[DESY Home] [DESY IT Home] [DESY IT Physics Computing] [Grid Computing at DESY]

[DESY Computing Seminar]

[Imprint]

Grid Computing at DESY

[Home]

[Monitor]

[Grid@DESY] [Certs & VOs] [VOMS] [User Guide] [Install Guide] [Admin Guide]

[Talks & Posters]

[Glossary] [Documentation] [Links]

In order to ensure response in case of problems, use the Global Grid User Support (GGUS) and/or your VO support rather than private e-mail contacts or internal mailing lists.

Grid Certificates and VO Membership at DESY

FAQ

General Introduction

On order to access global Grid resources, users must hold a valid personal user certificate (authentication), AND users must be member of a Virtual Organization (authorization).
A valid user certificate is a prerequisite to request membership in a VO. Multiple VO membership is possible.
(A user certificate can be seen as an analogon to a passport, whereas the VO membership compares to a visa.)

You might be interested in reading an article on authorization of Jens Jensen (RAL) published in iSGTW on March 3rd, 2010.

User certificates are issued by a national Certification Authority (CA) of the user's home institute. The approval and verification of the request is handled by Registration Authorities (RA). The German CA is located at FZ Karlsruhe and is called GridKa. See GridKa usage rules. DESY runs a Registration Authority (RA) to approve certificate requests for people who are employed and located at DESY.
. Students please refer to the RA of their home institutes, e.g. HUB has a seperate RA.

Users who are not employed by DESY may refer to the RA List of GridKa or the international The International Grid Trust Federation.

A user certificate consists of a private key with a private password and a certified public key. The private key is exclusively possessed by the user and is not known to the RA or CA at any stage.
Lost private/public keys or the password can not be recovered by any means.

A certificate is valid for 1 year and can be renewed. Users get notified by e-mail 3 weeks before this date by the CA. It is strongly recommended to renew the certificate before its expiration.

[top]

Obtaining/Renewing a User Certificate at DESY

Step 0: Prerequisites (First request and renewal)

You MUST BE a member (employee, employee, ...) of DESY, or the University of Hamburg (Bahrenfeld Campus), or XFEL.
If this is not applicable, please get a certificate from your home institute. The following procedure then will not apply to you.

Step 1: Paperwork at DESY (First request only)

For the FIRST certificate request at DESY ONLY!: We have to know you and your identity! Therefore you needto:

Fill in the DESY IDENTIFICATION FORM
Get it signed by your namespace supervisor
Send the form or hand it in personally (not e-mail) to UCO
Proceed to the next step

Step 2: Electronic certificate request (First request and renewal)

This step is done electronically via browser, both for the first certificate request and for any subsequent renewals.

Note: The procedure below has proven to work for Firefox v3.0 or higher. Opera, MSIE, Safari or other browsers might cause problems.
Go to the GridKa CERT REQUEST PAGE
Make sure to fill in your DESY Email adress (see example below)
Make sure to fill in the right institute (DESY, UniHamburg or XFEL)

Final steps (First request and renewal)

Once we have confirmed your indentity (first request only), and you have requested a certificate with GridKa, the DESY Registration Authority will either accept or reject this request. No action from your side is requested, this is usually done within a couple of hours, and you will be notified.
Once the DESY Registration Authority has accepted the request, the Certification Authority (CA) at GridKa will proceed and sign your certificate request. You will be contacted once your certificate is ready for retrieval.
Follow the instructions contained in your notification email. Note: Use the browser used for the certificate request
You can now use the certificate to authenticate against web servers. For job submission or data management, you must convert your certificate and store it under the $HOME/.globus/ directory. Consult the GridKa help page [ in German / in English ], especially Exporting certificates from your browser and Converting certificates and keys

Questions?

Check the [FAQ]

[top]

Becoming a Member of a VO

If a user holds a valid user certificate, membership in VOs can be requested via the appropriate VOMRS/VOMS servers:

List of VO's VOMRS/VOMS servers

[top]

More Information

Please consider the page on Frequently Asked Questions:

German users which are not employed by DESY or the U Hamburg may find their RA at:

[RA List of GridKa]

Find list of all international CAs at:

[The International Grid Trust Federation]

CERN provides a test page to check whether your browser has a right installation of a certificate.

Check the expiration date of your current certificate:

  openssl x509 -subject -issuer -email -dates -noout -in ~/.globus/usercert.pem

Check whether the private key and public key match: The output of the following commands should be identical:

  openssl x509 -noout -modulus -in .globus/usercert.pem | openssl md5
  openssl rsa -noout -modulus -in .globus/userkey.pem | openssl md5

In Germany a second CA is run by the DFN at:

[DFN Grid Zertifikate]

The DFN maintains a list of RAs at:

[Grid-Registrierungsstellen (RAs) der DFN-PKI]