Grid certificate

http://technical.bestgrid.org/index.php/Grid_certificate
还可以参考 grid certificate profile 

Grid certificate

Start Computing on BeSTGRIDUsing or Joining BeSTGRID1. Obtain a Grid Certificate2. Join a Virtual Organisation3. Proxy Certificates4. Submitting jobs with Grisu

Getting Access to BeSTGRID

A Grid Certificate is aX.509 Certificate used to identifyGrid Users and allow access toBeSTGRIDComputational Grid services.

Contents

[hide]

• 1 Introduction
  • 1.1Grid Certificate Policies
  • 1.2Prerequisites
• 2Getting a Grid Certificate
  • 2.1Grid Certificate request procedure
    • 2.1.1Request Grid Certificate with Grix
      • 2.1.1.1Organisation Unit Definitions for BeSTGRID
    • 2.1.2Verify Grid User's Identity
    • 2.1.3Retrieving and Installing the Grid Certificate
  • 2.2What to do next
• 3Renewing a Grid Certificate
• 4Revoking a Grid Certificate

[edit]Introduction

In order to use any of the BeSTGRID Computational Grid services aGrid User is required to identify themselves with either a University or CRIIdentity Provider or by obtaining aGrid Certificate. BeSTGRID Grid Certificates are provided by theAPACGrid Certificate Authority and are used by a variety of applications, such as web browsers andGrid Tools, to allow access to sites and services provided byBeSTGRID and its partners such asARCS. This document will provide an overview on how aGrid User obtains, uses, and maintains theirGrid Certificate.

[edit]Grid Certificate Policies

• A Grid Certificate expires 1 calendar year after issue and must be renewed annually.
• A Grid Certificate must not be shared; Grid Users must have their own Grid Certificate. Shared Grid Certificates will be revoked without warning.

[edit]Prerequisites

• Java will need to be installed and updated to the latest version
• The APAC Certificate Authority Server certificate will needed to be downloaded and installed
• The Grix grid tool ...
  • will need to be downloaded and installed (see Grix),
  • or started using [Java Web Start link]
  • that there is no HTTP proxy or firewall blocking access to the Grix servers (listed here)

[edit]Getting a Grid Certificate

The recommended method of obtaining a Grid Cerificate is with the Grix grid tool, though it may be requested directly from the APACGrid Certificate Authority.

[edit]Grid Certificate request procedure

This procedure is written for Grix v1.2.2, it has three main phases, requesting the Grid Certificate, verifying the Grid User's identity, and retrieving & installing the Grid Certificate once it has been issued. Requesting the certificate and verifying the Grid User's identity do not have to happen in any specific order, and identity verification can be done well in advance of a certificate request provided theRegistry Authority Operator (RAO) can recall the identity verification. However, the Grid Certificate Request will not be approved until the Grid Users identity is confirmed.

[edit]Request Grid Certificate with Grix

1. Open the Grix application
2. Select the Certificate tab
3. Enter the following details in the request form fields
   • Country: NZ
   • Organisation: BeSTGRID
   • Organisation Unit: Use the full name of the organisation as indicated in theOrganisation Unit Definition table below.
   • Name: The name of the Grid User (at least first name and surname)
   • Email: The email address of the Grid User (should be an email address hosted by the Grid User's parent organisation)
4. Click on the Request button to submit the Grid Certificate request

[edit]Organisation Unit Definitions for BeSTGRID

Using consistent names in the Organisation Unit (OU) field of Grid Certificates ensures that Grid Users from the same organisation or institution can be quickly found and easily managed.

OrganisationOU textUniversity of AucklandThe University of AucklandUniversity of CanterburyUniversity of CanterburyVictoria University of WellingtonVictoria University of WellingtonMassey UniversityMassey UniversityLandcare ResearchLandcare Research NZ ltdLincoln UniversityLincoln University

[edit]Verify Grid User's Identity

The Grid User will need to choose a Registry Authority Operator (RAO) from the list of approved ARCS RAOs, there may be an RAO within the Grid User's organisation but it may be more convenient to see the closest RAO. There may be a stronger burden of proof required when meeting an RAO outside the Grid User's organisation.

The Grid User will need to provide proof of identity, preferably some form of Photo ID, such as a drivers license or student ID card, when they meet the RAO. The RAO will not approve requests on behalf of other Grid Users. The Grid User and RAO must physically meet, proof of identity can not be confirmed by email, fax, telephone, or any other communications media.

Once proof of identity has been established, the RAO may be happy to renew Grid Certificates when they expire without re-presenting proof of identity. It is recommended that proof of identity be re-established if the Grid User's circumstances change, e.g. working for a new organisation.

1. Choose an RAO from the list of approved ARCS RAOs
2. Contact the RAO to see if they are available, and make arrangements to meet the RAO
3. The Grid User presents their photo ID when they meet the RAO
4. If the RAO is satisfied with the Grid User's proof of identity, they will then approve the Grid Certificate request and contact a Certificate Authority Operator (CAO) to issue the Grid Certificate

[edit]Retrieving and Installing the Grid Certificate

1. The Grid User should recieve an automated email from the ARCS Certificate Authority Server when the Certificate Authority Operator (CAO) issues the Grid Certificate
2. The Grid User can then do either or both of:
   • follow the link in the email to retrieve the Grid Certificate as a downloadable file
     1. Click on the link in the Grid Certificate issue notification email
     2. Check that the certificate details are correct
     3. Select CER format from the Certificate drop down menu at the bottom of the page
     4. Click on the Download button and save the certificate in a safe and secure location
     5. Locate the certificate file, right click on it and select Install
        • NOTE: This should work for Windows 2k/XP/Vista/7, some other installation process may be required for other operating systems.
   • use Grix to retrieve the Grid Certificate (recommended)
     1. Open the Grix application
     2. Select the Certificate tab
     3. If the Retrieve button is active, click on it to retrieve the Grid Certificate
     4. Once Grix has retrieved the certificate, click on Export for Browser
     5. Enter the Grid Certificates passphrase when prompted
     6. Locate the certificate file, right click on it and select Install
        • NOTE: This should work for Windows 2k/XP/Vista/7, some other installation process may be required for other operating systems.

[edit]What to do next

Once a Grid User has been issued with a Grid Certificate they will need to useGrix toapply for BeSTGRID Virtual Organisation membership

[edit]Renewing a Grid Certificate

A Grid Certificate is only valid for the calender year after it is issued, and will need to be renewed near it's expiry date. A Grid User will not normally have to go through the whole Grid Certificate Request process in order to renew their certificate.

This process has not yet been documented

[edit]Revoking a Grid Certificate

If a Grid User leaves a organisation that is a BeSTGRID member, even if it is to move to another member organisation, their Grid Certificate should be revoked. If a Grid Certificate and its passphrase is stolen or otherwise compromised, it must be revoked.

Grid Users may have to request a new Grid Certificate from scratch if their Grid Certificate is revoked.

This process has not yet been documented'