In order to set up your GRID Certificate, you need to have already completed the initial steps of requesting the certificate, registering for membership in the ATLAS VO, etc. See this BNL page for detailed instructions.
NOTE: THIS LINK WAS UPDATED TO A NEW URL FOR DIGICERT ON MAY 19, 2015
You should use a browser with appropriate security, such as IE7 or Firefox v2.
The sections below are out-of-date.
Instead use the BNL pages at https://www.racf.bnl.gov/docs/howto/grid
After Obtaining Confirmation
The DOE will send you an e-mail with your GRID Certificate's serial number. DO NOT enter the script commands, as you have most likely requested the certificate via a web browser. The next step is to import the certificate into the browser.
Use the same browser to import and export your certificate that you used to request the certificate.
There is information on importing and exporting your certificate from your browser at http://docdb.fnal.gov/import-cert.html but see if the instructions below work for you.
Importing Your Certificate
After receiving the e-mail with your certificate's serial number, follow these steps to import your certificate into your browser:
- Point your browser to the DOEgrid Subscriber Enrollment Site
- Navigate to the Retrieval tab at the top.
- Click List Certificates.
- Enter your serial number (from the e-mail) in the 'Lowest serial number' field.
- Click 'Find.'
- Locate your certificate's entry.
- Note: If you applied with other users, your name might be farther down the list...
- Click 'Details.'
- Scroll to the bottom of the page, and click 'Import Your Certificate.'
Your browser now has your DOE GRID Certificate saved. From this point, you can export the certificate to generate the userkey.pem and usercert.pem files that make you eligible for GRID tasks.
Exporting Your Certificate
In order to perform GRID tasks, you need to export your certificate from the browser. To do so, follow the instructions for your respective browser:
- Select your certificate:
- In Firefox v2 (Linux): Click Edit -> Preferences, click Advanced, click the Encryption tab, and then click View Certificates.
- In Firefox v2 (Windows): Click Tools -> Options, click Advanced, click Encryption, and then click View Certificates.
- In Firefox v1.5 (Linux): Click Edit -> Preferences, click Advanced, click the Security tab, and then click View Certificates.
- In Firefox v1.5 (Windows): Click Tools -> Options, click Advanced, click Security, and then click View Certificates.
- In Internet Explorer v7, click Tools -> Internet Options, click the Content tab, and under Certificates, click the Certificates button.
- In Internet Explorer v6, click Tools -> Internet Options, click the Content tab, and under Certificates, click the Personal.
- Select your DOE certificate, click Backup (or Export), and store this file in a safe location on your computer, or in your home directory on any of the aglt2.org machines.
Now, with your *.pfx file (hereafter referred to as gridcert.pfx), you can convert your certificate to the relevant usercert.pem and userkey.pem files.
See Also: Installing Your Grid Certificate
Converting Your Certificate
This is the crucial part. Here, you're going to put your exported certificate on the aglt2.org server, convert it, and configure your directory structure so that you can perform your GRID tasks.
- If you have not already done so, using SFTP or some other file-transfer protocol, move your gridcert.pfx file to your home directory on umt3int02, or any machine on the aglt2.org cluster.
- Set up the relevant directories:
$ mkdir .globus
$ mkdir -p .private/.globus
- Convert gridcert.pfx to the relevant files using the
$ openssl pkcs12 -in [your-cert-file] -clcerts -nokeys -out .globus/usercert.pem
$ openssl pkcs12 -in [your-cert-file] -nocerts -out .private/.globus/userkey.pem
- This second command may prompt you for the password you created while exporting your certificate. Then, it will prompt you to create a password for your userkey.pem file, which you HOLD DEAR, for you will use this every time you access the GRID.
- VERY IMPORTANT: Never tell anyone your password, and make sure that your userkey.pem file is only readable by YOU, i.e., execute the following in your home directory:
$ chmod 400 .private/.globus/userkey.pem
- Next, you must set the appropriate access rights for these hidden directories. Only you should have any rights on your private directory, so execute the following command: (note, see here for alternate directions on setting up this afs .private directory protection)
$ fs listacl .private
- The output should look something like this:
- If there are any rights given to other users (besides your username), such as system:anyuser, you must remove these rights. Execute these commands:
$ fs setacl .private system\:administrators ""
$ fs setacl .private system\:anyuser ""
- If a fs listacl .globus command reveals that system:anyuser has more access than the simple "rl," do this:
$ fs setacl .globus system\:anyuser rl
- Now, make a softlink from your .globus directory to your
$ cd .globus
$ ln -s ~/.private/.globus/userkey.pem userkey.pem
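One way to check the result of the conversion steps above, as an added example that is not part of the original directions: the first function verifies the certificate, key mode, key passphrase protection and softlink; the second lists every principal other than you in `fs listacl` output. The function names check_grid_layout and acl_extra_principals are hypothetical.

```shell
# Added example; check_grid_layout and acl_extra_principals are hypothetical names.

# Print one line per problem found under HOME_DIR; return the problem count.
check_grid_layout() {
    home=$1
    cert="$home/.globus/usercert.pem"
    key="$home/.private/.globus/userkey.pem"
    link="$home/.globus/userkey.pem"
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
        fail "$cert is missing or holds no certificate"
    if [ ! -f "$key" ]; then
        fail "$key is missing"
    else
        # Exactly mode 400, as set by the chmod step.
        [ -n "$(find "$key" -prune -perm 400)" ] ||
            fail "$key is not mode 400"
        # A passphrase-protected PEM key is marked ENCRYPTED in its header.
        grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$key" ||
            fail "$key is not passphrase-protected"
    fi
    # The .globus entry must be a symlink to the key, not a second copy.
    { [ -L "$link" ] && [ "$link" -ef "$key" ]; } ||
        fail "$link is not a symlink to $key"
    return "$problems"
}

# Read `fs listacl` output on stdin and print every principal except OWNER.
acl_extra_principals() {
    awk -v owner="$1" 'NF == 2 && $2 != "rights:" && $1 != owner { print $1 }'
}

# Usage:
#   check_grid_layout "$HOME"
#   fs listacl "$HOME/.private" | acl_extra_principals "$USER"
```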
At this point, you are ready to use your GRID certificate for GRID tasks. See Bob's DQ2 Setup Instructions for information about using DQ2.
Taken in whole from directions set up by Devin Harper, 23 July, 2007, on the Higgs Twiki of linat05.
- 15 Jan 2009