Fusion Grid

Self-management of credentials

If you need a credential from the DOEGrids CA you must manage it yourself as its Certificate Policy does not allow third parties to know your private key. The scripts and Web interfaces described here will also work for FusionGrid CA credentials, but those credentials can more easily be kept on the Credential Manager.

Obtaining a FusionGrid credential

There are two ways of obtaining your identity credential. One way is through a script based interface described at Script Interface and the other is a Web based interface which is described at Web Interface.

The script interface is written in Perl 5 and requires the openssl and curl programs. These binaries are included in Linux, FreeBSD and MacOSX distributions or can be easily downloaded and installed. The script interface is customized for the FusionGrid use of credentials. By default it produces the certificate and key files in the directory where the grid signon program expects them. This interface requires fewer steps than the Web interface and is recommended for Unix users, especially those who change systems or browsers frequently.

The Web interface works well if you consistently run the same browser on the same machine, since your private key and certificate will be stored in the browser's internal data. It has been extensively used on IE, Mozilla and Netscape browsers and should work on any browser that supports JavaScript. Once your credential is stored in your browser you can use it to sign and encrypt mail and do renewals or revocations from your browser. However, in order to use the credential to access FusionGrid services, you must export the credential to your $HOME/.globus directory and reformat it into two files.

Certificate approval process

Whichever method you use to request a certificate, the DOEGrids CA server sends mail to all of the DOEGrids Registration Authorities (RAs) in a message that includes only the affiliation/VO name that you selected and your email address. Your RA has to recognize it as belonging to her, go to the CA web site to look at the request and see who the sponsor is. The RA sends email to the sponsor to approve the request and, once it is approved, issues the certificate. You should receive mail from the CA server within 1-2 working days after you make your request. If you have problems or are not getting a response within 2 days, please send queries to your RA, Mary Thompson.

Using your GridId

Once you have your credential stored in your $HOME/.globus directory as

you can sign on to the FusionGrid with the following commands:
set the $GLOBUS_LOCATION environment variable
source $GLOBUS_LOCATION/etc/globus-user-env.csh
grid-proxy-init -v
grid-proxy-init creates a proxy credential that is derived from your user certificate. This credential has an unencrypted private key, so that it can be used repeatedly without requiring a passphrase to be input at each use. The proxy is stored in a well-known location (/tmp/x509up_NNNN) and has a default lifetime of 12 hours.
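As an added example, not part of the original page, the following Bourne-shell wrapper performs the signon steps above with an explicit proxy lifetime and then checks that the unencrypted proxy file is readable only by you. It assumes the .sh variant of globus-user-env exists beside the .csh one, and that the default proxy path follows the /tmp/x509up_NNNN pattern with NNNN being your numeric uid (or the path in X509_USER_PROXY, if set).

```shell
#!/bin/sh
# Added example, not FusionGrid's own code. Assumes $GLOBUS_LOCATION/etc/globus-user-env.sh
# exists and that the default proxy file is /tmp/x509up_u<uid> (page pattern: x509up_NNNN).

# Return 0 if FILE exists, is owned by the calling user and has no group/other
# permission bits; the proxy's private key is unencrypted, so anything looser
# lets other local users impersonate you until the proxy expires.
proxy_is_private() {
    f=$1
    [ -f "$f" ] || { echo "no proxy file at $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)        # e.g. -rw-------
    owner=$(ls -ld "$f" | awk '{print $3}')
    case "$mode" in
        ?rw-------) ;;                      # owner read/write only: acceptable
        *) echo "$f has mode $mode, expected rw-------" >&2; return 1 ;;
    esac
    [ "$owner" = "$(id -un)" ] || { echo "$f is owned by $owner, not you" >&2; return 1; }
    return 0
}

# Sign on for HOURS hours (default 12, the grid-proxy-init default) and verify
# the resulting proxy file. Requires GLOBUS_LOCATION to be set first.
fusiongrid_signon() {
    hours=${1:-12}
    [ -n "$GLOBUS_LOCATION" ] || { echo "set GLOBUS_LOCATION first" >&2; return 1; }
    . "$GLOBUS_LOCATION/etc/globus-user-env.sh"
    proxy=${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}   # assumed default naming
    grid-proxy-init -v -hours "$hours" -out "$proxy" || return 1
    proxy_is_private "$proxy"
}

# Usage (interactive): fusiongrid_signon 8   # 8-hour proxy, then permission check
```

Shorter proxy lifetimes limit the window in which a leaked /tmp proxy is useful; the permission check fails loudly rather than silently continuing.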

Renewing your certificate

Due to the policy constraints of the DOEGrids CA, certificates are only valid for one year. They can be renewed either through the script or Web interface. The renewal interface keeps the same private/public key and gives you a new certificate identical to the old one except for a new validity period. Unfortunately, the new certificate is not valid until the old one expires.

A new Web and script interface has been provided called "certificate replacement" that takes an existing certificate, creates and automatically issues a certificate with the same Distinguished Name that is valid immediately. Unlike the renewed certificate, this one has a different private/public key pair.

The National Fusion Collaboratory Project

Last modified Wednesday, 27-Jun-2007 10:42:37 PDT