Grid Certificates

Grid certificates allow you to access NERSC (and other Grid enabled computing facilities) via grid interfaces. Grid certificates are credentials that must be initialized for use with grid tools. Once a certificate is initialized it is automatically used by the grid tools to authenticate the user to the grid resource.

Getting a Short Lived NERSC CA Certificate

The NERSC Online CA now offers a quick and painless way to obtain grid certificates. You can obtain a grid certificate with a single command using this method.

Log onto a NERSC Data Transfer Node:

% myproxy-logon [-T] -s <servername>
# Do not use -T if you run this command on NERSC compute systems.

When prompted ("Enter MyProxy pass phrase:"), enter your NIM/LDAP password. You should now have a grid certificate that can be used to access NERSC systems.

The -T flag is optional and only needs to be used the first time you issue this command. It downloads the necessary trust anchors so that your grid clients can trust NERSC certificates. Do not use -T on the NERSC compute systems, where your client relies on the centrally managed trusted certificates directory (/etc/grid-security/certificates).

You can also change the default lifetime of the certificate (12 hours) using the -t flag.

Useful Options:

-l <username>    NERSC username.
-s <servername>  Hostname of the NERSC CA server.
-t <hours>       Certificate lifetime in hours.
                 Default is 12 hours. Maximum is 277 hours.
-T               Download trust anchors so that your clients trust NERSC certificates.
                 Only needed the first time you get a certificate, or if your trust anchors are out of date.
                 Do not use it if your system has a centrally managed trusted certificates directory (this includes all NERSC login nodes).

You can view your certificate information at any time by logging into NIM, and clicking on the Grid certificates tab. All NERSC systems have already been pre-populated to accept these certificates, so you don't have to do anything additional in NIM.

Getting a Long Lived OSG Grid CA Certificate

In order to use grid tools, users can also obtain and install OSG Grid Certificates.

The basic steps in this process are:

  • Request a user certificate
  • Retrieve the certificate via your web browser
  • Export the certificate into a pkcs12 (.p12) file
  • Convert the exported file into a Globus usercert.pem and userkey.pem pair

Please visit the OSG OIM site to request a certificate. Click on "User Certificates -> Request New" to get started. More information on how to obtain an OSG user certificate can be found here.

Once you have your usercert.pem and userkey.pem files, you can use your certificate with Globus.

To log in to NERSC with your grid certificate, you first need to register your certificate information in the NIM web interface so that it can be propagated to the grid-mapfile on the host systems.

  • Log in to NIM, and click on the "Grid Certificates" tab.
  • Click on the "Add existing Grid Certificate to NIM" link.
  • Enter the appropriate information for the "Cert Subject" and "Cert Issuer" fields. You can get this information as follows:

    Make sure you have your certificate/key pair installed in $HOME/.globus/usercert.pem and $HOME/.globus/userkey.pem on a system that has Globus installed (such as Carver or PDSF).
    Load the globus module:
      % module load globus
    Get the Cert Subject:
      % grid-cert-info -subject
    which yields something like:
      /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Alfred E. Newman 123456
    Get the Cert Issuer:
      % grid-cert-info -issuer
    which yields:
      /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1
  • Make sure you enter the above fields in the exact format as that returned by the "grid-cert-info -subject" and "grid-cert-info -issuer" commands.
  • Click on "Add Certificate".
  • It will take up to 2 hours for the certificate to be approved and propagated to the various systems. You should receive confirmation when this has happened. You can now use your grid certificate to login to NERSC systems.
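The two manual steps above, converting the exported .p12 file into the Globus usercert.pem/userkey.pem pair and reading back the Cert Subject and Cert Issuer strings for NIM, as an added shell example (not NERSC's or OSG's own tooling). It assumes the .p12 export password is supplied in $P12_PASS and the passphrase for the new userkey.pem in $KEY_PASS, and it uses openssl in place of grid-cert-info so it can be run where the globus module is not installed.

```shell
#!/bin/sh
# Added example (not from the NERSC page or OSG): turn a browser-exported
# PKCS#12 (.p12) file into the usercert.pem / userkey.pem pair that Globus
# expects in $HOME/.globus, with the permissions GSI clients insist on, and
# print the Cert Subject / Cert Issuer strings in the slash-separated form
# that grid-cert-info -subject / -issuer produce for entry into NIM.
#
# Assumptions made here (not stated on the page): the .p12 export password is
# read from $P12_PASS and the passphrase protecting the new userkey.pem from
# $KEY_PASS, so neither appears in the process list or shell history.

# p12_to_globus FILE.p12 [TARGET_DIR]   (TARGET_DIR defaults to ~/.globus)
p12_to_globus() {
    p12="$1"
    dir="${2:-$HOME/.globus}"
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    # Client certificate only: no CA chain, no private key.
    openssl pkcs12 -in "$p12" -clcerts -nokeys \
        -passin env:P12_PASS -out "$dir/usercert.pem" || return 1
    # Private key, kept encrypted under $KEY_PASS (grid-proxy-init prompts
    # for it). umask 077 keeps the file from ever being group/world readable.
    (umask 077 && openssl pkcs12 -in "$p12" -nocerts \
        -passin env:P12_PASS -passout env:KEY_PASS \
        -out "$dir/userkey.pem") || return 1
    # Permissions Globus requires: key readable by the owner only.
    chmod 0644 "$dir/usercert.pem" && chmod 0400 "$dir/userkey.pem"
}

# Subject / issuer as one-line "/DC=.../O=.../CN=..." strings. -nameopt compat
# selects the legacy slash-separated form; sed drops the "subject=" label.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}

# Sanity check that the key is intact and decrypts with $KEY_PASS.
key_ok() {
    openssl pkey -in "$1" -passin env:KEY_PASS -noout 2>/dev/null
}
```

Paste the cert_subject and cert_issuer output into the NIM "Cert Subject" and "Cert Issuer" fields exactly as printed.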