This wiki is obsolete, see the NorduGrid web pages for up to date information.

NG2011/Grid school/Certificates

From NorduGrid
Jump to navigationJump to search

What is grid certificates (security mechanism, etc.)

Certificates identify hosts and people. To access the Grid you need a personal certificate that identifies yourself, and all the resources that you access need host certificates. A certificate is useless without the corresponding private key. For personal certificates, the corresponding private key must be protected with a passphrase at all times.

One of the components of a certificate is the Distinguished Name, or DN. A DN of a user of a personal certificate typically looks like this:

/O=Grid/O=NorduGrid/ G. Jensen

Note that the CN (Common Name) identifies the person by name.

However, you rarely (if ever) expose your real user certificate while working in grid. A special thing called proxy-certificate is generated for this purposes. Basically, it is a short-lived certificate which is issued by your personal certificate (i.e. signed with your private key). The proxy also contains an unprotected private key. More precisely, the key is not protected by a passphrase, but it is stored in a file that is readable only by you (and root).

How to obtain your real personal certificate

Find your regional certification authority and read the guides on their web-page.

Find your CA in Europe: "Interactive map with Europeans CAs"

From InstantCA

For purposes of this school we have generated temporary user certificates that we can use for the time of the school.

We will distribute numbers across users. The user can then download the certificate and the key from here, selecting user$N folder, where $N -- the number the user got.

Password for the certificates is the same and will be shown on screen during the school.

Installation of the personal certificate

Linux and Mac: to use your personal certificates, the certificate and key must be installed in the following location: ~/.globus/usercert.pem and ~/.globus/userkey.pem. Change the permissions on the key:

chmod 600 ~/.globus/userkey.pem

Windows: go to Control panel->System->Special->Environment variables->System variables and set these variables pointing to the corresponding files:

  • X509_USER_CERT
  • X509_USER_KEY

It's not enough to have only personal certificate. You have to have also the root certificates of the CA that issued your certificate and the CAs that issued certificates to the clusters you want to use. We will install it later with the client installation.

The verification takes places after the installation of the client, when cert/proxy manipulation commands become available.