| 1 | +--- |
| 2 | +sort: 2 |
| 3 | +title: Getting a GRID certificate |
| 4 | +--- |
| 5 | + |
| 6 | +# Getting a GRID certificate |
| 7 | + |
| 8 | +We will illustrate how to get, renew, register and prepare your digital certificates to use the ALICE Grid services. |
| 9 | + |
| 10 | +## Obtain a digital certificate |
| 11 | + |
| 12 | +Your home institute may provide you with a digital certificate. However, we reccommend you get one from CERN, because the procedure is very easy and automated when you have a CERN account. |
| 13 | + |
| 14 | +* [Generate a new CERN Grid User certificate](https://ca.cern.ch/ca/user/Request.aspx?template=EE2User) |
| 15 | + |
| 16 | +You will be asked whether you want to protect your certificate with a password. Note that in most cases you will not be allowed to import the certificate if you don't specify a password, so please protect it with a password. |
| 17 | + |
| 18 | +**This is not your CERN password. Use a new, arbitrary one.** |
| 19 | + |
| 20 | +Proceed until you get a message saying that your certificate is ready to be downloaded: click on it and a file called `myCertificate.p12` will be downloaded. |
| 21 | + |
| 22 | +## Register your certificate in your browser |
| 23 | + |
| 24 | +There are several ways to add your newly downloaded certificate to your browser, and they depend on the browser and the operating system. We will focus on Firefox as an example. |
| 25 | + |
| 26 | +Open Firefox, go to the **Preferences**, select **Privacy and security** on the left hand menu. Scroll the settings page to the bottom and click on the **Show certificates...** button. |
| 27 | + |
| 28 | +A new window will open: click the **Personal certificates** tab. Click **Import...** and select the `myCertificate.p12` file you have just generated. Type the password you have used in the previous step (this is not your CERN password). |
| 29 | + |
| 30 | +Your newly imported certificate will appear in the list. |
| 31 | + |
| 32 | +## Add the CERN Grid certificates to your browser |
| 33 | + |
| 34 | +In case you navigate to an ALICE HTTPS site and you get a security warning, it is probably because your browser does not have any means to recognize the site as valid. |
| 35 | + |
| 36 | +*Most people ignore security exceptions. **Do not do that, ever.** This is bad, very bad. Someone can steal your data. For real. Without you knowing it.* |
| 37 | + |
| 38 | +Go to [this site](https://cafiles.cern.ch/cafiles/certificates/Grid.aspx), there are two links at the bottom of the page saying "CERN Root/Grid Certification Authority", etc.: with Firefox as your browser, click on both of them, and Firefox will ask you if you want to "trust" them: say "yes" to all questions. |
| 39 | + |
| 40 | +## Test your browser setup |
| 41 | + |
| 42 | +Navigate to the [ALICE Grid monitoring](https://alimonitor.cern.ch/) page. If you have your personal certificate installed, and the CERN Grid certificates installed as well, Firefox should ask you to select a certificate to be used to authenticate to the site. |
| 43 | + |
| 44 | +In case you have many, select the one that identifies you (it should have your full name somewhere) issued by the CERN Grid Certification Authority, and tell Firefox to remember it. |
| 45 | + |
| 46 | +You should be able to see the page without further ado. Next to the address bar, a green lock icon should appear. If you see broken locks, red icons, warnings of various kinds, then there is some kind of security problem and you should repeat the steps above. |
| 47 | + |
| 48 | +## Register your certificate to the ALICE Grid |
| 49 | + |
| 50 | +This operation needs to be performed only once. With Firefox, click on [this link](https://alien.web.cern.ch/content/register-alice-virtual-organization) and follow the guided procedure, after having selected your personal certificate for authenticating. |
| 51 | + |
| 52 | +## Convert your certificate for using the Grid tools |
| 53 | + |
| 54 | +Keep at hand the `myCertificate.p12` file you have previously downloaded. You need to convert it into two files (a "certificate" and a "key") in order to use the ALICE Grid services from the command line. |
| 55 | + |
| 56 | +You will export your certificates to the following directory: |
| 57 | +```bash |
| 58 | +~/.globus |
| 59 | +``` |
| 60 | + |
| 61 | +Now export the certificate with the following command (you will be prompted for the export password you have selected when you have generated it): |
| 62 | +```bash |
| 63 | +openssl pkcs12 -clcerts -nokeys -in ~/Downloads/myCertificate.p12 -out ~/.globus/usercert.pem |
| 64 | +``` |
| 65 | + |
| 66 | +The result will be a file called `usercert.pem` in your `~/.globus` directory. Note that your input file ending with `.p12` may have a different name and may be stored in a different location. |
| 67 | + |
| 68 | +Time to export the **private key**: |
| 69 | +```bash |
| 70 | +openssl pkcs12 -nocerts -in ~/Downloads/myCertificate.p12 -out ~/.globus/userkey.pem |
| 71 | +chmod 0400 ~/.globus/userkey.pem |
| 72 | +``` |
| 73 | +When it says: |
| 74 | +```bash |
| 75 | +Enter Import Password: |
| 76 | +``` |
| 77 | +you should provide it with the export password you have entered when you generated it. The next question will be: |
| 78 | +```bash |
| 79 | +Enter PEM pass phrase: |
| 80 | +``` |
| 81 | +You should provide it with another password that will be used to protect the private key. You can use the same password as before if you want, but please **do not use your CERN password** (yes, we are stressing this point a **lot**). This question will be asked twice for confirmation. |
| 82 | + |
| 83 | +## Test your certificate |
| 84 | + |
| 85 | +Your certificate will be available to the ALICE Grid command line client. |
| 86 | + |
| 87 | +Enter your ALICE environment and create a "temporary access token": |
| 88 | +```bash |
| 89 | +alienv enter O2Physics/latest |
| 90 | +alien-token-destroy |
| 91 | +alien-token-init YOUR_ALIEN_USERNAME |
| 92 | +``` |
| 93 | + |
| 94 | +This assumes you have completed your [installation](https://aliceo2group.github.io/analysis-framework/docs/gettingstarted/installing.html). You do not have either `alienv` or the `alien-token-*` commands available in case you have never done it. |
| 95 | + |
| 96 | +The `alien-token-init` command will ask you for a password. This is the last password you have used when you have converted your `.p12` certificate into two `.pem` files. |
| 97 | + |
| 98 | +### Creating JAliEn and AliEn tokens |
| 99 | +Note that the new JAliEn Grid clients automatically create tokens, while AliEn-ROOT-Legacy (ROOT5) requires running alien-token-init manually. There is alien-token-init for JAliEn, and you can use it to test your credentials or (re)create tokens manually. |
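Review bot: the "Convert your certificate" steps (lines 56-72) never create the target directory, so `openssl pkcs12 ... -out ~/.globus/usercert.pem` fails on a fresh machine with "No such file or directory"; add `mkdir -p ~/.globus` before the first `openssl` command, and consider `chmod 0700 ~/.globus` alongside the existing `chmod 0400 ~/.globus/userkey.pem` so the key is not world-readable through the directory. On lines 57-59 the `~/.globus` path is wrapped in a `bash` fence as if it were a command; inline code or a plain-text fence would avoid readers pasting it into a shell. Line 12 has a typo ("reccommend" should be "recommend"). Line 38's "say 'yes' to all questions" sits uneasily next to line 36's warning against blindly accepting security exceptions; it would help to state which trust purpose the CA needs (identifying websites) and that the download page is the CERN-hosted one linked in that sentence. Line 98's `###` heading is missing a blank line before it, and the sentence "There is alien-token-init for JAliEn, and you can use it ..." on line 99 reads awkwardly; something like "JAliEn also provides `alien-token-init`, which you can use to test your credentials or (re)create tokens manually" is clearer.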