|Grid Computing at DESY|
|[Home]||[Mon/Admin]||[Grid@DESY] [Certs & VOs] [VOMS] [CVMFS] [User Guide] [Install Guide] [Notes]||[Talks & Posters]||[Glossary] [Documentation] [Links]|
In order to ensure response in case of problems, use the Global Grid User Support (GGUS) and/or your VO support rather than private e-mail contacts or internal mailing lists.
2018-02-01: Web browsers
Please use exclusive a firefox web browser for your request. Chrome, Opera, MSIE, Safari, and others do NOT work properly. See GridKa FAQ.
2017-05-23: Passport and/or ID card copies
Please do NOT send copies of your passport and/or ID card around.
Identification of users is carried out by the group admins who are supposed to authorize requests of their group members by checking ID cards and denoting the last digits of the ID number on the registration form (see below).
On order to access global Grid resources,
users must hold a valid personal user certificate (authentication),
AND users must be member of a Virtual Organization (authorization).
A valid user certificate is a prerequisite to request membership in a VO. Multiple VO membership is possible.
(A user certificate can be seen as an analogon to a passport, whereas the VO membership compares to a visa.)
You might be interested in reading an article on authorization of Jens Jensen (RAL) published in iSGTW on March 3rd, 2010.
User certificates are issued by a national Certification Authority (CA)
of the user's home institute.
The approval and verification of the request is handled by Registration Authorities (RA).
The German CA is located at FZ Karlsruhe and is called
(see usage rules).
DESY runs a Registration Authority (RA) to approve certificate requests
for people who are employed and located (phone book entry exists) at DESY.
Students please refer to the RA of their home institutes, e.g. HUB has a seperate RA!
Users who are NOT employed by DESY may refer to the RA List of GridKa or the international The International Grid Trust Federation (ITGF).
A user certificate
(of the format X509)
consists of a private key with a private password and
a certified public key.
The private key is exclusively possessed by the user and is not known to
the RA or CA at any stage.
Lost private/public keys or the password can not be recovered by any means.
A certificate is valid for 1 year and can be renewed. Users get notified by e-mail 3 weeks before this date by the CA. It is strongly recommended to renew the certificate before its expiration.
According to the policy of the German Certification Authority (CA) at GridKa, users must be member (e.g. employee) of and located at the institute or university of which they request a Grid user certificate from (via the Registration Authority (RA)). This is necessary to contact users in case of security issues and to prove identity. This applies also for renewals. If the user changes group, institute or university, the new RA is in charge of approving certificates.
For the FIRST certificate request at DESY ONLY!: We have to know you and your identity! Therefore you need to:
This step is done electronically via browser, both for the first certificate request and for any subsequent renewals. For your name, please do not use capital letters only.
Check the [FAQ]
If a user holds a valid user certificate, membership in VOs can be requested via the appropriate VOMS servers.
Please do NOT request VO membership to the VO 'desy'. This is a VO for internal use only. Usually you want to register with the VO of the experiment you are working with, e.g. 'atlas', 'belle', 'cms', or 'ilc'. See:
Please consider the page on Frequently Asked Questions:
German users which are not employed by DESY or the U Hamburg may find their RA at:
Find list of all international CAs at:
CERN provides a test page to check whether your browser has a right installation of a certificate.
Check the expiration date of your current certificate:
openssl x509 -subject -issuer -email -dates -noout -in ~/.globus/usercert.pemCheck whether the private key and public key match: The output of the following commands should be identical:
openssl x509 -noout -modulus -in .globus/usercert.pem | openssl md5 openssl rsa -noout -modulus -in .globus/userkey.pem | openssl md5
In Germany a second CA is run by the DFN at:
The DFN maintains a list of RAs at:
|Last modified: Fri Dec 9 16:33:35 MET 2005||by the DESY Grid Team: http://grid.desy.de/|