Introduction
The middleware used by the high-throughput computing service (HTC, also known as the computing grid) of the SCIGNE platform is based on the Grid Community Toolkit (previously known as the Globus Toolkit), which uses X.509 certificates for authentication. The certificate simplifies access (single sign-on) to the various components that make up the worldwide computing grid and makes their use more secure.
This document describes how to obtain and manage a certificate for using grid resources, whether on the SCIGNE platform or on the EGI and WLCG infrastructures.
Digital Certificates
A digital certificate is like a digital identity card. It makes it possible:
- to state the nature of the certificate owner (user, service or machine) and the validity period of the information it contains;
- to authenticate and obtain a set of privileges on grid services;
- to ensure the confidentiality of exchanges through data encryption;
- to ensure non-repudiation and data integrity through digital signatures.
The certificate is issued by a certification authority that acts as a trusted third party. For French institutions (CEA, CNRS, INRAE, INRIA, INSERM, universities, …), certificates are issued by the TCS. Each institution has its own way of issuing them:
- directly via the Renater portal;
- by setting up a dedicated portal.
CNRS staff obtain their certificate from a dedicated portal: SESAME.
Obtaining a User Certificate
To obtain a certificate that can be used with the high-throughput computing service, two steps are necessary. First, you have to request a certificate from the certification authority; then you must register the issued certificate with the vo.scigne.fr VO.
Requesting a User Certificate
A CNRS certificate can only be obtained by staff whose JANUS identifier points to an e-mail address in a domain managed by the CNRS. If this is not the case, you must go through the authority that owns the domain name. For example, staff of the Creatis laboratory, whose domain name is managed by INSA, need to contact INSA to obtain a certificate.
To obtain a certificate, follow these steps:
1. Connect to the SESAME portal: https://sesame.cnrs.fr/
2. Click on “Manage my certificates”.
3. Identify yourself using your CNRS identifiers. To do this, select “CNRS - Unit staff” and go to the next step. You will then be asked to identify yourself with your Janus identifiers.
4. Request a certificate by clicking on the “Request a new personal certificate” button.
5. Choose a strong password to protect the certificate (see the ANSSI Guide).
6. The generated certificate is then automatically downloaded to your computer.
Once your certificate has been downloaded, back it up and store it in a safe place. It can also be loaded into the browser by following the procedure described in the section Certificate Management with Firefox.
Registration with the Regional VO
In order to perform computations on the SCIGNE HTC service, you must register your certificate with the vo.scigne.fr VO by going to the registration page. Registering with the VO gives you a set of rights on the regional computing grid. Once the form is completed, you will receive an email message asking you to confirm your request. It is important to reply to this message in order to join the regional VO.
Once your application is validated, you can use your certificate to access the regional computing grid and perform calculations.
Registration with Other VOs
Other VOs are available and give access to larger computing and storage resources. Do not hesitate to contact the SCIGNE support team for more information on how to access them.
You will find below the list of supported VOs and the link to register with each of them:
- alice: https://alice-auth.cern.ch/
- belle: https://voms.cc.kek.jp:8443/voms/belle
- biomed: https://iam-biomed.ijclab.in2p3.fr
- cms: https://cms-auth.cern.ch/
- vo.agata.org: https://iam-agata.ijclab.in2p3.fr/
- vo.complex-system.eu: https://voms2.hellasgrid.gr:8443/voms/vo.complex-systems.eu/register/start.action
- vo.france-grilles.fr: https://iam.mesonet.fr
The global list of existing VOs is available on the Operation Portal. If you would like the platform to support other VOs, please feel free to contact the SCIGNE team!
Renewing a User Certificate
Each year, two months before your certificate expires, you will receive an email inviting you to renew it. Renewal is done by logging on to the site indicated in the message. The renewed certificate does not need to be re-registered with the regional VO.
Certificate Management with Firefox
The certificate is used with your browser to access secure sites. This section explains how to import and export certificates in Firefox, which we recommend using to manage your certificate. The procedure may vary slightly depending on the version of Firefox you are using.
Saving your certificate is important so that you can restore it if you need to reinstall your browser, or if you want to use it with other software (such as tools for accessing the HTC service, an email client, etc.).
Import a Certificate
To import your digital certificate into Firefox, follow these steps:
1. Go to the main menu and select Edit > Settings.
2. Select the Privacy and Security tab and then, in the Security section, the View Certificates… button.
3. In the Your certificates tab, click on the Import… button.
4. A new window lets you select the file to import. Once you have selected the file containing your certificate, a dialog box will ask you for the Firefox Password Manager password, and another window will ask for your primary password.
Once all the previous steps have been completed successfully, the certificate appears in the certificate list.
Export a Certificate
To export a certificate from Firefox, follow the steps below:
1. Go to the Edit > Settings menu entry and select Privacy and Security > View Certificates….
2. In the Your certificates tab, select the certificate you want to export and click on the Backup… button.
3. Firefox will ask you for the file name under which to back up your certificate. It will be stored in the PKCS12 file format (.p12 extension).
4. A dialog box will open and ask you for your primary password, then twice for the password that will be used to encrypt your certificate. Make sure this password is strong enough and is stored in a secure location.
Once the passwords are validated, Firefox saves your certificate at the given path.
Certificate Management with the Command Line
The tools used to access the HTC service (job and storage management) require a valid certificate in X.509 format. This certificate consists of two files placed in the $HOME/.globus directory:
- userkey.pem - the private key
- usercert.pem - the certificate (public key)
These files are generated with the openssl command from the PKCS12 file backed up from Firefox. In the following example, the backed-up certificate is named cert.p12. The private key and the certificate are extracted with:
$ openssl pkcs12 -nocerts -in cert.p12 -out ~/.globus/userkey.pem
$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~/.globus/usercert.pem
$ chmod 400 ~/.globus/userkey.pem
$ chmod 400 ~/.globus/usercert.pem
$ ls ~/.globus
-r-------- 1 user group 1935 Feb 16 2010 usercert.pem
-r-------- 1 user group 1920 Feb 16 2010 userkey.pem
The first command prompts for the PKCS12 import password and then for a pass phrase that encrypts userkey.pem on disk; the chmod command restricts access to the two files to their owner.
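The script below is an added example, not part of the SCIGNE documentation: it runs the same openssl conversion non-interactively and then performs the checks an operator would want before using the grid tools: that both files have mode 0400, that userkey.pem really belongs to usercert.pem, and that the certificate is still valid for a given number of days (a local counterpart to the renewal reminder sent two months before expiry). Because it must run offline, the PKCS12 input is constructed from a throwaway self-signed certificate rather than a CA-issued one; the passwords are taken from the environment variables P12PASS and KEYPASS (an assumption of this example) so they do not appear in the process list, and the target directory is a parameter instead of $HOME/.globus.

```shell
#!/bin/sh
# Added example (not SCIGNE project code): PKCS12 -> $HOME/.globus PEM pair,
# followed by the checks an operator would run before using the grid tools.
# Passwords come from $P12PASS (PKCS12 import password) and $KEYPASS
# (pass phrase protecting the extracted private key).
set -u

# Build a throwaway self-signed certificate valid for $2 days and bundle it
# as $1/cert.p12. CONSTRUCTED test data only: a real grid certificate is
# issued by the CA portal and is never self-signed.
make_test_p12() {
    dir=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/C=FR/O=Example Lab/CN=Test User" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/cert.p12" -passout env:P12PASS
    rm -f "$dir/key.pem"   # only the backup remains, as after a Firefox export
}

# The conversion from the documentation, made non-interactive: $1 is the
# PKCS12 backup, $2 the target directory (normally $HOME/.globus).
# The private key stays encrypted on disk under $KEYPASS.
extract_pem() {
    p12=$1; globus=$2
    mkdir -p "$globus" && chmod 700 "$globus"
    openssl pkcs12 -nocerts -in "$p12" -passin env:P12PASS \
        -out "$globus/userkey.pem" -passout env:KEYPASS
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin env:P12PASS \
        -out "$globus/usercert.pem"
    chmod 400 "$globus/userkey.pem" "$globus/usercert.pem"
}

# Succeeds only when both PEM files exist with mode exactly 0400.
check_globus_perms() {
    for f in "$1/userkey.pem" "$1/usercert.pem"; do
        [ -f "$f" ] || return 1
        [ -n "$(find "$f" -perm 400)" ] || return 1
    done
    return 0
}

# Succeeds when the public key embedded in usercert.pem equals the one
# derived from userkey.pem, i.e. the two files really belong together.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1/usercert.pem" -noout -pubkey)
    from_key=$(openssl pkey -in "$1/userkey.pem" -passin env:KEYPASS -pubout)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds when usercert.pem is still valid for at least $2 more days.
# The renewal reminder arrives two months before expiry, so 60 is a
# sensible threshold for a local check.
cert_valid_for_days() {
    openssl x509 -in "$1/usercert.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demonstration on a 30-day test certificate: it passes a 10-day check and
# fails a 60-day one, so the renewal message is printed.
demo() {
    work=$(mktemp -d)
    export P12PASS=constructed-p12-pass KEYPASS=constructed-key-pass
    make_test_p12 "$work" 30
    extract_pem "$work/cert.p12" "$work/globus"
    check_globus_perms "$work/globus" && echo "permissions: ok"
    key_matches_cert "$work/globus" && echo "key/cert pair: ok"
    cert_valid_for_days "$work/globus" 10 && echo "valid for 10 more days: ok"
    cert_valid_for_days "$work/globus" 60 || echo "renewal needed within 60 days"
    rm -rf "$work"
}
demo
```

For a real backup, point extract_pem at the .p12 exported from Firefox and at $HOME/.globus; the same three checks then tell you whether the key pair is usable by the HTC tools and when to expect the renewal email.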
Supplementary Documentation
The following documents provide further information about X.509 certificates: