Getting a Digital Certificate
In order to use the LIGO Data Grid (LDG) (see Getting Started on the LIGO DataGrid for an overview of "getting on the grid") you will need a digital grid certificate. If you have used the LDG before, and are returning to it, you may already have a valid certificate. If so, you do not need to get a new one unless your primary email address has changed since you obtained it.
To determine if you already have a certificate, look for the certificate files ~/.globus/usercert.pem and ~/.globus/userkey.pem. If they exist, you probably have a certificate already. Next, you can see if the certificate is valid by using the command grid-cert-info -ed. This should tell you when your certificate will expire. If the expiry date is less than a month away (but has not passed) you should probably renew your certificate. If it has already expired, you will need a new grid certificate.
The step-by-step instructions below tell you how to get a grid certificate if you are a member of the LIGO Scientific Collaboration (LSC) at an institution within the United States. If you are a member of the LSC, but at an institution outside the United States, it may still be possible to use this procedure, but the preferred procedure is to obtain a grid certificate from a Certificate Authority (CA) in your home country, for instance the UK e-Science CA in the United Kingdom or GermanGrid CA in Germany.
Members of VIRGO and other persons wanting to use the LDG who are not members of the LSC cannot obtain a certificate via the procedures outlined below. Rather, members of VIRGO should obtain certificates from GRID-FR if they are at a French institution, from INFN CA if they are at an Italian institution, and from DutchGrid/NIKHEF CA if they are at an institution in the Netherlands. Further details are available at the Virgo Computing Centers page. Finally, if you have a certificate through some other agency, it may be acceptable for use on the LDG. The full list of CAs that are supported on the LDG is here.
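As an added example (not part of the LDG client tools), the check for an existing certificate described at the top of this page can be scripted with openssl in place of grid-cert-info; it reports whether the certificate is missing, unreadable, expired, due for renewal, or valid. The function names, the reading of "less than a month" as 30 days, and the private-key permission warning are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the LDG tools): classify a grid credential as
# missing / unreadable / expired / renew / valid.

# Succeeds only if the private key grants no read access to group or others.
ldg_key_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Usage: ldg_cert_status [cert] [key] [renew-window-days]
ldg_cert_status() {
    cert=${1:-"$HOME/.globus/usercert.pem"}
    key=${2:-"$HOME/.globus/userkey.pem"}
    days=${3:-30}   # assumption: "less than a month" means 30 days

    # Either file absent: a new certificate has to be requested.
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo missing; return 0
    fi
    # Reject anything openssl cannot parse as an X.509 certificate, so a
    # damaged file is not misreported as "expired".
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 0
    fi
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 0
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo renew; return 0
    fi
    echo valid
}

status=$(ldg_cert_status "$@")
echo "certificate: $status"
ldg_key_private "${2:-$HOME/.globus/userkey.pem}" || [ "$status" = missing ] ||
    echo "warning: private key is readable by group or others" >&2
```

A result of "missing" or "expired" means a new certificate is needed, and "renew" means the expiry date is inside the renewal window.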
If you are a member of the LSC at a US institution and you need a new grid certificate, you can (and should) get a grid certificate using the following procedure. This assumes you have already installed the LIGO DataGrid Client package version 4.5 or later. Note: Do not use versions 4.4 or earlier of the LSC Datagrid Client package; the certificate utilities in those versions are now deprecated.
- Read and agree to the Subscriber Obligations specified in section 2.1.2 of the DOEGrids Certificate Policy and Certificate Practice Statement (CP/CPS).
The CP/CPS is a PDF document you can find here.
- Determine your sponsor and notify LIGO Laboratory
2A. In order for your identity to be verified and matched to the request you must choose a sponsor.
- If you are a member of LIGO-CIT, your sponsor is Kent Blackburn.
- If you are a member of LIGO-MIT, your sponsor is Erik Katsavounidis.
- If you are a member of another LSC group, your sponsor will be the Principal Investigator (PI) of your LSC group, as listed in the group MOU. In some cases, the PI may designate another individual in the group to act as a sponsor for the group. A partial list of sponsors is here. If you do not see your group sponsor listed here, you may assume that the PI listed in your group's MOU is your sponsor.
The sponsor will contact you after the request has been made and in a secure fashion will verify that you did indeed request a certificate.
2B. LIGO Laboratory must approve all certificate requests that involve access to LIGO data. Please send an email to LIGO advising LIGO of your upcoming request. Please provide:
- your name;
- your email address;
- the name of your sponsor;
- the email address of your sponsor; and
- your phone number.
- Set up your environment
If you have not done so already, source either ~/ldg-4.5/setup.sh (for bash, sh, or ksh users) or ~/ldg-4.5/setup.csh (for tcsh users), or, when later versions of LDG are released, source the latest ldg-n.n/setup.(c)sh file, in order to properly set up your shell to use the Grid tools.
- Run LSCrequestCert
Run the executable LSCrequestCert using the following options (quotes around names, email address, and phone numbers are helpful):
    -name (your full name, for example 'John Doe')
    -email (your institutional email, No AOL, hotmail, or like!)
    -phone (your institutional phone, No home or cell phone!)
    -sponsor_name (sponsor's name)
    -sponsor_email (sponsor's email)
    -sponsor_phone (sponsor's phone)
If you do not provide the information using the options above you will be prompted for them.
Here is an example usage:
[host]$ LSCrequestCert -name "Scott Koranda" -email "skoranda@uwm.edu" -phone "4142295056" -sponsor_name "Patrick Brady" -sponsor_email "patrick@gravity.phys.uwm.edu" -sponsor_phone "4142296508"
- Enter a passphrase to protect your private key.
You will be prompted twice to enter a passphrase to protect your private key. You must remember this passphrase since only you will ever know it. It cannot be recovered or reset by any administrator.
Note that it is not a password but a passphrase. The longer the phrase the better. Consider the first line of your favorite song, poem, or the like.
- Wait.
Your request has been uploaded to the certificate authority. You must now wait for your request to be verified by the Registration Authority (RA) working together with your sponsor.
You will be notified by email when your certificate request has been signed and is ready to be retrieved.
- Run LSCretrieveCert
As instructed in the email you receive, cut and paste the retrieval command into your shell,
cert-retrieve -serialnum 1234
where 1234 should be replaced by the serial number in the email. When prompted, enter the passphrase protecting your private key. Your certificate is now ready for you to use. It is stored in the file ~/.globus/usercert.pem. Your private key is stored in the file ~/.globus/userkey.pem.
- Generate a p12 certificate for browsers/mailers
Next you will be asked if you want to generate a pkcs12 certificate for your browser or mailer. This is not necessary to use the LIGO Data Grid, but it might be useful for some people. In any case, it doesn't hurt to have it available, so go ahead and answer with a "y".
You will be asked for your passphrase - this is the passphrase you chose when you requested the certificate. Enter it, and you will be asked for an export password. This is the password you will use with the pkcs12 certificate - it can be different than the passphrase you just entered, but it doesn't have to be. Pick a pkcs12 password, and verify it when you are requested to. You must remember this password too if you ever want to use the pkcs12 bundle, so please do.
You now have a pkcs12 certificate named userpair.p12 in your ~/.globus. If you ever want/need to load it into your browser, you can find instructions that should help here.
To request accounts on LSC resources see the Account Request form.
$Id: certificates.html,v 1.27 2007/11/21 17:20:50 warren Exp $