Getting a User Certificate via Web interface
Please send feedback on the documentation or ask questions about the process to the Grid Operations Center
About This Document
This document contains general instructions on how a scientist can obtain the electronic credentials that allow use of the Open Science Grid (OSG). Getting these credentials is part of the process of becoming a new grid user.
The steps are:
- Getting what's called a certificate as described below in this document.
- Registering this certificate with a type of organization known as a VO that is authorized to use computers on the grid. This is explained further down in this document.
These instructions are mainly for users who do not yet have credentials. If you already have a certificate, you probably want to renew or replace it instead.
You first need to know which VO you should join. If you're not sure, may help, or please email the Grid Operations Center.
From your VO you should find out
- Whether to use these instructions or some VO specific ones instead;
- Who to use as your sponsor for the certificate;
- The URL for applying for VO membership, the sponsor to use, and what group, if any, to request; and
- What machine you can use to submit jobs to OSG. The VO may need to make you an account on that machine.
These instructions were written for Firefox, although the basic steps are similar for other browsers.
Setting the Master Password (Optional)
To help protect the certificate, it's best to set Firefox's master password. First, go to the Security submenu under Options/Preferences, which is reachable under Tools -> Options, Firefox -> Preferences for Macs, or Edit -> Preferences, depending on your platform. Then click on the "Use a master password" button and set a password when prompted. The browser will later ask you for this password when you use your certificate.
There is more information about protecting grid
Downloading CA certificate files for new OSG DigiCert-based certificates
you will find the location from which you can download the DigiCert root and intermediate CA certificates that need to be added to the OS X Keychain (for example) or to the trusted issuer stores of the various browsers.
The following is a sample of the page and of the file that need to be downloaded and imported.
Installing into a Web Browser
To import the CA certificates into your browser, download both the Root and Intermediate PEM format files, then go into the Certificate Manager of your browser and use the Import function. Make sure you import these certificates as Authorities.
Requesting a New User Certificate
- Start your browser and go to https://oim.grid.iu.edu/oim/certificaterequestuser.
- Select the appropriate VO from the drop down menu.
- After having read through the OSG Policy Agreement, check the "I AGREE" box and click on Submit.
SHA-2 Certificate Solutions DigiCert SHA-256 SSL
SHA-2 certificates are currently only available in OIM-ITB (http://oim-itb.grid.iu.edu/oim/certificate). The process for obtaining a SHA-2 certificate is exactly the same as the one outlined above; the change from SHA-1 to SHA-2 is transparent to the user.
The following are a few ways to verify that your newly downloaded user certificate is a SHA-2 certificate.
In Keychain Access (Mac OS X):
- Open up "Keychain Access"
- Locate and highlight the DigiCert certificate that you have imported into your Keychain
- Right-click the certificate and select "Get Info"
- Scroll down to "Signature Algorithm"; it should say something similar to "SHA-256 with RSA Encryption ( 1 2 840 113549 1 1 11 )"
In Firefox:
- Open up your Firefox browser
- Drill down on the "Firefox" menu and select "Preferences…"
- Select the "Certificates" tab and click on "View Certificates"
- Locate and highlight the DigiCert certificate that you have imported into your browser
- Click on the "View…" button; another window will come up containing the certificate's information
- Click on the "Details" tab and scroll down the "Certificate Fields" section to "Certificate Signature Algorithm"
- In the "Field Value" section you should see "PKCS #1 SHA-256 With RSA Encryption"
On the command line:
- Convert your .p12 file to a .pem file
- Run openssl to obtain the details of your certificate
In most cases, you will have to apply separately for VO membership. Depending on your VO, you will most likely use either a VOMRS server or a VOMS-Admin server. Both require that you have your certificate. Find out the URL of your VO's VOMRS or VOMS-Admin server either from your VO administrator or from the list at MyOSG.
If your VO uses a VOMRS server:
- Go to the VOMRS URL. When the browser asks for a certificate, select the one you just got. The bottom left corner of the page should have some red text that says "You are logged in as ...", with your name after "CN=".
- Click on "Registration (Phase I)" in the left-hand menu bar and follow the directions there. For "Application", write the program that you plan to use most often. You should probably contact the representative to let them know about this request.
- When you get an email from the server, click on the enclosed URL and then wait for the representative to approve you.
To confirm this step, return to the VOMRS server, select your new certificate when prompted, and you should see a page like this:
The certificate information shown in red at the bottom of the page should correspond to the certificate that you registered. Also, the "[+] Member Info" line in the menu at the top left of the page should be present.
Next click on the "[+] Member Info" line, click on all the check boxes in the page that comes up, and click "Search". This should bring up all the information that the VO has about you.
If your VO uses a VOMS-Admin server:
- Go to the voms-admin URL for your VO. Make sure that the DN listed is the one for the certificate that you just got, then fill out the form and click "register". If you should belong to a particular group, either send an email to the VO administrator or, if there is a comments box on the page, mention it there.
- Wait for the email from the VOMS-Admin server, and click on the URL in it to complete the request.
- Wait for an email triggered by a human, the VO administrator, saying that you are approved.
To confirm this step, visit the VOMS-Admin server again and check that you get a page like this:
Exporting the Certificate to Disk
To export your certificate,
- Open the certificate manager: Options/Preferences -> Advanced -> Encryption -> View Certificates. Select the certificate that you would like to export, and press "Backup".
- When prompted, type in the name of the file to hold the new certificate. If you name it "usercred.p12" then grid programs can automatically recognize it.
- When prompted, set a password for the certificate. You'll need this to be able to use the certificate later.
- After pressing OK, you should see:
Transferring the Certificate to the Submit Host
You next need to transfer your certificate to the machine from which you'll be submitting jobs, the submit host.
- Find out from your VO the name of a submit host.
- One way to do the transfer is with the scp program:
$ scp -p usercred.p12 YOUR_USERNAME@SUBMIT_HOSTNAME:
usercred.p12 100% 5084 5.0KB/s 00:00
Here you should replace YOUR_USERNAME with your user id on the submit host, and SUBMIT_HOSTNAME with the name of the submit host. The "@" and ":" symbols are important. Another way to do the transfer is with a GUI scp/sftp client.
- Log into the remote host:
$ ssh YOUR_USERNAME@SUBMIT_HOSTNAME
- Generate the .pem files needed by Globus (the $HOME/.globus directory must already exist; see the mkdir step below). The first command extracts the certificate only; the second extracts the private key, which stays passphrase-protected:
$ openssl pkcs12 -in usercred.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
$ openssl pkcs12 -in usercred.p12 -nocerts -out $HOME/.globus/userkey.pem
- Make sure that the permissions are correct:
$ chmod 400 usercred.p12
- Make a directory called ".globus", and move the certificate into that directory:
$ mkdir .globus
$ mv usercred.p12 .globus/
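As an added example (not part of the OSG page or its tools), a POSIX shell script covering both the command-line SHA-2 check listed under the verification methods above and the submit-host steps just described: it creates the .globus directory before extracting the .pem files, locks down the key file, and reports the certificate's signature algorithm. It assumes the openssl CLI and a P12_PASS environment variable holding the .p12 passphrase; make_test_p12 builds a constructed throwaway self-signed credential only so the script can be tried without a real one.

```shell
#!/bin/sh
# Added example, not from the OSG page. Assumes the openssl CLI is installed.
# Passphrases are read from the P12_PASS environment variable so they never
# show up on the command line or in `ps` output.
set -eu

# Install usercred.p12 into $dest (normally $HOME/.globus) the way Globus
# expects: directory first, cert world-readable, key owner-only and still
# passphrase-protected, and the .p12 moved in alongside them.
install_globus_creds() {
    p12="$1"; dest="$2"
    mkdir -p "$dest"                      # must exist before openssl writes into it
    chmod 700 "$dest"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS \
        -out "$dest/usercert.pem"
    chmod 644 "$dest/usercert.pem"
    # subshell umask so the key file is never world-readable, even briefly
    ( umask 077; openssl pkcs12 -in "$p12" -nocerts \
        -passin env:P12_PASS -passout env:P12_PASS -out "$dest/userkey.pem" )
    chmod 400 "$dest/userkey.pem"
    mv "$p12" "$dest/" && chmod 400 "$dest/$(basename "$p12")"
}

# Print the signature algorithm of the certificate in a PEM file and return 0
# only if it is a SHA-2 RSA signature (a SHA-1 signature returns 1).
cert_sig_alg() {
    alg=$(openssl x509 -in "$1" -noout -text |
          sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    printf '%s\n' "$alg"
    case "$alg" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed throwaway credential for trying this out: a self-signed,
# SHA-256-signed cert bundled into a .p12 (NOT a DigiCert-issued one).
make_test_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Example/CN=Test User" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -passout env:P12_PASS -out "$1/usercred.p12"
    rm -f "$1/key.pem" "$1/cert.pem"
}
```

On a real submit host you would call install_globus_creds usercred.p12 "$HOME/.globus" after exporting P12_PASS, then cert_sig_alg "$HOME/.globus/usercert.pem" to confirm the SHA-2 signature.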
The next steps are to run a test job and then real jobs.