1. Grid Access Procedure

Introduction

The procedure for accessing the IFIC computing grid infrastructures implies basically the following steps:

- Getting an account at the IFIC Computing resources GOG-IFIC
- Obtaining a personal Grid Digital Certificate.
- Registering to a Virtual Organization

1.- Getting an account at the IFIC Computing resources GOG-IFIC

After getting your AFS account, you may want to register for a GOG (Grupo de Ordenadores para Grid) account to access the computing resources of the IFIC GOG-Farm and the GRID. To do this, read first the GOG usage rules, then fill this application form and sign it; then give it to the IFIC secretariat. Once your application is accepted, you will be given access to a Grid User Interface where you can login using your AFS account and then accessing the Grid resources.

2.- Getting your Personal Grid Digital Certificate

As of 1st of May 2020, Digicert CA stopped providing user certificates for Terena and the grid community. The new contract was awarded to 'Comodo' CA which will provide host and user certificates for our users.

CSIC users

Unfortunately as of today it is still not possible to obtain user certificates, for different causes.

The current emitted certificates will be valid up to the expiration date ( 1 year at most). If your certificate has expired, please obtain a certificate from one of the CA in a institution you are registered, ie:

• CERN CA

UV users

Certificates valid for grid usage can be obtained accessing the Sectigo portal with you UV credentials.

There are several options for generating the certificates, but the most 'secure' is generating the certificate request and private key files locally, and submit it to the Sectigo portal to be signed. Follow the next instructions:

1. Create CSR (Certificate Signing Request) and private key files

Use the following script to create both files, it will ask for a "PASSWORD" that you will need later.

$ /afs/ific.uv.es/user/s/sanchezj/public/gen_CSR_UV_CERT.sh
Password para la clave privada: 
Comprobación: 
La petición de certificado está en: /afs/ific.uv.es/user/a/alferca/.globus/REQ/alferca_20200629.csr
y su correspondiente clave privada en: /afs/ific.uv.es/user/a/alferca/.globus/REQ/alferca_20200629.key

2. Access Sectigo portal

• Sectigo portal
• From the selecion box "Choose Your Institution" as "Universitat de Valencia"
• Select Certificate profile "GEANT IGTF-MICS Personal" and Private Key "UPLOAD CSR", as in following image:
  

for the Private Key "UPLOAD CSR" option, "Choose File" the .csr file that was generated in the first step, in this example:

 /afs/ific.uv.es/user/a/alferca/.globus/REQ/alferca_20200629.csr

REMEMBER TO UPLOAD CSR file, not private file that should always stay in your computer This procedure will download a file "certs.pem" that contain your valid public certificate. ( you can rename this file)

3. Copy Certificate and private Key files to GLOBUS directory

File names should match those generated:

cp ~/.globus/REQ/alferca_20200629.key  ~/globus/userkey.pem
cp  certs.pem ~/globus/usercert.pem

4. Generate P12 format to Import to Browser

Generate P12 file with correct format to import to browser. Will ask for previous password that was set in step 1.

$ openssl pkcs12 -export -out ~/.globus/user.p12 -inkey ~/.globus/userkey.pem -in ~/.globus/usercert.pem
Enter pass phrase for /afs/ific.uv.es/user/a/alferca/.globus/userkey.pem:
Enter Export Password:
Verifying - Enter Export Password:

Use this file located at "~/.globus/user.p12" to be imported within your browser.

3.- Import to Browser

You must import certificate in your browser to access services like registering to a Virtual Organization (Next Step), or any other Web Service that needs authentication.

You will need the certificate file generated in previous Step (as a .p12 file), and depending no your browser the instrutions are bit different. In Firefox enter in Preferences, and the Search for "Certificates", and the Import.

4.- Registering to a Virtual Organization (VO)

You must register to a Virtual Organization for being able to use their resources.

Even if you were already registered, with the new certificates signed by Terena/Digicert, their identification (DN) has changed so you should update your data in the corresponding Virtual Organization registration pages:

For IFIC vo: Register with the new certificate: https://swevo.ific.uv.es:8443/voms/ific/
For ATLAS VO: You can update with the new certificate at: https://lcg-voms2.cern.ch:8443/voms/atlas/
For LHCb VO: You can update with the new certificate at: https://lcg-voms2.cern.ch:8443/voms/lhcb

If you have a previously valid loaded certificate (Pkirisgrid), you can log in with that certificate and update with the new certificate (Digicert):

5.- Installing your Personal Certificate in your computer

This procedure has not changed and its valid for PkIrisgrid^? and Terena/Digicert certificates.

Once you have obtained your Personal Certificate, and want to use it with globus in order to access the Grid Computing Resources, you have to install it on your computer on the specific directory ~/.globus. Your certificate consists of two parts. A public key and a private key. It is very important that you save the private key with the adequate permissions to avoid access to it from other persons. Remember that for more security it is coded with the AFS password that you had when you applied for it. To install your certificate on your computer, complete the following instructions :

1- Backup your certificate from your browser to a temporal directory, let us say ~myusername/temp/, as follows (this example is done with Mozilla Firefox) :

Select in your browser Edit -> Preferences -> Advanced -> View Certificates Select your new certificate and click on Backup Save your certificate with a name you choose (for example "MyCertificate") into a directory of your choice, for example ~myusername/temp/. You will be asked for the password of your certificate.

2- Once you have your certificate "MyCertificate.p12" in the p12 format in your ~myusername/temp/ directory, login into a User Interface machine and execute the following script (you can do it on your PC if you have AFS as well) , from the ~myusername/temp/ directory, then follow the instructions (note: type Mycertificate without the .p12 extension) :

myhost:~/temp> /afs/ific.uv.es/user/s/sanchezj/public/p12toglobus.sh MyCertificate

This will OVERWRITE the files existing in your ~/.globus directory

3- Be sure that all has been done ok, then backup your MyCertificate^?.p12 file in a safe place and delete it from the ~myusername/temp/ directory.

If you need more help please visit the following page of PkIRISGrid ^?