Difference between revisions of "PRACE User Support"

From: KIFÜ Wiki

Revision as of 12:19, 24 June 2013

User Guide to obtain a digital certificate

This document gives a short overview of how users can request a digital certificate from NIIF CA once the pre-registration form has been filled in.

This guide is valid only for Hungarian users.

If you are from another country and would like to get a certificate, you can find your country's certification authority here: http://www.eugridpma.org/members/worldmap/


Installing NIIF CA root certificate

The first step is to download the "root certificate" (the "NIIF CA Root Certificate" part) in the format understood by the browser or other SSL-using program in question. The browser asks whether to install/accept the certificate; accept or install it in every case. In addition, activate or allow the option that permits the browser to use the certificate to authenticate websites. Without that, the CA's web interface cannot be reached over the secure protocol (https). The downloaded/installed certificate can be found in the certificate management module of the browser.


Request a certificate

Request a certificate with openssl

  • Sign in to the certificate registration website of the NIIF CA with the email address and password stored in the directory.
  • This site uses a secure protocol (https), which the browser often flags with a warning window; acknowledge these.
  • On the opening page, which is the public web interface of the CMS certificate management software, choose the "OpenSSL kliens kérelem benyújtása (PKCS#10)" (submit an OpenSSL client request) option. This leads to the datasheet, which must be filled in in accordance with the printed datasheet. First, choose the field that corresponds to the purpose of the request (CSIRT, GRID, NIIF felhasználó, Független kutató, HBONE).
  • Paste the public part of the request (the PKCS#10 CSR) into the "PKCS#10" field. A user guide on how to create a PKCS#10 certificate request with openssl that meets the NIIF CA requirements follows below.
  • A Challenge password and a Request password must be given; both must be at least 8 characters long. Note them down, because they are needed to revoke the certificate and for the personal authentication.
  • Fill in the other fields (name, email address, phone, organisation), and if there is anything the CA operator should know, put it in the last field. When everything is done, after a final check, click the Elküld ("send") button at the bottom of the page.
  • If the PKCS#10 upload succeeds, a page opens confirming the successful certificate request.

User Guide to create a PKCS#10 digital certification request with openssl

This paragraph gives a short overview of how users can request a digital certificate from NIIF CA using openssl with the PKCS#10 format. The latest version of the openssl program can be downloaded from: Windows, Linux.

1. Download the openssl configuration file
To generate the CSR, there is a prewritten niif_ca_user_openssl.cnf file on the NIIF CA website.
The following modifications must be made in the config:


   #purpose of the certificate

   1.organizationalUnitName = Organizational Unit Name
   1.organizationalUnitName_default = GRID # For example: GRID, HBONE, General Purpose
   2.organizationalUnitName = Second Organizational Unit Name
   2.organizationalUnitName_default = NIIF # For example: BME, ELTE, SZFKI, SZTAKI, NIIF, ...
   commonName = Common Name (YOUR name) # User Name.
   commonName_max = 64


2. Create the PKCS#10 request
  • No existing private key:

Run the

   openssl req -newkey rsa:1024 -config ./niif_ca_user_openssl.cnf -out new_csr.pem 

command, and answer the questions that appear at the prompt. The institute (NIIF CA) and country (HU) data must not be changed, otherwise the request will be invalid. The certificate request and the corresponding private key are saved in the new_csr.pem and privkey.pem files. To access the private key, the "pass phrase" password given during generation must be used. If the password is forgotten, the certificate becomes unusable.

  • Existing private key (renewal)

If there is an existing, previously generated private key (it must be at least a 1024-bit RSA key) in the old_key.pem file, then the following command creates the CSR:

   openssl req -new -key ./old_key.pem -config ./niif_ca_user_openssl.cnf -out new_csr.pem
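The two CSR cases above, as an added example that is not NIIF's own script: a constructed minimal stand-in for niif_ca_user_openssl.cnf (the real file is downloaded from the NIIF CA site and is not reproduced here), the new-key and existing-key openssl invocations, and a pre-flight check that the request verifies, still carries C=HU and O=NIIF CA, and that the private key file is pass-phrase protected. It uses a 2048-bit key, which satisfies the 1024-bit minimum stated above; the example subject values are constructed.

```shell
# Constructed stand-in for niif_ca_user_openssl.cnf (the real file is not
# reproduced here): the fixed fields C=HU and O=NIIF CA plus the two OU
# fields the guide tells you to edit.  prompt = no makes the run
# non-interactive so the result can be checked from a script.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no

[ req_dn ]
C                        = HU
O                        = NIIF CA
0.organizationalUnitName = GRID
1.organizationalUnitName = NIIF
commonName               = Example User
EOF
}

# New key + CSR (the guide's first case).  The pass phrase is passed in
# instead of typed at the prompt; 2048 bits meets the "at least 1024" rule.
make_csr() {
  dir="$1"; pass="$2"
  write_cnf "$dir/niif_ca_user_openssl.cnf"
  openssl req -newkey rsa:2048 -config "$dir/niif_ca_user_openssl.cnf" \
    -keyout "$dir/privkey.pem" -out "$dir/new_csr.pem" \
    -passout "pass:$pass" </dev/null >/dev/null 2>&1
}

# Renewal with an existing, pass-phrase protected key (the guide's second case).
renew_csr() {
  dir="$1"; pass="$2"
  openssl req -new -key "$dir/privkey.pem" -passin "pass:$pass" \
    -config "$dir/niif_ca_user_openssl.cnf" -out "$dir/renew_csr.pem" \
    </dev/null >/dev/null 2>&1
}

# Pre-flight before pasting into the PKCS#10 field: the self-signature
# verifies, the fixed subject fields survived, the key on disk is encrypted.
check_csr() {
  csr="$1"; key="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  subj=$(openssl req -in "$csr" -noout -subject)
  case "$subj" in *"C = HU"*|*"/C=HU"*) ;; *) return 1 ;; esac
  case "$subj" in *"O = NIIF CA"*|*"/O=NIIF CA"*) ;; *) return 1 ;; esac
  grep -q ENCRYPTED "$key"
}
```

On a real workstation, let openssl prompt for the pass phrase rather than passing it as an argument, where it is visible in the process list and shell history.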


Personal Authentication

After the successful registration on the website, please visit the NIIF CA Registration Office personally with the copy of the pre-registration datasheet, the Request password and an ID document (ID card, passport).

Address:

NIIF Iroda
(RA Administrator)
Victor Hugo Str. 18-22.
H-1132 Budapest, HUNGARY
email: ca (at) niif (dot) hu
RA opening hours: Monday, 14:00 - 16:30 (CET)

During the authentication, the staff of the Registration Office verify the data of the certificate and of the user, and after successful identification they take the next steps to create the certificate (there is no need to wait for it).


Downloading the certificate

After the valid certificate has been issued, an email is sent to the email address given during the request; clicking the URL in the email downloads the certificate. The saved certificate does not contain the private key.

If the certificate is installed into the browser, it is advisable to export it together with the private key in PKCS#12 format, so that there is a combined backup of the private key and the certificate. Handle this backup carefully! If the private key is lost or falls into unauthorized hands, immediately request revocation of the certificate at the registration interface ("Tanúsítvány visszavonása", certificate revocation) or at the Registration Office, and inform the people concerned!

Access with GSI-SSH

A user can access the supercomputers using the GSI-SSH protocol.

It requires a machine with a Globus installation that provides the gsissh client.

The required credentials (a proxy created from the private and public keys) must be created before logging in to the machine, with the

   grid-proxy-init

or

   arcproxy

commands.

By default, the proxies are valid for 12 hours. It is possible to modify this default value with the following commands:

   arcproxy -c validityPeriod=86400

or

   grid-proxy-init -hours 24

Both of the previous commands set the validity of the proxies to 24 hours. With arcproxy, the validity period must be given in seconds.


To enter the site, the

   gsissh -p 2222 login.budapest.hpc.niif.hu

command has to be used.


GridFTP file transfer

In order to use GridFTP for file transfer, one needs a GridFTP client program that provides the interface between the user and a remote GridFTP server. There are several clients available for GridFTP, one of which is globus-url-copy, a command line tool which can transfer files using the GridFTP protocol as well as other protocols such as http and ftp. globus-url-copy is distributed with the Globus Toolkit and usually available on machines that have the Globus Toolkit installed.


Syntax

   globus-url-copy [options] sourceURL destinationURL

  • [options] The optional command line switches, described later.
  • sourceURL The URL of the file(s) to be copied. If it is a directory, it must end with a slash (/), and all files within that directory will be copied.
  • destinationURL The URL to which to copy the file(s). To copy several files to one destination URL, destinationURL must be a directory and be terminated with a slash (/).


Globus-url-copy supports multiple protocols, so the format of the source and destination URLs can be either

   file://path 


when you refer to a local file or directory or

   protocol://host[:port]/path


when you refer to a remote file or directory.

globus-url-copy also supports other protocols such as http, https, ftp and gsiftp.


  • Example:

   globus-url-copy file://task/myfile.c gsiftp://login.budapest.hpc.hu/home/task/myfile.c 

This command uploads the myfile.c file from the local task folder to the remote machine's /home/task folder.
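An added pre-flight check (not part of the Globus Toolkit or of this guide) that applies the URL forms and the trailing-slash rule described above to a source/destination pair before globus-url-copy is run; the host name is the one from the example above and nothing is transferred.

```shell
# Accept file://path or protocol://host[:port]/path for the schemes the
# guide lists.  Returns 0 for an acceptable URL, 1 otherwise.
gurl_valid() {
  case "$1" in
    file://?*) return 0 ;;
    http://*|https://*|ftp://*|gsiftp://*)
      rest=${1#*://}                   # host[:port]/path
      host=${rest%%/*}                 # everything before the first slash
      [ -n "$host" ] || return 1       # a remote URL needs a host
      case "$rest" in */*) return 0 ;; *) return 1 ;; esac ;;  # and a path
    *) return 1 ;;
  esac
}

# A directory source (trailing slash) copies every file in it, so the
# destination must be a directory too; a single file may go to either.
gurl_pair_ok() {
  gurl_valid "$1" && gurl_valid "$2" || return 1
  case "$1" in
    */) case "$2" in */) return 0 ;; *) return 1 ;; esac ;;
    *)  return 0 ;;
  esac
}
```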


Command line options for globus-url-copy [options]

  • -help Prints usage information for the globus-url-copy program.
  • -version Prints the version of the globus-url-copy program.
  • -vb During the transfer, displays: (1) number of bytes transferred (2) performance since the last update (every 5 seconds) (3) average performance for the whole transfer


The following table lists parameters which you can set to optimize the performance of your data transfer:

  • -tcp-bs <size> Specifies the size (in bytes) of the TCP buffer to be used by the underlying GridFTP data channels.
  • -p <number of parallel streams> Specifies the number of parallel streams to be used in the GridFTP transfer.
  • -stripe Use this parameter to initiate a “striped” GridFTP transfer that uses more than one node at the source and destination. As multiple nodes contribute to the transfer, each using its own network interface, a larger amount of the network bandwidth can be consumed than with a single system. Thus, at least for “big” (> 100 MB) files, striping can considerably improve performance.