Content of this topic is adapted from https://www.gridpp.ac.uk/wiki/Instruction_for_VO_administrators#CA_rollover by kind permission of the authors with changes for the general case.
Grid users renewing their personal certificates
If your certificate identity (the Subject or DN) changes you must register the new identity in your VO(s) to maintain access to the Grid. For example, your certificate identity will change if -
- you move and get a certificate from a different Certification Authority (CA)
- your CA changes the format of your certificate Subject (or DN)
- your CA changes its own (the Issuer) certificate Subject (or DN)
In 2006 both the CERN CA and the UK eScience CA changed their certificates so the following instructions generally apply to users of these CAs when they first renew their certificate after the changes were applied.
If there are no changes to the certificate identity when the certificate is renewed then no action is necessary at the VO.
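To check whether a renewal changed your identity, compare the Subject and Issuer DNs of the old and new certificates. The following is an added example, not part of the original wiki page: it normalises DNs written either in the slash-separated form used on this page or in the comma-separated RFC 2253 form, and reports which part of the identity changed. The function names and the sample user and old-issuer DNs are constructed for illustration; comma-separated input is assumed to be in RFC 2253 order.

```python
def split_rfc2253(dn):
    """Split a comma-separated DN into components, honouring backslash-escaped
    commas. Hex escapes (a backslash followed by two hex digits) are not decoded."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts


def to_slash_form(dn):
    """Return the DN in the slash-separated form this page uses.
    Comma-separated input is assumed to be in RFC 2253 order (most specific
    component first), so its components are reversed."""
    dn = dn.strip()
    if dn.startswith("/"):
        return dn
    parts = split_rfc2253(dn)
    if not all("=" in p for p in parts):
        raise ValueError("not a DN: %r" % dn)
    return "/" + "/".join(reversed(parts))


def identity_changes(old, new):
    """old and new are (subject, issuer) pairs. Return the parts that differ;
    an empty list means no action is needed at the VO."""
    labels = ("Subject", "Issuer")
    return [lab for lab, a, b in zip(labels, old, new)
            if to_slash_form(a) != to_slash_form(b)]


# Constructed sample identities; only NEW_ISSUER is a DN quoted on this page.
NEW_ISSUER = "/C=UK/O=eScienceCA/OU=Authority/CN=CA"
OLD = ("/C=UK/O=eScience/OU=Example/CN=jane doe", "/C=XX/O=Example Old CA/CN=CA")
NEW = ("CN=jane doe,OU=Example,O=eScience,C=UK", "CN=CA,OU=Authority,O=eScienceCA,C=UK")

if __name__ == "__main__":
    print(to_slash_form(NEW[1]))   # Issuer DN in the form to enter at the VO
    print(identity_changes(OLD, NEW) or "no action needed at the VO")
```

Any non-empty result means the new identity has to be registered at the VO as described below.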
If your certificate identity does change when the certificate is renewed then the correct action depends on the registration service software that the VO uses -
- ALICE, ATLAS, CMS, LHCb and DTEAM VO users should follow the instructions for VOMRS users below.
- ESR, HONE, ILC, ZEUS, Biomed and Pheno VO users should follow the instructions for VOMS-Admin users below.
If the VO is not listed above you should contact the VO manager to find out if they use VOMRS or VOMS-Admin interfaces. VO contact information is available on the CIC Portal site.
The following schematic shows in outline the workflow for a user to register a new certificate. Detailed instructions for each step are given below.
Instructions for users of VOs using the VOMS-Admin registration interface
You have to register again. This process effectively creates a new user in the VO.
With the *new* certificate loaded in your browser, go to the VO Registration page and submit a new request to join the VO. The VO Admin will then approve (or deny) the new request.
The VO registration page is a URL like https://VOMS_Server:8443/voms/VOname/webui/request/user/create where VOMS_Server and VOname need to be replaced with the correct host address and VO name. For example, users of the Biomed VO should go to URL https://voms-biomed.in2p3.fr:8443/voms/biomed/webui/request/user/create. Note that -
- This process is independent of the old certificate being still valid or not.
- If you had any Roles or belonged to any Group those have to be re-created for the new registration by the VO manager.
- After the new registration is complete and any Roles reassigned, you should ask the VO manager to delete the old entry from the VO (there is no need to maintain entries that are not valid anymore).
If you are the VO Administrator you will have to ask the VOMS_Server system administrator to reassign the VO-Admin Role. Alternatively, while the old certificate is still valid, you can try to approve your new entry with the old certificate loaded in your browser and assign the VO-Admin Role to your (new) self.
Instructions for users of VOs using the VOMRS registration interface
There are two procedures, depending on whether your old certificate has expired or not. In both cases the entry point is the registration page for the VO: https://VOMRS_Server:8443/vo/VOname/vomrs where VOMRS_Server and VOname need to be replaced with the correct host address and VO name. Common large VOMRS VO links to be used are ATLAS, ALICE, CMS, LHCb and DTEAM.
If the old certificate has expired you have to re-register with the new certificate loaded in your browser.
- You should contact your VO manager and ask them to delete your existing entry before attempting to re-register. Once the existing entry has been deleted you should submit a new registration request at the appropriate URL as given above.
If the old certificate has not expired you can Add your new certificate to your existing registration by following these steps -
Access the registration page with the old certificate loaded in the browser.
- To add the new one you must follow the chain of links (to open the menus click on [+]) -
Open menu Member Info -> Open menu Certificates -> Add Certificate
On the form provided, enter your DN and the Issuer DN. The SN field can be left blank and there is a menu to choose from for the Issuer DN.
the new (2006) UK eScience CA DN is: /C=UK/O=eScienceCA/OU=Authority/CN=CA
the new (2006) CERN CA DN is: /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
if you visit this page with your new certificate loaded in your browser it will display the DNs.
- The VO manager will be asked to approve the addition. You will receive a notification of the changes requested and of the approval. Without the approval from the VO manager the certificate is not considered valid and will not be inserted into VOMS.
It is important that, when you receive the notification that the new certificate is approved by the VO manager, you make the new certificate identity your primary certificate before the old one expires.
- Make the new certificate your primary by following the chain of links (to open the menus click on [+]) -
Open menu Member Info -> Open menu Certificates -> Change Primary Certificate
On the form provided enter your name and click Search to locate your details.
On the table of certificates shown in the search results, select the check-box in the Select column for the certificate identity you wish to become the primary and click Submit
The primary certificate identity corresponds to the identity you use in your browser to access your VO registration details.
- When any jobs that may be running with your old certificate identity have completed, you should delete your old certificate from the VO by following the chain of links (to open the menus click on [+]) -
Open menu Member Info -> Open menu Certificates -> Delete Certificate
On the form provided enter your name and click Search to locate your details.
On the table of certificates shown in the search results, select the check-box in the Select column for the certificate identity you wish to delete and click Submit.
Instructions for VO Managers.
These instructions only apply to VOMRS VO administrators -
- To remove a user from the VO using the VOMRS interface -
- At the VOMRS service, using the left-hand menu controls -
- You have to follow the chain of links (to open the menus click on [+] ) -
Open menu VO Registration Home -> Open menu Members -> Remove
- Use the form to search for the user to remove. (the percent sign "%" can be used as a wildcard)
- Select the user to be removed by clicking the appropriate row in the right-hand 'Select' column from the search results displayed. (Note: sometimes scroll-right is needed to see the select column!)
- Click the 'Submit' button to remove the user. Confirmation or failure reason will be given by VOMRS.
Comprehensive help is available at the "Help about.." link on the Registration Homepage