-
Notifications
You must be signed in to change notification settings - Fork 176
AuthentificationAuthorization
This page shows how you get your user credentials ready to be used by DIRAC. Your credentials is the mechanism used by DIRAC to identify and authenticate you as a user of the system. This section assumes that the DIRAC client is already installed.
DIRAC uses X509 digital certificates to authenticate its users. Below you will get instructions on how to install those certificates. It is assumed that you have a personal certificate issued by a trusted certification authority.
Exporting your personal certificate depends on the browser and on the operating system you are using.
-
To export your personal certificate from the browser:
-
Firefox:
Preferences -> Advanced -> View Certificates -> Select your certificate -> Backup
-
Explorer:
Tools -> Internet Options -> Content -> Certificates -> Certificates ->Import/Export
As a result you will get the certificate as a file with
.p12extension. -
-
Run
dirac-cert-convert.shscript to convert your certificate to the appropriate form:dirac-cert-convert.sh $HOME/MyCertificate.p12
Output of this command must look like:
$ dirac-cert-convert.sh $HOME/MyCertificate.p12 Creating globus directory Converting p12 key to pem format Enter Import Password: MAC verified OK Enter PEM pass phrase: Verifying - Enter PEM pass phrase: Converting p12 certificate to pem format Enter Import Password: MAC verified OK Information about your certificate: subject= /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Vanessa Hamar issuer= /C=FR/O=CNRS/CN=GRID2-FR Done
"Enter Import Password:" prompt requires the password given when the certificate was exported from the browser. It will be requested twice. The PEM pass phrase is the password associated with the created private key. This password will be requested each time you will create a proxy. Do not forget it !
-
Check that your certificate was correctly converted and placed in the
$HOME/.globusdirectory, in PEM format and with correct permissions:$ ls -la ~/.globus total 16 drwxr-xr-x 2 hamar marseill 2048 Oct 19 13:01 . drwxr-xr-x 42 hamar marseill 4096 Oct 19 13:00 .. -rw-r--r-- 1 hamar marseill 6052 Oct 19 13:00 usercert.p12 -rw-r--r-- 1 hamar marseill 1914 Oct 19 13:01 usercert.pem -r-------- 1 hamar marseill 1917 Oct 19 13:01 userkey.pem
Before running any command in the grid, it is mandatory to have a valid certificate proxy. The commands to create a valid proxy using DIRAC commands are shown below.
-
First, in the machine where the DIRAC client is installed setup the DIRAC environment running the following commands:
cd $HOME/DIRAC source bashrc
-
After the environment is set up, you are able to create your proxy with the following command:
dirac-proxy-init --group dirac_user
For example, with the additional debug option the output must be like the following:
$ dirac-proxy-init --debug --group dirac_user Enabling debug output Enter Certificate password: Proxy lifetime will be 24:00 User cert is /afs/in2p3.fr/home/h/hamar/.globus/usercert.pem User key is /afs/in2p3.fr/home/h/hamar/.globus/userkey.pem Proxy will be written to /tmp/x509up_u40885 DIRAC Group will be set to dirac_user Proxy strength will be 1024 Contacting CS... Checking DN /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Vanessa Hamar Username is vhamar Creating proxy for vhamar@dirac_user (/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Vanessa Hamar) Uploading user pilot proxy with group dirac_pilot... Loading user proxy Uploading proxy on-the-fly Cert file /afs/in2p3.fr/home/h/hamar/.globus/usercert.pem Key file /afs/in2p3.fr/home/h/hamar/.globus/userkey.pem Loading cert and key User credentials loaded Uploading... done
As a result of this command, several operations are accomplished:
- a long user proxy ( with the length of the validity of the certificate ) is uploaded to the DIRAC ProxyManager service, equivalent of the gLite MyProxy service
- a short user proxy is created with the DIRAC extension carrying the DIRAC group name and with the VOMS extension corresponding to the DIRAC group if the gLite UI environment is available.
If the gLite UI environment is not available, the VOMS extensions will not be loaded into the proxy. This is not a serious problem, still most of the operations will be possible.
-
Check that your proxy was correctly created and the DIRAC group and the VOMS extension are set correctly, running the command:
dirac-proxy-info
For example:
$ dirac-proxy-info subject : /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Vanessa Hamar/CN=proxy/CN=proxy issuer : /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Vanessa Hamar/CN=proxy identity : /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Vanessa Hamar timeleft : 23:53:55 DIRAC group : dirac_user path : /tmp/x509up_u40885 username : vhamar VOMS : True VOMS fqan : ['/vo.formation.idgrilles.fr']
-
At this moment, your proxy must be uploaded to the ProxyManager service. To check that:
dirac-proxy-get-uploaded-info
In this case the output shows user DN, group, expiration time and persistency flag:
$ dirac-proxy-get-uploaded-info Checking for DNs /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Vanessa Hamar -------------------------------------------------------------------------------------------------------- | UserDN | UserGroup | ExpirationTime | PersistentFlag | -------------------------------------------------------------------------------------------------------- | /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Vanessa Hamar | dirac_user | 2011-06-29 12:04:25 | True | --------------------------------------------------------------------------------------------------------
-
The same can be checked in the Web Portal at the following location:
Systems -> Framework -> Manage Proxy
Using the portal you have the option to delete your proxies.