How to get a certificate at IN2P3

France delivers GRID-FR certificates. Follow strictly the procedure described at http://igc.services.cnrs.fr/GRID-FR/index.html. Once you have your certificate, usually in a .p12 format, you have to create the user certificate and user key in the .pem format: At CCIN2P3 a script alows you to extract the .pem from the .p2.

 

Obtaining personal a certificate at CCIN2P3

At CCIN2P3 a script alows you to extract the .pem from the .p2.

 

ccali29:~/.globus> import_grid_cert schutz.p12
At this stage you will be asked for:
1. the password you used for exporting your certificate.
2. the password you will need when logging into the grid.
Enter Import Password: *************
MAC verified OK
Enter PEM pass phrase: ************
Verifying password - Enter PEM pass phrase: ********
import_grid_cert: your personnal key has been written to the file 
'/afs/in2p3.fr/home/s/schutz/.globus/userkey.pem'

Please enter again the password you used for exporting your certificate.
Enter Import Password:
MAC verified OK
import_grid_cert: your personnal certificate has been written to the file
'/afs/in2p3.fr/home/s/schutz/.globus/usercert.pem'

Do you want to be registered to use the grid?[yes/no]

Elsewhere, if nothing is made available enter the command

 

openssl pkcs12 -nocerts -in $cert_file -out $keyfile
%ENDCODE

or customize the following script

%CODE{"bash"}%
#!/bin/ksh
##################################################################
# File:    import_grid_cert                                                      #
#                                                                                #
# Usage:   import_grid_cert -help                                                #
#          import_grid_cert <certificate_file>                                   #
#                                                                                #
# Description: This script has been created in order to convert a certificate    #
#              from .P12 format to .PEM format using the application OPENSSL     #
#              If the conversion is OK then the rights autorizations             #
#              are assigned to .globus repository and the *.PEM files.           #
#                                                                                #
#              Then the user is asked to be add in the grid map file.            #
#              If the answer is YES : The administrator will receive a mail      #
#              containing the login and the certificate 's subject of this user. #
#              With this mail the user will be added and have an account to      #
#              use the grid at CC.                                               #
#              If the answer is NO : The certificate is only converted.          #
#              No more is done.                                                  #
#                                                                                #
#                                                                                #
#                                                                                #
# Author:      Nadia LAJILI   
 nlajili@in2p3.fr                                   #
# IN2P3 Computer Center                                                          #
# http://www.in2p3.fr/CC Lyon  (FRANCE)                                          #
#                                                                                #
#                                                                                #
##################################################################
#creation of the .globus directory on which the certificat will be stored
#$1=this variable represented the name of the file *.p12
##################################################################
#                        R O U T I N E S                            #
##################################################################
ShowUsage()
{
programName=$1
echo "Usage: $programName [-help]"
echo "      " $programName "<certificate_file>"
echo
echo "       where <certificate_file> is the name of the *.p12 file which"
echo "       contain your certificate"
}

PrintMessage()
{
echo $programName":" $*
}

##################################################################
#                            MAIN                                   #
##################################################################
###
# Execution starts here..
###
###
# Initialize global variables
###
programName=`basename $0`
cert_file=$1
###
# if the file parameter is null or empty
###
if [ -z $cert_file ]; then
ShowUsage $programName
exit 1
fi

if [ $cert_file = "-help" -o $cert_file = "-HELP" ]; then
ShowUsage $programName
exit 1
fi

###
# Make sure the file exist, is readable and not empty
###
if [ ! -s $cert_file ]; then
PrintMessage "the file '$cert_file' does not exist or is empty"
exit 1
fi

if [ ! -r $cert_file ]; then
PrintMessage "the file '$cert_file' is not readable"
exit 1
fi

###
# Make sure we have a valid AFS token
###
isTokenAlive=`tokens | grep Expire`
if [ -z $isTokenAlive ]; then
PrintMessage "you have not a valid AFS token. Please use 'klog' to acquire one."
exit 1
fi

###
# Is the $HOME/.globus directory already created?
###
targetdirectory=$HOME/.globus
if [ ! -d $targetdirectory ]; then
mkdir $targetdirectory
fi

###
#One certificate already exists??
###
certificatefile=$targetdirectory/usercert.pem
if [ -s $certificatefile ]; then
#echo je renome1
mv $certificatefile  $certificatefile".old"
fi

keyfile=$targetdirectory/userkey.pem
if [ -s $keyfile ]; then
#echo je renome2
mv $keyfile  $keyfile".old"
fi


###
#conversion of the certificat with openssl on *.PEM
###

#echo $cert_file
echo
echo "At this stage you will be asked for:"
echo "1. the password you used for exporting your certificate."
echo "2. the password you will need when logging into the grid."

openssl pkcs12 -nocerts -in $cert_file -out $keyfile

###
#Test the return value of the openssl command
###
result=$?
if [ $result -ne 0 ]; then
PrintMessage "your personal key cannot be extracted from the supplied file. It may be corrupted."
exit 1
fi;

PrintMessage "your personnal key has been written to the file '$keyfile'"

echo
echo "Please enter again the password you used for exporting your certificate."

openssl pkcs12 -clcerts -nokeys -in $cert_file -out $certificatefile

###
#Test the return value of the openssl command
###
result=$?
if [ $result -ne 0 ]; then
PrintMessage "your personal certificate cannot be extracted from the supplied file. It may be corrupted."
exit 1
fi;
PrintMessage "your personnal certificate has been written to the file '$certificatefile'"



###
#Modifcation of the autorisations for file *.PEM and the globus directory
###
chmod 0400 $keyfile
chmod 0644 $certificatefile
chmod 0550 $targetdirectory

###
# Modification of the AFS read directory
###

fs sa $targetdirectory  system:anyuser none
#pour verification
#fs la


echo
echo "Do you want to be registered to use the grid?[yes/no]"
read rep
#echo "reponse lue : "$rep

###
# Controle of the answer typed
###

while test X$rep != "Xyes"  &&  test X$rep != "Xno"
do
echo "Do you want to be registered to use the grid?[yes/no]"
read rep
#echo "reponse lue bis : "$rep
done  ;

###
# if YES : send a mail to the site administrator with the login of the user
# and the subject of its certificate
###
globusAdministrator="
 globus-admin@cc.in2p3.fr"
if [ $rep = "yes" ]; then
subj=`openssl x509 -subject -in $certificatefile | grep subject`
login=`id -u -n`

#Copie ds un fichier temporaire
tempFile=/tmp/grid.$$
echo  $subj > $tempFile
echo "login=" $login >> $tempFile
# cat $tempFile

#Envoi du mail
mail -s "Certificat Datagrid" $globusAdministrator < $tempFile
#rm $tempFile
fi

#
# We are done
#
exit 0

The script will store your certificate and key in the $HOME/.globus directory. The access rights of the two .pem files must be as shown below.

 

-rwxr-xr-x    1 schutz   alice        3816 Nov 10 19:38 schutz.p12
-rw-r--r--    1 schutz   alice        1739 Nov 14 17:28 usercert.pem
-r--------    1 schutz   alice        1127 Nov 14 17:28 userkey.pem

Create the $HOME/.alien directory with the link as show below:

 

1 schutz   alice         659 Nov 17 10:40 Environment
1 schutz   alice          36 Nov 17 10:44 globus -> /afs/in2p3.fr/home/s/schutz/.globus/

The file Environment is not mandatory, but it is better to have it. Copy it from below and edit the ALIEN_USER name and the ALIEN_HOSTNAME:

 

ALIEN_PATH=:/afs/in2p3.fr/throng/alice/offline/alien/bin:/afs/in2p3.fr/throng/alice/offline/alien/globus/bin
ALIEN_LD_LIBRARY_PATH=/afs/in2p3.fr/throng/alice/offline/alien/globus/lib:/afs/in2p3.fr/throng/alice/offline/alien/lib
GLOBUS_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien/globus
SWIG_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
GSOAP_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
CGSI_GSOAP_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
CLASSAD_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
MYPROXY_LOCATION=/afs/in2p3.fr/throng/alice/offline/alien
ALIEN_ORGANISATION=Alice
ALIEN_USER=schutz
ALIEN_HOSTNAME=cclcgalice.in2p3.fr

Now you have to proceed with registration to LCG (from step 3) and Alice.

You are here