In this section are summarized the relevant points of certification. Most items are unchanged with respect to EDG1, the new points are:
Users must have a valid certificate to access the grid. Certificates are issued by recognised authorities designed by Institutes accessing the grid, therefore each user must check the local certification procedure at the belonging organization. Certification guide lines are explained in  and .
When you have obtained a certificate, you must register with either EDG or LCG or both to be recognised as a grid user. For LCG HOWTO documentation check  and .
To be able to submit jobs in a grid environment, you must have an account
on a EDG2 or LCG-1 User Interface (UI) node. Once you have the account,
copy your certificate files usercert.pem and userkey.pem
with the correct permissions in the
Before starting grid usage, check that your certificate is correct and valid with the commands:
$ grid-cert-info display certificate information
$ openssl verify -CApath \
~/.globus/usercert.pem check certificate validity
Once the above steps are completed, you must authenticate yourself using
proxy commands. EDG1 commands are still valid:
$ grid-proxy-init create a proxy certificate
$ grid-proxy-info print proxy certificate status
$ grid-Proxy-destroy destroy a proxy certificate before
The default certificate lifetime is 12 hours or the time you specify in the command:
$ grid-proxy-init -valid 5:00 set proxy for 5 hours
A job runs as long as a proxy exists. If the job is still running when the proxy expires, the job aborts. Thus for long jobs the submitter should set a very long duration time. As long lifetimes create security risks, the usage of a server is available and recommended. In this case the user stores the proxy certificate on a proxy repository server. The middleware then renews the user certificate before the job proxy expires and until the job ends. Renewal is triggered at 3/4 of the actual proxy lifetime. Renewal process depends on the value of GRIDMANAGER_MINIMUM_PROXY_TIME.
There are cases in which proxy may not be able to renew:
The advanced proxy management offered by EDG2 and LCG-1 through the
renewal feature is available via the myproxy command suite. The
user must know the host name of a MyProxy server.
The commands are:
$ myroxy-init -help print help
$ myproxy-init -s proxy_server -d -n create proxy
$ myproxy-info -s proxy_server -d -n print proxy
$ myproxy-destroy -s proxy_server -d -n destroy proxy
The proxy server node is site and VO dependent and is usually defined in the UI
configuration file stored at
Check the defined value with
grep as shown in the example that queries two
different sites for the same VO:
$ hostname adc0014 $ grep -i myproxy /opt/edg/etc/alice/edg_wl_ui.conf ## MyProxyServer is optional. Uncomment and fill correctly for ## MYPROXY_SERVER environment variable MyProxyServer = "adc0024.cern.ch" $ hostname boalice9.bo.infn.it $ grep -i myproxy /opt/edg/etc/alice/edg_wl_ui.conf ## MyProxyServer is optional. Uncomment and fill correctly for ## MYPROXY_SERVER environment variable MyProxyServer = "testbed013.cnaf.infn.it"The server name is a user customizable variable supplied to commands like
--config-vooption, or defined using attributes in job submission files.