
Cluster Ohio

Obtaining an OSC Cluster Ohio Grid User Certificate

To use the grid computing resources in Cluster Ohio, each user must generate a personal key pair and have it signed by the certificate authority which authorizes his or her access to the machines. This guide describes the process, which is actually quite simple, although it does involve multiple parties.

  1. Log on to the central OSC cluster machine, oscbw. Everyone who has an account on any machine at OSC also has an account here.
  2. Run the shell script which will generate your key pair and build the request email:

    grid-cert-request

    Output from the openssl key generation will be displayed on your terminal, and soon it will ask you for a pass phrase:

    Generating a 1024 bit RSA private key
    .....++++++
    .++++++
    writing new private key

    A pass phrase is essentially like a login password, but it can be longer, up to 64 characters, and can include spaces and digits. You should use a fairly long phrase that is easy for you to type and to remember. After you type it, the script will ask you to type it again to verify that you typed the same phrase both times:

    Verifying password - Enter PEM pass phrase:

    Next some more output is generated and the screen is cleared (unless you use the flag -verbose). Finally it will print a summary of the key it generated with instructions on how to get the key signed, the next necessary step before you can use your key:

    A private key and a certificate request has been generated with the subject:

    /O=Grid/O=OSC/CN=Joe User
    
    If the CN=Joe User is not appropriate, rerun this
    script with the -force -cn "Common Name" options.
    
    Your private key is stored in /home/osc1999/.globus/userkey.pem
    Your request is stored in /home/osc1999/.globus/usercert_request.pem

    Please e-mail the request to the OSC Certification Authority grid-cert-request@osc.edu
    You may use a command similar to the following:

    cat /home/osc1999/.globus/usercert_request.pem | 
    mail grid-cert-request@osc.edu

    Only use the above if this machine can send AND receive e-mail. if not, please mail using some other method. Your certificate will be mailed to you within two working days. If you receive no response, contact OSC Certification Authority at grid-cert-request@osc.edu

  3. Send mail to the certificate authority. Now use your mouse to copy the command line shown above, which will send mail to the grid certificate authority (a human) at OSC. When he reads the email, he will receive a copy of the public part of your key and will sign it, which signifies that the central authority knows that this key is associated with you personally. Your key will then be officially recognized by all sites in the Cluster Ohio network.
  4. Wait for the mail response.
    If the .forward file in your home directory is set up to forward email to your usual mailbox, you will receive the response from the grid certificate request there. Otherwise, you can use the mail command on oscbw to check for mail there. (See here for more information about your dot files; a .forward file is quite handy in general.)
  5. Copy the signed certificate into ~/.globus/usercert.pem.
    The mail response sent back to you from the certificate authority will include all the information about your certificate, as well as a block of encoded text at the bottom which is the actual signed key. You should copy the entire mail message into the file ~/.globus/usercert.pem, in the .globus subdirectory of your home directory. Note that there will already be a zero-length placeholder file there, which was created when you ran the grid-cert-request script. Go ahead and replace it with the mail message.
  6. Check the permissions. To ensure that no one else can use your certificate or tamper with it, check the permissions on your key files to make sure they are correct. Type the following command to see the permissions on these files:

    ls -la ~/.globus

    If everything is correct you should see output similar to the following:

    -r--r--r--    1 osc1999  G-1999       2735 May 19 13:51 usercert.pem
    -rw-r--r--    1 osc1999  G-1999       1249 May 19 13:51 usercert_request.pem
    -r--------    1 osc1999  G-1999        963 May 19 13:51 userkey.pem

    To change the permissions if they do not match, type the following:

    chmod 444 ~/.globus/usercert.pem
    chmod 400 ~/.globus/userkey.pem
  7. Done! If later you want to see information about your certificate, use

    grid-cert-info

    To change the passphrase you initially selected, use

    grid-change-pass-phrase
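
As an added example (not an OSC or Globus script), the following shell function audits the .globus directory once the certificate has been copied in and the permissions set: it flags a usercert.pem that is still the zero-length placeholder or lacks a complete PEM block, and key files whose modes differ from the listing above. The function names are hypothetical, and it assumes the signed certificate uses the standard `-----BEGIN CERTIFICATE-----` PEM markers.

```shell
#!/bin/sh
# Added example (not an OSC script): audit ~/.globus after the certificate
# has been installed. Function names are hypothetical.

# has_mode FILE OCTAL: true only if FILE's permission bits are exactly OCTAL.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# check_globus_dir [DIR]: prints one line per problem found and returns the
# number of problems (0 means the directory matches the listing in the guide).
check_globus_dir() {
    dir=${1:-$HOME/.globus}
    cert=$dir/usercert.pem
    key=$dir/userkey.pem
    problems=0

    if [ ! -s "$cert" ]; then
        echo "usercert.pem: missing or still the zero-length placeholder"
        problems=$((problems + 1))
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
         ! grep -q -e '-----END CERTIFICATE-----' "$cert"; then
        # Assumption: the CA's mail carries a standard PEM certificate block.
        echo "usercert.pem: no complete PEM block (mail message truncated?)"
        problems=$((problems + 1))
    fi
    if [ -f "$cert" ] && ! has_mode "$cert" 444; then
        echo "usercert.pem: wrong permissions, run: chmod 444 $cert"
        problems=$((problems + 1))
    fi

    if [ ! -f "$key" ]; then
        echo "userkey.pem: missing"
        problems=$((problems + 1))
    elif ! has_mode "$key" 400; then
        echo "userkey.pem: not owner-read-only, run: chmod 400 $key"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_globus_dir "$1" || exit 1
fi
```

Save it as a script and pass the directory to check, for example `~/.globus`; it prints nothing and exits 0 when everything matches.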

Last updated 20 May 2003 by Pete Wyckoff <pw@osc.edu>.