Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.


1 Trusted Organizations
In the grid world one single CA usually covers a predefined geographic region or administrative domain:
– Organization
– Country
– A set of countries
A common trust domain for grid computing has been created to join the several existing certification authorities into a single authentication domain, thus enabling sharing of grid resources worldwide.
– The International Grid Trust Federation (IGTF) has been created to coordinate and manage this trust domain.
– IGTF is divided into three Policy Management Authorities (PMAs) covering the Asia Pacific, Europe and the Americas.

2 CA and RA
– A network of RAs is created to perform the identification of subjects
– RAs exist at the level of organizations or departments
– RAs are created on users' request; their existence is user driven

3 Obtaining a digital certificate

4 Request of an INFN certificate
Before requesting a personal certificate, the user must be authenticated by a Registration Authority. In detail:
– The user goes physically to the RA, which verifies his identity (https://security.fi.infn.it/CA/RA/ shows all the INFN RAs)
– The RA opens the URL https://security.fi.infn.it/cgi-bin/RAvfy.pl and fills it in with the user's data: name, surname, e-mail; finally, a random number is generated and communicated to the user.

5 Request of an INFN certificate
– If needed, the user downloads the INFN CA public cert with his browser

6 Request of an INFN certificate
– Within 48 hours from the communication of the code by the RA, the user submits the certificate request using the same values used before by the RA: https://security.fi.infn.it/CA/mgt/restricted/ucert.php
– If everything is ok, within 48 working hours the user will receive instructions on how to download his/her personal certificate; he/she must use the same browser used for the request

7 Issuing a grid user certificate
– User generates public/private key pair in browser (user certificates)
– Private key encrypted on local disk: passphrase
– User sends public key (request) to CA
– CA signature links identity and public key in certificate
– CA informs user
– User shows RA proof of identity
– Instructions, tutorials (should be) on CA homepages: http://security.fi.infn.it/CA/
[Diagram labels: Cert Request, Public Key, State of Illinois ID, Cert, Certification Authority, CA root certificate, RA, registration code, Download link]

8 Certificate Management
Most other CAs:
– You already receive a PKCS12 certificate (you can import it directly into the web browser)
– For future use, you will need to copy it as usercred.p12 into the directory ~/.globus on your UI
– Permissions: chmod 400 usercred.p12
– The GRID passphrase is the certificate passphrase set when the certificate was exported from the browser

9 INFN certificate renewal
When a certificate is close to expiration, the CA sends a reminder email 20, 10 and 5 days before.
Simply click on the web URL shown in this mail to renew your personal certificate.
To check the lifetime of your personal certificate:
– grid-cert-info -enddate
– Credentials are in pkcs12 format, OpenSSL will prompt for p12 password
– Enter Import Password:
– Feb 20 14:00:46 2014 GMT
Or simply consult your CA web site
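As an added example (not part of the original slides), the Python sketch below checks the two things slides 8 and 9 ask the user to look after: that the credential file is locked down as `chmod 400` prescribes, and how the end date printed by `grid-cert-info -enddate` sits relative to the 20/10/5-day reminder schedule. The function names are hypothetical, and the end date is assumed to have the format shown on the slide.

```python
import os
import stat
from datetime import datetime, timezone

# Reminder schedule from the slide: mails 20, 10 and 5 days before expiry.
REMINDER_DAYS = (20, 10, 5)


def parse_enddate(text):
    """Parse an end date such as 'Feb 20 14:00:46 2014 GMT' into UTC."""
    # Tolerate the 'notAfter=' prefix that `openssl x509 -enddate` prints.
    value = text.strip().split("=", 1)[-1].strip()
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def renewal_status(enddate_text, now):
    """Return (whole days left, status) for the given end date."""
    days_left = (parse_enddate(enddate_text) - now).days
    if days_left < 0:
        return days_left, "expired"
    # Smallest reminder window the certificate has already entered.
    entered = [d for d in REMINDER_DAYS if days_left <= d]
    if entered:
        return days_left, f"renew: inside {min(entered)}-day window"
    return days_left, "ok"


def credential_problems(path):
    """List deviations from the slide's `chmod 400 usercred.p12` setup."""
    info = os.stat(path)
    mode = stat.S_IMODE(info.st_mode)
    problems = []
    if mode & 0o077:
        problems.append(f"mode {mode:03o} grants access to group or others")
    if mode & 0o300:
        problems.append(f"mode {mode:03o} is wider than read-only for the owner")
    if info.st_uid != os.getuid():
        problems.append("file is not owned by the current user")
    return problems


if __name__ == "__main__":
    p12 = os.path.expanduser("~/.globus/usercred.p12")  # path from the slide
    if os.path.exists(p12):
        print(credential_problems(p12) or "permissions match chmod 400")
    # Constructed sample: the slide's end date against an assumed "today".
    today = datetime(2014, 2, 12, tzinfo=timezone.utc)
    print(renewal_status("Feb 20 14:00:46 2014 GMT", today))
```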

10 UI access (via ssh)
ssh username@ui2.grid.unipg.it
Username = first letter of first name + surname
– E.g.: Emidio Giorgio => egiorgio
Password = ??

