DigiCerts
DOEGrids CA retirement is March 31, 2013
The DOEGrids CA will cease issuing certificates on March 31, 2013. After this date, it will not be possible to request a personal, host or service certificate from DOEGrids. All currently issued certificates will remain valid until their expiration date. The Open Science Grid has a transition plan in place at OSG CA Transition.
OSG operates a public key infrastructure (PKI) as part of its identity management services, with CA services from DigiCert. The OIM page now has a "Certificate" tab where one can request a personal certificate as well as host and service certificates.
It is also possible to register as a "Grid Admin" for host and service certificates, which makes it much easier to request and approve host/service certificates.
The following are the steps needed to switch from DOEGrids to DigiCert (via the OSG PKI).
You can also follow the BNL notes at
https://www.racf.bnl.gov/docs/howto/grid/osg-certificates
For most users, the main steps you will need to complete are:
- Request a personal grid certificate
- Download the grid certificate (.p12 file) and note the new DN for this grid certificate
- Upload the new grid certificate to your web browser
- Transfer the grid certificate (.p12 file) to the local system where you work and create the .pem files for voms-proxy usage
- Add the new grid certificate information to the Atlas VO
For grid administrators, there is a special section with extended directions further down on this page.
Request a Personal Grid Certificate
You request a personal certificate via OIM at
https://oim.grid.iu.edu/oim/certificate.
Click on "Request new" under "User Certificates". You need to choose the VO "Atlas". For your sponsor, choose Rob Gardner:
rwg@uchicago.edu.
At some point the request will be granted. Unfortunately this may take a while, but if it takes more than a couple of weeks, email one of your responsible grid administrators to expedite the process.
Download the grid certificate (.p12 file) and note the new DN for this grid certificate
Eventually you will receive an email giving instructions on how to retrieve your personal certificate. You will receive one email that looks like:
Notification of Ticket Change
https://ticket.grid.iu.edu/goc/14434
Description:
Dear Samuel Meehan,
Your user certificate request has been approved.
> From: Rob Gardner [mailto:rwg@hep.uchicago.edu]
Sent: Wednesday, April 03, 2013 3:13 PM
To: Baltz, William
Cc: 'samuel.meehan@cern.ch'
Subject: Re: VO-ATLAS Certificate Request for Samuel Meehan
Approve.
On Apr 3, 2013, at 2:11 PM, "Baltz, William" <wbaltz@bnl.gov> wrote:
**To retrieve your certificate please visit https://oim.grid.iu.edu/oim/certificateuser?id=384 and click on Issue Certificate button.**
This is the email that contains the link at the bottom that you need to follow to obtain the .p12 file that is your grid certificate. The key point is that you can only retrieve your new certificate from the same web browser from which the request was made. Should the browser information become lost, the password be forgotten, etc., you will be forced to ask for a "renewal", which can again take several weeks.
The second thing you need to note from these emails is your new DN. This is the piece of information that needs to be entered into the USATLAS Virtual Organization database by John Hover to identify you when you try to set up your voms-proxy through BNL. You will receive an email like:
Description:
Dear William Baltz, Alain Deximo (ATLAS VO RAs),
An unauthenticated user; Samuel Meehan <samuel.meehan@cern.ch> has requested a user certificate. Please determine this request's authenticity, and approve / disapprove at https://oim.grid.iu.edu/oim/certificateuser?id=384
User has manually entered sponsor information with name: Rob Gardner. RA must confirm the identity of this sponsor. RA should also consider registering this sponsor for this VO.
NOTE: User is registering OIM contact & requesting new certificate: contact id:1193
NOTE: Requested DN: **/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Samuel Meehan 1193**
OSG-GOC goc@opensciencegrid.org
The bold line at the bottom is your "DN", which will need to be used later when adding this certificate to the Atlas VO.
Upload the new grid certificate to your web browser
Once you have the PKCS#12 (.p12) file saved to disk, you can then import the certificate into your browser. However, be warned: at this point this certificate is NOT authorized to access any Atlas resources.
Google Chrome
To do this in Google Chrome, follow this path of links:
Settings-->Advanced-->HTTPS/SSL-->[Manage Certificates]
Add the grid certificate by clicking the plus at the bottom of this window and selecting the new certificate you just retrieved.
Transfer the grid certificate (.p12 file) to the local system where you work and create the .pem files for voms-proxy usage
Once you have the PKCS#12 (.p12) file saved to disk, you can then move it over to the Linux system where it can be converted into PEM files.
However, be warned: at this point this certificate is NOT authorized to access any Atlas resources.
To do this, move the .p12 file to the .globus directory in your home area on the system where you will use the grid tools. In this directory, execute the following two commands:
Generate cert:
openssl pkcs12 -in CERTIFICATEFILE.p12 -clcerts -nokeys -out usercert.pem
Generate key:
openssl pkcs12 -in CERTIFICATEFILE.p12 -nocerts -out userkey.pem
Both commands will ask for the import password that unlocks the .p12 file, and the second will then ask you to create a pass phrase for the userkey.pem file. This is the pass phrase you enter when you run voms-proxy-init. Once you have created these files, restrict their permissions with chmod so that they match the listing below; otherwise, when you try to initialize your voms-proxy, it will complain that the key is not protected well enough:
-r-----r-- 1 meehan mwt2 5742 Apr 9 10:10 user_certificate_and_key.U384.p12
-r-------- 1 meehan mwt2 2201 Apr 9 10:10 usercert.pem
-r-------- 1 meehan mwt2 1887 Apr 9 10:10 userkey.pem
NOTE that at this point this certificate is NOT authorized to access any Atlas resources and so if you try to request a voms-proxy-init you will not be successful until you get approval by John Hover from BNL.
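The conversion and permission steps above, as an added shell example (not from the original page or the OSG tools): it wraps the two openssl commands, applies the 0400 mode shown in the listing, verifies it, and prints the certificate's DN in the slash form OSG and VOMS use. It assumes the openssl CLI is installed and reads the .p12 import password and the new key pass phrase from the constructed environment variables P12_PASS and KEY_PASS.

```shell
#!/bin/sh
# Added example (not from the original page): convert a PKCS#12 grid
# certificate into the usercert.pem / userkey.pem pair voms-proxy-init
# expects, lock the permissions down, and report the grid DN.
# Assumes the openssl CLI; P12_PASS and KEY_PASS are assumed env vars.

# p12_to_globus_pem P12FILE OUTDIR
#   P12_PASS: import password of the .p12 file
#   KEY_PASS: new pass phrase for userkey.pem (used by voms-proxy-init)
p12_to_globus_pem() {
    p12="$1"; outdir="$2"
    mkdir -p "$outdir"
    # Certificate only, no key (-clcerts -nokeys), as on the page
    openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$outdir/usercert.pem" \
        -passin env:P12_PASS || return 1
    # Private key only (-nocerts), re-encrypted under KEY_PASS
    openssl pkcs12 -in "$p12" -nocerts -out "$outdir/userkey.pem" \
        -passin env:P12_PASS -passout env:KEY_PASS || return 1
    # voms-proxy-init refuses a key that anyone but the owner can read
    chmod 400 "$outdir/usercert.pem" "$outdir/userkey.pem"
}

# Succeed only if both PEM files show the -r-------- mode from the listing
check_globus_perms() {
    for f in "$1/usercert.pem" "$1/userkey.pem"; do
        mode=$(ls -l "$f" | cut -c1-10)
        [ "$mode" = "-r--------" ] || { echo "bad mode $mode on $f" >&2; return 1; }
    done
}

# Print the subject DN in the /DC=.../CN=... form used for VO registration
grid_dn() {
    openssl x509 -in "$1/usercert.pem" -noout -subject -nameopt compat \
        | sed 's/^subject= *//'
}

# Constructed self-signed identity standing in for the OIM-issued .p12
make_test_p12() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/DC=com/DC=example/O=Constructed/CN=Test User 1" \
        -keyout "$dir/k.pem" -out "$dir/c.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$dir/c.pem" -inkey "$dir/k.pem" \
        -out "$dir/test.p12" -passout env:P12_PASS
}
```

Run p12_to_globus_pem on the real .p12 with OUTDIR set to ~/.globus; grid_dn then gives the exact string to paste into the "New DN" field later on this page.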
Add your DigiCert DN to the Atlas VO
The BNL notes for adding your DigiCert DN to the Atlas VO can be found at
https://www.racf.bnl.gov/docs/howto/grid/multicertvo
The key is that your DOEGrids DN must still be valid, and it must be the active certificate in your browser when performing these steps. You will log in with this old DOEGrids DN and then follow these steps to add your new OSG grid certificate DN to the Atlas VO. The following are some snapshots showing how to accomplish this.
Start by going to the page
https://lcg-voms.cern.ch:8443/vo/atlas/vomrs.
Make certain the DN at the bottom of the page is your DOEGrids DN
Add your DN to your existing Atlas VO registration
Open the "Member Info" tab, then the "Certificates" tab, then click on "Add Certificates"
- Click on Search, your DOEGrids DN should appear
- In "New DN", enter the DN for your DigiCert certificate. Your DN is the piece of information you should have found in one of the emails you received.
- In "New CA", select "/DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1" from the drop-down box. Note that it may be rather far down on this long list.
- Fill in a reason such as "Adding my DigiCert DN to the Atlas VO"
- Click on "Submit"
Successful submission
If all goes well, you should then see a screen such as
Failed submission
If you see this type of screen, contact John Hover. He will need to remove a bad registration for your DigiCert DN.
This happens if your browser was using your DigiCert DN when you tried to add it to the Atlas VO.
You must use your DOEGrids DN when doing the registration.
Completion of the registration
After you received the "Success" message, you should receive an email about this request
Dear VO Member,
A request to add a new certificate
DN: /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148
CA: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1
to your certificate list was made by a Member
DN: /DC=org/DC=doegrids/OU=People/CN=David Lesny 786524
CA: /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
The following reason was provided: Add new DigiCert DN to existing VO registration.
Please contact VO administrator if you have any questions.
VOMRS atlas Service
The request must be approved by John Hover. After he approves this request, you will receive the email
Dear VO Member,
The status of your certificate
DN: /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148
CA: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1
has been changed from New to Approved due to following reason: Approved..
The change was made by a VOAdmin
DN: /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=John Hover 241
CA: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1
Please contact VO administrator if you have any questions.
VOMRS atlas Service
At this point, you should be able to get a proxy with all your Atlas VO roles. Please note that it may take 5 to 10 minutes for your new DN to propagate to the CERN VOMS servers and up to 24 hours to propagate to the BNL VOMS server. This is why, in the output below, the request for a proxy failed against the BNL VOMS server and succeeded only on the CERN server.
Enter GRID pass phrase:
Your identity: /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148
Creating temporary proxy ................................. Done
Contacting vo.racf.bnl.gov:15003 [/DC=org/DC=doegrids/OU=Services/CN=vo.racf.bnl.gov] "atlas" Failed
Error: atlas: Unable to satisfy G/atlas/usatlas Request!
Trying next server for atlas.
Creating temporary proxy .................................... Done
Contacting voms.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "atlas" Done
Warning: voms.cern.ch:15001: The validity of this VOMS AC in your proxy is shortened to 345600 seconds!
Creating proxy ................................. Done
Your proxy is valid until Wed Feb 27 13:57:44 2013
subject : /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148/CN=proxy
issuer : /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148
identity : /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148
type : proxy
strength : 1024 bits
path : /tmp/x509up_u1047
timeleft : 168:00:00
=== VO atlas extension information ===
VO : atlas
subject : /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148
issuer : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /atlas/usatlas/Role=NULL/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
attribute : nickname = dlesny (atlas)
timeleft : 96:00:00
uri : voms.cern.ch:15001
[ddl@lx0 .globus]$ voms-proxy-info -all
subject : /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148/CN=proxy
issuer : /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148
identity : /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148
type : proxy
strength : 1024 bits
path : /tmp/x509up_u1047
timeleft : 167:59:43
=== VO atlas extension information ===
VO : atlas
subject : /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=David Lesny 148
issuer : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /atlas/usatlas/Role=NULL/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
attribute : nickname = dlesny (atlas)
timeleft : 95:59:43
uri : voms.cern.ch:15001
Become a Grid Administrator (GA)
You must be a GA to be able to request and create host and service certificates in a timely fashion.
You request this via the OIM Certificate page
https://oim.grid.iu.edu/oim/certificate.
You can use either your DigiCert or your DOEGrids DN when making this request.
* Click on the "GridAdmins" section on the left side of the screen.
* Click on "Request for GridAdmin Enrollment" in the upper right.
* In the "GridAdmin Enrollment Request" box, fill in the page and hit Submit:
  * Your full name, such as "David Lesny"
  * The domain name you need GA for, such as "uchicago.edu", "mwt2.org", "iu.edu", "illinois.edu"
  * Select the "ATLAS" VO in the drop-down box
  * Click on Submit
Once you are approved as a GA for the requested domains, you can use the OSG certificate tools installed on uct2-int to request host certificates.
The following is an example of requesting a "test" certificate for node "uct2-int.mwt2.org". For a real request, omit the "-T" (test mode) option.
[ddl@uct2-int ~]$ osg-gridadmin-cert-request  --help
usage: osg-gridadmin-cert-request [options] arg
Usage:osg-gridadmin-cert-request -h/--help [for detailed explanations of options]
options:
  -h, --help            show this help message and exit
  -k PKEY, --pkey=PKEY  Specify Requestor's private key (PEM Format).  If not
                        specified will take the value of X509_USER_KEY or
                        $HOME/.globus/userkey.pem
  -c CERT, --cert=CERT  Specify Requestor's certificate (PEM Format).  If not
                        specified will take the value of X509_USER_CERT or
                        $HOME/.globus/usercert.pem
  -T, --test            Run in test mode
  -t TIMEOUT, --timeout=TIMEOUT
                        Specify the timeout in minutes
  -q, --quiet           don't print status messages to stdout
  Hostname Options:
    Use either of these options.     Specify hostname as a single hostname
    using -H/--hostname     or specify from a file using -f/--hostfile.
    -H HOSTNAME, --hostname=HOSTNAME
                        Specify the hostname or service/hostname for which you
                        want to request the certificate for.  If specified
                        -f/--hostfile will be ignored
    -f HOSTFILE, --hostfile=HOSTFILE
                        Filename with one hostname or service/hostname per
                        line
[ddl@uct2-int ~]$ osg-gridadmin-cert-request -T -H uct2-int.mwt2.org
Running in test mode
The timeout is set to 5
Please enter the pass phrase for '/home/ddl/.globus/userkey.pem':
Beginning request process for uct2-int.mwt2.org
Generating certificate...
Connecting to server to request certificate...
Id is: 415
Connecting to server to approve certificate...
Contacting Server to initiate certificate issuance.
Issuing certificate...
Waiting for response from Certificate Authority. Please wait.
. 
Certificate written to ./uct2-int.mwt2.org.pem
[ddl@uct2-int ~]$ ll uct2-int.mwt2.org*
-rw------- 1 ddl mwt2 1679 Feb 26 14:18 uct2-int.mwt2.org-key.pem
-rw-r--r-- 1 ddl mwt2 5514 Feb 26 14:19 uct2-int.mwt2.org.pem
DN based permission sites
These are the various special sites which use DN-based authorization and whose registrations you might need to change.
LJSFi
This is the validation system managed by Alessandro De Salvo,
Alessandro.De.Salvo@cern.ch. It handles the validation of all Atlas releases on a given site.
To manage MWT2, you need to have your DN registered.
You can register your new DN at
https://atlas-install.roma1.infn.it/atlas_install/protected/user.php. Make certain your browser is using your DigiCert DN when authenticating against this site.
Request for User Registration
Pending Request
Once your request has been approved, you can ask Alessandro to delete your old DOEGrids DN from the system
FTS Channels
LFC Dump requests