Certificates and stuff - a guide for MICE

  1. Root Certificates and trust
  2. Getting Your Own Certificate
  3. Joining the MICE VO
  4. Use the Grid

To use the Grid, you will need 1) the CA root certificates (the "trust" settings) in your web browser (so that you know that sites claiming to be on the Grid are genuine), 2) a certificate (so the Grid knows who you are) and 3) membership of the MICE VO (so the Grid lets you access MICE resources).

The rest of this page will take you through those in that order.

1. Root Certificates and trust

Resources on the Grid identify themselves using digital certificates - but how do you know that a particular certificate is genuine? User and host certificates must themselves be signed by a "Certification Authority" (CA) that vouches that they are genuine (and which also publishes a Certificate Revocation List, the "CRL", of certificates it has issued that should no longer be trusted). Great - but how do you know that the alleged CA certificate is itself genuine? Unfortunately, while Grid resources have a list of the genuine CA certificates installed, the rest of us don't.

So the first thing you have to do is to go to a site that _is_ trusted (because its CA certificate is already in your web browser), and from there go to the websites of the CAs relevant to MICE, and finally "import into your browser" each CA's "root certificates" and CRL.

CAs relevant to MICE are:

As web browsers all behave differently, it's pretty well impossible to give simple-yet-comprehensive written instructions here. Basically:

  1. Go to the TACAR repository (in a new window). If your web browser complains with e.g. "invalid security certificate", DO NOT CONTINUE. Try a few days later, and if you still have problems contact your local IT support.
  2. Press the "Install" button corresponding to each of the following CAs: "CERN Root-CA", "CERN Intermediate CA", "GridKa-CA", "UK e-Science New Root", "UK e-Science New CA", "CNRS2 CA", "CNRS2-Project CA", "GRID2-FR CA". When importing the certificates, make sure to tell the browser to trust that CA for signing websites, by ticking the relevant boxes in a dialogue box similar to this:
    CA certificate import dialogue box
  3. Ideally, you should also import each CA's CRL list into your browser. As web browsers and the CA sites are all different, it's pretty well impossible to give simple-yet-comprehensive written instructions here. Basically: go to the CA site from its listing on the TACAR page, and follow links involving "CRLs" and "browser import". If asked, set the CRLs to auto-update every few weeks.

You will need to go through this again if you move your certificate to a different web browser. (But you won't need to repeat it if you move it back again.)

2. Getting Your Own Certificate

The basic process is as follows:

  1. Use your web browser to apply to a suitable Certificate Authority (CA)
  2. Show ID in person to a CA representative (an "RA")
  3. When the certificate is granted, re-visit the CA site with the very same browser you used for the application to collect it.
  4. To test your certificate (for any CA), go to the UK CA docs and follow the "testing your certificate" instructions. Copy your DN to the clipboard if possible - you'll need it in the next step. (Your "DN" is the big mess of gibberish starting with "/C" and with your name lurking near the end).
  5. With the certificate in the browser, apply to join the VO (see below)
  6. Make a "backup" or "export" of the certificate; this will be a .p12 file on disk. The browser will ask you for a passphrase to secure it. This will be your "Grid passphrase" - make sure you remember it! Note that it can contain spaces, so you can use a longer phrase or sentence that's easier to remember and type.
    (If you don't know how to do this, go to the UK CA docs and follow the "Backing up your certificate" instructions.)
    You should keep this .p12 file in a safe place as a backup, and you can also copy it to use with the Grid clients (section 4).

Note that if you lose a copy of the certificate you will have to revoke it and get a new one issued, so I suggest avoiding putting it on USB sticks as they're too easy to mislay. You should also never keep it in a browser that other people might have access to, so if you applied from say a shared PC at home then you should keep a separate copy of the .p12 securely filed away on a floppy disk/CD-R and delete it from the browser.

Unfortunately I can't tell you which CA you should use. It can be any of those trusted by the EGEE/LCG Grid (not just the subset listed in section 1): if you're at CERN then use the CERN CA, else there will be a national CA; locate it via the EUGridPMA Map. If you already have a certificate for use with one of the LHC experiments, that should work with MICE too (but you'll still need to go through sections 1, 3 and 4 on this page).

Your CA's website should have detailed guides on how to apply for, back up and look after your certificate. Read and follow them carefully, especially any bits about "root certificates". The comprehensive documentation from the UK eScience CA includes material on saving, restoring and generally looking after your certificate, and will usually apply to those from other CAs too.

Your certificate will probably expire after one year - make sure you renew it before it does, otherwise you need to do the whole of this step again. You should get a reminder e-mail about 30 days before.

3. Joining the MICE VO

The procedure is being reviewed; currently you should:

  1. Go to the MICE VOMS server (in a new window) with your certificate in your browser. The page will confirm your DN and provide an application form. Note down the DN (or copy it to the clipboard) as you will need it later.
  2. Fill out the application form and press the "Register" button.
  3. E-mail your DN to Henry Nebrensky, along with a quick description of who you are, which institute you're at, etc.
  4. There won't be any notification - after a couple of days check that your DN appears correctly on the list of users accessed via the "VO management" link.

4. Use the Grid

Note that you can use your certificate for all sorts of things, such as encrypting or digitally signing e-mail. To use the Grid, you still need to make your certificate available to the client software.

Some aspects of the Grid are accessed through your web browser; you can use any browser into which you have loaded your certificate and set up the trust relationships as per section 1.

For typical Grid use such as submitting jobs and accessing data, you will need to put your certificate where the command-line Grid clients, such as those installed on heplnw17, can find it. The default location is ~/.globus/usercred.p12, i.e. a file called usercred.p12 in a subdirectory .globus of your home directory. usercred.p12 should have permissions 400 (readable only by you) and the .globus directory 700.

(Note that some older documentation discusses splitting your certificate into two .pem files at this point. This is not necessary for MICE, unless you need to store the certificate in a non-standard location.)
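As an added example (not part of the MICE guide or the Grid client software), the shell functions below put a .p12 backup into place as ~/.globus/usercred.p12 with the permissions stated above and then check them, so you can confirm the setup before trying the clients. The sample usercred.p12 content is a constructed placeholder rather than a real certificate, and the home directory is passed as a parameter so the demo does not touch your real ~/.globus.

```shell
#!/bin/sh
# Added example, not part of the MICE guide: installs a .p12 certificate backup as
# ~/.globus/usercred.p12 with the permissions the guide requires (400 on the file,
# 700 on the directory) and checks them. The sample file content is a constructed
# placeholder, not a real PKCS#12 certificate.
set -eu

# Exit 0 only if the path has exactly the octal mode given (POSIX find -perm).
has_mode() {
  # $1 = path, $2 = mode, e.g. 400
  [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Copy a .p12 backup into place with the required permissions.
install_usercred() {
  # $1 = source .p12 file, $2 = home directory (defaults to $HOME)
  home=${2:-$HOME}
  mkdir -p "$home/.globus"
  chmod 700 "$home/.globus"
  cp "$1" "$home/.globus/usercred.p12"
  chmod 400 "$home/.globus/usercred.p12"
}

# Exit 0 if the installed credential has the right permissions; otherwise say what is wrong.
check_usercred() {
  # $1 = home directory (defaults to $HOME)
  home=${1:-$HOME}
  ok=0
  if ! has_mode "$home/.globus" 700; then
    echo "$home/.globus should be mode 700" >&2
    ok=1
  fi
  if ! has_mode "$home/.globus/usercred.p12" 400; then
    echo "$home/.globus/usercred.p12 should be mode 400" >&2
    ok=1
  fi
  return $ok
}

# Demo with a scratch home directory and a constructed placeholder file.
DEMO_HOME=$(mktemp -d)
printf 'placeholder, not a real PKCS#12 file\n' > "$DEMO_HOME/backup.p12"
install_usercred "$DEMO_HOME/backup.p12" "$DEMO_HOME"
check_usercred "$DEMO_HOME" && echo "usercred.p12 installed with correct permissions"
```

To use it for real, call install_usercred with the path of the .p12 you exported from your browser and omit the second argument so it defaults to your own home directory; the check function is useful on its own after any restore from backup, since the Grid clients will refuse a credential file that is readable by others.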
