PSC Grid Certificate Information

Authenticating to PSC TG resources involves these steps:

  • Obtaining an X.509 or KX.509 certificate. This can be a one-time process, or something that must be done every time, depending on the lifetime of the certificate.
  • Placing your Distinguished Name (DN) in the PSC grid-mapfiles. This need only be done once.
  • Creating a grid-proxy. This must be done each time.

X.509/KX.509 certificates

You may authenticate to PSC grid resources using an X.509 user certificate issued by any of the TeraGrid approved Certificate Authorities (CAs).

All but the PSC KCA and the USC KCA issue long-term certificates, valid for months or years; PSC and USC issue short-term certificates, as needed, to PSC and USC account holders.

With a long-term certificate, users must keep the X.509 key and certificate stored securely (typically in ~/.globus). Grid proxies are generated from long-term certificates using grid-proxy-init for use in authentication with GSISSH or Globus client commands.

If you have a long-term X.509 certificate from one of the TG approved CAs, you can use it to authenticate to PSC.

If you are a PSC user and do not currently have a long-term X.509 certificate from one of the TeraGrid-approved authorities, you may obtain a short-term certificate from the PSC KCA with the kinit and kx509 commands.

Obtaining a PSC KX.509 User Certificate

Use the kinit and kx509 commands to get a short-term X.509 certificate. This certificate has a default lifetime of ten hours.

$ kinit johndoe@PSC.EDU
johndoe@PSC.EDU's Password:
$ kx509
$ klist
Credentials cache: FILE:/tmp/krb5cc_00000_s11466
        Principal: johndoe@PSC.EDU

  Issued           Expires          Principal
Jan  5 12:06:19  Jan  5 22:06:20  krbtgt/PSC.EDU@PSC.EDU
Jan  5 12:06:19  Jan  5 22:06:20  afs@PSC.EDU
Jan  5 12:06:22  Jan  5 22:06:20  kca_service/gridinfo.psc.edu@PSC.EDU
Jan  5 12:06:22  Jan  5 22:06:20  kx509/certificate@PSC.EDU

   V4-ticket file: /tmp/tkt19215
        Principal: johndoe@PSC.EDU

  Issued           Expires          Principal
Jan  5 12:06:19  Jan  5 22:11:19  krbtgt.PSC.EDU@PSC.EDU

Distinguished Name (DN)

The output of the grid-proxy-info -subject command (described below) is known as the "Distinguished Name" (DN). This is used in the grid-mapfiles (which control access to each resource), among other places.

The PSC DN for user johndoe has one of these two forms:

/C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/UID=johndoe/Email=johndoe@PSC.EDU

/C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/USERID=johndoe/Email=johndoe@PSC.EDU

Including your DN in the PSC Grid Mapfiles

PSC automatically puts both forms of the DN into the PSC grid-mapfiles for all PSC users. We recommend that both versions be placed in the grid-mapfiles of other TeraGrid systems to avoid authentication issues that have been observed between different releases of GSISSH and Globus software.

Users from other sites may enter their DN in the PSC grid-mapfiles from the PSC DN management page at https://dirs.psc.edu/cgi-bin/teragrid/userpage/list.pl. You will need your PSC username and password to access the site, and will have to enter your DN or your public key on the form.

Inclusion into other sites' mapfiles is a site-specific process. See http://www.teragrid.org/userinfo/access/sso_nontgca.php#dn.
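
As an added example (not part of this PSC page or its tools), the following POSIX shell functions generate both DN spellings described above (the /UID= and /USERID= forms) and check which of them a grid-mapfile already maps, using a constructed sample mapfile; grid-mapfile lines are assumed to have the usual "DN" localuser layout.

```shell
#!/bin/sh
# Added example: check a grid-mapfile for both PSC DN forms. Not PSC code.

# The two DN forms documented on the page for user johndoe.
PSC_DN_UID='/C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/UID=johndoe/Email=johndoe@PSC.EDU'
PSC_DN_USERID='/C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/USERID=johndoe/Email=johndoe@PSC.EDU'

# Constructed sample grid-mapfile (assumed "DN" localuser layout); it holds
# only the /UID= form of johndoe's DN plus one unrelated made-up entry.
SAMPLE_MAPFILE=${TMPDIR:-/tmp}/grid-mapfile.example.$$
cat > "$SAMPLE_MAPFILE" <<'EOF'
# constructed sample grid-mapfile
"/C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/UID=johndoe/Email=johndoe@PSC.EDU" johndoe
"/C=US/O=Example Org/OU=Example CA/CN=Jane Roe" jroe
EOF

# Print every spelling of a DN that a mapfile may need: a PSC DN is printed
# in both its /UID= and /USERID= forms; any other DN is printed once.
dn_variants() {
    case $1 in
        */USERID=*) printf '%s\n' "$1" | sed 's#/USERID=#/UID=#'; printf '%s\n' "$1" ;;
        */UID=*)    printf '%s\n' "$1"; printf '%s\n' "$1" | sed 's#/UID=#/USERID=#' ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Count mapfile lines whose quoted DN equals one of the DN's forms.
# grep -F treats each newline-separated line of the pattern as a fixed string;
# the surrounding quotes prevent a prefix of a longer DN from matching.
mapfile_matches() {
    pats=$(dn_variants "$2" | sed 's/^/"/; s/$/"/')
    grep -c -F -e "$pats" "$1" || true
}

# Emit the mapfile lines that map every form of the DN to a local user,
# which is what the page recommends for other TeraGrid systems.
mapfile_lines_for() {
    dn_variants "$1" | sed "s/^.*\$/\"&\" $2/"
}
```

Run mapfile_matches against your site's mapfile with the DN printed by grid-proxy-info -subject; a count below the number of forms means one spelling is still missing.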

Grid Proxy Creation

Create a grid proxy from the short-term KX.509 certificate by using the kxlist -p (for proxy) command. The proxy will have the same lifetime as the certificate.

$ kxlist -p
Service kx509/certificate
 issuer= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Kerberos Certification Authority
 subject= /C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/UID=johndoe/emailAddress=johndoe@PSC.EDU
 serial=0108
 hash=a1266002

This proxy works like any other Globus proxy. You can now run grid commands such as globus-job-run and globus-url-copy, or any other Globus GSI-enabled application (gsincftp, etc.).

You can verify that the grid proxy was created by issuing the grid-proxy-info command. Using the -subject option displays your "certificate subject", also known as your Distinguished Name (DN).

$ grid-proxy-info -subject
/C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/USERID=johndoe/Email=johndoe@PSC.EDU

Proxy Lifetime

KX.509 certificates can be created with a longer lifetime than the default of 10 hours. The grid proxy created from this certificate inherits this longer lifetime.

Use the -l option to kinit to specify the lifetime that you want. The argument to kinit -l may be given in seconds or in hh:mm:ss format, depending on the kinit implementation. Here we ask for a lifetime of one day (86400 seconds):

$ kinit -l 86400
johndoe@PSC.EDU's Password:
$ klist
Credentials cache: FILE:/tmp/krb5cc_19215_s11466
        Principal: johndoe@PSC.EDU

  Issued           Expires          Principal
Jan  5 12:31:49  Jan  6 12:31:49  krbtgt/PSC.EDU@PSC.EDU
Jan  5 12:31:49  Jan  6 12:31:49  afs@PSC.EDU
Jan  5 12:31:53  Jan  6 12:31:49  kca_service/gridinfo.psc.edu@PSC.EDU
Jan  5 12:31:53  Jan  6 12:31:49  kx509/certificate@PSC.EDU

   V4-ticket file: /tmp/tkt19215
        Principal: johndoe@PSC.EDU

  Issued           Expires          Principal
Jan  5 12:31:49  Jan  6 13:58:10  krbtgt.PSC.EDU@PSC.EDU
$ kx509
$ kxlist -p
Service kx509/certificate
 issuer= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Kerberos Certification Authority
 subject= /C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/UID=johndoe/emailAddress=johndoe@PSC.EDU
 serial=010C
 hash=a1266002

$ grid-proxy-info
subject  : /C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/USERID=johndoe/Email=johndoe@PSC.EDU
issuer   : /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Kerberos Certification Authority
identity : /C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/USERID=johndoe/Email=johndoe@PSC.EDU
type     : end entity credential
strength : 512 bits
path     : /tmp/x509up_u19215
timeleft : 23:59:50
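
Because the proxy inherits the certificate lifetime, a job that runs longer than the proxy's remaining time will lose its credential mid-run. As an added example (not part of this page or the Globus tools), these POSIX shell functions read the "timeleft : hh:mm:ss" line of grid-proxy-info output, as shown above, and compare it with a job's walltime; the sample output below is constructed in the page's format.

```shell
#!/bin/sh
# Added example: decide whether a grid proxy outlives a job. Not PSC code.

# Constructed sample grid-proxy-info output in the layout shown on the page.
SAMPLE_PROXY_INFO='subject  : /C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=johndoe/USERID=johndoe/Email=johndoe@PSC.EDU
issuer   : /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Kerberos Certification Authority
type     : end entity credential
strength : 512 bits
path     : /tmp/x509up_u19215
timeleft : 23:59:50'

# Convert hh:mm:ss to whole seconds. Hours may exceed 24 (e.g. 30:00:00);
# awk is used so that fields such as "08" are read as decimal, not octal.
hms_to_seconds() {
    printf '%s\n' "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# Seconds of proxy lifetime left according to grid-proxy-info output ($1).
# Prints 0 when no timeleft line is present (no proxy, or an error message).
proxy_timeleft_seconds() {
    t=$(printf '%s\n' "$1" | sed -n 's/^timeleft *: *//p' | head -n 1)
    if [ -z "$t" ]; then
        echo 0
    else
        hms_to_seconds "$t"
    fi
}

# Succeed (exit 0) only if the proxy described by $1 still has at least the
# job walltime $2 (hh:mm:ss) left; otherwise re-run kinit -l with a longer
# lifetime, then kx509 and kxlist -p, before submitting the job.
proxy_outlives() {
    left=$(proxy_timeleft_seconds "$1")
    need=$(hms_to_seconds "$2")
    [ "$left" -ge "$need" ]
}
```

In practice pass the live output, e.g. proxy_outlives "$(grid-proxy-info)" 12:00:00, before submitting a 12-hour job.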

Destroying a Proxy

When you are finished with your Globus session, you should destroy your grid proxy with the grid-proxy-destroy command so that no one else can use it.