Universities and polytechnics > Getting a grid certificate
 
Sisältö
 
Tehdyt toimenpiteet
Tämä sivu suomeksi

Personal e-science (grid) certificate

Instructions for getting a personal eScience (grid) certificate via the Terena Certificate Service eScience portal

Grids provide computation and data resources to be shared in inter-organizational use. Finnish academic grid users can apply for a grid certificate and access to several grid networks (e.g. FGI, NorduGrid and PRACE) via CSC. Following these instructions, you should be able to get up and running in less than 30 minutes.

If you have any questions or problems with getting a grid certificate, please contact grid-support@csc.fi

Grid users are identified using X.509 certificates. Certificate requests need to be signed by a certification authority (CA) which acts as a trusted third party. CSC has a contract with TERENA (Trans-European Research and Education Networking Association), who will provide Finnish academic grid users with grid user certificates through the TERENA Certificate Service (TCS) portal. The certificates are valid for one year at a time.

The certificates are requested via a web interface, and are automatically installed in the users web browser. The user logs on to the service using their HAKA credentials (username and password in most cases). Every institution's identity provider must enable the TCS support for their users. Currently TCS has been confirmed to work for the following institutions

  • Aalto University
  • CSC - IT Center for Science Ltd.
  • Lappeenranta University of Technology
  • Tampere University of Technology
  • University of Eastern Finland
  • University of Helsinki
  • University of Jyväskylä
  • University of Oulu
  • University of Tampere
  • University of Turku *
  • Åbo Akademi University

* = You might need extra steps to get a certificate. Contact helpdesk if you are not succesful. We are working together with the universities to add the TCS support for more users.

Getting a grid certificate

Before you start!
PLEASE MAKE SURE YOU ARE NOT USING A PUBLIC COMPUTER. YOUR GRID IDENTITY WILL BE STORED IN THE BROWSER YOU USE FOR THIS.

Here are the step-by-step instructions for getting your own certificate:

1. Go to https://tcs-escience-portal.terena.org
2. Click "Login", select Finland as your country, and after that select our institution.
3. Login using your HAKA username and password
4. Depending on your institution, you might be asked to confirm to forward the information to the TCS portal.
5. Click "My Certificates" (on the left under certificates)
6. Click on "New Certificate", read the Acceptable Use Policy, and if if you agree with it, proceed to the next step
7. Now you are in the "Generate a CSR in the browser" menu Click next.
8. Now you should have a drop-down menu on the left. If the key length is not already set to 2048 bits, ensure that it is set to 2048 bits.
9. Click next. Your browser may ask you for your browser security password at this point
10. Wait until you get the new certificate. (2 minutes or less)
11. Now You need to click "Install to keystore" to install the certificate into your browser.

Exporting the certificate from the browser

To use your certificate on the command line (e.g. to submit grid jobs from the command line), you need to export your certificate. Instructions for doing this for some of the more common browsers below.

Firefox:

1. Select Edit -> Preferences
2. Go to Advanced -> Encryption -> View Certificates
3. Select your certificate and click Backup
4. Save the certificate as "usercert.p12". The browser will ask you for your password now, along with an export password. You MUST have a password here, you may not backup the certificate without a password!
5. See Common steps

Opera:

1. Select Menu -> Settings -> Preferences
2. Go to Advanced -> Security -> Manage Certificates
3. Select your certificate and click Export
4. Choose the "PKCS #12 (with private key)" filetype, and save the certificate as "usercert.p12". The browser will ask you for your password now, along with an export password. You MUST have a password here, you may not export the certificate without a password!
5. See Common steps

Internet Explorer:

Chrome

1. Open preferences (Under the Wrench)
2. Click "Under the Hood" on the left
3. Click the "Manage certificates" button
4. Select a certificate to export
5. Click "Export" and save the certificate as "usercert.p12"

Converting your certificate to PEM format

You will need to convert the certificate to a format the grid tools understand. The following commands work on Linux machines. If you are using the grid tools from another machine than your browser is on, you can transfer the "usercert.p12" file to that machine, and run these commands there. It's suggested that you use a secure tool like SCP to do this.

1. Create the certificate private key with "openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem". This will ask the old and the new key passwords (these can be the same).
2. Create the user certificate with "openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem".
3. You should now have two files, "usercert.pem" and "userkey.pem". Place these files in a ".globus" subdirectory under your home directory.
4. Finally run "chmod 400 ~/.globus/userkey.pem"

After this you should be able to use your new certificate with command line grid tools.

Certificate renewal

Your certificate is valid for one year at a time. After this you must request for a new certificate. The renewal procedure is exactly the same as requesting for a new certificate.