Configuring shared accounts OSG certificates and Kerberos principal
As requested by the Minos production group, the OPOS helps the experiment obtain and configure OSG certificates for the shared accounts minospro and minosana. The idea is to replicate the scheme already applied to shared accounts in other IF (Intensity Frontier) experiments (e.g. the NOvA production account).
Service OSG certificate
To request an OSG certificate:
First, generate a CSR (certificate signing request) and key file for "minospro/hostname.fnal.gov"; see CSRRequest.
Then fill in the form at https://oim.grid.iu.edu/oim/certificaterequesthost, pasting in the contents of the request.pem file you made.
After submitting the request, contact one of our GridAdmins if needed to expedite its approval.
Then follow the instructions in the email to fetch the certificate from the website.
You should now have a key file "hostkey.pem", saved from the website, the "request.key" file you made along with the certificate signing request, and "hostcert.pem"; install them in gpsn01:/scratch/minos/minospro/private/. If old files already exist there, first copy them to an ".old" subdirectory.
Before using it to generate a proxy, you need to register the certificate with the experiment VO. To do so, open a "General Request" ticket in SNOW with the suggested short description "Please add service certificate to Minos VO" and the suggested long message: "We need to add this to the Minos VO with both the production and analysis roles: Subject: DC=com, DC=DigiCert-Grid, O=Open Science Grid, OU=Services, CN=minospro\/minos27.fnal.gov @FNAL.GOV"
Now you are ready to generate OSG proxies, which can be used with systems such as SAM. To do so, run the following command:
voms-proxy-init -cert=/scratch/minos/minospro/private/hostkey.pem -key=/scratch/minos/minospro/private/request.key --rfc --voms=fermilab:/fermilab/minos/Role=Production -out /scratch/minospro/grid/minospro.Production.proxy
To use the new proxy, set the X509_USER_PROXY environment variable to the path of the production proxy.
Kerberos for project principal
To get a Kerberos principal for the shared account, the requester completes three steps:
1) Open an "Additional Kerberos Items" ticket in SNOW (https://fermi.service-now.com): go to "Service Catalog", then "Accounts", and pick "Additional Kerberos Items". Put the following message in the additional information field:
> I would like a Kerberos principal for minospro/minos/minosgpvm02.fnal.gov@FNAL.GOV. We will use it for Minos to authenticate experiment production activities.
The requester will receive an email with a one-time password. With this password, the requester should:
2) Create the keytab file for the project principal following the instructions at http://security.fnal.gov/krb5/make-a-keytab.html.
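As an added example covering both procedures above (it is not code from this wiki page, the OPOS, or the Minos production group), here is a POSIX shell script that pre-flight-checks the installed certificate and key files, generates the production proxy with the exact voms-proxy-init command from this page and verifies it, exports X509_USER_PROXY only when the proxy file has owner-only permissions, and obtains a ticket from the project-principal keytab. The certificate and proxy paths, the VOMS role, and the principal name are taken from the page; the keytab location (minospro.keytab under the private/ directory) and the principal format check are assumptions.

```shell
#!/bin/sh
# Added example, not from the Minos/OPOS wiki: sanity checks around the
# service certificate, production proxy and project-principal keytab.
# Default paths come from the page; the keytab path is an assumption.

# 0 if $1 is a regular file readable only by its owner (mode 600 or stricter).
private_file_ok() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    perms=$(ls -l "$f" | cut -c5-10)      # group+other permission bits
    case "$perms" in
        ------) return 0 ;;
        *) echo "too permissive ($perms): $f" >&2; return 1 ;;
    esac
}

# 0 if the file begins with a PEM header, i.e. looks like a cert or key.
pem_file_ok() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN '
}

# Verify the files the page installs under the private/ directory.
check_cred_files() {
    dir="${1:-/scratch/minos/minospro/private}"
    private_file_ok "$dir/request.key" || return 1
    pem_file_ok "$dir/request.key" || { echo "not PEM: $dir/request.key" >&2; return 1; }
    pem_file_ok "$dir/hostkey.pem"  || { echo "not PEM: $dir/hostkey.pem" >&2; return 1; }
}

# 0 unless the certificate expires within 7 days (604800 s); needs openssl.
cert_expiry_ok() {
    openssl x509 -noout -checkend 604800 -in "$1" \
        || { echo "certificate expires within 7 days: $1" >&2; return 1; }
}

# Generate the production proxy exactly as on the page, then verify it.
make_production_proxy() {
    dir="${1:-/scratch/minos/minospro/private}"
    out="${2:-/scratch/minospro/grid/minospro.Production.proxy}"
    check_cred_files "$dir" || return 1
    cert_expiry_ok "$dir/hostkey.pem" || return 1
    voms-proxy-init -cert="$dir/hostkey.pem" -key="$dir/request.key" --rfc \
        --voms=fermilab:/fermilab/minos/Role=Production -out "$out" || return 1
    # Refuse a proxy with less than one hour of lifetime left.
    voms-proxy-info -file "$out" -exists -valid 1:00 || return 1
    private_file_ok "$out"
}

# Export X509_USER_PROXY only when the proxy exists with safe permissions.
use_production_proxy() {
    out="${1:-/scratch/minospro/grid/minospro.Production.proxy}"
    private_file_ok "$out" || return 1
    X509_USER_PROXY="$out"; export X509_USER_PROXY
}

# 0 if $1 has the primary/instance/host@FNAL.GOV shape of the page's principal
# (assumed format check, not an official rule).
principal_ok() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]+/[a-z0-9]+/[a-z0-9.-]+@FNAL\.GOV$'
}

# Acquire a ticket from the project-principal keytab (keytab path is assumed).
kinit_from_keytab() {
    princ="${1:-minospro/minos/minosgpvm02.fnal.gov@FNAL.GOV}"
    kt="${2:-/scratch/minos/minospro/private/minospro.keytab}"
    principal_ok "$princ" || { echo "bad principal: $princ" >&2; return 1; }
    private_file_ok "$kt" || return 1
    klist -kt "$kt" | grep -qF "$princ" || { echo "principal not in keytab" >&2; return 1; }
    kinit -kt "$kt" "$princ"
}
```

Source the script from the shared account's shell and run make_production_proxy followed by use_production_proxy; every function fails closed, so a key, proxy or keytab that is group- or world-readable stops the procedure before any credential is used.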
More details on the process: https://cdcvs.fnal.gov/redmine/projects/discompsupp/wiki/How_to_get_a_service_cert