Grid Certificate installation on UIs

From LHEP Wiki

Revision as of 09:49, 18 March 2015

  • Prerequisite: You have obtained a valid grid certificate and installed it in your browser.
  • Export or 'backup' the certificate from the browser used for the application. The interface for this varies from browser to browser. The exported file will probably have the extension .p12 or .pfx. Guard this file carefully. Store it off your computer, or remove it once you are finished with this process.
  • Copy the file to the user's home directory.
  • Create a directory in the user's home directory:
           mkdir $HOME/.globus
  • Extract the certificate, creating a public certificate file and a private key file. Replace YourCert.p12 with the filename chosen during step 1. You will be asked to define a passphrase during this step. This passphrase has to be entered every time a proxy is created from the certificate. For security reasons, an empty passphrase is not allowed.
           openssl pkcs12 -in YourCert.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
           openssl pkcs12 -in YourCert.p12 -nocerts -out $HOME/.globus/userkey.pem
  • Set the correct access mode on your userkey.pem and usercert.pem files.
           chmod 400 $HOME/.globus/userkey.pem 
           chmod 600 $HOME/.globus/usercert.pem
  • Further protection of the $HOME/.globus directory is necessary so that no one except the user can enter this directory.
           chmod go-rx $HOME/.globus
  • If the $HOME/.globus directory holding the certificate resides in an AFS home directory (e.g. lxplus), the directory has to be further secured using the AFS tools, in addition to setting the normal Unix file access permissions.
           fs setacl -dir $HOME/.globus -acl system:anyuser l
  • The user's GRID certificate (usercert.pem and userkey.pem) can be copied to any other machine to access the GRID by transporting the $HOME/.globus directory. The security measures described above have to be repeated on each machine.
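
The permission and passphrase steps above can be checked with a small audit script, which is useful after copying $HOME/.globus to another machine. This is an added example, not part of the original wiki page; the function names audit_globus and mode_of and the messages they print are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit a .globus directory against the steps on this page.
# audit_globus, mode_of and the output messages are hypothetical names.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report every deviation; return 0 only if the directory passes all checks.
audit_globus() {
    dir=$1
    bad=0
    fail() { echo "FAIL: $*"; bad=1; }

    if [ ! -d "$dir" ]; then
        fail "$dir is not a directory"
        return 1
    fi

    # chmod go-rx: neither group nor others may read or enter the directory.
    dmode=$(mode_of "$dir")
    if [ $(( 0$dmode & 055 )) -ne 0 ]; then
        fail "$dir (mode $dmode) is readable or searchable by group/others"
    fi

    # chmod 400 userkey.pem and chmod 600 usercert.pem, as given in the steps.
    for spec in userkey.pem:400 usercert.pem:600; do
        file=$dir/${spec%%:*}
        want=${spec##*:}
        if [ ! -f "$file" ]; then
            fail "$file is missing"
        elif [ "$(mode_of "$file")" != "$want" ]; then
            fail "$file has mode $(mode_of "$file"), expected $want"
        fi
    done

    # A passphrase-protected PEM key carries one of these two header lines;
    # openssl pkcs12 may print "Bag Attributes" first, so scan the whole file.
    if [ -f "$dir/userkey.pem" ] && ! grep -Eq \
        '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' \
        "$dir/userkey.pem"; then
        fail "$dir/userkey.pem is not passphrase-protected"
    fi

    [ "$bad" -eq 0 ] && echo "OK: $dir matches the documented settings"
    return "$bad"
}

# Run as: sh audit_globus.sh "$HOME/.globus"
if [ $# -gt 0 ]; then audit_globus "$1"; fi
```

The script does not inspect AFS ACLs; on an AFS home directory the fs setacl step still has to be verified separately.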