Sponsored by BMBF Logo

AstroGrid-D Membership

How to request a certificate and become a member of the AstroGrid-D

Quick Reference

  • Besides your name and e-mail address, you will need the following information:
    • your passport or identification card number,
    • your institute acronym
    • the e-mail of your local RA and
    • a password, which you will use often.
  • Run one of the following scripts:
    if Globus is not installed:
    perl openssl_generate_user_req.txt -u "first_name last_name" -i institute_acronym -r RA_email_address
    if Globus is locally installed:
    perl generate_user_req.txt -u "first_name last_name"
  • E-mail the file request.pem file as an attachment to the local RA.
  • A few days later your certificate will arrive as an e-mail from the CA.
    Copy it into ~/.globus where your key already resides.
  • Convert your certificate:
    openssl pkcs12 -export -inkey ~/.globus/userkey.pem -in ~/.globus/usercert.pem -out ~/usercert.p12 -name p12_user_certificate

  • Import the certificate into the browser
  • Register with the VO Membership Registration Service VOMRS

1. User-Certificate

For access to the AstroGrid-D each individual needs a signed X.509 certificate. One applies for the certificate at the local registration authority (RA), i. e. the institute member responsible for handling Globus certificates. For a request three files are created: A request file to be e-mailed to the RA, usercert-file (empty) and a private, password protected key file. This key file will later be used to authorise the usage of the certificate.

For the request four items have to be determined:
1. The name of the person applying (e. g. "Karl Schwarzschild").
The name is composed of first name and second name. If several people at one institute have the same name, a distinctive initial must be added.
2. The pre-defined acronym for your institute, e. g. "AIP".
This is also called the "OU" (for organisational unit).
The RA list also contains the list of defined OUs. A few institutes use two levels of OUs, i. e. the institute acronym (1st level) and the sub unit (2nd level).
3. The e-mail address of the local root authority as given in the RA list.
4. Your password. 
A good password is nine letters long or more, contains special characters but no dictionary words.
Between sending out the request and the first use of the certificate a few days may pass. Take care not to forget your password in the meantime.

From your name and the institute's OU the "distinguished name" (DN) is formed, which uniquely identifies each user. Example:
/O=GermanGrid/OU=AIP/CN=Karl Schwarzschild
The actual certificate request is created by a program which is part of the Globus-helper package (see below for direct download links to the program). There are two versions:

A) If Globus toolkit is not installed: OpenSSL

Download openssl_generate_user_req.txt. (this is actually a perl script but called .txt for technical reasons)

If Globus is unavailable, OpenSSL can be used to create the key. It is available for all unix versions and already installed in most cases. The script that creates the request is called openssl_generate_user_req.pl. The syntax:

perl openssl_generate_user_req.txt -u "FirstName LastName" -i InstituteAcronym -r RA_Email

B) If Globus toolkit is installed

Download generate_user_req.txt . (this is actually a perl script but called .txt for technical reasons)

If the Globus toolkit is already installed locally or the user can remotely log onto a machine with Globus, one can use the script generate_user_req.pl which is slightly easier to use. The syntax:

perl generate_user_req.txt -u "FirstName LastName"

Both scripts ask the user to enter their certificate password. The error message unable to write 'random state' can be ignored. Your distinguished name is shown to you at the end and you should carefully check it for spelling mistakes etc. At the end a request file is created, named like FirstName_SecondName_usercert_request.pem. If you noticed an error in your data, you can just re-run the script. In this case, you must additionally use the option -f (force) to overwrite the last set of request and key files.

When the files are successfully create, you must e-mail the request.pem file as an attachment to your local RA. In order to identify yourself you must provide your office phone number and a passport or ID-card number in this email that the local RA will register.

All cert files (userkey.pem, usercert.pem)  reside in the directory ~/.globus. For security matters this key should only be readable for the owner (perms:600). Take care not to edit or overwrite the key file after you emailed your certificate request because your certificate can only be authorised by the corresponding key file. Thus you must also not call the certificate request script again, once you send out a valid request.

When the RA receives your request, they will check and confirm it and forward it to the root certificate authority ("Root-CA"). For AstroGrid-D this is either the FZK or the DFN. After a few days you will receive your valid and signed certificate as an email. You must save it into the Globus certificate directory ~/.globus.

cat obtained_certfile > $HOME/.globus/usercert.pem
C) Web Interface
As a new, easier alternative the FZK now also offers a Web Interface to require or update a certificate. Application and retrieval are handled in your browser (make sure that you use the same browser installation at all times!). If you use this method, the certificate will be imported in your browser. To use it for globus, you must export and convert it. In most cases you will find the certificate options in your browser at "Preferences [ / Advanced ] / Security" or look at the cern step by step guide or the GridKa help pages for more details about different browsers. You will be given the option to export your certificate in a p12 format. To convert this p12 file into the globus readable "pem" format, you can either use

Then move the two resulting files into $HOME/.globus.

For accessing the AstroGrid-D you will need the signed certificate, your key and the corresponding password.

2. VOMRS-Registration

To join the "virtual organisation" AstroGrid-D you must register at the "Virtual Organisation Membership Registration Service" (VOMRS) of the AstroGrid-D. to do this you just need to access the VOMRS web page and confirm your intention by email. However, your browser first will need  your certificate to set up the connection. For this purpose the certificate must first be converted form the "pem" format into the "p12" format which can be read by all web browsers. Use openssl to do this:
openssl pkcs12 -export -inkey ~/.globus/userkey.pem -in ~/.globus/usercert.pem -out ~/usercert.p12 -name p12_user_certificate

The exact procedure to import the certificate depends on your browser. As already mentioned in 1.C), you will find the import option at "Preferences [ / Advanced ] / Security". You can use this step by step guide to help you.

Once the certificate is imported you can access the AstroGrid-D VOMRS web page and register. If the VOMRS server returnes an error, your certificate is not imported properly (e.g. you are using a different browser). The detailed steps to register will be explained to you on that web page. The VOMRS management must confirm your registration which may take a couple of days.
VOMRS registration includes that the Acceptable Usage Policies (AUP) are acknowledged by the registrant.
Only those users registered to the VOMRS will get access to the distributed resources (workstations, clusters, etc.), potentially restricted depending on your virtual organisation membership. The use of a specific resource is possible only if the user's distinguished name (DN) has been copied form the VOMRS into the local access file (grid-mapfile). It may take a few days until this file has been updated on all grid resources.

3. Grid Access

Once you are fully registered and the grid-mapfiles have been updated you will be allowed to access most grid resources of the AstroGrid-D or to run jobs. Everywhere you will be assigned an identical user name ("agdusr###"). The easiest way to actually use Globus is an installation on your local machine. Otherwise you may choose to remotely log onto a machine where Globus is installed to start your jobs.

A limited but platform independent access is possible using a Java client called Grid Application Toolkit .

The number of commands and components of the Globus toolkit is very large. As an introduction you may try the IBM redbook SG246778, "Introduction to Grid Computing" (3,3 MB, 300 pages).

4. FAQ

What happens if I overwrite my key or forget my password?
You will be unable to use your certificate. When you report the problem to your local RA your old certificate will be declared as invalid. You must create a new request with the method above. These things happen.
How long will my certificate be valid? 
One year.
What does Globus do with my certificate?
Using so called "public key infrastructure" (PKI) and querying the root- certificate authority the validity of the certificate and your authorisation is checked. The user client checks the resource certificate and vice versa.
Are there other applications for my certificate?
The X.509 standard is widely used in many applications, for example to sign documents, e. g. using Open Office.