Certificate User Guide

Introduction

The middleware used by the high-throughput computing service (HTC, also known as the computing grid) of the SCIGNE platform is based on the Globus toolkit, which uses X.509 certificates for authentication. The certificate simplifies the use of the different components of the world-wide computing grid (single sign-on) and makes that use more secure.

This document describes how to obtain and manage a certificate for using grid resources, whether on the SCIGNE platform or on the EGI and WLCG infrastructures.

Digital certificates

A digital certificate is like a digital ID card. It makes it possible:

  • to indicate the nature of the certificate owner (user, service or machine) and the validity period of the information it contains;
  • to authenticate and obtain a certain number of privileges on a set of grid services;
  • to ensure the confidentiality of exchanges through the encryption of data;
  • to ensure the non-repudiation and integrity of the data through the digital signature.

The certificate is issued by a certification authority that acts as a trusted third party. For staff from French institutions (CEA, CNRS, INRAE, INRIA, INSERM, Universities, …), the certificates are issued by the Key Management Infrastructure (IGC) hosted by the French Ministry of National Education, through a service administered by RENATER.

Obtaining a certificate

To obtain a certificate that can be used with the high-throughput computing service, two steps are necessary. First, you have to request a certificate from the certification authority, and then you must register the issued certificate with the vo.grand-est.fr virtual organization (VO) (or with vo.sbg.in2p3.fr for IPHC members).

Request for a certificate

The certificate application requires six steps. Please note that you should use the Firefox 68 ESR browser to perform these steps, as most other browsers are not supported by the certificate platform. It can be downloaded from the Mozilla FTP site.

  1. Check the instructions for obtaining a GRID-FR certificate. This documentation is only available in French; please contact us if you need help going through it.
  2. Retrieve the certificate of the certification authority (CA) so that it is trusted by your browser when connecting to the GRID-FR CA website. Browsers do not include the GRID2-FR CA certificates by default. You must load them manually and tell your browser that they are trusted.
  3. Request a user certificate via the Request a Certificate tab, by filling out the online form. People from CNRS laboratories (UMR, …) must make their request by filling in their email address. If it is your first request, contact the support team of the SCIGNE platform to assist you.
  4. Once the request is made, you will receive a confirmation request by email. It is necessary to confirm your request by replying to this email.
  5. Once your application is confirmed, it will be validated by the registration authority. You will receive an email message informing you of this validation, the creation of your certificate and the steps to follow to retrieve it.
  6. Retrieve and save your certificate by following the procedure described in the Certificate management with Firefox section. Please note that you must use the same browser to retrieve your certificate as the one used to make the request.

Registration with a regional VO

In order to perform computations on the SCIGNE HTC service, it is necessary to register your certificate with the vo.grand-est.fr VO by going to the registration page. Registering with the VO will give you a set of rights on the regional computing grid. Once the form is completed, you will receive an email message asking you to confirm your request. It is important to reply to this message in order to be able to join the regional VO.

For IPHC users, the vo.sbg.in2p3.fr VO is also available. To register for this VO, go to the registration page of this VO.

Once your application is validated, you can use your certificate to access the regional computing grid and perform calculations.

Registration with other VOs

Other VOs are available and give access to larger computing and storage resources. Do not hesitate to contact the SCIGNE support team for more information on how to access them.

You will find below the list of supported VOs and the link to register:

The global list of existing VOs is available on the Operation Portal. If you would like the platform to support other VOs, please feel free to contact the SCIGNE team!

Certificate renewal

Each year, you will receive an email inviting you to renew your certificate, two months before its expiration. This is done by logging on to the site indicated in the message. The renewed certificate does not need to be re-registered with the regional VO.

Certificate management with Firefox

The certificate is used with your browser to access secure sites. This section describes how to import and export certificates with Firefox 68 ESR. More recent versions of Firefox and other browsers (e.g. Safari, Chrome) are unfortunately not supported. Saving the certificate is important so that you can retrieve it if you need to reinstall your browser, or if you want to use it with other software (tools to access the HTC service, email client, etc.).

Import a certificate

To import your digital certificate into Firefox, follow these steps:

  1. Go to the main menu and select Edit > Settings.
  2. Select the Privacy and Security tab and then, in the Security section, the View Certificates… button.
  3. In the Your Certificates tab, click on the Import… button.
  4. A new window will show up and let you select a file to import. Once you have selected the file containing your certificate, a dialog box will ask for the password that protects the certificate file, and another window will ask for your Firefox primary password.
  5. Once all the previous steps have been completed successfully, the certificate appears in the certificate list.

Export a certificate

To export a certificate from Firefox, follow the steps below:

  1. Go to the Edit > Settings menu entry and select Privacy and Security > View Certificates….
  2. In the Your Certificates tab, select the certificate you want to export, and click on the Backup… button.
  3. Firefox will ask you for the file name under which to back up your certificate. It will be stored in the PKCS12 file format (.p12 extension).
  4. A dialog box will open and ask you for your primary password, and then twice for the password that will be used to encrypt your certificate. Make sure that this password is strong enough and is stored in a secure location.
  5. Once the passwords are validated, Firefox will save your certificate at the given path.

Certificate management with the command line

The tools used to access the HTC service (job and storage management) require a valid certificate in X.509 format. This certificate is composed of two files placed in the $HOME/.globus directory:

  • userkey.pem – the private key
  • usercert.pem – the certificate (which contains the public key)

These files are generated with the openssl command from the PKCS12 file that has been backed up from Firefox. In the following example, the backed-up certificate is named cert.p12. The private key and the certificate are extracted with:

$ mkdir -p ~/.globus
$ openssl pkcs12 -nocerts -in cert.p12 -out ~/.globus/userkey.pem
$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~/.globus/usercert.pem
$ chmod 400 ~/.globus/userkey.pem
$ chmod 400 ~/.globus/usercert.pem
$ ls ~/.globus
-r-------- 1 user group 1935 Feb 16  2010 usercert.pem
-r-------- 1 user group 1920 Feb 16  2010 userkey.pem

The chmod command is used to restrict access to the certificate files to their owner. The first openssl command asks for the PKCS12 password and then for a new PEM pass phrase, which is used to keep the private key encrypted on disk.
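The following script is an added example (not part of the SCIGNE guide and not a tool of the platform) that wraps the commands above in functions and adds the checks a user would want before first using the files: that the private key really belongs to the certificate, that the certificate is not about to expire, and that the key file permissions are owner-only. It assumes openssl is installed, and its make_test_p12 function builds a constructed self-signed test credential so that the script can run without a GRID-FR certificate; the function names and the test passphrase are assumptions of this example.

```shell
#!/bin/sh
# Added example: extract $HOME/.globus-style credentials from a PKCS12 backup
# and verify them. Not part of the SCIGNE documentation.
set -eu

# extract_globus_credentials <cert.p12> <PKCS12 password> <target dir>
# Produces userkey.pem (encrypted private key) and usercert.pem in <target dir>.
extract_globus_credentials() {
  p12="$1"; pw="$2"; dir="$3"
  mkdir -p "$dir"
  chmod 700 "$dir"
  # -nocerts keeps only the key; -passout re-encrypts it with a PEM pass phrase
  # (here the same passphrase as the PKCS12 file, to stay non-interactive).
  openssl pkcs12 -in "$p12" -nocerts -out "$dir/userkey.pem" \
    -passin "pass:$pw" -passout "pass:$pw"
  # -clcerts -nokeys keeps only the user (client) certificate, not the CA chain
  openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$dir/usercert.pem" \
    -passin "pass:$pw"
  chmod 400 "$dir/userkey.pem" "$dir/usercert.pem"
}

# check_globus_credentials <dir> <PEM pass phrase>
# Returns 0 when the key matches the certificate, the certificate is valid
# for at least 30 more days and userkey.pem is readable by its owner only.
check_globus_credentials() {
  dir="$1"; pw="$2"
  # Compare the public key embedded in the certificate with the one
  # derived from the private key; both are printed as PEM SubjectPublicKeyInfo.
  cert_pub=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/userkey.pem" -passin "pass:$pw" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  # -checkend N exits non-zero if the certificate expires within N seconds
  openssl x509 -in "$dir/usercert.pem" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
    || { echo "certificate expires within 30 days: renew it" >&2; return 2; }
  # GNU stat first, BSD/macOS stat as fallback
  perms=$(stat -c %a "$dir/userkey.pem" 2>/dev/null || stat -f %Lp "$dir/userkey.pem")
  [ "$perms" = "400" ] || { echo "userkey.pem mode is $perms, expected 400" >&2; return 3; }
  return 0
}

# make_test_p12 <out.p12> <password>
# Constructed self-signed test credential for trying the script offline.
# It is NOT a GRID-FR certificate and is not trusted by any grid service.
make_test_p12() {
  out="$1"; pw="$2"; tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/k.pem" -out "$tmp/c.pem" \
    -days 365 -subj "/O=Example/CN=Test User" 2>/dev/null
  openssl pkcs12 -export -inkey "$tmp/k.pem" -in "$tmp/c.pem" -out "$out" -passout "pass:$pw"
  rm -rf "$tmp"
}

# Usage with a real backup (the PEM pass phrase is then the one you chose):
#   extract_globus_credentials cert.p12 "$P12_PASSWORD" "$HOME/.globus"
#   check_globus_credentials "$HOME/.globus" "$P12_PASSWORD" && echo "credentials OK"
```

The key/certificate comparison catches the common mistake of pairing an old userkey.pem with a freshly renewed usercert.pem, and the -checkend test gives the same two-month warning horizon logic as the renewal email, here set to 30 days.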

Further reading

The following documentations are available to obtain further information about X.509 certificates:
