Dzero VO - re-signing problems

Recently there has been a mass mailing of notices that people's "dzero VO" membership is about to expire. This is an explanation of what that notice is, what it means to most users and how to actually do what it asks you to do.

A VO (Virtual Organization) is an organization that is recognized by suppliers of Grid resources, that negotiates use of those resources on your behalf and that can verify your identity. Membership in a VO, and authentication through the VO when you attempt to use those resources, is what gives you access to resources on the Grid. Dzero has such a VO, as do CMS, Atlas, etc. You can belong to more than one VO and can choose which one to use for a given activity.

You are already a member of the dzero VO or you would not have gotten the notice. So it does no good to attempt to register again, even if that's the only choice presented to you.

A few years ago everyone who had signed up for a SAM account at DØ (a username/password type of access) was registered automatically with the dzero VO. The certificate used was the one that is generated from your kerberos ticket, the KCA certificate. The VO, and the Grid in general, knows you by the certificate that you present to it. So whenever you do anything on the Grid, or with the VO, you must present a certificate that it recognizes. More on this later.


Now about this notice that you've received.

As a normal part of using any Grid resource, you are required to re-sign the Grid and VO (Virtual Organization) AUP (Acceptable Use Policy) once per year to maintain your membership. All SAM resources are now considered Grid resources and your authorization is through the Dzero VO. HOWEVER, if you

then you don't need a valid VO registration.

So your options are:

  1. Ignore this notice. I think this is a valid option. But if you continue to get the notices, then you'll have to do one of the following.
  2. Or, if you know that you won't be using any Grid or SAM resources, you can ask the VO administrator (me) to remove you from the VO. A mailto: address to an administrator is in the notice.
  3. Or, you can just re-sign the AUP by clicking on the re-sign link provided. That should get you to a web page where you can click on and read "the Grid and VO AUPs". When you are done, you should be able to click on "I have read and agree to the Grid and VO AUPs" link and you're done.
I would recommend the latter. But for most people who almost never use any of these services, it won't work right off. The following is an attempt to list the most common reasons why, and to give solutions.

First a general statement:
Grid tools, including VOMRS, which you are using here, determine your identity from a "certificate" that you (or your browser in this case) present. They decide whether to trust the information in the certificate based on the trust status of the certificate issuer (the Certificate Authority (CA)). In order for any operation with the VO to work, the VO (VOMRS) must be able to recognize who you are and must trust the entire chain of signing CAs, from the CA that issued your certificate up to a root it already trusts.

In order for that to happen:

Now to reasons that things might not work and possible solutions.
  1. If you are not able to access the web site at all. This can occur for several reasons.
    NOTE: There are NO on-site/off-site restrictions on access.
    1. Most often the problem is that you don't have the correct certificate loaded into your browser, or it has expired. The certificate's Distinguished Name (DN) and Certificate Authority (CA) needed are listed in the email you received. Depending on your browser you may see any of several error messages if you have no certificate loaded, or only expired ones:
          "vomrs.fnal.gov has received an incorrect or unexpected message. Error Code: -12227" 
      
      or you may just see an empty pop-up window asking you to choose a certificate to present.
      1. The DN for most D0 people is the one of the form:
            /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=<name>/CN=UID:<username>
        and is issued by
            /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA
        This is the Fermilab Kerberos derived certificate and is valid for at most one week, so it needs to be renewed frequently.
        NOTE: if the DN contains /USERID=<username> or /UID=<username> (an older DN format), see item 2.2.2 below.

        By far the easiest way to use this certificate is:

        1. login to ClueD0
        2. kinit -f -r7d (get the maximum renewable time, will get you the maximum certificate lifetime)
        3. get-cert.sh -i (convert ticket to certificate and load into several Linux browsers including firefox)
        4. READ and follow the instructions. You MUST give one password, and if your browser's password cache is password protected, the password for each of those browsers as well.
        5. Start firefox
        6. If you have more than one certificate loaded, be sure to tell your browser to ask every time, which one to present. If you don't do this the browser will inevitably present the wrong one.
        7. Cut and paste URL into the address bar.
        8. You may need to accept the CA as a valid authority (in firefox, "grant an exception").
        9. At this point you should be able to login, but you may not get the re-sign screen. In that case, see item 2 below.
      2. if you use another certificate, you must load that into your browser. Where you get it from and how you load it are well beyond the scope of this article.
    2. If your browser complains that the SITE isn't trusted, you must tell it to trust it. How this is done depends on the browser. USUALLY this just requires you to accept the SITE's certificate. But you may also need to edit your preferences/options to tell the browser that this is a trusted domain. I've had to change the security settings on my browser as well.
    3. If the CA of your certificate isn't trusted, or has expired, you must tell your browser to fetch a new one or to trust this one. USUALLY this just requires you to "grant an exception" (firefox) but other action may be needed.
  2. If you can login to the site, but the top of the main screen does NOT say:
      "Re-sign the Grid and VO AUPs"
    most often the left hand menu will only give you a choice to:
      "Register (Phase 1)"
    1. check that you are logged in with the correct certificate. The one your browser presented is listed in tiny red letters at the bottom left of the page. Compare that with the one in your email. If you are seeing this screen, they almost certainly differ. The DNs have to match exactly, the whole thing. It's a string comparison: a "." after your middle initial can be enough of a difference, as can an extra space.
    2. either
      1. load the correct certificate into your browser and present that
        (tell browser to ask you which one to present)
      2. cut and paste the two lines in red at the bottom left into an email and send it to me, preferably forward the original email with this added information and a description of what you've done and what you see. I'll add the new certificate to your record and then you can try again. The format of the DN has changed several times and many users' records haven't been changed to keep up. So we have to catch those by hand.
  3. If you can login to the site and the top line of the main frame is
      Re-sign the Grid and VO AUPs
    but the "I have read and agree..." button doesn't seem to work:
    1. You MUST download (and read) the PDF document at
        "the Grid and VO AUPs"
      link. You should also at least skim the documents at the links listed in the PDF.
    2. You MUST have cookies enabled so that the site can verify that you have downloaded the document.
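As an added illustration of the exact-match rule in item 2 above (this is example code written for this page, not VOMRS or Fermilab tooling), the following script compares the DN your browser presented (the red text at the bottom left) with the DN quoted in the notice, points at the first differing character and the RDN it falls in, and flags the old /USERID= and /UID= forms that have to go to the administrator. The sample DNs in it are constructed, and the function names are the example's own.

```python
"""Added example for this page (not VOMRS or Fermilab code): compare the DN
the browser presented with the DN quoted in the VO notice.

VOMRS matches DNs by plain string comparison, so this points at the exact
character where two DNs diverge and flags the old DN forms the page says
must be fixed by the VO administrator.
"""
import sys

# Constructed sample values for illustration only; not real Fermilab records.
EMAIL_DN = "/DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Jane Q Public/CN=UID:jqpublic"
KCA_ISSUER = "/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA"
LEGACY_MARKERS = ("/USERID=", "/UID=")  # older DN forms: record must be fixed by hand


def split_rdns(dn):
    """Split an OpenSSL one-line DN ("/k=v/k=v") into (key, value) pairs.

    Assumes values hold no unescaped "/" (true of the KCA DNs on the page);
    a backslash-escaped slash inside a value is kept as a literal "/".
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == "/":                          # RDN separator
            if cur:
                rdns.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        rdns.append("".join(cur))
    return [tuple(r.partition("=")[::2]) for r in rdns]


def first_difference(a, b):
    """Offset of the first differing character, or None if a == b.
    This is the whole of the check VOMRS does, so it is the one that matters."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def is_kca_issued(issuer_dn):
    """True for the Kerberized CA: those certificates live at most one week,
    so an expired one is the usual reason the browser has nothing to present."""
    return issuer_dn == KCA_ISSUER


def diagnose(presented_dn, expected_dn):
    """Classify the DN shown in red at the bottom left of the VOMRS page
    against the DN quoted in the notice e-mail.

    Returns (status, detail); statuses follow the page's troubleshooting list:
      match     -> VOMRS knows you; expect the re-sign screen
      legacy-dn -> old /USERID= or /UID= form; send both red lines to the admin
      mismatch  -> load the right certificate, or send the red lines to the admin
    """
    if presented_dn == expected_dn:
        return "match", "DN is identical to the one in the notice"
    if any(m in presented_dn for m in LEGACY_MARKERS):
        return "legacy-dn", "old DN format; the VO record has to be updated by hand"
    off = first_difference(presented_dn, expected_dn)
    for (pk, pv), (ek, ev) in zip(split_rdns(presented_dn), split_rdns(expected_dn)):
        if (pk, pv) != (ek, ev):
            return "mismatch", "%s=%r presented, %s=%r expected (first differing character at offset %d)" % (pk, pv, ek, ev, off)
    return "mismatch", "different number of RDNs (first differing character at offset %d)" % off


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        presented, expected = sys.argv[1], sys.argv[2]
        issuer = sys.argv[3] if len(sys.argv) > 3 else KCA_ISSUER
    else:
        # Demo with the page's own example: a "." after the middle initial.
        presented, expected, issuer = EMAIL_DN.replace("Jane Q ", "Jane Q. "), EMAIL_DN, KCA_ISSUER
    status, detail = diagnose(presented, expected)
    print("%s: %s" % (status, detail))
    if status != "match" and is_kca_issued(issuer):
        print("hint: KCA certificates last at most a week; renew with")
        print("      kinit -f -r7d && get-cert.sh -i   and then try again")
```

Run it with the two DNs as arguments (quote them, they contain spaces), optionally followed by the issuer DN; with no arguments it runs the dotted-middle-initial case from the page and shows exactly which RDN and which character broke the match.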

A suggestion from Harold Fox: You can copy the x509 certificate produced by get-cert.sh on ClueD0 from /tmp/ (you are given the name by get-cert.sh) to your remote machine. Load the certificate into your remote browser and you can run the browser on your remote machine. That's a LOT better performance.
NOTE: there is no password on the x509 certificate file, but only you should have read access to it, so that's OK. Since the file carries the private key your browser will present, copy it with scp (or another encrypted channel) rather than a plain-text one, and make sure the copy on the remote machine is readable only by you (mode 0600) before you import it. Your browser will ask for a password though. Just click continue or hit enter, as appropriate.

If everything fails, let me know. I'll send you the AUP. Once you have assured me that you've read it and agree to it (it's pretty trivial) I'll update your status.

Alan


Finally, if you find a problem, a case, a correction or a more thorough explanation or fix, please let me know. Alan
Alan Jonckheere
Last modified: Thu Mar 26 11:52:03 CDT 2009