Certificate F.A.Q.

Warning, important It is recommended to do it with FIREFOX Warning, important

Warning, important Even if you only want to use the DIRAC portal, you must go through all the steps below Warning, important

Get a certificate

There are two ways to get a certificate:
  1. Through CERN.
    • This should be easier. But for this your CERN account cannot be "external" (you need to be in the "USER" group, "PART" is not enough). This means that for new users they need to either show up at the User's Office to fully register, or they should opt for option 2.
    • Request a new certificate at https://ca.cern.ch/ca
  2. Through a Certification Authority (CA) of your home country. (you can find it at http://wlcg.web.cern.ch/getting-started/certificates )

Renew a certificate

Renewing really means requesting a new certificate.
  • You will have two valid certificates for a brief period. That's ok.
  • CERN certificates can be requested at https://ca.cern.ch/ca
  • You do not have to re-sign the Virtual Organisation (VO) terms and agreements (they can also expire, but independently from the certificate).

Export the certificate to your browser

Once you got your certificate you should export it. It can then be uploaded to other browser(s) and copied to lxplus for grid usage. Details and screenshots can be found in the Help Contents at https://ca.cern.ch/ca/Help/.

Note: if you have finished all the steps, and access the Dirac page with browser, make sure that your link starts with https instead of http. Find the Dirac link through google will give you the http one, from which you will have "Error Notification: Operation failed. Not a registered user".

Convert the certificate for grid usage

Once you exported your certificate transfer the p12-file to your LXPLUS home directory. Now use the command below to have your certificate properly installed in your .globus directory.
lb-dirac dirac-cert-convert MyFile.p12
Make sure that you pass phrase is not empty nor shorter than 6 characters

If you want to do this step manually, you should convert the certificate obtained above into one usable for the Grid, following instructions in https://ca.cern.ch/ca/Help/?kbid=023010. Slides 15 to 17 of the presentation show some screenshots of the procedure.

Join the LHCb Virtual Organisation

In order to be able to use your certificate for submitting jobs to the DIRAC system you need to join the LHCb Virtual Organisation (VO). To do this go to the web page https://lcg-voms2.cern.ch:8443/voms/lhcb, follow the instructions to join as explained here: https://cern.service-now.com/service-portal?id=kb_article&n=KB0003002 . You then have to wait for this to be approved (confirmation sent by mail). Warning, important : If you get the message "you are already registered, please send a mail to project-lcg-vo-lhcb-admin- at -cern.ch and ask to be remove from the VO to continue the registration.

Sign the "Grid Acceptable Use Policy" (aka AUP)

This may be done via the VOMS portal at https://lcg-voms2.cern.ch:8443/voms/lhcb/aup/load.action even if already done.

Using the certificate

After obtaining a certificate for the first time, you should upload a proxy to DIRAC, using (on lxplus) the commands:

DIRAC will remind you periodically (currently once a year), by sending you a mail whose subject is "Your proxy uploaded to DIRAC will expire in xx days", when you need to upload a new proxy.

Your proxy is necessary for accessing the bookkeeping, and of course for submitting jobs on the Grid. Once you have installed your certificate (e.g. on lxplus), get a proxy (which has a limited validity) using the lhcb-proxy-init command.

More information with lhcb-proxy-init -h (e.g. for setting a non-default validity)

Be aware that it might take about 24 hours after your Virtual Organisation membership has been approved before this works.


Operation failed: Not a registered user.

Check if lhcb-proxy-init works on lxplus and that your certificate is installed in your browser. If you have any anti-virus software installed ensure any scanning of HTTPS connections is disabled as this breaks the secure connection between your certificate and the LHCbDIRAC webserver. You can check if your connection is being intercepted by viewing the SSL certificate (search for " how to view ssl certificate NAME-OF-BROWSER"). The certificate should be signed by the "CERN Grid Certification Authority" however some anti-virus programs will replace it with their own certificate.

Edit | Attach | Watch | Print version | History: r41 < r40 < r39 < r38 < r37 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r41 - 2023-01-24 - ChristopheHaen
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LHCb/FAQ All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback