NPACI Archive Page
The NPACI program ended on September 30, 2004. This site is presented for archival purposes only.
For current resources at each of the partner sites, please refer to the appropriate institution site.
Obtaining a User Certificate
To participate in the grid computing environment
that NPACI provides, you will need a digital certificate.
Digital certificates are used on the grid for authentication
and encryption purposes by GSI (Grid Security Infrastructure)
enabled software. This certificate will give you single
sign-on capabilities across NPACI Grid resources. For
more background on certificates, see Understanding
User Certificates at the bottom of this page.
Once you have applied for grid access, you will
be notified that you have been given an account on cert.npaci.edu.
Follow the instructions provided below to obtain a
digital certificate and to make it usable at NPACI sites.
- Log in to cert.npaci.edu
with the account name and password that have been mailed
to you.
- Run the program /usr/local/apps/pki_apps/cacl.
You will be prompted for your login password. Next
you will be prompted twice for a private key encryption
password of your choosing. This will be used to
encrypt the private key which corresponds to the public
key contained in your certificate.
The cacl program will create a .globus directory in your
home directory on cert.npaci.edu. The .globus directory
contains your certificate and private key.
Please note that you may have only
one NPACI Grid certificate per account. Before
issuing a new certificate, the Certificate Authority
(CA) will check to see if a valid certificate issued
by the CA already exists for the user account, and
if such a certificate exists, a new certificate
will not be issued. A user's certificate must
expire or be revoked before a new one can be issued.
If you need your certificate revoked for any reason
please send e-mail to certman@sdsc.edu.
- Copy your certificate directory
(.globus) to each NPACI
Grid resource you will be using. Choose one of the
two methods below to do this:
- Download and run a script on cert.npaci.edu:
- Save the following script to your home directory:
copycert.sh
- Make the script executable: chmod +x copycert.sh
- Edit the script and follow the directions at the
top of the script
- Execute the script.
OR
- Copy the certificate directory by hand to each site
where you have access:
- Create a tar file of your .globus directory:
[cert]% tar cvf globus.tar .globus
- Copy the globus.tar file to each NPACI Grid resource.
- tf004i.sdsc.edu (blue horizon)*
- longhorn.tacc.utexas.edu
- hypnos.engin.umich.edu
- morpheus.engin.umich.edu
For example, to copy your certificate from cert.npaci.edu
to morpheus you would do the following:
[cert]% scp globus.tar ux444444@morpheus.engin.umich.edu:.
[cert]% ssh morpheus.engin.umich.edu -l ux444444
.....
- Expand the .globus directory
[morpheus]% tar xvf globus.tar
At the end of the process, you should have
a .globus directory in your home directory on each resource
where you want to access the grid.
N.B.: Blue
horizon machines (tf004i, tf005i, and the "b80s")
share a directory. Copy the .globus directory to the
blue horizon machines only once. Similarly, cert.npaci.edu
and griddle.sdsc.edu share a directory. Once the certificate
has been established on cert.npaci.edu, it does not need
to be copied to griddle.
- Wait to allow the NPACI partner sites
time to update their "grid-mapfile" with your
Distinguished Name, or DN. A
Distinguished Name is a globally unique identifier that
represents you as an individual. In Globus, DNs are
constructed from entity name and domain information.
The following is an example of a DN for the NPACI Grid:
/C=US/O=NPACI/OU=SDSC/CN=Jane Doe/USERID=jdoe
Most users should wait for an hour after
getting a certificate before proceeding.
N.B.: Users whose usernames on Blue Horizon are different
from their NPACI usernames will need to request special
configuration before the grid-mapfiles will be updated.
Please send a request via the NPACI
Consulting Web page form (http://www.npaci.edu/Consult).
Fill in the following fields:
- NPACI Resource: NPACI Grid
- Type of Problem: Certificates
- Summary: need certificates configured
- Description of Request field: names
of the machines which you need configured to
accept your SDSC certificate, your username
on blue horizon, and your NPACI
Grid username
Since this change must be made manually,
the wait will be longer than an hour; you will be notified
when the changes have been made.
- Check to see if your certificate information has been
added to each site's grid-mapfile. Log into each site
and issue the following command (replace "your_username"
with the appropriate username for your account):
% grep your_username /etc/grid-security/grid-mapfile
Example output:
"/C=US/O=NPACI/OU=SDSC/CN=Test User/USERID=ux454549" ux454549
If this command does not return
anything, you have not been added to the grid-mapfile.
If the information does not appear after the appropriate
waiting time, notify NPACI consulting via the NPACI
Consulting Web page form (http://www.npaci.edu/Consult).
Fill in the following fields:
- NPACI Resource: NPACI Grid
- Type of Problem: Certificates
- Summary: certificate not recognized
- Description of Request field:
names of the machines which are not recognizing
your certificate; when you copied your certificate
to the resource; your NPACI Grid username
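The grid-mapfile check from the last step, as an added example that is not part of the original NPACI page: plain grep matches the username anywhere on the line, including inside another user's DN or as a prefix of a longer account name, so this function parses each entry and compares the mapped account exactly. The function names and sample entries are constructed for illustration; the comma-separated account list is the standard Globus grid-mapfile form.

```shell
#!/bin/sh
# Added example: exact-match lookup of a local account in a grid-mapfile.
# Function names and the sample entries written below are constructed.

# Print every DN mapped to local account $2 in grid-mapfile $1.
# Returns 0 if at least one entry maps to that account, 1 otherwise.
gridmap_dns_for_user() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            # Entry format: "quoted DN" account[,account...]
            if (!match($0, /^[ \t]*"[^"]*"/)) next
            dn = substr($0, RSTART, RLENGTH)
            accounts = substr($0, RSTART + RLENGTH)
            sub(/^[ \t]*"/, "", dn); sub(/"$/, "", dn)
            gsub(/[ \t]/, "", accounts)
            n = split(accounts, acct, ",")
            for (i = 1; i <= n; i++)
                if (acct[i] == want) { print dn; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Write a constructed sample grid-mapfile to path $1.
write_sample_gridmap() {
    cat > "$1" <<'EOF'
# constructed sample entries
"/C=US/O=NPACI/OU=SDSC/CN=Test User/USERID=ux454549" ux454549
"/C=US/O=NPACI/OU=SDSC/CN=Jane Doe/USERID=jdoe" jdoe,ux4545
"/C=US/O=NPACI/OU=SDSC/CN=Other User/USERID=ux45454" u45454
EOF
}

# Demo: grep reports two lines for ux45454, but no entry maps to that account.
sample=$(mktemp)
write_sample_gridmap "$sample"
echo "grep matches for ux45454: $(grep -c ux45454 "$sample")"
gridmap_dns_for_user "$sample" ux45454 || echo "ux45454: no mapping"
gridmap_dns_for_user "$sample" ux454549
rm -f "$sample"
```

On a real resource, pass /etc/grid-security/grid-mapfile and your own account name as the two arguments.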
After all grid-mapfiles at
each site have been updated, you will be able to use your
certificate to authenticate to each NPACI site where you have
an allocation. To continue "Getting Started"
and to verify your access to the grid, return to the Getting
Started Guide.

Understanding User Certificates
The Globus Toolkit uses the Grid Security Infrastructure
(GSI) for enabling secure authentication and communication
over an open network. GSI provides a number of useful
services for Grids, including mutual authentication and single
sign-on.
The primary motivations behind the GSI are:
- The need for secure communication (authenticated and perhaps
confidential) between elements of a computational Grid
- The need to support security across organizational boundaries,
thus prohibiting a centrally-managed security system
- The need to support "single sign-on"
for users of the Grid, including delegation
of credentials for computations that involve multiple resources
and/or sites
GSI is based on public key encryption, X.509
certificates, and the Secure Sockets Layer (SSL) communication
protocol. Extensions to these standards have been added
for single sign-on and delegation. The Globus Toolkit's
implementation of the GSI adheres to the Generic Security
Service API (GSS-API), which is a standard API for security
systems promoted by the Internet Engineering Task Force (IETF).
