How to join
Generally speaking, any person from the CE region who works in an academic environment is a suitable candidate for an account at VOCE. Because work in a distributed grid environment requires secure access to resources, you must obtain a valid personal certificate from an internationally accepted certification authority before you can use the provided computational infrastructure.
Please read the following information on VOCE-specific topics, in two categories:
User registration procedure
Computational resources setup
User registration procedure
Certification
How to obtain a personal certificate
A certificate is a data file whose function is similar to an ID card or a driving licence, i.e. it is intended for authentication of the certificate owner. Every certificate is digitally signed and its validity is limited by an expiration time. A valid personal certificate can be obtained from a local certification authority (CA). A certification authority issues certificates to enable the establishment of trust, manages their issuing, and may also revoke them (end their validity). The list of CAs accepted for VOCE purposes is based on the authoritative list provided by EUGridPMA. The list of currently supported CAs, together with a step-by-step guide to obtaining a personal certificate from a specific CA, can be found in the table below.
Import of certificate into a browser
To start and successfully complete the registration process, your personal certificate must be loaded into your web browser. Browsers (including Internet Explorer, Netscape and Mozilla) use a different certificate format than the grid middleware: browsers require a format called PKCS12, whereas grid software uses the PEM format. If your certificate was issued to you in PEM format, you have to install the OpenSSL package (usually preinstalled on Linux distributions; binaries of OpenSSL are available for MS Windows) to convert the certificate from PEM format to PKCS12 format. Use the following command on a machine with OpenSSL installed to convert the certificate to the desired format:
openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out my_cert.p12 -name "My certificate"
Where:
userkey.pem -- The path to your private key file.
usercert.pem -- The path to your certificate file.
my_cert.p12 -- The path for the PKCS12 format file output.
"My certificate" -- An optional name which can be used to select this certificate in the browser after you have loaded it if you have more than one loaded.
You will be asked for two passwords: one set when you exported the certificate from the browser; the other is the password of the private key. It is safe to use the same password. When you have finished exporting the certificate, you have to import it into your browser. Instructions for loading certificates into some common browsers are given below.
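A scripted form of the conversion above, followed by a check that the resulting bundle really contains your certificate and its matching private key. This is an added example, not part of the original VOCE page; the function names and the KEY_PASS and P12_PASS environment variables are assumptions, and make_demo_pair builds a throwaway self-signed pair for testing only.

```shell
#!/bin/sh
# Added example, not from the VOCE page. Passwords come from environment
# variables (assumed names) so they stay out of the process list:
#   KEY_PASS = pass phrase of userkey.pem, P12_PASS = PKCS12 export password.

# Convert a PEM key/certificate pair to PKCS12; the bundle is created owner-only.
pem_to_p12() {  # usage: pem_to_p12 userkey.pem usercert.pem my_cert.p12
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
          -name "My certificate" -passin env:KEY_PASS -passout env:P12_PASS )
}

# SHA-256 fingerprint of the PEM certificate on stdin (empty if none is found).
cert_fp() { openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# Succeeds only if the bundle holds this certificate AND a private key whose
# public half equals the public key in the certificate.
p12_matches() {  # usage: p12_matches my_cert.p12 usercert.pem
    bundle_fp=$(openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null | cert_fp)
    pem_fp=$(cert_fp < "$2")
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
              openssl pkey -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$bundle_fp" ] && [ "$bundle_fp" = "$pem_fp" ] && [ "$key_pub" = "$cert_pub" ]
}

# Constructed test material: a throwaway self-signed pair, not a grid certificate.
make_demo_pair() {  # usage: make_demo_pair DIR
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/C=CZ/O=Example/CN=Demo User" \
        -keyout "$1/userkey.pem" -out "$1/usercert.pem" -passout env:KEY_PASS 2>/dev/null
}
```

Run p12_matches before importing the bundle into a browser; a failure means the bundle was built from the wrong key or certificate file.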
Firefox
1. Start Firefox
2. Go to the Tools menu and select "Options...".
3. Select "Advanced".
4. Scroll down to "Certificates/Client Certificate Selection" and check "Ask Every Time".
5. Click on "Manage Certificates".
6. Click on "Import".
7. Give the path to the file my_cert.p12. You will be asked for the master password for the Software Security Device (a password for storage of sensitive personal information in a browser) and the password used to encrypt the certificate backup.
Mozilla or Netscape
1. Start Mozilla or Netscape
2. Go to the Edit menu and select "Preferences -> Privacy & Security -> Certificates -> Manage Certificates".
3. Choose the Import Certificate option.
4. Give the path to the file my_cert.p12.
5. Go to the Edit menu and select "Preferences -> Privacy & Security -> Certificates -> Master Passw...
6. At the "Master Password Timeout" box, check "Every time it is needed".
Note that this step is needed to prevent web servers from extracting your credentials from your browser without your approval.
Internet Explorer
1. Start Internet Explorer
2. Go to the Tools menu and select "Internet Options".
3. Choose the Content tab and click on Certificates which will open a dialogue box.
4. Click on Import to start the Import wizard and follow the instructions. In the password dialog box, type the password for your private key and check "Enable strong private key protection".
Note that this step is needed to prevent web servers from extracting your credentials from your browser without your approval. The certificate should go into the "Personal" certificate store and you should also select "high security" to prevent Internet Explorer from saving your pass phrase.
Renewal of personal certificate
If you do not modify the subject name of your personal certificate, the validity of your personal certificate will be extended automatically after the expiration period. We also allow users to manage their personal certificates registered in VOCE (modify them and/or add a new one). However, this procedure must be handled manually by the VOCE administrators. Therefore every user is kindly requested to send an email containing the new certificate to be added before the expiration date of the personal certificate used for accessing VOCE resources. We need the complete certificate, not just the subject name, so please ensure the mail contains the output of the following command:
It is also important to take into account that a user can have his/her personal certificate registered in only one virtual organization. Therefore, accessing virtual organizations other than VOCE requires another personal certificate!
User registration
If you are interested in using VOCE resources, please visit and fill in the VOCE registration form (using a browser with your personal certificate loaded).
NOTE for Czech users: If you are a potential Czech VOCE user, you might already be a member of the local Czech grid project METACentrum. In this case, do not use the VOCE form mentioned above; instead, please edit your personal settings at the METACentrum portal (section My account/Personal Information). If you are currently not a METACentrum member, please consider that becoming one gives you access to Czech local computational resources in addition to the VOCE resources you ask for; therefore we recommend that you become a METACentrum member. This will allow you to use METACentrum capacities as well as the available VOCE computational resources.
Account extension
Your VOCE membership is bound to the extension of your VOCE account, which is required at the end of each year. Your VOCE account can be extended online by filling in a form field in which you have to describe your current VOCE activities, including new, planned ones.
Resources registration procedure
Administration
All VOCE users are separated into VOCE institutions. Each VOCE institution is composed of a set of users that are managed autonomously by a dedicated administrator. Users' membership in a VOCE institution is defined using the users' subject names. A VOCE institution can either be linked to an existing organization participating in EGEE or be a virtual entity grouping a set of people, created in order to ease their administration. In each country there is a catch-all institution, which handles users that do not fall into any existing VOCE institution.
| VOCE institution | Subject name |
|---|---|
| Austria, Austrian Grid CA | |
| UNIINNSBRUCK | /C=AT/O=AustrianGrid/OU=UIBK/ |
| GUP | /C=AT/O=AustrianGrid/OU=JKU/ |
| Croatia, SRCE CA | |
| SRCE | /C=HR/O=edu/OU=srce/ |
| RBI | /C=HR/O=edu/OU=irb/ |
| FESB | /C=HR/O=edu/OU=fesb/ |
| Czech Republic, CESNET CA, Step by Step Guide | |
| CESNET | /C=CZ/O=CESNET/ |
| | /O=CESNET/ |
| Hungary, NIIF CA | |
| MTA SZTAKI | /C=HU/O=KFKI RMKI CA/OU=SZTAKI/ |
| | /C=HU/O=NIIF/OU=Certificate Authorities/CN=NIIF Root CA |
| | /C=HU/O=NIIF CA/OU=GRID/ |
| NIIF | /C=HU/O=KFKI RMKI CA/OU=NIIF/ |
| KFKI RMKI | /C=HU/O=KFKI RMKI CA/OU=KFKI RMKI/ |
| ELTE | /C=HU/O=KFKI RMKI CA/OU=ELTE/ |
| BME | /C=HU/O=KFKI RMKI CA/OU=BME/ |
| Poland, Polish Grid CA | |
| ICM | /C=PL/O=GRID/O=ICM/ |
| PSNC | /C=PL/O=GRID/O=PSNC/ |
| CYFRONET | /C=PL/O=GRID/O=Cyfronet/ |
| Slovakia, SlovakGrid CA | |
| II-SAS | /C=SK/O=SlovakGrid/ |
| Slovenia, SIGNET CA | |
| JSI | /C=SI/O=SiGNET/ |
UI setup
If you prefer using your own UI, you will need to configure it to support VOCE. A simple configuration file is provided.
Save this file as "/opt/glite/etc/voce/glite_wms.conf".
To see all details concerning access to the VOCE UI, visit the User Interface section.
Resources registration
If you are willing to offer your computational resources as part of the VOCE service, please follow the instructions below.
Automatic configuration using YAIM with VOMS support
The automatic configurator YAIM can be used to support VOCE. To do so, please modify your site-info.def file as described below.
For site-info.def:
1. add ldap://meta-ldap.cesnet.cz/ou=People,o=VOCE,dc=eu-egee,dc=org to GRIDMAP_AUTH
2. add the following to the end of the file:
VOS="$VOS voce"
# egee_voce is an example of a queue that will accept voce jobs
QUEUES="$QUEUES egee_voce"
EGEE_VOCE_GROUP_ENABLE="voce"
########
# voce #
########
VO_VOCE_SW_DIR=$VO_SW_DIR/voce
VO_VOCE_DEFAULT_SE=$SE_HOST
VO_VOCE_STORAGE_DIR=$CLASSIC_STORAGE_DIR/voce
VO_VOCE_VOMS_SERVERS="vomss://skurut19.cesnet.cz:8443/voms/voce?/voce/"
VO_VOCE_VOMSES="'voce skurut19.cesnet.cz 7001 /DC=cz/DC=cesnet-ca/O=CESNET/CN=skurut19.cesnet.cz voce'"
VO_VOCE_VOMS_CA_DN="'/DC=cz/DC=cesnet-ca/CN=CESNET CA'"
where SE_HOST is an SE of any VOCE organization (if your organization does not have an SE, please use dpm1.egee.cesnet.cz).
And add the users to the users.conf file too. E.g:
19488:voceprd:1077:voce:voce:prd:
19489:vocesgm:1077:voce:voce:sgm:
19114:voce001:1077:voce:voce::
19122:voce002:1077:voce:voce::
19123:voce003:1077:voce:voce::
19124:voce004:1077:voce:voce::
19128:voce005:1077:voce:voce::
19129:voce006:1077:voce:voce::
19130:voce007:1077:voce:voce::
19131:voce008:1077:voce:voce::
19132:voce009:1077:voce:voce::
19133:voce010:1077:voce:voce::
19134:voce011:1077:voce:voce::
19138:voce012:1077:voce:voce::
19144:voce013:1077:voce:voce::
19145:voce014:1077:voce:voce::
19146:voce015:1077:voce:voce::
19147:voce016:1077:voce:voce::
19148:voce017:1077:voce:voce::
19149:voce018:1077:voce:voce::
19150:voce019:1077:voce:voce::
19151:voce020:1077:voce:voce::
And add the users to the group.conf file too. E.g:
"/VO=voce/GROUP=/voce/ROLE=lcgadmin":::sgm:
"/VO=voce/GROUP=/voce/ROLE=production":::prd:
"/VO=voce/GROUP=/voce"::::
It is also necessary to have the certificate of our VOMS server skurut19.cesnet.cz installed in /etc/grid-security/vomsdir. To get the certificate, please check the VOCE card at the CIC portal.
More information about YAIM can be found at yaim.info and in the configuration template at "/opt/glite/yaim/examples/siteinfo/site-info.def".
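A lint for the users.conf and group.conf fragments above that can be run before YAIM: it reports malformed lines, duplicate UIDs or logins among the pool accounts, and flags (prd, sgm) that appear in only one of the two files. This is an added example, not part of YAIM or the original page; the function names are assumptions and the line formats are inferred from the samples shown above.

```shell
#!/bin/sh
# Added example, not part of YAIM. Line formats are taken from the samples above:
#   users.conf:  UID:LOGIN:GID:GROUP:VO:FLAG:      group.conf:  "FQAN":::FLAG:
# Prints one line per finding and returns non-zero if there is any.
check_vo_conf() {  # usage: check_vo_conf users.conf group.conf
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
        FILENAME == ARGV[1] {                         # first file: users.conf
            if (NF != 7 || $1 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/) {
                print "users.conf:" FNR ": malformed entry"; bad = 1; next }
            # Two pool accounts with one UID are the same Unix user: no isolation.
            if ($1 in uid)   { print "duplicate UID " $1 ": " uid[$1] " and " $2; bad = 1 }
            if ($2 in login) { print "duplicate login " $2; bad = 1 }
            uid[$1] = $2; login[$2] = 1; used[$6] = 1
            next
        }
        {                                             # second file: group.conf
            if (NF != 5 || $1 !~ /^"\/VO=.*"$/) {
                print "group.conf:" FNR ": malformed entry"; bad = 1; next }
            mapped[$4] = 1
        }
        END {
            for (f in used) if (!(f in mapped)) {
                print "flag [" f "] has accounts but no group.conf mapping"; bad = 1 }
            for (f in mapped) if (!(f in used)) {
                print "flag [" f "] is mapped but has no account"; bad = 1 }
            exit bad + 0
        }' "$1" "$2"
}

# Constructed sample: a shortened copy of the entries above, with voce002
# deliberately given the UID of voce001 to show a finding.
demo_check() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '19488:voceprd:1077:voce:voce:prd:' '19489:vocesgm:1077:voce:voce:sgm:' \
        '19114:voce001:1077:voce:voce::' '19114:voce002:1077:voce:voce::' > "$d/users.conf"
    printf '%s\n' '"/VO=voce/GROUP=/voce/ROLE=lcgadmin":::sgm:' \
        '"/VO=voce/GROUP=/voce/ROLE=production":::prd:' '"/VO=voce/GROUP=/voce"::::' > "$d/group.conf"
    check_vo_conf "$d/users.conf" "$d/group.conf"; rc=$?
    rm -rf "$d"; return $rc
}
```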
We also have LFC (LFC = LCG File Catalog = LHC Computing Grid File Catalog = Large Hadron Collider Computing Grid File Catalog) at lfc1.egee.cesnet.cz

