A VO is basically just a list of users. To be able to use a SweGrid resource, membership in the SweGrid VO and a corresponding subgroup is required.<br />
<br />
== Preparations ==<br />
<br />
To apply for membership, make sure that the NorduGrid root CA 2015 certificate and your personal certificate are installed in the browser. <br />
<br />
The NorduGrid CA certificate can be installed by clicking on the following link:<br />
<br />
[http://ca.nordugrid.org/NorduGrid-2015.crt http://ca.nordugrid.org/NorduGrid-2015.crt]<br />
<br />
Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.<br />
<br />
<br />
[[File:certinstall.png]]<br />
<br />
== Step 1 - Apply for VO membership ==<br />
<br />
When the NorduGrid CA certificate has been installed in the browser, go to the following URL:<br />
<br />
[https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]<br />
<br />
and follow the instructions. After a manual review, normally within a couple of hours, you will be added to the SweGrid VO.<br />
<br />
== Step 2 - Request group membership ==<br />
<br />
After being added to the Swegrid VO you need to be added to the correct project/allocation group to use that allocation. Use the '''Request membership''' function in the '''Your groups and roles section''' of your VOMS homepage at https://voms.ndgf.org:8443/voms/swegrid.se/user/home.action as shown in the following screenshot, selecting the project in the dropdown box and clicking the '''Request membership''' button. No further actions need to be taken on that page after requesting the membership.<br />
<br />
[[File:request-vo-membership.png]]<br />
<br />
The request is handled manually, usually within a few hours. Allow for a couple more hours for the membership to propagate to Swestore.<br />
<br />
== If it doesn't work ==<br />
<br />
If things don't work for some reason, contact SweGrid support at [mailto:support@swegrid.se support@swegrid.se] or Swestore support at [mailto:support@swestore.se support@swestore.se] as appropriate.<br />
<br />
= More information =<br />
<br />
A certificate consists of a public key, some user information and the signature of the CA. In addition to the certificate you have a corresponding private key. The private key is secret and should be kept as secure as possible.<br />
<br />
The grid certificate and private key are stored in your web browser and/or in your home directory on the host from which you will be accessing the resource. Standard file names are:<br />
~/.globus/usercert.pem<br />
~/.globus/userkey.pem<br />
<br />
The certificate contains your public key, your name and organization and a signature by the CA. It does not contain any username.<br />
<br />
The private key should be handled with great care. It should only be readable by you and not by the group or others (i.e. '''chmod 400 userkey.pem'''). Store the key only on trusted computers and transfer it between computers over an encrypted channel (for example scp).<br />
<br />
On shared file systems make sure that ~/.globus is not readable by everybody:<br />
chmod 700 ~/.globus<br />
and on AFS:<br />
fs sa ~/.globus system:anyuser none<br />
<br />
The private key should be encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away or share the certificate, passphrase or the unencrypted key to someone else.<br />
<br />
For more information regarding certificates and public key cryptography:<br />
<br />
* http://en.wikipedia.org/wiki/Public-key_cryptography<br />
* http://en.wikipedia.org/wiki/Public_key_certificate<br />
* http://www.nordugrid.org/documents/certificate_howto.html<br />
<br />
= VOMS proxy certificates =<br />
<br />
As long as you are a member of only one VO or VO group, you can<br />
authenticate to a grid service with the regular grid proxy certificate<br />
described in the previous section. If you are a member of more than<br />
one VO or VO group you may want to select which membership you are<br />
authenticated as. For example, if you are a member of both<br />
''swegrid.se:/swegrid.se/ops'' (operations staff) and<br />
''swegrid.se:/swegrid.se/bils'' and want to write a file, who should<br />
be the owner, ops or bils? You need to provide some additional<br />
information. In the grid world this is done with a VOMS proxy<br />
certificate, which is essentially a regular proxy certificate with a<br />
so-called VOMS extension that contains a list of your VO group<br />
memberships (and roles and attributes, which we don't use in<br />
Swegrid/Swestore at the moment).<br />
<br />
'''Please note, if you only have one membership you can skip this section!'''<br />
<br />
The voms extension of the certificate is signed by the virtual<br />
organization management server, or VOMS server. The very same VOMS server<br />
you used when applying for the swegrid.se VO membership in the first<br />
place. To enable this signing process you need to add a few<br />
configuration files to your system. First add this to the file<br />
'''~/.arc/vomses''' or '''/etc/vomses''': <br />
<br />
"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"<br />
<br />
<strike><br />
Next create the necessary directories and the file<br />
'''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' with the<br />
following contents:<br />
<br />
/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org<br />
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority 2015<br />
</strike><br />
== Creating a VOMS proxy ==<br />
<br />
VOMS proxies in ARC1 are created with the '''arcproxy''' command<br />
and the '''-S''' or '''--voms''' switch, as shown in the following<br />
example (which assumes you are a member of the /swegrid.se/ops group;<br />
adjust as necessary):<br />
<br />
$ arcproxy -S swegrid.se:/swegrid.se/ops<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula<br />
Enter pass phrase for /home/kalle/.globus/userkey.pem:<br />
.....++++++<br />
............++++++<br />
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2015-12-10 23:33:06<br />
<br />
= Signing your e-mail with your certificate =<br />
<br />
First, you will need your grid certificate in PKCS12 format:<br />
== How to transform your certificate from PEM format into PKCS#12 format ==<br />
<br />
This is how you convert your certificate into PKCS#12 format, which can then be imported into your web browser or email program.<br />
First change into the directory where you created and keep the certificate; historically this is ~/.globus:<br />
<br />
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert+key.p12 <br />
<br />
You will first be asked for the password of your private key, and then for a new password to protect the new file. '''cert+key.p12 contains your private key and is therefore as valuable as userkey.pem'''. See also [[#More information]]. Security-wise the safest approach is to delete the PKCS12 file once you have imported it into your mail client or browser. Don't forget this.<br />
<br />
Remark: openssl needs either the RANDFILE variable to be set or ~/.rnd to be writable. Make sure that the current $HOME is your own home directory if you have switched identity with pagsh; otherwise the command fails with "unable to write 'random state'".<br />
<br />
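The export above, wrapped so that the resulting .p12 is created owner-only, verified with its new password, and removed again after import. This is an added example and not part of the original documentation; it assumes openssl is installed, and passes the passwords with the pass: syntax only so that the demonstration runs unattended (interactively you would omit -passin and -passout and type them as the text describes).<br />

```shell
#!/bin/sh
# Added example, not part of the original documentation: wrap the openssl
# export above so the .p12 is never group/world-readable and is verified
# before use. Assumes openssl is installed.

# export_p12 CERT KEY OUT KEYPASS P12PASS
# Creates OUT with mode 600 (via umask in a subshell) and checks that the
# bundle opens with P12PASS before reporting success.
export_p12() {
    cert=$1; key=$2; out=$3; keypass=$4; p12pass=$5
    ( umask 077 && openssl pkcs12 -export -in "$cert" -inkey "$key" \
        -out "$out" -passin "pass:$keypass" -passout "pass:$p12pass" ) || return 1
    # Round-trip check: the bundle must be readable with the password just set.
    openssl pkcs12 -in "$out" -info -noout -passin "pass:$p12pass" 2>/dev/null
}

# remove_p12 FILE: delete the bundle after import, as the text recommends,
# overwriting it first where GNU shred is available.
remove_p12() {
    if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
    [ ! -e "$1" ]
}

# Demonstration with a constructed self-signed test identity (not a grid
# certificate): the key is passphrase-protected like a real userkey.pem.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=constructed test' \
        -keyout "$d/userkey.pem" -out "$d/usercert.pem" \
        -passout pass:demo-key-pass >/dev/null 2>&1 || return 1
    export_p12 "$d/usercert.pem" "$d/userkey.pem" "$d/cert+key.p12" \
        demo-key-pass demo-p12-pass || return 1
    mode=$(stat -c '%a' "$d/cert+key.p12" 2>/dev/null || stat -f '%Lp' "$d/cert+key.p12")
    [ "$mode" = 600 ] || return 1
    # A wrong bundle password must be rejected by the round-trip check.
    openssl pkcs12 -in "$d/cert+key.p12" -info -noout -passin pass:wrong 2>/dev/null && return 1
    remove_p12 "$d/cert+key.p12" && rm -rf "$d"
}
```

Call demo to run the whole sequence on throw-away material; for your real certificate call export_p12 with the paths under ~/.globus.<br />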
=== Thunderbird ===<br />
<br />
Mozilla Thunderbird is a graphical email program available for many platforms. More information is available at https://www.mozilla.org/thunderbird<br />
<br />
In Thunderbird, navigate to ''options->security->digitally sign this message''.<br />
<br />
If you do this for the first time and have not yet chosen a certificate to sign with, Thunderbird opens the corresponding preferences pane [Account settings/Security], where you can choose among your imported PKCS12 certificates.<br />
<br />
Initially you will not have imported any: on the same preferences tab that popped up, click [View Certificates]. In the window that opens you can import the certificate.<br />
<br />
Afterwards you can choose this certificate for signing and encryption for this email account.<br />
<br />
Don't forget to check that the mail really is signed when you send it.<br />
<br />
=== Mew ===<br />
<br />
Mew is a mail reader for Emacs. More information at https://www.mew.org/<br />
<br />
Mew uses gpgsm. <br />
<br />
<pre><br />
1. Import the NorduGrid root certificate<br />
<br />
1.1. Fetch 1f0e8352.0 from the NorduGrid web site<br />
<br />
1.2. gpgsm --import 1f0e8352.0<br />
<br />
1.3. Make it trusted:<br />
gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' | grep THE-FINGERPRINT-YOU-WANT >> .gnupg/trustlist.txt<br />
<br />
2. Add your own key, in this case from the cert+key.p12 file<br />
<br />
2.1. openssl pkcs12 -in cert+key.p12 -out tmp.pem -nokeys<br />
<br />
2.2. gpgsm --import tmp.pem ; rm tmp.pem<br />
<br />
2.3. Tell gpgsm not to use revocation lists (weakens security: a revoked certificate is still accepted)<br />
echo disable-crl-checks >> .gnupg/gpgsm.conf<br />
<br />
3. Test<br />
gpgsm --detach-sign file > sign # should ask for the passphrase and write a detached signature to 'sign'<br />
<br />
4. Use:<br />
C-uC-cC-s then enter your email address (must match the email in the certificate) and passphrase<br />
<br />
</pre></div>Jens Larsson (NSC)