2 Client configuration and certificate management
Download the current version of the UNICORE Client installer from http://www.unicore.eu/download/unicore5. Install it on your Unix or Windows workstation following the instructions of the install process. Additional information can be found in the UNICORE user’s guide at http://www.unicore.eu/documentation/manuals/unicore5/files/client_manual.pdf
When you run the UNICORE client for the first time, a new .unicore directory is created in your home directory. Additionally, an empty keystore file will be created in this new directory, which will later contain all the keys and certificates that you will need to use UNICORE. You will be asked for a pass phrase to encrypt the keystore; remember this pass phrase, and keep it confidential. This pass phrase protects your access to the DEISA resources through UNICORE; you will be asked to supply this pass phrase each time you start the UNICORE client. In order to use UNICORE, you have to obtain a personal certificate from one of the Certificate Authorities (CAs), following the instructions in The Primer. The process may vary from country to country; contact the local DEISA help desk when in doubt.
The subsequent description outlines the most convenient process. The required certificate signing request is generated in the UNICORE client. The user’s private key need not leave the keystore and the signed certificate can easily be imported into the client.
Step 1: Within the UNICORE client, go to Settings → Keystore Editor → Actions → Generate Certification Request
Click OK to save the certificate signing request in a directory of your choice (e.g. as Lastname.crs). Your private key is stored in the UNICORE keystore. You should also install the new key entry as the default. Do not forget to save the keystore permanently to disk by
File → Save
Note: you also have to complete the following steps before you can access the DEISA systems.
Step 2: Go to the web site of your national CA (see The Primer) and submit the certificate signing request created in step 1. You will be asked to provide additional information, to print a document with your data and to present it at the registration authority (RA) nearest to you. The role of the RA is to verify your identity and request that the CA generates a certificate for you. You will normally receive the certificate via email from the CA, together with instructions on where to find the CA certificates and how to revoke your certificate in case it has been compromised (e.g. your keystore pass phrase has been stolen).
Step 3: After you have received the certificate from the CA, normally as a file with the suffix pem, save it in a directory of your choice and import it into the UNICORE keystore:
Settings → Keystore Editor → Actions → Import Certificate
Find the previously saved pem file and click ‘UNICORE: Select certificate(s) to import’. This will bind the certificate to your private key. When you click on ‘Details’ you will be shown the information about your certificate (issued for:) and the information about the CA (issued by:) and how long the certificate will be valid (see Figure 3 below).
Step 4: Forward your certificate to your local user administration to have it linked to your DEISA account (technically, the certificate information is entered into the UNICORE User Data Base (UUDB)). Since all DEISA sites share a common user pool, an automated process will ensure that you will also be registered at the other sites. This update normally takes place overnight.
Now you are a bona fide DEISA user who is registered to use DEISA resources through UNICORE. Two more steps are needed to give you secure access.
Step 5: The client must know the addresses of the UNICORE gateways at the different sites. Go to
Settings → User defaults
The window shown in Figure 4 will let you specify the location of an xml file describing all available DEISA gateways. This location can point to a web site or to a file on the local disk. The standard location of this file is http://winnetou.sara.nl/deisa/hosts/gateways.xml
You can download this file to your local disk, so that you can still connect to a gateway if the remote web server is temporarily unavailable. In this case, however, you will need to download the file again whenever new DEISA gateways are added or their addresses change. How you can customise your personal DEISA environment is described in the following Section.
Step 6: At this stage you can see all Gateways that are listed in the xml file. However, your client will now refuse to connect to them, since UNICORE’s strong security requires mutual authentication between client and server. This prevents a system from pretending to be a Gateway and intercepting your jobs. To resolve this issue, you are now required to import the certificates of the CAs that signed the servers into the UNICORE client as ‘trusted certificates’:
Settings → Keystore Editor → Actions → Import Certificate
The list of all certificates of the recognised CAs can be found at http://winnetou.sara.nl/deisa/certs/unicerts.tar.gz (or http://winnetou.sara.nl/deisa/certs/unicerts.zip ).
Copy the certificates you wish to import to separate files on your local disk and import them into the UNICORE keystore.
This last process is a one-time effort. From now on you need not bother with passwords and different accounts on different sites. All you need is your pass phrase to unlock the keystore on your personal system in order to access the DEISA infrastructure in a secure fashion.
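As an added illustration of what the keystore pass phrase protects (this is example code, not part of the UNICORE client or the DEISA guide), the following Python parser reads a keystore in Java's JKS format, which the example assumes is the format of the UNICORE client's keystore file, verifies the SHA-1 integrity digest that is keyed with the pass phrase, and lists the private-key and trusted-certificate entries. The sample keystore is constructed inline with placeholder byte strings in place of real DER certificates and the encrypted key.

```python
import hashlib
import struct
JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string Java mixes into the JKS integrity digest

def _jks_digest(passphrase, body):
    # SHA-1 over the pass phrase (as UTF-16BE) + salt + every byte that precedes the digest
    return hashlib.sha1(passphrase.encode("utf-16-be") + JKS_SALT + body).digest()

def parse_jks(data, passphrase):
    """Verify the keystore's integrity digest with the pass phrase, then list its entries."""
    body, digest = data[:-20], data[-20:]
    if _jks_digest(passphrase, body) != digest:
        raise ValueError("integrity check failed: wrong pass phrase or tampered keystore")
    pos = 0
    def rd(fmt):  # one big-endian field, then advance
        nonlocal pos; (v,) = struct.unpack_from(">" + fmt, body, pos); pos += struct.calcsize(fmt); return v
    def utf():    # Java writeUTF: 2-byte length + modified UTF-8 (same as UTF-8 for ASCII aliases)
        nonlocal pos; n = rd("H"); s = body[pos:pos + n].decode("utf-8"); pos += n; return s
    def blob():   # 4-byte length + raw bytes
        nonlocal pos; n = rd("I"); b = body[pos:pos + n]; pos += n; return b
    if rd("I") != JKS_MAGIC or rd("I") != 2: raise ValueError("not a JKS version 2 keystore")
    entries = []
    for _ in range(rd("I")):
        tag, alias, _created_ms = rd("I"), utf(), rd("Q")
        if tag == 1:    # private key entry: PKCS#8 blob still encrypted under the key password, plus its chain
            enc_key, chain = blob(), [(utf(), blob()) for _ in range(rd("I"))]
            entries.append({"alias": alias, "kind": "private-key", "key_len": len(enc_key), "chain_len": len(chain)})
        elif tag == 2:  # trusted CA certificate: stored in the clear, only integrity-protected
            ctype, cert = utf(), blob()
            entries.append({"alias": alias, "kind": "trusted-cert", "cert_type": ctype, "cert_len": len(cert)})
        else: raise ValueError(f"unknown entry tag {tag}")
    if pos != len(body): raise ValueError("trailing bytes after the last entry")
    return entries

def build_jks(passphrase, entries):  # serialiser, used here only to construct the sample keystore
    utf = lambda s: struct.pack(">H", len(s.encode())) + s.encode()
    blob = lambda b: struct.pack(">I", len(b)) + b
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for e in entries:
        out += struct.pack(">I", 1 if "key" in e else 2) + utf(e["alias"]) + struct.pack(">Q", e["ts"])
        if "key" in e:
            out += blob(e["key"]) + struct.pack(">I", len(e["chain"])) + b"".join(utf("X.509") + blob(c) for c in e["chain"])
        else:
            out += utf("X.509") + blob(e["cert"])
    return out + _jks_digest(passphrase, out)

# Constructed sample: placeholder byte strings stand in for DER certificates and the encrypted key.
SAMPLE_KEYSTORE = build_jks("my pass phrase", [
    {"alias": "mykey", "ts": 1_200_000_000_000, "key": b"ENCRYPTED-KEY", "chain": [b"USER-CERT", b"CA-CERT"]},
    {"alias": "deisa-ca", "ts": 1_200_000_000_000, "cert": b"CA-CERT"}])
```

A wrong pass phrase and a single flipped byte in a trusted CA certificate both fail the digest check, which is why a compromised pass phrase also lets an attacker silently swap the trusted CAs, not just read the private key.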
Note: There are other methods to generate private-public key pairs for certificate signing requests, for example using a modern browser. This has the disadvantage that you have to export the certificates from the browser and re-import them into the UNICORE client. So if the national CA supports externally generated certificate signing requests, use the method described above. Otherwise consult your local administrator.