Currently, two technologies are involved in Authentication (AuthN for short) and Authorization (AuthZ) on the computing grid: VOMS proxy certificates and JWT access tokens, covered in the two sections below.

These technologies allow users to interact with the grid middleware: for example HTCondor-CE and ARC-CE for computing job submission, and StoRM, dCache, XRootD, etc. for storage management.

This guide provides instructions for using the corresponding command line clients.

VOMS

A VOMS proxy is a file, typically stored in /tmp/x509up_u$UID, that contains a certificate chain and a private key and is used to interact with grid middleware. The proxy's private key is stored unencrypted, which is why the file is created readable only by its owner and kept short-lived. The proxy descends from a grid-enabled (i.e. IGTF) personal certificate and is shorter-lived than it, typically 12 hours.

For generating a proxy certificate, use the following command: 

[ashtimmerman@ui-tier1 ~]$ voms-proxy-init
Enter GRID pass phrase for this identity:
Created proxy in /tmp/x509up_u10171.
Your proxy is valid until Wed Jun 18 07:04:04 CEST 2025

For generating a proxy certificate that carries the attributes of a Virtual Organization (VO), use the following command:

$ voms-proxy-init --voms <VO_name>

[ashtimmerman@ui-tier1 ~]$ voms-proxy-init --voms juno
Enter GRID pass phrase for this identity:
Contacting voms-juno.cloud.cnaf.infn.it:15008 [/DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=voms-juno.cloud.cnaf.infn.it] "juno"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u10171.
Your proxy is valid until Mon Jun 30 22:14:31 CEST 2025

For displaying basic information about the current VOMS proxy, use the following command: 

[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all 
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1171514709
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=voms-juno.cloud.cnaf.infn.it
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 11:58:42
uri       : voms-juno.cloud.cnaf.infn.it:15008
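As an added example (not part of this guide), a small POSIX shell script that parses the voms-proxy-info --all layout shown above and decides whether the proxy must be renewed before jobs are submitted; the renewal threshold MIN_SECONDS and the sample output are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide: decide whether a VOMS proxy
# must be renewed before submitting jobs, using the text layout that
# `voms-proxy-info --all` prints. MIN_SECONDS and the sample are constructed.

MIN_SECONDS=3600   # renew when less than one hour is left (assumed policy)

# Constructed sample, cut down from the --all output: the proxy itself has
# almost 12 hours left, but the VO attribute certificate only 20 minutes.
SAMPLE_INFO='subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=INFN/CN=Example User/CN=1171514709
type      : RFC3820 compliant impersonation proxy
timeleft  : 11:58:42
=== VO juno extension information ===
VO        : juno
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 00:20:00
uri       : voms-juno.cloud.cnaf.infn.it:15008'

# min_timeleft: read voms-proxy-info --all text on stdin and print the smallest
# "timeleft" value in seconds, i.e. whichever of the proxy and the VO extension
# expires first. Prints 0 when no timeleft line exists ("Proxy not found").
min_timeleft() {
  awk '$1 == "timeleft" {
         split($3, t, ":"); s = t[1] * 3600 + t[2] * 60 + t[3]
         if (min == "" || s < min) min = s
       }
       END { print (min == "" ? 0 : min) }'
}

# has_vo: succeed if the text on stdin carries an attribute line for VO $1,
# i.e. the proxy was created with --voms and not as a plain proxy.
has_vo() { grep -q "^attribute *: */$1/"; }

# proxy_ok: succeed only if the text on stdin describes a proxy with at least
# MIN_SECONDS left on both the proxy and the VO extension, and for VO $1.
proxy_ok() {
  text=$(cat)
  left=$(printf '%s\n' "$text" | min_timeleft)
  [ "$left" -ge "$MIN_SECONDS" ] && printf '%s\n' "$text" | has_vo "$1"
}

# In real use, feed the live tool output and renew on failure:
#   voms-proxy-info --all 2>/dev/null | proxy_ok juno || voms-proxy-init --voms juno
printf '%s\n' "$SAMPLE_INFO" | proxy_ok juno && echo "proxy usable" || echo "proxy must be renewed"
```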

For displaying the entire certificate chain, including intermediate and root certificates used to validate the proxy, use the following command: 

[ashtimmermanus@ui-tier1 ~]$ voms-proxy-info --all --chain
=== Proxy Chain Information ===
X.509 v3 certificate
Subject: CN=1479623907,CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Valid from: Tue Jun 17 19:04:04 CEST 2025
Valid to: Wed Jun 18 07:04:04 CEST 2025
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Serial number: 1479623907
VOMS extensions: no.

X.509 v3 certificate
Subject: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=GEANT TCS Authentication RSA CA 4B,O=GEANT Vereniging,C=NL
Valid from: Fri Nov 22 09:08:54 CET 2024
Valid to: Mon Dec 22 09:08:54 CET 2025
Subject alternative names: 
  email: aksieniia.shtimmerman@cnaf.infn.it
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Allowed extended usage: clientAuth emailProtection
Serial number: 101113208650839486715316733014861942537

=== Proxy Information ===
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1479623907
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:42:28
key usage : Digital Signature, Key Encipherment

For removing the current VOMS proxy certificate from the system, use the following command: 

[ashtimmerman@ui-tier1 ~]$ voms-proxy-destroy
[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all
Proxy not found: /tmp/x509up_u10171 (No such file or directory)

JWT

To initialize the oidc-agent service and obtain an access token, first start the agent with the following command:

[ashtimmerman@ui-tier1 ~]$ eval $(oidc-agent-service use)  
54956

To avoid having to run eval $(oidc-agent-service use) manually every time you open a new terminal session, add the following line at the end of your ~/.bashrc and apply the change with source ~/.bashrc:

eval "$(oidc-agent-service use)"

Use oidc-gen to register a client and obtain tokens. To use HTCondor, you must include the following scopes: compute.read, compute.create, compute.cancel, compute.modify, openid, profile and offline_access:

$ oidc-gen -w device <client_name>

[ashtimmerman@ui-tier1 ~]$ oidc-gen -w device axy
[1] https://iam-t1-computing.cloud.cnaf.infn.it/
[...]
Issuer [https://iam-t1-computing.cloud.cnaf.infn.it/]: 
The following scopes are supported: openid profile email address phone offline_access eduperson_scoped_affiliation eduperson_entitlement eduperson_assurance entitlements wlcg.groups compute.read compute.create compute.cancel compute.modify storage.read storage.create storage.modify storage.stage
Scopes or 'max' (space separated) [openid profile offline_access]: compute.read compute.create compute.cancel compute.modify openid profile offline_access
Registering Client ...
Generating account configuration ...
accepted

Using a browser on any device, visit:
https://iam-t1-computing.cloud.cnaf.infn.it/device

And enter the code: REDACTED
Alternatively you can use the following QR code to visit the above listed URL.

Enter encryption password for account configuration <client_name>: 
Confirm encryption password: 
Everything setup correctly!

To load an existing account configuration, use the following command: 

$ oidc-add <client_name>

[ashtimmerman@ui-tier1 ~]$ oidc-add axy
Enter decryption password for account config 'axy': 
success

To list all existing account configurations:

[ashtimmerman@ui-tier1 ~]$ oidc-add -l
The following account configurations are usable: 
axy
myobolicatest
t1-computing

The same list is also printed by:

[ashtimmerman@ui-tier1 ~]$ oidc-gen -l

The list of the currently loaded accounts can be retrieved with:

[ashtimmermanus@ui-tier1 ~]$ oidc-add -a
The following account configurations are currently loaded: 
axy

To verify the correct setup, request a token for the account with the following command:

$ oidc-token <client_name>

[ashtimmerman@ui-tier1 ~]$ oidc-token axy
[eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ............]

To obtain an OIDC bearer token and store it in the BEARER_TOKEN environment variable, use the following command: 

[ashtimmerman@ui-tier1 ~]$ export BEARER_TOKEN=$(oidc-token <client_name>)
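As an added example (not part of this guide), a POSIX shell script that decodes the payload of the token returned by oidc-token and refuses to export it as BEARER_TOKEN if it has expired or lacks the HTCondor scopes listed above; the sample token is constructed locally with a placeholder signature, so no real signature is verified here.

```shell
#!/bin/sh
# Added example, not part of the original guide: inspect the access token that
# `oidc-token <client_name>` returns before exporting it as BEARER_TOKEN, and
# refuse tokens that are expired or lack the scopes HTCondor needs. The sample
# token built below is constructed here and carries only a placeholder signature.

REQUIRED_SCOPES="compute.read compute.create compute.cancel compute.modify openid profile offline_access"

# JWT segments are base64url without padding; convert to/from standard base64.
b64url_encode() { base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# jwt_payload: print the decoded JSON claims (second dot-separated segment).
jwt_payload() { printf '%s' "$1" | cut -d. -f2 | b64url_decode; }

# Extract the two claims we check from the flat claims object of an IAM token.
scope_claim() { printf '%s' "$1" | sed -n 's/.*"scope" *: *"\([^"]*\)".*/\1/p'; }
exp_claim()   { printf '%s' "$1" | sed -n 's/.*"exp" *: *\([0-9]*\).*/\1/p'; }

# token_ok: succeed only if token $1 has not expired and its scope claim
# contains every scope in REQUIRED_SCOPES.
token_ok() {
  payload=$(jwt_payload "$1") || return 1
  exp=$(exp_claim "$payload"); now=$(date +%s)
  [ -n "$exp" ] && [ "$exp" -gt "$now" ] || return 1
  scopes=" $(scope_claim "$payload") "
  for s in $REQUIRED_SCOPES; do
    case "$scopes" in *" $s "*) ;; *) return 1 ;; esac
  done
}

# make_jwt: build an unsigned sample token from a JSON payload, only so the
# checks above can be exercised offline (constructed; never use for real auth).
make_jwt() {
  h=$(printf '%s' '{"kid":"rsa1","alg":"RS256"}' | b64url_encode)
  p=$(printf '%s' "$1" | b64url_encode)
  printf '%s.%s.%s' "$h" "$p" "placeholder-signature"
}

# Real use: TOKEN=$(oidc-token axy) && token_ok "$TOKEN" && export BEARER_TOKEN=$TOKEN
GOOD=$(make_jwt "{\"iss\":\"https://iam-t1-computing.cloud.cnaf.infn.it/\",\"exp\":$(( $(date +%s) + 3600 )),\"scope\":\"$REQUIRED_SCOPES\"}")
token_ok "$GOOD" && echo "token accepted: exp and scopes OK"
```

The check reads only the payload; the issuer's signature is still verified by the service that receives the token, so this is a local sanity check, not a substitute for that verification.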