
Using your identity to access computing services

X.509 credentials

The IGWN collaborations rely heavily on a technology standard called X.509 to authenticate users and authorise access to data and services.

In a typical workflow, users authenticate using their institutional or collaboration identity to create an X.509 credential that is valid for a short amount of time (normally a few days). This credential can then be leveraged to gain access to various computing centres and services.

See below for details on creating an X.509 credential based on the type of identity you have.

KAGRA

KAGRA members are currently unable to acquire X.509 credentials that can be used to gain access to IGWN services. However, this will hopefully change in the near future, and the workflow will be very similar to that for LIGO.

LIGO (LIGO.ORG)

LIGO.ORG identity holders can create X.509 credentials when they are required using one of the following tools:

  • ecp-get-cert, from the ciecplib Python Package
  • ligo-proxy-init, from the LDG Client package

Creating a new X.509 credential

To generate a new LIGO.ORG X.509 credential using ecp-get-cert:

ecp-get-cert --identity-provider LIGO --username albert.einstein --verbose

Notes:

  • you can also set the ECP_IDP environment variable to your default --identity-provider so that you don't have to enter it every time.
  • the --reuse option avoids generating a new credential when an existing one is still valid for more than the given number of hours.
  • the --kerberos option uses an existing Kerberos ticket for authentication when generating a new X.509 credential.

ecp-get-cert can be used to generate a credential for any identity provider that supports ECP and is registered with CILogon. For a list of providers, see https://cilogon.org/include/ecpidps.txt.

To generate a new LIGO.ORG X.509 credential using ligo-proxy-init:

ligo-proxy-init albert.einstein

Notes:

  • the --kerberos option uses an existing Kerberos ticket for authentication when generating a new X.509 credential.

For more details on how to create, or refresh, an X.509 credential, see below.

Virgo

Getting a grid certificate from your home institution

Please get in touch with your Home Institution in order to obtain a GRID-enabled X.509 certificate. Once the certificate is obtained, install it on the machine(s) you intend to use to connect to the IGWN resources, following the instructions provided by your home institution.

The certificate may come in many different formats. Whatever the format, it should be converted to an X.509 certificate and then split into its two components: the private key and your own public certificate. Place these two files in ~/.globus, named userkey.pem and usercert.pem respectively. For format-specific instructions on extracting the two components, please refer to your Home Institution's instructions. The same ~/.globus folder containing both files should be present on every machine from which you expect to create new proxy certificates (e.g. your laptop, a workstation, and your home directory on any remote IGWN submission machine).
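
A quick check for the ~/.globus layout described above, written as an added example (it is not part of the IGWN documentation). The function names are hypothetical, the `openssl` command-line tool is assumed to be installed, and the rule that the private key must be closed to group and others is an assumption based on how grid proxy tools usually behave.

```shell
#!/bin/sh
# Added example: sanity checks for the ~/.globus layout described above.
# Function names are hypothetical; the openssl CLI is assumed to be installed.

# Print the group/other permission bits of a file, e.g. "------" or "r--r--".
# Parses `ls -ldL` output, which has the same shape on GNU and BSD systems.
group_other_bits() {
    ls -ldL "$1" | cut -c5-10
}

# Return 0 if DIR holds userkey.pem and usercert.pem and the private key
# is inaccessible to group and others; otherwise print why and return 1.
check_globus_layout() {
    gl_dir=$1
    gl_status=0
    for gl_file in userkey.pem usercert.pem; do
        if [ ! -f "$gl_dir/$gl_file" ]; then
            echo "missing: $gl_dir/$gl_file" >&2
            gl_status=1
        fi
    done
    if [ -f "$gl_dir/userkey.pem" ] &&
       [ "$(group_other_bits "$gl_dir/userkey.pem")" != "------" ]; then
        echo "private key open to group/others; run: chmod 600 $gl_dir/userkey.pem" >&2
        gl_status=1
    fi
    return "$gl_status"
}

# Return 0 if CERT parses as an X.509 certificate that has not yet expired.
# Prints subject and expiry date so you can confirm it is the right identity.
check_cert_not_expired() {
    openssl x509 -in "$1" -noout -subject -enddate 2>/dev/null || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Typical use on each machine that should be able to create proxies:
#   check_globus_layout "$HOME/.globus" &&
#       check_cert_not_expired "$HOME/.globus/usercert.pem"
```

Run the same check on every machine that holds a copy of ~/.globus, since each copy of userkey.pem is a separate place the key can leak from.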

Virgo VOMS

Once you have a valid certificate, you are allowed to complete the procedure for the registration of your certificate in the Virgo VOMS (Virtual Organization Membership Service) by connecting to this page. When opening this page a web browser prompt should ask you to provide a certificate to connect to the website. Select your X.509 certificate from the suggestions or manually select it if needed.

Once connected to the page, you can apply for VOMS memberships using the provided button. Apply for the /virgo and /virgo/virgo memberships by selecting them from the dropdown menu.

You'll be notified by email upon membership approval.

Install the VOMS client package

VOMS users will need to install the VOMS client software package in order to use their Virgo identity. To find it, search for voms* in your system's software package manager.

LIGO identities for Virgo members

Virgo members get LIGO.ORG identities

In order to work around differences in collaboration identity management, all Virgo Collaboration members are also given a LIGO.ORG identity, which should be used to gain access to LIGO- or IGWN-operated computing centres, including the IGWN HTCondor submission points.