Grid certificates allow you to access NERSC (and other Grid enabled computing facilities) via grid interfaces. Grid certificates are credentials that must be initialized for use with grid tools. Once a certificate is initialized it is automatically used by the grid tools to authenticate the user to the grid resource.
Getting a Short Lived NERSC CA Certificate
The NERSC Online CA now offers a quick and painless way to obtain grid certificates. You can obtain a grid certificate with a single command using this method.
If you are on a NERSC system, load the globus module to set up your environment:
% module load globus
% module load osg
On the client system (assuming you have the globus binaries in your path), simply run:
% myproxy-logon [-T] -s nerscca.nersc.gov
# Do not use -T if you run this command on NERSC compute systems.
When prompted ("Enter MyProxy pass phrase:"), enter your NIM/LDAP password. You should now have a grid certificate that can be used to access NERSC systems.
The -T flag is optional, and only needs to be run the first time you issue this command. This flag will pick up the necessary trust anchors, so that your grid clients can trust NERSC certificates. The -T flag should not be used on the NERSC compute systems, where your client relies on a centrally managed trusted certificates area (/etc/grid-security/certificates).
You can also change the default lifetime of the certificate (12 hours) using the -t flag.
|-l <username>||NERSC username|
|-s <servername>||Hostname for NERSC CA server|
|-t <hours>||Certificate lifetime in hours.
Default is 12 hours. Maximum is 277 hours.
|-T||Download trust anchors so that your clients trust NERSC certificates.
Only need to do this the first time you get a certificate, or if your trust anchors are out of date.
Do not use if your system has a centrally managed trusted certificates diretory (this includes all NERSC login nodes).
You can view your certificate information at any time by logging into NIM, and clicking on the Grid certificates tab. All NERSC systems have already been pre-populated to accept these certificates, so you don't have to do anything additional in NIM.
Getting a Long Lived OSG Grid CA Certificate
In order to use grid tools, users can also obtain and install OSG Grid Certificates.
The basic steps in this process are:
- Request a user certificate
- Retrieve the certificate via your web browser
- Export the certificate into a pkcs12 (.p12) file
- Convert the exported file into a Globus usercert.pem and userkey.pem pair
Once you have your usercert.pem and a userkey.pem files, you can use your certificate with Globus.
In order to login to NERSC with your grid certificate, you will first need to register your certificate information with the NIM web interface, so that this can be propagated to the grid-mapfile on the host systems.
- Login to NIM, and click on the "Grid Certificates" tab.
- Click on the "Add existing Grid Certificate to NIM" link.
- Enter the appropriate information for the "Cert Subject" and "Cert Issuer" fields. You can get this information as follows:
Make sure you have your certificate/key pair installed in $HOME/.globus/usercert.pem and $HOME/.globus/userkey.pem on a system that has Globus installed (such as Carver or PDSF).
Load the globus module
% module load globus
% grid-cert-info -subject
/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Alfred E. Newman 123456Get the Cert Issuer:
% grid-cert-info -issuerwhich yields:
/DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1
- Make sure you enter the above fields in the exact format as that returned by the "grid-cert-info -subject" and "grid-cert-info -issuer" commands.
- Click on "Add Certificate"
- It will take up to 2 hours for the certificate to be approved and propagated to the various systems. You should receive confirmation when this has happened. You can now use your grid certificate to login to NERSC systems.