Personal Certificate

The basic steps to work with certificates in a Grid are always the same:

  1. Obtain a Grid X.509 certificate. There are several ways to do this; you only need one of them. They are described on this page.
  2. Connect the certificate with your LRZ account via the ID portal. This has to be done only once.
  3. Generate a proxy (a short-lived copy) of your certificate. You can do this with grid-proxy-init -bits 2048 or GSISSH-Term.
  4. Perform your work in the Grid (remote login, data transfer, job submission).

Requesting a Grid Certificate

Since the authentication and authorization of resources and people in Grid-related areas is performed by a Public Key Infrastructure (PKI), participation in Grid Computing requires a certificate that adheres to the specifications of the European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA). Because the EUGridPMA cooperates with the corresponding American (TAGPMA) and Asia-Pacific (APGridPMA) associations, these certificates are recognised worldwide within the scientific field.

For Germany, the members of the EUGridPMA are the DFN (German Research Network) and the Karlsruhe Research Center (FZK). These organisations operate a so-called Certification Authority (CA), which is commissioned to issue certificates adhering to the EUGridPMA specifications. In order for an electronic certificate to be identified with one person or resource, the owner or the party responsible for the resource, respectively, must appear in person at one of these CAs with an appropriate document to verify their identity.

To simplify this process for the users, so-called Registration Authorities (RA) were established. Their function is to undertake this operation on behalf of the CA. LRZ is authorized to operate a DFN-PKI related RA, responsible for LRZ itself and for the three universities in Munich.

Obtaining a Long Lived Credential

Generating a User Certificate Request

The first step in acquiring a certificate is generating a certificate request. The easiest way is to use a browser capable of handling certificate generation, such as Firefox 3.0 or higher (3.5 recommended). The following steps are required:

Go to LRZ Grid RA. Choose the "Zertifikate" tab after the window has finished loading.

Click on the button named "Nutzerzertifikat". The following page contains a form in which all entries marked with a '*' must be filled in. The PIN is required in case you later want to block (revoke) your certificate.


It is important that you choose the proper department from the drop-down list between:

  • Leibniz-Rechenzentrum
  • Universität der Bundeswehr
  • Technischen Universität
  • Ludwig-Maximilians-Universität

When you are done click on the button 'Weiter' on the bottom of the page.

You will be presented with a page containing the details you have just entered, asking you to verify that everything is correct. If you want to correct something, click on the button 'Ändern'; if you are certain that all details are correct, click on the button 'Bestätigen'. You will then see a window like the one below:

[Image: CertGen]

After the process is finished a new webpage will load. Click on the button 'Zertifikatantrag anzeigen' to get a PDF form, which you will have to print and fill in. Save the form, then click on the button 'Beenden' to finish the session. You should present this form personally to the registration authority along with documents verifying your identity (passport, ID card) and affiliation (e.g. student ID). To arrange an appointment you can send an e-mail to grid-ra@lrz.de.

Shortly after you deliver the document, you will receive an e-mail confirming that your certificate was processed successfully and containing two links. The first takes you to an LRZ Grid RA webpage where you should choose to install the DFN certificates in your browser. The second link gives access to your user certificate; click on the button 'Zertifikat importieren' to import your certificate into your browser.

It is recommended to protect the private key by setting a master password in the browser. In Firefox, for example, this setting is in the Security tab of the Preferences menu. The password is asked for once the first time the certificate is used after a browser restart, and also when making a backup of the certificate from the browser.

LRZ needs to register the certificate's unique identification string and associate it with your user account.

Extracting your certificate

To extract your certificate from the browser:

Go to Firefox Preferences and select the 'Advanced' section. Then click on the 'View Certificates' button.

In the new window, select the tab named 'Your certificates'. There should be an entry with your name under the 'DFN-Verein' category as shown below:

[Image: FirefoxCert]

Select the certificate and click on the 'Backup...' button. Save the certificate in a safe folder under the name usercert.p12. You will be asked for a password for your certificate which you should not lose.

The certificate is saved according to the PKCS#12 specification, which is supported by UNICORE.

Using the certificate with Globus

For this step, open a terminal window and make sure you have installed OpenSSL, which you can get from the OpenSSL website. Go to the folder where you saved the usercert.p12 file and type the following commands.

  • To extract your certificate from the usercert.p12 file and save it to usercert.pem:
    • openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem

You will be asked for the usercert import password once (the one you provided when exporting from Firefox).

  • To extract your private key from the usercert.p12 file and save it to userkey.pem:
    • openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem

You will be asked for the usercert import password once and for the new password for the PEM private key twice.

  • Set the permissions of the generated files as follows:
    • chmod 0400 userkey.pem
    • chmod 0600 usercert.pem

The files usercert.pem and userkey.pem should be saved in the .globus directory in your home directory on a Unix machine. On a Windows machine the corresponding folder is

\Documents and Settings\{Your Username}\.globus
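As an added example (not part of the LRZ instructions), the following POSIX shell functions carry out the extraction steps above into the .globus directory and then check the result; the GLOBUS_DIR variable and the function names are my own, and openssl must be installed.

```shell
# Added example, not part of the LRZ page: install the PEM files extracted from
# usercert.p12 into the .globus directory with the permissions the page requires,
# then verify them. Assumes openssl is installed; GLOBUS_DIR may be overridden.
GLOBUS_DIR="${GLOBUS_DIR:-$HOME/.globus}"

# Same two openssl commands as on the page; both prompt for passwords interactively.
extract_p12() {
    p12="$1"
    mkdir -p "$GLOBUS_DIR" && chmod 0700 "$GLOBUS_DIR" || return 1
    openssl pkcs12 -clcerts -nokeys -in "$p12" -out "$GLOBUS_DIR/usercert.pem" || return 1
    openssl pkcs12 -nocerts -in "$p12" -out "$GLOBUS_DIR/userkey.pem" || return 1
    chmod 0400 "$GLOBUS_DIR/userkey.pem" && chmod 0600 "$GLOBUS_DIR/usercert.pem"
}

# Succeeds only when the file's octal permission bits equal $1 (GNU or BSD stat).
mode_is() {
    got=$(stat -c '%a' "$2" 2>/dev/null || stat -f '%OLp' "$2" 2>/dev/null)
    [ "$got" = "$1" ]
}

# The Globus tools refuse a private key that group or others can read, so check
# the exact modes the page prescribes before the first grid-proxy-init.
check_permissions() {
    dir="${1:-$GLOBUS_DIR}"
    mode_is 400 "$dir/userkey.pem"  || { echo "userkey.pem must be mode 0400" >&2; return 1; }
    mode_is 600 "$dir/usercert.pem" || { echo "usercert.pem must be mode 0600" >&2; return 1; }
}

# A key that does not belong to the certificate only fails later at proxy creation;
# comparing the public keys catches a mixed-up pair right away (prompts for the key password).
check_key_matches_cert() {
    dir="${1:-$GLOBUS_DIR}"
    cert_pub=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/userkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "userkey.pem does not match usercert.pem" >&2; return 1; }
    openssl x509 -in "$dir/usercert.pem" -noout -subject -enddate
}
```

Typical use after saving the file from Firefox: `extract_p12 usercert.p12 && check_permissions && check_key_matches_cert`, which also prints the subject and expiry date you will need for the next steps.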

If you use GSISSH-Term, you can authenticate not only with userkey.pem and usercert.pem but also with the .p12 file or via the browser. If you need to convert the PEM files back into a .p12 file, it can be done as follows:

openssl pkcs12 -export -inkey userkey.pem -out gsisshterm.p12 -name "Firstname Lastname" -in usercert.pem

Information on using the private key of a personal certificate

The role of the private key is to identify a person in the Grid. This means that anyone who gains access to your private key will, as far as the Grid is concerned, be identified as you. It is important to make sure that the private key is accessible only by you. On Linux systems, make sure you remove all permissions from group and other users. Do not give your private key password to other people, and make sure it does not accidentally fall into the wrong hands.

The default validity period for DFN certificates is one year. Renewal of the certificate should be done as described above. If the identification provided initially is still valid, it need not be presented at the LRZ again.

For any further questions please contact the LRZ Grid Team.

Apart from this, it is a good idea to familiarize oneself with the various PKI operations (Policies, CRLs, etc.). You can find general information about certificates and certification policies at the LRZ (Encryption, digital signatures, Certification) as well as the DFN (both in German).

LRZ MyProxy Certificate Authority

The LRZ MyProxy can issue a proxy certificate in case the user cannot obtain a grid certificate. Please visit the LRZ MyProxy page for more details and for the limits of the service.