users:taarre:cert

Differences

This shows you the differences between two versions of the page.

users:taarre:cert [2014/05/06 18:57] taarreusers:taarre:cert [2019/10/24 17:18] (current) – [Installation of the certificate] iwn
Line 1: Line 1:
-====== Installation of the certificate ======+====== Getting a GRID certificate ====== 
 + 
 +==== Getting a Grid certificate ==== 
 +Follow the steps at [[https://twiki.cern.ch/twiki/bin/view/Main/CRABPrerequisitesGRIDCredentials|CRABPrerequisitesGRIDCredentials]] to get your certificate. To import the certificate to your Mac follow [[https://www.racf.bnl.gov/docs/howto/grid/osxcertmgmt|these guidelines]] (Another installation guide can be found at 
 +[[https://twiki.cern.ch/twiki/bin/viewauth/CMS/DQMGUIGridCertificate|Grid Certificate installation instructions ]]).\\ 
 + 
 +==== Getting a new Grid certificate when having an old one ==== 
 +  * Request new certificate [[https://gridca.cern.ch/gridca/user/Request.aspx| here]] (using Firefox) 
 +  * Install it in your browser with the link you get 
 +  * Backup by Preferences-->Advanced-->View certificates-->Backup. Save .p12 file in your home directory (see under, "Installation of the certificate). If you have an old from before don't delete it, but save the new one under a different name. 
 +  * If you have an existing cert+key pair in your .globus/ folder, rename the old ones as eg. userkey.pem_old and keep in the globus folder  
 +  * After having extracted cert+key, remember to copy your new certificates to where you need then (PSI, lxplus, private computer...) by copying the .globus/ folder. Remember to set the permissions again and rename the old .globus/ folder before copying the new one! 
 +  * To register the new certificate with the CMS vo registration, you need to use your old certificate in the browser. To use the old certificate you might need to do Preferences-->Privacy-->Clear History and Preferences-->Advanced--> Tick "Ask me everytime" for what do do when a server asks for your certificate. Close and reopen your browser and go to the [[https://lcg-voms.cern.ch:8443/vo/cms/vomrs?path=/RootNode | cms VO registration]]. When asked what certificate to use in the pop-up window, choose your old one. 
 +  * At [[https://lcg-voms.cern.ch:8443/vo/cms/vomrs?path=/RootNode | cms VO registration]], go to Member Info-->Certificates-->Add Certificate. You can get the new DN by doing voms-proxy-info at lxplus. 
 +  * Once the new certificate is approved, you can make it your primary certificate by going to Member Info-->Certificates-->Change Primary Certificate 
 + 
 + 
 +==== Installation of the certificate ====
  
 After the successful application, the certificate has to be installed in the user's home directory following these instructions: After the successful application, the certificate has to be installed in the user's home directory following these instructions:
-  - Export or 'backup' the certificate from the browser used for the application. The interface for this varies from browser to browser. The exported file will probably have the extension .p12 or .pfx. Guard this file carefully. Store it off your computer, or remove it once you are finished with this process. + 
-  Copy the file to the user's home directory. +Export or 'backup' the certificate from the browser used for the application. The interface for this varies from browser to browser. The exported file will probably have the extension .p12 or .pfx. Guard this file carefully. Store it off your computer, or remove it once you are finished with this process. 
-  Create a directory in the user's home directory:mkdir $HOME/.globus + 
-  -  +Copy the file to the user's home directory. 
-  - Extract the certificate creating a public and a private key file replacing YourCert.p12 with the filename chosen during step 1:openssl pkcs12 -in YourCert.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem + 
-  openssl pkcs12 -in YourCert.p12 -nocerts -out $HOME/.globus/userkey.pem +Create a directory in the user's home directory 
-  - 
The user will be asked to define a passphrase during this step. This passphrase has to be entered every time a proxy is created from the certificate. For security reasons, an empty passphrase is not adviseable. +  mkdir $HOME/.globus 
-  Set the access mode on your userkey.pem and usercert.pem files:chmod 400 $HOME/.globus/userkey.pem +Extract the certificate creating a public and a private key file replacing YourCert.p12 with the filename chosen during step 1: 
-  chmod 600 $HOME/.globus/usercert.pem +  openssl pkcs12 -in YourCert.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem 
-  -  +  openssl pkcs12 -in YourCert.p12 -nocerts -out $HOME/.globus/userkey.pem 
-  - Further protection of the $HOME/.globus directory is necessary to prevent everyone except the user to enter this directory:chmod go-rx $HOME/.globus +The user will be asked to define a passphrase during this step. This passphrase has to be entered every time a proxy is created from the certificate. For security reasons, an empty passphrase is not adviseable. 
-  -  + 
-  - If the $HOME/.globus directory holding the certificate resides in an afs home-directory, the directory has to be secured using afs-tools in addition to set the normal unix file access permissions:fs setacl -dir $HOME/.globus -acl system:anyuser l\\ +Set the access mode on your userkey.pem and usercert.pem files 
-The user's GRID certificate (usercert.pem and userkey.pem) can be copied to every other machine to access the GRID by transporting the$HOME/.globus directory. The security measures described above have to be repeated.\\ +  chmod 400 $HOME/.globus/userkey.pem  
-[[https://twiki.cern.ch/twiki/bin/view/Main/CRABPrerequisitesGRIDCredentials|CRABPrerequisitesGRIDCredentials]]+  chmod 600 $HOME/.globus/usercert.pem 
 +Further protection of the ''$HOME/.globus'' directory is necessary to prevent everyone except the user to enter this directory: 
 +  chmod go-rx $HOME/.globus 
 +If the ''$HOME/.globus'' directory holding the certificate resides in an afs home-directory, the directory has to be secured using afs-tools in addition to set the normal unix file access permissions 
 +  fs setacl -dir $HOME/.globus -acl system:anyuser l 
 +The user's GRID certificate (usercert.pem and userkey.pem) can be copied to every other machine to access the GRID by transporting the ''$HOME/.globus'' directory. The security measures described above have to be repeated.
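
Review bot: In the "Installation of the certificate" steps the private key is extracted to $HOME/.globus/userkey.pem before the directory is locked down: "chmod go-rx $HOME/.globus" and "fs setacl -dir $HOME/.globus -acl system:anyuser l" only come after the two openssl pkcs12 commands, so depending on the umask the key may be readable by other users until the later chmod steps run, and on AFS the directory ACL, not the file mode bits for group and other, is what keeps other users out. Suggest moving the directory chmod and the fs setacl line to directly after "mkdir $HOME/.globus", ahead of the extraction. Two documentation points in the same hunk: the added text drops the numbered list but still says "the filename chosen during step 1", which no longer resolves to anything, and the new bullet that tells the reader to save the .p12 file in the home directory should point at the existing advice to store that file off the computer or remove it once the process is finished.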
users/taarre/cert.1399395429.txt.gz · Last modified: 2014/05/06 18:57 by taarre