Grid Computing at DESY
In order to ensure response in case of problems, use the
Global Grid User Support (GGUS)
and/or your VO support rather than private e-mail contacts or internal mailing lists.
In order to access global Grid resources,
users must hold a valid personal user certificate (authentication),
AND users must be a member of a Virtual Organization (authorization).
A valid user certificate is a prerequisite to request membership in a VO.
Multiple VO membership is possible.
(A user certificate can be seen as analogous to a passport,
whereas the VO membership compares to a visa.)
You might be interested in reading an article on authorization by Jens Jensen (RAL) published in iSGTW on March 3rd, 2010.
User certificates are issued by a national Certification Authority (CA) of the user's home institute. The approval and verification of the request is handled by Registration Authorities (RA). The German CA is located at FZ Karlsruhe and is called GridKa. Usage rules can be found there. DESY runs a Registration Authority (RA) to approve certificate requests for people who are employed by DESY.
Users who are not employed by DESY may refer to the RA List of GridKa or the international CA list.
A user certificate consists of a private key with a private password and
a certified public key.
The private key is exclusively possessed by the user and is not known to
the RA or CA at any stage.
Lost private/public keys or the password cannot be recovered by any means.
A certificate is valid for 1 year and can be renewed. Users get notified by e-mail 3 weeks before this date by the CA. It is strongly recommended to renew the certificate before its expiration.
Technically, user certificates for DESY employees are requested electronically from the
CA at GridKa via a web portal.
The responsible RA must then verify and approve the user's certificate request.
The DESY RA will do this for DESY and U Hamburg employees (with valid DESY accounts).
Note: Renewal of expired certificates will only be done for DESY employees.
If you have left DESY, please get a new certificate via your home institute.
Therefore users are asked to identify themselves (once) to the DESY RA by filling in the
form and adding a copy of their ID or passport.
Both must be sent (not e-mailed) to NOBODY ELSE than the DESY IT secretary
where the forms are collected:
Please note: The form and the copy of ID or passport are absolutely mandatory prerequisites for the identification procedure as well as the signature of your local DESY group boss.
This identification procedure is needed ONLY ONCE per user, also for extensions and even if a new certificate is requested from GridKa after expiration of the old one. In the latter case you must remove your expired certificate from your browser!
You will NOT be notified upon the arrival of the form. Just go on!
The user certificate then has to be requested electronically via a web portal at FZK (GridKa). (It has turned out that the web browsers 'OPERA' and 'MSIE' may cause problems. Firefox (v3.0 or higher) works fine though):
Please note: Spawn the request ONLY ONCE in the portal!
Check information on supported browsers at the
GridKa-CA Help page.
We recommend Firefox (v3.0 or higher).
The user will be notified by GridKa via e-mail as soon as the certificate is ready for download from the portal. In order to use the certificate for Grid and/or NAF authentication it must be converted and stored in $HOME/.globus/. For details, please also refer to the GridKa help pages. In particular see 'Exporting certificates from your browser'.
Again, it is strongly recommended to refer to the GridKa help pages at:
If a user holds a valid user certificate, membership in VOs can be requested via the appropriate VOMRS/VOMS servers:
Please consider the page on Frequently Asked Questions:
German users who are not employed by DESY or the U Hamburg may find their RA at:
Find list of all international CAs at:
Check the expiration date of your current certificate:

    openssl x509 -subject -issuer -email -dates -noout -in ~/.globus/usercert.pem

Check whether the private key and public key match. The output of the following two commands should be identical:

    openssl x509 -noout -modulus -in ~/.globus/usercert.pem | openssl md5
    openssl rsa -noout -modulus -in ~/.globus/userkey.pem | openssl md5
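The expiry and key-match checks above can be combined into one function, shown here as an added example that is not part of the DESY or GridKa pages. The 21-day window mirrors the CA's three-week notice; the return codes and the key-permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: one-shot check of a Grid credential directory.
# Return codes (chosen for this example):
#   0 ok                      1 usercert.pem or userkey.pem missing
#   2 expires within window   3 private key does not match certificate
#   4 private key accessible to group or others
WARN_DAYS=21   # same lead time as the CA's three-week e-mail notice

check_grid_cert() {
    dir=${1:-$HOME/.globus}
    cert=$dir/usercert.pem
    key=$dir/userkey.pem
    [ -r "$cert" ] && [ -r "$key" ] || return 1

    # -checkend N fails if the certificate is expired or expires within N seconds.
    openssl x509 -noout -checkend $((WARN_DAYS * 86400)) -in "$cert" \
        >/dev/null || return 2

    # Compare the full public keys instead of MD5 hashes of the RSA modulus;
    # openssl asks for the key password if userkey.pem is encrypted.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert") || return 3
    key_pub=$(openssl pkey -pubout -in "$key") || return 3
    [ "$cert_pub" = "$key_pub" ] || return 3

    # Added check (not on the page): columns 5-10 of the mode string are the
    # group/other bits, which must all be unset for a private key.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || return 4
    return 0
}

# Usage: check_grid_cert            (defaults to $HOME/.globus)
#        check_grid_cert /some/dir  (hypothetical alternative location)
```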
In Germany a second CA is run by the DFN at:
The DFN maintains a list of RAs at:
See also
and
Last modified: Fri Dec 9 16:33:35 MET 2005 by the DESY Grid Team: http://grid.desy.de/