Next: Job Submission Up: Grid Experience using EDG2 Previous: Changes and New Features   Contents

Certificates, Accounts, Proxy and Renewal

This section summarizes the relevant points of certification. Most items are unchanged with respect to EDG1; the new points are:

Users must have a valid certificate to access the grid. Certificates are issued by recognised authorities designated by the institutes accessing the grid, so each user must check the local certification procedure at their home organization. Certification guidelines are explained in [1] and [2].

When you have obtained a certificate, you must register with either EDG or LCG or both to be recognised as a grid user. For LCG HOWTO documentation check [3] and [4].

To be able to submit jobs in a grid environment, you must have an account on an EDG2 or LCG-1 User Interface (UI) node. Once you have the account, copy your certificate files usercert.pem and userkey.pem, with the correct permissions, into the ~/.globus directory.


Before starting grid usage, check that your certificate is correct and valid with the commands:

$ grid-cert-info                          # display certificate information
$ openssl verify -CApath \
    /etc/grid-security/certificates \
    ~/.globus/usercert.pem                # check certificate validity

Once the above steps are completed, you must authenticate yourself using proxy commands. EDG1 commands are still valid:

$ grid-proxy-init                         # create a proxy certificate
$ grid-proxy-info                         # print proxy certificate status
$ grid-proxy-destroy                      # destroy a proxy certificate before expiration

The default proxy certificate lifetime is 12 hours, or the time you specify in the command:

$ grid-proxy-init -valid 5:00             # set proxy for 5 hours

A job runs as long as a proxy exists. If the job is still running when the proxy expires, the job aborts. Thus, for long jobs, the submitter should set a very long lifetime. Because long lifetimes create security risks, a proxy server is available and its use is recommended. In this case the user stores the proxy certificate on a proxy repository server. The middleware then renews the user certificate before the job proxy expires, and keeps doing so until the job ends. Renewal is triggered at 3/4 of the actual proxy lifetime. The renewal process depends on the value of GRIDMANAGER_MINIMUM_PROXY_TIME.

There are cases in which the proxy may not be able to renew:

The advanced proxy management offered by EDG2 and LCG-1 through the renewal feature is available via the myproxy command suite. The user must know the host name of a MyProxy server.
The commands are:

$ myproxy-init -help                      # print help
$ myproxy-init -s proxy_server -d -n      # create proxy
$ myproxy-info -s proxy_server -d -n      # print proxy status
$ myproxy-destroy -s proxy_server -d -n   # destroy proxy

The proxy server node is site- and VO-dependent and is usually defined in the UI configuration file stored at $EDG_WL_LOCATION/etc/VO/edg_wl_ui.conf. Check the defined value with grep, as shown in this example, which queries two different sites for the same VO:

$ hostname
adc0014
$ grep -i myproxy /opt/edg/etc/alice/edg_wl_ui.conf
## MyProxyServer is optional. Uncomment and fill correctly for
## MYPROXY_SERVER environment variable
MyProxyServer = "adc0024.cern.ch"
$ hostname
boalice9.bo.infn.it
$ grep -i myproxy /opt/edg/etc/alice/edg_wl_ui.conf
## MyProxyServer is optional. Uncomment and fill correctly for
## MYPROXY_SERVER environment variable
MyProxyServer = "testbed013.cnaf.infn.it"

The server name is a user-customizable variable supplied to commands like edg-job-submit through the --config-vo option, or defined using attributes in job submission files.
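
The two checks this section relies on, key-file permissions in ~/.globus and the active MyProxyServer value in the UI configuration file, as an added shell example that is not part of the original guide. It assumes the usual Globus convention that userkey.pem is accessible by its owner only; the function names and the host myproxy.example.org are made up for illustration.

```shell
#!/bin/sh
# Pre-flight checks before grid-proxy-init / myproxy-init (added example).
# Assumption: the usual Globus convention that userkey.pem is accessible by
# its owner only (e.g. mode 400), while usercert.pem may be world-readable
# but must not be writable by group or others.

# Print the 9-character permission string of a file, e.g. rw-r--r--.
perm_bits() { ls -ld "$1" | cut -c2-10; }

# check_globus_dir DIR: return 0 if both files exist with safe permissions,
# otherwise report each problem on stderr and return 1.
check_globus_dir() {
    dir=$1; rc=0
    for f in usercert.pem userkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    case $(perm_bits "$dir/userkey.pem") in      # group/other: no access
        ???------) ;;
        *) echo "userkey.pem is accessible by group or others" >&2; rc=1 ;;
    esac
    case $(perm_bits "$dir/usercert.pem") in     # group/other: no write
        ????-??-?) ;;
        *) echo "usercert.pem is writable by group or others" >&2; rc=1 ;;
    esac
    return "$rc"
}

# myproxy_server FILE: print the active MyProxyServer value of a UI config
# file, skipping commented-out lines; return 1 if none is set.
myproxy_server() {
    val=$(sed -n 's/^[[:space:]]*MyProxyServer[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Demo on constructed sample data (empty placeholder files, not credentials).
demo=$(mktemp -d)
printf '## MyProxyServer is optional.\nMyProxyServer = "myproxy.example.org"\n' > "$demo/edg_wl_ui.conf"
: > "$demo/usercert.pem"; : > "$demo/userkey.pem"
chmod 644 "$demo/usercert.pem" "$demo/userkey.pem"    # key deliberately too open
check_globus_dir "$demo" || echo "rejected: tighten the key with chmod 400"
chmod 400 "$demo/userkey.pem"
check_globus_dir "$demo" && echo "ok, MyProxy server: $(myproxy_server "$demo/edg_wl_ui.conf")"
rm -rf "$demo"
```

Unlike the grep -i shown above, myproxy_server returns only the uncommented setting, so a script can pass the result straight to the -s option of the myproxy commands.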


luvisetto 2003-12-17