Preparations for grid usage on bwGRiD resources
Requesting a grid user certificate, VO member registration (for users)
Approving VO members (for VO representatives)
Jochen Buchholz, HLRS
Project funding by: Ministerium für Wissenschaft, Forschung und Kunst Baden-Württemberg
Content
• Prerequisites overview
• How to get the grid user certificate
• Requesting VO membership
• Certificate handling (import/export, ..)
• Membership approval (for VO representatives)
Last updated 2012-03-29
Prerequisites Overview
To use the bwGRiD resources you need:
• A grid user certificate according to EUGridPMA. This requirement is common to all D-Grid resources and provides a certain level of proven identity.
• To be a member of a D-Grid VO, i.e. „bwGRiD“
• To import your certificate into your grid middleware (Unicore, Globus, ..)
• To add the site's access point to your middleware configuration
REQUESTING CERTIFICATES
Request certificate
• Two CAs (certification authorities) issue grid certificates in Germany:
  DFN-Grid-CA, operated by DFN (German research network, www.dfn.de)
  GridKa-CA, operated by FZK (research center Karlsruhe, www.fzk.de)
• Certificate requests are accepted by many registration authorities (RA) throughout Germany.
• The CAs publish a list of all their RAs and the responsible persons.
• Each CA has a Certificate Policy (CP), which each user has to accept, and a Certificate Practice Statement (CPS) describing their operation.
Request certificate
                    DFN-Grid-CA                                                  GridKA-CA
Website             http://www.pki.dfn.de/                                       http://grid.fzk.de/ca
List of RAs         https://info.pca.dfn.de/grid-ras.html                        http://grid.fzk.de/ca/RA.html
Policy overview     http://www.pki.dfn.de/index.php?id=policies                  http://grid.fzk.de/ca, section CP/CPS
Certificate Policy  http://www.pki.dfn.de/fileadmin/PKI/DFN-PKI_grid-cp_v14.pdf  http://grid.fzk.de/ca/gridka-cps.pdf
Request certificate
Entity name                               Organisational Unit                                       ID   RA responsible
University Freiburg (GridKA, DFN-Grid)    /OU=UniFreiburg (FZK) or /OU=Universitaet Freiburg (DFN)  133  Jan Erik Sundermann, Bernhard Bußhardt
University Heidelberg                     /OU=Universitaet Heidelberg                               143  Matthias Melcher
University Karlsruhe                      /OU=KIT (former OU=FZK or /OU=Uni Karlsruhe)              -    Guenter Quast, Tobias Dussa
University Konstanz                       /OU=Universitaet Konstanz                                 182  Sebastian Graf
University Mannheim                       /OU=Universitaet Mannheim                                 166  Edith Petermann, Marcus Bickel
University Stuttgart                      /OU=Universitaet Stuttgart                                123  Thomas Beisel, Martin Hecht, Jochen Buchholz
University Tübingen                       /OU=Universitaet Tuebingen                                110  Jörg Heitzenröther
University Ulm                            /OU=Universitaet Ulm                                      172  Christian Mosch
University Hohenheim                      /OU=Universitaet Hohenheim                                181  Dr. Steffen Bücheler
University of Applied Sciences Esslingen  /OU=Hochschule Esslingen                                  173  Martin Schmid

Most entities in bwGRiD use certificates issued by the DFN-PKI with the DN prefix „/C=DE/O=GridGermany“. Karlsruhe and Freiburg normally use certificates issued by GermanGrid-CA with the DN prefix „/O=GermanGrid“. The IDs are used on the next page (RA_ID in the request link).
Page updated: March 18th, 2010
Request Certificate
• You need to install the grid root CA certificate as instructed.
• After that you can request your own certificate by selecting „Nutzerzertifikat“ (user certificate) from the second menu line.
• On the next page you have to fill in your certificate details (email, name, department).
• Remark: You have to use the same browser for this request and later when you receive the certificate, because otherwise the request and the issued certificate can't be merged (the private key is generated and kept in the browser that made the request).
• Windows 7 + IE causes problems joining the VO.
https://pki.pca.dfn.de/grid-root-ca/cgi-bin/pub/pki?cmd=getStaticPage&name=index&RA_ID=123
Exemplary request for users from HLRS; the screenshots may differ slightly for other entities. For other RAs simply change the RA_ID number in the link according to the table on the previous page.
Request Certificate
The key length selection might be available for some entities. You need to use the browser where you want to install the certificate, since the key pair is generated in this registration process.
For the department specification as part of the DN there might be some restrictions for your entity. If there are none, you might enter the name of your institute or faculty; be aware that this would be part of your DN (distinguished name) and is therefore not changeable. The User data section is used for contacting you if there are problems with the certificate generation etc.
Request Certificate
This page varies for each entity but still has the same intention: it collects the necessary information to identify you.
Request Certificate
• Print out the upper form and sign it.
• Visit your local RA contact person (it is essential to make an appointment). Carry with you the printed form and your ID card or passport.
• The RA responsible checks your identity and fills out the identity information on the form if not yet done.
• He creates the certificate (not necessarily instantly).
• You are informed by email when your certificate is ready. It will also be attached to that email.
• Visiting the link in the email, the certificate will automatically be installed in the browser (if you use the same browser as for requesting).
Remarks: Requesting the certificate with IE on Windows 7 may cause misleading error messages if you import the certificate more than once or interrupt the import and try again. In the second case your certificate seems to be useless.
REQUEST VO MEMBERSHIP
Request VO membership
The process of joining a VO includes several steps:
• Visit the D-Grid site (http://www.D-Grid.de)
  - follow „DGI 2“
  - select „Benutzerportal“ (user portal) on the left side
  - follow „VO-Mitgliedschaft“ (VO membership) on the left side and follow the link
• Select your VO (in most cases bwGRiD)
• Phase I: Fill out your personal information
• Validate your email address
• Phase II: Select your subVO / location and agree to the policy
• Get approved by the VO admin
• Receive approval
Request VO membership
Following the link on this page, your certificate will be used to identify you.
If you cannot reach this page it might be a firewall issue; please try the link on the following pages to directly access the bwgrid VO.
For IE on Windows 7: it seems that even with a correctly installed certificate you can't access this page, even if there is no firewall problem. If the link to the bwgrid VO also does not work, you can try using another browser and copy the certificate there.
https://dispatch.fz-juelich.de:8814/D-Grid-VO-Member
Request VO membership
Here you can see all VOs available in D-Grid and up to two representatives for each VO. You select your representative later.

Request VO membership
The bottom line shows your identity taken from your certificate.
Proceed with Phase I.
https://vomrs.zam.kfa-juelich.de:8443/vo/bwgrid/vomrs (take this link!)
Request VO membership
Select your representative.
Please fill in your personal contact details. This simplifies the registration process if you are not personally known to the VO representatives. Otherwise we need more time to check if you are really authorized to be a member of the VO.

Request VO membership
After you successfully sent the form, an email will be sent to you to validate the email address. Following the link in this email you will be forwarded to Phase II.

Request VO membership
In Phase II you can select the subVOs you want to be part of. This will raise an email to the representative to approve your changes.
You have to accept the Acceptable Usage Policy (AUP) for grid usage. Doing this will send your request to the VO admins.
Request VO membership
When the representative has accepted or denied your request to join subVOs, you will be informed by email and you can see the new status on the website („Approved“).
CERTIFICATE HANDLING
Certificate handling
• Export certificate from browser
• Import certificate in browser
• Import certificate in Unicore
• Certificate transformation
• Import certificate in Globus
Firefox
From the menu select Tools -> Settings (Extras -> Einstellungen).

Firefox
After selecting one of the shown entries you can see the certificate details (click on details) or export the selected certificate including the private key (click on backup). The certificate will be stored in PKCS#12 format. Because the backup file contains your private key, protect it with a strong password and delete it once it has been imported elsewhere. Additionally you can import further certificates.
Unicore: Add your identity
From the menu select Settings -> Keystore Editor.
You can see there is no key available, but initially some certificates are already imported, like DFN, GridKA or the Unicore developer's CA.

Unicore: Add your certificate/key
By selecting Actions -> Import certificate you can add additional certificates, i.e. additional resource providers.
Your personal certificate together with your private key in PKCS#12 format is handled as a certificate store. Therefore you have to select Actions -> Import keystore and select your filename.p12. Only in case of an error do you receive any message. Otherwise the identity is added successfully.
Transform certificate for Globus
Extract key and certificate out of the PKCS#12 file (exported from your browser); OpenSSL is needed. The first command writes only the private key (re-encrypted with a new PEM pass phrase), the second only your own certificate (-clcerts leaves out any CA certificates bundled in the file).

user@host:~> openssl pkcs12 -in GermanGridCert.p12 -out userkey.pem -nocerts
Enter Import Password: ********
MAC verified OK
Enter PEM pass phrase: ********
Verifying - Enter PEM pass phrase: ********
user@host:~>

user@host:~> openssl pkcs12 -in GermanGridCert.p12 -out usercert.pem -clcerts -nokeys
Enter Import Password: ********
MAC verified OK
user@host:~>

OpenSSL is also available for Windows, e.g. http://www.slproweb.com/products/Win32OpenSSL.html
Globus: integrate key/certificates
Move the resulting files to your ~/.globus directory and set access privileges (the key must not be readable by anyone else):
user@host:~> mkdir -p ~/.globus
user@host:~> mv usercert.pem ~/.globus/
user@host:~> mv userkey.pem ~/.globus/
user@host:~> chmod 700 ~/.globus
user@host:~> chmod 600 ~/.globus/*

Integrate CA certificates (you should integrate the chain of trust of the EUGridPMA to work in D-Grid). Therefore download the tarball with all necessary CA certificates and unpack it in the certificates directory:
user@host:~> mkdir -p ~/.globus/certificates
user@host:~> cd ~/.globus/certificates
user@host:~/.globus/certificates> wget http://dist.eugridpma.info/distribution/igtf/current/accredited/igtf-preinstalled-bundle-classic.tar.gz
...
user@host:~/.globus/certificates> tar xzf igtf-preinstalled-bundle-classic.tar.gz
...
For Windows users the corresponding directory is „C:\Documents and Settings\{username}\.globus\“
Questions
• https://wickie.hlrs.de/dgrid/
• [email protected]
• Subject „Subscribe“ to dgridsysnews-
APPROVE VO MEMBERSHIP
Only for VO Representatives
Approve VO membership
The representative will be informed when any new user requests membership or wants to join a subVO (in bwGRiD the subVOs are the different universities).
The following screenshots were made when the VO bwGRiD was not yet created. Instead the VO InGRiD was used.
Approve VO membership
Following the links in the email you will directly be forwarded to the search form.
Approve VO membership
You can select many output fields and search criteria. Pay attention that the search button is not at the bottom but in the center of the page. Below the button the search results are displayed, with the possibility to approve/deny the requests.
Approve VO membership
When a user is already a member of the VO and wants to change his subVO, these changes can be made in the „Select Groups & Group Roles“ entry in the menu or by following the link in the notification email when the user requests any changes.
Approve VO membership
After you have approved/denied any changes the page shows a success message.