Security authentication

The gateways uses two built-in security mechanisms to control access to ECMWF:

• Interactive authentication: users will be prompted for their ECMWF user identifier and the PASSCODE (obtained by entering their PIN number into the security token).
• Batch authentication: users need to create an ECaccess certificate before they access ECMWF facilities. This method allows Member State users to automate authentication within scripts. The HTTP/S, Telnet, X11 and SSH plugins support only the first method. The FTP plugin supports both.

The ECaccess certificate is a standard X509 digital certificate saved on the user's computer as a file. It identifies a user to the gateway. The ECaccess Certification Authority (ECCA) signs each certificate. Therefore, when a user provides his certificate to the gateway, its signature is checked using the ECCA public key for verification. A certificate can be created:

• Using the "ecaccess-certificate-create" command: this is described in section 5.1.
• Using the Web interface: login to the Web server (providing an ECMWF user identifier and token PASSCODE) and in the menu click the "Get Certificate" option to download the new Certificate, see section 7.