Getting that all important grid certificate

Requesting a certificate

• Go to Certificate -> Request a Certificate -> User Certificate:
• Fill in the form with "Liverpool CSD" as your registration authority (RA)
  N.B. This is just a temporary pin and it will be seen by the RA so choose something unimportant!
• You will be asked to take some ID to Cliff Addison/Ian Smith in the CSD department (room 4.09 of the Chadwick tower)
• Then wait for "New Issued Certificate" email

Importing the certificate into your browser

• Go back to https://portal.ca.grid-support.ac.uk/caportal">GOSC -> Retrieve New Certificate and enter your serial number from the email
• To test if it is imported correctly go to Test Certificate on the same page. You should get something like:

     Variable                        Value Your Distinguished Name (DN)    /C=UK/O=eScience/OU=Liverpool/L=CSD/CN=carl gwilliam Client Authentication           SUCCESS From                            Feb 13 13:06:06 2007 GMT To                            Mar 14 13:06:06 2008 GMT 

Exporting the certificate from your browser

• This is browser specific:
  • Firefox: Go to Edit -> Preferences -> Advanced -> Certificates -> Manage Certificates -> Backup
  • Firefox 2: Go to Edit -> Preferences -> Advanced -> Encryption -> View Certificates ->Backup
  • Firefox 2.0.0.3 (Windows): Tools->Options->Advanced->Encryption->View Certificates->Your Certificates->Backup
  • Mozilla: Go to Edit -> Preferences... -> Privacy & Security -> Manage Certificates -> Backup
  • Feel free to add any other's
    N.B. Remember this password if you want to use the exported cetificate in the future

Converting the certificate from P12 to PEM format

• This is needed if you want to run grid jobs from the shell rather than just using the certificate in your browser
• If you don't want all the hassel below, this shell script should do all the work for you. Just do

  CertConvert.sh -pem infile.p12

• Make a userkey:

  openssl pkcs12 -nocerts -in Cert.p12 -out userkey.pem

• Make a usercert:

  openssl pkcs12 -clcerts -nokeys -in Cert.p12 -out usercert.pem

  N.B. The password you enter here is what you will need if you ever want to submit grid jobs, so keep it safe!
• Make a .globus directory and move them both there
• Set the permissions as follows:

  chmod 700 ${HOME}/.globus

  chmod 444 ${HOME}/.globus/usercert.pem

  chmod 400 ${HOME}/.globus/userkey.pem

  N.B. If you're using AFS don't forget to set the afs permissions too (fs setacl)
• To convert back at any point you can use:

  openssl pkcs12 -export -inkey ${HOME}/.globus/userkey.pem -in ${HOME}/.globus/usercert.pem -out Cert.p12 -name "Grid Certificate"

  or just re-export from your browser (which is useful if you forget the password you gave when exporting).

Testing the exported certificate

• To do this (or use the grid in general) you need to be logged into a User Interface (UI)
  • On LXPLUS just do

    source /afs/cern.ch/project/gd/LCG-share/new_3.2/etc/profile.d/grid_env.sh

  • At liverpool just log onto hepgrid1 (using your normal NFS password)
• You can verify your certificate via:

  openssl verify -CApath /etc/grid-security/certificates ${HOME}/.globus/usercert.pem

• You can get info on your certificate via:

  grid-cert-info

Getting a virtual organisation (VO) membership

• Go to the LCG User Registration page
• Click on ATLAS
• Click on Registration(Phase I) and fill in the form
• You must choose "Alessandro DeSalvo" as your representitive and it seems to need your CERN email address!
• Wait for a reply email
• Click on Registration(Phase II)
• Click the box marked "/atlas/uk" (leave all options/boxes unchanged) and submit your request
• Wait for an email confirming you VO membership. You're now ready to use the grid ...

Submitting ATLAS grid jobs

• See the ATLAS Workbook for how to start submitting grid jobs!