Configuring Mozilla to use KCA credentials
Instructions for Linux
Here are the steps for setting up Mozilla to use KCA at Fermilab:
- Install the X.509 certificate tools. The supported distribution is from the NSF Grid middleware project and RPMs are available. For persons tied to the UPD infrastructure, a package is available from fnkits via the usual methods.
- Obtain a valid FNAL Kerberos TGT. If you're logging in at Fermilab, you likely already have one. If not, then you may have to configure your machine or get one specially. See the Fermilab Strong Authentication manual for installation instructions.
- Obtain credentials from the Fermilab KCA. To do this, issue the command "kx509" from the command line.
- You now need to import the credentials into Mozilla. There are two ways to do this:
  - Install a PKCS11 shared library to read the kx509 credential cache:
    - Download the PKCS11 shared library from the UMich CITI pages.
    - Install per the instructions in src/INSTALL in the package.
    - Add the library to the list of PKCS#11 hardware modules in Mozilla.
  - Import the credentials manually:
    - Create a credential cache file with the command "kxlist -p". (This creates a credential cache in the format expected by the Globus toolkit.)
    - Convert the cache into PKCS#12 format. One way to do this is via the openssl command "openssl pkcs12 -in /tmp/x509up_u<uid> -out /tmp/x509up_u<uid>.p12 -export". (The output file name is arbitrary, but must match the next step.)
    - Import the credentials into Mozilla:
      - Edit the Mozilla Preferences. Select Manage Certificates under the Certificates tab of Privacy & Security.
      - Select Import to import a new certificate. If you have expired certificates, you may have to delete them in order to not confuse some servers.
      - Success will show a current certificate under the Fermilab heading.
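
The manual-import steps above as one script, added here as an example (it is not part of the original instructions or of the Fermilab tools). The function names, the "run" argument and the ownership, permission and expiry checks are assumptions of this example; the kx509, kxlist and openssl pkcs12 commands are the ones given in the steps.

```sh
#!/bin/sh
# Added example: manual import path (kx509 -> kxlist -p -> PKCS#12) with checks.

# Path of the Globus-format cache written by "kxlist -p", as used on the page.
cache_path() { printf '/tmp/x509up_u%s\n' "$(id -u)"; }

# True only for a regular file (not a symlink) that we own and that no other
# user can read. The cache holds the private key, so anything else is suspect.
is_private_file() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    case "$(ls -ld "$f" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    umask 077                      # the .p12 is created owner-readable only
    cache=$(cache_path)
    p12="$cache.p12"               # arbitrary name; must match what you import

    kx509 || { echo "kx509 failed: is there a valid Kerberos TGT?" >&2; return 1; }
    kxlist -p || return 1
    is_private_file "$cache" || { echo "$cache is not a private file of yours" >&2; return 1; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cache" -noout -checkend 0 \
        || { echo "certificate in $cache has expired" >&2; return 1; }
    openssl x509 -in "$cache" -noout -subject -enddate

    rm -f "$p12"                   # do not write through a leftover file or link
    # Prompts for an export password; Mozilla asks for it again on import.
    openssl pkcs12 -in "$cache" -out "$p12" -export || return 1
    echo "Import $p12 in Mozilla, then remove it: rm -f $p12"
}

# Run the whole procedure only when asked, e.g. "sh thisfile run".
if [ "${1:-}" = "run" ]; then main; fi
```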

Instructions for MS Windows
In order to obtain an X.509 certificate, both Kerberos client tools and X.509 tools are needed:
1) Install the X.509 certificate tools located at
http://security.fnal.gov/tools/getcert.zip
    Once this file is downloaded, unzip its contents into a directory of choice. There is a file readme1st.txt that describes the ZIP contents.
2) Obtain an X.509 certificate from the KCA.
    In the directory where the Kerberos client and X.509 tools are located, run the command script Get-Cert.CMD.
     (If you are logged into Windows with the same name as in your Kerberos principal, the Get-Cert.CMD will obtain a Kerberos credential if needed and then obtain an X.509 certificate.)
     (If you are logged into Windows with a name different from your Kerberos principal name, run the command script with your Kerberos principal name as the argument – Get-Cert.CMD)
3) The script will place a copy of the certificate in the file %TEMP%\%user%.pem for manual import into other applications as needed.
4) If you have never imported a certificate into Mozilla, you will be prompted to enter a NEW password.
     Simply press enter at this step.
     If you have set a password for your Certificate store previously, enter that password at the prompt.
5) Your certificate should have automatically imported into Mozilla and you should be good to go.
nightwatch@fnal.gov
Last Modified: 7/24/2003 11:47 AM