Setting up a VOMS Client
A description of how to set up and use VOMS proxies
Registering with VOMS
In order to make a VOMS proxy, one must be registered in the GPN VOMS. The URL for the VOMS is http://t2.unl.edu:8443/voms/gpn. If you previously loaded your certificate correctly, you will see a message at the bottom of the page along the lines of:
You are logged in as "/DC=net/DC=greatplains/OU=People/CN=Brian Bockelman"
certified by "/DC=edu/DC=unl/OU=Certificate Authorities/CN=UNL Certificate Authority 1".
If you are logged in as "null", then you did not successfully import your certificate into the browser.
In the VOMS webpage, click on "New user registration", and fill out the form. Hit submit, and check your email - there should be a confirmation email sent to the address you provided. Once you have confirmed your email address, an administrator will approve your registration into our VOMS if appropriate. The VOMS automatically contacts the administrator, so no further action is needed until you get your success email message.
Loading the Certificate
Get a shell account on your GPN machine. Once logged in to , create the directory which will hold your certificate. It must be called .globus:
mkdir ~/.globus
cd ~/.globus
Now, open a new text file called "usercert.pem" with your favorite editor. From your copy of the certificate on the local machine, copy all the text between and including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". Save this file.
Then, create a new text file called "userkey.pem". From your copy of the certificate text, copy all text between and including "-----BEGIN ENCRYPTED PRIVATE KEY-----" and "-----END ENCRYPTED PRIVATE KEY-----".
We now need to change the permissions on these two files in order for Globus to be able to use them. The private key is readable and writable only by its owner; the certificate may be world-readable:
chmod 600 ~/.globus/userkey.pem
chmod 644 ~/.globus/usercert.pem
Finally, we must use grid-proxy-init to create the proxy certificate from our certificate and key:
grid-proxy-init
Here is the expected output:
[osg-test2] /home/brian > grid-proxy-init
Your identity: /DC=org/DC=doegrids/OU=People/CN=Brian Bockelman 504307
Enter GRID pass phrase for this identity:
Creating proxy .............................. Done
Your proxy is valid until: Fri Mar 10 09:46:17 2006
The pass phrase that the program asks you for is the private passphrase you created along with the certificate. If you used the UNL certificate authority, it had to be at least 8 characters long. If the last line says that the proxy is valid, then your authentication has been set up correctly.
The default proxy lifetime is 12 hours, after which the proxy expires. To increase the lifetime, use the -c option. For example, to create an 80 hour proxy, use:
grid-proxy-init -c 80
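When grid-proxy-init cannot use the credential, the usual causes are a file pasted without its PEM markers or the wrong permissions from the chmod step. The following check of the ~/.globus layout described above is an added example, not part of Globus or the original page; the function names check_globus_dir and file_mode are hypothetical.

```shell
#!/bin/sh
# Added example: check a ~/.globus directory before running grid-proxy-init.
# check_globus_dir and file_mode are hypothetical helper names.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report every problem found; return 0 only if the directory is usable.
check_globus_dir() {
    dir=$1
    rc=0
    cert="$dir/usercert.pem"
    key="$dir/userkey.pem"

    for f in "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # The certificate file must hold the complete PEM block, markers included.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" &&
        grep -q -e '-----END CERTIFICATE-----' "$cert" ||
        { echo "usercert.pem: incomplete certificate block"; rc=1; }

    # The key must still be passphrase-protected, as in the steps above.
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key" &&
        grep -q -e '-----END ENCRYPTED PRIVATE KEY-----' "$key" ||
        { echo "userkey.pem: no encrypted private key block"; rc=1; }

    # Permissions from the chmod step: key 600, certificate 644.
    [ "$(file_mode "$key")" = 600 ] ||
        { echo "userkey.pem: mode $(file_mode "$key"), expected 600"; rc=1; }
    [ "$(file_mode "$cert")" = 644 ] ||
        { echo "usercert.pem: mode $(file_mode "$cert"), expected 644"; rc=1; }

    return "$rc"
}

# When run as a script with a directory argument, check that directory.
if [ "$#" -gt 0 ]; then check_globus_dir "$1"; fi
```

Run it as a script with ~/.globus as the argument, or source it and call check_globus_dir "$HOME/.globus"; a non-zero exit status means at least one problem was printed.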
Using a VOMS Proxy
If you have the program "voms-proxy-init" installed, use this command to create a new VOMS proxy:
voms-proxy-init --voms gpn:/gpn
If you do not have the GPN VO already installed, create the file /opt/glite/etc/vomses, and place the following line in it:
"gpn" "t2.unl.edu" "15002" "/DC=org/DC=doegrids/OU=Services/CN=voms/t2.unl.edu" "gpn"
The command voms-proxy-init has a superset of the functionality of grid-proxy-init. If you do not have this command installed, issue the following pacman directive in $VDT_LOCATION:
pacman -get http://vdt.cs.wisc.edu/vdt_1310_cache/:VOMS-Client
Older versions of pacman have been known to corrupt the installation directory when some commands are run. Back up your install directory prior to using it!
In any case, "grid-proxy-init" will still work. Once you have successfully created your proxy with either command, you ought to be able to authenticate against gpn-husker.unl.edu with the command:
globusrun -a -r gpn-husker.unl.edu
If this does not work, you may have to wait a bit before the authentication system pulls new data from the VOMS server. In the future, we will have separate groups and roles to distinguish people (Faculty, Students, Administrators, etc.); this will require people to use a VOMS proxy instead of a normal grid proxy.