NERSC: Powering Scientific Discovery Since 1974

Grid Certificates


Grid certificates allow you to access NERSC (and other Grid enabled computing facilities) via grid interfaces. Grid certificates are credentials that must be initialized for use with grid tools. Once a certificate is initialized it is automatically used by the grid tools to authenticate the user to the grid resource.

Getting a Short Lived NERSC Certificate

The NERSC Online CA now offers a quick and painless way to obtain grid certificates. You can obtain a grid certificate with a single command using this method.

If you are on a NERSC system, load the globus module to set up your environment:

% module load osg
  # or "module load globus" on PDSF


On the client system (assuming you have the globus binaries in your path), simply run:

% myproxy-logon [-T] -s nerscca.nersc.gov
  # Do not use -T if you run this command on NERSC compute systems.

When prompted ("Enter MyProxy pass phrase:"), enter your NIM/LDAP password. You should now have a grid certificate that can be used to access NERSC systems.

The -T flag is optional, and only needs to be included the first time you issue this command. This flag will pick up the necessary trust anchors, so that your grid clients can trust NERSC certificates. The -T flag should not be used on the NERSC compute systems, where your client relies on a centrally managed trusted certificates area (/etc/grid-security/certificates).

You can also change the default lifetime of the certificate (12 hours) using the -t flag.

Useful Options:

-l <username>    NERSC username
-s <servername>  Hostname for the NERSC CA server
-t <hours>       Certificate lifetime in hours.
                 Default is 12 hours. Maximum is 277 hours.
-T               Download trust anchors so that your clients trust NERSC certificates.
                 You only need to do this the first time you get a certificate, or if your trust anchors are out of date.
                 Do not use this flag if your system has a centrally managed trusted certificates directory (this includes all NERSC login nodes).
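The two rules above (add -T only on a client without a central trust directory, and stay within the 277-hour maximum) are easy to get wrong by hand. The following is an added example, not NERSC or Globus code: a small POSIX sh helper that assembles the myproxy-logon command line for the NERSC Online CA. The function names and the optional trust-directory override argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build a myproxy-logon command that follows the NERSC Online CA
# rules on this page. Helper names are assumptions; they are not part of MyProxy.

NERSC_CA_SERVER="nerscca.nersc.gov"
MAX_HOURS=277   # maximum certificate lifetime accepted by the NERSC Online CA

# Return 0 when this host has a centrally managed trusted-certificates directory
# (all NERSC login nodes do). $1 optionally overrides the path so the check can
# be exercised against a constructed directory.
has_central_trust_dir() {
    [ -d "${1:-/etc/grid-security/certificates}" ]
}

# Print the myproxy-logon command line for a short-lived NERSC certificate.
#   $1 = NERSC username (optional; -l is omitted when empty)
#   $2 = lifetime in hours (default 12)
#   $3 = trusted-certificates directory to test (default /etc/grid-security/certificates)
# -T is added only when no central trust directory exists; lifetimes above the
# 277-hour maximum are rejected up front instead of failing at the server.
nersc_logon_cmd() {
    user="$1"; hours="${2:-12}"; trustdir="${3:-/etc/grid-security/certificates}"
    case "$hours" in
        ''|*[!0-9]*) echo "lifetime must be a whole number of hours" >&2; return 2 ;;
    esac
    if [ "$hours" -gt "$MAX_HOURS" ]; then
        echo "lifetime $hours exceeds the $MAX_HOURS-hour maximum" >&2; return 2
    fi
    cmd="myproxy-logon -s $NERSC_CA_SERVER"
    [ -n "$user" ] && cmd="$cmd -l $user"
    cmd="$cmd -t $hours"
    if ! has_central_trust_dir "$trustdir"; then
        cmd="$cmd -T"    # personal client: fetch the NERSC trust anchors
    fi
    echo "$cmd"
}

# Path of the proxy file that myproxy-logon / grid-proxy-init write for this UID.
proxy_file() {
    echo "/tmp/x509up_u$(id -u)"
}
```

Run `eval "$(nersc_logon_cmd joeuser)"` on the client to execute the assembled command; on a NERSC login node the same call yields a command without -T.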

You can view your certificate information at any time by logging into NIM, and clicking on the Grid certificates tab. All NERSC systems have already been pre-populated to accept these certificates, so you don't have to do anything additional in NIM.

How to obtain a DOEGrids certificate for use at NERSC

In order to use grid tools, users can also obtain and install DOEGrids user certificates. The DOE Grids web pages provide all the necessary details for the application and installation process.

The basic steps in this process are:

  • Import DOEGrids CA certificates into your browser
  • Request a user certificate
  • Retrieve the certificate via your web browser
  • Export the certificate into a pkcs12 (.p12) file
  • Convert the exported file into a Globus usercert/key pair

Once you have your usercert.pem and userkey.pem files, you can use your certificate with Globus.

In order to login to NERSC with your grid certificate, you will first need to register your certificate information with the NIM web interface, so that this can be propagated to the grid-mapfile on the host systems.

  • Login to NIM, and click on the "Grid Certificates" tab.
  • Click on the "Add existing Grid Certificate to NIM" link.
  • Enter the appropriate information for the "Cert Subject" and "Cert Issuer" fields. You can get this information as follows:

    Make sure you have your certificate/key pair installed in $HOME/.globus/usercert.pem and $HOME/.globus/userkey.pem on a system that has Globus installed (such as Carver or PDSF).
    Load the globus module
      % module load globus
    Get the Cert Subject:
      % grid-cert-info -subject 
    which yields something like:
      /DC=org/DC=doegrids/OU=People/CN=Alfred E. Newman 123456 
    Get the Cert Issuer:
      % grid-cert-info -issuer 
    which yields:
      /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 
  • Make sure you enter the above fields in the exact format as that returned by the "grid-cert-info -subject" and "grid-cert-info -issuer" commands.
  • Click on "Add Certificate"
  • It will take up to 2 hours for the certificate to be approved and propagated to the various systems. You should receive confirmation when this has happened. You can now use your grid certificate to login to NERSC systems.

Storing Your certificate on a MyProxy server

NERSC provides a MyProxy service to conveniently store and access your grid certificate from multiple systems.

Instead of creating local copies of your usercert.pem and userkey.pem files on all the systems you wish to use, you can simply store a certificate on our myproxy server (myproxy.nersc.gov), and then access this proxy certificate (also called a delegated proxy credential) from any other machine without having to make local copies of your original certificate.

To store your proxy certificate, issue this command from a machine that has your original certificate key pair:

% myproxy-init -s myproxy.nersc.gov

Your identity: /DC=org/DC=doegrids/OU=People/CN=Joe User 123456
Enter GRID pass phrase for this identity:
Creating proxy ............................................Done
Proxy Verify OK
Your proxy is valid until: Tue Jul 24 13:47:44 2007
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user joeuser now exists on myproxy.nersc.gov.

This will prompt you for your local certificate password, and then ask you for a myproxy password. Your myproxy password will be used to pick up your delegated proxy from other machines. You can set this to anything you like as long as it meets the NERSC password requirements.

The above process stores a proxy certificate that is valid for 7 days on the myproxy.nersc.gov server under your default username. Other useful options include:

-l <username>  specify an alternate user to store the certificate under
-c <hours>     lifetime of the certificate in hours.
               -c 0 will store a proxy certificate with the maximum possible lifetime, i.e. the lifetime of the original certificate

To download a proxy certificate for use, enter the following:

% myproxy-logon -s myproxy.nersc.gov -l joeuser

Enter MyProxy pass phrase:
A credential has been received for user joeuser in /tmp/x509up_u1234.

This will prompt you for the myproxy server password that you set above, and create a short-lived (12-hour) grid proxy certificate on your local machine. You may omit the -l flag if you used your default local username to store the certificate on the myproxy server.

In all the examples describing grid access, you can substitute the grid-proxy-init command with myproxy-logon. Instead of generating a proxy from a local certificate, it will download a proxy certificate from the myproxy server, but the end result is exactly the same.

The NERSC MyProxy server (myproxy.nersc.gov) can now accept renewable credentials.

To store a long-term renewable credential:

% myproxy-init -A -k renewable -s myproxy.nersc.gov -c <HOURS>

(Set <HOURS> to 0 if you want the maximum lifetime of the cert)

To initialize the proxy:

% grid-proxy-init

(stores a proxy in /tmp/x509up_u$UID)

To renew it using a valid existing proxy:

% myproxy-logon -a /tmp/x509up_u$UID -k renewable -s myproxy.nersc.gov

(where the /tmp/x509up_u$UID is the existing proxy file)

Setting Up Trusted Certificates in Your Web Browser

Most NERSC web servers (and many LBL and DOE servers) use server certificates signed by the DOEGrids CA. Since most common web-browsers don't trust these by default, you end up with a cryptic security warning.

The following section describes how to configure various popular web browsers (Firefox, IE, Safari) to trust NERSC / DOEGrids certificates, so that you avoid such warning messages.

Firefox Certificate Setup

To set up Firefox to trust DOEGrids certificates by default:

  1. Go to https://pki1.doegrids.org/ca/ (ignore initial warning)
  2. Click on the Retrieval Tab -> Import CA Certificate chain
  3. Select "Import the CA certificate chain into your browser" and submit
  4. Check all three boxes to say that you trust these CAs.

Safari Certificate Setup

Safari uses the keychain to store the trust roots. It is easiest to use the TACAR repository to import these into your keychain.

Importing from TACAR:

  1. Go to https://www.tacar.org/repos/ (ignore initial warning)
  2. Check the CAs you wish to trust. You should probably at least check the following:
    • DOEGrids CA
    • ESnet Root CA
    • NERSC Online CA
  3. Make sure PKCS7 is checked and click Download (the file will be saved as tacar_certs.p7b)
  4. Open the Keychain application
  5. Go to File->Import Items
  6. Select the downloaded file (tacar_certs.p7b) with the "login" keychain as your destination
  7. It will ask you if you trust the CA. Click on "Always Trust"

Safari will now automatically trust NERSC / DOE sites.

IE Certificate Setup

  1. Go to https://pki1.doegrids.org/ca/ (ignore initial warning)
  2. Click on the Retrieval Tab -> Import CA Certificate chain
  3. Select "Import the CA certificate chain into your browser" and submit
  4. Open the file when prompted (getCAChain*.cer)
  5. Install Certificate
  6. Select "Place all certificates in the following Store" -> Browse
  7. Select "Trusted Root Certification Authorities"
  8. Next -> Finish

Additional Firefox Tips

Alternate method:

  1. Go to https://www.tacar.org/repos/
  2. Click on CAs you wish to trust. For example
    • DOEGrids CA
    • ESnet Root CA
    • NERSC Online CA
  3. Click install
  4. Check all three boxes to say that you trust these CAs.

Changing trust if CAs are already installed:

In case you've already set these up in Firefox earlier, but still seem to get the warnings, you may have to adjust your trust settings:

  1. In your Firefox preferences go to: Advanced->Certificates->View Certificates
  2. Click on the "Authorities" tab and scroll down to ESnet
  3. Select all the CAs under ESnet (DOEGrids and ESnet) and click Edit
  4. Check all three boxes to say that you trust these CAs.

This should let you automatically trust all DOEGrids certs in the future without the annoying Firefox warnings.