User Access to BEgrid


1. Get a certificate

Authentication on BEgrid is done with certificates. The procedure to get a certificate is explained here.

Requesting and retrieving your certificate must be done with the same browser and on the same PC!

What if you can't get a certificate?

Some users cannot get a grid certificate (for example, because their home organization is not a member of the Belnet R&E Federation). Even in this case, we still have a solution for you, thanks to the per-user sub-proxies (PUSP) system. The only requirement is to have an account on our UIs (skip the next section and jump directly to this one).

2. Become member of the appropriate VO

BEgrid manages a VO called 'beapps' that is open to all Belgian researchers and can be used for production or for learning activities.

  • Go to (with the browser and PC/laptop you used to request your certificate)
  • Follow the procedure to request membership. You'll soon receive an email asking you to confirm your request. Click on the link it contains.
  • Wait up to a few days for another mail confirming your VO membership. It can still take a few hours before this membership is propagated over BEgrid.

3. Ask for a local Unix account on a User Interface

To get access to a UI, send an email to the BEgrid Team to request an account. Attach your public SSH key to the email (login with password is not allowed for security reasons), and in the body, describe yourself in a few words, including your research field and the kind of activity you intend to conduct on the BEgrid infrastructure.

For training purposes, BEgrid maintains a "non-production" UI that is much more restricted than the others (no access to global fileservers, account not created in the central account management system, etc.) but that is enough to start learning grid computing. If you want to get access to this UI, please follow this link.

The following section explains how to create your personal SSH keypair.

Create your SSH keypair

Our computing cluster is secured with SSH, and we don't allow login with password for security reasons. Instead, you must use an SSH keypair to log in. An SSH keypair is made of a public key and a private key. The procedure to generate such a keypair depends on whether your personal computer runs Windows or Linux:

Linux personal computer

Open a Unix-like shell session with your usual user account (not as root!), and type the following command:

ssh-keygen -t rsa

This will create 2 files in the $HOME/.ssh directory :


You need to send us the content of, which is your public key. The other is your private key and should never be shared.

Windows personal computer

PuTTY is an SSH client for Windows that you will use to generate your SSH keys. You can download it here.

To generate an SSH key with PuTTYgen, follow these steps:

  1. Launch the PuTTYgen program.
  2. In "Type of key to generate", select "SSH-2 RSA".
  3. Click the "Generate" button.
  4. Move your mouse in the area below the progress bar. When the progress bar is full, PuTTYgen generates your key pair.
  5. Type a passphrase in the Key passphrase field. Type the same passphrase in the Confirm passphrase field. You can use a key without a passphrase, but this is not recommended.
  6. Click the Save private key button to save the private key. Warning! You must save the private key. You will need it to connect to your machine.
  7. Right-click in the text field labeled "Public key" (for pasting into the content of a mail that you will send to us later) and choose Select All.
  8. Right-click again in the same text field and choose Copy.


Write an email to the BEgrid Team and paste into the body of the mail the public key that you previously copied to the clipboard.

4. Install your certificate in your new Unix account

The certificate has to be copied to the UI (and saved in a different format).

  • Export the certificate from your browser, into a *.p12 file :
    • for Firefox
    • for Chrome
    • for Microsoft Internet Explorer or Edge : Click the Search icon (or Windows+R keys for the Run dialog), type certmgr.msc and press Enter. Under Certificates - Current User, click Personal -> Certificates, in the right-hand pane, right-click your certificate, and select All Tasks -> Export. In the Export wizard, be sure to export the private key, include all certificates and extended properties, and protect the key with a password.
Note : browsers other than Firefox, Chrome and Internet Explorer are not supported.
  • Copy the file cert.p12 to the UI with the scp command:
scp cert.p12 <your_login>
  • Log in to the UI:
ssh <your_login>

The file cert.p12 should now be in your home directory. Execute the following commands:

 mkdir ~/.globus
 openssl pkcs12 -nocerts -in cert.p12 -out ~/.globus/userkey.pem
 openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~/.globus/usercert.pem
 chmod 400 ~/.globus/userkey.pem
 chmod 644 ~/.globus/usercert.pem

Note that you will be asked for the passphrase you gave during the export, which protects the p12 file, and then asked again for a passphrase to protect the private key (you can use the same one).
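
The following is an added example, not part of the original BEgrid page or its tooling: a small shell check that the files produced by the commands above are consistent (key permissions, certificate validity, and certificate/key pairing). The function names are hypothetical; the file names and the ~/.globus directory are the ones used above.

```shell
#!/bin/sh
# Added example (not BEgrid's own tooling): verify the files produced by the
# openssl/chmod steps above. All function names are hypothetical.

# The private key must grant nothing to group or others (e.g. mode 400).
check_key_perms() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# The certificate must be readable and not past its expiry date.
check_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Certificate and key must carry the same public key. For a
# passphrase-protected key, openssl asks for the passphrase here.
check_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks on a directory (default: ~/.globus); non-zero on any failure.
check_globus_dir() {
    dir=${1:-$HOME/.globus}
    cert=$dir/usercert.pem
    key=$dir/userkey.pem
    rc=0
    check_key_perms "$key" ||
        { echo "FAIL: $key is missing or accessible to group/others"; rc=1; }
    check_not_expired "$cert" ||
        { echo "FAIL: $cert is missing, unreadable or expired"; rc=1; }
    check_pair_matches "$cert" "$key" ||
        { echo "FAIL: $cert and $key do not belong together"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: credentials in $dir look consistent"
    return "$rc"
}
```

After sourcing the file on the UI, run check_globus_dir once the chmod steps are done; it returns non-zero if any check fails.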