How to get a grid certificate

Below are instructions to obtain a grid certificate and install it at the BNL Tier 1 center through an application process performed in your web browser. It does not work on all browsers (by any means). If you use Internet Explorer or possibly Firefox you're probably alright. If you are using Safari, Camino, Opera, OmniWeb, ... you're probably not alright.

An alternative procedure -- and this is recommended -- is to follow these instructions to get a certificate via a simpler Linux command line process rather than browser gymnastics. Then come back here and follow the instructions for setting up your environment and joining the ATLAS VO.

Requesting a grid certificate

Go to the DOE web site and request a certificate. Fill in the form, including a password that you will use later and a name of a contact person - preferably your supervisor at your institute. For affiliation, select PPDG. In the comments section, please say that you are an ATLAS member and you will be using this certificate for ATLAS related activities.

Once you hit submit, you will get an identification number. Note this number down. There is unfortunately no other e-mail confirmation. This is the number you can use to track the status of your request, should you not get the certificate. Normally, you must get a response from doegrids.org within two days. If you do not get a response, send an e-mail message with the identification number to osg-ra@opensciencegrid.org .

Installing the certificate at BNL

The e-mail message you receive will clearly tell you how to install the certificate.

  • Get your certificate by clicking on the link in your e-mail. The certificate is displayed on a web browser. Scroll down to the bottom of this page and click on Import.

  • Export this certificate - this will create a file with extension .pfx or .p12. The e-mail message you receive from doegrids.org will tell you how to export the file - we have repeated some of those instructions below to make it easier. BNL also provides you a script to install your certificate instead of following the line by line instructions provided by doegrids.org.

  • Exporting a certificate will depend on the web browser you use:
    • Netscape: Click on Edit --> Preferences --> Privacy & Security --> Certificates and click on Manage Certificates. Select your certificate and click the "Backup" key at the bottom. Enter a name for this certificate file (no extension, an extension of .pfx or .p12 is automatically assigned).
    • Internet Explorer ....

  • The above procedure will create a file (your certificate) xxx.pfx or xxx.p12 where xxx is the name of the file you gave. Copy this file over to the machine you are working on. In case of BNL, that will be the acas nodes.

  • You are now ready to install it. There are two ways to do this:
    • Create a directory $HOME/.globus and then follow the directions by doegrid.org found here. There are two steps: installing the certificate and getting an encripted private key. For the former, it will prompt you for your password (which you specified while requesting for a certificate). For the latter, it will ask you [as an input] for a PEM pass phrase. Enter a phrase that you can remember.
    • Simply execute the following script at BNL /afs/usatlas.bnl.gov/acfstaff/grid/bin/install_certificate.sh xxx.p12 where xxx.12 (or xxx.pfx) is the name of the certificate file you save in the earlier step.

Setting up the environment

You will likely use this certificate to copy data files or to submit jobs over the grid. At Tier 1, we recommend that you source the following script in your login file. This will setup all the grid environment variables necessary for you to use the certificate.

source /afs/usatlas.bnl.gov/lcg/lcg-2.7.0/etc/profile.d/grid_env.[c]sh

After sourcing the file, you can verify your certificate installation using the command:


This should return with a message like:

Your identity: /DC=org/DC=doegrids/OU=People/CN=John Smith 123456 Enter GRID pass phrase for this identity:
Creating proxy ...............................................Done
Your proxy is valid until: Fri Apr 14 23:43:09

Joining the ATLAS VO.

You now have your certificate. If you need access to European sites like CERN - which you do - you will need to join the ATLAS Virtual Organization (VO). To join it, see here for current instructions. If you obtained your grid certificate using the script approach, you'll need to load your certificate into your browser at this point -- see the instructions on the CertificateScripts page. As the representative specify John Hover (John jhover@bnl.gov is at the BNL Tier 1).

Special Sites

You are now allowed access to LCG, GRID and OSG sites in general. However, because of individual security rules, some sites may present additional registration requirements. To check on additional requirements imposed by some sites, look here.

What can you do with your new grid certificate?

-- TorreWenaus - Aug 2006

-- SriniRajagopalan - 14 Apr 2006

