Grid Computing at NERSC: Certificates
Getting a Short Lived NERSC Certificate
The NERSC Online CA now offers a quick and painless way to obtain grid certificates. You can obtain a grid certificate with a single command using this method.
If you are on a NERSC system, load the globus module to set up your environment:
% module load osg
# or "module load globus" on PDSF
On the client system (assuming you have the globus binaries in your path), simply run:
% myproxy-logon [-T] -s nerscca.nersc.gov
When prompted ("Enter MyProxy pass phrase:"), enter your NIM/LDAP password. You should now have a grid certificate that can be used to access NERSC systems. The -T flag is optional and only needs to be given the first time you issue this command: it downloads the trust anchors (the CA certificates) so that your grid clients trust NERSC-issued certificates. Because this step is what bootstraps trust on the client, run it only against the hostname shown above, and repeat it only when your trust anchors are out of date. You can change the default lifetime of the certificate (12 hours) with the -t flag.
Useful options:
-l <username>    NERSC username
-s <servername>  Hostname of the NERSC CA server
-t <hours>       Certificate lifetime in hours. Default is 12 hours; maximum is 277 hours.
-T               Download trust anchors so that your clients trust NERSC certificates. Only needed the first time you get a certificate, or if your trust anchors are out of date.
You can view your certificate information at any time by logging into NIM, and clicking on the Grid certificates tab.
All NERSC systems have already been pre-populated to accept these certificates, so you don't have to do anything additional in NIM.
How to obtain a DOEGrids certificate for use at NERSC
In order to use grid tools, users can also obtain and install DOEGrids user certificates. The DOE Grids web pages provide all the necessary details for the application and installation process.
The basic steps in this process are:
- Import DOEGrids CA certificates into your browser
- Request a user certificate
- Retrieve the certificate via your web browser
- Export the certificate into a pkcs12 (.p12) file
- Convert the exported file into a Globus usercert/key pair
Once you have your usercert.pem and userkey.pem files, you can use your certificate with Globus.
In order to log in to NERSC with your grid certificate, you first need to register your certificate information with the NIM web interface, so that it can be propagated to the grid-mapfile on the host systems (the file that maps your certificate subject to your local account).
- Login to NIM, and click on the "Grid Certificates" tab.
- Click on the "Add existing Grid Certificate to NIM" link.
- Enter the appropriate information for the "Cert Subject" and "Cert Issuer" fields. Obtain these values by running "grid-cert-info -subject" and "grid-cert-info -issuer" against your usercert.pem, and enter them exactly as returned: the slash-separated DN, with the same spacing and capitalisation, since the grid-mapfile match is a literal string comparison.
- Click on "Add Certificate"
- It will take up to 2 hours for the certificate to be approved and propagated to the various systems. You should receive confirmation when this has happened. You can then use your grid certificate to log in to NERSC systems.
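The following is an added example, not NERSC's or Globus's own tooling: it derives the "Cert Subject" and "Cert Issuer" strings in the same slash-separated one-line form that grid-cert-info -subject / -issuer print, using only openssl, and shows the grid-mapfile entry that NIM ultimately propagates for that subject. The certificate it operates on is a constructed, self-signed stand-in for usercert.pem (so its issuer equals its subject, unlike a real CA-issued certificate); the local account name joeuser is an assumption.

```shell
#!/bin/sh
# Added example (not NERSC's own tooling): print a certificate's subject and
# issuer in the Globus "/DC=org/.../CN=x" layout, and build the grid-mapfile
# line that maps that subject to a local account.
set -eu

# grid_dn FILE {subject|issuer}: print the DN in the legacy slash-separated
# form used by grid-cert-info and grid-mapfile. "-nameopt compat" selects that
# layout; sed strips the "subject=" / "issuer=" label (older openssl releases
# put a space after the '=').
grid_dn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt compat | sed -e "s/^$2= *//"
}

# gridmap_line FILE LOCALUSER: grid-mapfile entry, DN quoted because it
# contains spaces.
gridmap_line() {
    printf '"%s" %s\n' "$(grid_dn "$1" subject)" "$2"
}

# Constructed sample (assumption): a throwaway self-signed certificate with a
# DOEGrids-style DN standing in for a real CA-issued usercert.pem/userkey.pem.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/DC=org/DC=doegrids/OU=People/CN=Joe User 123456" \
    -keyout "$WORK/userkey.pem" -out "$WORK/usercert.pem" 2>/dev/null
chmod 0400 "$WORK/userkey.pem"   # Globus refuses a key that others can read

echo "Cert Subject: $(grid_dn "$WORK/usercert.pem" subject)"
echo "Cert Issuer:  $(grid_dn "$WORK/usercert.pem" issuer)"
gridmap_line "$WORK/usercert.pem" joeuser
```

Paste the two printed values into NIM unchanged; if what you enter differs from what grid-cert-info reports by even a space, the grid-mapfile lookup on the host will fail and the login will be refused.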
Storing Your certificate on a MyProxy server
NERSC provides a MyProxy service to conveniently store and access your grid certificate from multiple systems. Instead of creating local copies of your usercert.pem and userkey.pem files on all the systems you wish to use, you can store a proxy certificate on our MyProxy server (myproxy.nersc.gov) and then retrieve a proxy certificate (also called a delegated proxy credential) from any other machine, without making local copies of your original certificate and key.
To store your proxy certificate, issue this command from a machine
that has your original certificate key pair:
% myproxy-init -s myproxy.nersc.gov
Your identity: /DC=org/DC=doegrids/OU=People/CN=Joe User 123456
Enter GRID pass phrase for this identity:
Creating proxy ............................................Done
Proxy Verify OK
Your proxy is valid until: Tue Jul 24 13:47:44 2007
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user joeuser now exists on myproxy.nersc.gov.
This will prompt you for your local certificate pass phrase, and then ask you for a MyProxy pass phrase. The MyProxy pass phrase is what you will use to pick up your delegated proxy from other machines, so it is the only secret protecting the stored credential; you can set it to anything you like as long as it meets the NERSC password requirements.
The above process stores a proxy certificate that is valid for 7 days on the myproxy.nersc.gov server under your default username. Other useful options include:
-l <username>  Specify an alternate user name to store the certificate under
-c <hours>     Lifetime of the stored proxy in hours. -c 0 stores a proxy certificate with the maximum possible lifetime, i.e. the lifetime of the original certificate.
To download a proxy certificate for use, enter the following:
% myproxy-logon -s myproxy.nersc.gov -l joeuser
Enter MyProxy pass phrase:
A credential has been received for user joeuser in /tmp/x509up_u1234.
This will prompt you for the MyProxy pass phrase that you set above, and create a short-lived (12 hours) grid proxy certificate on your local machine. You may omit the -l flag if you used your default local username to store the certificate on the MyProxy server.
In all the examples describing grid access, you can substitute myproxy-logon for the grid-proxy-init command. Instead of generating a proxy from a local certificate, it downloads a proxy certificate from the MyProxy server, but the end result is the same: a proxy credential in the default location (/tmp/x509up_u$UID) that the grid clients pick up automatically.
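Whether the proxy in /tmp/x509up_u$UID came from grid-proxy-init or myproxy-logon, two things are worth checking before relying on it: that it will outlive the job you are about to submit (a myproxy-logon proxy lasts only 12 hours by default), and that the file, which contains a private key, is readable only by you. The script below is an added example, not NERSC's or MyProxy's own code; it uses `openssl x509 -checkend` to avoid non-portable date arithmetic, and the six-hour threshold and the constructed self-signed sample file (a stand-in for a real proxy, which additionally carries the proxy key and the issuing user certificate) are assumptions.

```shell
#!/bin/sh
# Added example (not NERSC's or MyProxy's code): check the remaining lifetime
# and the file permissions of the proxy credential in /tmp/x509up_u$UID.
set -eu

# Default proxy location used by the Globus tools: a uid-keyed file in /tmp.
default_proxy_path() {
    printf '/tmp/x509up_u%s\n' "$(id -u)"
}

# proxy_mode_ok FILE: the proxy holds a private key, so it must be 0600.
# Parsing "ls -ld" keeps this portable across GNU and BSD stat variants.
proxy_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# proxy_needs_refresh FILE SECONDS: true (exit 0) when the proxy is missing,
# unreadable, or will have expired SECONDS from now. "openssl x509 -checkend"
# exits non-zero exactly in that last case.
proxy_needs_refresh() {
    [ -r "$1" ] || return 0
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1   # still valid SECONDS from now
    fi
    return 0
}

# Constructed sample (assumption): a throwaway self-signed certificate valid
# for one day stands in for a freshly downloaded proxy.
WORK=$(mktemp -d)
SAMPLE="$WORK/x509up_u$(id -u)"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/DC=org/DC=doegrids/OU=People/CN=Joe User 123456" \
    -keyout "$WORK/proxykey.pem" -out "$SAMPLE" 2>/dev/null
chmod 0600 "$SAMPLE"

# Assumed policy: refresh when fewer than six hours remain.
if proxy_needs_refresh "$SAMPLE" $((6 * 3600)); then
    echo "proxy has under 6h left: run myproxy-logon -s myproxy.nersc.gov"
else
    echo "proxy is good for at least 6h"
fi
proxy_mode_ok "$SAMPLE" || echo "warning: $SAMPLE is readable by other users"
```

To check the real credential rather than the sample, pass "$(default_proxy_path)" to the two functions; a proxy that fails the mode check should be removed and re-created rather than chmod'ed, since anyone who could read it may already have a copy.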
Using MyProxy to store renewable proxy certificates
The NERSC MyProxy server (myproxy.nersc.gov) can now accept renewable credentials.
To store a long-term renewable credential:
% myproxy-init -A -k renewable -s myproxy.nersc.gov -c <HOURS>
(Set <HOURS> to 0 if you want the maximum lifetime, i.e. that of the original certificate.) The -k flag gives the stored credential a name so it does not overwrite your default one. The -A flag permits renewal by a client that authenticates with a still-valid proxy for your identity instead of the MyProxy pass phrase, which is what the renewal command below relies on; use it only for credentials that need unattended renewal.
To initialize the proxy (this stores a proxy in /tmp/x509up_u$UID):
To renew it using a valid existing proxy:
% myproxy-logon -a /tmp/x509up_u$UID -k renewable -s myproxy.nersc.gov
(where /tmp/x509up_u$UID is the existing proxy file; the renewal must be run before that proxy expires)