The Grid user certificate proves the identity of the holder, similar to a passport. Users usually hold and need only one Grid user certificate.
The VO membership is a kind of visa to utilize Grid resources. A user can be a member of many VOs with their certificate.
If you do not have your Grid user certificate, start from section 1.
If you have already obtained your Grid user certificate but have not imported it into the browser, go to section 2.
If you have already imported your Grid user certificate into your browser but do not have belle VO membership yet, go to section 4.
1. Obtain a Grid certificate
If you have already obtained your Grid user certificate, go to section 2.
- If you are a US Belle II member, please follow the instructions here: https://confluence.desy.de/display/BI/Grid+certificates+for+US+Belle+II+members
- You need to obtain a Grid user certificate from your local certification authority (CA).
- The procedure may be different in each country. If you are not familiar with it, please ask someone who has already requested a Grid user certificate.
- Up-to-date information on the CAs of the various regions / countries world-wide can be found from the IGTF web page.
- If you cannot find the proper Grid CA in your country in the table, please contact the Belle II computing coordinator (takanori.hara_AT_kek.jp).
- The password you type in when requesting a Grid user certificate will be needed later. It is private and known only to you, so please make a note of it!
2. After you obtained a Grid user certificate
Depending on the CA, you may get your Grid user certificate in one of the following formats:
- A pair of PEM files (e.g. usercert.pem and userkey.pem)
- A PKCS12 file (e.g. MyCert.p12 or ca.cer)
- If the cert is sent to you by e-mail, copy the cert part to a file such as mycert.cer and import this into your browser
- The certificate is retrieved via the browser and is therefore then already in your web browser
In case your certificate is provided in PEM format, you need* to convert it to PKCS12 format (e.g. KEK Grid CA case)
*but you will also need it in PEM format for grid membership!
- Log in to KEKCC (work server) or another server on which you can use the "openssl" command.
- In your home directory, make a directory .globus (don't forget the full stop)
- Put the public part of your certificate (usually usercert.pem ) as ~/.globus/usercert.pem :
e.g. mv usercert.pem ~/.globus/usercert.pem
- Put the private part of the certificate (usually userkey.pem ) as ~/.globus/userkey.pem and make sure that the file is readable only by you and is read-only :
e.g. mv userkey.pem ~/.globus/userkey.pem ; chmod 400 ~/.globus/userkey.pem
- Use OpenSSL to convert the certificate from PEM to PKCS12 format
openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -out ~/usercert.p12 ; chmod 400 ~/usercert.p12
- Follow section 3 to load the PKCS12 file into your web browser
In case your certificate is provided in PKCS12 format, follow section 3 to load it into your web browser
In case your certificate is already installed in your browser, follow section 4 to get your belle VO membership.
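A pre-flight check for the PEM case above, as an added example that is not part of the original page: it confirms that userkey.pem is private to you, that it belongs to usercert.pem, and that the certificate has not expired, then prints the DN. The function names and the GLOBUS_DIR variable are assumptions made for this example; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: sanity checks on the PEM pair before the PKCS12 export.
# GLOBUS_DIR is a hypothetical override; the page itself uses ~/.globus.

# True if group and others have no permission bits on the file (e.g. mode 400).
key_mode_ok() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# True if certificate and private key carry the same public key.
# An encrypted userkey.pem makes openssl prompt for its passphrase here.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is still valid N days from now (default 0).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-0} * 86400 ))" >/dev/null
}

# Print the subject DN, the name your VO registration is tied to.
cert_dn() {
    openssl x509 -in "$1" -noout -subject
}

# Run all checks on a directory; print the DN only if everything passed.
check_globus_dir() {
    dir=$1; rc=0
    key_mode_ok "$dir/userkey.pem" ||
        { echo "userkey.pem is accessible to group/others: chmod 400 it"; rc=1; }
    pair_matches "$dir/usercert.pem" "$dir/userkey.pem" ||
        { echo "usercert.pem and userkey.pem are not a matching pair"; rc=1; }
    cert_valid_for "$dir/usercert.pem" 0 ||
        { echo "usercert.pem has expired"; rc=1; }
    [ "$rc" -eq 0 ] && cert_dn "$dir/usercert.pem"
    return "$rc"
}

# Check the real directory only when a certificate is actually there.
GLOBUS_DIR=${GLOBUS_DIR:-$HOME/.globus}
if [ -f "$GLOBUS_DIR/usercert.pem" ]; then
    check_globus_dir "$GLOBUS_DIR"
fi
```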
3. Load your certificate into the web browser
If you already have your certificate loaded into your web browser, you can skip this section.
You need to load your grid user certificate into your web browser if it is obtained in a file format and not automatically loaded onto the browser.
Now that you have your certificate in PKCS12 (.p12) format, you can import it into your web browser. The way to import it depends on the browser. This page can help you.
If you get your certificate from KEK GRID CA, please follow these instructions.
Some further information on how to work with certificates can be found, for example, here.
4. Get the belle VO (Virtual Organization) membership
First, make your browser trust the KEK GRID CA:
- download the KEK GRID CA certificate file from KEK-Grid-CA.cer.
- Import the downloaded file KEK-Grid-CA.cer to your Web browser as a "Certificate Authority".
- The procedure is very similar to loading your PKCS12 certificate, but select "Authorities" instead of "Your Certificates".
- Check the expiration date of the KEK GRID CA certificate installed on the browser. It should be 2025/11/25.
Then, go to the VOMS page: https://voms.cc.kek.jp:8443/voms/belle (NOT 'belle2.org')
- If you are new to VOMS, you should see the registration page
- Click Registration (Phase I) and fill out the form.
- You will receive an email - click the confirmation link.
- Fill out and submit the Phase II form.
- Your request will be approved by an administrator & you will receive an email.
- If you have already been registered in the belle VO in the past with the same Distinguished Name (DN), you should see your registered information.
- If your DN has changed with your new certificate, then you should:
- first use the old certificate to visit the VOMS page, and add your new DN by clicking the button "Request new certificate".
- inform the DIRAC admin that your DN was replaced (find the instructions here (red letter): Computing GettingStarted#6.FindyourDistinguishedName(DN))
If you cannot connect to the VOMS page, check if you can connect to http://voms.cc.kek.jp
If you cannot connect to the VOMS page with some security error (e.g. "Secure Connection Failed"), please verify that the KEK GRID CA certificate is installed in your browser as a Certificate Authority, and that its expiration date is 2025/11/25. If you need more help, you can get more information from the computing coordinator (takanori.hara_AT_kek.jp).
- Unfortunately there is a VO 'belle2.org' which is obsolete. Please do NOT register with the VO 'belle2.org' but with 'belle' at https://voms.cc.kek.jp:8443/voms/belle .
- Errors such as "SSL_ERROR_HANDSHAKE_FAILURE_ALERT" indicate missing certificates in your browser. Please make sure that you have a valid Grid user certificate in your browser:
- Firefox: Preferences / Advanced / Certificates / View Certificates / Your Certificate