RequestingCertificates

Prerequisites:

1) $GLOBUS_LOCATION / %GLOBUS_LOCATION% should be set to the directory where Globus is installed (e.g. c:\gt4 or /etc/globus)

2) Training CA hash and signing policy should be present in grid-security directory (either /etc/grid-security/certificates or c:\etc\grid-security\certificates) - These files are available at: http://sites.google.com/site/phgrid/Home/installation-procedurs/ncphilabsimplecainfo

Requesting Host Certificates

Host certificates are provided as a means of securing access to grid services. The procedure below will guide you through the process of requesting a certificate from a trusted Certificate Authority. Setting up a Simple Certificate authority is out of scope for this document. Note: This section assumes the certificates were installed in the /etc/grid-security directory, so replace /etc/grid-security with whatever directory you established for grid security.

Windows

Request the new certificate by running the following commands:

1) %GLOBUS_LOCATION%\bin\grid-cert-request -host [hostname] -int

This will enter interactive mode for generating a request.

2) Enter CA email address: "DWashington1@cdc.gov"

3) Enter name component: "o"

Enter 'O' value: "PHGRID"

4) Enter name component: "ou"

Enter 'OU' value: "phgrid.net"

5) Enter name component: "ou"

Enter 'OU' value: "Globus Public Health NCPHI"

6) Enter name component: "cn"

Enter 'CN' value: "[fully qualified host name-e.g. hostname.domainname.gov]"

7) Enter name component: [hit enter]

8) Email the resulting C:\Documents and Settings\[username]\.globus\hostcert_request.pem to DWashington1@cdc.gov

9) Copy the pem file you receive from NCPHI to c:\etc\grid-security\containercert.pem

10) Copy the hostkey.pem file from c:\Documents and Settings\[username]\.globus\hostkey.pem to c:\etc\grid-security\hostkey.pem (generated along with hostcert_request.pem in step #7)

11) Copy the c:\etc\grid-security\hostkey.pem file to c:\etc\grid-security\containerkey.pem

12) Run the following command to validate correct host certificate installation: (this requires you have copied the hash and signing policy as described earlier in the install instructions)

openssl verify -CApath c:\etc\grid-security\certificates -purpose sslserver c:\etc\grid-security\containercert.pem

You should get a message like: "c:\etc\grid-security\containercert.pem: OK" if the verification is successful.

Unix/Linux/Mac

Login as the root user

Source the globus-user-env.sh file to set up the environment variables:

source $GLOBUS_LOCATION/etc/globus-user-env.sh

Request the new certificate by running the following command:

$GLOBUS_LOCATION/bin/grid-cert-request -host [enter_hostname]

Email the resulting /etc/grid-security/hostcert_request.pem file to: DWashington1@cdc.gov

Note: If the grid machine has mail configured, you may run the following command to email the certificate: cat /etc/grid-security/hostcert_request.pem | mail DWashington1@cdc.gov

Copy the pem file you receive from NCPHI to /etc/grid-security/hostcert.pem

Copy the /etc/grid-security/hostcert.pem file to /etc/grid-security/containercert.pem

Copy the /etc/grid-security/hostkey.pem file to /etc/grid-security/containerkey.pem

Run the following command to validate correct host certificate installation:

openssl verify -CApath /etc/grid-security/certificates -purpose sslserver /etc/grid-security/containercert.pem
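A post-install check for the Unix host steps above, as an added example that is not part of the original page: it confirms that the container key belongs to the container certificate, that the key file is closed to group and other, and that the certificate has not expired. The function names are hypothetical, and the key is assumed to be stored without a pass phrase.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for an installed
# certificate/key pair. Function names are hypothetical.

# key_is_private KEY: true only if group and other have no access at all.
key_is_private() {
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# key_matches_cert CERT KEY: true only if both files hold the same public key.
# Assumption: KEY is not pass-phrase protected (otherwise openssl would prompt).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_not_expired CERT: true if the certificate's notAfter date has not passed.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# check_pair CERT KEY: run all checks, report each failure, return 0 if clean.
check_pair() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    key_is_private "$2" || { echo "FAIL: $2 is accessible to group/other"; rc=1; }
    cert_not_expired "$1" || { echo "FAIL: $1 has expired"; rc=1; }
    return $rc
}

# With no arguments the script only defines the functions. Typical call:
#   sh check_pair.sh /etc/grid-security/containercert.pem \
#                    /etc/grid-security/containerkey.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" && echo "OK: $1 / $2"
fi
```

A key mismatch usually means the certificate returned by the CA was issued for a different request than the one whose hostkey.pem is on this machine.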

Requesting User Certificates

All users are required to have a valid certificate before they can access the grid. Follow the procedures below to request a user certificate.

Windows:

Run the following commands to request a user certificate:

1) %GLOBUS_LOCATION%\bin\grid-cert-request -int

This will enter interactive mode for generating a request.

2) Enter CA email address: "DWashington1@cdc.gov"

3) Enter name component: "o"

Enter 'O' value: "PHGRID"

4) Enter name component: "ou"

Enter 'OU' value: "phgrid.net"

5) Enter name component: "ou"

Enter 'OU' value: "Globus Public Health NCPHI"

6) Enter name component: "ou"

Enter 'OU' value: "phgrid.net"

7) Enter name component: "cn"

Enter 'CN' value: "[Windows userid-e.g. bgates]"

8) Enter name component: [hit enter]

9) Enter PEM pass phrase: [enter difficult to guess pass phrase]

10) Email the resulting C:\Documents and Settings\[username]\.globus\usercert_request.pem to DWashington1@cdc.gov

11) Copy the usercert.pem file you receive from Dan to c:\Documents and Settings\[username]\.globus\usercert.pem (overwriting the existing file)

12) Run %GLOBUS_LOCATION%\bin\grid-proxy-init.bat to test successful installation of the certificate

(optional if errors occur in step #12) 13) Run the following command to validate correct user certificate installation: (this requires that you have copied the hash and signing policy as described earlier in the install instructions)

openssl verify -CApath c:\etc\grid-security\certificates -purpose sslclient "c:\Documents and Settings\[username]\.globus\usercert.pem"

You should get a message like: "c:\Documents and Settings\[username]\.globus\usercert.pem : OK" if the verification is successful.

Unix/Linux/Mac:

1) Login as a non-root user

2) Enter the command to set $GLOBUS_LOCATION to wherever you installed Globus (e.g. "export GLOBUS_LOCATION=/opt/vdt/globus")

3) source $GLOBUS_LOCATION/etc/globus-user-env.sh

4) Run the following command to request a user certificate:

/opt/vdt/globus/bin/grid-cert-request

Note: Should you get an error about the CA email address not being set, follow the instructions for requesting a certificate using interactive mode as described above in the Windows steps.

5) Choose a pass phrase and enter it at the pass phrase prompt.

6) Email the resulting ~/.globus/usercert_request.pem to DWashington1@cdc.gov

Note: If the grid machine has mail configured, you may run the following command to email the certificate: cat ~/.globus/usercert_request.pem | mail DWashington1@cdc.gov

7) Copy the pem file you receive from Dan to ~/.globus/usercert.pem

8) Run $GLOBUS_LOCATION/bin/grid-proxy-init to test successful installation of the certificate

(optional if errors occur in step #8) 9) Run the following command to validate certificate installation:

openssl verify -CApath <CA certificates path> -purpose sslclient ~/.globus/usercert.pem

(<CA certificates path> is typically either /etc/grid-security/certificates or ~/.globus/certificates)
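A pre-send check for the request file that gets emailed in the steps above (usercert_request.pem or hostcert_request.pem), as an added example that is not part of the original page: it refuses a file that carries private key material, confirms the request's self-signature, and prints the subject so it can be compared with the O/OU/CN values entered. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): inspect a certificate request
# before mailing it to the CA. Function names are hypothetical.

# request_is_safe FILE: true if FILE is a well-formed request with a valid
# self-signature and contains no private key block.
request_is_safe() {
    req=$1
    # The private key must stay on this machine; only the request is sent.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$req" 2>/dev/null; then
        echo "FAIL: $req contains a private key; do not send it"
        return 1
    fi
    # -verify checks the request's self-signature. The success message is
    # matched in the output because exit codes differ between OpenSSL versions.
    if ! openssl req -in "$req" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: $req is not a valid certificate request"
        return 1
    fi
    return 0
}

# request_subject FILE: print the subject DN for comparison with the values
# entered at the grid-cert-request prompts.
request_subject() {
    openssl req -in "$1" -noout -subject
}

# With no arguments the script only defines the functions. Typical call:
#   sh check_request.sh ~/.globus/usercert_request.pem
if [ "$#" -eq 1 ]; then
    request_is_safe "$1" && request_subject "$1"
fi
```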