Why am I unable to authenticate to XSEDE digital services using a Science Gateway community account?

The Extreme Science and Engineering Discovery Environment (XSEDE) makes community accounts available to Science Gateway projects to facilitate the use of XSEDE resources by large research communities. However, for security purposes XSEDE MyProxy certificate authorities do not issue end entity certificates for community accounts. As a result, community accounts cannot access XSEDE resources via interfaces that use proxy certificates to delegate privileges (e.g., Globus Online) or perform single sign-on (e.g., the Single Sign-on Login Hub).

Additionally, XSEDE does not automatically assign SSL certificates to community accounts. To enable certificate-based authentication, allowing gateway users to log in with community account credentials to access XSEDE digital services via GSI-enabled OpenSSH (GSI-OpenSSH) or GridFTP, the account owner (i.e., the principal investigator) must obtain an IGTF server certificate, and then add its subject distinguished name (DN) to the community account's XSEDE User Portal profile. To do this, the principal investigator (PI) must:

  1. Decide which type of certificate is needed:
    • IGTF Server Certificate: These certificates are used for securing single servers; they do not support wildcards or multiple domains.
    • IGTF Multi-Domain Certificate: These certificates are similar to IGTF Server Certificates but can be used to secure up to 99 additional hostnames.

    Both certificates have a maximum lifetime of one year. For more, see the XSEDE Certificate Service page.

  2. Generate a Certificate Signing Request (CSR) and the associated private key. For instructions, see the XSEDE Generating a Certificate Signing Request page.
  3. Submit the CSR. Use the XSEDE Submit Help Desk Ticket form (or email help@xsede.org). For details, see the XSEDE Submitting a Certificate Signing Request page.
  4. Install the certificate. When the certificate request is approved and processed, the PI will receive email containing instructions for downloading the certificate file. Use it with the private key generated with the CSR (in step 2 above). For more, see the "Installing the Certificate and Root CAs" information at the bottom of the XSEDE Submitting a Certificate Signing Request page.
  5. Add the certificate's subject DN(s) to the community account's profile in the XSEDE User Portal. Log into the XSEDE User Portal using the community account's username and password, go to the Profile page (My XSEDE > Profile), click Manage DNs (in the menu on the left), enter the certificate's subject DN in the "Add DN" field, and then click Add DN.

If you need help or have questions, contact the XSEDE Help Desk. For other support options, see How do I get help with XSEDE?

This document was developed with support from National Science Foundation (NSF) grants 1053575 and 1548562. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.

This is document anod in the Knowledge Base.
Last modified on 2018-02-13 15:35:16.

  • Fill out this form to submit your issue to the UITS Support Center.
  • Please note that you must be affiliated with Indiana University to receive support.
  • All fields are required.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.

  • Fill out this form to submit your comment to the IU Knowledge Base.
  • If you are affiliated with Indiana University and need help with a computing problem, please use the I need help with a computing problem section above, or contact your campus Support Center.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.