Certificates and VOs: Difference between revisions

Getting access the IIHE T2B

PageOutline

• In order to get access to grid and the Tier2 at the IIHE you need obtain a BEgrid Certificate and get access to the User Interfaces of the IIHE.
• BEgrid certificates are managed by BELNET
• The access to the IIHE UI's, called the Mx machines (x representing a number) is explained below, it is [#Mailing-listandaccesstoUIs part] of the First registration procedure.
• First registration: The registration procedure consist of several steps outlined below in the section [#Firstregistration:Outlineofregistrationprocedure First registration]
• Certificate Renewal: The procedure to renew your certificate is described in section [#Certificaterenewal:Updatecertificate Certificate Renewal]

Password advice

In the registration procedure that is described here, a number of passwords will be requested from you. Please choose good ones and don't share them with other people (or write them on post-its ;).

First registration: Outline of registration procedure

• First, a very important preliminary remark before going into the steps of the certificate request procedure : you can use Firefox or IE, but please DON'T USE CHROME and KEEP THE SAME BROWSER AND LAPTOP/PC DURING ALL THE PROCEDURE.
• If you request a certificate for the very first time, you can follow the procedure here. The section Get a BEgrid Certificate should provide you with a BEgrid certificate and should allow you to prepare your browser
  • Get a BEgrid certificate
  • Browser preparation

• The next step is to Join a Virtual organisation VO as described further on this page in the section Virtual Organisation. You can make several choices. If you intend to use the CMS grid infrastructure your VO is CMS. For BEgrid applications join beapps or betest.
• A summary of the steps you should take is given here:
  • VO CMS :
  • VO CMS registration
  • Send a email to the T2B grid-admins (grid_adminNOSPAM@listserv.vub.ac.be) to introduce yourself
  • Become a member of the group /cms/becms
  • VO BEAPPS :
  • VO BEAPPS registration
  • VO BETEST :
  • VO BETEST registration

• If you join the CMS VO you still need to do following steps as described in section Mailing-list and access to Mx-machines
  • Create your Hypernews account
  • Register your DN in SiteDB
  • Else CRAB will not work.
  • First, make a public certificate Instructions
  • Next, upload this public certificate in this page
  • After ~15 minutes, the changes should be reflected on this page
  • Register to T2B mailing-list
  • Finally you should send your SSH key to grid_adminNOSPAM@listserv.vub.ac.be to get acces to the tier2

Virtual Organisation

What VO should I join?

• Depending on your experiment or type of application, you have to choose a corresponding VO. If you have no clue which it is, ask your contact person. Unless you really know what your doing (but why are you reading this page?), don't join dteam or ops.

CMS

For all people that are in the CMS collaboration and that need access to something.

• You need to have your browsercertificate loaded.
• Go to: VO CMS registration
  • Phase I
  • fill in a valid email address
    • the email address must be known in the CERN database and in the CMS database (normally this is the address used when registering with CMS for the first time)
    • in case you have problems, try the CERN xwho database to find your known email address
  • select Marti Pimia as representative
  • fill in your first name and last name
  • wait for an email to go to Phase II
  • click on the link in the email. It will take you to the Phase II registration page.
  • fill in your personal information
  • pick any additional roles (if really needed). the default should be ok for lost people.
  • on the bottom: read the GRID Acceptable Use Policy and select ok
  • click to register
  • Also send an email to the admins [ grid_admin[AT]listserv.vub.ac.be ] to tell them who you are. Also put your team leader in CC, in this way we know that you are part of the Belgian collaborators (it is impossible for us to know all new members)
  • you now have to wait for approval of your request. this can take some time and you will notified by email.
  • at latest one day after this approval you will be able to use the CMS grid resources.
• After you are member of the VO cms, you need to join the group /cms/becms
  • Goto the Select Groups & Group Roles
  • Select the group /cms/becms
  • Press Submit at the bottom of the page
  • Image(cms-groups-becms.png, 50%)

BEapps

• Not needed if you are in CMS
• For all people that want to have their application running in BEgrid on a production level.
• You must have your browser certificate loaded.
• Go to: VO BEapps registration

BEtest

• Not needed if you are in CMS
• For all people that want to test their application running in BEgrid.
• You must have your browser certificate loaded.
• Go to: VO BEtest registration

Mailing-list

• HN account
  • New member info
  • If you have a lxplus account, you can register yourself
  • If not, you need to send an email to the cms hn admin.
  • Register HN account in SiteDB (instructions)
  • Else CRAB will not work.
  • First, make a public certificate Instructions
  • Next, upload this public certificate in this page
  • After ~15 minutes, the changes should be reflected on this page

• Once you have access to the UIs, you need to install your certificate on these machines. This procedure is described here under the section Install your certificate in your new Unix account

Certificate renewal: Update certificate

#comment
As the CA changed, users with a certificate made before November 2008 should ask for a new certificate. This is because the certificate authority changed.
*Certificate renewal for certificates delivered BEFORE November 2008 
**First follow the procedure as detailed in "Requesting a certificate for the very first time"
**Install your newly received certificate in a directory other than .globus, as you will use the old one while waiting for the new one to be approved by cms
**Then go to https://lcg-voms.cern.ch:8443/vo/cms/vomrs?path=/RootNode/MemberAction/MemberDNs/AddDN&action=execute&do=select
**Fill in your new Dn (you can obtain this by running the following command: 

#comment
openssl x509 -in usercert.pem -subject

#comment
**Your new DN starts with /C=BE
**Make sure when you copy, not to add any whitespace before or after the DN
**also change the CA (dropdown box) to : /C=BE/OU=BEGRID/O=BELNET/CN=BEgrid CA
***note that a similar one exists with an email address. Do NOT use the one with the email address.
**In the reasons box, fill in: "Change of CA"
**Wait until the new certificate is approved and then ...
**contact the admins to have your dcache acces mapped to your new DN (send us the DN via email)
**also change your DN into siteDB (https://twiki.cern.ch/twiki/bin/view/CMS/SiteDBForCRAB)

• Certificate renewal
  • Please DON'T USE CHROME and KEEP THE SAME BROWSER AND LAPTOP/PC DURING ALL THE PROCEDURE !
  • Go to the belnet site https://gridra.belnet.be/pub/
  • Go to request a new certificate based on an existing certificate (the renew function does not work on their site)
  • You can install your new certificate directly in your browser with the "Integrate" button (recommended) or download it as a file.
  • then, install your new certificate in your Unix account:
  • The certificate has to be copied on the User Interface server (and saved in a different format ...)
    • Export the certificate from your browser, into a 'p12' - file
    • for Firefox: Select Edit/Preferences->Advanced->Manage Certificates; Select the Certificate Click "Backup" give the requested password, then Save with file name "cert" (Will create file cert.p12)
    • for Internet Explorer Select Tools/Internet Options Select Content Select Certificates Select Personal Select the Certificate Click "Export" On Certificate Manager Export Wizard Select Next Select 'Yes, export the private key'
    • For MAC:

1. 1. 1. 1. Open the Keychain Access utility (Applications -> Utilities)

      2. Select your certificate or key from the Certificates or Keys category, and do one of the following:

1. 1. 1. 1. 1. Choose File -> Export items ...

        b. Right-click, and choose Export [your name]'s ID ...
      3. In the Save As field, enter cert.12 for the exported item, and click Save.  You will be prompted to enter a new export password for the item.

• • Select Personal Information Exchange PKCS#12 (.PFX) give the requested password, then Save with file name "cert".( will save cert.pfx, rename this to cert.p12 )
    • scp the file cert.p12 on the User Interface server.
    • login on the userinterface-server; The file cert.p12 should be in your homedirectory now. Execute fillowing commands (to transform the certificate and private key from the PFX-format into PEM format; they will ask for the passphrase you put on cert.p12 in order to read it, and will ask you for a new passphrase to put on the private key userkey.pem; You can take the same passphrase ... !)

 mkdir ~/.globus
 openssl pkcs12 -nocerts -in cert.p12 -out ~/.globus/userkey.pem
 openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~/.globus/usercert.pem
 chmod 400 ~/.globus/userkey.pem
 chmod 644 ~/.globus/usercert.pem

Questions and Remarks

Who is my local BEgrid contact person?

Good question. If you really don't know or you can't ask anybody else, you may always contact rosette.vandenbroucke@vub.ac.be with this question.

Some links

• www.alw.nih.gov
• www.auscert.org.au
• en.wikipedia.org
• pisa.belnet.be (dutch), (french)

Extra

Useful link for all detailed commands on certificates:

• http://goc.eu-eela.org/operations/certification-authority-and-virtual-organisation-operations/certificate-manipulation/

Problems

No certificate matches private key

When the conversion to .p12 fails with this message, a number of things might be wrong:

• Make sure that the request-key is the one matching the certificate (ie the download.cer file).
• Check the public modulus:
  • openssl rsa -noout -text -in <request_key>
  • openssl req -noout -text -in <newcert_request.pem>
  • openssl x509 -noout -text -in <download.cer>
• They should all have the same modulus, eg

  Modulus (2048 bit):
       00:a8:7d:e0:ec:c6:ba:0b:39:87:92:87:2e:1d:03:

• If this is not the case, something went wrong somewhere. You should contact gridcaNOSPAM@belnet.be and explain them your problem.

Troubleshooting check-list

This section gives a summary of the different steps of the registration procedure detailed on this page. You can use it as a check-list, e.g. to verify that you don't have missed a step.

- Browser preparation
- Get a BEgrid certificate
- Join a VO (CMS or BEAPPS or BETEST) :

• • VO CMS :
  • VO CMS registration
  • Send a email to the T2B grid-admins (grid_adminNOSPAM@listserv.vub.ac.be) to introduce yourself
  • Become a member of the group /cms/becms
  • Create your Hypernews account
  • Register your DN in SiteDB
  • Register to T2B mailing-list
  • VO BEAPPS :
  • VO BEAPPS registration
  • VO BETEST :
  • VO BETEST registration

- Send your SSH key to grid_adminNOSPAM@listserv.vub.ac.be

Certificates

BEgrid certificates are managed by BELNET

• Homepage of the BELNET CA
• Email your questions or remarks to gridcaNOSPAM@belnet.be

Browser preparation

Everybody has to do this at least once :

• Load the certificate authenticating the BEgrid CA by clicking on the appropriate link at https://gridra.belnet.be/
  • This may bring up a so-called Software Security Device that will manage your certifiactes in your browser.

 When this is the first time you use it, you'll need to configure it first. 
 Most probably this means setting a password to protect the device.

• • If nothing happens automagically, download the certificate from the above link and import it yourself
  • Mozilla/firefox/etc : Edit -> Preferences -> Advanced -> Manage certificates -> authorities -> import
• If your CA is CERN, to load the CA certificate go to the CERN CA homepage, and in the section Download CA certificates and CRLs click on both CERN Root CA certificate and CERN Trusted Certification Authority Certificate

If your certificate is no longer in your browser :

This can happen if you have changed from laptop or if you have reinstalled everything from scratch on your laptop without having restored a backup of your browser environment. In this case, if you still have access to our UIs, you can recreate the PKCS12 (*.p12) certificate from the usercert.pem and userkey.pem files located in your ~/.globus. Here is the procedure :

On a UI :
cd ~/.globus
openssl pkcs12 -export -out cert.p12 -inkey userkey.pem -in usercert.pem

It will prompt you to type the password of your userkey.pem, it is the one you use to submit crab jobs. To export the p12 use the same password. So just type 3 times the same password it is easier like that.

After that, copy the cert.p12 file back to your computer. Then you just have to import the certificate on your browser.

Example for Mozilla Firefox: Go to Preferences > Advanced > Encryption > View Certificates >Your certificates > Import

There you just have to choose the cert.p12 and it will ask you for the password you used before.

Template:TracNotice