NERSC logo National Energy Research Scientific Computing Center
  A DOE Office of Science User Facility
  at Lawrence Berkeley National Laboratory 		Site Map | Help | Search
Login
Home About News & Publications HPC Users Projects
Systems Services Analytics Status & Statistics Help

HPC Users

Services

Grid

Grid Certificates
Running Grid Jobs
Grid Data Transfer
OSG and Grid Clients

External Documentation

Globus Toolkit
Open Science Grid
Navigation column
for this page:

 

Grid Computing at NERSC: Certificates

Table of Contents:

Getting a Short Lived NERSC Certificate

The NERSC Online CA now offers a quick and painless way to obtain grid certificates. You can obtain a grid certificate with a single command using this method.

If you are on a NERSC system, load the globus module to set up your environment: 

  % module load osg 
    # or "module load globus" on PDSF

On the client system (assuming you have the globus binaries in your path), simply run: 
  % myproxy-logon [-T] -s nerscca.nersc.gov

When prompted ("Enter MyProxy pass phrase:"), enter your NIM/LDAP password. You should now have a grid certificate that can be used to access NERSC systems. The -T flag is optional, and only needs to be run the first time you issue this command. This flag will pick up the necessary trust anchors, so that your grid clients can trust NERSC certificates. You can also change the default lifetime of the certificate (12 hours) using the -t flag.

Useful Options:

-l <username> NERSC username
-s <servername> Hostname for NERSC CA server
-t <hours> Certificate lifetime in hours.
Default is 12 hours. Maximum is 277 hours.
-T Download trust anchors so that your clients trust NERSC certificates.
Only need to do this the first time you get a certificate, or if your trust anchors are out of date.

You can view your certificate information at any time by logging into NIM, and clicking on the Grid certificates tab. All NERSC systems have already been pre-populated to accept these certificates, so you don't have to do anything additional in NIM.

How to obtain a DOEGrids certificate for use at NERSC

In order to use grid tools, users can also obtain and install DOEGrids user certificates. The DOE Grids web pages provide all the necessary details for the application and installation process.

The basic steps in this process are:

  • Import DOEGrids CA certificates into your browser
  • Request a user certificate
  • Retrieve the certificate via your web browser
  • Export the certificate into a pkcs12 (.p12) file
  • Convert the exported file into a Globus usercert/key pair
Once you have your usercert.pem and a userkey.pem files, you can use your certificate with Globus.

In order to login to NERSC with your grid certificate, you will first need to register your certificate information with the NIM web interface, so that this can be propagated to the grid-mapfile on the host systems.

  • Login to NIM, and click on the "Grid Certificates" tab.
  • Click on the "Add existing Grid Certificate to NIM" link.
  • Enter the appropriate information for the "Cert Subject" and "Cert Issuer" fields. You can get this information as follows:
    • Make sure you have your certificate/key pair installed in $HOME/.globus/usercert.pem and $HOME/.globus/userkey.pem on a system that has Globus installed (such as DaVinci or PDSF).
    • Load the globus module 
        % module load globus
    • Get the Cert Subject: 
        % grid-cert-info -subject
      which yields something like: 
        /DC=org/DC=doegrids/OU=People/CN=Alfred E. Newman 123456
    • Get the Cert Issuer: 
        % grid-cert-info -issuer
      which yields: 
        /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
  • Make sure you enter the above fields in the exact format as that returned by the "grid-cert-info -subject" and "grid-cert-info -issuer" commands.
  • Click on "Add Certificate"
  • It will take up to 2 hours for the certificate to be approved and propagated to the various systems. You should receive confirmation when this has happened. You can now use your grid certificate to login to NERSC systems.

Storing Your certificate on a MyProxy server

NERSC provides a MyProxy service to conveniently store and access your grid certificate from multiple systems.

Instead of creating local copies of your usercert.pem and userkey.pem files on all the systems you wish to use, you can simply store a certificate on our myproxy server (myproxy.nersc.gov), and then access this proxy certificate (also called a delegated proxy credential) from any other machine without having to make local copies of your original certificate.

To store your proxy certificate, issue this command from a machine that has your original certificate key pair: 

% myproxy-init -s myproxy.nersc.gov

Your identity: /DC=org/DC=doegrids/OU=People/CN=Joe User 123456
Enter GRID pass phrase for this identity:
Creating proxy ............................................Done
Proxy Verify OK
Your proxy is valid until: Tue Jul 24 13:47:44 2007
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user joeuser now exists on myproxy.nersc.gov.
This will prompt you for your local certificate password, and then ask you for a myproxy password. Your myproxy password will be used to pick up your delegated proxy from other machines. You can set this to anything you like as long as it meets the NERSC password requirements.

The above process stores a proxy certificate that is valid for 7 days on the myproxy.nersc.gov server under your default username. Other useful options include:

-l <username> specify an alternate user to store certificate under
-c <hours> lifetime of certificate in hours.
-c 0 will store a proxy certificate with the maximum possible lifetime i.e. the lifetime of the orginal certificate

To download a proxy certificate for use, enter the following: 

% myproxy-logon -s myproxy.nersc.gov -l joeuser

Enter MyProxy pass phrase:
A credential has been received for user joeuser in /tmp/x509up_u1234.
This will prompt you for the myproxy server password that you set above, and create up a short lived (12 hours) grid proxy certificate on your local machine. You may omit the -l flag if you used your default local username to store the certificate on the myproxy server.

In all the examples describing grid access, you can substitute the grid-proxy-init command with myproxy-logon. Instead of generating a proxy from a local certificate, it will download a proxy certificate from the myproxy server, but the end result is exactly the same.

Using MyProxy to store renewable proxy certificates

The NERSC MyProxy server (myproxy.nersc.gov) can now accept renewable credentials.

This store long term renewable credentials: 

% myproxy-init -A -k renewable -s myproxy.nersc.gov -c <HOURS>
(Set <HOURS> to 0 if you want the maximum lifetime of the cert)

To initialize the proxy: 

% grid-proxy-init
(stores a proxy in /tmp/x509up_u$UID)

To renew them using a valid existing proxy as follows: 

% myproxy-logon -a /tmp/x509up_u$UID -k renewable -s myproxy.nersc.gov
(where the /tmp/x509up_u$UID is the existing proxy file)
Computing Sciences | Computational Research Division | ESnet
LBNL Home
Page last modified: Wed, 01 Apr 2009 23:14:46 GMT
Page URL: http://www.nersc.gov/nusers/services/Grid/certificates.php
Web contact: webmaster@nersc.gov
Computing questions: consult@nersc.gov

Privacy and Security Notice 		DOE Office of Science