Getting Started & Setting up Account at Wisconsin

These are the steps for getting an account on Wisconsin computers and getting credentials so that you may run jobs on many computers.


AFS Account

Email help@hep.wisc.edu to get an AFS account on Wisconsin machines. Then

ssh login.hep.wisc.edu

and type the command

kpasswd

to change your password.


Grid Certificate

A grid certificate gives you authorization to run jobs on many computers in the world-wide LHC Computing Grid and to access files stored in CMS storage elements, such as the HDFS system in Wisconsin.

To get a certificate, you must be a registered user at CERN for the CMS experiment and should have a valid CERN email address.

Do you have a valid CERN account and email address? If not, please contact help@hep.wisc.edu to get this first. Otherwise, read on.

  1. Using Firefox, go to: https://ca.cern.ch/ca/user/Request.aspx. (We have not confirmed whether other browsers work for this function.)
  2. Enter the requested information and download the new certificate into your browser.
  3. Once you have the certificate in your browser, the procedure for extracting it to a file depends on the specific browser. For Firefox 3.5.7, go to Preferences/Advanced/Encryption/View Certificates/Your Certificate. Click on your certificate and select Backup. Save it as mycert.p12 and choose whatever password you want.
  4. Copy the file mycert.p12 to one of the login machines. If your computer has the ‘scp’ command (available under Windows via cygwin), you could do it like this:

    scp mycert.p12 username@login.hep.wisc.edu:private/mycert.p12
    
  5. Now, ssh to login.hep.wisc.edu and enter the following commands:

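    mkdir -p ~/.globus
    mkdir -p ~/.globus/private
    chmod 700 ~/.globus/private/
    # Restrict the AFS ACL on private/ to your own account only
    fs setacl -dir ~/.globus/private -acl $USER rlidkwa -clear
    ln -fs ~/.globus/private/userkey.pem ~/.globus/userkey.pem
    # Extract the certificate only (no private key)
    openssl pkcs12 -in ~/private/mycert.p12 -clcerts -nokeys -out ~/.globus/usercert.pem
    # Extract the private key only; this prompts for a PEM pass phrase
    openssl pkcs12 -in ~/private/mycert.p12 -nocerts -out ~/.globus/private/userkey.pem
    chmod 0600 ~/.globus/private/userkey.pem
    chmod 640 ~/.globus/usercert.pem
    # Remove the PKCS#12 bundle, which still contains the private key
    rm ~/private/mycert.p12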
    

    When prompted for a PEM pass phrase, enter a password to use to encrypt your private key. You must use this password in the future whenever you run a command that needs access to the private key.

  6. To verify that your grid certificate is installed correctly, type at the command prompt:

    voms-proxy-init
    

    The output should ask you for your password and will look like:

    Enter GRID pass phrase:
    Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=dbradley/CN=614788/CN=Daniel Charles Bradley
    Creating proxy ..................................................... Done
    
    Your proxy is valid until Mon Apr  8 22:18:34 2013
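
An added example, not part of the original page: a POSIX shell check of the layout that step 5 creates (key mode, key still passphrase-encrypted, symlink, directory mode, certificate expiry). The names check_globus and make_sample are hypothetical, GNU stat is assumed, and the AFS ACL set with fs setacl is not inspected.

```shell
#!/bin/sh
# Added example, not from the original page. check_globus and make_sample
# are hypothetical helper names; GNU stat (Linux) is assumed.

check_globus() {    # usage: check_globus [DIR] [DAYS]; returns number of findings
    dir=${1:-$HOME/.globus}; days=${2:-30}; bad=0
    key=$dir/private/userkey.pem; cert=$dir/usercert.pem
    fail() { echo "FAIL $1"; bad=$((bad + 1)); }

    # Private key readable by its owner only, as "chmod 0600" in step 5 sets it.
    case $(stat -c %a "$key" 2>/dev/null) in
        600|400) ;;
        *) fail "key-mode: $key must be 0600" ;;
    esac
    # Key must still be passphrase-encrypted (the PEM header says ENCRYPTED).
    grep -q ENCRYPTED "$key" 2>/dev/null ||
        fail "key-plaintext: $key is not encrypted"
    # ~/.globus/userkey.pem must be the symlink into private/.
    { [ -L "$dir/userkey.pem" ] && [ "$dir/userkey.pem" -ef "$key" ]; } ||
        fail "key-link: $dir/userkey.pem does not point at $key"
    # private/ must be closed to group and other.
    [ "$(stat -c %a "$dir/private" 2>/dev/null)" = 700 ] ||
        fail "dir-mode: $dir/private must be 700"
    # Certificate must stay valid for DAYS more days (-checkend takes seconds).
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
        fail "cert-expiry: $cert unreadable or expiring within $days days"
    return "$bad"
}

make_sample() {     # constructed layout; PEM body is a placeholder, no certificate
    d=$(mktemp -d); mkdir -p "$d/private"; chmod 700 "$d/private"
    printf '%s\n' "-----BEGIN ${2:-ENCRYPTED PRIVATE KEY}-----" \
        'constructed-placeholder' > "$d/private/userkey.pem"
    chmod "${1:-600}" "$d/private/userkey.pem"
    ln -fs "$d/private/userkey.pem" "$d/userkey.pem"
    echo "$d"
}

# Demo on a constructed sample with a key left at mode 644.
s=$(make_sample 644)
check_globus "$s" 30 || echo "$? finding(s) in constructed sample"
rm -rf "$s"
# On a login node: check_globus ~/.globus 30
```

A non-zero return value is the number of findings, so the function can gate a job-submission wrapper.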
    

You are not done yet! Getting a grid certificate only gives you an identity. It doesn’t automatically register that certificate as a recognized member of the CMS Virtual Organization. To do that, you must register your certificate.

A “voms proxy” is simply a temporary identity that is signed by your grid certificate. Various grid commands use this proxy to identify you to grid services. Using voms-proxy-info you can see how much time is left on your proxy. Once the time runs out, you need to renew the proxy with voms-proxy-init in order to continue using it.

NOTE: Certificates expire in a year; you will be emailed with instructions on how to get a new one. You should use the same browser/server to renew the certificate (see instructions here). Once you have the renewed certificate in your browser, repeat steps 7-10 mentioned above to use it successfully.


CMS Virtual Organization

Once you have a grid certificate, you must request to be added to the CMS Virtual Organization (VO).

If you have an existing non-expired certificate that is already registered with the CMS VO, expand the “Membership Info” link on the left, then expand “Certificates”, and use the “Add Certificate” procedure. To do this, you will need to have connected to the website using your old certificate. If you used your new certificate instead, then restart your browser and select your old certificate when connecting to the page. In addition to completing this procedure, see instructions below for registering your new certificate in SiteDB.

If instead you do not have an existing non-expired certificate registered in the CMS VO, connect using your new certificate, and use the link on the left labeled Registration (Phase I). Make sure you enter your CERN email address in your request form for the CMS VO, even if this address simply forwards to something else. Select Anthony Tiradani or Burt Holzman as representative. Sign up for the /cms/uscms group. Your role should be cmsuser. If you have any problems or questions about this, it may be helpful to refer to the latest instructions.

Once you have been accepted as a member of the CMS VO, it takes about an hour to be recognized as such across the CMS computing grid. At that point, you should be able to start using your grid certificate to access various CMS grid services.

If you need to write files to the Wisconsin storage cluster, then you must perform another step. Run the voms-proxy-init command as mentioned above and then run voms-proxy-info. Copy the output of that command and paste it in an email to help@hep.wisc.edu to request HDFS access.

If you previously ran CRAB jobs with a DOEGrids certificate, you may encounter a CRAB error when using your new CERN certificate. The error message is

Problem extracting user name from SiteDB

To solve this, remove SiteDBusername.conf in the submission directory and ~/.cmssitedbcache and /tmp/jsonparser[USERNAME]. You won’t have all of these, but they have all been used in various CRAB versions.

Here are some example commands you can now use.

Create a grid proxy,

voms-proxy-init 
Cannot find file or dir: $prefix/etc/vomses 
Your identity: /DC=org/DC=doegrids/OU=People/CN= Mike Anderson 74371 
Enter GRID pass phrase: 
Creating proxy ......................................... Done 
Your proxy is valid until Wed Aug  8 05:49:15 2007 

Notice that it is valid for 12 hours.

To make it valid for longer,

voms-proxy-init -valid 48:00

See if you have a valid grid proxy,

voms-proxy-info 
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: VOMS extension not found!
subject   : /DC=org/DC=doegrids/OU=People/CN=Mike Anderson 74371/CN=proxy
issuer    : /DC=org/DC=doegrids/OU=People/CN=Mike Anderson 74371
identity  : /DC=org/DC=doegrids/OU=People/CN=Mike Anderson 74371
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u782
timeleft  : 47:59:06

See other example commands that use the grid proxy.


SiteDB

When switching from DOEGrids to the CERN CA, you will need to associate your new certificate with your SiteDB entry. To do so, follow the instructions on the SiteDBForCRAB page: https://twiki.cern.ch/twiki/bin/view/CMS/SiteDBForCRAB#Adding_your_DN_to_your_profile.

Use your old certificate to follow the link labeled CERN Account Mapping Certificate. Upload the usercert.pem file from your new certificate. Delete the old DOEGrids certificate using the Delete link next to it on the web page after successfully uploading your new certificate.


Renewing Your Grid Certificate

To renew a CERN grid certificate, go to https://ca.cern.ch/ca/user/MyCertificates.aspx. Click on “New Grid User Certificate”. Follow the instructions.

Once the new certificate has been downloaded to your browser, you need to export it and put the new certificate in your .globus directory. The procedure is the same as when you first got a new certificate. See instructions here.

When you follow the above procedure and create a new certificate before the old one expires, you should not need to reregister with the CMS VO, because your certificate name is unchanged. If your old certificate expires before you create a new certificate, the certificate name will be different (i.e. the serial number in the subject name), so you will need to reregister the certificate in the CMS VO.


Need help? Please contact help@hep.wisc.edu