|
|
(84 intermediate revisions by 9 users not shown) |
Line 1: |
Line 1: |
− | [[Category:Grid computing]] | + | #REDIRECT[[Swestore Documentation Moved]] |
− | [[Category:SweGrid user guide]]
| |
− | [[Category:SweStore]]
| |
− | [[Category:SweStore user guide]]
| |
− | [[Getting started with SweGrid|< Getting started with SweGrid]]<br>
| |
− | [[SweStore|< SweStore]]
| |
− | | |
− | =Introduction to certificates=
| |
− | | |
− | In order to get access to computer and storage resources on the grid or [[SweStore]] you must have a valid (grid) certificate. This certificate is used instead of a username and password when accessing the resource. The resource have a certificate that tells you that you have contacted the right resource. This is exactly the same mechanism used when you use a web browser to contact your bank.
| |
− | | |
− | A certificate is the similar to a passport in real-life. In the same way you have prove your credentials when you acquire a passport the same is true for a certificate. A third party, the Certificate Authority or CA, that both you and the resource trust has to vouch for your identity and sign your certificate.
| |
− | | |
− | A certificate consist of a public key, some user information and a signature of the CA. In addition to the certificate you have a private key. The private key is secret and should be kept as secure as possible.
| |
− | | |
− | For more information regarding certificates and public key cryptography:
| |
− | | |
− | [http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]
| |
− | | |
− | [http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]
| |
− | | |
− | [http://www.nordugrid.org/documents/certificate_howto.html http://www.nordugrid.org/documents/certificate_howto.html]
| |
− | | |
− | * The grid certificate and the private key are stored in your web browser and/or located in ~/.globus at the host(s) from where you will be accessing the resource:
| |
− | usercert.pem
| |
− | userkey.pem
| |
− | * The certificate contains your public key, your name and organization and a signature by the CA. It is does not contain any username.
| |
− | * The certificate is valid for 13 month and should be renewed yearly.
| |
− | * The private key should be handled with great care. It should only be readable by you (i.e. ``chmod 400 userkey.pem''). Store the key on trusted computers and transfer the key between computers using encryption (using for example scp).
| |
− | * The private key is encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away the passphrase to somebody else.
| |
− | * You should not share the certificate with someone. It's personal.
| |
− | | |
− | For more information regarding certificates and public key cryptography:
| |
− | | |
− | [http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]
| |
− | [http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]
| |
− | | |
− | = Requesting a certificate =
| |
− | | |
− | Certificates are issued by a Certificate Authority or CA. For Swedish users there are two relevant CA:s that can issue grid certificates, Terena and Nordugrid. The Terena CA is preferred if it is available for your university or research group, but many sites has not enabled this service yet. The Nordugrid CA can also be used but requires more manual work by all parties.
| |
− | | |
− | Recommended procedure for each university:
| |
− | | |
− | {| class="wikitable"
| |
− | | University
| |
− | | CA
| |
− | | Info
| |
− | |-
| |
− | | LU
| |
− | | Terena CA
| |
− | | -
| |
− | |-
| |
− | | LiU
| |
− | | Terena CA
| |
− | | -
| |
− | |-
| |
− | | CTH
| |
− | | NorduGrid CA
| |
− | | [http://snicdocs.nsc.liu.se/wiki/Chalmers_Certificate_Instructions]
| |
− | |-
| |
− | | UU
| |
− | | Terena CA
| |
− | | -
| |
− | |-
| |
− | | KTH
| |
− | | Terena CA
| |
− | | [http://snicdocs.nsc.liu.se/wiki/KTH_Certificate_Information Instructions...]
| |
− | |-
| |
− | | SU
| |
− | | NorduGrid CA
| |
− | | [http://snicdocs.nsc.liu.se/wiki/SU_Certificate_Information Instructions...]
| |
− | |-
| |
− | | KI
| |
− | | NorduGrid CA
| |
− | | [http://snicdocs.nsc.liu.se/wiki/KI_Certificate_Information Instructions...]
| |
− | |-
| |
− | | UmU
| |
− | | Terena
| |
− | | -
| |
− | |}
| |
− | | |
− | | |
− | [[Requesting a grid certificate using the Terena eScience Portal|Instructions for the Terena CA]]
| |
− | | |
− | [[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA]]
| |
− | | |
− | = Requesting membership in the SweGrid VO =
| |
− | | |
− | SweGrid and SweStore resources are currently being allocated for VO:s, virtual organizations, rather than individual users. A VO is basically just a list of users. To be able to use a SweGrid or SweStore resource a membership in the SweGrid VO (virtual organization) and a corresponding subgroup is required. To apply for membership, make sure that the NorduGrid root CA certificate and your personal certificate is installed in the browser.
| |
− | | |
− | The NorduGrid CA cert can be installed by clicking on the following link:
| |
− | | |
− | [http://ca.nordugrid.org/cacrt.crt http://ca.nordugrid.org/cacrt.crt]
| |
− | | |
− | Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.
| |
− | | |
− | | |
− | [[File:certinstall.png]]
| |
− | | |
− | | |
− | When certificates have been installed in the browser go to the following URL:
| |
− | | |
− | [https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]
| |
− | | |
− | and follow the instructions. In a couple of hours you will be added to the SweGrid VO.
| |
− | | |
− | To be added to the correct SweGrid project send a mail to [mailto:support@swegrid.se support@swegrid.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which SNIC-project to be added to.
| |
− | | |
− | To be added to the correct Swestore allocation send a mail to [mailto:swestore-support@snic.vr.se swestore-support@snic.vr.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which Swestore allocation to be added to.
| |
− | | |
− | = Proxy certificates =
| |
− | | |
− | Authentication on the grid is done using special short lived ''proxy'' certificates. There are several tools available for creating, checking and destroying these proxy certificates.
| |
− |
| |
− | == Creating a proxy certificate ==
| |
− | | |
− | To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:
| |
− | | |
− | $ arcproxy
| |
− | Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
| |
− | Enter pass phrase for /home/kalle/.globus/userkey.pem:
| |
− | .++++++
| |
− | .....++++++
| |
− | Proxy generation succeeded
| |
− | Your proxy is valid until: 2011-03-11 03:00:14
| |
− | | |
− | The proxy file itself will be created in the '''/tmp''' directory with the format '''x509up_uid''', where uid is the user id number for your account.
| |
− | | |
− | In some cases a longer lived proxy will be needed. This is achieved using the '''--constraint''' switch. A 24-hour can be created by issuing the following command:
| |
− | | |
− | $ arcproxy --constraint="validityPeriod=24H"
| |
− | Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
| |
− | Enter pass phrase for /home/kalle/.globus/userkey.pem:
| |
− | ....++++++
| |
− | .....++++++
| |
− | Proxy generation succeeded
| |
− | Your proxy is valid until: 2011-03-11 15:03:19
| |
− | | |
− | == Checking proxy lifetime ==
| |
− | | |
− | The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.
| |
− | | |
− | $ arcproxy --info
| |
− | Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
| |
− | Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
| |
− | Time left for proxy: 11 hours 55 minutes
| |
− | Proxy path: /tmp/x509up_u500
| |
− | Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy
| |
− | | |
− | In this example the proxy certificate is valid for 11 hours 55 minutes more.
| |
− | | |
− | == Destroying a proxy certificate ==
| |
− | | |
− | A proxy can be destroyed with the '''-r''' or '''--remove''' switch.
| |
− | | |
− | $ arcproxy -r
| |
− | | |
− | or
| |
− | | |
− | $ arcproxy --remove
| |
− | | |
− | = VOMS certificates =
| |
− | | |
− | As long as you are a member of only one VO or VO group, you can
| |
− | authenticate to a grid service with the regular grid proxy certificate
| |
− | as defined in the previous section. If you are a member of more than
| |
− | one VO or VO group you may want to select which membership you want to
| |
− | be authenticated as. For example, if you are a member of
| |
− | ''swegrid.se:/swegrid.se/ops'' (operations staff) and
| |
− | ''swegrid.se:/swegrid.se/bils'' and want to write a file, who should
| |
− | be the owner? Ops or bils? You need to provide some additional
| |
− | information. In the grid world this is done with a voms proxy
| |
− | certificate which basically is a regular proxy certificate but with a
| |
− | so called voms extension that contains a list of your VO group
| |
− | memberships (and roles and attributes, which we don't use in
| |
− | Swegrid/Swestore at the moment).
| |
− | | |
− | '''Please note, if you only have one membership you can skip this section!'''
| |
− | | |
− | The voms extension of the certificate is signed by the virtual
| |
− | organization management server, or VOMS server. The same VOMS server
| |
− | you used when applying for the swegrid.se VO membership in the first
| |
− | place. To enable this signing process you need to add a few
| |
− | configuration files to your system. First add this to the file
| |
− | '''/etc/vomses''':
| |
− | | |
− | "swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"
| |
− | | |
− | Next create the necessary directories and the file
| |
− | '''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' with the
| |
− | following contents:
| |
− | | |
− | /O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
| |
− | /O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority
| |
− | | |
− | == Creating a VOMS proxy ==
| |
− | | |
− | VOMS proxies in ARC1 can be created using the '''arcproxy''' command
| |
− | and the '''-S''' or '''--voms''' switches as shown in the following
| |
− | example (if you are a member of the /swegrid.se/ops group. Adjust as
| |
− | necessary):
| |
− | | |
− | $ arcproxy -S swegrid.se:/swegrid.se/ops
| |
− | Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
| |
− | Enter pass phrase for /home/kalle/.globus/userkey.pem:
| |
− | .....++++++
| |
− | ............++++++
| |
− | Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
| |
− | Proxy generation succeeded
| |
− | Your proxy is valid until: 2011-03-10 23:33:06
| |