
Grid Robot certificates

Robots, also known as automated clients, are entities that perform tasks without human intervention.

These procedures generally run using an identity with the necessary privileges to perform their tasks. If automated tasks need to authenticate using a certificate provided by the CERN Grid Certification Authority, a robot certificate should be used.

Robot certificates can only be issued to valid Service accounts.

The purpose of a robot certificate is to allow the team performing the automated tasks to authenticate without needing individual user certificates. Moreover, if the certificate subject is used by the application, it will not be necessary to modify the application's configuration each time a new certificate is issued.

Who can request a robot certificate

Please note that the official Certificate Policy and Certificate Practice Statement documents for the CERN Grid Certification Authority are available at the address http://cern.ch/cafiles. This help page is only an informal excerpt from the official documents.

A robot certificate can be requested under the following conditions:

  • The robot certificate will be used in a completely automated environment.
  • The robot certificate will be used without human intervention. Robot certificates should be used only inside scripts and applications that are scheduled and run on a regular basis.
  • Owners of Service accounts associated with the certificate should have a permanent position at CERN, or have approval from their supervisor (this is because, if the Service account is assigned to a new owner, the certificate's subject will change when it is renewed).
  • The email of this service account must forward messages either to a responsible e-group or to the personal email address of the owner. The service account's email will be used to contact the team or person that is responsible for the Robot certificate (as defined in EUGridPMA Robot policy).

A robot certificate must not be used for the following purposes:

  • To share a certificate so that people don't need to enter individual credentials.
  • To obtain a certificate for a Service account.

How to request a robot certificate

If your requirements satisfy the conditions to get a robot certificate, you can request one as follows:

  • Make sure that you are the owner of the Service account that will be used to request robot certificates. If you do not have such a service account, you can create one from the "My Accounts" page on the Account Management site.
  • Make sure that you have a valid CERN User certificate.
  • Send an email, signed with your user certificate, to cern-ca-managers@cern.ch, containing:
    • The reason why you need a robot certificate
    • The name (login) of the service account that will be used to request the certificate
  • After a successful evaluation of your request, your Service account will be granted the right to get a Robot certificate.
  • Log in to the CERN Grid Certification Authority site using the authorized service account and request a Robot certificate through this page.

Created: 10/12/2015
Last reviewed: 11/2/2015