You are here: Home Grid Made Easy Installing and Managing Certificates
Personal tools

Installing and Managing Certificates

After installing and configuring either the EGRID Live CD as a UI or EGRID Ready UI you need to install your certificates and create a proxy certificate to access any grid resources. The certificate should be issued by a Certification Authority (CA) trusted by the Grid system that you are accessing. CAs? are organised geographically and by research institute. Each CA has its own procedure to release certificates. The CERN web site [2.6]? maintains an updated list of recognised CAs?, as well as detailed information on how to release and install certificates of a particular CA.

Typically, you will get the following two files from the CA:

contains the private key associated with the certificate
the certificate when sent by the CA

Installing the Certificate

It is necessary to create a directory named .globus inside user's home directory and place the user certificate and keys file there, named usercert.pem and userkey.pem respectively, with the right permissions.

Step 1

Make the .globus directory and copy certificates into it:

$ mkdir ~/.globus
$ cp usercert.pem ~/.globus
$ cp userkey.pem ~/.globus
Step 2

Then you need to set the proper access rights. The userkey.pem file should only be read by the user (keep it very private!), while usercert.pem file should be readable by everyone. None of the files need any executable or write privileges.

$ cd ~/.globus $ chmod 444 usercert.pem $ chmod 400 userkey.pem

After setting permissions, listing the .globus directory should result in output similar to this one:

$ ls -l
total 12
-r--r--r-- 1 doe doe 5432 2006-07-13 13:14 usercert.pem
-r-------- 1 doe doe 1751 2006-07-13 13:14 userkey.pem



The userkey.pem file must have permissions =<600, or else most grid software will not work and the error message is not likely to direct you to the actual problem.

Checking a Certificate

After installing the certificate you can verify that the certificate is not corrupted and information is readable.

The Globus command grid-cert-info can be used to list information about the certificate:

$ grid-cert-info

If the certificate is properly formed, the output will be something like:

        Version: 3 (0x2)
        Serial Number: 48 (0x30)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=GRID@Trieste, DC=it, DC=egrid, CN=GRID@Trieste CA 1
            Not Before: May 26 16:56:04 2006 GMT
            Not After : May 26 16:56:04 2007 GMT
        Subject: O=GRID@Trieste, DC=it, DC=sissa, DC=grid, OU=people, CN=Moses Sokunbi
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Time Stamping
            X509v3 Issuer Alternative Name:
      , URI:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
                DirName:/O=GRID@Trieste/DC=it/DC=egrid/CN=GRID@Trieste CA 1

            X509v3 Subject Alternative Name:
    Signature Algorithm: sha1WithRSAEncryption

The grid-cert-info command takes many options. The -help option lists all the options supported by the command:

$ grid-cert-info -help

grid-cert-info [-help] [-file certfile] [-all] [-subject] [...]

    Displays certificate information. Unless the optional -file
    argument is given, the default location of the file containing the
    certficate is assumed:

      -- The location pointed to by the .
      -- If X509_USER_CERT not set, /home/rmurri/.globus/usercert.pem.

    Several options can be given: The output of
        "grid-cert-info -subject -issuer"
    is equivalent to that of
        "grid-cert-info -subject ; grid-cert-info -issuer"

      -help, -usage                Display usage
      -version                     Display version
      -file certfile     |-f       Use 'certfile' at non-default location

    Options determining what to print from certificate

      -all                        Whole certificate
      -subject           |-s      Subject string of the cert
      -issuer            |-i      Issuer
      -startdate         |-sd     Validity of cert: start date
      -enddate           |-ed     Validity of cert: end date

In particular, the -subject option returns the subject of the certificate:

$ grid-cert-info -subject
/O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi

The openssl x509 command can be used instead to verify the validity of a certificate with respect to the certificate of the CA that issued it. To verify a user certificate, just issue the following command from the UI:

$ openssl verify \
  -CApath /etc/grid-security/certificates \

If the certificate is valid, the output will be like this:

/home/moses/.globus/usercert.pem: OK

If the certificate of the CA that issued the user certificate is not found in -CApath?, an error message like the following will appear:

usercert.pem: /O=GRID/O=GRID@Trieste/OU=people/CN=Moses Sokunbi
error 20 at 0 depth lookup:unable to get local issuer certificate

Proxy Certificates

A proxy certificate is a delegated user credential that authenticates the user in every secure interaction, and has a limited lifetime. It prevents having to use user's own certificate, which could compromise its safety. When userkey.pem and usercert.pem files are copied to the ~/.globus directory and access privileges are set the user is in a position to generate a proxy certificate.

The grid-proxy-init command is used to generate proxy certificates. However in order to generate a proxy certificate, the user must provide the password to get the private key out of the userkey.pem file.

Creating a Proxy Certificate

To create a proxy certificate, issue the command:

$ grid-proxy-init

Your identity: /O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sukumbi
Enter GRID pass phrase for this identity:

Creating proxy.....................................................................Done
Your proxy is valid until: Fri Sep 1 23:01:57 2006

If the user gives a wrong pass phrase, the output will be:

ERROR: Couldn't read user key. This is likely caused by either
giving the wrong passphrase or bad file permissions

key file location:

Use -debug for further information.

The proxy certificate will be saved in the file /tmp/x509up_u<uid>, where <uid> is the Unix UID of the user. If the environment variable X509_USER_PROXY is defined (e.g. X509_USER_PROXY=$HOME/.globus/proxy), a proxy with that file name will be created, if possible.

If the proxy certificate file cannot be created, the output will be:

ERROR: The proxy credential could not be written to the output file.

Use -debug for further information.

If the user certificate files are missing, or the permissions of userkey.pem are not correct, the output will be:

ERROR: Couldn't find valid credentials to generate a proxy.

Use -debug for further information.

By default, the proxy has a lifetime of 12 hours. To specify a different lifetime, the -valid H:M option can be used (the proxy is valid for H hours and M minutes). When a proxy certificate has expired, it becomes useless and a new one has to be created with grid-proxy-init command. It is not advisable to create longer lifetime proxies because they imply bigger security risks.

The -help option provides a full list of options supported by he command:

$ grid-proxy-init -help

Syntax: grid-proxy-init-bin [-help][-pwstdin][-limited][-valid H:M] ...

    -help, -usage             Displays usage
    -version                  Displays version
    -debug                    Enables extra debug output
    -q                        Quiet mode, minimal output
    -verify                   Verifies certificate to make proxy for
    -pwstdin                  Allows passphrase from stdin
    -limited                  Creates a limited globus proxy
    -independent              Creates a independent globus proxy
    -old                      Creates a legacy globus proxy
    -valid <h:m>              Proxy is valid for h hours and m
                              minutes (default:12:00)
    -hours <hours>            Deprecated support of hours option
    -bits  <bits>             Number of bits in key {512|1024|2048|4096}
    -policy <policyfile>      File containing policy to store in the
                              ProxyCertInfo extension
    -pl <oid>,                OID string for the policy language
    -policy-language <oid>    used in the policy file
    -path-length <l>          Allow a chain of at most l proxies to be
                              generated from this one
    -cert     <certfile>      Non-standard location of user certificate
    -key      <keyfile>       Non-standard location of user key
    -certdir  <certdir>       Non-standard location of trusted cert dir
    -out      <proxyfile>     Non-standard location of new proxy cert

After creating a certificate it is also possible to print information about it.

Getting information about the proxy certificate

To print information about a proxy certificate, for example, he subject or the time left before expiration, use the command:

$ grid-proxy-info

The output, if a valid proxy exists, will be similar to:

subject  : /O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi/CN=proxy
issuer   : /O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi
identity : /O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi
type     : full legacy globus proxy
strength : 512 bits
path     : /tmp/x509up_u1000
timeleft : 11:49:12

If a proxy certificate does not exist, the output is:

ERROR: Couldn't find a valid proxy.
Use -debug for further information.

If the certificate exists but is no longer valid timeleft : will be indicated as 00:00:00.

Destroying a Proxy Certificate

It is also possible to destroy a proxy certificate before its expiration. The grid-proxy-destroy command is used to destroy an existing proxy certificate, though proxies already sent with jobs will still be valid when the local copy is destroyed.

Use the following command to destroy the proxy certificate:

$ grid-proxy-destroy

No output will be shown if the proxy file was successfully removed. If no proxy certificate exists, the result will be:

ERROR: Proxy file doesn't exist or has bad permissions
Use -debug for further information.

Long-term proxy creation and management

A proxy certificate created as described in the previous section can cause problems, if the job does not finish before the proxy expires, then the job will be aborted. This is clearly a problem if, for example, the user must submit a number of jobs that take a lot of time to finish: he/she should create a proxy certificate with a very long lifetime, which could increase the security risks.

To overcome this limit, a proxy credential repository system is used, which allows the user to create and store a long-term proxy certificate on a dedicated server (called MyProxy? Server). The WMS (Workload Management System) will then be able to use this long-term proxy to periodically renew the proxy for a submitted job before it expires and until the job ends (or the long-term proxy expires).

As the renewal process should starts some time before the initial proxy expires, it is necessary to generate an initial proxy that is long enough. If the renewal is triggered bit too late job will fail by giving the following error:

Status Reason: Got a job held event, reason: Globus error 131: the
user proxy expired (job is still running)

The minimum recommended time for the initial proxy is 30 minutes, and the edg-job-* commands will not even be accepted if the lifetime of the proxy credentials in the UI is lower than 10 minutes. An error message like the following will be produced:

**** Error: UI_PROXY_DURATION ****
Proxy certificate will expire within less then 00:10 hours.

The advanced proxy management can be performed using the myproxy command suite. The user must know the host name of a MyProxy? Server.

For the WMS to know what MyProxy? Server to use in the proxy certificate renewal process, the name of the server must be included in an attribute of the job's JDL file. If the user does not add it manually, then the name of the default MyProxy? Server is added automatically when the job is submitted. This default MyProxy? Server node is site- and VO- dependent and is usually defined in the UI VO's configuration file, stored at $EDG_WL_LOCATION/etc/<vo>/edg_wl_ui.conf.

Creating a long-term proxy

To create and store a long-term proxy certificate, the user must use the myproxy-init command which has the following format:

myproxy-init -s "host_name" -d -n

where -s "host_name" specifies the hostname of the machine where a MyProxy? Server runs, the -d option instructs the server to use the subject of the certificate as the default username, and the -n option avoids the use of a passphrase to access to the long-term proxy, so that the WMS can perform the renewals automatically.

Use the following command:

$ myproxy-init -s -d -n

The output will be similar to:

Your identity: /O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi
Enter GRID pass phrase for this identity:
Creating proxy .................................. Done
Proxy Verify OK
Your proxy is valid until: Fri Sep 8 11:15:37 2006
A proxy valid for 168 hours (7.0 days) for user
/O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi now
exists on

By default, the long-term proxy lasts for one week and the proxy certificates created from it last 12 hours. These lifetimes can be changed using the -c and -t option, respectively.

If the -s "host_name" option is missing, the command will try to use the $MYPROXY_SERVER environment variable to determine the MyProxy? Server.

If the hostname of MyProxy? Server is wrong, or the service is unavailable, the output will be similar to:

Your identity: /O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi
Enter GRID pass phrase for this identity:
Creating proxy .................................. Done
Proxy Verify OK
Unknown host ""

where only the last line reveals that an error occurred.

Retrieving information about a long-term Proxy

After creating a long term proxy, information about it can be retrieved. To get information about a long-term proxy stored in MyProxy? Server, the myproxy-info command which has the following format can be used:

myproxy-info -s "host_name" -d

where the -s and -d options have the same meaning as in the myproxy-init command.

Use the following command to get information about the long term proxy that was just created:

$ myproxy-info -s -d

The output will be similar to the following:

username: /O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi
owner: /O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi
timeleft: 166:19:21 (6.9 days)



The user must have a valid proxy certificate on the UI, created with grid-proxy-init command, to successfully interact with his long-term certificate on MyProxy? server.

Deleting a long-term proxy

When ever the long term proxy is not necessary it can be deleted using the myproxy-destroy command which has the following format:

myproxy-destroy -s "host_name" -d

To delete a long term proxy certificate that was just created se the following command:

$ myproxy-destroy -s -d

The output will be similar to the following:

Default MyProxy credential for user /O=GRID@Trieste/DC=it/DC=sissa/DC=grid/OU=people/CN=Moses Sokunbi was
successfully removed.

« December 2022 »
Su Mo Tu We Th Fr Sa

Powered by Plone This site conforms to the following standards: