Grid certificate

From BeSTGRID

A Grid Certificate is an X.509 certificate used to identify Grid Users and allow access to BeSTGRID Computational Grid services.

Introduction

In order to use any of the BeSTGRID Computational Grid services, a Grid User is required to identify themselves either through a University or CRI Identity Provider or by obtaining a Grid Certificate. BeSTGRID Grid Certificates are provided by the APACGrid Certificate Authority and are used by a variety of applications, such as web browsers and Grid Tools, to allow access to sites and services provided by BeSTGRID and its partners such as ARCS. This document provides an overview of how a Grid User obtains, uses, and maintains their Grid Certificate.

Grid Certificate Policies

  • A Grid Certificate expires 1 calendar year after issue and must be renewed annually.
  • A Grid Certificate must not be shared; Grid Users must have their own Grid Certificate. Shared Grid Certificates will be revoked without warning.

Prerequisites

  • Java will need to be installed and updated to the latest version
  • The APAC Certificate Authority Server certificate will need to be downloaded and installed
  • The Grix grid tool will need to be either:
    • downloaded and installed (see Grix),
    • or started using [Java Web Start link]
  • There must be no HTTP proxy or firewall blocking access to the Grix servers (listed here)

Getting a Grid Certificate

The recommended method of obtaining a Grid Certificate is with the Grix grid tool, though it may be requested directly from the APACGrid Certificate Authority.

Grid Certificate request procedure

This procedure is written for Grix v1.2.2. It has three main phases: requesting the Grid Certificate, verifying the Grid User's identity, and retrieving and installing the Grid Certificate once it has been issued. Requesting the certificate and verifying the Grid User's identity do not have to happen in any specific order, and identity verification can be done well in advance of a certificate request provided the Registry Authority Operator (RAO) can recall the identity verification. However, the Grid Certificate request will not be approved until the Grid User's identity is confirmed.

Request Grid Certificate with Grix

  1. Open the Grix application
  2. Select the Certificate tab
  3. Enter the following details in the request form fields
    • Country: NZ
    • Organisation: BeSTGRID
    • Organisation Unit: Use the full name of the organisation as indicated in the Organisation Unit Definition table below.
    • Name: The name of the Grid User (at least first name and surname)
    • Email: The email address of the Grid User (should be an email address hosted by the Grid User's parent organisation)
  4. Click on the Request button to submit the Grid Certificate request

Organisation Unit Definitions for BeSTGRID

Using consistent names in the Organisation Unit (OU) field of Grid Certificates ensures that Grid Users from the same organisation or institution can be quickly found and easily managed.

| Organisation | OU text |
|---|---|
| University of Auckland | The University of Auckland |
| University of Canterbury | University of Canterbury |
| Victoria University of Wellington | Victoria University of Wellington |
| Massey University | Massey University |
| Landcare Research | Landcare Research NZ ltd |
| Lincoln University | Lincoln University |

Verify Grid User's Identity

The Grid User will need to choose a Registry Authority Operator (RAO) from the list of approved ARCS RAOs. There may be an RAO within the Grid User's organisation, but it may be more convenient to see the closest RAO. There may be a stronger burden of proof required when meeting an RAO outside the Grid User's organisation.

The Grid User will need to provide proof of identity, preferably some form of photo ID, such as a driver's license or student ID card, when they meet the RAO. The RAO will not approve requests on behalf of other Grid Users. The Grid User and RAO must physically meet; proof of identity cannot be confirmed by email, fax, telephone, or any other communications media.

Once proof of identity has been established, the RAO may be happy to renew Grid Certificates when they expire without re-presenting proof of identity. It is recommended that proof of identity be re-established if the Grid User's circumstances change, e.g. working for a new organisation.

  1. Choose an RAO from the list of approved ARCS RAOs
  2. Contact the RAO to see if they are available, and make arrangements to meet the RAO
  3. The Grid User presents their photo ID when they meet the RAO
  4. If the RAO is satisfied with the Grid User's proof of identity, they will then approve the Grid Certificate request and contact a Certificate Authority Operator (CAO) to issue the Grid Certificate

Retrieving and Installing the Grid Certificate

  1. The Grid User should receive an automated email from the ARCS Certificate Authority Server when the Certificate Authority Operator (CAO) issues the Grid Certificate
  2. The Grid User can then do either or both of:
    • follow the link in the email to retrieve the Grid Certificate as a downloadable file
      1. Click on the link in the Grid Certificate issue notification email
      2. Check that the certificate details are correct
      3. Select CER format from the Certificate drop down menu at the bottom of the page
      4. Click on the Download button and save the certificate in a safe and secure location
      5. Locate the certificate file, right click on it and select Install
        • NOTE: This should work for Windows 2k/XP/Vista/7; some other installation process may be required for other operating systems.
    • use Grix to retrieve the Grid Certificate (recommended)
      1. Open the Grix application
      2. Select the Certificate tab
      3. If the Retrieve button is active, click on it to retrieve the Grid Certificate
      4. Once Grix has retrieved the certificate, click on Export for Browser
      5. Enter the Grid Certificate's passphrase when prompted
      6. Locate the certificate file, right click on it and select Install
        • NOTE: This should work for Windows 2k/XP/Vista/7; some other installation process may be required for other operating systems.
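
For the step "Check that the certificate details are correct", the following added example (not part of the original page, Grix or the Certificate Authority's tooling) checks the subject and validity lines printed by `openssl x509 -noout -subject -dates` against the request-form values, the OU table and the one-year expiry policy described on this page. It assumes the form fields Country, Organisation, Organisation Unit and Name appear in the issued certificate as C, O, OU and CN; the sample lines and the name "Jane Example" are constructed.

```python
import re
from datetime import datetime, timezone

# OU text copied from the Organisation Unit Definitions table on this page.
APPROVED_OUS = {
    "The University of Auckland", "University of Canterbury",
    "Victoria University of Wellington", "Massey University",
    "Landcare Research NZ ltd", "Lincoln University",
}
# Constructed sample lines in the shape printed by `openssl x509 -noout -subject -dates`.
SAMPLE = ("subject=C = NZ, O = BeSTGRID, OU = The University of Auckland, CN = Jane Example",
          "notBefore=Mar  1 00:00:00 2010 GMT", "notAfter=Mar  1 00:00:00 2011 GMT")

def parse_subject(line):
    """Parse a subject line in either OpenSSL style: '/C=NZ/O=..' or 'C = NZ, O = ..'."""
    body = line.split("=", 1)[1] if line.startswith("subject") else line
    # Split only where a new "KEY=" begins, so a comma inside a value is kept.
    parts = re.split(r"[,/]\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)", body.strip().lstrip("/"))
    attrs = {}
    for part in parts:
        key, _, value = part.partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs

def parse_date(line):
    """Parse a 'notBefore=...' or 'notAfter=...' line into an aware UTC datetime."""
    text = line.split("=", 1)[1].strip()
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def check_certificate(subject_line, not_before_line, not_after_line, now):
    """Return a list of problems; an empty list means the details match this page."""
    attrs = parse_subject(subject_line)  # assumption: form fields map to C, O, OU, CN
    start, end = parse_date(not_before_line), parse_date(not_after_line)
    problems = []
    if attrs.get("C") != ["NZ"]:
        problems.append("Country is not NZ")
    if attrs.get("O") != ["BeSTGRID"]:
        problems.append("Organisation is not BeSTGRID")
    ous = attrs.get("OU", [])
    if len(ous) != 1 or ous[0] not in APPROVED_OUS:
        problems.append("OU does not exactly match the OU table")
    if len(attrs.get("CN", [""])[0].split()) < 2:
        problems.append("Name lacks first name and surname")
    if (end - start).days > 366:
        problems.append("validity exceeds one calendar year")
    if now >= end:
        problems.append("certificate has expired; renew it")
    return problems
```

Calling `check_certificate(*SAMPLE, now=datetime.now(timezone.utc))` on the constructed sample reports only the expiry, since its validity window is in the past.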

What to do next

Once a Grid User has been issued with a Grid Certificate, they will need to use Grix to apply for BeSTGRID Virtual Organisation membership.

Renewing a Grid Certificate

A Grid Certificate is only valid for the calendar year after it is issued, and will need to be renewed near its expiry date. A Grid User will not normally have to go through the whole Grid Certificate Request process in order to renew their certificate.

This process has not yet been documented.

Revoking a Grid Certificate

If a Grid User leaves an organisation that is a BeSTGRID member, even if it is to move to another member organisation, their Grid Certificate should be revoked. If a Grid Certificate and its passphrase are stolen or otherwise compromised, it must be revoked.

Grid Users may have to request a new Grid Certificate from scratch if their Grid Certificate is revoked.

This process has not yet been documented.