Getting Started & Setting up Account at Wisconsin#

These are the steps for getting getting an account on Wisconsin computers and getting credentials so that you may run jobs on many computers#

CERN Account#

To join CMS and get a CERN computing account, fill out this registration form.#

The form will be sent for approval to your faculty advisor and then approved by the CMS Secretariat.#

Then follow these instructions: CMS computing account.#

Here is more information about CERN computing accounts.#

hep.wisc.edu Account#

Email help@hep.wisc.edu to get a hep.wisc.edu account on Wisconsin machines. Include your CERN user name. Then#

ssh login.hep.wisc.edu

and type the command#

kpasswd

to change your password.#

Fermilab Account#

To get a computing account at Fermilab, follow these instructions.#

Grid Certificate#

A grid certificate gives you authorization to run jobs on many computers in the world-wide LHC Computing Grid and to access files stored in CMS storage elements, such as the HDFS system in Wisconsin.#

To get a certificate, you must be a registered user at CERN for the CMS experiment and should have a valid CERN email address.#

To get a grid certificate:#

  1. On the CERN Certification Authority page, under “Grid Certificates”, click on New Grid User certificate#

  2. Enter the requested information and download the new certificate. #

  3. Import the certificate into your browser by following instructions for your browser.#

  4. Copy the certificate file to one of the login machines. If your computer has the ‘scp’ command (available under windows via cygwin), you could do it like this:#

    scp mycert.p12 username@login.hep.wisc.edu:private/mycert.p12

  5. Now, ssh to login.hep.wisc.edu and enter the following commands. The openssl commands will prompt for passwords, so don’t paste all the commands at once.#

    mkdir -p ~/.globus 
mkdir -p ~/.globus/private
chmod 700 ~/.globus/private/
fs setacl -dir ~/.globus/private -acl $USER rlidkwa -clear
ln -fs ~/.globus/private/userkey.pem ~/.globus/userkey.pem
openssl pkcs12 -in ~/private/mycert.p12 -clcerts -nokeys -out ~/.globus/usercert.pem 
openssl pkcs12 -in ~/private/mycert.p12 -nocerts -out ~/.globus/private/userkey.pem
chmod 0600 ~/.globus/private/userkey.pem 
chmod 640 ~/.globus/usercert.pem
rm ~/private/mycert.p12

    When prompted for a PEM pass phrase, enter a password to use to encrypt your private key. You must use this password in the future whenever you run a command that needs access to the private key.#

  6. Verify that your grid certificate is installed correctly, type at the command prompt:#

    voms-proxy-init

    The output should ask you for your password and will look like:#

    Enter GRID pass phrase:
Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
Creating proxy ................... Done

Your proxy is valid until Sat May  3 03:55:56 2025

You are not done yet! Getting a grid certificate only gives you an identity. It doesn’t automatically register that certificate as a recognized member of the CMS Virtual Organization (VO), unless it’s issued by CERN. To verify the validity of your CMS VO membership, please follow register your certificate. Once verified, please send your certificate identity name (the output of the “voms-proxy-info -identity” command) i.e.#

    voms-proxy-info -identity 
    /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra

to help@hep.wisc.edu to get your certificate mapped to your account in the hep.wisc.edu storage system.#

A “voms proxy” is simply a temporary identity that is signed by your grid certificate. Various grid commands use this proxy to identify you to grid services. Using voms-proxy-info you can see how much time is left on your proxy. Once the time runs out, you need to renew the proxy with voms-proxy-init in order to continue using it.#

NOTE : Certificates expire in a year, you will be emailed a reminder a month before your certificate expires. See Renewing Your Grid Certificate).#

CMS Virtual Organization#

If you are a valid CMS member with a CERN computer account you are automatically registered in CMS Virtual Organization (VO) with the CERN certificate corresponding to your CERN primary account (almost all people have only one account and do not need to care what primary means).#

As a new user you need to sign the Grid Acceptable Usage Policy (AUP), and to sign it again every year. If you have not done it or your signature expired, when you do “voms-proxy-init -voms cms” you will see this message : “User … needs to sign AUP for this organization in order to proceed”.#

To sign the Grid AUP (and to verify your CMS VO membership) use your browser to visit the cms-auth server (a.k.a. CMS IAM server) and login using CERN’s SSO. Here are more detailed instructions from the “How to get access to WLCG” twiki page for registering in the CMS VO.#

With a valid CMS VO membership, you should be able to start using your grid certificate to access various CMS grid services with a CMS voms proxy. Please see instructions below on how to create a CMS voms proxy.#

If you need to write files to the Wisconsin storage cluster, then you must perform another step. Do the voms-proxy-init command as mentioned above and then do voms-proxy-info. Copy the output of that command and paste it in an email to help@hep.wisc.edu to request HDFS access.#

Using your certificate#

To create a CMS voms proxy:#

  1. Log into lxplus or one of the HEP login servers: ssh login.hep.wisc.edu#

  2. Run voms-proxy-init:#

    voms-proxy-init -rfc -valid 144:00 -voms cms

Enter GRID pass phrase:
Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
Creating temporary proxy ............... Done
Contacting  voms-cms-auth.cern.ch:443 [/DC=ch/DC=cern/OU=computers/CN=cms-auth.cern.ch] "cms" Done
Creating proxy ........................ Done

Your proxy is valid until Thu May  8 16:12:59 2025

  3. To check your proxy:#

    voms-proxy-info -all

subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra/CN=136360294
issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
type      : RFC compliant proxy
strength  : 2048 bits
path      : /tmp/x509up_u10032
timeleft  : 143:59:35
key usage : Digital Signature, Key Encipherment
=== VO cms extension information ===
VO        : cms
subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
issuer    : /DC=ch/DC=cern/OU=computers/CN=cms-auth.cern.ch
attribute : /cms/Role=NULL/Capability=NULL
attribute : /cms/compute/Role=NULL/Capability=NULL
attribute : /cms/compute/scope/Role=NULL/Capability=NULL
attribute : /cms/country/Role=NULL/Capability=NULL
attribute : /cms/country/us/Role=NULL/Capability=NULL
attribute : /cms/uscms/Role=NULL/Capability=NULL
timeleft  : 143:59:35
uri       : voms-cms-auth.cern.ch:15000

    Note that your grid proxy is valid for the time given by the “-valid” parameter. In this example, the period is 144 hours (6 days). If your jobs have to continue running past the expiration time, you will need to renew your proxy before the time runs out.#

Renewing Your Grid Certificate#

To renew a CERN grid certificate:#

On the CERN Certification Authority page, under “Tools & Downloads”, “My Certificates”, click on My User certificates. Click on New Grid User Certificate. Follow the instructions.#

Once the new certificate has been generated, you need to download it, import it into your browser, and put the new certificate in your .globus directory. The procedure is the same as when you first got a new certificate. See instructions here.#

When you follow the above procedure and create a new certificate before the old one expires, you DO NOT need to reregister with the CMS VO, because your certificate name is unchanged.#

Need Help ? Please contact help@hep.wisc.edu#