Support for X.509 for KAGRA and LIGO.ORG identities is ending
Generating and using X.509 certificates associated with KAGRA and LIGO.ORG identities is being dropped.
Please see https://git.ligo.org/groups/computing/-/epics/25 and the associated issues for details.
All X.509 workflows should attempt to migrate to using SciTokens.
X.509 Authentication
The IGWN collaborations rely heavily on a technology standard called X.509 to authenticate users and authorise access to data and services.
In a typical workflow, users authenticate using their institutional or collaboration identity to create an X.509 credential that is valid for a short amount of time (normally a few days). This credential can then be leveraged to gain access to various computing centres and services.
Installing the X.509 tools
Installing CIECPLib
X.509 credentials for LIGO.ORG and KAGRA can be generated using ciecplib.
ciecplib can be installed using your preferred package manager on a number of systems:
conda install --channel conda-forge ciecplib
Debian packages are available from the IGWN Debian Repositories:
apt-get install ciecp-utils
python -m pip install ciecplib
Installing ligo-proxy-init
ligo-proxy-init is the tool traditionally used by LIGO members to generate X.509 certificates and proxies.
ligo-proxy-init is just a wrapper around ecp-get-cert
As of ligo-proxy-utils-2.0.0, ligo-proxy-init is just a wrapper around ecp-get-cert; users should switch to using ecp-get-cert directly.
ligo-proxy-init is provided by the ligo-proxy-utils package, which can be installed as follows using your preferred package manager on a number of systems:
conda install --channel conda-forge ligo-proxy-utils
Debian packages are available from the IGWN Debian Repositories:
apt-get install ligo-proxy-utils
python -m pip install ligo-proxy-utils
Installing the VOMS client
The VOMS user tools can be installed using your preferred package manager on a number of systems:
conda install --channel conda-forge voms
Debian packages are available from the IGWN Debian Repositories:
apt-get install voms-clients
RPM packages are available from EPEL:
yum install voms-clients
How to generate a credential
X.509 for KAGRA
KAGRA identity holders can create X.509 credentials when they are required using ecp-get-cert (provided by ciecplib):
ecp-get-cert --identity-provider KAGRA --username albert.einstein --verbose
Notes:
- You can also set the ECP_IDP environment variable to your default --identity-provider so that you don't have to enter it every time.
  export ECP_IDP="KAGRA"
  setenv ECP_IDP KAGRA
  $Env:ECP_IDP = "KAGRA"
- The --reuse option can be passed to avoid unnecessarily generating a new credential if an existing one can be used, and is valid for more than the given number of hours.
X.509 for LIGO.ORG
LIGO.ORG identity holders can create X.509 credentials when they are required using ecp-get-cert (provided by ciecplib):
ecp-get-cert --identity-provider LIGO --username albert.einstein --verbose
Notes:
- You can also set the ECP_IDP environment variable to your default --identity-provider so that you don't have to enter it every time.
  export ECP_IDP="LIGO"
  setenv ECP_IDP LIGO
  $Env:ECP_IDP = "LIGO"
- The --reuse option can be passed to avoid unnecessarily generating a new credential if an existing one can be used, and is valid for more than the given number of hours.
- The --kerberos option can be used to use an existing Kerberos ticket for authentication when generating a new X.509 credential.
X.509 for Virgo
Virgo uses a user grid certificate system powered by the Virtual Organisation Management Service (VOMS).
Users must obtain a grid certificate which they store on one or more machines, and then generate 'VOMS proxy' credentials for use in workflows.
Getting a GRID certificate
Please get in touch with your Home Institution in order to obtain a GRID-enabled X.509 certificate. Once the certificate is obtained, install it on the machine(s) you intend to use to connect to the IGWN resources, following the instructions provided by your home institution.
The certificate may come in many different formats. In the end it should be converted to an X.509 certificate and then split, extracting the private key and your own public certificate. These two files should be placed in ~/.globus and are userkey.pem and usercert.pem. To get certificate-format-specific instructions to extract these two certificate components please refer to your Home Institution instructions.
The same ~/.globus folder with the two contained files should be present on any machine from which you expect to be able to create new proxy certificates (e.g. your laptop, a workstation, and your home directory on any remote submission machine of IGWN).
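A check for the ~/.globus layout described above, added here as an example (it is not code from the IGWN documentation, ciecplib or the VOMS tools). The policy it applies, a passphrase-protected key accessible only to its owner, is an assumption, and make_sample is a hypothetical helper that builds constructed placeholder files so the check can be tried offline.

```python
import re
import stat
import tempfile
from pathlib import Path

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def audit_globus_dir(globus_dir):
    """Return a list of findings for a ~/.globus style directory (empty means OK)."""
    d = Path(globus_dir)
    cert, key = d / "usercert.pem", d / "userkey.pem"
    findings = [f"{p.name}: missing" for p in (cert, key) if not p.is_file()]
    if findings:
        return findings
    cert_labels = PEM_LABEL.findall(cert.read_text(errors="replace"))
    key_text = key.read_text(errors="replace")
    key_labels = PEM_LABEL.findall(key_text)
    if "CERTIFICATE" not in cert_labels:
        findings.append("usercert.pem: no CERTIFICATE block")
    # A bundle that was converted to PEM but never split leaves the key here.
    if any(l.endswith("PRIVATE KEY") for l in cert_labels):
        findings.append("usercert.pem: still contains the private key")
    # Assumed policy (not stated on the page): the key is passphrase-protected
    # and accessible to its owner only.
    if not any(l.endswith("PRIVATE KEY") for l in key_labels):
        findings.append("userkey.pem: no PRIVATE KEY block")
    elif ("ENCRYPTED PRIVATE KEY" not in key_labels
          and "Proc-Type: 4,ENCRYPTED" not in key_text):
        findings.append("userkey.pem: key is not passphrase-protected")
    if stat.S_IMODE(key.stat().st_mode) & 0o077:
        findings.append("userkey.pem: accessible by group/other")
    return findings

def make_sample(key_mode=0o600, split=True, encrypted=True):
    """Build a constructed ~/.globus stand-in; the PEM bodies are placeholders."""
    d = Path(tempfile.mkdtemp())
    label = "ENCRYPTED PRIVATE KEY" if encrypted else "PRIVATE KEY"
    key_pem = f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
    cert_pem = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    (d / "usercert.pem").write_text(cert_pem if split else cert_pem + key_pem)
    (d / "userkey.pem").write_text(key_pem)
    (d / "userkey.pem").chmod(key_mode)
    return d

if __name__ == "__main__":
    for kwargs in ({}, {"key_mode": 0o644}, {"split": False}, {"encrypted": False}):
        print(kwargs, audit_globus_dir(make_sample(**kwargs)))
```

Run audit_globus_dir on the real ~/.globus path of each machine that holds a copy of the certificate, since every copy of userkey.pem needs the same protection.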
Virgo VOMS
Once you have a valid certificate, you are allowed to complete the procedure for the registration of your certificate in the Virgo VOMS by connecting to this page.
When opening this page a web browser prompt should ask you to provide a certificate to connect to the website. Select your X.509 certificate from the suggestions or manually select it if needed.
Once connected to the page you can apply for VOMS memberships using the provided button. Apply for the following memberships by selecting them from the dropdown menu:
/virgo
/virgo/virgo
You'll be notified by email upon membership approval.
Generating a VOMS proxy
With a valid certificate, and VOMS group membership, a VOMS proxy can be generated by running voms-proxy-init (provided by voms):
voms-proxy-init
LIGO.ORG for Virgo members
All Virgo members are automatically assigned a LIGO.ORG identity in addition to any Virgo VOMS credentials they may create. These LIGO.ORG identities can be used in all of the same places as LIGO.ORG identities assigned to LIGO members.
See X.509 for LIGO.ORG for details on using a LIGO.ORG credential.