How to get Grid Credentials#

First, get a DOE grid certificate. The instructions for doing this are here. (See below for further hints if you weren’t able to figure things out from the USCMS website.)#

Verify that your grid certificate is installed correctly in .globus:#

voms-proxy-init

If all goes well, the above should ask you for the password of your private key and will then generate a temporary grid proxy credential for you. A grid proxy is simply a temporary identity that is signed by your DOE certificate. Various grid commands use this proxy to identify you to grid services. Using voms-proxy-info you can see how much time is left on your proxy. Once the time runs out, you need to renew the proxy with voms-proxy-init in order to continue using it.#

Once you have a grid certificate, request to be added to the CMS Virtual Organization (VO). Instructions are here.#

Once you have been added to the CMS VO (actually one hour afterwards), you should be able to start using your grid certificate to access various CMS grid services such as the SRM interface to the Wisconsin storage cluster, where you can read and write data files.#

For some specific examples of using simple grid computing commands, see Basic Grid Commands.#

Hints on Installing Grid Certificate#

Exporting certificate from browser#

Info from DOEGrids Certificate Service is here#

Once you have your certificate stored in your browser, you will need to extract it to a file for use with grid software. The steps for doing this depend on the specific browser. For example, in Mozilla, you do the following:#

Choose Edit/Preferences/Security/Certificates/Manage Certificates/Backup#

Save file in /tmp and choose whatever password you want. (The following assumes name is mycert.p12.)#

Now use openssl to convert the certificate from pkcs12 format to x509:#

mkdir ~/.globus
cd /tmp openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out ~/.globus/usercert.pem
openssl pkcs12 -in mycert.p12 -nocerts -out ~/.globus/userkey.pem chmod 0600 \~/.globus/userkey.pem

If your home directory happens to be in AFS, you will want to make sure the ACL on .globus does not allow anybody else to read your private key userkey.pem. Example:#

fs setacl -dir ~/.globus -acl system:anyuser none