Setting Up PKI: Certificates and VOMS

 

Certificate Authority, user and host certificates

Entities such as users and hosts in your Grid infrastructure will authenticate themselves to one another using X.509 certificates. All host nodes except the User Interface (UI), Worker Node (WN) and Information System (top/site BDII) require host certificate/key files to be installed.
 
In order to submit jobs, users must have a personal user certificate issued by a trusted Certification Authority (CA), and they must also be registered members of a Virtual Organization (VO).

The GILDA CA

If you are creating an infrastructure for training or testing purposes, you can use the GILDA Certification Authority. GILDA maintains a Certification Authority for training purposes which issues short-term user and host certificates.
 
You can request GILDA user and host certificates from the GILDA CA website https://gilda-security.ct.infn.it/CA/. You should request a separate host certificate for each of the hosts in your training infrastructure, and a separate personal user certificate for each user. Users must also be members of the GILDA VO; email the GILDA CA directly at gilda-ca@ct.infn.it to check that your certificate is registered in the GILDA VO.
 
To enable support for GILDA certificates on your infrastructure you will also need to install the GILDA CA certificate on the hosts. The GILDA CA certificate is distributed by EUGridPMA at https://dist.eugridpma.info/distribution/igtf/current/unaccredited/RPMS
 
You can install the latest version as follows:
 
$ wget https://dist.eugridpma.info/distribution/igtf/current/unaccredited/RPMS/ca_GILDA-CA-2011-1.50-1.noarch.rpm
$ rpm -Uvh ca_GILDA-CA-2011-1.50-1.noarch.rpm
 
If you already have a personal certificate and VO subscription you can use your own certificate instead of the GILDA certificate, but you may still need host certificates issued by GILDA.

Production Infrastructures and CAs

If you are installing a production infrastructure you cannot use GILDA certificates. Instead you must comply with the EGI Policy on Approved Certification Authorities which defines a common set of trust anchors ("Certification Authorities") that all sites in EGI should install. You can find more information about installing these CAs on the EGI website at https://wiki.egi.eu/wiki/EGI_IGTF_Release.
 
To enable support for production CAs on your infrastructure you should install the EGI metapackage ca-policy-egi-core which you can get from the EGI-trustanchors repository. You can enable this repository as follows:
 
$ wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo -O /etc/yum.repos.d/EGI-trustanchors.repo
 
Then install all the CA certificates by running:
 
$ yum install ca-policy-egi-core
 
You should then contact your local Certificate Authority to obtain user and host certificates. You can find the list of currently supported Certificate Authorities at http://repository.egi.eu/sw/production/cas/1/current/ca-policy-egi-core.list.

Installing your host certificate

Once you have a host certificate issued by an organisation such as GILDA or one of the EGI-supported CAs, you should copy the hostcert.pem and hostkey.pem files to the directory /etc/grid-security/ on your host. You must also change the permissions on these two files as follows:
 
$ chmod 600 /etc/grid-security/hostcert.pem
$ chmod 400 /etc/grid-security/hostkey.pem

Installing your user certificate

In order to use most EMI components you will also require a user certificate. If you have an existing grid certificate you can use it; if not, you can obtain a short-term user certificate from GILDA by visiting https://gilda-security.ct.infn.it/CA/.
 
When you have downloaded your certificate, you should copy your usercert.pem and userkey.pem files to the .globus directory in your home directory and change their permissions. If you exported a .p12 file from your browser (called backup.p12 below), perform the following steps to extract the key and certificate from it:
 
$ mkdir ~/.globus
$ openssl pkcs12 -nocerts -in backup.p12 -out ~/.globus/userkey.pem
$ openssl pkcs12 -clcerts -nokeys -in backup.p12 -out ~/.globus/usercert.pem
$ chmod 0444 ~/.globus/usercert.pem
$ chmod 0400 ~/.globus/userkey.pem
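Both the host pair in /etc/grid-security and the user pair in ~/.globus are easy to get wrong (a key copied with the wrong mode, or a certificate that does not belong to the key beside it). The following check script is an added example, not part of the tutorial; it assumes only openssl and stat on the PATH and builds its own throwaway test pair.

```shell
#!/bin/sh
# Added example (not part of the tutorial): sanity-check a certificate/key pair
# after copying it into /etc/grid-security or ~/.globus. It verifies the private
# key is not group/world readable, that the certificate and key share the same
# public key (a swapped file is a common mistake), and that the certificate still
# has some validity left. Assumes openssl and stat are on PATH.

# check_cert_pair CERT KEY [MIN_DAYS] -> 0 if every check passes, 1 otherwise
check_cert_pair() {
    cert=$1; key=$2; min_days=${3:-7}; status=0
    # The tutorial sets the key to mode 400 (hostkey/userkey) or 600; accept both.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        400|600) ;;
        *) echo "BAD: $key has mode $mode, expected 400 or 600"; status=1 ;;
    esac
    # Certificate and key must carry the same public key. An encrypted
    # userkey.pem prompts for its passphrase at this step.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "BAD: $cert and $key do not belong together"; status=1
    fi
    # Refuse certificates that expire within MIN_DAYS days (default 7).
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "BAD: $cert expires within $min_days days"; status=1
    fi
    return $status
}

# Constructed test material: a throwaway self-signed pair laid out like
# hostcert.pem/hostkey.pem, valid for DAYS days. Prints the directory it used.
make_test_pair() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "${1:-365}" \
        -subj '/CN=host.example' -keyout "$dir/hostkey.pem" \
        -out "$dir/hostcert.pem" >/dev/null 2>&1
    chmod 600 "$dir/hostcert.pem"; chmod 400 "$dir/hostkey.pem"
    echo "$dir"
}

# Example run (prints nothing when the pair is fine):
# check_cert_pair /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem
```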

Installing the VOMS client

The Virtual Organization Membership Service (VOMS) issues proxy certificates for authentication and authorisation which include attributes based on the user's membership of a Virtual Organisation (VO). VOMS allows access to be controlled on a per-VO basis.
 
Many EMI components rely on VOMS for their authentication and authorisation, so whatever EMI service you are installing, the installation is likely to pull in voms-clients as a dependency. However, this tutorial shows you how to set up a VOMS client explicitly so that you can create proxy credentials for other EMI services.
 
Before installing VOMS you should follow the steps at http://www.eu-emi.eu/training/emi-2-installation to install the EMI and other required repositories and prepare your host.
 
Next you should install the VOMS packages:
 
$ yum install voms-clients
 
Each VOMS-aware EMI service needs a way to verify that the proxy certificate presented by a client was signed by a trusted VOMS server. To make this possible you must create a "List of Certificates" (LSC) file for each VOMS server that you wish to support. We will configure the GILDA VOMS server, so create the file /etc/grid-security/vomsdir/gilda/voms.ct.infn.it.lsc containing the following two lines (the DN of the VOMS server certificate, followed by the DN of the CA that issued it):
 
/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
/C=IT/O=INFN/CN=INFN CA
 
You should also list the details of the GILDA VOMS host in the file /etc/vomses/gilda-voms.ct.infn.it:
 
"gilda" "voms.ct.infn.it" "15001" "/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it" "gilda"
 
Now you should be able to create a proxy certificate by running the command
 
$ voms-proxy-init --voms gilda
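A malformed LSC or vomses entry fails quietly: voms-proxy-init cannot find the server, or a service rejects (or, if the DN is wrong, misplaces) its trust. The following checks are an added example, not part of the tutorial or of voms-clients; they assume only POSIX sh and awk, and reuse the GILDA entries shown above as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the tutorial): consistency checks for the two VOMS
# client files described above, the LSC file under /etc/grid-security/vomsdir
# and the vomses entry. A typo in either one silently breaks voms-proxy-init or
# leaves a service trusting the wrong server DN. Assumes only POSIX sh and awk.

# check_lsc FILE -> 0 if FILE looks like a valid LSC: no blank lines, every line
# a DN starting with '/', and at least two lines (server DN, then its issuer).
check_lsc() {
    awk '
        /^[ \t]*$/            { print "BAD: blank line " NR; bad=1; next }
        $0 !~ /^\/[A-Za-z]+=/ { print "BAD: line " NR " is not a DN: " $0; bad=1 }
        { n++ }
        END { if (n < 2) { print "BAD: need server DN and issuer DN"; bad=1 }
              exit bad }' "$1"
}

# check_vomses FILE -> 0 if every line has exactly the five quoted fields
# "alias" "host" "port" "server DN" "VO" with a numeric port and a '/'-style DN.
check_vomses() {
    awk '
        { line=$0; n=0
          while (match(line, /"[^"]*"/)) {
              n++; f[n]=substr(line, RSTART+1, RLENGTH-2)
              line=substr(line, RSTART+RLENGTH) }
          if (n != 5) { print "BAD: line " NR " has " n " fields, expected 5"; bad=1; next }
          if (f[3] !~ /^[0-9]+$/) { print "BAD: port " f[3] " is not numeric"; bad=1 }
          if (f[4] !~ /^\//)      { print "BAD: server DN " f[4]; bad=1 } }
        END { exit bad }' "$1"
}

# check_vomses_matches_lsc VOMSES LSC -> 0 if the server DN in the first vomses
# line (4th quoted field) equals the first line of the LSC file.
check_vomses_matches_lsc() {
    dn=$(awk -F'"' 'NR==1 { print $8 }' "$1")
    [ -n "$dn" ] && [ "$dn" = "$(head -n 1 "$2")" ]
}

# Constructed sample input: the GILDA entries shown in the tutorial, written to DIR.
write_gilda_samples() {
    printf '%s\n' '/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it' \
                  '/C=IT/O=INFN/CN=INFN CA' > "$1/voms.ct.infn.it.lsc"
    printf '%s\n' '"gilda" "voms.ct.infn.it" "15001" "/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it" "gilda"' \
        > "$1/gilda-voms.ct.infn.it"
}
```

Run check_lsc and check_vomses over the real files in /etc/grid-security/vomsdir/gilda and /etc/vomses after editing them; the match check catches the case where the two files disagree about the server DN.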