Please note: This documentation is for OSG 1.2. While we still provide critical security updates for OSG Software 1.2, we recommend you use OSG Software 3 for any new or updated installations. We are considering May 31, 2013 as possible OSG 1.2 End of Life (EOL).

Review status: Reviewed Passed (by BrianBockelman); Test Passed; Released (by JamesBarlow)

Get Host Service Certificates


About this Document

This document is for system administrators. After reading it you should be able to apply for and install a grid certificate on a grid resource. This document does not explain how to apply for a grid user certificate; to apply for a grid user certificate, click here instead!

Requirements

Before requesting a new host or service certificate, use openssl to check whether a certificate is already installed. If one is, you may safely skip this document:

[user@host ~]$ openssl x509 -in /etc/grid-security/hostcert.pem -subject -issuer -dates -noout
subject= /DC=org/DC=doegrids/OU=Services/CN=host.opensciencegrid.org
issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
notBefore=Jan  4 21:08:09 2010 GMT
notAfter=Jan  4 21:08:09 2011 GMT

We recommend reading the background information on grid certificates, which can be found here. In order to proceed you will also need:

  • a Pacman installation
  • the fully qualified domain name of the host you need a grid certificate for
  • the purpose of the certificate that explains your request to the Certificate Authority
  • the full name of the administrator responsible for the host
  • the e-mail address of the administrator
  • the telephone number of the administrator
  • the name of the Certificate Authority your project is affiliated with
  • the name of the Virtual Organization affiliated with the Certificate Authority

Install the Certificate Scripts Package (Optional)

The Certificate Scripts Package is distributed by the Virtual Data Toolkit; it is installed on every Compute Element and Storage Element and comes with every OSG Client. You can check whether the package is already installed by looking for the vdt-ca-manage program:

[user@host ~]$ cd $VDT_LOCATION
[user@host /opt/osg-1.2.32]$ . $VDT_LOCATION/setup.sh
[user@host /opt/osg-1.2.32]$ which vdt-ca-manage
/opt/osg-1.2.32/vdt/bin/vdt-ca-manage

Note: You may safely skip the next step if the program vdt-ca-manage has been found!

Pacman is used to install the Certificate Scripts Package from the Virtual Data Toolkit. First create a new directory where the Certificate Scripts Package will be installed and change to it:

[user@host ~]$ mkdir /opt/osg-1.2.32
[user@host ~]$ cd /opt/osg-1.2.32

Next use Pacman to install the Certificate Scripts Package:

[user@host /opt/osg-1.2.32]$ pacman -get http://vdt.cs.wisc.edu/vdt_200_cache:PPDG-Cert-Scripts

Do you want to add [http://vdt.cs.wisc.edu/vdt_200_cache] to [trusted.caches]? (y/n/yall): yall
Beginning VDT prerequisite checking script vdt-common/vdt-prereq-check... 

The VDT installs a variety of software, each with its own license.
In order to continue, you must agree to the licenses.
You can view the licenses online at:

    http://vdt.cs.wisc.edu/licenses/

After the installation has completed, you will also be able to
view the licenses in the "licenses" directory.

Do you agree to the licenses? [y/n]
y
All prerequisite checks are satisfied.
                                                        
========== IMPORTANT ==========
Most of the software installed by the VDT *will not work* until you install
certificates.  To complete your CA certificate installation, see the notes
in the post-install/README file.

In case you have never used Pacman before, you will be asked to agree to its license. If you also agreed to add http://vdt.cs.wisc.edu/vdt_200_cache to the list of trusted caches, you should see the directory /opt/osg-1.2.32 populated. Finally update the environment for the changes to take effect:

[user@host /opt/osg-1.2.32]$ source setup.sh

For csh/tcsh, use setup.csh instead of setup.sh.

Setup Initial Certificate Authority (CA) Package

Next we will use the vdt-ca-manage program to install the initial set of certificate authorities:

[user@host /opt/osg-1.2.32]$ vdt-ca-manage setupCA --location local --url osg

Setting CA Certificates for VDT installation at '/opt/osg-1.2.32'
Setup completed successfully.

This command is used for the initial setup of the CA package. The option --location local is used to define a location below your current directory (/opt/osg-1.2.32/globus/share/certificates). Alternatively you can use --location root to install the certificates into their standard location (/etc/grid-security/certificates).

Request a Host Certificate

Every resource or service contributing to the grid needs a certificate issued by one of the trusted Certificate Authorities. To proceed you will need the following information at hand:

  • the fully qualified domain name of the host you need a grid certificate for
  • the purpose of the certificate that explains your request to the Certificate Authority
  • the full name of the administrator responsible for the host
  • the e-mail address of the administrator
  • the telephone number of the administrator
  • the name of the Certificate Authority your project is affiliated with
  • the name of the Virtual Organization affiliated with the Certificate Authority

Next we will use cert-request to generate a request which will be sent to the Certificate Authority you specified:

[user@host /opt/osg-1.2.32]$ cert-request -ou s -dir . -label host.opensciencegrid.org

checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
Processing OU=Services request.
Give reason (1 line) you qualify for certificate, such as
  member of CMS experiment    or
  collaborating with Condor team,  etc.
 reason: <The purpose why the certificate is needed.>
input server administrator's name: First Last
input full hostname: host.opensciencegrid.org
Generating a 2048 bit RSA private key
..............+++
.........................................................................................................................................................................................................................+++
writing new private key to './host.opensciencegrid.orgkey.pem'
-----
input your email address: admin e-mail here
input your complete phone number: admin phone here
Choose a registration authority to which you are affiliated.
If nothing else applies, pick OSG.
_Enter__this____for this registration authority
	ANL	 Argonne National Lab
	ESG	 Earth System Grid
	ESnet	 DOE Science network
	FNAL	 Fermilab host and service certificates
	FusionGRID	 National Fusion Collaboratory Project
	LBNL	 Berkeley Lab
	LCG	 LHC Computing Grid Catchall
	NERSC	 computer center
	ORNL	 Oak Ridge National Lab
	OSG	 Open Science Grid (choose this if nothing else applies)
	PNNL	 Pacific Northwest National Lab
(choose from left column): OSG
osg
OSG
Choose a virtual organization under your OSG affiliation:
  ALICE:	ALICE collaboration
  ATLAS:	United States ATLAS Collaboration
  BNL:	Brookhaven lab researchers
  CDF:	Collider Detector at Fermilab
  CIGI:	CyberInfrastructure and Geospatial Information Laboratory
  CMS:	Compact Muon Solenoid
  CompBioGrid:	CompBioGrid
  DayaBay:	Daya Bay Reactor Neutrino Experiment
  DES:	Dark Energy Survey
  DOSAR:	Distributed Organization for Scientific and Academic Research
  DZero:	D0 Experiment at Fermilab
  Engage:	Engagement
  Fermilab:	Fermi National Accelerator Laboratory
  FermilabAccelerator:	Fermilab/Accelerator
  FermilabArgoneut:	Fermi T-962 Liquid Argon Time Projection chamber
  FermilabAstro:	Fermilab/Astro
  FermilabCdms:	Fermilab/Cdms
  FermilabGrid:	fermilab VO grid group
  FermilabHypercp:	Fermilab/Hypercp
  FermilabKTeV:	Fermilab/KTeV
  FermilabLbne:	Fermilab/Lbne
  FermilabMinerva:	Fermilab/Minerva
  FermilabMiniboone:	Fermilab/Miniboone
  FermilabMinos:	Fermilab/Minos
  FermilabMipp:	Fermilab/Mipp
  FermilabMu2e:	Fermilab/Mu2e
  FermilabNova:	Fermilab/Nova
  FermilabNumi:	Fermilab/Numi
  FermilabPatriot:	Fermilab/Patriot
  FermilabTest:	Fermilab/Fgtest
  FermilabTheory:	Fermilab/Theory
  Geant4:	Geant4 Software Toolkit
  GLOW:	Grid Laboratory of Wisconsin
  Gluex:	Gluex experiment at Jefferson Lab
  GPN:	Great Plains Network
  GRASE:	Group Researching Advances in Software Engineering at University of New York at Buffalo
  GridUNESP:	São Paulo State University Grid
  GROW:	Grid Research and Education Group at Iowa
  I2u2:	Interactions in Understanding the Universe Initiative
  IceCube:	IceCube Neutrino Telescope
  ILC:	International Linear Collider
  JDEM:	Joint Dark Energy Mission
  JLab:	Jefferson Lab researchers
  LIGO:	Laser Interferometer Gravitational-Wave Observatory
  Mariachi:	Mixed Apparatus for Radar Investigation of Cosmic-rays of  High Ionization Experiment
  MIS:	OSG Monitoring Information System
  NanoHUB:	nanoHUB Network for Computational Nanotechnology (NCN)
  NEBioGrid:	New England Biomedical Grid
  NWICG:	Northwest Indiana Computational Grid
  NYSGRID:	NYSGRID
  Ops:	WLCG Operations Group
  OSG:	Open Science Grid
  OSGEDU:	OSG Education Activity
  SBGrid:	Structural Biology Grid
  SLAC:	SLAC National Accelerator Laboratory researchers
  STAR:	Solenoidal Tracker at RHIC
(Choose from left column; pick osg if nothing else applies): OSG
OSG:OSG
You must agree to abide by the DOEGrids policies,
at http://www.doegrids.org/Docs/CP-CPS.pdf
and you assert that you are authorized to request and install this
certificate on the specified host.
Do you agree (y,N): y

Your Certificate Request has been successfully submitted
Your Certificate Request id: <id>

        You will receive a notification email from the CA when your certificate
        has been issued. Please disregard the instructions to download your
        certificate though a web browser and use the cert-retrieve script instead.

At this point cert-request has created some files in the directory you specified and an e-mail has been sent to the Certificate Authority containing your request. The files will be needed again once you receive a reply from the Certificate Authority asking you to retrieve the certificate.

Retrieve and Install the Host Certificate

Once the certificate has been approved by the Certificate Authority you will receive an e-mail which includes the serial number in the format 0xYYYY. The serial number will be needed to retrieve the certificate.

To retrieve the host certificate change to the installation directory of the Certificate Scripts Package and update your environment:

[user@host ~]$ cd /opt/osg-1.2.32
[user@host /opt/osg-1.2.32]$ source setup.sh 

For csh/tcsh, use setup.csh instead of setup.sh. Next, use the serial number of the certificate together with the values of -label and -dir you used for the request to retrieve the certificate with cert-retrieve:

[user@host /opt/osg-1.2.32]$ cert-retrieve  -serial 0xYYYY -label host.opensciencegrid.org -dir . -prefix host.opensciencegrid.org
checking CertLib version, V2-5,  This is latest version, released 24 Aug 2007.
 using CA OSG
Checking that the usercert and ./host.opensciencegrid.orgkey.pem match
writing RSA key
./host.opensciencegrid.orgcert.pem and ./host.opensciencegrid.orgkey.pem now contain your Globus credential

The certificate consists of two files (host.opensciencegrid.orgcert.pem and host.opensciencegrid.orgkey.pem), which have been placed into the current directory. Note: if you did not use the -prefix option, the default prefix user is used and the resulting certificate consists of the two files usercert.pem and userkey.pem.

Please note that these two files are a public certificate and a private key and should be treated accordingly!

Please take a moment to verify that the certificate matches the hostname of the resource where you intend to install it before you proceed:

[user@host /opt/osg-1.2.32]$ grid-cert-info -file ./host.opensciencegrid.orgcert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=host.opensciencegrid.org

[user@host /opt/osg-1.2.32]$ hostname -f
host.opensciencegrid.org

Finally, install the certificate in the default location /etc/grid-security/:

[root@host /opt/osg-1.2.32]$ cp ./host.opensciencegrid.orgcert.pem /etc/grid-security/hostcert.pem
[root@host /opt/osg-1.2.32]$ chmod 444 /etc/grid-security/hostcert.pem
[root@host /opt/osg-1.2.32]$ cp ./host.opensciencegrid.orgkey.pem /etc/grid-security/hostkey.pem
[root@host /opt/osg-1.2.32]$ chmod 400 /etc/grid-security/hostkey.pem

Request a Service Certificate

Web services on the grid require a Service Certificate to establish their identity with the grid user accessing the service. Please do not reuse your host certificate as a service certificate!

A Service Certificate can be requested in the same way as a host certificate. To proceed you will need the following information at hand:

  • the fully qualified domain name of the host you need a service certificate for
  • the purpose of the certificate that explains your request to the Certificate Authority
  • the full name of the administrator responsible for the host
  • the e-mail address of the administrator
  • the telephone number of the administrator
  • the name of the Certificate Authority your project is affiliated with
  • the name of the Virtual Organization affiliated with the Certificate Authority

Next we will use cert-request to generate a request which will be sent to the Certificate Authority you specified:

[user@host /opt/osg-1.2.32]$ cert-request -ou s -service http -host host.opensciencegrid.org -dir . -label host.opensciencegrid.org-http

checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
Processing OU=Services request.
Give reason (1 line) you qualify for certificate, such as
  member of CMS experiment    or
  collaborating with Condor team,  etc.
 reason: <The purpose why the certificate is needed.>
input server administrator's name: First Last
Generating a 2048 bit RSA private key
..............+++
...................................................+++
writing new private key to './host.opensciencegrid.org-httpkey.pem'
-----
input your email address: admin e-mail here
input your complete phone number: admin phone here
Choose a registration authority to which you are affiliated.
If nothing else applies, pick OSG.
_Enter__this____for this registration authority
	ANL	 Argonne National Lab
	ESG	 Earth System Grid
	ESnet	 DOE Science network
	FNAL	 Fermilab host and service certificates
	FusionGRID	 National Fusion Collaboratory Project
	LBNL	 Berkeley Lab
	LCG	 LHC Computing Grid Catchall
	NERSC	 computer center
	ORNL	 Oak Ridge National Lab
	OSG	 Open Science Grid (choose this if nothing else applies)
	PNNL	 Pacific Northwest National Lab
(choose from left column): OSG
osg
OSG
Choose a virtual organization under your OSG affiliation:
  ALICE:	ALICE collaboration
  ATLAS:	United States ATLAS Collaboration
  BNL:	Brookhaven lab researchers
  CDF:	Collider Detector at Fermilab
  CIGI:	CyberInfrastructure and Geospatial Information Laboratory
  CMS:	Compact Muon Solenoid
  CompBioGrid:	CompBioGrid
  DayaBay:	Daya Bay Reactor Neutrino Experiment
  DES:	Dark Energy Survey
  DOSAR:	Distributed Organization for Scientific and Academic Research
  DZero:	D0 Experiment at Fermilab
  Engage:	Engagement
  Fermilab:	Fermi National Accelerator Laboratory
  FermilabAccelerator:	Fermilab/Accelerator
  FermilabArgoneut:	Fermi T-962 Liquid Argon Time Projection chamber
  FermilabAstro:	Fermilab/Astro
  FermilabCdms:	Fermilab/Cdms
  FermilabGrid:	fermilab VO grid group
  FermilabHypercp:	Fermilab/Hypercp
  FermilabKTeV:	Fermilab/KTeV
  FermilabLbne:	Fermilab/Lbne
  FermilabMinerva:	Fermilab/Minerva
  FermilabMiniboone:	Fermilab/Miniboone
  FermilabMinos:	Fermilab/Minos
  FermilabMipp:	Fermilab/Mipp
  FermilabMu2e:	Fermilab/Mu2e
  FermilabNova:	Fermilab/Nova
  FermilabNumi:	Fermilab/Numi
  FermilabPatriot:	Fermilab/Patriot
  FermilabTest:	Fermilab/Fgtest
  FermilabTheory:	Fermilab/Theory
  Geant4:	Geant4 Software Toolkit
  GLOW:	Grid Laboratory of Wisconsin
  Gluex:	Gluex experiment at Jefferson Lab
  GPN:	Great Plains Network
  GRASE:	Group Researching Advances in Software Engineering at University of New York at Buffalo
  GridUNESP:	São Paulo State University Grid
  GROW:	Grid Research and Education Group at Iowa
  HCC:	Holland Computing Center at the University of Nebraska.
  I2u2:	Interactions in Understanding the Universe Initiative
  IceCube:	IceCube Neutrino Telescope
  ILC:	International Linear Collider
  JDEM:	Joint Dark Energy Mission
  JLab:	Jefferson Lab researchers
  LIGO:	Laser Interferometer Gravitational-Wave Observatory
  Mariachi:	Mixed Apparatus for Radar Investigation of Cosmic-rays of  High Ionization Experiment
  MIS:	OSG Monitoring Information System
  NanoHUB:	nanoHUB Network for Computational Nanotechnology (NCN)
  NEBioGrid:	New England Biomedical Grid
  NWICG:	Northwest Indiana Computational Grid
  NYSGRID:	NYSGRID
  Ops:	WLCG Operations Group
  OSG:	Open Science Grid
  OSGEDU:	OSG Education Activity
  SBGrid:	Structural Biology Grid
  SLAC:	SLAC National Accelerator Laboratory researchers
  STAR:	Solenoidal Tracker at RHIC
(Choose from left column; pick osg if nothing else applies): OSG
OSG:OSG
You must agree to abide by the DOEGrids policies,
at http://www.doegrids.org/Docs/CP-CPS.pdf
and you assert that you are authorized to request and install this
certificate on the specified host.
Do you agree (y,N): y

Your Certificate Request has been successfully submitted
Your Certificate Request id: <id>

        You will receive a notification email from the CA when your certificate
        has been issued. Please disregard the instructions to download your
        certificate though a web browser and use the cert-retrieve script instead.

At this point cert-request has created some files in the directory you specified and an e-mail has been sent to the Certificate Authority containing your request. The files will be needed again once you receive a reply from the Certificate Authority asking you to retrieve the certificate.

Retrieve and Install the Service Certificate

Once the service certificate has been approved by the Certificate Authority you will receive an e-mail which includes the serial number in the format 0xYYYY. The serial number will be needed to retrieve the certificate.

To retrieve the new certificate change to the installation directory of the Certificate Scripts Package and update your environment:

[user@host ~]$ cd /opt/osg-1.2.32
[user@host /opt/osg-1.2.32]$ source setup.sh 

For csh/tcsh, use setup.csh instead of setup.sh. Next, use the serial number of the certificate together with the values of -label and -dir you used for the request to retrieve the certificate with cert-retrieve:

[user@host /opt/osg-1.2.32]$ cert-retrieve  -serial 0xYYYY -label host.opensciencegrid.org-http -dir . -prefix host.opensciencegrid.org-http
checking CertLib version, V2-5,  This is latest version, released 24 Aug 2007.
 using CA OSG
Checking that the usercert and ./host.opensciencegrid.org-httpkey.pem match
writing RSA key
./host.opensciencegrid.org-httpcert.pem and ./host.opensciencegrid.org-httpkey.pem now contain your Globus credential

The certificate consists of two files (host.opensciencegrid.org-httpcert.pem and host.opensciencegrid.org-httpkey.pem), which have been placed into the current directory. Note: if you did not use the -prefix option, the default prefix user is used and the resulting certificate consists of the two files usercert.pem and userkey.pem.

Please note that these two files are a public certificate and a private key and should be treated accordingly!

The Service Certificate should be installed in a subdirectory of /etc/grid-security named after the service. The next step installs the service certificate in the default location /etc/grid-security/http:

[root@host /opt/osg-1.2.32]$ cp ./host.opensciencegrid.org-httpcert.pem /etc/grid-security/http/httpcert.pem
[root@host /opt/osg-1.2.32]$ chmod 444 /etc/grid-security/http/httpcert.pem
[root@host /opt/osg-1.2.32]$ cp ./host.opensciencegrid.org-httpkey.pem /etc/grid-security/http/httpkey.pem
[root@host /opt/osg-1.2.32]$ chmod 400 /etc/grid-security/http/httpkey.pem

Please note that the service certificate must also be owned by the Unix user who runs the service. For Apache/Tomcat this is the daemon user:

[root@host /opt/osg-1.2.32]$ chown daemon.daemon /etc/grid-security/http/httpcert.pem
[root@host /opt/osg-1.2.32]$ chown daemon.daemon /etc/grid-security/http/httpkey.pem

Frequently Asked Questions

Can I use any host to request a certificate for a different host?

YES, you can use any host to create a certificate request as long as the hostname for the certificate is a fully qualified domain name.

Can I not just reuse my host certificate as a service certificate?

NO! For security reasons, please do not use clones of your host certificate for additional certificates even though it's technically possible.

May I reuse my host certificate for the web service implementation of GRAM?

YES, this is the only exception to reuse your host certificate for another service. In this case the OSG configuration software will copy your host certificate to /etc/grid-security/container(cert|key).pem and change the owner to the globus or daemon user. Choose the username that executes the globus container.

Why do I get a "GSS authentication failure" when users try to authenticate to my site?

You likely used an alias for the host instead of the fully qualified domain name when you generated the certificate request. This causes GSS authentication failures similar to the following when a user tries to authenticate to the host after the certificate is installed:

GSS authentication failure 
GSS Major Status: General failure 
GSS Minor Status Error Chain: 
accept_sec_context.c:gss_accept_sec_context:403: 
Error during delegation: Delegation protocol violation 
Failure: GSS failed Major:000d0000 Minor:00000001 Token:00000000 

How can I check if I have a host certificate installed already?

By default the host certificate key pair will be installed in /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem. You can use openssl to access basic information about the certificate:

[root@osg-se robert]# openssl x509 -in /etc/grid-security/hostcert.pem -subject -issuer -dates -noout
subject= /DC=org/DC=doegrids/OU=Services/CN=host.opensciencegrid.org
issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
notBefore=Jan  4 21:08:41 2010 GMT
notAfter=Jan  4 21:08:41 2011 GMT

How can I check the expiration time of my installed host certificate?

If you installed the Certificate Scripts Package you can use grid-cert-info to retrieve information about the certificate:

[root@osg-se robert]# grid-cert-info -file /etc/grid-security/hostcert.pem -startdate -enddate
Jan  4 21:08:41 2010 GMT
Jan  4 21:08:41 2011 GMT

Alternatively you can use openssl:

[root@osg-se robert]# openssl x509 -in /etc/grid-security/hostcert.pem -dates -noout
notBefore=Jan  4 21:08:41 2010 GMT
notAfter=Jan  4 21:08:41 2011 GMT
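The checks this document performs by hand (the subject CN against hostname -f, the key/certificate match that cert-retrieve reports, the expiry dates from the FAQ, and the mode 400 and daemon ownership of the installed key) collected in one POSIX shell function. This is an added example, not part of the OSG documentation or the Certificate Scripts Package; the function name check_grid_cert and the 30-day warning threshold are this example's own choices, and it relies only on openssl and standard tools.

```shell
#!/bin/sh
# Pre-installation sanity check for an OSG host or service credential.
# Added example, not OSG's own code. It assumes an RSA key (which the
# Certificate Scripts generate) and a PEM certificate/key pair.
#
# Usage: check_grid_cert CERT KEY EXPECTED_FQDN [EXPECTED_OWNER]
# Returns 0 when every check passes, 1 otherwise; each failure is reported.

check_grid_cert() {
    cert=$1; key=$2; fqdn=$3; owner=${4:-}
    rc=0

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "FAIL: cannot read $cert or $key"
        return 1
    fi

    # 1. The subject CN must be the fully qualified host name, not an alias;
    #    a mismatch is the usual cause of the FAQ's "GSS authentication failure".
    #    RFC2253 formatting yields "CN=...,OU=...,..." on old and new openssl alike.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: certificate CN '$cn' does not match expected host '$fqdn'"
        rc=1
    fi

    # 2. The certificate and the private key must belong together; for RSA
    #    keys comparing the modulus is sufficient.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: $key does not match $cert"
        rc=1
    fi

    # 3. Reject an expired certificate; warn when less than 30 days remain
    #    (30 days = 2592000 s is this example's threshold, not an OSG value).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $cert has expired"
        rc=1
    elif ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "WARN: $cert expires within 30 days"
    fi

    # 4. The private key must not be readable by group or others (the
    #    document installs it with chmod 400). Columns 5-10 of ls -l are
    #    the group and other permission bits.
    grp_oth=$(ls -ld "$key" | cut -c5-10)
    if [ "$grp_oth" != "------" ]; then
        echo "FAIL: $key is readable by group or others (fix: chmod 400 $key)"
        rc=1
    fi

    # 5. Optionally confirm the owner, e.g. daemon for a service certificate.
    if [ -n "$owner" ]; then
        actual=$(ls -ld "$key" | awk '{print $3}')
        if [ "$actual" != "$owner" ]; then
            echo "FAIL: $key is owned by '$actual', expected '$owner'"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert and $key look ready for $fqdn"
    return "$rc"
}
```

Run it on the retrieved files before copying them into /etc/grid-security, and again on the installed copies after the chmod and chown steps.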

Comments

  • A second thing I was confused about which I put below. Sometimes the argument to -prefix and -label must be different or you get a question when you issue cert-retrieve. Other times, it appears it is okay. If in general the uses and abuses of -prefix and -label could be made clearer in this document I think that would help. -- DavidSaltzberg - 21 Jul 2010 - 12:56

Topic revision: r82 - 15 Feb 2012 - 21:00:09 - KyleGross