Most plug-ins of gPlazma support X.509 certificates for authentication and authorisation. X.509 certificates are used to identify entities (e.g., persons, hosts) on the Internet. Each certificate contains a DN (Distinguished Name) that uniquely describes the entity. To give the certificate credibility it is issued by a CA (Certificate Authority), which checks the identity of the requester when the certificate is requested (e.g., by checking the person's ID). To use X.509 certificates with dCache, your users have to request a certificate from a CA you trust, and you need a host certificate for every host of your dCache instance.
    
To be able to locally verify the validity of the certificates, you need to store the CA certificates on your system. Most operating systems come with a number of commercial CA certificates, but for the Grid you will need the certificates of the Grid CAs. For this, CERN packages a number of CA certificates. These are deployed by most grid sites. By deploying these certificates, you state that you trust the CA’s procedure for the identification of individuals and you agree to act promptly if there are any security issues.
To install the CERN CA certificates, follow these steps:
[root] # cd /etc/yum.repos.d/
[root] # wget http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/lcg-CA.repo
[root] # yum install lcg-CA
This will create the directory /etc/grid-security/certificates, which contains the Grid CA certificates.
Certificates which have been revoked are collected in certificate revocation lists (CRLs). To get the CRLs install the fetch-crl command as described below.
[root] # yum install fetch-crl
[root] # /usr/sbin/fetch-crl
fetch-crl adds X.509 CRLs to /etc/grid-security/certificates. It is recommended to set up a cron job to periodically update the CRLs.
If you do not have a valid grid user certificate yet, you have to request one from your CA. Follow the instructions from your CA on how to get a certificate. After your request has been accepted you will get a URL pointing to your new certificate. Install it into your browser to be able to access grid resources with it. Once you have the certificate in your browser, make a backup and name it userCertificate.p12. Copy the user certificate to the directory ~/.globus/ on your worker node and convert it to usercert.pem and userkey.pem as described below.
[user] $ openssl pkcs12 -clcerts -nokeys -in <userCertificate>.p12 -out usercert.pem
Enter Import Password:
MAC verified OK
During the backup your browser asked you for a password to encrypt the certificate. Enter this password here when asked for a password. This will create your user certificate.
[user] $ openssl pkcs12 -nocerts -in <userCertificate>.p12 -out userkey.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
In this step you need to enter the backup password again. When asked for the PEM pass phrase, choose a secure password. If you want to use your key without having to type in the pass phrase every time, you can remove it by executing the following command.
[root] # openssl rsa -in userkey.pem -out userkey.pem
Enter pass phrase for userkey.pem:
writing RSA key
Now change the file permissions so that the key is readable only by you, and the certificate is world-readable but writable only by you.
[root] # chmod 400 userkey.pem
[root] # chmod 644 usercert.pem
To request a host certificate for your server host, again follow the instructions of your CA. The conversion to hostcert.pem and hostkey.pem works analogously to the user certificate. For the hostkey you have to remove the pass phrase; how to do this is explained in the previous section. Finally, copy the host*.pem files to /etc/grid-security/ as root and change the file permissions in favour of the user running the grid application.
For very large groups of people, it is often more convenient to authorise people based on their membership of some group. To identify that they are a member of some group, the certificate owner can create a new short-lived X.509 certificate that includes their membership of various groups. This short-lived certificate is called a proxy certificate and, if the membership information comes from a VOMS server, it is often referred to as a VOMS proxy.
Install the VOMS client tools:
[root] # cd /etc/yum.repos.d/
[root] # wget http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-UI.repo
[root] # yum install glite-security-voms-clients
To create a VOMS proxy for your user certificate, run voms-proxy-init as a normal user.
Example:
[user] $ export PATH=/opt/glite/bin/:$PATH
[user] $ voms-proxy-init
Enter GRID pass phrase:
Your identity: /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
Creating proxy ........................................................................ Done
Your proxy is valid until Mon Mar 7 22:06:15 2011
You can certify your membership of a VO by using the command voms-proxy-init -voms <yourVO>. This is useful because in dCache authorization can be done by VO (see the section called “Authorizing a VO”). To be able to use the extension -voms <yourVO> you need to be able to access VOMS servers. To this end you need the VOMS server’s DN and the CA’s DN. Create a file /etc/grid-security/vomsdir/<VO>/<hostname>.lsc per VOMS server, containing on the first line the VOMS server’s DN and on the second line the corresponding CA’s DN. The name of this file should be the fully qualified hostname followed by an .lsc extension, and the file must appear in a subdirectory /etc/grid-security/vomsdir/<VO> for each VO that is supported by that VOMS server and by the site.
At http://operations-portal.egi.eu/vo you can search for a VO and find this information.
Example:
The file /etc/grid-security/vomsdir/desy/grid-voms.desy.de.lsc contains:
/C=DE/O=GermanGrid/OU=DESY/CN=host/grid-voms.desy.de
/C=DE/O=GermanGrid/CN=GridKa-CA
where the first line is the DN of the DESY VOMS server and the second line is the DN of the CA which signed the DESY VOMS server’s certificate.
In addition, you need to have a file /opt/glite/etc/vomses containing your VO’s VOMS server.
Example:
For DESY the file /opt/glite/etc/vomses should contain the entry
"desy" "grid-voms.desy.de" "15104" "/C=DE/O=GermanGrid/OU=DESY/CN=host/grid-voms.desy.de" "desy" "24"
The first entry, “desy”, is the real name or a nickname of your VO. “grid-voms.desy.de” is the hostname of the VOMS server. The number “15104” is the port the server is listening on. The fourth entry is the DN of the server’s VOMS certificate. The fifth entry, “desy”, is the VO name, and the last entry is the globus version number, which is not used any more and can be omitted.
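The two files just described have a simple but unforgiving layout: a wrong DN in an .lsc file or a malformed vomses line makes voms-proxy-init fail to contact or trust the server. The following parser and consistency check is an added example, not code from dCache or the VOMS client tools. It embeds the DESY .lsc and vomses contents from the text as constructed sample data; the /etc/grid-security/vomsdir path comes from the text, while the assumption that a VOMS server DN ends in /CN=host/<fqdn> is taken from the DESY example and may not hold for every CA.

```python
"""Parse and cross-check the two VOMS client configuration files described
above: a per-server ``.lsc`` file under /etc/grid-security/vomsdir/<VO>/
and the ``vomses`` file.  This is an added example, not code from dCache
or the VOMS client tools."""
from __future__ import annotations

import shlex
from dataclasses import dataclass

VOMSDIR = "/etc/grid-security/vomsdir"

# Constructed sample content, copied from the DESY example in the text.
SAMPLE_LSC = (
    "/C=DE/O=GermanGrid/OU=DESY/CN=host/grid-voms.desy.de\n"
    "/C=DE/O=GermanGrid/CN=GridKa-CA\n"
)
SAMPLE_VOMSES = (
    '"desy" "grid-voms.desy.de" "15104" '
    '"/C=DE/O=GermanGrid/OU=DESY/CN=host/grid-voms.desy.de" "desy" "24"\n'
)


@dataclass(frozen=True)
class VomsesEntry:
    alias: str      # VO name or nickname (1st field)
    host: str       # VOMS server hostname (2nd field)
    port: int       # port the server listens on (3rd field)
    server_dn: str  # DN of the server's VOMS certificate (4th field)
    vo: str         # VO name (5th field); the optional 6th field (globus version) is ignored


def lsc_path(vo: str, host: str) -> str:
    """Where the .lsc file for this VO/server pair must live."""
    return f"{VOMSDIR}/{vo}/{host}.lsc"


def parse_lsc(text: str) -> tuple[str, str]:
    """Return (server_dn, ca_dn); an .lsc file is exactly two DN lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected 2 DN lines in .lsc file, got {len(lines)}")
    for dn in lines:
        if not dn.startswith("/"):
            raise ValueError(f"not an OpenSSL-style DN: {dn!r}")
    return lines[0], lines[1]


def parse_vomses(text: str) -> list[VomsesEntry]:
    """Parse vomses lines; fields are double-quoted and the 6th is optional."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the double quotes around each field
        if len(fields) not in (5, 6):
            raise ValueError(f"vomses line {lineno}: expected 5 or 6 fields, got {len(fields)}")
        alias, host, port, server_dn, vo = fields[:5]
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"vomses line {lineno}: bad port {port!r}")
        entries.append(VomsesEntry(alias, host, int(port), server_dn, vo))
    return entries


def check_consistency(entry: VomsesEntry, lsc_text: str) -> list[str]:
    """Cross-check one vomses entry against the matching .lsc content.

    Assumption: the server DN ends in '/CN=host/<fqdn>' as in the DESY example;
    CAs that name host certificates differently need that test adjusted.
    """
    server_dn, ca_dn = parse_lsc(lsc_text)
    problems = []
    if server_dn != entry.server_dn:
        problems.append("server DN in .lsc differs from the vomses entry")
    if not server_dn.endswith(f"/CN=host/{entry.host}"):
        problems.append("server DN does not name the vomses hostname")
    if server_dn == ca_dn:
        problems.append("server DN and CA DN are identical (CA line missing?)")
    return problems


if __name__ == "__main__":
    for entry in parse_vomses(SAMPLE_VOMSES):
        print(lsc_path(entry.vo, entry.host), check_consistency(entry, SAMPLE_LSC) or "ok")
```

On a real system, read each vomses entry, open the file that lsc_path() names and pass its content to check_consistency(); an empty list means the two files agree.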
Example:
Use the command voms-proxy-init -voms desy to create a VOMS proxy with VO “desy”.
[user] $ voms-proxy-init -voms desy
Enter GRID pass phrase:
Your identity: /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
Creating temporary proxy ....................................................... Done
Contacting grid-voms.desy.de:15104 [/C=DE/O=GermanGrid/OU=DESY/CN=host/grid-voms.desy.de] "desy" Done
Creating proxy .................................... Done
Your proxy is valid until Mon Mar 7 23:52:13 2011
View the information about your VOMS proxy with voms-proxy-info:
[user] $ voms-proxy-info
subject   : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe/CN=proxy
issuer    : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
identity  : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u500
timeleft  : 11:28:02
The last line tells you how much longer your proxy will be valid.
If your proxy has expired you will get:
[user] $ voms-proxy-info
subject   : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe/CN=proxy
issuer    : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
identity  : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u500
timeleft  : 0:00:00
The command voms-proxy-info -all gives you information about the proxy and about the VO.
[user] $ voms-proxy-info -all
subject   : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe/CN=proxy
issuer    : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
identity  : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u500
timeleft  : 11:24:57
=== VO desy extension information ===
VO        : desy
subject   : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
issuer    : /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-voms.desy.de
attribute : /desy/Role=NULL/Capability=NULL
attribute : /desy/test/Role=NULL/Capability=NULL
timeleft  : 11:24:57
uri       : grid-voms.desy.de:15104
Use the command voms-proxy-destroy to destroy your VOMS proxy.
[user] $ voms-proxy-destroy
[user] $ voms-proxy-info
Couldn't find a valid proxy.
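The voms-proxy-info output shown above is what a job wrapper or monitoring script has to interpret before relying on a proxy: the proxy lifetime, the separate lifetime of the VO extension (which can run out earlier), the all-zero timeleft of an expired proxy, and the "Couldn't find a valid proxy." message after voms-proxy-destroy. The following checker is an added example, not code from dCache or the VOMS tools. It parses captured output rather than running the command, so it works offline; the sample outputs are constructed from the listings above, and the one-hour renewal threshold is an assumption of the example.

```python
"""Interpret voms-proxy-info output: how long the proxy and its VO
extension remain valid, and whether the proxy needs renewing.  Added
example, not code from dCache or the VOMS tools."""
from __future__ import annotations

import re

# Constructed samples, copied from the voms-proxy-info output shown in the text.
SAMPLE_VALID = """\
subject   : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe/CN=proxy
issuer    : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
identity  : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u500
timeleft  : 11:28:02
"""
SAMPLE_EXPIRED = SAMPLE_VALID.replace("11:28:02", "0:00:00")
SAMPLE_ALL = SAMPLE_VALID.replace("11:28:02", "11:24:57") + """\
=== VO desy extension information ===
VO        : desy
subject   : /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
issuer    : /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-voms.desy.de
attribute : /desy/Role=NULL/Capability=NULL
attribute : /desy/test/Role=NULL/Capability=NULL
timeleft  : 11:24:57
uri       : grid-voms.desy.de:15104
"""
SAMPLE_NONE = "Couldn't find a valid proxy.\n"

_VO_HEADER = re.compile(r"^=== VO (\S+) extension information ===$")


def parse_proxy_info(text: str) -> dict:
    """Return {'proxy': {...}, 'vos': {vo_name: {...}}}.

    'attribute' lines repeat, so they are collected into a list."""
    info: dict = {"proxy": {}, "vos": {}}
    current = info["proxy"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Couldn't find a valid proxy"):
            continue  # no proxy: leave info['proxy'] empty
        header = _VO_HEADER.match(line)
        if header:
            current = info["vos"].setdefault(header.group(1), {})
            continue
        if ":" not in line:
            raise ValueError(f"unrecognised voms-proxy-info line: {line!r}")
        # split on the first colon only: DNs, URIs and H:MM:SS values contain more
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "attribute":
            current.setdefault("attributes", []).append(value)
        else:
            current[key] = value
    return info


def timeleft_seconds(value: str) -> int:
    """Convert the H:MM:SS 'timeleft' field to seconds."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def proxy_status(text: str, min_seconds: int = 3600, required_vo: str | None = None) -> str:
    """Classify the proxy as 'no-proxy', 'expired', 'missing-vo', 'renew' or 'ok'.

    The VO extension carries its own timeleft and can expire before the proxy
    itself, so the shortest lifetime of either decides whether to renew.
    min_seconds (default one hour) is this example's assumed threshold.
    """
    info = parse_proxy_info(text)
    if "timeleft" not in info["proxy"]:
        return "no-proxy"
    lifetimes = [timeleft_seconds(info["proxy"]["timeleft"])]
    if lifetimes[0] == 0:
        return "expired"
    if required_vo is not None and required_vo not in info["vos"]:
        return "missing-vo"
    lifetimes += [timeleft_seconds(vo["timeleft"]) for vo in info["vos"].values() if "timeleft" in vo]
    return "renew" if min(lifetimes) < min_seconds else "ok"


if __name__ == "__main__":
    for name, sample in [("valid", SAMPLE_VALID), ("expired", SAMPLE_EXPIRED),
                         ("all", SAMPLE_ALL), ("none", SAMPLE_NONE)]:
        print(name, proxy_status(sample, required_vo="desy"))
```

Feed it the output of voms-proxy-info -all rather than plain voms-proxy-info when a VO is required; without -all the VO section is absent and proxy_status() reports "missing-vo" even for a valid VOMS proxy.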