
Using your identity to access computing services

Kerberos credentials

A number of IGWN collaboration services can be accessed using a Kerberos credential, generated using the kinit command-line tool.

These tickets can also be used to generate X.509 credentials without having to re-authenticate.

X.509 credentials

The IGWN collaborations rely heavily on a technology standard called X.509 to authenticate users and authorise access to data and services.

In a typical workflow, users authenticate using their institutional or collaboration identity to create an X.509 credential that is valid for a short amount of time (normally a few days). This credential can then be leveraged to gain access to various computing centres and services.

See below for details on creating an X.509 credential based on the type of identity you have.

KAGRA

KAGRA members are currently unable to acquire X.509 credentials that can be used to gain access to IGWN services. However, this will hopefully change in the near future, and the workflow will be very similar to that for LIGO.

LIGO (LIGO.ORG)

Kerberos for LIGO.ORG

LIGO.ORG identity holders can generate Kerberos credentials using the kinit command-line tool, available from the MIT Kerberos (krb5) distribution.

Creating a new Kerberos credential

To generate a new LIGO.ORG Kerberos credential (ticket) using kinit:

kinit albert.einstein@LIGO.ORG

Password-less authentication using a Kerberos keytab

A keytab file stores the long-term key derived from your password, so that fresh Kerberos tickets can be obtained from it (for example by a cron job or before an unattended job submission) without re-entering the password each time.

To generate a keytab file:

$ ktutil
ktutil:  addent -password -p albert.einstein@LIGO.ORG -k 1 -e des3-cbc-sha1
Password for albert.einstein@LIGO.ORG:
ktutil:  wkt ligo.org.keytab
ktutil:  quit

This writes the ligo.org.keytab file in the current directory; you may then move it wherever you like, preferably into a directory readable only by you. The -e option fixes the encryption type of the stored key and must be one that the LIGO.ORG KDC supports for your principal; note that des3-cbc-sha1 is deprecated (RFC 8429) and no longer enabled by default in recent MIT krb5 releases, so prefer an AES type such as aes256-cts-hmac-sha1-96 if the KDC offers it.

The path of the keytab is usually exported in the KRB5_KTNAME environment variable, which is the default keytab the MIT Kerberos tools use when no keytab is named explicitly, e.g.:

export KRB5_KTNAME=${HOME}/.kerberos/ligo.org.keytab

Check permissions on Kerberos keytab

A Kerberos keytab can be used by anybody who can read it to obtain tickets as you, for as long as your password remains unchanged: treat it exactly like the password itself. It is extremely important that you verify that the permissions on your keytab file (ligo.org.keytab in the above example) allow read/write only for you, the owner:

chmod 600 ligo.org.keytab

ktutil not available on Windows

The ktutil utility required to generate keytabs is not available from MIT Kerberos on Windows.

X.509 for LIGO.ORG

LIGO.ORG identity holders can create X.509 credentials when they are required using one of the following tools:

  • ecp-get-cert, from the ciecplib Python Package
  • ligo-proxy-init, from the LDG Client package

Creating a new X.509 credential

To generate a new LIGO.ORG X.509 credential using ecp-get-cert:

ecp-get-cert --identity-provider LIGO --username albert.einstein --verbose

Notes:

  • you can also set the ECP_IDP environment variable to your default --identity-provider so that you don't have to enter it every time.
  • the --reuse option skips generating a new credential when an existing one is still valid for more than the given number of hours.
  • the --kerberos option uses an existing Kerberos ticket for authentication when generating a new X.509 credential, so no password prompt is needed.

ecp-get-cert can be used to generate a credential for any identity provider that supports ECP and is registered with CILogon. For a list of providers, see https://cilogon.org/include/ecpidps.txt.

To generate a new LIGO.ORG X.509 credential using ligo-proxy-init:

ligo-proxy-init albert.einstein

Notes:

  • the --kerberos option uses an existing Kerberos ticket for authentication when generating a new X.509 credential.
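The page shows how to write a keytab but not how to obtain a ticket from it, and it describes --kerberos and --reuse without putting them together. The script below, an added example that is not part of the IGWN documentation, MIT krb5 or ciecplib, chains the two LIGO.ORG steps for unattended use: it refuses a keytab that other users can read, obtains a Kerberos ticket from the keytab only when the cache holds no valid one, then obtains or reuses an X.509 credential with ecp-get-cert --kerberos. It assumes MIT krb5 (kinit, klist), ciecplib (ecp-get-cert) and openssl are installed, and that ecp-get-cert stores the credential at the usual proxy location (X509_USER_PROXY if set, otherwise /tmp/x509up_u<uid>); the script and function names are arbitrary.

```sh
#!/bin/sh
# ligo-refresh-creds.sh (added example, not from the IGWN docs, MIT krb5 or ciecplib):
#   1. refuse to use a keytab that other users could read,
#   2. obtain a Kerberos ticket from the keytab unless one is still valid,
#   3. obtain (or reuse) an X.509 credential with ecp-get-cert --kerberos.
# Assumes kinit/klist, ecp-get-cert and openssl are installed and that
# ecp-get-cert writes to X509_USER_PROXY or /tmp/x509up_u<uid> (assumed default).

# keytab_perms_ok FILE
# Succeeds only if FILE is a regular file owned by the caller with no group or
# other permission bits set, the same rule sshd applies to private keys.
keytab_perms_ok() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "keytab_perms_ok: $f is not a regular file" >&2
        return 1
    fi
    # find prints the path only if its owner is the current user (-prune: no descent)
    if [ -z "$(find "$f" -prune -user "$(id -un)" -print 2>/dev/null)" ]; then
        echo "keytab_perms_ok: $f is not owned by $(id -un)" >&2
        return 1
    fi
    # columns 5-10 of 'ls -l' output are the group and other permission bits
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "keytab_perms_ok: $f is accessible to others (bits '$bits'); fix with: chmod 600 $f" >&2
        return 1
    fi
    return 0
}

# ensure_tgt PRINCIPAL KEYTAB
# Obtain a ticket-granting ticket from KEYTAB unless the cache already holds a valid one.
ensure_tgt() {
    principal=$1
    keytab=$2
    keytab_perms_ok "$keytab" || return 1
    if klist -s 2>/dev/null; then           # -s: silent, exit 0 if a valid TGT is cached
        echo "ensure_tgt: valid ticket already cached" >&2
        return 0
    fi
    # -k: authenticate with a keytab instead of a password; -t: which keytab file
    kinit -k -t "$keytab" "$principal"
}

# ensure_x509 USERNAME MIN_HOURS
# Reuse the existing X.509 credential if it stays valid for more than MIN_HOURS,
# otherwise get a new one, authenticating with the cached Kerberos ticket.
ensure_x509() {
    username=$1
    min_hours=${2:-12}
    ecp-get-cert --identity-provider LIGO --username "$username" \
        --kerberos --reuse "$min_hours" || return 1
    proxy=${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}   # assumed default location
    openssl x509 -in "$proxy" -noout -subject -enddate
}

# Usage: ./ligo-refresh-creds.sh albert.einstein@LIGO.ORG ~/.kerberos/ligo.org.keytab [MIN_HOURS]
# Nothing runs when the script is sourced or invoked without arguments.
if [ $# -ge 2 ]; then
    ensure_tgt "$1" "$2" && ensure_x509 "${1%@*}" "${3:-12}"
fi
```

The permission check is deliberately stricter than the documentation's chmod 600 alone: a keytab that is owned by someone else, or that is a symlink into a directory you do not control, is refused even if its mode bits look right. Point a cron entry at this script a few hours before your jobs need credentials and the --reuse threshold keeps it from contacting the identity provider on every run.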

Virgo

Getting a grid certificate from your home institution

Please get in touch with your home institution in order to obtain a grid-enabled X.509 certificate. Once the certificate is obtained, install it on the machine(s) you intend to use to connect to the IGWN resources, following the instructions provided by your home institution.

The certificate may be delivered in several formats (most commonly a PKCS#12 bundle containing both certificate and private key). Whatever the format, it must end up as two PEM files in ~/.globus: usercert.pem, your public certificate, and userkey.pem, your private key. Keep the private key passphrase-protected and readable only by you (the grid tools refuse a key that is readable by group or others), while usercert.pem may be world-readable. For instructions specific to the format you received, refer to your home institution. The same ~/.globus folder with the two files should be present on any machine from which you expect to create new proxy certificates (e.g. your laptop, a workstation and your home directory on any remote submission machine of IGWN); copy it over an encrypted channel such as scp and never share the private key by e-mail.

Virgo VOMS

Once you have a valid certificate, you can register it in the Virgo VOMS (Virtual Organization Membership Service) by connecting to the Virgo VOMS registration page. The certificate must be installed in your web browser (usually by importing the PKCS#12 bundle); when you open the page the browser will ask which client certificate to present. Select your X.509 certificate from the suggestions, or pick it manually if needed.

Once connected to the page you can apply for VOMS memberships using the provided button. Apply for /virgo and /virgo/virgo memberships selecting them from the dropdown menu.

You'll be notified by email upon membership approval.

Install the VOMS client package

VOMS users will need to install the VOMS client software package in order to use their Virgo identity; search for voms* in your system's package manager (the package is typically named voms-clients, voms-clients-cpp or voms-clients-java).
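The Virgo steps above (split the institution's certificate into ~/.globus, keep the key private, then use the VOMS client) are shown end to end in the script below. It is an added example, not part of the IGWN documentation or of the VOMS project, and it assumes the home institution delivered the certificate as a PKCS#12 (.p12/.pfx) file, the usual browser and CA export format; other formats still need the institution's own instructions. It also checks two things the text only implies: that userkey.pem really is the key for usercert.pem (a stale key after a renewal is a common cause of proxy failures) and that the certificate is not about to expire. The script and function names are arbitrary; openssl is required, and voms-proxy-init/voms-proxy-info only for the final step.

```sh
#!/bin/sh
# virgo-grid-setup.sh (added example, not from the IGWN docs or the VOMS project):
# split a PKCS#12 bundle into ~/.globus/usercert.pem and ~/.globus/userkey.pem with
# the permissions grid tools expect, verify key and certificate belong together,
# warn when the certificate is about to expire, then create a Virgo VOMS proxy.

# split_grid_cert BUNDLE.p12 [OUTDIR] [PASSIN]
# PASSIN is an openssl password source (pass:..., env:VAR, file:/path); when it is
# omitted openssl prompts on the terminal. The export passphrase is reused to
# encrypt the extracted key; change it afterwards with 'openssl pkey' if desired.
split_grid_cert() {
    p12=$1
    out=${2:-$HOME/.globus}
    passin=${3:-}
    pin=""
    pout=""
    if [ -n "$passin" ]; then
        pin="-passin $passin"
        pout="-passout $passin"
    fi
    mkdir -p "$out" && chmod 700 "$out" || return 1
    (
        umask 077    # new files are created with no group/other access at all
        # -clcerts -nokeys: only your own certificate, no CA chain, no key
        openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$out/usercert.pem" $pin &&
        # -nocerts: only the private key, written encrypted (PKCS#8)
        openssl pkcs12 -in "$p12" -nocerts -out "$out/userkey.pem" $pin $pout
    ) || return 1
    # grid tools expect a readable certificate and a key readable only by its owner
    chmod 644 "$out/usercert.pem" && chmod 400 "$out/userkey.pem"
}

# cert_key_match [DIR] [PASSIN]
# Succeed only if userkey.pem is the private key matching usercert.pem, by
# comparing the public key embedded in the certificate with the one derived from the key.
cert_key_match() {
    dir=${1:-$HOME/.globus}
    passin=${2:-}
    pin=""
    if [ -n "$passin" ]; then pin="-passin $passin"; fi
    certpub=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey) || return 1
    keypub=$(openssl pkey -in "$dir/userkey.pem" -pubout $pin) || return 1
    [ "$certpub" = "$keypub" ]
}

# cert_not_expiring [DIR] [DAYS]
# Fail if usercert.pem expires within DAYS days (default 30), so renewal is not a surprise.
cert_not_expiring() {
    dir=${1:-$HOME/.globus}
    days=${2:-30}
    openssl x509 -in "$dir/usercert.pem" -noout -checkend $((days * 86400)) >/dev/null
}

# virgo_proxy [HOURS]
# Create a proxy carrying the /virgo VOMS attribute unless one valid for at least
# another hour already exists. Needs the voms-clients package.
virgo_proxy() {
    hours=${1:-24}
    if ! command -v voms-proxy-init >/dev/null 2>&1; then
        echo "virgo_proxy: voms-proxy-init not found; install the voms-clients package" >&2
        return 1
    fi
    if voms-proxy-info --exists --valid 1:00 >/dev/null 2>&1; then
        echo "virgo_proxy: a proxy valid for at least another hour already exists" >&2
    else
        voms-proxy-init --voms virgo --valid "$hours:00" || return 1
    fi
    voms-proxy-info --all
}

# Usage: ./virgo-grid-setup.sh user.p12 [~/.globus]
# Nothing runs when the script is sourced or invoked without arguments.
if [ $# -ge 1 ]; then
    split_grid_cert "$1" "${2:-$HOME/.globus}" \
        && cert_key_match "${2:-$HOME/.globus}" \
        && cert_not_expiring "${2:-$HOME/.globus}" \
        && virgo_proxy
fi
```

Run it once per machine that needs to create proxies; the proxy itself is short-lived, so on a submission host you will normally call only virgo_proxy again before submitting jobs.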

LIGO identities for Virgo members

Virgo members get LIGO.ORG identities

To work around differences in collaboration identity management, all Virgo Collaboration members are also given a LIGO.ORG identity, which should be used to gain access to LIGO- or IGWN-operated computing centres, including the IGWN HTCondor submission points.