MGRID Portal How-To

Installing kx509 for Mozilla/Netscape on Linux
Grid-Enable Your Browser > Installing kx509 for Mozilla/Netscape on Linux

IMPORTANT: Before you begin, make sure that your computer's time and time zone are correct. Portal authentication will not work if your computr's clock is more than five minutes from the Kerberos server.

1. Download

The instructions for Mozilla and Netscape are the same, however the browser appears slightly differently. You can use these instructions for either browser.

Your host must have Kerberos version 5 installed in your system. Most Linux systems have this already. To check if you have it, check that you can execute the klist command:

%/usr/kerberos/bin/klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_136962)

Kerberos 4 ticket cache: /tmp/tkt136962
klist: You have no tickets cached

Note: some systems have another version of the Kerberos tools that are not compatible. The incompatible klist and kinit are usually in the /usr/java/j2sdk1.4.2_03/bin directory.

If entering "klist" at the command prompt, and you get the output below, then you are not using the proper version of the Kerberos tools.

%klist
Credentials cache /tmp/krb5cc_136962 not found.

You should have /usr/kerberos/bin in your path to execute the proper version.

If you do not have Kerberos, have your system administrator install it, or download and install it yourself from the MIT Kerberos Distribution Page.

Next, download the following file (by right clicking on it and selecting "Save Link Target As...") and put it in the /etc directory. This requires root privileges. If you suspect that you are using your current /etc/krb5.conf, then it would be prudent to save a copy of it before overwriting it:

krb5.conf

2. Certificates

To provide a chain of authentication, your browser needs the following certificates. For each of these, download them by clicking on them.

cren_ca.crt Education and Research Client CA
umich_root.crt University of Michigan Root CA
umich_ca.crt UMICH Kerberos Certification Authority
mgrid.crt MGRID

You will be presented with the "Downloading Certificate" dialog below. Select "Trust this CA to identify web sites." and then click "OK".

Downloading Certificate

3. kx509

Download the kx509 security module below by right-clicking on it and then using "Save As...".

libpkcs11.so

Or, if you are using Fedora Core 3 or later, use this one instead:

libpkcs11.so.0.1

NOTE: This file has been compiled for RedHat 9 / Fedora Core 3. If you are running a different version of Linux, these may not work for you and you may need to download and compile the source from kpkcs11.tar.gz.

Put it into the .mozilla directory (under your home directory). Use the "F8" function key to show hidden files (Any file preceded by a "." is considered hidden).

Use
Edit -->
Preferences... -->
Privacy & Security -->
Certificates -->

to bring up the dialog below:

Preferences

Click on "Manage Security Devices..." to bring up the "Device Manager" dialog.

Device Manager

Click on "Load" to bring up the following dialog:

Load PKCS

Click on "Browse..." and select the libpkcs11.so file. After selecting the libpkcs11.so file, click "OK" from the above dialog.

When give the following prompt, click "OK":

Confirm

The browser will respond with the following confirmation:

Alert

Exit the "Device Manager" and "Preferences" dialogs by clicking "OK".

4. Authenticate

Download the following files into the /usr/bin directory (this requires root privileges) by right-clicking on them and using "Save Link Target As...". Note: you can put these in another directory, just make sure that they are on your path.

kx509 kx509 binary
kxlist lists certificates
kin authentication script

Make sure that they can be executed by setting the mode by issuing the following shell command:

%chmod 755 /usr/bin/kx509 /usr/bin/kxlist /usr/bin/kin

From a command line, execute the "kin" command. It will prompt you for your UMICH password, and respond as shown below, with the "notAfter" field indicating when the certificate will expire, and you must again run the "kin" command.

%kin
Password for irrer@UMICH.EDU:
notAfter=May 6 02:40:58 2004 GMT

The above command authenticates you and creates a certificate. This certificate is good for a short time. To find out when your certificate wil expire, use the klist command as shown below:

%klist
Ticket cache: FILE:/tmp/krb5cc_136962
Default principal: irrer@UMICH.EDU

Valid starting

Expires

Service principal

01/29/04 13:54:04

01/29/04 23:54:04 krbtgt/UMICH.EDU@UMICH.EDU
01/29/04 13:54:06 01/29/04 23:54:04 kca_service/fall.ifs.umich.edu@UMICH.EDU
01/28/04 13:54:06 01/29/04 23:54:04 kx509/certificate@UMICH.EDU

Kerberos 4 ticket cache: /tmp/tkt136962
klist: You have no tickets cached

5. Try It

The MGRID portal is accessable from this web page.

The first time you use this web site you may be given the following warning. Select "Accept this certificate permanantly":

Website Certified by an Unknown Authority

Next you wil be shown the warning below, at which just click "OK":

Security Warning

If you have not authenticated properly, you will get the following message:


MGRID How-to

Grid-Enable Your Browser
Submit a Simple Interactive Job
Schedule a Non-Interactive Job
Monitor Your Non-Interactive Jobs
Change Authorization
When Your Certificate Will Expire
How Much Resources People Use
Upload and Download Your Files Into and Out of MGRID
What Computing Clusters are Available from MGRID
What Technology MGRID Uses
Typical MGRID User Steps

Close