Grid Certificates

From ALICE@LBNL

Important Change for Issuance of Grid Certificates for Members of US Institutions

As of March 23, 2013, the DOEGrids Certificate Authority (CA) will no longer issue new or reissue old certificates. The process has now been taken over by the Open Science Grid which operates under the new DigiCert Grid CA. All people who are registered with the ALICE VO and access the grid using a DOEGrid certificate will need to obtain a new certificate via the OSG web interface (see below) and then re-register with the ALICE VO [1] using that new certificate as their old DOEGrids certificate expires.

People can determine the CA issuer of their current certificate using the openssl command and their usercert.pem file:

  • openssl x509 -in .globus/usercert.pem -noout -issuer

The output will look like one of the following, depending on whether the issuer is DOEGrids, OSG DigiCert or CERN:

  • issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
  • issuer= /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1
  • issuer= /DC=ch/DC=cern/CN=CERN Trusted Certification Authority

Users with a certificate from the DOEGrids CA are encouraged to obtain a new certificate from the OSG DigiCert Grid CA as described below.

(update in progress - 3/8/2013)

Introduction

In order to work within the ALICE Grid infrastructure, [2] AliEn, users must:

  • possess a grid certificate from an accepted Certificate Authority
    • Persons from US institutions previously used DOEGrids CA, but now should use the [3] OSG/DigiCertGrid CA
    • Any ALICE member (including US participants) may use the [4] CERN CA
  • be registered with the ALICE Virtual Organization with their grid certificate following the steps shown on [5] AliEn website


Obtaining a Grid Certificate

A grid certificate is typically obtained using a web portal to request and then retrieve the certificate. Firefox or IE are the recommended browsers, and Chrome is now reported to work as well. Safari is not recommended, as there have been recurring problems with managing Grid certificates and VO registration with that browser. The process for the OSG DigiCert Grid CA is described [6] here, including steps to download the new DigiCert Grid CA certificate file as well as to request your new certificate from the [7] OSG Information Management Portal. On the request page, choose "ALICE" from the list of VOs and include contact information for a sponsor to approve your certificate.

The certificate should be approved within a day or two and email sent to you describing how to retrieve it. Previously with DOEGrids, the certificate was automatically loaded into your browser and then exported to a file for grid use. This caused many of the browser-related problems users experienced. In the new procedure, the user downloads the certificate to a 'pkcs12' file (with .p12 extension) and then imports it into a browser as needed for the purposes of registering with the ALICE VO.

As noted in the OSG documentation linked above, the pkcs12 file can be used directly with grid tools if installed as $HOME/.globus/usercred.p12. More commonly, people install X.509 usercert.pem and userkey.pem files, stored in the user's $HOME/.globus/ subdirectory. To create these files from your 'pkcs12' file (called usercred.p12 in this example), use the following openssl commands:

  • openssl pkcs12 -in usercred.p12 -clcerts -nokeys -out usercert.pem
  • openssl pkcs12 -in usercred.p12 -nocerts -out userkey.pem

In both cases, you will have to enter the passphrase you used to encrypt the "usercred.p12" file. In the 2nd step you'll also need to set a password for the userkey.pem file, which you will use to obtain grid credentials as proxies. The usercert.pem file should not be writable, and userkey.pem should not be readable, by anyone other than the owner. For example:

  • chmod 644 usercert.pem
  • chmod 600 userkey.pem
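The following script is an added example for this page; it is not part of the ALICE@LBNL wiki or of the OSG/ALICE tooling. It ties the steps above together: it runs the two openssl conversion commands from the page under a restrictive umask (so the private key is never world-readable, even for the moment before chmod runs), applies the 644/600 modes given above, verifies the resulting permissions, and prints the issuer line used earlier on this page to tell a DOEGrids, DigiCert Grid or CERN certificate apart. The script name install_grid_cert.sh, the permission-check function names and the argument layout are assumptions of this example; openssl is assumed to be on the PATH for the conversion and issuer steps only.

```shell
#!/bin/sh
# Added example for the ALICE@LBNL "Grid Certificates" page; not code from the
# page, OSG or ALICE. Converts a pkcs12 credential into usercert.pem/userkey.pem
# with the openssl commands the page gives, sets the permissions it calls for,
# and verifies them. Assumes openssl is on PATH (conversion and info steps only);
# the p12 path is taken from the first argument (constructed name: usercred.p12).

# mode_string FILE: the 10-character permission field of ls -l, e.g. -rw-r--r--
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# cert_perms_ok FILE: success if group and other cannot write
# (positions 6 and 9 of the mode string are the group/other write bits)
cert_perms_ok() {
    case "$(mode_string "$1")" in
        ?????-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# key_perms_ok FILE: success if group and other have no access at all
# (positions 5-10 of the mode string are all '-')
key_perms_ok() {
    case "$(mode_string "$1")" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# check_globus_dir DIR: both files present and carrying acceptable permissions.
# Returns 0 when all is in order, 1 otherwise, naming each problem found.
check_globus_dir() {
    dir=$1
    rc=0
    [ -f "$dir/usercert.pem" ] || { echo "missing $dir/usercert.pem"; rc=1; }
    [ -f "$dir/userkey.pem" ]  || { echo "missing $dir/userkey.pem"; rc=1; }
    [ "$rc" -eq 0 ] || return 1
    cert_perms_ok "$dir/usercert.pem" ||
        { echo "usercert.pem is group/world writable: $(mode_string "$dir/usercert.pem")"; rc=1; }
    key_perms_ok "$dir/userkey.pem" ||
        { echo "userkey.pem is readable by others: $(mode_string "$dir/userkey.pem")"; rc=1; }
    return "$rc"
}

# show_cert_info CERT: issuer (DOEGrids / DigiCert Grid / CERN, as on the page),
# subject and expiry date. Informational; requires openssl.
show_cert_info() {
    openssl x509 -in "$1" -noout -issuer -subject -enddate
}

# install_from_p12 P12 [DIR]: run the page's two openssl commands under umask 077
# so the key file is created owner-only, then apply the page's 644/600 modes and
# re-check. openssl prompts for the p12 passphrase and the new userkey.pem password.
install_from_p12() {
    p12=$1
    dir=${2:-$HOME/.globus}
    mkdir -p "$dir"
    (
        umask 077
        openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$dir/usercert.pem" &&
        openssl pkcs12 -in "$p12" -nocerts -out "$dir/userkey.pem"
    ) || { echo "conversion failed"; return 1; }
    chmod 644 "$dir/usercert.pem"
    chmod 600 "$dir/userkey.pem"
    check_globus_dir "$dir" && show_cert_info "$dir/usercert.pem"
}

# Usage: sh install_grid_cert.sh usercred.p12 [~/.globus]
if [ $# -ge 1 ]; then
    install_from_p12 "$@"
fi
```

Running `check_globus_dir ~/.globus` on its own is a quick sanity check after any manual edit to the credential files; the permission test reads the mode string from `ls -l` rather than relying on a GNU-only `stat` option, so it behaves the same on Linux and macOS.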