Grid : Grid User Certificates Old


This page is OBSOLETE. Please visit Grid User Certificates New.



The GridKa CA at KIT in Karlsruhe will cease operation on 11 June 2023. Therefore a new CA was established. Please see Grid User Certificates New.


News

2022

The GridKa CA ceases operation on 11 June 2023. From May 2022 on, the lifetime of Grid user certificates will be shortened to less than 13 months. The German HEP community is looking for a CA successor!

2021

Always use Firefox to request certificates. We regularly see problems with other browsers. GridKa provides help to save the private key!

2020

GridKa states:

"Please be aware that from now on GridKa-CA certificates will be issued only on Monday, Wednesday and Friday afternoon."

Application is possible any time!


See also GridKa News and GridKa FAQ.


Note

Contact: grid-ra@desy.de

Please consult the help on saving the private key of your request, as this is the main source of problems. If you cannot see your private key in your browser after sending the request, contact us immediately. We will then remove your (invalid) request to allow for a new one.

The Grid user certificate request procedure stores the private key (which YOU AND ONLY YOU possess) in the internal database of your browser. The private key MUST NOT get lost, because it cannot be recovered.

Please make sure that your Firefox browser is NOT UPDATED or reinstalled during the request/retrieval procedure!

Please NEVER ever spawn a SECOND request in the GridKa portal unless you are asked to do so!

Every new request generates work at GridKa because every single certificate request must be processed manually at a secure computer outside any network.

The DESY RA can be reached via grid-ra@desy.de.


Introduction

In order to access global Grid resources, users must hold a valid personal Grid user certificate (authentication) AND users must be members of a Virtual Organization (VO) (authorization).
A valid Grid user certificate is a prerequisite for requesting membership in a VO. Users usually have one Grid user certificate. Membership in multiple VOs is possible.

A Grid user certificate (X.509 format) consists of a private key, protected by a passphrase, and a public key certified by the CA. The private key and the passphrase are possessed exclusively by the user and are NOT known to the Registration Authority (RA) or the Certification Authority (CA) at any stage.

A certificate is valid for one (1) year and can be renewed. Users are notified by the CA via email three (3) weeks before the expiration date. It is strongly recommended to renew the certificate before it expires.

The certificate can/should be copied to all devices/browsers which need it.

The most frequent user issues with requests are:

  1. Non-DESY users choose DESY rather than their home institution.
  2. The paper-based DESY IDENTIFICATION FORM has not been handed in yet (NOT needed for renewals of certificates).
  3. A non-working browser is used (Konqueror and Microsoft Edge are NOT supported).
  4. The browser which was used for requesting the certificate is not the one used for retrieving the issued certificate.

A Grid user certificate can be seen as an analogy to a passport, whereas the VO membership compares to a visa.

If you have problems obtaining a proxy via 'voms-proxy-init', inspect your certificate as described at the bottom of this page.


Authorities

In Germany, Grid user certificates are issued by the GermanGrid Certification Authority (CA) at GridKa in Karlsruhe. The GridKa CA is part of the International Grid Trust Federation (IGTF); hence Grid user certificates are accepted by all Grid sites in WLCG. In order to facilitate the request procedure, many institutions in Germany operate Registration Authorities (RA) which take over the necessary paperwork on behalf of the CA.

According to the GridKa policy, a user must be a member (e.g. employee) of, and located at, the institute or university from which they request a Grid user certificate (via its RA). This is necessary to contact users in case of security issues and to prove identity. This applies to renewals as well. If the user changes group, institute or university, the new RA is in charge of approving certificates.

In the past the DESY RA also approved Grid user certificate requests for guest scientists permanently located at DESY, because their home institutions/countries did not have CAs. Since all institutions/countries now have CAs, please refer to the International Grid Trust Federation (IGTF) to find the CA responsible for your home institution.

Non-DESY users in Germany might find their responsible RA in the RA List of GridKa.

Users with non-German home institutions refer to IGTF.


Procedure

Step 0: Prerequisites (New request and renewal)

  • You must be a member (registered employee with a DESY email address) of DESY, the University of Hamburg (Campus Bahrenfeld), or the European XFEL. The support staff will check the DESY Identity and Access Management (IAM) system for your name.
  • If this does not apply to you, please request the certificate from your home institute; this holds for students as well! The following procedure then does not apply to you.

Step 1: Paperwork at DESY (First request only)

For the FIRST certificate request at DESY ONLY!: We have to know you and your identity! Therefore you need to:

  • Fill in the DESY IDENTIFICATION FORM and have it signed by your DESY group supervisor.
  • (Only if you have changed your home institute or group - even within DESY, or from DESY to U Hamburg or XFEL or vice versa - do we need a new ID form!)
  • Send the form or hand it in personally (not by email) to UCO.
  • You will NOT be notified of the arrival of the form, so immediately proceed to the next step.

Step 2: Electronic certificate request (First request and renewal)

This step is done electronically via browser, both for the first certificate request and for any subsequent renewals. For your name, please do not use capital letters only.

  • Note: The procedure below has proven to work for many recent browsers. Konqueror and Microsoft Edge are NOT supported.
  • Go to the GridKa CERT REQUEST PAGE.
  • Make sure to fill in your DESY email address (see example below).
  • Make sure to fill in the right institute (Organization: DESY, U Hamburg or XFEL).

Final steps (First request and renewal)

  • Once we have confirmed your identity (first request only) and you have requested a certificate from GridKa, the DESY Registration Authority will either accept or reject this request. You will be notified by email about the approval or rejection of your request. No action from your side is required at that point.
  • Once the DESY Registration Authority has accepted the request, the Certification Authority (CA) at GridKa will proceed and sign your certificate request. You will then be contacted once your certificate is ready for retrieval.
  • Follow the instructions contained in your notification email. Note: Use the same browser that was used for the certificate request.
  • You can now use the certificate to authenticate against web servers. For job submission or data management, you must convert your certificate and store it under the $HOME/.globus/ directory. Consult the GridKa help page [ in German / in English ], especially Exporting certificates from your browser and Converting certificates and keys.

Please use a DESY email address (first.last@desy.de)!

Please use a recent browser. Konqueror and Microsoft Edge are NOT supported. See GridKa FAQ.

Please do NOT send copies of your passport and/or ID card around.
Identification of users is carried out by the group admins, who authorize requests of their group members by checking ID cards and noting the last digits of the ID number on the registration form (see below).

Please do not issue a second certificate request in the GridKa portal unless you are asked to do so, e.g. because your request is erroneous.

When you renew your certificate, please make sure you choose the same DN, as the current one is probably already registered with a VO. A changed DN requires re-registering with the VO(s).

Links


Robot Certificates

For some special cases, such as regularly running services which need authentication/authorization through proxies, a so-called robot certificate can be used. This is clearly a non-standard case for experts only!

Robot certificates can be requested by a user via the GridKa portal under 'Host/ Service/ Robot Zertifikate' (host/service/robot certificates). Make sure they contain the word 'Robot' in the CN, e.g.:

/C=DE/O=GermanGrid/OU=DESY/CN=Robot: blablabla



Technicalities

Technically, a new private/public key pair is created with every renewal; the renewed certificate therefore never shares a key with the old one.

Finding certificates in Firefox browser

Preferences -> Privacy & Security -> Certificates -> View Certificates -> Your Certificates (-> Backup)

Inspecting Grid user certificates

Please make sure your certificate (usercert.pem) and private key (userkey.pem):

  • are in the correct directory (~/.globus/),
  • have the correct permissions (the key must be readable by you only),
  • show your DN,
  • are valid (not expired),
  • match each other (the modulus hashes below are identical),
  • and that you remember the passphrase.


 > cd ~/.globus

 > ls -l ~/.globus
-r--r--r-- 1 xxx yyy  1728  8. Apr 09:36 usercert.pem
-r-------- 1 xxx yyy  2012  8. Apr 09:36 userkey.pem

 > openssl x509 -subject -issuer -dates -noout -in usercert.pem
subject= /C=DE/O=GermanGrid/OU=DESY/CN=NNNN
issuer= /C=DE/O=GermanGrid/CN=GridKa-CA
notBefore=Mar 29 16:32:00 2019 GMT
notAfter=Apr 27 16:32:00 2020 GMT

 > openssl x509 -noout -modulus -in usercert.pem | openssl md5
 > openssl rsa -noout -modulus -in userkey.pem | openssl md5

The two hash values must be identical; otherwise the key does not belong to the certificate.
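As an added example (not code from this page or from GridKa's help pages), the following POSIX shell functions do the conversion referred to under "Final steps" and the checks listed above in one go: grid_convert_p12 extracts usercert.pem and userkey.pem from the browser export usercert.p12 into ~/.globus/ with the permissions shown above, and grid_check_cert runs the inspection (directory, permissions, DN, validity, key/certificate match). The function names and the environment variables GRID_P12_PASS (the export password of the .p12) and GRID_KEY_PASS (the passphrase for userkey.pem) are assumptions of this example; if they are not exported, openssl prompts for the passwords instead. The match test compares the public keys rather than the RSA moduli, so it also works for non-RSA keys.

```shell
#!/bin/sh
# Added example, not GridKa/DESY code. Converts the browser export
# usercert.p12 into ~/.globus/usercert.pem + userkey.pem and checks them.
# Assumed conventions (not from the page): passwords come from the exported
# environment variables GRID_P12_PASS (export password of the .p12) and
# GRID_KEY_PASS (passphrase for userkey.pem); if unset, openssl prompts.

# grid_convert_p12 <usercert.p12> [target dir, default ~/.globus]
grid_convert_p12() {
    p12=$1
    gdir=${2:-"$HOME/.globus"}
    [ -f "$p12" ] || { echo "no such file: $p12" >&2; return 1; }
    # never silently overwrite an existing key: it may be the only copy
    if [ -e "$gdir/userkey.pem" ] || [ -e "$gdir/usercert.pem" ]; then
        echo "refusing to overwrite files in $gdir; move them away first" >&2
        return 1
    fi
    mkdir -p "$gdir" && chmod 700 "$gdir" || return 1
    pin=""; pout=""
    if [ -n "${GRID_P12_PASS:-}" ]; then pin="-passin env:GRID_P12_PASS"; fi
    if [ -n "${GRID_KEY_PASS:-}" ]; then pout="-passout env:GRID_KEY_PASS"; fi
    # certificate only: -clcerts drops the CA chain, -nokeys drops the key
    openssl pkcs12 -in "$p12" -clcerts -nokeys $pin -out "$gdir/usercert.pem" || return 1
    # key only, written encrypted (no -nodes!) and created with mode 0600
    ( umask 077 && openssl pkcs12 -in "$p12" -nocerts $pin $pout -out "$gdir/userkey.pem" ) || return 1
    chmod 444 "$gdir/usercert.pem" && chmod 400 "$gdir/userkey.pem"
}

# grid_check_cert [dir, default ~/.globus]; returns 0 only if every check passes
grid_check_cert() {
    gdir=${1:-"$HOME/.globus"}
    gcert="$gdir/usercert.pem"
    gkey="$gdir/userkey.pem"
    gstatus=0
    # 1. both files present in the expected directory
    for f in "$gcert" "$gkey"; do
        if [ ! -f "$f" ]; then echo "MISSING: $f"; return 1; fi
    done
    # 2. permissions: group/other bits of the key (ls columns 5-10) must be empty
    if [ "$(ls -ld "$gkey" | cut -c5-10)" != "------" ]; then
        echo "BAD PERMISSIONS: $gkey must be mode 0400 (or 0600)"; gstatus=1
    fi
    # 3. DN and validity window; 1814400 s = the 3 weeks the CA warns ahead
    openssl x509 -subject -issuer -dates -noout -in "$gcert" || return 1
    if ! openssl x509 -checkend 0 -noout -in "$gcert" >/dev/null; then
        echo "EXPIRED: $gcert"; gstatus=1
    elif ! openssl x509 -checkend 1814400 -noout -in "$gcert" >/dev/null; then
        echo "WARNING: certificate expires within 3 weeks; renew it now"
    fi
    # 4. key matches certificate: compare the public key carried by each
    kp=""
    if [ -n "${GRID_KEY_PASS:-}" ]; then kp="-passin env:GRID_KEY_PASS"; fi
    certpub=$(openssl x509 -in "$gcert" -noout -pubkey | openssl md5)
    keypub=$(openssl pkey -in "$gkey" -pubout $kp | openssl md5) \
        || { echo "CANNOT READ KEY (wrong passphrase?): $gkey"; return 1; }
    if [ "$certpub" != "$keypub" ]; then
        echo "MISMATCH: $gkey does not belong to $gcert"; gstatus=1
    fi
    return $gstatus
}
```

Run grid_convert_p12 once on the host where you exported usercert.p12 and grid_check_cert on every host you use Grid commands on. Two caveats: a .p12 written by an old Firefox may use legacy (RC2/3DES) encryption that OpenSSL 3 only reads with the additional `-legacy` option of `openssl pkcs12`, and passing passwords through the environment makes them visible to other processes of the same user on some systems, so the interactive prompt is the safer choice on shared machines.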

The private key is created by the browser when the request is issued on the GridKa portal page and is therefore stored in that particular browser. Hence the issued certificate must be retrieved from GridKa with the same browser that was used for the request.

Lost private/public keys or a lost passphrase can NOT be recovered by any means by the CA or RA.

It is the 'usercert.p12' (the browser export, containing certificate and private key) which you distribute to your browsers of choice, even on other hosts.

The two extracted '~/.globus/user*.pem' files must be present on all hosts you use Grid commands on!

Known issues

  • Make sure to export the certificate from the browser you requested and retrieved it with as 'usercert.p12'.
  • Make sure you remember the passphrase for the key and for the export.
  • Make sure you have 'usercert.pem' and 'userkey.pem' in the directory ~/.globus/
  • Make sure the access permissions of 'usercert.pem' and 'userkey.pem' are correct.
  • We found that a certificate did not work with 'voms-proxy-init' although everything had been checked. Only a fresh extraction from the exported certificate 'usercert.p12' helped.

Special Cases

In very rare cases users may need a second Grid user certificate, e.g. for test and/or development purposes:

  • Use a separate browser without your first certificate!
  • The request procedure is similar. In the request form edit the name (CN=), e.g. by adding a number.
  • Inform the DESY RA (grid-ra@desy.de) about your special case.
  • After retrieving your second certificate, export it to 'usercert2.p12' and generate 'usercert2.pem' and 'userkey2.pem' in '~/.globus/'.
  • The voms/dirac proxy generation should then be done using 'usercert2.pem' and 'userkey2.pem'.


