Certificates

From SNIC Documentation
Revision as of 14:50, 27 October 2011 by Jens Larsson (NSC) (talk | contribs)

Introduction

In order to get access to compute and storage resources on the grid, you must have a valid grid client certificate. This certificate is used instead of a regular password as the authentication mechanism when accessing the resource. There is no need for a special account/username; everything is resolved through the unique certificate id.

IMPORTANT

  • The grid certificate consists of 2 files located in ~/.globus on the host(s) from which you will be accessing resources:
     usercert.pem -- grid certificate
     userkey.pem -- the private key, be careful with this file.
  • The certificate is personal and only bound to you as a person (it consists of a name, organisation and an e-mail address). It is not bound to a specific machine or a user name.
  • The certificate is valid for 1 year only; after that it must be renewed.
  • The private key is encrypted using a password of your choice. Anyone who can decrypt this private key will be able to authenticate as you wherever this grid certificate is used as authentication (the public key, on the other hand, is public, and may be readable by others).
  • The private key should therefore be handled with great care. On every machine where it exists it must only be readable by you (i.e. chmod 400 userkey.pem). Any transfer of the private key between computers must only be done using encryption (such as scp, sftp, rsync over ssh, etc.).
  • You must choose a strong password for the private key. This password must not be used anywhere else and should not be easily cracked. You must never ever give away the password to somebody else.
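
The handling rules above can be checked on each host with a short script. This is an added example, not part of the SNIC documentation; the function names file_mode, check_grid_key and cert_expiring are hypothetical, and cert_expiring assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: audit the private key in a grid credential directory.

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_grid_key [DIR]: DIR defaults to ~/.globus.
# Returns 0 when userkey.pem is private and passphrase-protected, 1 otherwise.
check_grid_key() {
    dir=${1:-"$HOME/.globus"}
    key="$dir/userkey.pem"
    rc=0

    if [ ! -f "$key" ]; then
        echo "FAIL: $key not found"
        return 1
    fi

    # No group/other bits may be set; the page recommends mode 400.
    mode=$(file_mode "$key")
    case "$mode" in
        [0-7]00) echo "ok:   $key mode $mode" ;;
        *)       echo "FAIL: $key mode $mode, run: chmod 400 $key"; rc=1 ;;
    esac

    # Encrypted PEM keys carry one of these markers: PKCS#8 uses the
    # ENCRYPTED PRIVATE KEY header, the traditional format a Proc-Type line.
    if grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$key"; then
        echo "ok:   $key is passphrase-protected"
    else
        echo "FAIL: $key is stored unencrypted"; rc=1
    fi
    return $rc
}

# cert_expiring [DAYS] [DIR]: returns 0 when usercert.pem expires within DAYS
# (default 30) or cannot be parsed. Requires the openssl command-line tool.
cert_expiring() {
    days=${1:-30}
    cert="${2:-$HOME/.globus}/usercert.pem"
    ! openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null 2>&1
}
```

Source the file and run check_grid_key with no argument to audit ~/.globus; cert_expiring 30 gives an early warning before the 1-year validity runs out.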

For more information regarding certificates and public key cryptography:

http://en.wikipedia.org/wiki/Public-key_cryptography
http://en.wikipedia.org/wiki/Public_key_certificate

Getting a certificate

For details: http://ca.nordugrid.org

For many details: http://www.nordugrid.org/documents/certificate_howto.html

Another description: http://www.nsc.liu.se/systems/storage.html#Getting%20a%20Grid%20Certificate