Requesting a Grid Certificate
Since the authentication and authorization of resources and people working in Grid-related areas is performed by a Public Key Infrastructure (PKI), participation in Grid computing requires a certificate that adheres to the specifications of the European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA).
Due to the cooperation of the EUGridPMA with the corresponding American (TAGPMA) and Asia-Pacific (APGridPMA) associations, these certificates have a worldwide scope within the scientific field.
For Germany, the members of the EUGridPMA are the DFN (German Research Network) and the Karlsruhe Research Center (FZK). These organisations operate a so-called Certification Authority (CA), which is commissioned to issue certificates adhering to the EUGridPMA specifications.
In order for an electronic certificate to be tied to one person or resource, the owner or the party responsible for the resource, respectively, must appear personally at one of these CAs with an appropriate document to verify their identity. To simplify this process for users, so-called Registration Authorities (RA) were established; their function is to perform this identity check on behalf of the CA. LRZ is authorized to operate a DFN-PKI RA, responsible for LRZ itself and for the three universities in Munich.
Besides these classic X.509 certificates, Grid middleware can also use so-called short lived credentials (SLCs), issued by a short lived credential service (SLCS). In Germany the DFN operates such a service. The advantage is that no trip to an RA is necessary; everything can be done conveniently from your desk via the internet, provided your home institution runs an accepted identity provider. The drawback is that these SLCs are valid for a maximum of 7 days only.
Obtaining a Short Lived Credential
All you need to do is browse to the SLCS of the DFN and follow the instructions given there. This flash movie (with audio narrative) explains what is happening behind the scenes. LRZ needs to register the certificate's unique identification string and associate it with your user account.
To use a short lived credential in your browser you need the certificate in P12 format. This can easily be obtained from the SLCS by ticking the box "P12 format desired". You will then receive it only in P12 format in your /tmp directory. This file is protected with the password "DFN". How you import this file depends on the browser you use.
Obtaining a Long Lived Credential
Generating a User Certificate Request
The first step in acquiring a certificate is to generate a certificate request. The easiest way is to use a browser capable of handling certificate generation, such as Firefox 3.0 or higher (3.5 recommended). The following steps are required:
- Go to the LRZ Grid RA. The "Zertifikate" tab should be chosen after the page has finished loading.
- Click on the button named "Nutzerzertifikat". The following page contains a form in which all the entries marked with a '*' must be filled in. The PIN is required in case you later need to lock (revoke) your certificate.
  It is important that you choose the proper department from the drop-down list:
  - Leibniz-Rechenzentrum
  - Universität der Bundeswehr
  - Technischen Universität
  - Ludwig-Maximilians-Universität
  When you are done, click on the 'Weiter' button at the bottom of the page.
- You will be presented with a page containing the details you have just entered, asking you to verify that everything is correct. If you want to correct something, click on the 'Ändern' button; otherwise, if you are certain that all details are correct, click on the 'Bestätigen' button. You will then see a window like the one below:
- After the process is finished a new web page will load. Click on the 'Zertifikatantrag anzeigen' button to get a PDF form which you will have to print and fill in. Save the form, then click on the 'Beenden' button to finish the session.
  You should present this form personally to the registration authority along with documents verifying your identity (passport, driver's license, etc.) and affiliation (e.g. student ID). To arrange an appointment you can send an e-mail to grid-ra@lrz.de.
- Shortly after you deliver the document, you will receive an e-mail confirming that your certificate was processed successfully and offering two links. The first takes you to an LRZ Grid RA web page where you should choose to install the DFN certificates in your browser. The second link gives access to your user certificate; click on the 'Zertifikat importieren' button to import the certificate into your browser.
- It is recommended to protect the private key by setting a master password in the browser. In Firefox, for example, this is found in the Security tab of the Preferences menu. The password is asked for once, the first time the certificate is used after a browser restart, and again when making a backup of the certificate from the browser.
LRZ needs to register the certificate's unique identification string and associate it with your user account.
Extracting your certificate
To extract your certificate from the browser:
- Go to the Firefox preferences and select the 'Advanced' section, then click on the 'View Certificates' button.
- In the new window, select the tab named 'Your Certificates'. There should be an entry with your name under the 'DFN-Verein' category, as shown below:
- Select the certificate and click on the 'Backup...' button. Save the certificate in a safe folder under the name usercert.p12. You will be asked for a password for the exported file, which you must not lose. The file is saved according to the PKCS#12 specification, which is supported by UNICORE.
Using the certificate with Globus
For this step open a terminal window and make sure you have OpenSSL installed, which you can get from the OpenSSL website. Go to the folder where you saved the usercert.p12 file and type the following commands:
- To extract your certificate from the usercert.p12 file and save it to usercert.pem:
  openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem
  You will be asked once for the usercert import password (the one you provided when exporting from Firefox).
- To extract your private key from the usercert.p12 file and save it to userkey.pem:
  openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem
  You will be asked once for the usercert import password and twice for the new password of the PEM private key.
- Set the permissions of the generated files as follows:
  chmod 0400 userkey.pem
  chmod 0600 usercert.pem
The files usercert.pem and userkey.pem should be saved in the .globus directory in your home directory on a Unix machine. On a Windows machine the corresponding folder would be under \Documents and Settings\{Your Username}\.globus
For those who are using GSISSH-Term, authentication with the .p12 file and the browser is also possible, apart from using userkey.pem and usercert.pem. If you need to combine the .pem files back into a .p12 file (note that the command below exports PEM to P12, not the other way round), it can be done as follows:
openssl pkcs12 -export -inkey userkey.pem -out gsisshterm.p12 -name "Firstname Lastname" -in usercert.pem
Information on using the private key of a personal certificate
The role of the private key is to identify a person in the Grid. This means that anyone who manages to get access to your private key will, as far as the Grid is concerned, be identified as you. It is therefore important to make sure that the private key is accessible only by you. On Linux systems make sure that you remove all privileges from group and other users. Do not give your private key password to other people and make sure it does not accidentally fall into the wrong hands.
The default validity period for DFN certificates is one year. Renewal of the certificate is done as described above. If the identification documents provided initially are still valid, they need not be presented at the LRZ again.
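The commands under "Using the certificate with Globus", the private-key hygiene just described and the one-year validity can all be checked from one script. The following is an added example, not LRZ's or DFN's own tooling: it assumes openssl is on the PATH, hands the passwords to the functions through -passin/-passout instead of interactive prompts, and uses a constructed self-signed test certificate (make_test_p12) in place of a real DFN-issued one.

```shell
#!/bin/sh
# Added example, not LRZ's or DFN's own tooling. It scripts the extraction
# steps from "Using the certificate with Globus" and adds the checks a user
# should run on the result: key stored encrypted, file modes, key/cert match,
# and remaining validity (DFN user certificates are valid for one year).
# Assumptions: openssl is on PATH; passwords are handed to the functions as
# arguments via -passin/-passout so the steps run non-interactively.
set -eu

# Extract the certificate only (no key) from the PKCS#12 file exported from
# the browser and restrict it to owner read/write, as on the page.
extract_cert() {  # $1=p12 file  $2=p12 password  $3=output pem
  openssl pkcs12 -clcerts -nokeys -in "$1" -passin "pass:$2" -out "$3"
  chmod 0600 "$3"
}

# Extract the private key only, re-encrypted under a new password, and make
# it readable by the owner alone.
extract_key() {  # $1=p12 file  $2=p12 password  $3=new key password  $4=output pem
  openssl pkcs12 -nocerts -in "$1" -passin "pass:$2" -passout "pass:$3" -out "$4"
  chmod 0400 "$4"
}

# Succeeds if the PEM key is stored encrypted (PKCS#8 "ENCRYPTED PRIVATE KEY"
# header), i.e. a copied file alone is not enough to act as you.
key_is_encrypted() {  # $1=key pem
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Succeeds if the file has exactly the given octal mode (GNU stat, with a
# BSD/macOS fallback).
has_mode() {  # $1=file  $2=mode such as 0400
  actual=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$actual" = "${2#0}" ]
}

# Succeeds if the certificate and the private key belong together, by
# comparing the public key embedded in each.
key_matches_cert() {  # $1=cert pem  $2=key pem  $3=key password
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate stays valid for at least $2 more days; use it
# to notice in time that a renewal is due.
valid_for_days() {  # $1=cert pem  $2=days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Place the files where Globus expects them and enforce the page's modes.
install_globus() {  # $1=cert pem  $2=key pem  $3=target dir (default ~/.globus)
  dir=${3:-"$HOME/.globus"}
  mkdir -p "$dir" && chmod 0700 "$dir"
  cp -f "$1" "$dir/usercert.pem" && chmod 0600 "$dir/usercert.pem"
  cp -f "$2" "$dir/userkey.pem"  && chmod 0400 "$dir/userkey.pem"
}

# Test-fixture helper, not part of the procedure: builds a throwaway
# self-signed certificate (constructed data) and packs it into a P12 the way
# a browser export would, so the functions above can be exercised offline.
make_test_p12() {  # $1=output p12  $2=p12 password
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Test User' \
    -keyout "$tmp/k.pem" -out "$tmp/c.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$tmp/k.pem" -in "$tmp/c.pem" -name 'Test User' \
    -passout "pass:$2" -out "$1"
  rm -rf "$tmp"
}

# Usage when run directly:  P12_PASS=... KEY_PASS=... sh globus-cred.sh usercert.p12
# The passwords come from the environment rather than the command line so
# they do not show up in the process list.
if [ $# -eq 1 ]; then
  extract_cert "$1" "${P12_PASS:?set P12_PASS}" usercert.pem
  extract_key "$1" "$P12_PASS" "${KEY_PASS:?set KEY_PASS}" userkey.pem
  key_matches_cert usercert.pem userkey.pem "$KEY_PASS"
  valid_for_days usercert.pem 30
  install_globus usercert.pem userkey.pem
fi
```

The checks are the ones worth repeating after any re-export: a key file that lacks the ENCRYPTED header or is readable by group/others is exactly the situation the paragraph above warns about, and valid_for_days run from a login script gives you a month's warning before the yearly renewal.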
For any further questions please contact the LRZ Grid Team.
Apart from this, it is a good idea to familiarize yourself with the various PKI operations (policies, CRLs, etc.). General information about certificates and certification policies is available from the LRZ (Encryption, digital signatures, Certification) as well as from the DFN (both in German).