How to join
Generally speaking, any person from the CE region who works in an academic environment is a suitable candidate for an account at VOCE. Because work in a distributed grid environment requires secure access to resources, you must obtain a valid personal certificate from an internationally accepted certification authority in order to use the provided computational infrastructure.
Please read the following information on VOCE-specific topics in these two categories:
User registration procedure
Computational resources setup
How to obtain a personal certificate
A certificate is a data file whose function is similar to an ID card or a driving licence, i.e.
it is intended for authentication of the certificate owner. Every certificate is digitally signed and
its validity is limited by an expiration time. A valid personal certificate can be obtained from a
local certification authority (CA). A certification authority issues certificates to enable the
establishment of trust, manages their issuing and can also revoke them (cancel their
validity). The list of CAs accepted for VOCE purposes is based on the authoritative
EUGridPMA list. The list of currently supported CAs, together with a step-by-step guide to obtaining a
personal certificate from a specific CA, can be found in
To start and successfully complete the registration process, your personal certificate must be loaded into your web browser. Browsers (including Internet Explorer, Netscape and Mozilla) use a different certificate format from the grid middleware: browsers require a format called PKCS12, whereas grid software uses PEM format. If your certificate was issued to you in PEM format, you have to install the OpenSSL package (usually preinstalled on Linux distributions; binaries are also available for MS Windows) to convert the certificate from PEM format to PKCS12 format. Use the following command on a machine with OpenSSL installed to convert the certificate to the desired format:
openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out my_cert.p12 -name "My certificate"
userkey.pem -- The path to your private key file.
usercert.pem -- The path to your certificate file.
my_cert.p12 -- The path for the PKCS12 format file output.
"My certificate" -- An optional name which can be used to select this certificate in the browser after you have loaded it if you have more than one loaded.
You will be asked for two passwords: one set when you exported the certificate from the browser; the other is the password of the private key. It is safe to use the same password. When you have finished exporting the certificate, you have to import it into your browser. Instructions for loading certificates into some common browsers are given below.
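The checks worth running around the conversion command above, as an added example that is not part of the original VOCE page: it confirms that the private key belongs to the certificate and that the certificate has not expired, writes the PKCS12 file with owner-only permissions, and verifies that the bundle carries the same certificate. The function names and the KEY_PASS / P12_PASS environment variables are assumptions, and the test identity is a constructed self-signed certificate.

```sh
# Added example: checks around the PEM -> PKCS12 conversion.
# Passphrases come from KEY_PASS / P12_PASS (assumed variable names), so they
# never appear on the command line or in shell history.

# Succeeds only if the certificate and the private key share a public key.
cert_matches_key() (   # usage: cert_matches_key usercert.pem userkey.pem
  c=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
  k=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout) || exit 1
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# Succeeds if the certificate does not expire within the next $2 days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

sha256_fp() { openssl x509 -noout -fingerprint -sha256; }   # reads PEM on stdin

# Convert, then confirm the bundle carries the same certificate.
pem_to_p12() {   # usage: pem_to_p12 usercert.pem userkey.pem my_cert.p12
  cert_matches_key "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
  cert_valid_for_days "$1" 0 || { echo "certificate has expired" >&2; return 1; }
  ( umask 077   # the .p12 contains the private key: owner-only permissions
    openssl pkcs12 -export -inkey "$2" -in "$1" -out "$3" \
      -name "My certificate" -passin env:KEY_PASS -passout env:P12_PASS
  ) || return 1
  [ "$(sha256_fp < "$1")" = \
    "$(openssl pkcs12 -in "$3" -nokeys -clcerts -passin env:P12_PASS | sha256_fp)" ]
}

# Constructed input: a throwaway self-signed certificate, not a real grid one.
make_test_identity() {   # usage: make_test_identity dir name
  openssl req -x509 -newkey rsa:2048 -days 30 -subj "/CN=Constructed User $2" \
    -passout env:KEY_PASS -keyout "$1/$2key.pem" -out "$1/$2cert.pem" 2>/dev/null
}

demo() {
  export KEY_PASS='constructed-key-pass' P12_PASS='constructed-p12-pass'
  d=$(mktemp -d) || return 1
  make_test_identity "$d" a && make_test_identity "$d" b || return 1
  pem_to_p12 "$d/acert.pem" "$d/akey.pem" "$d/my_cert.p12" && echo "export verified"
  pem_to_p12 "$d/acert.pem" "$d/bkey.pem" "$d/bad.p12" || echo "mismatch rejected"
  rm -rf "$d"
}
demo
```

With a real certificate, export KEY_PASS and P12_PASS in the current shell first and call `pem_to_p12 usercert.pem userkey.pem my_cert.p12`.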
Firefox
1. Start Firefox
2. Go to the Tools menu and select "Options...".
3. Select "Advanced".
4. Scroll down to "Certificates/Client Certificate Selection" and check "Ask Every Time".
5. Click on "Manage Certificates".
6. Click on "Import".
7. Give the path to the file my_cert.p12. You will be asked for the master password for the Software Security Device (a password for storage of sensitive personal information in a browser) and the password used to encrypt the certificate backup.
Mozilla or Netscape
1. Start Mozilla or Netscape
2. Go to the Edit menu and select "Preferences -> Privacy & Security -> Certificates -> Manage Certificates"
3. Choose Import Certificate option
4. Give the path to the file my_cert.p12.
5. Go to the Edit menu and select "Preferences -> Privacy & Security -> Certificates -> Master Passw...
6. At the "Master Password Timeout" box, check "Every time it is needed". Note that this step is needed to prevent web servers from extracting your credentials from your browser without your consent.
Internet Explorer
1. Start Internet Explorer
2. Go to the Tools menu and select "Internet Options".
3. Choose the Content tab and click on Certificates which will open a dialogue box.
4. Click on Import to start the Import wizard and follow the instructions. In the password dialog box, type the password for your private key and check "Enable strong private key protection". Note that this step is needed to prevent web servers from extracting your credentials from your browser without your consent. The certificate should go into the "Personal" certificate store, and you should also select "high security" to prevent Internet Explorer from saving your pass phrase.
We also allow users to manage their personal certificates registered in VOCE (modify them and/or add a new one). However, this procedure must be handled manually by the VOCE administrators. Therefore every user is kindly requested to send an email containing the new certificate to be added before the expiration date of the personal certificate he/she uses for accessing VOCE resources. We need the complete certificate, not just the subject name, so please ensure the mail contains the output of the following command:
It is also important to take into account that a user can have his/her personal certificate registered in only one virtual organization. Therefore, accessing virtual organizations other than VOCE requires another personal certificate!
If you are interested in using VOCE resources, please visit and fill in the VOCE registration form (using a browser with your personal certificate loaded).
Your VOCE membership is bound to the extension of your VOCE account, which is required at the end of each year. Your VOCE account can be extended online by filling in a form field in which you have to describe your current VOCE activities, including new and planned ones.
All VOCE users are separated into VOCE institutions. Each VOCE institution is composed of a set of users that are managed autonomously by a dedicated administrator. Users' membership in a VOCE institution is defined using the users' subject names. A VOCE institution can either be linked to an existing organization participating in EGEE or be a virtual entity grouping a set of people, created in order to ease their administration. In each country there is a catch-all institution, which handles users that do not fall into any existing VOCE institution.
|Austria, Austrian Grid CA||
|Croatia, SRCE CA||
|Czech Republic, CESNET CA, Step by Step Guide||
|Hungary, NIIF CA||
|MTA SZTAKI||/C=HU/O=KFKI RMKI CA/OU=SZTAKI/|
||/C=HU/O=NIIF/OU=Certificate Authorities/CN=NIIF Root CA|
|NIIF||/C=HU/O=KFKI RMKI CA/OU=NIIF/|
|KFKI RMKI||/C=HU/O=KFKI RMKI CA/OU=KFKI RMKI/|
|ELTE||/C=HU/O=KFKI RMKI CA/OU=ELTE/|
|BME||/C=HU/O=KFKI RMKI CA/OU=BME/|
|Poland, Polish Grid CA||
|Slovakia, SlovakGrid CA||
|Slovenia, SIGNET CA||
If you prefer using your own UI, you will need to configure it to support VOCE. A simple
configuration file is provided.
Save this file as: "/opt/glite/etc/voce/glite_wms.conf".
To see all details concerning access to VOCE UI, visit User Interface section.
If you are willing to offer your computational resources as part of the VOCE service, please follow
the instructions below.
Automatic configuration using YAIM with VOMS support
The automatic configurator YAIM can be used to support VOCE. To do so, please modify your site-info.def file as described below.
1. add ldap://meta-ldap.cesnet.cz/ou=People,o=VOCE,dc=eu-egee,dc=org to
2. add to the end of the file.
# egee_voce is an example of a queue that will accept voce jobs
# voce #
VO_VOCE_VOMSES="'voce skurut19.cesnet.cz 7001
where SE_HOST is an SE of any VOCE organization (if your organization does not have an SE, please use dpm1.egee.cesnet.cz)
And add the users to the users.conf file too. E.g:
And add the users to the group.conf file too. E.g:
It is also necessary to have the certificate of our VOMS server skurut19.cesnet.cz installed in /etc/grid-security/vomsdir. To get the certificate, please check the VOCE card at the CIC portal.
More information about YAIM can be found at yaim.info and in the configuration template at "/opt/glite/yaim/examples/siteinfo/site-info.def"
We also have LFC (LFC = LCG File Catalog = LHC Computing Grid File Catalog = Large Hadron Collider Computing Grid File Catalog) at lfc1.egee.cesnet.cz