Note! The information here is outdated and the pages will be removed. Please refer to our new Grid documentation page at: http://doc.grid.surfsara.nl/

Using the Grid/Installing your certificate


Intro

Once you have requested a certificate, you will need to install it on the user interface machine; this entails copying it to the .globus directory of your user interface account and setting the permissions correctly. Since you can get your certificate in different ways, you might need to separate your certificate into a public and private part.

Additional info:


NOTE:

The User Interface is a machine on which you log in and from which you submit jobs to the grid.

If you are a Life Science Grid user, your research organization will probably have its own Local User Interface on which you can log in. To find out the host name of the user interface and the local administrators, go to the page Local User Interface.

Other users and users who do not have a local user interface use ui.grid.sara.nl.

If you need a user interface account, either contact your local administrator or send a request to grid.support(at)sara.nl.


  • If you have applied for a certificate supplied by Digicert CA, then you only need to create a .globus directory in the home directory of your UI account, copy your stored usercert.pem/userkey.pem credentials (see Browser export) into it and set the permissions properly. This is what you need to do:

Log in to your UI login node (e.g. ui.grid.sara.nl):

 ssh <username>@ui.grid.sara.nl
 mkdir $HOME/.globus

Copy your credentials from your local machine (or from any other location where your credentials are stored) to your .globus ui directory:

 scp userkey.pem usercert.pem <username>@ui.grid.sara.nl:~/.globus

You must set the permissions from your ui login node:

 cd $HOME/.globus
 chmod 644 usercert.pem
 chmod 400 userkey.pem


  • If you have applied for a certificate supplied by Dutchgrid CA, this might take a day or two. It requires action by real human beings. Your new certificate will be sent to you by e-mail. You can simply save that mail as plain text in your home dir in the subdirectory .globus/usercert.pem; however, it is easier to download it as described below.

Your private key should also be in this same directory. It should be called userkey.pem. This file was generated during the application procedure. If you've used JGridStart, please consult the instructions[1] to export your private key. It should only be in your possession and is password protected.

First log in to the UI, if you have not done so already. In the mail which contains your certificate there is a link similar to this: http://ca.dutchgrid.nl/medium/details/newcerts/xxx.pem. To download and store the certificate as plain text, type the following at the command prompt of the User Interface Server (and fill in the correct link):

 cd $HOME/.globus
 wget -O usercert.pem http://ca.dutchgrid.nl/medium/details/newcerts/xxx.pem
 chmod 644 usercert.pem
 chmod 400 userkey.pem



The certificate and private key files should now be present in the .globus directory (notice the dot!) on the User Interface machine. Note that the private key file should be read-only and readable only by you.

 $ cd $HOME/.globus
 $ ls -l
 total 24
 -rw-r--r--    1 demo07    demo            4499  Aug 10 13:47  usercert.pem
 -r--------    1 demo07    demo             963  Aug 10 13:43  userkey.pem

Note the protection set on your private key file userkey.pem. The permissions are very restrictive and are set this way for a reason: your possession of the private key is the only proof remote sites have that they are indeed talking to you. If you give that key to someone else (or if it gets stolen), you will be held liable for any damage that may be done to the remote site! In any case, if the user key is world readable or worse, it will not be trusted by the Grid. If the file is not read-only for its owner alone, change the permissions using:

 chmod 644 usercert.pem
 chmod 400 userkey.pem

The private key must also be protected with a pass phrase. You chose this pass phrase when you applied for a grid certificate. If the key gets stolen and you did not set a pass phrase, anyone can pretend to be you. You can always see what is in a certificate using the openssl command. This is a toolkit for handling certificates, keys and requests. The listing below shows a few useful commands:

 cd $HOME/.globus
 # show the contents of a certificate:
  openssl x509 -text -noout -in usercert.pem
 # show the contents of a certificate request:
  openssl req -text -noout -in userrequest.pem

NOTE: If you get the following error:

 unable to load certificate
 17714:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:781:

when you use the command "openssl x509 -text -noout -in usercert.pem", the email with the certificate wasn't saved properly as plain text (it included the MIME type for formatting). Do one of the following:

  1. save the email with your certificate as plain text
  2. copy/paste the contents of the email in a plain text editor, such as Notepad (Windows) or Vim (Linux) and save as plain text.
  3. download the certificate from the website and save as plain text.
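
The checks described above (key mode 400, certificate mode 644, a pass-phrase-protected key, and a certificate saved as plain text) can be run in one pass. The script below is an added example and not part of the original SURFsara page; the function names and finding labels are made up for illustration, and the plain-text test is a heuristic that only looks for non-base64 characters between the certificate markers.

```shell
#!/bin/sh
# Added example: audit a .globus directory against the checks on this page.

mode_of() {             # mode column as printed by `ls -l`, e.g. -r--------
    ls -ld "$1" | cut -c1-10
}

key_is_encrypted() {    # PKCS#8 "ENCRYPTED PRIVATE KEY" or traditional Proc-Type header
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

cert_is_plain_pem() {   # CERTIFICATE block present and its body is base64 only
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" || return 1
    # Anything else between the markers (HTML, mail markup) breaks the base64 decode.
    ! sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        grep -v '^-----' | tr -d ' \t\r' | grep -q '[^A-Za-z0-9+/=]'
}

flag() { echo "$*"; problems=$((problems + 1)); }

check_globus() {        # one line per finding; exit status 0 only when there are none
    dir=${1:-$HOME/.globus}
    cert=$dir/usercert.pem
    key=$dir/userkey.pem
    problems=0
    [ -f "$cert" ] || flag "MISSING $cert"
    [ -f "$key" ] || flag "MISSING $key"
    [ "$problems" -eq 0 ] || return 1

    [ "$(mode_of "$key")" = "-r--------" ] ||
        flag "KEY-PERMS $(mode_of "$key"): run chmod 400 userkey.pem"
    [ "$(mode_of "$cert")" = "-rw-r--r--" ] ||
        flag "CERT-PERMS $(mode_of "$cert"): run chmod 644 usercert.pem"
    key_is_encrypted "$key" ||
        flag "KEY-NO-PASSPHRASE userkey.pem is stored unencrypted"
    cert_is_plain_pem "$cert" ||
        flag "CERT-NOT-PLAIN-PEM save or download usercert.pem again as plain text"
    [ "$problems" -eq 0 ]
}
```

Call `check_globus` with no argument to audit `$HOME/.globus`; it only reads the two files and never asks for the pass phrase.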


To change your password:

  openssl rsa -in private_key_file -des3 -out new_private_key_file

NOTE: This only changes the password you use for your certificate. If you think your certificate is compromised, you HAVE to revoke your certificate!


In principle you are now ready to start with the exercises for working on the Grid (e.g. job submission, data management...).

  1. http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/JGridstart/Help/Copy_certificate