OSG CMS Certificate Setup

Written by Terrence Martin

Instructions for registering your OSG certificate for CMS and getting set up to submit your first jobs.

If you are not a CMS user and are instead a local UCSD user, please follow these instructions. Differences between CMS VOMS and UCSD Grid registration are noted.

Step 1-a: DOE Grid Certificate Application and Renewal

Note: You must use the same web browser for this whole step. We recommend you use a recent version of Firefox.

Go to the web site https://pki1.doegrids.org/ and select New User.

Fill in your own information for the subscriber's identity and contact information.

In the affiliation drop down select OSG, and in the second drop down "VO Name for OSG(Virtual Organization Name)" select CMS.

For sponsor information put the following:

Terrence Martin
tmartin@physics.ucsd.edu

Leave additional comments and passwords blank.

Select 2048 key length and hit submit.

Write down the number you receive in response.

After a couple of days you may be contacted by phone or in person to verify your identity. Once your identity is verified you will receive an email in a day or so telling you that you can download your signed certificate. Follow that email's instructions. Once completed you should have your DOE certificate for the OSG in your browser. This certificate can then be exported to other browsers and to a file suitable for use in submitting Grid jobs.

Step 1-b: CERN Certificate



Step 2: Registering your certificate with the CMS VOMS Server

NOTE: Step 2 is only for users that are registering with CMS VOMS. If you are a local UCSD user then skip to step 3.

NOTE: Registration has changed. Please visit http://cms.cern.ch/iCMS/jsp/secr/reg/reg.jsp for an online form.

Step 3: Exporting your certificate

1. If you are using Mozilla or Firefox, go under your preferences and find your manage certificates button. It is often under advanced or security settings.
2. Click manage certificates and enter your certificate manager password if prompted.
3. Click on the "Your Certificates" tab or equivalent.
4. Select all of your certificates (if you have more than one) and click backup.
5. You will be prompted for a file name, name the file DOEGrid.p12.
6. When you are prompted for a password enter one. This will be the encryption password for the key you are exporting. Do not forget it.
7. Transfer the file to your submission host (e.g. uaf-3.t2.ucsd.edu) with scp.

Step 4: Converting a p12 file to a voms-proxy cert file

NOTE: If you are a local UCSD grid user and not part of CMS you need to use grid-proxy-init rather than voms-proxy-init.

Note: These steps are performed on the host you copied your cert to. This is generally the OSG submission host you will be using for job submission to the OSG. At UCSD this would be a system like uaf-1.t2.ucsd.edu.

  1. cd into the directory you exported your cert into in step 3
  2. Run:

#~ openssl pkcs12 -nocerts -in DOEGrid.p12 -out userkey.pem

  3. Enter your password when prompted
  4. Run:

#~ openssl pkcs12 -clcerts -nokeys -in DOEGrid.p12 -out usercert.pem

  5. Enter your password when prompted
  6. Copy usercert.pem and userkey.pem onto your submit node (e.g. uaf-1.t2.ucsd.edu) into "~/.globus". If this directory does not exist you will have to create it with the following commands.

mkdir ~/.globus
chmod 700 ~/.globus

  7. Set permissions on the files in the ~/.globus directory to be restricted only to your user.

chmod 600 ~/.globus/*

  8. Source your local VDT setup.sh (source /data/vdt/setup.sh on uaf-1.t2.ucsd.edu)
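
A check for the result of Step 4, as an added example that is not part of the original instructions: it confirms that the credential directory is mode 700, that usercert.pem and userkey.pem are present, and that no file in the directory is accessible to group or others. The function names mode_of and check_globus_dir are made up for this example.

```shell
#!/bin/sh
# Added example: audit the directory that Step 4 populates.
# Usage (after pasting or sourcing): check_globus_dir "$HOME/.globus"

# mode_of PATH: print the 10-character type+permission string from ls,
# e.g. "drwx------" or "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_globus_dir DIR: print one line per problem found.
# Returns 0 when the directory matches the chmod 700 / chmod 600 steps, 1 otherwise.
check_globus_dir() {
    dir=$1
    problems=0

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi

    # The directory itself must be rwx for the owner only (chmod 700).
    case $(mode_of "$dir") in
        drwx------) ;;
        *) echo "$dir should be mode 700, found $(mode_of "$dir")"; problems=1 ;;
    esac

    # Both PEM files produced by the openssl pkcs12 commands must be present.
    for name in userkey.pem usercert.pem; do
        [ -f "$dir/$name" ] || { echo "missing file: $dir/$name"; problems=1; }
    done

    # Every regular file must have empty group/other bits (chmod 600).
    # Characters 5-10 of the ls mode string are the group and other permissions.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(mode_of "$f" | cut -c5-10)" != "------" ]; then
            echo "$f is accessible to group or others: $(mode_of "$f")"
            problems=1
        fi
    done

    return $problems
}
```
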

Step 5: Getting your voms or grid proxy

VOMS Proxy

First source the OSG install setup.

e.g. source /data/vdt/setup.sh on uaf-1.t2.ucsd.edu

For a voms proxy run voms-proxy-init:

voms-proxy-init --voms cms:/cms/uscms/Role=cmsuser

/cms/uscms/Role= should be set to whatever role you want to use. If you are not sure and are part of the USCMS project use cmsuser.

GRID Proxy

If you are not in the CMS HR database and are running just as a local UCSD user run


Optional: Creating a longer lived voms proxy

To create a proxy that lives longer than the default 12 hours, just add an extra option when you get your proxy:

voms-proxy-init -valid 120:00 --voms cms:/cms/uscms/Role=cmsuser

h = hours

m = minutes

For more voms-proxy-init options run voms-proxy-init -help or voms-proxy-init -usage

Optional: Destroying your proxy

It is sometimes necessary to remove your proxy. The best approach is to use voms-proxy-destroy or grid-proxy-destroy as appropriate. Running one of these commands removes the proxy from the submit host so you can create another.

-- Main.TerrenceMartin 8/24/2017

Topic revision: r3 - 2017/08/24 - 19:58:39 - TerrenceMartin