Install the DataONE client side certificate
In addition to acting as servers in the DataONE infrastructure, Member Nodes also act as clients, initiating connections to other Nodes. When connecting to other Nodes, Member Nodes authenticate themselves in a process called client side authentication, in which a client side certificate is provided to the server.
Obtain the client side certificate
Client side certificates for MNs are issued by the DataONE CA. MNs go through a testing phase before being registered in the DataONE production environment used by the public, so DataONE will first issue a test certificate to your node. The test certificate is valid only in DataONE's test environments. When the MN is ready to join the production environment, DataONE will issue a production certificate for your node. The certificates are valid for several years and are linked to your MN via their DNs.
To obtain a client side certificate for testing:

1. Work with DataONE to determine a Node ID, on the form urn:node:NODEID, for your node.
2. Create an account on the DataONE Registration page.
3. Notify DataONE by sending an email to support@dataone.org. In the email, state that you are requesting a client side certificate for a new MN and include the agreed upon Node ID, on the form urn:node:NODEID.
4. DataONE will create the certificate for you and notify you of its creation with a reply to your email.
5. Follow the link provided in the email, and sign in using the account you created or used in the account creation step above.
Warning
Anyone who has the private key can act as your Node in the DataONE infrastructure. Keep the private key safe. Set it to be readable only by root and follow best practices for security to keep root from being compromised. If your private key becomes compromised, please inform DataONE so that the certificate can be revoked and a new one generated.
Install the client side certificate
1. When the signed client side certificate has been received from DataONE, move it and its private key to the /var/local/dataone/certs/client folder.
2. Rename the files to client_cert.pem and client_key.pem.
3. Remove the password from the key:

    $ cd /var/local/dataone/certs/client
    $ sudo openssl rsa -in client_key.pem -out client_key_nopassword.pem
    $ sudo chown root:root client_key.pem client_key_nopassword.pem
    $ sudo chmod 400 client_key.pem client_key_nopassword.pem

Other names and/or directories may be used. If so, update CLIENT_CERT_PATH and CLIENT_CERT_PRIVATE_KEY_PATH in the GMN settings.py file to the new paths.
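As an added preflight check (not part of the GMN documentation or code base), the following Python script verifies the outcome of the steps above: that the key file is root:root and mode 0400, that the passphrase really was removed, and that the private key matches the certificate. It assumes the passphrase-free key written by the openssl rsa step (client_key_nopassword.pem) is the one GMN is configured to use, and it must be run as root to read the key.

```python
import os
import ssl
import stat

# Paths from the instructions above. The passphrase-free key is the output of
# the `openssl rsa` step; adjust if settings.py names other files (assumption).
CERT_DIR = "/var/local/dataone/certs/client"
DEFAULT_CERT = os.path.join(CERT_DIR, "client_cert.pem")
DEFAULT_KEY = os.path.join(CERT_DIR, "client_key_nopassword.pem")

def key_is_encrypted(pem_text):
    """True if the PEM key still carries a passphrase (legacy PKCS#1
    'Proc-Type: 4,ENCRYPTED' header or PKCS#8 'ENCRYPTED PRIVATE KEY').
    GMN runs unattended, so it cannot answer a passphrase prompt."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text)

def permission_problems(mode, uid, gid):
    """Deviations from the root:root, mode 0400 posture set by chown/chmod."""
    problems = []
    if (uid, gid) != (0, 0):
        problems.append("owner is %d:%d, expected root:root" % (uid, gid))
    if stat.S_IMODE(mode) != 0o400:
        problems.append("mode is %04o, expected 0400" % stat.S_IMODE(mode))
    return problems

def preflight(cert_path, key_path):
    """Return a list of problems; an empty list means the pair is usable."""
    problems = ["%s: file not found" % p
                for p in (cert_path, key_path) if not os.path.isfile(p)]
    if problems:
        return problems
    st = os.stat(key_path)
    problems += ["%s: %s" % (key_path, p) for p in
                 permission_problems(st.st_mode, st.st_uid, st.st_gid)]
    with open(key_path) as fh:
        if key_is_encrypted(fh.read()):
            # Stop here: load_cert_chain() would block on a passphrase prompt.
            return problems + ["%s: key still has a passphrase" % key_path]
    try:
        # OpenSSL verifies that the private key matches the certificate's
        # public key (SSL_CTX_check_private_key) while loading the chain.
        ssl.create_default_context().load_cert_chain(cert_path, key_path)
    except ssl.SSLError as exc:
        problems.append("certificate/key pair rejected by OpenSSL: %s" % exc)
    return problems

if __name__ == "__main__":
    for problem in preflight(DEFAULT_CERT, DEFAULT_KEY):
        print("PROBLEM:", problem)
```

An empty report means GMN can present the certificate without prompting; any listed problem should be fixed before registering the node.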