Environment from the Molecular Level
A NERC eScience testbed project
Grid Certified Access Instructions
Sections of this website, notably the wiki, require that the user have a valid e-Science certificate before they can be accessed. Not only must the user have this certificate, but they must also inform the site administrator (Richard Bruin) of their distinguished name (DN) before they can be given access to the protected pages.
Below are instructions on all stages of certificate request, importing and conversion so that the DN can be extracted before sending to the site administrator. These instructions apply to Linux / Unix but should be very similar to those for Windows and Mac. If you have any comments or questions about the installation process please contact Richard.
Certificate request
To request an e-Science certificate connect to http://ca.grid-support.ac.uk and request a certificate as per the instructions on the site. (Note, you will need a personal certificate).
Tips
- You will need to use an approved browser, such as Netscape 4.79, even if this is not your regular browser. This is because Netscape 4.79 (and some versions of Internet Explorer) have a well-defined method to handle certificates that allows user access. Netscape has an archive of older browsers. Do not think you can get away with using something else, even if you can get the system to look as if it is working: you can't! Users of Mac OS X will have to use Netscape in classic mode, even though it might grieve them so to do!
- When you download and export your certificate, you need to do so using the same browser on the same computer, because information is stored when you put in your original request.
- You will have to give a number of pass phrases at various stages of the certificate process, including when making the initial request. It makes sense to use the same pass phrase for each stage of the process in case you forget which one you are using. You will need a pass phrase to request your certificate, which will be used to download your certificate later. You will also need a separate pass phrase for securing your certificates in Netscape.
- If anything goes wrong at any stage, there is no fix. Like some board games, you have to go back to the start (and you don't collect £50).
Exporting your certificate from Netscape 4.79
To receive your certificate you will need to be using Netscape 4.79. Once the certificate has been downloaded however, it can be exported from the browser and used within other browsers. To export it, follow these steps:
- Click on the security button at the top of the browser
- Choose 'Yours' from the 'Certificates' submenu at the side of the window which opens
- Highlight the e-Science certificate and click 'export'
- Enter the password you set for Netscape to use to protect your certificates
- Enter a password to protect your certificate after it has been exported
- Confirm the new password
- Next, choose a location to save the file. This should be a folder which is not visible to other users of your computer since the certificate has quite a high security value
- Close Netscape; your certificate has now been exported
Importing the certificate into your normal browser
The instructions for importing your certificate into your day-to-day browser vary from browser to browser. The following instructions apply to Mozilla:
- Open Mozilla
- Click on Edit->Preferences
- Choose the Privacy & security section on the left of the window which opens
- Choose the certificates submenu
- Click on 'manage certificates'; another window will open
- In this window, under the 'Your certificates' tab, click 'import'
- Specify the location of the certificate you just exported and click 'open'
- Another window opens; specify a password for the certificate to be used within Mozilla
- Then enter the password used to encrypt the certificate when asked
- Your certificate has now been imported into your browser of choice
For users of Mac OS X, you actually import your certificate into the application called Keychain, instead of into your browser directly:
- Ensure that you have your .p12 file somewhere that can be read by normal Mac OS X (e.g. not in the .globus directory).
- Open the program "Keychain Access" from within the Applications/Utilities folder.
- Select the menu item File/import, and select your .p12 file. You will need to give your pass phrase. Voila!
Processing your certificate to retrieve your DN
Unfortunately, before you can use your e-Science certificate to access the wiki, the wiki admin (Richard) needs to know your DN as specified within the certificate. This is to ensure that only e-Minerals project members may access the site, rather than just all e-Science certificate holders. The following instructions specify how to process the certificate to generate your private key and to retrieve your DN. Again, these instructions apply to Linux and may vary for other operating systems; please get in touch if you require any assistance.
- Navigate to the directory in which you saved your exported certificate
- Run the following command:
openssl pkcs12 -in mykey.p12 -clcerts -nokeys -out usercert.pem
where mykey.p12 is replaced by the name of your certificate, as saved previously.
- Enter the certificate password when asked
- Next, run the following command:
openssl pkcs12 -in mykey.p12 -nocerts -out userkey.pem
where, again, mykey.p12 is replaced by the name of your certificate, as saved previously.
- Again, enter your certificate password when asked
- Next, enter a password to encrypt this section of your certificate. This is to help to keep your certificate secure from prying eyes.
- Open the file usercert.pem, just created
- Copy the line which starts: 'subject='
- Everything after the equals sign, to the end of the line, is your DN. Send this to the wiki admin (Richard) who will then be able to give you access to the wiki asap.
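The last three steps can be scripted. The following is an added example, not part of the original instructions: it reads the 'subject=' line out of usercert.pem, refuses a file that also holds a private key, and checks that userkey.pem is readable only by its owner. The function names and the sample file contents (including the DN) are constructed for illustration.

```sh
#!/bin/sh
# Print the DN: everything after "subject=" on the first such line.
# Refuses a file containing a private key block (i.e. one written without
# -nokeys), since that file must not be opened for copying or mailed.
dn_from_usercert() {
    if grep -q 'PRIVATE KEY-----' "$1"; then
        echo "error: $1 contains a private key; re-run with -nokeys" >&2
        return 1
    fi
    dn=$(sed -n '/^subject=/{s/^subject=[[:space:]]*//;s/[[:space:]]*$//;p;q;}' "$1")
    [ -n "$dn" ] || { echo "error: no subject= line in $1" >&2; return 1; }
    printf '%s\n' "$dn"
}

# Succeeds only if group and others have no permissions on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample in the layout "openssl pkcs12 -clcerts -nokeys" writes.
# The DN and the certificate body are placeholders, not real values.
write_sample_usercert() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: constructed example
subject=/C=XX/O=Example Org/OU=Example Unit/CN=jane example
issuer=/C=XX/O=Example Org/OU=Authority/CN=Example CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
EOF
}

# Demonstration on the constructed sample.
demo_dir=$(mktemp -d)
write_sample_usercert "$demo_dir/usercert.pem"
( umask 077; : > "$demo_dir/userkey.pem" )   # stand-in for the real key file
echo "DN to send: $(dn_from_usercert "$demo_dir/usercert.pem")"
if key_is_private "$demo_dir/userkey.pem"; then
    echo "userkey.pem: owner-only"
else
    echo "userkey.pem: readable by others, run chmod 600 on it"
fi
rm -rf "$demo_dir"
```

Running umask 077 in the shell before the second openssl command ensures userkey.pem is owner-only from the moment it is created.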