r9 - 29 Jun 2020 - 11:16:22 - AlvaroFernandezYou are here: TWiki >  ECiencia Web  > GridAccessProcedure
  1. Grid Access Procedure

Introduction

The procedure for accessing the IFIC computing grid infrastructures implies basically the following steps:


- Getting an account at the IFIC Computing resources GOG-IFIC
- Obtaining a personal Grid Digital Certificate.
- Registering to a Virtual Organization

1.- Getting an account at the IFIC Computing resources GOG-IFIC

After getting your AFS account, you may want to register for a GOG (Grupo de Ordenadores para Grid) account to access the computing resources of the IFIC GOG-Farm and the GRID. To do this, read first the GOG usage rules, then fill this application form and sign it; then give it to the IFIC secretariat. Once your application is accepted, you will be given access to a Grid User Interface where you can login using your AFS account and then accessing the Grid resources.

2.- Getting your Personal Grid Digital Certificate

As of 1st of May 2020, Digicert CA stopped providing user certificates for Terena and the grid community. The new contract was awarded to 'Comodo' CA which will provide host and user certificates for our users.

CSIC users

Unfortunately as of today it is still not possible to obtain user certificates, for different causes.

The current emitted certificates will be valid up to the expiration date ( 1 year at most). If your certificate has expired, please obtain a certificate from one of the CA in a institution you are registered, ie:

UV users

Certificates valid for grid usage can be obtained accessing the Sectigo portal with you UV credentials.

There are several options for generating the certificates, but the most 'secure' is generating the certificate request and private key files locally, and submit it to the Sectigo portal to be signed. Follow the next instructions:

1. Create CSR (Certificate Signing Request) and private key files

Use the following script to create both files, it will ask for a "PASSWORD" that you will need later.

$ /afs/ific.uv.es/user/s/sanchezj/public/gen_CSR_UV_CERT.sh
Password para la clave privada: 
Comprobación: 
La petición de certificado está en: /afs/ific.uv.es/user/a/alferca/.globus/REQ/alferca_20200629.csr
y su correspondiente clave privada en: /afs/ific.uv.es/user/a/alferca/.globus/REQ/alferca_20200629.key
2. Access Sectigo portal
  • Sectigo portal
  • From the selecion box "Choose Your Institution" as "Universitat de Valencia"
  • Select Certificate profile "GEANT IGTF-MICS Personal" and Private Key "UPLOAD CSR", as in following image:
    Screenshot_2020-06-29_Sectigo_-_Web_Security_Company(2).png
for the Private Key "UPLOAD CSR" option, "Choose File" the .csr file that was generated in the first step, in this example:
 /afs/ific.uv.es/user/a/alferca/.globus/REQ/alferca_20200629.csr
REMEMBER TO UPLOAD CSR file, not private file that should always stay in your computer This procedure will download a file "certs.pem" that contain your valid public certificate. ( you can rename this file)

3. Copy Certificate and private Key files to GLOBUS directory

File names should match those generated:

cp ~/.globus/REQ/alferca_20200629.key  ~/globus/userkey.pem
cp  certs.pem ~/globus/usercert.pem

4. Import to Browser

Generate P12 file with correct format to import to browser. Will ask for previous password that was set in step 1.

$ openssl pkcs12 -export -out ~/.globus/user.p12 -inkey ~/.globus/userkey.pem -in ~/.globus/usercert.pem
Enter pass phrase for /afs/ific.uv.es/user/a/alferca/.globus/userkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
Use this file located at "~/.globus/user.p12" to be imported within your browser.

3.- Registering to a Virtual Organization (VO)

You must register to a Virtual Organization for being able to use their resources.

Even if you were already registered, with the new certificates signed by Terena/Digicert, their identification (DN) has changed so you should update your data in the corresponding Virtual Organization registration pages:


For IFIC vo: Register with the new certificate: https://swevo.ific.uv.es:8443/voms/ific/
For ATLAS VO: You can update with the new certificate at: https://lcg-voms2.cern.ch:8443/voms/atlas/
For LHCb VO: You can update with the new certificate at: https://lcg-voms2.cern.ch:8443/voms/lhcb

If you have a previously valid loaded certificate (Pkirisgrid), you can log in with that certificate and update with the new certificate (Digicert):

VO_multiple_certs.png

4.- Installing your Personal Certificate in your computer

This procedure has not changed and its valid for PkIrisgrid? and Terena/Digicert certificates.

Once you have obtained your Personal Certificate, and want to use it with globus in order to access the Grid Computing Resources, you have to install it on your computer on the specific directory ~/.globus. Your certificate consists of two parts. A public key and a private key. It is very important that you save the private key with the adequate permissions to avoid access to it from other persons. Remember that for more security it is coded with the AFS password that you had when you applied for it. To install your certificate on your computer, complete the following instructions :

1- Backup your certificate from your browser to a temporal directory, let us say ~myusername/temp/, as follows (this example is done with Mozilla Firefox) :

Select in your browser Edit -> Preferences -> Advanced -> View Certificates Select your new certificate and click on Backup Save your certificate with a name you choose (for example "MyCertificate") into a directory of your choice, for example ~myusername/temp/. You will be asked for the password of your certificate.

2- Once you have your certificate "MyCertificate.p12" in the p12 format in your ~myusername/temp/ directory, login into a User Interface machine and execute the following script (you can do it on your PC if you have AFS as well) , from the ~myusername/temp/ directory, then follow the instructions (note: type Mycertificate without the .p12 extension) :

myhost:~/temp> /afs/ific.uv.es/user/s/sanchezj/public/p12toglobus.sh MyCertificate

This will OVERWRITE the files existing in your ~/.globus directory

3- Be sure that all has been done ok, then backup your MyCertificate?.p12 file in a safe place and delete it from the ~myusername/temp/ directory.

If you need more help please visit the following page of PkIRISGrid ?


toggleopenShow attachmentstogglecloseHide attachments
Topic attachments
I Attachment Action Size Date Who Comment
pngpng ventana1.png manage 34.0 K 07 Mar 2017 - 17:54 AlvaroFernandez Select your identity provider, writing: "CSIC - Consejo Superior de Investigaciones Cientificas"
pngpng ventana2.png manage 169.8 K 07 Mar 2017 - 17:55 AlvaroFernandez Authenticate with your CSIC credentials
pngpng ventana3.png manage 52.5 K 07 Mar 2017 - 17:58 AlvaroFernandez Request a Certificate selecting the "Grid Premium" product.
pngpng ventana4.png manage 91.4 K 07 Mar 2017 - 18:12 AlvaroFernandez You will receive an email with a temporary link. Visiting that link, your certificate will be generated and saved in the browser.
pngpng VO_multiple_certs.png manage 28.4 K 13 Mar 2017 - 11:41 AlvaroFernandez ultiple certificates with the same VirtualOrganization? account
pngpng Screenshot_2020-06-29_Sectigo_-_Web_Security_Company(2).png manage 57.1 K 29 Jun 2020 - 10:28 AlvaroFernandez Sectigo webportal
Edit | WYSIWYG | Attach | PDF | Raw View | Backlinks: Web, All Webs | History: r9 < r8 < r7 < r6 < r5 | More topic actions
 
Powered by TWiki
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback