Getting a User Certificate via Web interface

Please send feedback on the documentation or ask questions about the process to the Grid Operations Center.

About This Document

This document contains general instructions on how a scientist can obtain the electronic credentials that allow the use of the Open Science Grid (OSG). Getting these credentials is part of the process of becoming a new grid user. The steps are:

  1. Getting what's called a certificate as described below in this document.
  2. Registering this certificate with a type of organization known as a VO that is authorized to use computers on the grid. This is explained further down in this document.

These instructions are mainly for users who do not have credentials. If you already have a certificate, you probably want to instead renew or replace it.

Requirements

You first need to know the VO you should join. If you're not sure, this list may help, or please email the Grid Operations Center.

From your VO you should find out

  1. Whether to use these instructions or some VO specific ones instead;
  2. Who to use as your sponsor for the certificate;
  3. The URL for applying for VO membership, the sponsor to use, and what group, if any, to request; and
  4. What machine you can use to submit jobs to OSG. The VO may need to make you an account on that machine.

These instructions were written for Firefox although the basic steps are similar for other browsers.

Setting the Master Password (Optional)

To help protect the certificate, it's best to set Firefox's master password. First, go to the Security submenu under Options/Preferences, which is reachable under Tools -> Options for Windows, Firefox -> Preferences for Macs, and Edit -> Preferences for Linux. Then click on the "Use a master password" button and set a password when prompted.
set_master_password1.png
The browser will later ask you for this password when you use your certificate.

There is more information about protecting grid credentials here.

Downloading Certifying Authority certificate files for OSG CILogon-based certificates

This is the location from which you can download the CILogon OSG CA root certificate, which must be added to the OS X Keychain (for example) or to the trusted issuer stores of the various browsers.

The following is a sample of the page.

CA_web.png

Installing Certifying Authority certificates into a web browser

To import the CA certificates into your browser, download the cilogon-osg.pem file and then follow these instructions. These instructions are for Firefox but most browsers have something similar.

  1. Go to Preferences -> Advanced -> Certificates -> View Certificates -> Authorities:

    CA_absent.png

  2. Click "Import" and select the certificate just downloaded.

    CA_import.png

  3. After you select the certificate, this window will be shown:

    CA_trust.png

    Click on the first two "Trust" boxes and click "OK" to save it.
  4. A successful import will show the new CA as follows:

    CA_present.png

Requesting a New User Certificate

  1. Start your browser and go to https://oim.grid.iu.edu/oim/certificaterequestuser.
  2. Select the appropriate VO from the drop down menu.

    select_vo.png

  3. After having read through the OSG Policy Agreement, check the "I AGREE" box and click on Submit.

    CA_agreement.png

VO Registration

In most cases, you will have to separately apply for VO membership. For that, you will likely use a VOMS-Admin server. It requires that you have your certificate before applying.

Find out the URL of your VOMS-Admin server either from your VO administrator, or the list at MyOSG.

Registration Using a VOMS-Admin Server

  1. Go to the voms-admin URL for your VO. Make sure that the DN listed is the one for the certificate that you just got, then fill out the form and click "register". If you should belong to a particular group, either send an email to the VO administrator or, if there is a comments box on the page, mention that there.
    vomsadmin_initialB.png
  2. Wait for the email from the VOMS-Admin server, and click on the URL in it to complete the request.
    vomsadmin_request_confirmedB.png
  3. Wait for an email triggered by a human, the VO administrator, saying that you are approved.

Verification
To confirm this step, visit the VOMS-Admin server again and check that you get a page like this:
vomsadmin_doneB.png

Exporting the Certificate to Disk

To export your certificate,

  1. Open the certificate manager: Options/Preferences -> Advanced -> Certificates -> View Certificates. Select the certificate that you would like to export, and press "Backup".
    user_cert.png
  2. When prompted, type in the name of the file to hold the new certificate. If you name it "usercred.p12" then grid programs can automatically recognize it.
  3. When prompted, set a password for the certificate. You'll need this to be able to use the certificate later.
  4. After pressing OK, you should see:
    cert_export_acknowledgement.png

Transferring the Certificate to the Submit Host

You next need to transfer your certificate to the machine from which you'll be submitting jobs, the submit host.

  1. Find out from your VO the name of a submit host.
  2. One way to do the transfer is with the scp program.
       $ scp -p usercred.p12 YOUR_USERNAME@SUBMIT_HOSTNAME:
       usercred.p12                                   100% 5084     5.0KB/s   00:00
    Here you should replace YOUR_USERNAME with your user id on the submit host, and SUBMIT_HOSTNAME with the name of the submit host. The "@" and ":" symbols are important. Another way to do the transfer is with a GUI scp/sftp client.
  3. Log into the remote host:
       $ ssh YOUR_USERNAME@SUBMIT_HOSTNAME 
  4. Generate the .pem files needed by Globus. The .globus directory must exist before openssl can write into it:
       $ mkdir -p $HOME/.globus
       $ openssl pkcs12 -in usercred.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
       $ openssl pkcs12 -in usercred.p12 -nocerts -out $HOME/.globus/userkey.pem
  5. Make sure that the permissions are correct:
       $ chmod 400 usercred.p12
  6. Make a directory called ".globus" if it does not already exist, and move the certificate into that directory:
       $ mkdir -p .globus
       $ mv usercred.p12 .globus/
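
The submit-host steps above, collected into one script as an added example (not part of the original page). The function names install_grid_cred and audit_globus_dir are hypothetical, and the script assumes openssl is on the PATH. Besides the steps listed, it restricts userkey.pem and the .globus directory to the owner and provides a check that can be re-run later.

```shell
#!/bin/sh
# Added example, not part of the original page. Function names are hypothetical.

# install_grid_cred P12 [DIR] [extra openssl pkcs12 options...]
# Unpacks a browser-exported PKCS#12 file into DIR (default $HOME/.globus).
# With no extra options, openssl prompts for the export password and for a
# new passphrase that will encrypt userkey.pem.
install_grid_cred() {
    p12=$1; dir=${2:-$HOME/.globus}
    [ $# -ge 2 ] && shift 2 || shift $#
    [ -f "$p12" ] || { echo "no such file: $p12" >&2; return 1; }
    (
        umask 077                      # new files start out owner-only
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        openssl pkcs12 -in "$p12" -clcerts -nokeys "$@" \
            -out "$dir/usercert.pem" || exit 1
        openssl pkcs12 -in "$p12" -nocerts "$@" \
            -out "$dir/userkey.pem" || exit 1
        chmod 644 "$dir/usercert.pem"  # the certificate is public
        chmod 400 "$dir/userkey.pem"   # the private key is not
        mv "$p12" "$dir/usercred.p12" && chmod 400 "$dir/usercred.p12"
    )
}

# audit_globus_dir [DIR]
# Succeeds only if DIR, userkey.pem and usercred.p12 grant nothing to group
# or other. Checking the directory itself is extra hardening assumed here.
audit_globus_dir() {
    dir=${1:-$HOME/.globus}; rc=0
    for f in "$dir" "$dir/userkey.pem" "$dir/usercred.p12"; do
        [ -e "$f" ] || continue
        # Characters 5-10 of `ls -ld` are the group and other permission bits.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "too permissive: $f" >&2; rc=1
        fi
    done
    return $rc
}
```

Run `install_grid_cred usercred.p12` in the directory holding the transferred file and answer the openssl prompts. Passing `-passin` or `-passout` values on the command line exposes them in the process list, so the prompts are the safer choice on a shared submit host.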

Next Steps

The next steps are to run a test job, and then real jobs.

Topic revision: r58 - 01 Dec 2016 - 20:52:59 - KyleGross