RA - HPCL (Laboratory for Internet Computing - Registration Authority) C=CY, O=CYGRID, O=HPCL, CN=*

Users' Certificates

Private key generation

Generate your private key file using the following openssl command on any Linux box:

  • openssl genrsa -des3 -out <username>.key 1024

Make sure the password protecting the private key has at least 8 characters and includes at least one character from EACH of the following four character classes:

{a-z}
{A-Z}
{0-9}
{!, @, #, $, %, ^, &, *}

Strictly speaking, this is not necessary, but it's for your own protection, since misuse of grid resources with your credentials could result in losing future access. Keep the key file safe, preferably offline, and make several backups.

Certification Request generation

After generating the private key, you are ready to create a certification request file, which the CyGrid Certification Authority needs in order to issue your credentials for Grid access.

  • As a first step, download the file ra-hpcl.cnf (right-click on the link and choose 'save as') and place it into the same directory as your private key file.
  • In the directory where you saved the configuration file, run the following command:
  • openssl req -new -key <username>.key -out <username>.csr -config ra-hpcl.cnf

Registration

The next step is to bring the certification request file on a floppy, CD-ROM or USB stick, together with the completed application form, your Cypriot ID card (or passport if you are a non-Cypriot civilian), and a photocopy of your ID card, to HPCL (University Campus, building 8EE-01, office 217), in order to initiate the registration process.

Checklist for registration:

  • The completed and signed application form
  • Certification request file (on floppy/CD-ROM/USB stick)
  • Your Cypriot identification card (or passport)
  • Photocopy of your ID card (or passport)
  • 2 passport-type photos (optional)

Machines' Certificates

Private key generation

Generate your private key file using the following openssl command on any Linux box:

  • openssl genrsa -out <hostName>.key 1024

Replace hostName with the name of the machine, e.g. se101.
Note that you will not be prompted for a password.

Certification Request generation

First you need to download the RA configuration file host.cnf (save as...) and place it in the directory where you have stored the host private key.

Then you can generate your certification request file using the following command:

  • openssl req -new -key <hostName>.key -out <hostName>.csr -config host.cnf

Make sure you are in the directory that contains the host private key and configuration file.
Replace hostName with the name of the machine, e.g. se101.

Electronic exchange:

For site administrators who are known to the CyGridCA, the following method of submitting the request and obtaining the signed host certificate will speed up the process. (Known administrators are those who have already obtained a personal certificate signed by CyGridCA.)

  • Attach the certification request to an e-mail message
  • Sign the e-mail message using your personal certificate (p12 format)
  • Send the signed e-mail to cygrid-ca AT cs.ucy.ac.cy, with a carbon copy to the CyGridCA manager (grid AT cs.ucy.ac.cy)

The RA manager will validate the electronic signature (by checking the certificate's fingerprint against the known one) and, if everything is correct, the request will be forwarded to the CyGridCA (again signed with the RA manager's personal certificate). When the certificate is created, it will be sent back to the RA, and the RA will forward it to the requesting party.

Once the certificate is received through e-mail, the site administrator is responsible for checking the message signature (by comparing the fingerprint of the signature against the known one for this registration authority). If everything is correct, please proceed to the next step, otherwise please notify the registration authority by phone (see the contact details).

Setting up the host:

  • Place the certificate file you received from your RA on the corresponding machine:
    • Directory: /etc/grid-security/
    • Change filename to hostcert.pem
    • Change access mode to 444
  • Place the private key file you created on the same machine:
    • Directory: /etc/grid-security/
    • Change filename to hostkey.pem
    • Change access mode to 400
  • Download the CA certificate file: afe55e66.0 and validate the fingerprint.
  • Copy the CA certificate (without changing the name) to the following directory:
    • /etc/grid-security/certificates/
  • Change access mode to 644 and set root as owner of the file:
    • chmod 644 afe55e66.0
    • chown root afe55e66.0
  • Check the CA signing policy:
    • File /etc/grid-security/certificates/afe55e66.signing_policy
    • Make sure the following lines are present:
      access_id_CA x509 '/C=CY/O=CyGrid/O=HPCL/CN=CyGridCA'
      pos_rights globus CA:sign
      cond_subjects globus '"/C=CY/O=CyGrid/*"'
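
A quick way to re-check the finished host setup, as an added example (not part of the RA's instructions or tooling): the shell function below verifies the file modes, the CA file owner and the three signing-policy lines listed above. The function name and its two optional arguments are assumptions of this example, and the access_id_CA line is expected with both of its single quotes.

```shell
# Added example, not the RA's own tooling. Requires GNU or busybox stat.
# audit_grid_security [DIR] [CA_OWNER]
#   DIR      defaults to /etc/grid-security
#   CA_OWNER defaults to root; the parameter is an assumption of this
#            example so the audit can be tried on a scratch copy
# Prints one line per check and returns the number of failed checks.
audit_grid_security() {
    dir=${1:-/etc/grid-security}
    ca_owner=${2:-root}
    ca="$dir/certificates/afe55e66.0"
    policy="$dir/certificates/afe55e66.signing_policy"
    fails=0

    # check_mode FILE OCTAL_MODE: file must exist with exactly this mode
    check_mode() {
        if [ ! -f "$1" ]; then
            echo "FAIL missing $1"; fails=$((fails + 1)); return 0
        fi
        mode=$(stat -c '%a' "$1")
        if [ "$mode" = "$2" ]; then
            echo "ok   $1 mode $mode"
        else
            echo "FAIL $1 mode $mode, expected $2"; fails=$((fails + 1))
        fi
    }
    check_mode "$dir/hostcert.pem" 444
    check_mode "$dir/hostkey.pem" 400   # readable by its owner only
    check_mode "$ca" 644

    if [ -f "$ca" ] && [ "$(stat -c '%U' "$ca")" != "$ca_owner" ]; then
        echo "FAIL $ca not owned by $ca_owner"; fails=$((fails + 1))
    fi

    # Every policy line must appear verbatim (surrounding blanks ignored).
    while IFS= read -r want; do
        if [ -f "$policy" ] &&
           sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$policy" | grep -qxF -- "$want"
        then
            echo "ok   policy: $want"
        else
            echo "FAIL policy line missing: $want"; fails=$((fails + 1))
        fi
    done <<'EOF'
access_id_CA x509 '/C=CY/O=CyGrid/O=HPCL/CN=CyGridCA'
pos_rights globus CA:sign
cond_subjects globus '"/C=CY/O=CyGrid/*"'
EOF
    return "$fails"
}
```

Run `audit_grid_security` as root with no arguments on the configured host; a non-zero exit status is the number of checks that failed.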