Certificate Management Wizard (MyProxy Uploader) Tutorial
Configure Network Settings
Apply For/Manage Your Certificate Tab
- Enter a new Keystore password
- Getting a certificate:
- Install your certificate for Grid authentication
- Export your certificate and import it into your browser
(Setup is automatic, but you can customize each step if you need to)
- Setup 1: Your Currently Installed User Certificate and Key
- Setup 2: CA Setup
- Setup 3: Date
- Setup 4: MyProxy Servers
- Setup 5: Voms
Use Your Installed Certificate Tab
- Create a local proxy credential (for continuous authentication to the Grid for 'n' hours)
- Upload a proxy credential (so it can be retrieved by remote applications and when you are travelling)
- Create a VOMS credential (voms-proxy-init)
Configure Network Settings
If the tool reports that it cannot connect to the CA Server (shown as a red message at the base of the tool), you might need to configure CertWizard with your institution's Web Proxy and other connection details.
Note: not all institutions use a Web Proxy/Cache. If you aren't certain, you should check with your local networking team.
Specify Connection Details on Command Line
You can specify the connection details for the .zip download version of CertWizard: Download and unpack the zip file. Then specify your institution's Web Proxy host, port, username (if any) and password (if any) on the command line when running the tool:
$ java -Dhttp.proxyHost=proxyhost -Dhttp.proxyPort=proxyPortNumber -Dhttp.proxyUser=someUserName -Dhttp.proxyPassword=somePassword -jar Certwizard.jar
# e.g. For STFC Daresbury Laboratory's Web Proxy
$ java -Dhttp.proxyHost=wwwcache.dl.ac.uk -Dhttp.proxyPort=8080 -jar Certwizard.jar
Alternatively, specify the connection details for ALL your Java applications using the Java Control Panel (needed for the Java WebStart version of CertWizard). Again, make sure you use your own institution's Web Proxy, not the example one given below:
- Win: Start | Control Panel | Java (1.)
- Linux/Unix: type 'jcontrol &'
- MAC: 'Applications | Utilities | Java Preferences' or 'System Preferences | Other | Java'
Then, on the 'General' tab click the 'Network Settings' (2.) button where you can specify the Web proxy details (3.).
Still have network connection issues?
We have noticed that some anti-virus software does block CertWizard's access to the internet. Therefore, please check that your anti-virus software and local firewall settings permit CertWizard and Java to access the internet. If you are still having problems and you are using the Java WebStart version, try clearing your Java WebStart cache and re-running the application.
Apply For/Manage Your Certificate Tab
Your certificates and certificate requests are stored in a password protected Keystore file. You need to provide a password to secure the Keystore file.
- If you already have an existing eScience certificate you can import it from file rather than applying for a new certificate. This file is usually exported from your browser as a '.p12/.pfx' file. How to export your certificate from your browser.
You can apply for a UK eScience certificate in a few easy steps. First click the 'Apply' button then fill out the required information and click 'Apply' on the dialog box.
After your certificate request has been submitted, a confirmation dialog will be shown.
- Your new certificate request will now appear in the pull down list.
- Note that the Subject DN contains the string 'CSR' (i.e. Certificate Signing Request).
- At this point, you will need to go to your local RA operator and present photo ID (please remember your PIN number; you will need to confirm this with the RA operator).
- After you have been to your RA to confirm your identity, you will be sent an email confirmation. Press the 'Refresh' button and your certificate will be downloaded into the Certificate Wizard's Keystore file.
To use your certificate for Grid authentication (see 'Use Your Certificate' Tab), you must select a certificate and press the 'Install' button.
You can export your certificate as a standalone '.p12' file so that it can be imported into your browser (you may need to do this as some websites authenticate you using your certificate). Exporting your certificate is also recommended in order to make a backup (keep the exported file safe!). Exporting your certificate is easy; select your VALID certificate in the pull down and click 'Export'. Accept the defaults in the Export dialog box (export Private Key and Certificates and in PKCS #12 format), and follow the export wizard.
Setup is performed automatically (but you can return to each step to perform customisations).
Setup 1: Your Currently Installed User Certificate and Key
Step 1) of the setup tab shows your currently installed certificate and private key (which must be installed correctly as 'usercert.pem' and 'userkey.pem' files in your '$HOME/.globus' directory, also with correct permissions on *nix based systems).
- Note, you should install a certificate and private key using the 'Apply-For/Manage Your Certificate' tab: First either a) import an existing certificate OR b) apply for a certificate in the 'Apply-For/Manage Your Certificate' tab. Then install the certificate by clicking the 'Install' button (the install button in the 'Apply-For/Manage Your Certificate' tab). In doing so, you can perform subsequent certificate renewal and revocation requests at a later date.
- Note, you can also configure your currently installed certificate and key without using the 'Apply-For/Manage Your Certificate' tab. This can be done in step 1) of the setup tab shown above (but this does not import the certificate into the Keystore accessed in the 'Apply-For/Manage Your Certificate' tab). To do so, click the 'Browse' and then 'Install' button in Step 1) of the Settings tab (under the 'Install from .pfx/.p12 file' option), or browse for the usercert.pem and userkey.pem files directly under the 'Locate .pem files' option.
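The setup step above only says the installed files need "correct permissions" on *nix systems. The following is an added example, not part of CertWizard: a shell check that assumes the usual Globus convention (private key readable by its owner only, certificate and directory not writable by anyone else, key stored passphrase-encrypted). The function name and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example (not CertWizard code): audit a Globus-style credential
# directory. The expected modes are the common Globus convention (assumed).

# Print the nine rwx characters of a path, e.g. "rw-r--r--".
perm_bits() {
    ls -ldL "$1" | cut -c2-10
}

# check_globus_dir DIR: print one finding per line; return 0 only if clean.
check_globus_dir() {
    dir=$1; key=$dir/userkey.pem; cert=$dir/usercert.pem; rc=0
    for f in "$key" "$cert"; do
        [ -f "$f" ] || { echo "MISSING $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # Private key: group and others must have no access at all.
    case $(perm_bits "$key") in
        ???------) ;;
        *) echo "KEY_EXPOSED $key mode=$(perm_bits "$key")"; rc=1 ;;
    esac
    # The certificate is public, but nobody else may replace it.
    case $(perm_bits "$cert") in
        ????-??-?) ;;
        *) echo "CERT_WRITABLE $cert mode=$(perm_bits "$cert")"; rc=1 ;;
    esac
    # A directory writable by others lets them swap either file.
    case $(perm_bits "$dir") in
        ????-??-?) ;;
        *) echo "DIR_WRITABLE $dir mode=$(perm_bits "$dir")"; rc=1 ;;
    esac
    # Heuristic: encrypted PEM keys carry the word ENCRYPTED in their header.
    grep -q 'ENCRYPTED' "$key" || { echo "KEY_UNENCRYPTED $key"; rc=1; }
    return "$rc"
}

# Run against a directory given on the command line, e.g. "$HOME/.globus".
if [ $# -gt 0 ]; then
    check_globus_dir "$1"
fi
```

A KEY_EXPOSED finding is typically cleared with `chmod 400` on userkey.pem; the other findings are cleared by removing group/other write access.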
Click "Next>"; you should not need to change anything here. "CA" means "Certificate Authority". If you have a UK eScience certificate, you can click "Next>" as the 3 CA certificates in the right hand "Provided CA Certificates" panel are sufficient and are already installed by the Certificate Wizard.
You can pass an existing CA trust root certificate directory to the CertWiz using the -DX509_CERT_DIR command line variable as shown below (this is only available when using CertWiz on the command line, and is not available via the WebStart version). When doing this, CertWiz will NOT deploy the provided UK CA trust root certs into that directory (although you can do this manually by selecting the certificates on the right and clicking the 'Add Provided' button).
java -DX509_CERT_DIR=/etc/grid/mycerts -jar Certwizard.jar
Click "Next>", unless the tool shows an error greater than 10 secs. We strongly recommend that you configure your PC using an NTP or remote service. Time accuracy is important in Grids.
Click "Next>", you should not need to change anything here. Note that the default is the new NGS myproxy server at myproxy.ngs.ac.uk, not the historical server at myproxy.grid-support.ac.uk.
Click "Next>", you should not need to change anything here, unless you want to use the myproxy uploader with a VO ("Virtual Organisation") other than NGS. On this tab, you can create new Vomses files and edit vomses files through an embedded text editor. The tool will list files and directories that are direct children of the selected Vomses directory.
A local proxy credential will provide you with continuous authentication to the Grid for a user-specified amount of time. Other desktop applications such as the GSI-SSHTerm Application will use this proxy credential. This is the only page you normally use, and the next time you use the tool it will open here!
Click 'Local Credentials' Tab then click 'Create', enter the password you used on page 1 and click 'Create'.
Click 'MyProxy' Tab.
Click "Upload". Click OK to confirm the local proxy to upload is correct (including VOMS attributes if required).
Enter any username you like, e.g. 'ngs0901' or 'janedoe', and any password you like for the MyProxy passphrase. You will use this username and passphrase to log in to the NGS portal or with gsi-sshterm. You can change it each time you log in.
Click 'OK' and you should see the proxy being uploaded to the myproxy server.
- Click the 'X' button to close the upload tool or "Send to Tray" to keep it running but send it to your Windows tray.
To use this uploaded proxy on the NGS portal, for example, use the MyProxy server drop-down on the authentication page and select 'myproxy.ngs.ac.uk', then enter the username and passphrase you invented (from "Do Actions" above) as the MyProxy username and password. Click login and you should be in! (You should see a "You have grid credentials loaded" message in green.)
When you log out, you can log back in within the 12 hr (default) lifetime of the proxy using the same username/passphrase. If it has expired, you have to upload a new proxy, but now you only have to do the 'Create' and 'Upload' steps from the 'Do Actions' MyProxy Tab above, not the full wizard. So just a couple of mouse clicks!
The Wizard provides a graphical interface to perform 'voms-proxy-init' (no separate voms-proxy-init installation is required).
Select your member VOs
You can select/change the directory which contains your vomses files (as below). The left panel lists all the VOs listed in the vomses files. You select your member VOs by clicking on the VO names. VOs are then added to the right panel. When you have selected your member VOs, use the 'voms-proxy-init' button to create a VO-enabled proxy credential. The wizard will request VO attributes from the associated Voms servers for your proxy credential.
Save selected VOs into a Voms profile file
You can quickly save your VO selections in a Voms profile file (properties file). In doing this, you can quickly re-create a new Voms credential without having to repeatedly re-select each of your member VOs. After selecting the member VOs in the right panel, select a Voms profile file (we recommend that you accept the suggested defaults) and save the VO profile by clicking ‘Save –voms Options’. You will be prompted for a name to save this profile under.
You can easily modify the Voms profile by selecting the Voms profile file, and selecting ‘Edit’ as highlighted below.
This will load the file for editing with the embedded notepad editor.