GridShib-CA with TeraGrid

What Is This?

These instructions show how you can use GridShib-CA to get a short-lived credential to log in to various TeraGrid systems using GSI-SSHTerm. Currently, only "tg-login3.ncsa.teragrid.org" is supported.

How To

  1. Go to the main TeraGrid GridShib-CA page. You should see the following.
    Image:Gridshib01.gif
  2. In the middle of that page you will see a "Prerequisites" section. Make sure your client machine is configured properly. Basically, you need Java Web Start or Java 1.4.2 or higher installed.
  3. Once you have verified the prerequisites, go back to the main TeraGrid GridShib-CA page. Towards the bottom of that page you will see several "Login" buttons as shown below.
    Image:Gridshib02.gif

    These are the currently configured methods of using GridShib-CA with a TeraGrid system. For the purpose of these instructions, we will click on the Login via University of Illinois Urbana-Champaign button.

  4. (Note: The following screen shots are for the UIUC login service. Other institutions/organizations will be presented with different login screens which provide similar functionality.) Once on the UIUC BlueStem page, enter your username and password as you usually do. Upon successful authentication, you will be given a link to return to the shibboleth page. Note that similar authentication mechanisms are in place for organizations other than UIUC.
    Image:Bluestem01.gif
    Image:Bluestem02.gif
    Image:Bluestem03.gif
  5. After clicking "Return" and going back to the GridShib-CA page, you will see your GridShib-CA X.509 identity (DN). It should look something like the following.
    Image:Bluestem04.gif

    Your GridShib DN (distinguished name) is the long X.509 identity string, in this case "/DC=edu/DC=uiuc/DC=ncsa/DC=gridshib-ca/O=Shibboleth User/OU=urn:mace:inqueue:uiuc.edu/CN=mark68@uiuc.edu". You will need to copy/paste your DN string in the following steps.

  6. As a one-time registration step, you need to log in to "tg-login3.ncsa.teragrid.org" via some other means (e.g. by using GSI-SSHTerm with a MyProxy credential or TeraGrid username/password). Once on tg-login3, run the following command:
         gx-request -add -dn "YOUR GRIDSHIB DN"

    where "YOUR GRIDSHIB DN" is the long X.509 identity string from your browser window above. This will add a binding between your GridShib-CA DN and your TeraGrid account.

  7. You will need to wait up to an hour for the DN to be propagated internally. You can check progress by grepping "/etc/grid-security/grid-mapfile" for your GridShib-CA DN.
  8. Once your DN has been added to the grid-mapfile, you can now go back to the GridShib-CA browser window and click on the "Press here to generate and download Grid credential" button. This will download a .jnlp file which will launch a Java Web Start application.
  9. When the Java Web Start application launches, you will see the following warning/security popup box.
    Image:Gridshib03.gif

    This is because the application needs access to your local filesystem. Click the "Run" button to continue.

  10. Next the application will generate a GridShib-CA-based credential and save it to your drive. You can see the output in the application window.
    Image:Gridshib04.gif

    When you see the "Press OK to close application" message, press the OK button to exit. You now have a credential stored on your hard drive. This credential is valid for the time you specified in the browser window (default is 12 hours). Note that the credential file does not get deleted after that time, so you will need to go back to the GridShib-CA web page to generate a new credential if the one stored locally has expired.

  11. Finally, your browser will automatically open the following window:
    Image:Gridshib05.gif

    At this point, yet another Java Web Start application will launch. In this case it's the GSI-SSHTerm application. If you already have GSI-SSHTerm installed on your computer, you do not need to redownload the .jnlp file (but it won't hurt). GSI-SSHTerm will find the newly installed GridShib-CA certificate on your drive, and you can then connect to "tg-login3.ncsa.teragrid.org" without having to give a username/password.
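
The grid-mapfile check from step 7, as an added example that is not part of the original instructions: a plain grep matches substrings, so a longer DN that merely begins with yours would also be reported, while this function compares the whole quoted DN and prints the account it is bound to. It assumes the usual grid-mapfile entry layout of a quoted DN followed by the local account name(s); the function names, the account names and the second DN are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-match lookup of a DN in a grid-mapfile.
# Assumed entry format:  "<DN>" <local account>[,<local account>...]

# mapped_accounts DN [MAPFILE]
# Prints the local account(s) bound to DN; returns 1 if DN is not listed.
mapped_accounts() {
    dn=$1
    map=${2:-/etc/grid-security/grid-mapfile}
    # The DN is passed through the environment so awk does not
    # reinterpret backslashes or other characters in it.
    DN="$dn" awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (substr(line, 1, 1) != "\"") next # only quoted DNs handled
            rest = substr(line, 2)
            close_at = index(rest, "\"")         # closing quote of the DN
            if (close_at == 0) next
            if (substr(rest, 1, close_at - 1) == ENVIRON["DN"]) {
                acct = substr(rest, close_at + 1)
                gsub(/[ \t]/, "", acct)
                print acct
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$map"
}

# write_sample_mapfile PATH
# Writes constructed sample entries: the second DN is the one shown on
# this page, the first is a made-up DN that contains it as a prefix.
write_sample_mapfile() {
    cat > "$1" <<'EOF'
# constructed sample grid-mapfile
"/DC=edu/DC=uiuc/DC=ncsa/DC=gridshib-ca/O=Shibboleth User/OU=urn:mace:inqueue:uiuc.edu/CN=mark68@uiuc.edu.example.org" otheruser
"/DC=edu/DC=uiuc/DC=ncsa/DC=gridshib-ca/O=Shibboleth User/OU=urn:mace:inqueue:uiuc.edu/CN=mark68@uiuc.edu" exampleuser
EOF
}
```

On tg-login3, call `mapped_accounts "YOUR GRIDSHIB DN"` with no second argument to read "/etc/grid-security/grid-mapfile"; a non-zero exit status means the binding has not propagated yet.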
