
X.509 Authentication

The IGWN collaborations rely heavily on a technology standard called X.509 to authenticate users and authorise access to data and services.

In a typical workflow, users authenticate using their institutional or collaboration identity to create an X.509 credential that is valid for a short amount of time (normally a few days). This credential can then be leveraged to gain access to various computing centres and services.

Installing the X.509 tools

Installing CIECPLib

X.509 credentials for LIGO.ORG and KAGRA can be generated using ciecplib.

ciecplib can be installed using your preferred package manager on a number of systems:

conda install --channel conda-forge ciecplib

Debian packages are available from the IGWN Debian Repositories:

apt-get install ciecp-utils

Using pip:

python -m pip install ciecplib

RPM packages are available from the IGWN Yum Repositories (SL7, RL8):

yum install ciecp-utils

Installing ligo-proxy-init

ligo-proxy-init is the tool traditionally used by LIGO members to generate X.509 certificates and proxies.

ligo-proxy-init is just a wrapper around ecp-get-cert

As of ligo-proxy-utils-2.0.0, ligo-proxy-init is just a wrapper around ecp-get-cert; users should switch to using ecp-get-cert directly.

ligo-proxy-init is provided by the ligo-proxy-utils package, which can be installed as follows using your preferred package manager on a number of systems:

conda install --channel conda-forge ligo-proxy-utils

Debian packages are available from the IGWN Debian Repositories:

apt-get install ligo-proxy-utils

Using pip:

python -m pip install ligo-proxy-utils

RPM packages are available from the IGWN Yum Repositories (SL7, RL8):

yum install ligo-proxy-utils

Installing the VOMS client

The VOMS user tools can be installed using your preferred package manager on a number of systems:

conda install --channel conda-forge voms

Debian packages are available from the IGWN Debian Repositories:

apt-get install voms-clients

RPM packages are available from EPEL:

yum install voms-clients

How to generate a credential

X.509 for KAGRA

KAGRA identity holders can create X.509 credentials when they are required using ecp-get-cert (provided by ciecplib):

ecp-get-cert --identity-provider KAGRA --username albert.einstein --verbose

Notes:

  • You can also set the ECP_IDP environment variable to your default --identity-provider so that you don't have to enter it every time.

    Bash:

    export ECP_IDP="KAGRA"

    Csh/tcsh:

    setenv ECP_IDP KAGRA

    PowerShell:

    $Env:ECP_IDP = "KAGRA"

  • The --reuse option can be passed to avoid unnecessarily generating a new credential when an existing one can be used and is valid for more than the given number of hours.

X.509 for LIGO.ORG

LIGO.ORG identity holders can create X.509 credentials when they are required using ecp-get-cert (provided by ciecplib):

ecp-get-cert --identity-provider LIGO --username albert.einstein --verbose

Notes:

  • You can also set the ECP_IDP environment variable to your default --identity-provider so that you don't have to enter it every time.

    Bash:

    export ECP_IDP="LIGO"

    Csh/tcsh:

    setenv ECP_IDP LIGO

    PowerShell:

    $Env:ECP_IDP = "LIGO"

  • The --reuse option can be passed to avoid unnecessarily generating a new credential when an existing one can be used and is valid for more than the given number of hours.

  • The --kerberos option can be passed to authenticate with an existing Kerberos ticket when generating a new X.509 credential.

X.509 for Virgo

Virgo uses a user grid certificate system powered by the Virtual Organisation Management Service (VOMS).

Users must obtain a grid certificate which they store on one or more machines, and then generate 'VOMS proxy' credentials for use in workflows.

Getting a GRID certificate

Please get in touch with your Home Institution in order to obtain a GRID-enabled X.509 certificate. Once the certificate is obtained, install it on the machine(s) you intend to use to connect to the IGWN resources, following the instructions provided by your home institution.

The certificate may come in many different formats. In the end it should be converted to an X.509 certificate and then split into two files: your private key (userkey.pem) and your own public certificate (usercert.pem). Both files should be placed in ~/.globus. For instructions specific to your certificate format on extracting these two components, please refer to your Home Institution's instructions.

The same ~/.globus folder with the two contained files should be present on any machine from which you expect to be able to create new proxy certificates (e.g. your laptop, a workstation, and your home directory on any remote submission machine of IGWN).
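
A quick way to confirm that the split described above produced a usable ~/.globus directory. This is an added example, not part of the original guide or of any IGWN tool; the function names are hypothetical, and it assumes the usual grid-tool requirement that userkey.pem is readable only by its owner (mode 0400 or 0600).

```shell
#!/bin/sh
# Added example: sanity-check ~/.globus after splitting a grid certificate.
# Usage: check_globus_dir [DIR]    (DIR defaults to ~/.globus)
# Prints one line per problem; the return status is the number of problems.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_globus_dir() {
    dir=${1:-"$HOME/.globus"}
    key="$dir/userkey.pem"
    cert="$dir/usercert.pem"
    problems=0

    for f in "$key" "$cert"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] || return "$problems"

    # Assumption: the private key must be accessible to its owner only.
    case "$(mode_of "$key")" in
        400|600) ;;
        *) echo "userkey.pem is mode $(mode_of "$key"); run: chmod 600 $key"
           problems=$((problems + 1)) ;;
    esac

    # After the split, each file must hold only its own kind of PEM block.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "userkey.pem contains no PEM private key"
        problems=$((problems + 1))
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "usercert.pem contains no PEM certificate"
        problems=$((problems + 1))
    fi
    if grep -q -e 'PRIVATE KEY-----' "$cert"; then
        echo "usercert.pem also contains a private key; split the file"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it on every machine that holds a copy of the directory, since a copy made with scp or a file manager can silently widen the key's permissions.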

Virgo VOMS

Once you have a valid certificate, you can complete the registration of your certificate in the Virgo VOMS by connecting to this page.

When you open this page, your web browser should prompt you to provide a certificate to connect to the website. Select your X.509 certificate from the suggestions, or select it manually if needed.

Once connected to the page you can apply for VOMS memberships using the provided button. Apply for the following memberships by selecting them from the dropdown menu:

  • /virgo
  • /virgo/virgo

You'll be notified by email upon membership approval.

Generating a VOMS proxy

With a valid certificate, and VOMS group membership, a VOMS proxy can be generated by running ecp-get-cert (provided by ciecplib):

ecp-get-cert --identity-provider LIGO --username albert.einstein --verbose