TeraGrid resources primarily use certificate-based authentication. These are X.509 certificates, the same kind used by SSL/TLS to secure transactions such as credit card payments on the internet. In this case, however, you must present a certificate as proof that you are who you claim to be. These user certificates are issued and signed by trusted Certificate Authorities (CAs). Not all CAs are trusted by TeraGrid sites.
You should receive instructions on obtaining an NCSA certificate with your introductory TeraGrid packet. Purdue affiliates may also obtain a Purdue certificate.
It is fairly easy to obtain an NCSA user certificate, so you may wish to start by getting one of those and using it to log in to systems in the future.
bash-3.00$ ncsa-cert-request
bash-3.00$ grid-cert-info -subject
bash-3.00$ grid-cert-info -enddate
If you do not wish to obtain an NCSA user certificate, it is possible to use a user certificate from any TeraGrid-trusted Certificate Authority. To do so, place those certificate files in your ".globus" directory. Read the "File Transfer" section of the user guide for information on how to transfer your certificate (and other files) between sites.
You should confirm your certificate is approved by locating your user certificate's Distinguished Name (DN) in the gridmap file.
First, to extract your DN from your user certificate:
bash-3.00$ grid-cert-info -subject
Then search for this DN in the gridmap file:
bash-3.00$ grep -F "<your_DN>" /etc/grid-security/grid-mapfile
If you are not in the gridmap file, you may use "gx-request" on many of the sites to request your DN be added. See here for a list. If gx-request is not supported on a system, you will have to email your DN to the TeraGrid HelpDesk.
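A DN contains spaces, slashes and dots, so a pattern search can also match a different DN that merely begins with yours. The lookup below is an added example, not part of the original guide: it compares the whole quoted DN as a string and prints the local account it maps to. It assumes the usual gridmap entry layout of a quoted DN followed by the account name; the function names and the sample entries are constructed for illustration.

```bash
#!/bin/bash
# gridmap_lookup DN [FILE]: print the local account(s) mapped to exactly this DN.
# Assumed entry layout: "quoted DN" account[,account...]   (# starts a comment)
# Returns 1 when the DN has no entry.
gridmap_lookup() {
    DN_WANTED=$1 awk '
        /^[ \t]*#/ { next }
        match($0, /^[ \t]*"[^"]*"/) {
            dn = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]*"/, "", dn); sub(/"$/, "", dn)
            accounts = substr($0, RSTART + RLENGTH)
            gsub(/[ \t]/, "", accounts)
            # String comparison, so "." and "/" in a DN are never regex syntax
            # and a DN that is a prefix of another DN does not match it.
            if (dn == ENVIRON["DN_WANTED"]) { print accounts; found = 1 }
        }
        END { exit !found }
    ' "${2:-/etc/grid-security/grid-mapfile}"
}

# Constructed sample file (not a real site's gridmap).
make_sample_gridmap() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample entries
"/C=US/O=Example Grid/CN=Jane Doe" jdoe
"/C=US/O=Example Grid/CN=Jane Doe 2" jdoe2
EOF
    echo "$f"
}

sample=$(make_sample_gridmap)
if account=$(gridmap_lookup "/C=US/O=Example Grid/CN=Jane Doe" "$sample"); then
    echo "mapped to: $account"
else
    echo "DN not in gridmap; request it with gx-request or the HelpDesk"
fi
rm -f "$sample"
```

On a TeraGrid system, pass the output of "grid-cert-info -subject" as the first argument and omit the second to search /etc/grid-security/grid-mapfile.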
Proxy Certificates are temporary authentication credentials issued based on your user certificate. These proxy certificates may be used to authenticate to various TeraGrid resources in lieu of your user certificate. This is generally safer than using your actual certificate, as these proxy certificates are only good for a matter of hours, so should one fall into the wrong hands, it would be of limited impact.
There are two ways of obtaining a proxy certificate. One is to derive a proxy certificate from your existing user certificate in your .globus directory, as explained above. However, you may also obtain a proxy certificate without a local user certificate. This is possible using the automatic NCSA user certificate created for all TeraGrid users, and the TeraGrid MyProxy server. Either method may be used. You may already have a local user certificate, or you may find it easier to directly obtain proxy certificates whenever you need them from the TeraGrid MyProxy server.
Either method's proxy certificates may be used to run jobs at TeraGrid sites or login via gsissh, as described elsewhere.
If you have a local user certificate in place in your ".globus" directory, you may derive a proxy certificate from this by running "grid-proxy-init":
bash-3.00$ grid-proxy-init
Enter pass phrase: <user_certificate_passphrase>
A proxy has been received for user username in /tmp/x509up_u#####
By default, the proxy certificate is valid for 12 hours. If you wish to have it remain valid longer, this can be done using the "-valid" option:
bash-3.00$ grid-proxy-init -valid <hh:mm>
When your TeraGrid account was created, a user certificate and Distinguished Name (DN) were created on your behalf by the NCSA Certificate Authority (CA). This DN is stored in your profile in the TeraGrid account database and automatically propagated to all TeraGrid sites. A proxy certificate derived from this can be retrieved from the TeraGrid MyProxy certificate repository (myproxy.teragrid.org) while on any TeraGrid resource by using the command "myproxy-get-delegation", supplying your TeraGrid Portal user name with the "-l" option, and your TeraGrid Portal password as the MyProxy passphrase:
bash-3.00$ myproxy-get-delegation -l <portal_username> -s myproxy.teragrid.org
Enter MyProxy pass phrase: <portal_password>
A proxy has been received for user username in /tmp/x509up_u#####
By default, the proxy certificate is valid for 12 hours. If you wish to have it remain valid longer, this can be done using the "-t" option:
bash-3.00$ myproxy-get-delegation -t <hh:mm>
You can verify the status of your current proxy certificate at any time by running "grid-proxy-info":
bash-3.00$ grid-proxy-info
You may delete your current proxy certificate at any time by running "grid-proxy-destroy":
bash-3.00$ grid-proxy-destroy
If you are a Purdue affiliate and physically on campus, you may obtain a user certificate from the Purdue Certificate Authority. This is not necessary, as you only need a certificate from any one of the TeraGrid sites, and you can generate one yourself at NCSA once you have received your initial TeraGrid account as described above.
To get a Purdue user certificate, contact ca-admin. You will then be contacted with further information. You will be asked to show up in person and show an ID. You should also bring a USB drive or disc for them to copy your certificate to.
Copy the certificate files to the ".globus" directory in your home directory (create this directory if it does not exist):
bash-3.00$ mkdir -p ~/.globus
bash-3.00$ cp userkey.pem ~/.globus
bash-3.00$ cp usercert.pem ~/.globus
Important: Be sure your certificate has a passphrase! To change or add a passphrase:
bash-3.00$ grid-change-pass-phrase
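After copying the files, it is worth confirming that the private key is both passphrase-protected and readable only by you, since a plain "cp" from removable media often leaves it group- or world-readable. The check below is an added example, not part of the original guide; the function names and the sample files are constructed for illustration, and it detects encryption from the PEM markers rather than by parsing the key.

```bash
#!/bin/bash
# check_globus_key [DIR]: audit the credential files kept in ~/.globus.
# Prints one finding per line and returns 0 only when nothing was found.
check_globus_key() {
    local dir="${1:-$HOME/.globus}" rc=0 f go_bits
    local key="$dir/userkey.pem" cert="$dir/usercert.pem"

    for f in "$key" "$cert"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"
            rc=1
        fi
    done
    [ -f "$key" ] || return "$rc"

    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld "$key" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "PERMISSIONS: $key is accessible to group/other; run: chmod 600 $key"
        rc=1
    fi

    # An encrypted PEM key carries one of these markers (traditional or PKCS#8).
    if ! grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "NO PASSPHRASE: $key is stored unencrypted; run: grid-change-pass-phrase"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: placeholder files, not real key material. The key is
# left unencrypted and world-readable so that both findings are reported.
make_sample_globus_dir() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-SAMPLE' \
        '-----END RSA PRIVATE KEY-----' > "$d/userkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-SAMPLE' \
        '-----END CERTIFICATE-----' > "$d/usercert.pem"
    chmod 644 "$d/userkey.pem" "$d/usercert.pem"
    echo "$d"
}

sample=$(make_sample_globus_dir)
check_globus_key "$sample" || echo "fix the findings above before running grid-proxy-init"
rm -rf "$sample"
```

Run with no argument, the function audits your own ~/.globus directory.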
It is now possible to use Single Sign-On (SSO) directly from your desktop/laptop. TeraGrid provides detailed instructions on Single Sign-On for Mac OSX, Linux, and Windows. You will need a user certificate. If you have an NCSA certificate (see above), your certificate will already be registered for you to log in via Single Sign-On.
Install Single Sign-On software: