3.
UK e-Science Certificates
What's a UK e-Science certificate?
A UK e-Science certificate is an X-500 certificate issued by the UK
e-Science Authority. If you want to know the details, Wikipedia
describes these well; if
you don't and simply want to use one, think of it as something similar
to a traditional passphrase-protected SSH key with which you can
authenticate to certain systems.
(There are significant differences, however: certificates are issued by a
certification authority and, like a driver's licence, can expire
or be revoked.)
Why should I get one?
Because one is required to gain access to many "grid"-based HPC
clusters on which you are entitled to an account.
How do I get one?
Unfortunately, the process is a little long-winded. In outline:
Request a certificate from ca.grid-support.ac.uk.
Meet, face-to-face, a representative of the UoM Registration Authority (RA)
in order to verify your identity.
Assuming the RA representative approves your application you will receive
an email indicating that your certificate is ready for download using your
Web browser.
Following the instructions in the email, download
the certificate into your browser; then export/save it into a
file named (for example) eSciCA.cert; the browser will
add the suffix .p12, indicating PKCS12 format. Your browser
will prompt you for a password which is used to protect the
file; do not forget this!
For more details visit the dedicated Web page.
How do I use it?
Your certificate is used with GSI-SSHTerm to authenticate (login) to
grid-based compute resources.
4.
Getting access
the easy way: GSI-SSHTerm
Commonly, to gain access to computational grids based on the Globus middleware
stack, users download and install the Globus client software. This is not
easy since Globus is no longer included in any major Linux distribution.
The Globus client software includes a version of SSH, gsissh, which can
use e-Science certificates for authentication, and also "real" grid tools
which facilitate the submission and running of jobs without ever "logging in"
to the compute resource.
GSI-SSHTerm, described here, is a standalone Java application which combines
both virtual terminal functionality (cf. xterm ) and that of
gsissh . This is sufficient to access these computational grids and
submit jobs, though not to make
full use of their capabilities [Section 6.]
Prerequisites
First ensure your e-Science certificate is installed (correctly!) as
described above.
Ensure you have an up-to-date Sun Java runtime-environment (JRE) installed on your
machine, e.g.,
apt-get install sun-java6-jre
apt-get install sun-java6-bin
gridproxyinit and GSI-SSHTerm
Download gridproxyinit.jar.tar.gz ,
a Java-based certificate proxy, required to help GSI-SSHTerm use your
certificate, and unpack it:
prompt> tar xvz < gridproxyinit.jar.tar.gz
#
# ...creates a directory "gridproxyinit" and extracts files into this new
# directory...
#
Download jws.jnlp (local mirror), or visit the NGS to get it.
This file relates to the Java Network Launch Protocol; it is used to
automatically download the required Java .jar files and then start the
GSI-SSHTerm Java application (see below).
Invoke/run gridproxyinit-run.jar :
prompt> cd gridproxyinit
prompt> java -jar ./gridproxyinit-run.jar
#
# ...ensure this is the Sun JRE "java", not e.g. that from GCJ,
# for example,
# /usr/lib/jvm/java-6-sun/bin/java
# not
# /usr/lib/jvm/java-gcj/bin/java
From the radio buttons, select PK12 — this is not the default —
and under Options select the location of your certificate
(e.g., /home/<username>/eSciCA.cert.pk12 ), enter the password you
used to protect it and click Create .
Start the GSI-SSHTerm application using jws.jnlp :
prompt> javaws jws.jnlp
The first time you "run" jws.jnlp the GSI-SSHTerm application
will be downloaded — a window displaying the name and publisher of the
application, and download progress, will open — then you will see
a Security Warning window open: click Run (assuming you trust
the download!) and the GSI-SSHTerm application window should open after
a few seconds.
To open a connection to a cluster on which you have an account, click
on File , New Connection , enter a hostname
(e.g., man2.nw-grid.ac.uk ) and click Ok .
5.
How do I apply for an account?
The application procedures for obtaining accounts on both the NGS and
the NW-Grid are relatively lightweight. To apply for an account:
on the NW-Grid, follow the "User Registration"
link (top right) of the NW-Grid
home page;
on the NGS, follow the "Apply for Access" link on the
NGS home page.
6.
Getting more from Grid systems —
what's the point of all this Grid stuff?
The simplest way to install Globus client software on a Linux machine is
to use the
VDT distro of Globus.
The steps are described at www.grid-support.ac.uk (Introductory Statement):
Prerequisites:
VDT uses
a package-manager called Pacman, so the first step is to install that; this in
turn requires Python (at least v2.3).
Installation of Pacman is described in
the VDT
documentation .
If Pacman does not find a suitable installation of
Python, it attempts to download and build one as part of the install/setup
process.
As of 2007/March/15, the next step, Base VDT Globus Installation,
contains some misleading instructions, so beware:
When telling Pacman about the repository, ensure there is no space after
cache: , i.e., pacman -cache:http://www.cs.wisc.edu/vdt/vdt_121_cache .
This is wrong: pacman -get Globus ; it should be
pacman -get http://vdt.cs.wisc.edu/vdt_1310_cache:GSIOpenSSH .
Bearing in mind the above two points, install Globus as described.
Then extract the required user certificate
(public key) and private user key from your UK e-Science certificate, for use with
Globus, also as described. However, this page then describes extracting a host
certificate and key; these are not required for a Globus client and can only be
extracted from a requested/downloaded server/host certificate.
The UK Grid Support site includes alternative descriptions and explanations of the
extraction procedure, which may prove clearer:
Installing your
e-Science Certificate and Private Key
(part of Setting up Your User Environment );
or
follow Step 2 in ,
Preparing your User Certificate for use by Globus Toolkit .
Optional Extras:
this step describes how to install GSI-SSH, a customised version
of OpenSSH which can use certificates for authentication. GSI-SSH is indeed not
necessary for use of the NGS or NW-Grid, but it is very commonly used; install it.
(Installation of GITS is also mentioned; this can be ignored.)
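The extraction step above, as an added example (not taken from the VDT or Grid Support pages): it splits the browser-exported PKCS#12 file into the certificate and private-key files a Globus client reads, with the key kept encrypted and owner-only. The function name, the P12_PASS environment variable and the target directory are assumptions of this sketch; usercert.pem and userkey.pem are the file names Globus clients conventionally look for under ~/.globus.

```shell
#!/bin/sh
# Added example: split a browser-exported PKCS#12 bundle into the PEM pair
# a Globus client reads. Function name and P12_PASS are assumptions.

# extract_globus_creds <bundle.p12> <target-dir>
# The bundle password is read from the environment variable P12_PASS so
# that it never appears on a command line, where `ps` would expose it.
extract_globus_creds() {
    p12=$1
    dir=$2
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 1; }
    # Never overwrite (or later delete) credentials that are already there.
    if [ -e "$dir/usercert.pem" ] || [ -e "$dir/userkey.pem" ]; then
        echo "refusing to overwrite files in $dir" >&2; return 1
    fi

    old_umask=$(umask)
    umask 077                     # files are created owner-only from the start
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }

    # 1) certificate only: -clcerts skips CA certs, -nokeys skips the key
    # 2) private key only, re-encrypted under the same passphrase
    #    (never -nodes: that would write the key to disk unprotected)
    if openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -clcerts -nokeys -out "$dir/usercert.pem" 2>/dev/null &&
       openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -nocerts -passout env:P12_PASS -out "$dir/userkey.pem" 2>/dev/null
    then rc=0
    else rc=1
    fi
    umask "$old_umask"
    if [ "$rc" -ne 0 ]; then
        rm -f "$dir/usercert.pem" "$dir/userkey.pem"
        echo "extraction failed (wrong password?)" >&2
        return 1
    fi

    chmod 644 "$dir/usercert.pem" # public part
    chmod 400 "$dir/userkey.pem"  # private key: owner read-only

    # Certificates expire: show subject and end date, fail if already expired.
    openssl x509 -in "$dir/usercert.pem" -noout -subject -enddate
    openssl x509 -in "$dir/usercert.pem" -noout -checkend 0 >/dev/null
}
```

On OpenSSL 3.x, a bundle exported by an older browser may use algorithms that `openssl pkcs12` only reads with its `-legacy` option.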
8.
Globus Gateway Systems
A. Troubleshooting
gridproxyinit-run.jar and GSI-SSHTerm
We need access to the Java console to see what's going on. Start GSI-SSHTerm
using the -viewer option of javaws:
javaws -viewer jws.jnlp
This opens the Java Application Cache Viewer . Click on
Exit --> Preferences --> Advanced
then double-click on Java Console and ensure the Show Console
radio button is selected; click Apply and then OK . Back in
the JACV window, select GSI-SSHTerm and click Launch Online . After
a few seconds you should have three windows: the JACV, a Java Console and
GSI-SSHTerm.
B. A Buglet With GSI-SSHTerm
On attempting File --> New Connection, the Java console shows:
Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
at uk.ac.rl.esc.browser.Browser.getProfiles(Browser.java:687)
at uk.ac.rl.esc.browser.Browser.getBrowserList(Browser.java:940)
at com.sshtools.sshterm.GSIAuthTab.setConnectionProfile(GSIAuthTab.java:170)
at com.sshtools.common.ui.SshToolsConnectionPanel.setConnectionProfile(SshToolsConnectionPanel.java:133)
at com.sshtools.common.ui.SshToolsConnectionPanel.showConnectionDialog(SshToolsConnectionPanel.java:191)
at com.sshtools.sshterm.SshTerminalPanel.actionPerformed(SshTerminalPanel.java:882)
at com.sshtools.common.ui.StandardAction.actionPerformed(StandardAction.java:148)
victim> strace -o open javaws jws.jnlp
[pid 24257] open("/usr/lib", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 15
[pid 24257] open("/root/.mozilla", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 15
[pid 24257] open("/root/.mozilla/firefox/profiles.ini", O_RDONLY|O_LARGEFILE) = 15
Process 24259 detached
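Starting Firefox once and then closing it makes the problem go away;
after rm -rf ~/.mozilla/firefox it fails again; run Firefox again
and it works again. In other words, GSI-SSHTerm reads the Firefox profile
list (profiles.ini) and throws the NullPointerException above when no
Firefox profile exists.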
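A pre-flight check for the two failure causes this page describes (a GCJ "java" instead of the Sun JRE, and a missing Firefox profiles.ini), given here as an added example that is not part of GSI-SSHTerm or the original page. The function name and its arguments are hypothetical, and the permission check on the certificate file is an extra check the page does not mention.

```shell
#!/bin/sh
# Added example: pre-flight checks before running gridproxyinit / GSI-SSHTerm.
# gsissh_preflight and its arguments are hypothetical names for this sketch.

# gsissh_preflight <home-dir> <java-binary> <bundle.p12>
# Prints one line per problem and returns the number of problems found.
gsissh_preflight() {
    home=$1; java_bin=$2; p12=$3; problems=0

    # The page requires the Sun JRE. "java" is often a symlink chain
    # (e.g. via /etc/alternatives), so judge the fully resolved path.
    real_java=$(readlink -f "$java_bin" 2>/dev/null) || real_java=
    if [ -z "$real_java" ] || [ ! -x "$real_java" ]; then
        echo "java: $java_bin is not an executable"
        problems=$((problems + 1))
    else
        case $real_java in
            *java-gcj*|*/gij)
                echo "java: $real_java is GCJ, not the Sun JRE"
                problems=$((problems + 1)) ;;
        esac
    fi

    # The NullPointerException in Browser.getProfiles shows up when Firefox
    # has never been run for this user, i.e. profiles.ini does not exist.
    if [ ! -r "$home/.mozilla/firefox/profiles.ini" ]; then
        echo "firefox: no $home/.mozilla/firefox/profiles.ini; run Firefox once"
        problems=$((problems + 1))
    fi

    # The exported bundle holds the private key: it must be readable by you
    # and should not be accessible to group or others (extra check).
    if [ ! -r "$p12" ]; then
        echo "cert: cannot read $p12"
        problems=$((problems + 1))
    elif [ "$(ls -ld "$p12" | cut -c5-10)" != "------" ]; then
        echo "cert: $p12 is accessible to group/others; chmod 600 it"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Call it as, for example, `gsissh_preflight "$HOME" "$(command -v java)" "$HOME/eSciCA.cert.p12"` before starting gridproxyinit-run.jar.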