NOTE: please follow the instructions here instead - the rest of this page is obsolete!
France delivers GRID-FR certificates. Follow strictly the procedure described at http://igc.services.cnrs.fr/GRID-FR/index.html. Once you have your certificate, usually in .p12 format, you have to create the user certificate and user key in .pem format.
Obtaining a personal certificate at CCIN2P3
At CCIN2P3 a script allows you to extract the .pem files from the .p12.
ccali29:~/.globus> import_grid_cert schutz.p12
At this stage you will be asked for:
1. the password you used for exporting your certificate.
2. the password you will need when logging into the grid.
Enter Import Password: *************
MAC verified OK
Enter PEM pass phrase: ************
Verifying password - Enter PEM pass phrase: ********
import_grid_cert: your personnal key has been written to the file '/afs/in2p3.fr/home/s/schutz/.globus/userkey.pem'
Please enter again the password you used for exporting your certificate.
Enter Import Password:
MAC verified OK
import_grid_cert: your personnal certificate has been written to the file '/afs/in2p3.fr/home/s/schutz/.globus/usercert.pem'
Do you want to be registered to use the grid?[yes/no]
Elsewhere, if no such script is available, enter the command
%CODE{"bash"}%
openssl pkcs12 -nocerts -in $cert_file -out $keyfile
%ENDCODE%
or customize the following script
%CODE{"bash"}%
#!/bin/ksh
##################################################################
# File: import_grid_cert
#
# Usage: import_grid_cert -help
#        import_grid_cert <certificate_file>
#
# Description: This script converts a certificate from .P12 format
#   to .PEM format using OpenSSL.
#   If the conversion succeeds, access rights are set on the
#   .globus directory and the *.PEM files.
#
#   The user is then asked whether to be added to the grid map file.
#   If the answer is YES: the administrator receives a mail
#   containing the login and the certificate subject of this user.
#   With this mail the user will be added and have an account to
#   use the grid at CC.
#   If the answer is NO: the certificate is only converted.
#   Nothing more is done.
#
# Author: Nadia LAJILI nlajili@in2p3.fr
#         IN2P3 Computer Center
#         http://www.in2p3.fr/CC Lyon (FRANCE)
##################################################################
# The certificate is stored in the .globus directory, created if needed.
# $1 = name of the *.p12 file
##################################################################
#                      R O U T I N E S
##################################################################
# Print the command-line usage
ShowUsage()
{
    programName=$1
    echo "Usage: $programName [-help]"
    echo " " "$programName" "<certificate_file>"
    echo
    echo " where <certificate_file> is the name of the *.p12 file which"
    echo " contain your certificate"
}
# Print a message prefixed with the program name
PrintMessage()
{
    echo "$programName:" "$*"
}
##################################################################
# MAIN #
##################################################################
###
# Execution starts here..
###
###
# Initialize global variables
###
programName=`basename "$0"`
cert_file=$1
###
# if the file parameter is null or empty
###
if [ -z "$cert_file" ]; then
    ShowUsage "$programName"
    exit 1
fi
if [ "$cert_file" = "-help" ] || [ "$cert_file" = "-HELP" ]; then
    ShowUsage "$programName"
    exit 1
fi
###
# Make sure the file exists, is readable and not empty
###
if [ ! -s "$cert_file" ]; then
    PrintMessage "the file '$cert_file' does not exist or is empty"
    exit 1
fi
if [ ! -r "$cert_file" ]; then
    PrintMessage "the file '$cert_file' is not readable"
    exit 1
fi
###
# Make sure we have a valid AFS token
###
isTokenAlive=`tokens | grep Expire`
if [ -z "$isTokenAlive" ]; then
    PrintMessage "you have not a valid AFS token. Please use 'klog' to acquire one."
    exit 1
fi
###
# Is the $HOME/.globus directory already created?
###
targetdirectory=$HOME/.globus
if [ ! -d "$targetdirectory" ]; then
    mkdir "$targetdirectory"
fi
###
# Does a certificate already exist? If so, keep it as *.old
###
certificatefile=$targetdirectory/usercert.pem
if [ -s "$certificatefile" ]; then
    #echo renaming1
    mv "$certificatefile" "$certificatefile.old"
fi
keyfile=$targetdirectory/userkey.pem
if [ -s "$keyfile" ]; then
    #echo renaming2
    mv "$keyfile" "$keyfile.old"
fi
###
# Conversion of the certificate to *.PEM with openssl
###
#echo $cert_file
echo
echo "At this stage you will be asked for:"
echo "1. the password you used for exporting your certificate."
echo "2. the password you will need when logging into the grid."
# Create the key file without group/other access from the start
umask 077
openssl pkcs12 -nocerts -in "$cert_file" -out "$keyfile"
###
# Test the return value of the openssl command
###
result=$?
if [ $result -ne 0 ]; then
    PrintMessage "your personal key cannot be extracted from the supplied file. It may be corrupted."
    exit 1
fi
PrintMessage "your personnal key has been written to the file '$keyfile'"
echo
echo "Please enter again the password you used for exporting your certificate."
openssl pkcs12 -clcerts -nokeys -in "$cert_file" -out "$certificatefile"
###
# Test the return value of the openssl command
###
result=$?
if [ $result -ne 0 ]; then
    PrintMessage "your personal certificate cannot be extracted from the supplied file. It may be corrupted."
    exit 1
fi
PrintMessage "your personnal certificate has been written to the file '$certificatefile'"
###
# Set the access rights of the *.PEM files and the globus directory
###
chmod 0400 "$keyfile"
chmod 0644 "$certificatefile"
chmod 0550 "$targetdirectory"
###
# Remove AFS access to the directory for system:anyuser
###
fs sa "$targetdirectory" system:anyuser none
# for verification
#fs la
echo
echo "Do you want to be registered to use the grid?[yes/no]"
read rep
#echo "answer read: "$rep
###
# Check the answer typed
###
while test "X$rep" != "Xyes" && test "X$rep" != "Xno"
do
    echo "Do you want to be registered to use the grid?[yes/no]"
    read rep
    #echo "answer read again: "$rep
done
###
# if YES : send a mail to the site administrator with the login of the user
# and the subject of their certificate
###
globusAdministrator="globus-admin@cc.in2p3.fr"
if [ "$rep" = "yes" ]; then
    subj=`openssl x509 -subject -in "$certificatefile" | grep subject`
    login=`id -u -n`
    # Copy into a temporary file (mktemp avoids a predictable name in /tmp)
    tempFile=`mktemp /tmp/grid.XXXXXX` || exit 1
    echo "$subj" > "$tempFile"
    echo "login=" "$login" >> "$tempFile"
    # cat $tempFile
    # Send the mail
    mail -s "Certificat Datagrid" "$globusAdministrator" < "$tempFile"
    rm -f "$tempFile"
fi
#
# We are done
#
exit 0
%ENDCODE%
The script will store your certificate and key in the $HOME/.globus directory. The access rights of the two .pem files must be as shown below.
-rwxr-xr-x 1 schutz alice 3816 Nov 10 19:38 schutz.p12
-rw-r--r-- 1 schutz alice 1739 Nov 14 17:28 usercert.pem
-r-------- 1 schutz alice 1127 Nov 14 17:28 userkey.pem
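A check of the layout above, as an added example that is not part of the original page or of the CCIN2P3 script. The function name check_globus_creds is an assumption; it verifies the two mode strings from the listing, that userkey.pem is passphrase-protected, and that the world-readable usercert.pem carries no key material.

```shell
#!/bin/sh
# Added example: audit the .globus directory after a .p12 -> .pem conversion.
# check_globus_creds is a hypothetical helper, not part of import_grid_cert.

check_globus_creds() {
    dir=${1:-$HOME/.globus}
    rc=0
    # file:expected-mode pairs, taken from the listing on this page
    for spec in "userkey.pem:-r--------" "usercert.pem:-rw-r--r--"; do
        name=${spec%%:*}
        want=${spec#*:}
        f=$dir/$name
        # Refuse symlinks: the mode of a link says nothing about its target.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FAIL $name: missing or not a regular file"
            rc=1
            continue
        fi
        # The first 10 characters of ls -l are file type + permission bits;
        # a possible 11th character (ACL/SELinux marker) is ignored.
        have=$(ls -ld "$f" | cut -c1-10)
        if [ "$have" != "$want" ]; then
            echo "FAIL $name: mode $have, expected $want"
            rc=1
        fi
    done
    # openssl pkcs12 without -nodes writes an encrypted key. Both PEM styles
    # ("BEGIN ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED") contain
    # the word ENCRYPTED; its absence means the key is stored in clear.
    if [ -f "$dir/userkey.pem" ] && ! grep -q 'ENCRYPTED' "$dir/userkey.pem"; then
        echo "FAIL userkey.pem: private key is not passphrase-protected"
        rc=1
    fi
    # usercert.pem is world-readable, so it must not contain a private key.
    if [ -f "$dir/usercert.pem" ] && grep -q 'PRIVATE KEY' "$dir/usercert.pem"; then
        echo "FAIL usercert.pem: contains a private key"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $dir"
    return $rc
}
```

Called without an argument, the function audits $HOME/.globus and returns non-zero if any check fails.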
Create the $HOME/.alien directory with the link as shown below:
1 schutz alice 659 Nov 17 10:40 Environment
1 schutz alice 36 Nov 17 10:44 globus -> /afs/in2p3.fr/home/s/schutz/.globus/
The file Environment is not mandatory, but it is better to have it. Copy it from below and edit the ALIEN_USER name and the ALIEN_HOSTNAME:
ALIEN_PATH=:/afs/in2p3.fr/throng/alice/offline/alien/bin:/afs/in2p3.fr/throng/alice/offline/alien/globus/bin
ALIEN_LD_LIBRARY_PATH=/afs/in2p3.fr/throng/alice/offline/alien/globus/lib:/afs/in2p3.fr/throng/alice/offline/alien/lib
GLOBUS_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien/globus
SWIG_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
GSOAP_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
CGSI_GSOAP_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
CLASSAD_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
MYPROXY_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
ALIEN_ORGANISATION=Alice
ALIEN_USER=schutz
ALIEN_HOSTNAME=cclcgalice.in2p3.fr
Now you have to proceed with registration to LCG (from step 3) and Alice.