Retiring X.509 Credentials in favor of SciTokens

Effective Date: 20 May 2025

Services Impacted: Any services currently accepting X.509 credentials for authorization

Details

Many LVK services that require authentication currently support authorization using X.509 certificates. In particular, it is possible for any LV user to obtain such a credential based on their LIGO.ORG identity. There are also methods for KAGRA and Virgo users to obtain such credentials, and operators of automated "robot" services can request a Kerberos keytab that permits the generation of such a credential.

This technology has been deprecated for some time, and it has now proven impossible for CompSoft to support it through the newly announced end date of O4. As such, we will be shutting down this service during the planned two-month commissioning break in April and May of 2025. Users of these credentials will need to migrate to the use of SciTokens before the effective date above.

Overview

Affected Services

On the effective date, ligo-proxy-init and ecp-get-cert will cease to provide X.509 user certificates based on a user's LIGO.ORG (marie.curie) identity. On the same date, any LVK managed services that currently accept such credentials will cease to do so, even if those credentials are not yet expired.

A partial list of affected services is:

GRACEDB
gw_data_find
DQSegDB

The ability to use such credentials to access proprietary CVMFS data is already deprecated and could disappear at any time without warning.

Impact

If you or a service you manage currently uses such credentials to access protected LVK resources, then prior to the effective date, you must migrate that service to use SciTokens instead. A general overview of SciTokens may be found on this page in the Computing Guide, and instructions specific to using SciTokens from within HTCondor are documented on this page.

For using tokens within HTCondor there are two kinds of issuers available: the IGWN issuer, and a condor-managed issuer known as the AP issuer, available at most LIGO Lab managed access points (that is, submit nodes). The details are described in the documentation linked above, but if your service uses HTCondor from a dedicated access point at a LIGO Lab managed LDG cluster (that is, any of CIT, LLO, or LHO), then you may request that it be converted to support the IGWN issuer, the AP issuer, or both. You may make such a request by opening a new helpdesk ticket.

If your use of X.509 certificates has been through a robot certificate keytab, then please be aware that this existing keytab cannot be used to generate a SciToken. If your automated process that needs a credential runs under HTCondor and does not need to interact with GRACEDB, then you will likely find it sufficient to use the AP issuer, which does not require any keytab, only that the HTCondor jobs are submitted from the correct shared account. On the other hand, if your automated process does not run under HTCondor, or it does, but requires access to GRACEDB, then you will need to use the IGWN issuer. In that case you will need to request a new keytab at https://robots.ligo.org. When completing that form, select option 4, "SciToken keytab", as the kind of keytab. Please ensure when completing that form that you enumerate all of the scopes that your service will require.

The Computing and Software working group is developing a script to help automate the refresh of robot SciToken credentials, as well as to simplify the documentation that we have linked above. However, if you require additional help, please do not hesitate to reach out. You may find the dedicated Mattermost channel a convenient place to do so. That channel also has many useful links in the channel header.