Small guide to Certificates, VO and such

Grid Certificates

Your certificate identifies you to all the GRID services: it is your credential. What you actually get is a pair of things: a certificate and a private key.

  • The certificate is a file that establishes your identity: who you are. The GRID tools send it around when you submit a job, copy a file from one location to another... yes, the certificate will travel the world. Its main component is the subject DN (the Distinguished Name of the subject, that is, of you), which is the name you will have on the GRID.
  • The private key is the proof that you are the owner of the certificate. Therefore you have to make sure it stays private, or other people will be able to prove they are you! In fact, the private key is typically protected with a password, which will essentially be your GRID password.
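Keeping the key private also means keeping the key file readable by nobody but you: Globus-based grid tools refuse to load a userkey.pem that is group- or world-readable. The following is an added example (not part of this guide) that reproduces that check in Python with only the standard library; the file names and contents are constructed in a temporary directory and are not real keys.

```python
import os
import stat
import tempfile

def key_file_is_private(path: str) -> bool:
    """True if path is a regular file with no group/other permission bits set.

    This mirrors the permission check grid tools apply to the private key
    before using it: the file must be readable by its owner only.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def make_private(path: str) -> None:
    """Remediation: strip group/other bits, leaving owner read/write only."""
    os.chmod(path, 0o600)

def demo() -> dict:
    """Create three placeholder key files with different modes and check them.

    Returns a dict keyed by the octal mode (plus 'missing' and 'repaired'),
    so the outcome can be inspected or tested.
    """
    results = {}
    placeholder = (
        "-----BEGIN PRIVATE KEY-----\n"
        "(constructed placeholder, not a real key)\n"
        "-----END PRIVATE KEY-----\n"
    )
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o600, 0o400, 0o644):
            p = os.path.join(d, "userkey_%s.pem" % oct(mode)[2:])
            with open(p, "w") as f:
                f.write(placeholder)
            os.chmod(p, mode)          # set the mode explicitly, ignoring umask
            results[oct(mode)] = key_file_is_private(p)
        # A key that does not exist is never "private": report it as unsafe too.
        results["missing"] = key_file_is_private(os.path.join(d, "nope.pem"))
        # Fix the world-readable one and re-check.
        bad = os.path.join(d, "userkey_644.pem")
        make_private(bad)
        results["repaired"] = key_file_is_private(bad)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "private" if v else "NOT private")
```

The check rejects anything with group or other bits set, so 0600 and 0400 pass while 0644 fails until `make_private` is applied; the same logic can be pointed at `~/.globus/userkey.pem` before creating a proxy.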

Virtual Organizations (VOs)

LHC experiments (e.g. CMS, LHCb, or ATLAS for our typical reader) are all "Virtual Organizations": groups of people who sit at different physical locations all over the world to achieve a common goal, e.g. finding the QGP (or the Higgs) first! Essentially, a VO is a set of GRID identities, organized in groups, with roles assigned to individuals.

Before you can start using GRID resources, you have to join one of these organizations, as they hold the agreements with the different universities, institutes, and national labs for the use of their computing resources. You will send a request, which will be approved by a representative of your experiment (you can only join the VO of the experiment you are part of). Your DN will be added to the VO's list of DNs, and all the sites, all around the world, will know: you are part of your Virtual Organization!

Grid Software

As we said, the GRID tools use your certificate to establish your identity when you make a request. How can they do that if you don't give them the certificate? So you need to make it available to them.

You will also typically start your day by creating a proxy certificate. A proxy certificate is like a token for AFS or Kerberos: you authenticate by typing your GRID password (the private key password), and this creates a "proxy" (a "pre-authenticated certificate" with a limited lifespan), so you won't have to type the GRID password for every operation.

In a perfect GRID, you would be automatically added to the list of authorized people because you are in your VO. If it didn't work, you are not in a perfect GRID and you might have to:

  • wait some time: sites do not download the list of members from the VO server every 10 seconds. Give it a day, and the server will let you in.
  • join a specific group inside the VO: some resources are only accessible to members of a particular group.
  • go through a site-specific procedure: there is still no complete agreement on how all sites should grant access, so a particular site might require you to go through another (painful) procedure. At BNL you just need to be part of the VO. This is also true for Grid3 sites. We are working so that all the other sites will work in the same way.
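To make the access model concrete, here is an added example (not code from this guide or from any grid middleware) that simulates, in plain Python, what a site does when a job arrives: reject an expired proxy, look the DN up in the site's local copy of the VO member list (refreshed once a day, not per request), and enforce a required group. All DNs, VO names, groups and times are constructed for the example; the `Proxy` and `SiteMembershipCache` classes are simplifications, not real grid data structures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Proxy:
    """What a site sees when a request arrives: the DN copied from the user's
    certificate, the proxy's expiry, its VO and the VO groups it asserts."""
    subject_dn: str
    not_after: datetime
    vo: str
    groups: frozenset

@dataclass
class SiteMembershipCache:
    """A site's local copy of the VO membership list (DN -> set of groups).
    It is refreshed on a schedule (here once a day), not on every request."""
    vo: str
    members: dict
    refreshed_at: datetime
    refresh_interval: timedelta = timedelta(days=1)

    def refresh(self, vo_server_members: dict, now: datetime) -> None:
        """Pull a fresh copy from the VO server if the interval has elapsed."""
        if now - self.refreshed_at >= self.refresh_interval:
            self.members = {dn: set(g) for dn, g in vo_server_members.items()}
            self.refreshed_at = now

def authorize(proxy: Proxy, cache: SiteMembershipCache, required_group, now: datetime):
    """Return (allowed, reason). The proxy lifetime is checked first, so an
    expired credential never reaches the membership lookup."""
    if now >= proxy.not_after:
        return False, "proxy expired"
    if proxy.vo != cache.vo:
        return False, "site does not support VO %s" % proxy.vo
    groups = cache.members.get(proxy.subject_dn)
    if groups is None:
        return False, "DN not in site's copy of the VO member list (wait for the next refresh)"
    if not proxy.groups <= groups:
        return False, "proxy asserts groups the VO does not grant this DN"
    if required_group is not None and required_group not in groups:
        return False, "membership in group %s required" % required_group
    return True, "ok"

def demo() -> dict:
    """Run the scenarios from the guide against constructed data."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)   # site refreshed at 08:00
    alice_dn = "/DC=org/DC=example/CN=Alice"               # constructed DN
    bob_dn = "/DC=org/DC=example/CN=Bob"                   # constructed DN
    vo_server = {alice_dn: {"/cms"}}                       # VO server's list at 08:00
    cache = SiteMembershipCache("cms", {dn: set(g) for dn, g in vo_server.items()}, t0)

    alice = Proxy(alice_dn, t0 + timedelta(hours=12), "cms", frozenset({"/cms"}))
    results = {
        "alice_now": authorize(alice, cache, None, t0 + timedelta(hours=1)),
        "alice_expired": authorize(alice, cache, None, t0 + timedelta(hours=13)),
        "alice_needs_group": authorize(alice, cache, "/cms/prod", t0 + timedelta(hours=1)),
    }
    # Bob is added to the VO at 09:00, after the site's 08:00 refresh.
    vo_server[bob_dn] = {"/cms"}
    bob = Proxy(bob_dn, t0 + timedelta(hours=12), "cms", frozenset({"/cms"}))
    results["bob_same_day"] = authorize(bob, cache, None, t0 + timedelta(hours=2))
    # Next day the site refreshes its copy and Bob creates a new proxy.
    cache.refresh(vo_server, t0 + timedelta(days=1))
    bob_next = Proxy(bob_dn, t0 + timedelta(days=1, hours=12), "cms", frozenset({"/cms"}))
    results["bob_next_day"] = authorize(bob_next, cache, None, t0 + timedelta(days=1, hours=1))
    return results

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-18s %s (%s)" % (name, "ALLOW" if ok else "DENY", why))
```

The `bob_same_day` case is the "wait some time" bullet: Bob is a VO member, but the site's copy of the list predates his membership, so he is denied until the next refresh; `alice_needs_group` is the "specific group" bullet, and `alice_expired` shows why a proxy's limited lifespan bounds the damage if it is ever copied off your machine.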

