NCSA's Help Desk is available 24 hours a day, seven days a week, 365 days a year:
help.ncsa.uiuc.edu
217-244-0710
help@ncsa.uiuc.edu

Getting an NCSA Certificate

A new NCSA Certificate Authority (CA) is in place as of May 30, 2007. To meet the TAGPMA (The Americas Grid Policy Management Authority) standards, the new CA has some additional requirements:
  • When generating your User Certificate with the ncsa-cert-request command, you are prompted for both your NCSA Kerberos password and your NCSA default password. Your NCSA default password is listed on the paperwork you received when you were granted an NCSA account.
  • The DN (Distinguished Name) format has changed. DNs now include "OU=People", as required by TAGPMA to differentiate them from credentials generated via MyProxy.
  • To generate a Host Certificate, you must be the registered System Administrator in the NCSA DNS database for the given host; this is also required by TAGPMA.

If this is your first visit to this page, please read through the entire page before proceeding.

Please note that NCSA user certificates are intended for use by TeraGrid/NCSA users and staff (i.e., an NCSA Kerberos password is required to get an NCSA user certificate). If you do not have an NCSA Kerberos password, you should get a different certificate.

Overview

You need to pick a "home" machine from which you will be starting your grid computing tasks. For the purposes of these instructions this would be an NCSA machine on which you have an account. This is where you will store your certificate and from where you will start all your grid computing.

Follow these steps to request your NCSA certificate:
  1. Log into the machine from which you will be requesting your certificate.
  2. If you want to check the help for different flags, type
    % ncsa-cert-request -help
    If the output looks something like "ncsa-cert-request: Command not found.", then your path and environment need to be configured properly. "Setting Your Environment and Path" explains how to do this for NCSA production machines.
  3. For a user certificate, just run the script to request the certificate.
    % ncsa-cert-request
  4. You will be prompted for both your NCSA Kerberos password and your NCSA default password:
       To continue, please enter the NCSA Kerberos password for jdoe:
       To continue, please enter the NCSA default password for jdoe:
    
  5. Then you will be prompted to enter a pass phrase.

    Your pass phrase is much like a traditional password. You should choose a pass phrase containing at least 12 characters. Choose a pass phrase that you can remember, but which cannot be easily guessed. The longer the phrase is, the more secure it is. For example, it could be a line from your favorite song. It is a good practice to include at least one numerical character (0-9) and one non-alphanumeric character (!@#$%^&*). Make sure you remember this pass phrase. If you forget it, you'll have to revoke your certificate and request a new one.

  6. When prompted, enter your pass phrase a second time to confirm it (i.e. make sure you didn't make any typing errors).

After a few seconds you should see a message describing the various certificate files now in the ~/.globus directory.

Test your certificate

You should test your certificate in two ways:

  1. Use the grid-cert-info command to display information about your certificate. Try it twice with two different flags:
    1. -subject: shows your distinguished name
    2. -enddate: shows when your certificate expires

      Ex.
      % grid-cert-info -subject
      /C=US/O=National Center for Supercomputing Applications/OU=People/CN=John Doe

      % grid-cert-info -enddate
      May 2 20:00:31 2008 GMT

    "grid-cert-info -help" will show you other flags you can use to find out other information about your certificate.

  2. Get a proxy certificate and get info about it using the grid-proxy-init and grid-proxy-info -all commands.

    % grid-proxy-init
    Your identity: /C=US/O=National Center for Supercomputing Applications/OU=People/CN=John Doe
    Enter GRID pass phrase for this identity:
    Creating proxy .................................. Done
    Your proxy is valid until: Thu May 31 02:04:04 2007

    % grid-proxy-info -all
    subject : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=John Doe/CN=proxy
    issuer : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=John Doe
    identity : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=John Doe
    type : full
    strength : 512 bits
    path : $HOME/.globus/userproxy.pem
    timeleft : 11:58:55
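
The checks in step 2 can be scripted. The following is an added example, not NCSA or Globus code: it parses `grid-proxy-info -all` text and confirms that the identity uses the new "OU=People" DN format, that the proxy subject extends that identity, and that enough lifetime remains. The function names are hypothetical and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: sanity checks on `grid-proxy-info -all` text (hypothetical function names).
# Constructed sample, modelled on the output shown on this page.
SAMPLE_PROXY_INFO='subject : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=John Doe/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=John Doe
identity : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=John Doe
type : full
strength : 512 bits
path : $HOME/.globus/userproxy.pem
timeleft : 11:58:55'

# Print the value of one "name : value" field read from stdin.
proxy_field() {
    awk -v key="$1" '{
        pos = index($0, ":"); if (pos == 0) next
        name = substr($0, 1, pos - 1); gsub(/[ \t]/, "", name)
        if (name != key) next
        val = substr($0, pos + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; exit
    }'
}

# Convert H:MM:SS to seconds; prints nothing if the format is unexpected.
hms_to_seconds() {
    printf '%s\n' "$1" | awk -F: 'NF == 3 { print $1 * 3600 + $2 * 60 + $3 }'
}

# Usage: grid-proxy-info -all | check_proxy_info MIN_SECONDS (0 = all checks pass)
check_proxy_info() {
    info=$(cat)
    identity=$(printf '%s\n' "$info" | proxy_field identity)
    subject=$(printf '%s\n' "$info" | proxy_field subject)
    secs=$(hms_to_seconds "$(printf '%s\n' "$info" | proxy_field timeleft)")
    [ -n "$identity" ] || { echo "no identity field found"; return 2; }
    case "$identity" in          # new CA DN format carries OU=People
        */OU=People/CN=*) ;;
        *) echo "identity lacks OU=People: $identity"; return 3 ;;
    esac
    case "$subject" in           # proxy subject = identity plus a further CN
        "$identity"/CN=*) ;;
        *) echo "proxy subject does not extend identity"; return 4 ;;
    esac
    if [ -z "$secs" ] || [ "$secs" -lt "$1" ]; then
        echo "proxy expires too soon (${secs:-unknown} s left)"; return 5
    fi
    echo "ok: $identity, $secs s left"
}

printf '%s\n' "$SAMPLE_PROXY_INFO" | check_proxy_info 3600
```

Each failed check returns its own exit code, so a job wrapper can tell an expiring proxy (5) from an unexpected DN (3 or 4).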

Problems

If you encounter problems requesting or testing your NCSA certificate, please send email to the NCSA consulting office: consult@ncsa.uiuc.edu.