guide:Certificates

From Dgiref


User certificates

Before compute and storage resources can be requested, a valid Grid user certificate must be obtained. In D-Grid, Grid user certificates issued by the DFN-Verein (http://www.dfn.de/pki/grid) or by the Research Center Karlsruhe (http://grid.fzk.de/ca) are used. To apply for a Grid user certificate, contact the Grid Registration Authority (Grid-RA) responsible for your institution. The following Registration Authorities of the core D-Grid partners accept certificate applications for the D-Grid project:


Lists of additional Grid-RAs:


If you need a Grid user certificate, check which of the following applies to you:

  1. If your institution operates a Grid-RA, contact that RA.
  2. If you are already a user of one of the computing centers listed above, contact the Registration Authority of your computing center.
  3. If your institution has not yet established an RA, the Grid Certificate Authorities will advise you where you can obtain a Grid user certificate. For this, send an e-mail to zertifikate<nospam>d-grid.de.
Important: Renewing user certificates

If you want to renew an expired Grid user certificate, make sure that the Distinguished Name (DN) of the new certificate is identical to that of the old one, i.e. every field of the new DN carries the same value as the corresponding field of the old DN. Grid resources grant access based on the DN, not on the particular certificate, so only an identical DN gives the new certificate access to all Grid resources as before.

Server certificates

Before compute and storage resources can be made accessible in D-Grid, a valid Grid server certificate must be available. The server certificate is applied for by the administrator of the corresponding resources. The D-Grid project uses certificates issued by the following two CAs:

If you need a Grid server certificate, choose the case which applies to you:

  1. If your institution is a Registration Authority (RA) for the GermanGrid (GridKA) CA, go to Certificates/server/GridKA.
  2. If your institution is an RA for the DFN-Verein CA, go to Certificates/server/DFN.
  3. Otherwise, contact D-Grid's certificates helpdesk at zertifikate<nospam>d-grid.de.
Important: Renewing server certificates

If you want to renew an expired Grid server certificate, make sure that the Distinguished Name (DN) of the new certificate is identical to that of the old one, i.e. every field of the new DN carries the same value as the corresponding field of the old DN. Authorization on the Grid is tied to the DN, so a changed DN would make the renewed host look like a different resource.


server certificates from GridKA

server certificates from DFN

Certificates allocation

You need a host certificate and at least one user certificate to deploy or use the middleware services (Globus, gLite, UNICORE). For more information about how to get a certificate, see:

WARNING: remove the passphrase from the host key. Grid services have to read the host key when they start unattended, so hostkey.pem must not be passphrase-protected. If it is, remove the passphrase as root with the following commands:

mv hostkey.pem protectedkey.pem 
openssl rsa -in protectedkey.pem -out hostkey.pem

An unencrypted key is protected by file permissions alone: afterwards make sure hostkey.pem is readable only by its owner (see Access Rights below), and delete protectedkey.pem or move it off the server.


CAs

The directory /etc/grid-security/certificates contains the CA certificates.

The current procedure to install the CA certificates is the following:

  1. download the repository file from http://dgiref.d-grid.de/downloads/yum.repo
  2. clean the yum metadata cache so that the new repository is read: yum clean metadata
  3. install the CA RPMs with yum

There are two options for which set of CA certificates to install:

  • to install only the LCG CAs, use the lcg-CA repository
  • to install more than the LCG CAs, use the EUGridPMA repository

It is not necessary to install the CA packages on the CE nodes, since they already have them. To use the CA certificates on another server (e.g. the cfengine master host), do:

lcg-CA

su
wget -O /etc/yum.repos.d/lcg-CA.repo http://svn.rz.uni-karlsruhe.de/svn/dgiref/PROD/repl/root/etc/yum.repos/lcg-CA.repo
yum -y install lcg-CA

EUGridPMA

su
wget -O /etc/yum.repos.d/eugridpma.repo http://dgiref.d-grid.de/downloads/yum.repo/eugridpma.repo
yum install ca_policy_igtf-classic ca_policy_igtf-slcs

Host certificates

The host certificate is copied as root to the directory /etc/grid-security and is also used as the certificate of the Globus container (execute as root):

cd /etc/grid-security
cp yourhostkey.pem hostkey.pem
cp yourhostcert.pem hostcert.pem
cp hostkey.pem containerkey.pem
cp hostcert.pem containercert.pem
chown  globus.globus container*.pem
Access Rights

The access rights to the various certificate files should be adapted:

chmod 400 *key.pem
chmod 644 *cert.pem
User certificates

Grid users need their certificate and key in the .globus directory of their home directory. Set this up as follows:

su - griduser         # replace griduser with the grid user's login name
mkdir -p ~/.globus
cd ~/.globus
cp yourusercert.pem usercert.pem
cp youruserkey.pem userkey.pem
chmod 400 *key.pem
chmod 644 *cert.pem
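The steps above (stripping the passphrase from the host key, installing the files under /etc/grid-security, setting the access rights, and placing usercert.pem/userkey.pem in ~/.globus) as one added, runnable example; this is not Dgiref's own tooling. It assumes openssl is on PATH and takes every path as a parameter, so it can be tried in a scratch directory without root. In production the target directory is /etc/grid-security, the owner of the container copies is globus:globus and the CA directory is /etc/grid-security/certificates. The check function is what a practitioner runs after installation, and it applies equally to a user certificate/key pair.

```shell
#!/bin/sh
# Added example for this page, not Dgiref's own tooling: perform the steps
# above (strip the host key passphrase, install cert and key, set the access
# rights) and verify the result. Assumptions: openssl is on PATH; every path is
# a parameter, so the functions can be tried in a scratch directory without
# root. In production: dir=/etc/grid-security, owner=globus:globus,
# CA directory=/etc/grid-security/certificates.
set -eu

# Remove the passphrase from a protected private key. umask 077 is set in a
# subshell before openssl writes, so the unencrypted key is never readable by
# others, and the passphrase is read from a file rather than the command line
# (which would show it in the process list).
# $1 = protected key, $2 = output key, $3 = file whose first line is the passphrase
strip_key_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "file:$3" -out "$2" 2>/dev/null )
    # Prove the result loads without a passphrase (an empty one is offered).
    openssl rsa -in "$2" -noout -passin pass: >/dev/null 2>&1
}

# Copy cert and key to their canonical names, create the container copies and
# set the modes from the Access Rights section (key 0400, cert 0644).
# $1 = target dir, $2 = certificate, $3 = key, $4 = owner of container*.pem (optional)
install_host_cert() {
    dir=$1; cert=$2; key=$3; owner=${4:-}
    mkdir -p "$dir"
    cp "$cert" "$dir/hostcert.pem"
    cp "$key"  "$dir/hostkey.pem"
    cp "$dir/hostcert.pem" "$dir/containercert.pem"
    cp "$dir/hostkey.pem"  "$dir/containerkey.pem"
    if [ -n "$owner" ]; then chown "$owner" "$dir"/container*.pem; fi
    chmod 400 "$dir"/*key.pem
    chmod 644 "$dir"/*cert.pem
}

# Verify an installed certificate/key pair (host or user) against a hashed CA
# directory such as /etc/grid-security/certificates. Prints the reason and
# returns non-zero on the first failed check.
# $1 = certificate, $2 = key, $3 = CA directory
check_cert_pair() {
    cert=$1; key=$2; cadir=$3
    # 1. the key must load without a passphrase: grid services start unattended
    openssl rsa -in "$key" -noout -passin pass: >/dev/null 2>&1 \
        || { echo "$key: still passphrase-protected"; return 1; }
    # 2. the key must belong to the certificate (same RSA modulus); this also
    #    catches a renewed certificate installed next to the old key
    [ "$(openssl x509 -in "$cert" -noout -modulus)" = \
      "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] \
        || { echo "$key: does not match $cert"; return 1; }
    # 3. the certificate must chain to a CA in $cadir and be within its validity
    openssl verify -CApath "$cadir" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "$cert: does not verify against $cadir"; return 1; }
    # 4. modes as prescribed: key readable by its owner only, cert world-readable
    [ -n "$(find "$key" -perm 400)" ]  || { echo "$key: mode is not 0400"; return 1; }
    [ -n "$(find "$cert" -perm 644)" ] || { echo "$cert: mode is not 0644"; return 1; }
    echo "$cert: OK"
}
```

On a resource the sequence is: strip_key_passphrase protectedkey.pem hostkey.pem passfile, then install_host_cert /etc/grid-security hostcert.pem hostkey.pem globus:globus, then check_cert_pair /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem /etc/grid-security/certificates (and the same check for ~/.globus/usercert.pem and userkey.pem). The verify step also reports the expired-certificate case that the renewal notes above are about, and the modulus comparison catches a renewed certificate dropped in beside an old key.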
When importing a host certificate in .pem format into a Java truststore with keytool, you may see an error along the lines of "not an X.509 certificate". The usual cause is the human-readable dump that some CAs place in front of the -----BEGIN CERTIFICATE----- line; delete everything before that line and import again.
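The clean-up described above as an added example (not from the Dgiref page): a shell function that keeps only the PEM certificate blocks of a file, which is the part keytool needs. The keytool flags in the usage comment are standard keytool options; the alias, file and keystore names are examples.

```shell
#!/bin/sh
# Added example, not from the Dgiref page: keep only the PEM certificate
# blocks of a file, dropping the textual dump that grid CAs often place in
# front of "-----BEGIN CERTIFICATE-----" and that some keytool versions reject.
pem_certs_only() {
    # print every BEGIN..END CERTIFICATE block (a bundle may hold several), nothing else
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Usage: clean the file, then import it (alias and store name are examples):
#   pem_certs_only hostcert.pem > hostcert-clean.pem
#   keytool -importcert -trustcacerts -alias gridhost -file hostcert-clean.pem -keystore truststore.jks
```

Using a range pattern instead of deleting lines by hand also handles bundle files with more than one certificate and text between the blocks.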