ARCHIVED: Why am I unable to authenticate to XSEDE digital services using a Science Gateway community account?

This content has been archived, and is no longer maintained by Indiana University. Resources linked from this page may no longer be available or reliable.

The Extreme Science and Engineering Discovery Environment (XSEDE) makes community accounts available to Science Gateway projects to facilitate the use of XSEDE resources by large research communities. However, for security purposes XSEDE MyProxy certificate authorities do not issue end entity certificates for community accounts. As a result, community accounts cannot access XSEDE resources via interfaces that use proxy certificates to delegate privileges (e.g., Globus Online) or perform single sign-on (e.g., the Single Sign-on Login Hub).

Additionally, XSEDE does not automatically assign SSL certificates to community accounts. To enable certificate-based authentication, allowing gateway users to log in with community account credentials to access XSEDE digital services via GSI-enabled OpenSSH (GSI-OpenSSH) or GridFTP, the account owner (i.e., the principal investigator) must obtain an IGTF server certificate, and then add its subject distinguished name (DN) to the community account's XSEDE User Portal profile. To do this, the principal investigator (PI) must:

  1. Decide which type of certificate is needed:
    • IGTF Server Certificate: These certificates are used for securing single servers; they do not support wildcards or multiple domains.
    • IGTF Multi-Domain Certificate: These certificates are similar to IGTF Server Certificates but can be used to secure up to 99 additional hostnames.

    Both certificates have a maximum lifetime of one year. For more, see the XSEDE Certificate Service page.

  2. Generate a Certificate Signing Request (CSR) and the associated private key. For instructions, see the XSEDE Generating a Certificate Signing Request page.
  3. Submit the CSR. Use the XSEDE Submit Help Desk Ticket form (or email For details, see the XSEDE Submitting a Certificate Signing Request page.
  4. Install the certificate. When the certificate request is approved and processed, the PI will receive email containing instructions for downloading the certificate file. Use it with the private key generated with the CSR (in step 2 above). For more, see the "Installing the Certificate and Root CAs" information at the bottom of the XSEDE Submitting a Certificate Signing Request page.
  5. Add the certificate's subject DN(s) to the community account's profile in the XSEDE User Portal. Log into the XSEDE User Portal using the community account's username and password, go to the Profile page (My XSEDE > Profile), click Manage DNs (in the menu on the left), enter the certificate's subject DN in the "Add DN" field, and then click Add DN.

If you need help or have questions, contact the XSEDE Help Desk. For other support options, see Get help with XSEDE.

This document was developed with support from National Science Foundation (NSF) grants 1053575 and 1548562. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.

This is document anod in the Knowledge Base.
Last modified on 2018-09-27 11:15:19.

Contact us

For help or to comment, email the UITS Support Center.