Grid-Ireland closure on 31 December 2012. Please note that all Grid-Ireland services will be shut down.

Getting a Grid-Ireland User Certificate

Introduction

Grid-Ireland uses a public key infrastructure for authentication of users, resources and services. According to the basics of public-key cryptography (or asymmetric cryptography), each user and resource on the Grid has a key pair, comprising a public and a private key. The public key is made public while the private key must be kept secret. Encryption and authentication are performed using the public key, while decryption and digital signature are performed with the private key. It is important to note that generating a key pair does not automatically provide access to the Grid resources. A Certificate Authority (CA), trusted by the users and resource owners, must first sign the key pair to confirm identity. This signing procedure of the CA is referred to as issuing a certificate. Even then this does not grant authority to access grid resources — this requires authorization from the owner of each resource. A key pair simply allows authentication of identity.

Certificates issued by the Grid-Ireland CA are accepted in many European and international grid projects. As an accredited member of the European Policy Management Authority for Grid Authentication in e-Science, the Grid-Ireland CA meets standards agreed with other CAs and with the relying parties.

Compatible Web Browsers

To apply for a certificate through the Grid-Ireland CA Public Server you need to run one of the following browsers.

These browsers are available for download from their websites, and current versions are often included with Linux distributions. The Grid-Ireland Certification Authority does not support Microsoft Internet Explorer, Opera, Safari or any other browsers at this time.

Trusting the Grid-Ireland CA

The very first step in applying for a Grid-Ireland certificate is to tell your browser that you want to trust the Grid-Ireland CA. To do this you must install the Grid-Ireland CA root certificate. On the CA Public Server page, follow the Get CA Certificate link. Your browser will ask you if you want to trust the Grid-Ireland Certification Authority. You should at least agree to trust the CA to identify web sites. You may also want to agree to trust the CA to identify people (software developers and email senders), although this is not required to access Grid-Ireland.

You can read about how the CA is operated in its Certificate Policy and Certification Practice Statement.

Applying for a User Certificate

Once you have accepted the Grid-Ireland CA you are ready to apply online for a certificate to identify you on the grid by filling in the user certificate request form.

Given Name & Family Name

These fields are for your forename and surname (in that order).

Organizational Unit

What is required here is the most specific DNS domain name that describes the research group, department, faculty or organisation you work for. For example, someone working in the Computer Science department of the fictional Grid-Ireland University has an email address someone@giu.ie and their website has an address of http://www.cs.giu.ie/~someone. In this case cs.giu.ie is the most specific DNS domain name that describes where they work. If another faculty had finer subdivisions (e.g. http://cosmic.physics.giu.ie/~another/) then the more specific name should be used. This isn’t an exact algorithm: if in doubt use the domain part of your email address after the @-sign.

Country

The two-letter code for the country in which your institution is situated. This will typically be IE for Irish institutions. Users from some UK institutions in Northern Ireland may also be eligible for certificates.

Email Address

Your preferred email address at your institution.

Registration Authority

You need to find your closest available Registration Authority (RA) in order to have your identity verified in person. When meeting the RA you should bring some photographic identification such as a staff or student identity card for your institution, a passport or driver’s licence.

Grid-Ireland currently has three RAs:

Due to technical difficulties or for other reasons not all of the Grid-Ireland RAs may be available at any one time. If your nearest RA is unavailable at present you can choose to wait until they become available again or you can agree to meet another RA at some other location. Currently the status of the RAs is as follows:

Request Certificate Type

Must be “User Certificate”.

PIN

You must enter a code or password of 10 or more characters here. The value entered should not be easy to guess: e.g. 6uPth56SOn or yowBXImgAD. It is very important that you do not enter a valuable password such as the password for your email account or for the administrator account on your computer. Please keep a note of what you enter here as the Registration Authority may ask you to supply this value in order to verify your request.

Once these details have been entered you can click Continue….

Check Your Details

On the next page you will be asked to check your details. Confirm that your Name, Organizational Unit, Country, Email Address, Registration Authority and Certificate Type are correct.

Certificate Key Size

Select 2048 (High Grade) for the key size. While 1024 bits will provide strong protection there is little reason, given current computing power, not to use the stronger protection offered by a key of 2048 bits.

When you have checked your details and chosen the appropriate key size click Continue… to generate your key. This will open a dialogue box while the key generation is in progress and then a “Thank You” page.

This page refers to a “pending requests list”. However this list is not currently available to those without a valid certificate. Instead you should wait until the CA contacts you to inform you that your certificate is ready.

Getting a Requested Certificate

When your certificate request has been approved by the RA and the certificate issued by the CA, the CA will send an email to inform you. The email will contain one vital piece of information about your certificate: the serial number which is a two- or three-digit hexadecimal code that uniquely identifies your certificate in the Grid-Ireland CA records. Using the same web browser you used to request your certificate, follow the Get Requested Certificates link on the CA Public Server page. On that page, enter the serial number shown in the email (letters should be in upper case), select “Get User Certificate to Browser” and click “Continue” to download the certificate. The browser may not give any visible indication that a new certificate has been downloaded, but you will find out when you perform the next step: backing up your certificate.

Exporting Your Certificate

These instructions describe how to export your certificate from your browser. This is necessary for two reasons. Firstly, you will want to have a backup of your certificate and private key in case anything happens to the copy stored in your browser: for example, some versions of some browsers may not preserve keys when upgrading to a newer version. Hard disk errors or careless “spring cleaning” could also lead to lost keys. A backup allows you to continue to use your grid certificate in these cases. Backups should be kept securely, preferably in a safe. The passphrase for the backup should also be kept securely, in a sealed envelope, in case it is forgotten.

Secondly, it is necessary to export your certificate and private key pair in order to use them on the Grid-Ireland user interface to access grid resources. The instructions below describe how to extract the certificate and key pair as a bundle in PKCS#12 format, which is usually stored with a .p12 extension.

Mozilla-based Browsers

First, you need to go to the Certificate Manager component. The instructions below explain how to get there in several Mozilla-based Browsers.

Mozilla

Firefox

Galeon

Then, once the Certificate Manager has opened:

Then the backup should be created with the name you specified.

Netscape 4.8

Then the backup should be created with the name you specified.

General Notes

The System Security Device password is entirely local to your browser and will have been set by you or your system administrator in the past. If you don’t have this password then unfortunately we can’t help you to export your certificate.

As mentioned above, the Grid-Ireland Certification Authority does not support Microsoft Internet Explorer, Opera, Safari or any other browsers except recent versions of Mozilla and Netscape 4.8. It should be possible to import the .p12 backup of your certificate and private key into an unsupported browser to access secure web pages.

Importing Your Certificate to the Grid-Ireland User Interface

Before you will be able to import your certificate to your account on a Grid-Ireland User Interface (UI) you will need to apply for an account. Once you have been set up with an account you need to copy the .p12 file containing your certificate and private key to the UI. This must be done using scp (secure copy). Under Linux, Mac OS X, BSD or other Unix-like environments, this can be done from the command line:

scp backup.p12 username@gridui:

Windows users can use the scp command provided with Cygwin, PSCP from the makers of PuTTY, or a graphical tool such as WinSCP.

Once the backup has been uploaded, the private key and certificate can be extracted with the following commands:

mkdir .globus
umask 0277
openssl pkcs12 -nocerts -in backup.p12 -out .globus/userkey.pem
openssl pkcs12 -clcerts -nokeys -in backup.p12 -out .globus/usercert.pem

Remember to reset the umask to a sensible value once the key has been extracted. Otherwise any files or directories you create will have very restricted permissions.

umask 0022

It is important that nobody else can read your private key as this would allow them to take a copy and attempt to decrypt it. The permissions on the keys should be as follows:

-r--r--r--    1 username usergrp     1817 Dec 16  2004 usercert.pem
-r--------    1 username usergrp     1913 Dec 16  2004 userkey.pem

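If the permissions on the files are not correct then they can be reset. With the umask of 0277 used above, both files are created with mode 0400, so the first command is needed to make the certificate readable as shown:

chmod 0444 .globus/usercert.pem
chmod 0400 .globus/userkey.pem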
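
A permission check for the two extracted files, as an added example that is not part of the original Grid-Ireland page. The function names are hypothetical, the file names and modes are the ones given above, and `stat` is assumed to be the GNU or BSD version.

```sh
#!/bin/sh
# Added example: audit the modes of the files extracted into .globus.
# Function names are hypothetical; file names and modes come from the page.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_globus DIR: print each problem found, return 0 only if there are none.
audit_globus() {
    dir=$1
    problems=0
    for name in userkey.pem usercert.pem; do
        path=$dir/$name
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            echo "$name: missing or not a regular file"
            problems=$((problems + 1))
            continue
        fi
        mode=$(file_mode "$path")
        case $name in
            userkey.pem)  want=400 ;;   # readable by the owner only
            usercert.pem) want=444 ;;   # readable by all, writable by nobody
        esac
        if [ "$mode" != "$want" ]; then
            echo "$name: mode $mode, expected $want"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed demonstration: empty placeholder files, no real key material.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    # Same umask as the page; the subshell keeps it from leaking to the caller.
    ( umask 0277; : > "$tmp/userkey.pem"; : > "$tmp/usercert.pem" )
    audit_globus "$tmp" && before=ok || before=bad   # certificate is 0400 here
    chmod 0444 "$tmp/usercert.pem"                   # the reset given on the page
    audit_globus "$tmp" && after=ok || after=bad
    rm -rf "$tmp"
    echo "before=$before after=$after"
}

demo_audit
```

On a real account the check would be run as `audit_globus "$HOME/.globus"`.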

Using Your Certificate

Once you have extracted your certificate and key as described above you will be able to “log in” to the grid by getting a short-term proxy credential.

The basic proxy is created with the grid-proxy-init command:

$ grid-proxy-init
Your identity: /C=IE/O=Grid-Ireland/OU=cs.tcd.ie/L=RA-TCD/CN=Grid User
Enter GRID pass phrase for this identity:
Creating proxy ..................................................... Done
Your proxy is valid until: Thu Dec 16 01:02:55 2004

Next Steps

In order to work on the Grid-Ireland resources you will need to join one of the supported Virtual Organisations (VOs). The VO manager and the resource owners will then be able to authorize you for access to their resources.

Once you have been authorized, it will be possible to submit jobs and manage data on the grid. For more information see Using Grid-Ireland.


Last modified Tue 21 February 2012.