Register with the ALICE Virtual Organization#

In order to register with WLCG and use JAliEn, each user must complete the following 4 steps:

Step 1: Cleanup old/expired certificates
If you have old or expired certificates and are registering a new one, make sure to follow these steps:
- Remove your old certificate from your browser. Some certification authorities (CAs) install the new certificate directly in the browser from which you do the request, but the CERN Grid CA does not.
- On the computer(s) you use to do alien-token-init from:
  - Remove the .pem files from $HOME/.globus (if they are still valid, make copies of them first). You will need to create a new set with from your new certificate.
  - Remove /tmp/x509up_* - these are temporary proxy certificates created from the .pem keypair and may interfere with the new certificate.
- To create a new .pem keypair once you have your new certificate, you can follow these instructions
Step 2: Obtain a valid X509 certificate
To obtain a valid personal digital certificate (also known as PKI or X509 certificate), either refer to the instructions within your institute, or get a CERN Grid CA certificate connected to your CERN account. For certificates issued outside of CERN, mind they have to be from a Certificate Authority (CA) that is part of the IGTF! Please beware: only some of the GEANT CAs are in IGTF!

For CERN issued certificates see the following locations for setup and informations:
p12 to pem files conversion

If the certificate is loaded in the browser and then exported as a .p12 (or .pfx) file, or it is obtained in such a format from the CA, you can create the X509 ~/.globus/user{cert,key}.pem files needed by JAliEn as follows (you may first want to make backup copies of pre-existing such files):
```
openssl pkcs12 -out ~/.globus/usercert.pem -in the_p12_or_pfx_file -nokeys -clcerts
```
```
openssl pkcs12 -out ~/.globus/userkey.pem  -in the_p12_or_pfx_file -nocerts
```
```
chmod 600 ~/.globus/userkey.pem
```
pem files to p12 conversion

If the certificate was obtained by process of generating a X509 key pem file, then a certificate request, that was sent to Certificate Authority for signing, then a signed certificate pem file was received, and there is a need to load this certificate in the browser for authentication in web pages, a conversion from .pem files to .p12 file is required:
```
openssl pkcs12 -export -in cert_file.pem -inkey cert_key.pem -out "name_of_p12_file.p12" -name "a_name_label_for_this_certificate"
```
Step 3: Load certificate into browser
Tips for loading your personal certificate into your browser(s) are available on this page: scroll down to "Additional Information".

For some Certificate Authorities (CAs), the procedure to obtain a personal digital certificate includes loading it into the browser already.

Make sure you don't have any leftover old certificates there (see step 1).
Step 4: Follow the registration steps in IAM (Identity and Access Management) as shown below.

Please pay close attention!

the steps are quite different from the old VOMS-admin service

Registration in ALICE IAM (Identity and Access Management)#

Before clicking on the link below, import your grid certificate in the browser from which you will do the registration process

Advice: use only Firefox or Chrome browser for the registration process

Step 1: go to https://alice-auth.cern.ch
- (Note the hostname has changed from what is shown in the following slides)
Step 2:
Step 3:
Step 4:
Step 5:
Step 6:
Step 7:
Step 8:
Step 9:
Step 10:
Step 11:
Step 12:
Step 13:
Step 14:
Step 15:
Step 16 (last one) before you are able to use the Grid:

Send a mail to project-lcg-vo-alice-admin@cern.ch

stating that you have linked your certificate to your IAM account and wait for confirmation from the administrator that your VO account is now active for the certificate you linked !

Until you received the confirmation, the account is not activated