Using Your User Certificate


Obtaining Information about Your Certificate

You can use the grid-cert-info command to display information about your certificate. This command must be run on the machine that has your certificate files (i.e. ~/.globus). Try it twice with two different flags:

  1. -subject: shows your distinguished name (DN)
  2. -enddate: shows when your certificate expires

    Ex.
    % grid-cert-info -subject
    /C=US/O=National Center for Supercomputing Applications/CN=John Doe

    % grid-cert-info -enddate
    Jun 5 17:22:19 2006 GMT

"grid-cert-info -help" will show you other flags you can use to find out other information about your certificate.

Getting a Proxy Certificate

You don't actually use your certificate for authentication. Instead you generate a proxy certificate using grid-proxy-init. You have to run this command on the machine that has your user certificate (i.e. ~/.globus). You can get information about the proxy certificate using the grid-proxy-info command.

% grid-proxy-init
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=John Doe
Enter GRID pass phrase for this identity:
Creating proxy .................................. Done
Your proxy is valid until: Thu Jun 19 05:09:41 2006

% grid-proxy-info -all
subject : /C=US/O=National Center for Supercomputing Applications/CN=John Doe/CN=proxy/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=John Doe/CN=proxy
identity : /C=US/O=National Center for Supercomputing Applications/CN=John Doe
type : full
strength : 512 bits
path : /tmp/x509up_u27031
timeleft : 11:59:32

By default your proxy expires within 12 hours. When it does, just run the grid-proxy-init command again to get a new one.
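
One way to check, before starting long-running work, that the proxy will last long enough. This is an added example, not part of the original page: it reads the timeleft line from grid-proxy-info output like that shown above, and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: decide whether a proxy has enough lifetime left, using the
# text that grid-proxy-info prints (read here on standard input).

# Print the timeleft field (H:M:S) as seconds. Fails when there is no
# timeleft line, e.g. when the tool reported that no valid proxy exists.
proxy_seconds_left() {
    awk -F' *: *' '
        $1 ~ /^ *timeleft$/ && NF == 4 { print $2 * 3600 + $3 * 60 + $4; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Succeed when at least $1 seconds remain; otherwise say why and fail.
proxy_ok_for() {
    need=$1
    left=$(proxy_seconds_left) || {
        echo "no valid proxy: run grid-proxy-init" >&2
        return 1
    }
    [ "$left" -ge "$need" ] && return 0
    echo "only ${left}s left, need ${need}s: run grid-proxy-init" >&2
    return 1
}

# Constructed sample, taken from the grid-proxy-info -all output above.
# Real use would be:  grid-proxy-info -all | proxy_ok_for 3600
sample='type : full
strength : 512 bits
path : /tmp/x509up_u27031
timeleft : 11:59:32'
printf '%s\n' "$sample" | proxy_ok_for 3600 && echo "proxy good for at least an hour"
```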

Using Your Proxy Certificate

This is only a brief introduction to what you can do with your proxy certificate. Don't forget to get your proxy certificate (grid-proxy-init) first.

  • Check to see if you can authenticate to the machine using your proxy certificate. If you cannot authenticate to the remote machine, then you will not be able to log into the machine or remotely run jobs on that machine using your certificate.

      % globusrun -a -r login-hg.ncsa.teragrid.org
    
      GRAM Authentication test successful
    

  • A GSI-Enabled OpenSSH will use your proxy certificate to authenticate you.

      % gsissh login-w.ncsa.teragrid.org 
      Last login: Thurs  Jun 19 13:19:01 2006 from ncsabox.ncsa.uiuc.edu
      < snip >
      tund:~$
    

    It should NOT ask you for your password.

    GSI-Enabled OpenSSH will forward your proxy to the remote machine. So, you don't have to run grid-proxy-init on the remote machine to use it again. To illustrate this, after gsissh-ing to a remote machine, run grid-proxy-info:

      $ grid-proxy-info
      subject  : /C=US/O=National Center for Supercomputing Applications/CN=John Doe/CN=proxy/CN=proxy
      issuer   : /C=US/O=National Center for Supercomputing Applications/CN=John Doe/CN=proxy
      identity : /C=US/O=National Center for Supercomputing Applications/CN=John Doe
      type     : full
      strength : 512 bits
      path     : /tmp/x509up_p17249.fileyAggpM.1
      timeleft : 11:57:56
    


Destroying Your Proxy Certificate

When you are done using your proxy, you can destroy it by running the grid-proxy-destroy command.

% grid-proxy-info
subject  : /C=US/O=National Center for Supercomputing Applications/CN=John Doe/CN=proxy/CN=proxy
issuer   : /C=US/O=National Center for Supercomputing Applications/CN=John Doe/CN=proxy
identity : /C=US/O=National Center for Supercomputing Applications/CN=John Doe
type     : full
strength : 512 bits
timeleft : 11:50:49
% grid-proxy-destroy
% grid-proxy-info


ERROR: Couldn't find a valid proxy.
Use -debug for further information.

If you do not destroy it, it will expire after the length of time indicated by the timeleft field.

Moving Your Certificate

At some time you may wish to move your certificate and private key to a different host. For example, suppose you have been securely connecting to an NCSA HPC machine using SSH or Kerberos, and then using your certificate from that machine to access the grid. Suppose you then decide that you want to use your certificate to authenticate and connect to the grid directly from your desktop computer. After installing the necessary software on your desktop computer you will need to move your certificate and private key to your desktop machine. The simplest way to move your certificate and key to a new machine is to create and then move a tarfile. At a prompt enter

  oldhost% cd ~
  oldhost% tar -cf ~/cert.tar .globus

to create a tarfile in your home directory named cert.tar that will contain all the files in your ~/.globus directory. Next transfer the tarfile to the new host using, for example, scp or globus-url-copy. Then in your home directory on the new host enter

  newhost% cd ~
  newhost% tar -xf cert.tar

to create the directory ~/.globus on the new host. The new directory will contain your certificate and private key. Make sure that the permissions on all the user* files in ~/.globus/ are 600.

After transferring and testing your certificate and key, we strongly recommend that you delete your certificate and key from the old host. Your certificate and key are less likely to be compromised if you have only one copy to manage.
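
The move described above, with the permission check made explicit. This is an added example, not NCSA's own script: the function names are made up, and the file names usercert.pem and userkey.pem in the demo are assumed (the page only says user*).

```sh
#!/bin/sh
# Added example. Paths are passed in so it can be tried on a scratch
# directory before touching a real ~/.globus.

# Old host: build the tarfile under umask 077, because it holds the private key.
pack_globus() {   # $1 = home directory containing .globus, $2 = tarfile to write
    ( umask 077 && cd "$1" && tar -cf "$2" .globus )
}

# New host: list every user* file whose mode is not exactly 600.
# Returns 0 if all are fine, 1 if any were listed, 2 if the directory is missing.
audit_globus_perms() {
    dir=${1:-"$HOME/.globus"}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    bad=$(find "$dir" -maxdepth 1 -type f -name 'user*' ! -perm 600)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Set the flagged files to 600, then audit again to confirm.
fix_globus_perms() {
    dir=${1:-"$HOME/.globus"}
    find "$dir" -maxdepth 1 -type f -name 'user*' ! -perm 600 -exec chmod 600 {} +
    audit_globus_perms "$dir"
}

# Constructed demo: empty stand-in files with deliberately loose modes.
old=$(mktemp -d); new=$(mktemp -d)
mkdir "$old/.globus"
: > "$old/.globus/usercert.pem"; : > "$old/.globus/userkey.pem"
chmod 644 "$old/.globus/usercert.pem"; chmod 640 "$old/.globus/userkey.pem"
pack_globus "$old" "$old/cert.tar"
( cd "$new" && tar -xf "$old/cert.tar" )
audit_globus_perms "$new/.globus" || fix_globus_perms "$new/.globus"
rm -rf "$old" "$new"
```

cert.tar is itself a copy of your private key, so remove it from both hosts once the new copy has been tested.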
