Using the Grid/Installing your certificate

From BiGGrid Wiki
Jump to: navigation, search

Intro

Once you have a requested a certificate you will need to install it on the user interface machine; this entails copying it to the .globus directory of your user interface account and setting the permissions correctly. Since you can get your certificate in different ways, you might need to separate your certificate into a public and private part.

Additional info:


NOTE:

We assume you have access to a machine on which the Grid Middleware is installed, most probably you will want to use: ui.grid.sara.nl. This machine is a so called User Interface (UI); a linux machine with the Glite Middleware on which you can login. You can be provided with access to the User Interface by sending a request to grid.support(at)sara.nl.


Applying for a certificate may take a day or two. It requires action by real human beings. Your new certificate will be sent to you by e-mail. You can simply save that mail as plain text in your home dir in the subdirectory .globus/usercert.pem, however it is easier to do the following:

So, first you have to login to the UI, if you have not done so already. In the mail which contains your certificate there is a link similar to this: http://ca.dutchgrid.nl/medium/details/newcerts/xxx.pem. To download and store the certificate as plain text type the following at the command prompt of the User Interface Server (and fill in the correct link):

Your private key should also be in this same directory. It should be called userkey.pem. This file was generated during the application procedure. If you've used JGridStart please consult the instructions<ref>http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/JGridstart/Help/Copy_certificate</ref> to export your private key. It should only be in your possesion and is password protected.

 cd $HOME/.globus
 wget -O usercert.pem http://ca.dutchgrid.nl/medium/details/newcerts/xxx.pem
 chmod 644 usercert.pem
 chmod 400 userkey.pem


The certificate and private key file should now be present in the .globus directory (notice the dot!) on the User Interface machine. Note that the the private key file should be read-only and only readable to you.

 $ cd $HOME/.globus
 $ ls -l
 total 24
 -rw -r --r --    1 demo07    demo            4499  Aug 10 13:47  usercert.pem
 -r --------      1 demo07    demo             963  Aug 10 13:43  userkey.pem

Note the protection set on your private key file userkey.pem. The permissions are very restrictive and are set this way for a reason: your possession of the private key is the only proof remote sites have that they are indeed talking to you. If you would give that key to someone else (or if it gets stolen), you will be held liable for any damage that may be done to the remote site! In any case, if the user key is world readable or worse, it will not be trusted by the Grid. In case the permission of this file is not read-only for the owner of the file only, please change it using:

 chmod 644 usercert.pem
 chmod 400 userkey.pem

The private key must also be protected with a pass phrase. You have given this pass phrase when you applied for a grid certificate. If the key gets stolen and you did not set a pass phrase anyone can pretend to be you. You can always see what is in a certificate using the openssl command. This is a toolkit for handling certificates, keys and requests. The table below lists a few useful commands:

 cd $HOME/.globus
 # show the contents of a certificate:
  openssl x509 -text -noout -in usercert.pem
 # show the contents of a certificate request:
  openssl req -text -noout -in userrequest.pem

NOTE: If you get the following error:

unable to load certificate 17714:error:0906D064:PEM routines:PEM_read_bio:bad base64
decode:pem_lib.c:781:

when you use the command "openssl x509 -text -noout -in usercert.pem" the email with the certificate wasn't saved properly as plain text (it included the Mime type for formatting). Do one of the following:

  1. save the email with your certificate as plain text
  2. copy/paste the contents of the email in a plain text editor, such as Notepad (Windows) or Vim (Linux) and save as plain text.
  3. download the certificate from the website and save as plain text.


To change your password:

  openssl rsa -in private_key_file -des3 -out new_private_key_file

NOTE: This only changes the password you use for your certificate. If you think your certificate is compromised, you HAVE to revoke your certificate!


In principle you are now ready to start with the exercises for working on the Grid (e.g. job submission, data management...). <references/>

Views
Personal tools