Difference between revisions of "Requesting a grid certificate using the Terena eScience Portal"

From SNIC Documentation
m (Clarify that clicking next is usually good enough.)
(Refer to dedicated pages instead of duplicating stuff)
Line 39: Line 39:
 
'''The resulting certificate Subject or DN should at this point start with "/DC=org/DC=terena/DC=tcs/". If it starts with "/C=SE/O=YOUR SITE/" then you have the wrong type of certificate. Please make sure you use the right portal above. If the problem persists, please contact support@swegrid.se before proceeding'''  
 
'''The resulting certificate Subject or DN should at this point start with "/DC=org/DC=terena/DC=tcs/". If it starts with "/C=SE/O=YOUR SITE/" then you have the wrong type of certificate. Please make sure you use the right portal above. If the problem persists, please contact support@swegrid.se before proceeding'''  
  
=== Exporting Terena certificate for use with Grid tools ===
+
=== Exporting the Terena certificate for use with Grid tools ===
  
To use the Terena certificates with the ARC grid client they have to be exported from the browser and converted into a suitable format. To export and convert a certificate installed the following procedure can be used:
+
To use the Terena certificates with the ARC grid client they have to be exported from the browser and converted into a suitable format.
  
1. Export the installed certificate in the PKCS12 format. On Mac OSX, select both the private key and the certificate by clicking them while holding the apple key, then right click one of them and select "Export 2 items..." and save as DELETE_ME.p12 in a good location. In Firefox this is accomplished from the '''Options -> Advanced -> Encryption''' or '''Edit -> Preferences -> Advanced -> Encryption''' Dialog (depending on OS/Version), shown below:
+
See [[Exporting a client certificate]] for detailed instructions on how to export a Terena certificate from the most popular browsers.
  
[[File:browser1.png|400px]]
+
See [[Preparing a client certificate]] for detailed instructions on how to prepare the exported certificate for use with grid tools.
 
 
To show all installed certificate click on the "View Certificates" buttton. This will shown the following dialog:
 
 
 
[[File:browser2.png|400px]]
 
 
 
To backup your newly created certificate select the Terena certificate and click on the "Backup" button in the previous dialog. This brings up a dialog for selecting a filename and location for the certificate. Save your certificate as DELETE_ME.p12 in a good location. The file with be given the extension .p12 indicating that it is a PKCS12 certificate. When the location has been selected another dialog is shown asking for a export password. This password will protect the certificate and private key. As shown in the next figure:
 
 
 
[[File:browser3.png|400px]]
 
 
 
Use the password quality meter to choose a strong password for the exported certificate and private key. In Chrome the procedure is pretty much identical except that the "Export..." button is found by going to the Chrome Settings, clicking "Under the Hood" in the sidebar and then the "Manage Certificates..." button.
 
 
 
2. Converting the PKCS12 certificate to a format suitable for use with grid clients (PEM)
 
 
 
Create a directory, .globus, in your home directory.
 
 
 
Linux / Unix:
 
 
 
$ cd ~
 
$ mkdir .globus
 
$ cd .globus
 
 
 
In windows
 
 
 
C:\...\>cd C:\Users\<username>
 
C:\...\>mkdir .globus
 
C:\...\>cd .globus
 
 
 
Using the "openssl" command we now convert the exported certifcate to the correct format. '''Windows users:''' OpenSSL for Windows is available [http://www.openssl.org/related/binaries.html here].
 
 
 
The first step is to convert the private key. The openssl command will first ask for the password chosen when the certificate was exported ("Enter Import Password:"). In the next step the pass phrase for the exported private key is chosen ("Enter PEM pass phrase:"). Please choose a strong passphrase.
 
 
 
openssl pkcs12 -nocerts -in DELETE_ME.p12 -out userkey.pem
 
Enter Import Password:
 
MAC verified OK
 
Enter PEM pass phrase:
 
Verifying - Enter PEM pass phrase:
 
 
 
In the next step the certificate is converted. In the same way as with the private key we have to specify the export password again ("Enter Import Password:").
 
 
 
openssl pkcs12 -clcerts -nokeys -in DELETE_ME.p12 -out usercert.pem
 
Enter Import Password:
 
MAC verified OK
 
 
 
Before we can use the private key with or client tools the permissions on the private key file (userkey.pem) has to changed to a more restrictive setting (Linux/Unix):
 
 
 
chmod 400 userkey.pem
 
 
 
Do not forget to delete DELETE_ME.p12 when you are done.
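Review bot: the text removed at the end of this hunk carried this page's only handling guidance for the private key (choose a strong PEM pass phrase, `chmod 400 userkey.pem`, delete DELETE_ME.p12 when done), and the two replacement "See [[...]]" sentences do not mention any of it. Confirm that [[Exporting a client certificate]] and [[Preparing a client certificate]] cover all three points, or keep a one-line reminder here so a reader who only skims the links does not leave the exported .p12 and a key file with default permissions behind.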
 

Revision as of 14:32, 22 May 2013



The Terena eScience Portal is an effort to provide users with a tool for requesting grid certificates using the credentials from their home institution or university.

To request a Terena eScience Certificate go to the following URL: https://tcs-escience.sunet.se

It's vital that you DON'T use https://tcs-personal.sunet.se. This is a very similar portal, but the certificate it issues is not usable in grid communities such as DEISA, Swegrid and Swestore.

A screencast version of these instructions is available here.

The detailed procedure is as follows:

1. Click "Login"

2. If requested, click on Sweden on the map.

3. Choose your identity provider in the drop-down box. This is usually your home university.

4. Log in using your credentials from your identity provider (your university).

You should now arrive at a "home" page like the one shown below:

[Screenshot: Terena1.png]

5. Click on the "My certificates" link at the top left of the page. You should then arrive at a page from which you will create and manage your certificates.

[Screenshot: Terena2.png]


6. To create a new certificate, click on the "New certificate" link. Follow the instructions, clicking next where possible (the defaults are usually OK). When the process is completed, your certificate will be listed on the same page.

7. Install the signed certificate in your browser by clicking on the "Install in keystore" link. This will install the certificate in the keystore of your browser. On Mac OS X, most browsers (except Firefox) will instead offer to save the certificate file by default, and in order to use it you must import it into your keychain. You can, for example, do this by double-clicking it in the Finder.

The resulting certificate Subject or DN should at this point start with "/DC=org/DC=terena/DC=tcs/". If it starts with "/C=SE/O=YOUR SITE/" then you have the wrong type of certificate. Please make sure you use the right portal above. If the problem persists, please contact support@swegrid.se before proceeding.

Exporting the Terena certificate for use with Grid tools

To use the Terena certificates with the ARC grid client they have to be exported from the browser and converted into a suitable format.

See Exporting a client certificate for detailed instructions on how to export a Terena certificate from the most popular browsers.

See Preparing a client certificate for detailed instructions on how to prepare the exported certificate for use with grid tools.
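
The Subject/DN check described above can be repeated from the command line once the certificate has been exported and prepared. The following is an added example, not part of the SNIC documentation: it assumes the certificate is available as a PEM file and that `openssl` is installed; the function names are hypothetical, and "YOUR SITE" is treated as a wildcard.

```shell
#!/bin/sh
# Added example (not from the SNIC page): classify a certificate subject DN.
# The two prefixes are the ones quoted on the page; "YOUR SITE" is matched
# as a wildcard (assumption).

# Normalise either OpenSSL subject style to the slash form the page uses:
#   subject= /DC=org/DC=terena/DC=tcs/...          (older OpenSSL)
#   subject=DC = org, DC = terena, DC = tcs, ...   (OpenSSL 1.1 and later)
# Values containing ", " are not handled; only the leading components matter.
normalize_dn() {
    printf '%s\n' "$1" | sed \
        -e 's/^subject= *//' \
        -e '/^\//b' \
        -e 's/ = /=/g' \
        -e 's|, |/|g' \
        -e 's|^|/|'
}

# Print "escience", "wrong-portal" or "unknown" for a subject string.
classify_dn() {
    dn=$(normalize_dn "$1")
    case "$dn" in
        /DC=org/DC=terena/DC=tcs/*) echo escience ;;
        /C=SE/O=*)                  echo wrong-portal ;;
        *)                          echo unknown ;;
    esac
}

# Read the subject from a PEM certificate; succeed only for an eScience DN.
check_cert() {
    subject=$(openssl x509 -noout -subject -in "$1") || return 2
    result=$(classify_dn "$subject")
    echo "$1: $result ($subject)"
    [ "$result" = escience ]
}

# Usage: sh check_dn.sh path/to/certificate.pem
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

A result of `wrong-portal` corresponds to the case the page describes, where the certificate was requested from the wrong portal.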