Getting Started & Setting up Account at Wisconsin#

These are the steps for getting getting an account on Wisconsin computers and getting credentials so that you may run jobs on many computers#


AFS Account#

Email help@hep.wisc.edu to get an AFS account on Wisconsin machines. Then#

ssh login.hep.wisc.edu

and type the command#

kpasswd

to change your password.#


Grid Certificate#

A grid certificate gives you authorization to run jobs on many computers in the world-wide LHC Computing Grid and to access files stored in CMS storage elements, such as the HDFS system in Wisconsin.#

To get a certificate, you must be a registered user at CERN for the CMS experiment and should have a valid CERN email address.#

Do you have a valid CERN account/email address ? NO : please contact help@hep.wisc.edu to get this first. Otherwise, read on.#

To get a grid certificate:#

  1. On the CERN Certification Authority page, under “Grid Certificates”, click on New Grid User certificate#

  2. Enter the requested information and download the new certificate. #

  3. Import the certificate into your browser by following instructions for your browser.#

  4. Copy the certificate file to one of the login machines. If your computer has the ‘scp’ command (available under windows via cygwin), you could do it like this:#

    scp mycert.p12 username@login.hep.wisc.edu:private/mycert.p12
    
  5. Now, ssh to login.hep.wisc.edu and enter the following commands. The openssl commands will prompt for passwords, so don’t paste all the commands at once.#

    mkdir -p ~/.globus 
    mkdir -p ~/.globus/private
    chmod 700 ~/.globus/private/
    fs setacl -dir ~/.globus/private -acl $USER rlidkwa -clear
    ln -fs ~/.globus/private/userkey.pem ~/.globus/userkey.pem
    openssl pkcs12 -in ~/private/mycert.p12 -clcerts -nokeys -out ~/.globus/usercert.pem 
    openssl pkcs12 -in ~/private/mycert.p12 -nocerts -out ~/.globus/private/userkey.pem
    chmod 0600 ~/.globus/private/userkey.pem 
    chmod 640 ~/.globus/usercert.pem
    rm ~/private/mycert.p12
    

    When prompted for a PEM pass phrase, enter a password to use to encrypt your private key. You must use this password in the future whenever you run a command that needs access to the private key.#

  6. Verify that your grid certificate is installed correctly, type at the command prompt:#

    voms-proxy-init -voms=cms
    

    The output should ask you for your password and will look like:#

    Enter GRID pass phrase:
    Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
    Creating temporary proxy .................... Done
    Contacting  voms-cms-auth.app.cern.ch:443 [/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch] "cms" Done
    Creating proxy ...................... Done
    
    Your proxy is valid until Thu Jun 27 20:37:14 2024
    

You are not done yet! Getting a grid certificate only gives you an identity. It doesn’t automatically register that certificate as a recognized member of the CMS Virtual Organization. To do that, you must register your certificate and you must send your certificate subject name (the output of the “voms-proxy-info -subject” command) i.e.#

    voms-proxy-info -subject
    /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra/CN=831384442

to help@hep.wisc.edu to get your certificate mapped to your account in the hep.wisc.edu storage system.#

A “voms proxy” is simply a temporary identity that is signed by your grid certificate. Various grid commands use this proxy to identify you to grid services. Using voms-proxy-info you can see how much time is left on your proxy. Once the time runs out, you need to renew the proxy with voms-proxy-init in order to continue using it.#

NOTE : Certificates expire in a year, you will be emailed a reminder a month before your certificate expires. See Renewing Your Grid Certificate).#


CMS Virtual Organization#

Once you have a grid certificate, you must request to be added to the CMS Virtual Organization (VO).#

If you have an existing non-expired certificate that is already registered with the CMS VO, expand the “Membership Info” link on the left, then expand “Certificates”, and use the “Add Certificate” procedure. To do this, you will need to have connected to the website using your old certificate. If you used your new certificate instead, then restart your browser and select your old certificate when connecting to the page.#

Here are more detailed instructions from the “How to get access to WLCG” twiki page for registering in the CMS VO.#

Once you have been accepted as a member of the CMS VO, it takes about an hour to be recognized as such across the CMS computing grid. At that point, you should be able to start using your grid certificate to access various CMS grid services.#

If you need to write files to the Wisconsin storage cluster, then you must perform another step. Do the voms-proxy-init command as mentioned above and then do voms-proxy-info. Copy the output of that command and paste it in an email to help@hep.wisc.edu to request HDFS access.#

Using your certificate#

To create a CMS grid proxy:#

  1. Log into lxplus or one of the HEP login servers: ssh login.hep.wisc.edu#

  2. Run voms-proxy-init:#

    voms-proxy-init -rfc -valid 144:00 -voms cms
    
    Enter GRID pass phrase:
    Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
    Creating temporary proxy ................. Done
    Contacting  voms-cms-auth.app.cern.ch:443 [/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch] "cms" Done
    Creating proxy .......................................... Done
    
    Your proxy is valid until Wed Jul  3 08:56:45 2024
    
  3. To check your proxy:#

    voms-proxy-info -all
    
    subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra/CN=136360294
    issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
    identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
    type      : RFC compliant proxy
    strength  : 2048 bits
    path      : /tmp/x509up_u10032
    timeleft  : 143:59:35
    key usage : Digital Signature, Key Encipherment
    === VO cms extension information ===
    VO        : cms
    subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
    issuer    : /DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch
    attribute : /cms/Role=NULL/Capability=NULL
    attribute : /cms/compute/Role=NULL/Capability=NULL
    attribute : /cms/compute/scope/Role=NULL/Capability=NULL
    attribute : /cms/country/Role=NULL/Capability=NULL
    attribute : /cms/country/us/Role=NULL/Capability=NULL
    attribute : /cms/uscms/Role=NULL/Capability=NULL
    timeleft  : 143:59:35
    uri       : voms-cms-auth.app.cern.ch:15000
    

    Note that your grid proxy is valid for the time given by the “-valid” parameter. In this example, the period is 144 hours (6 days). If your jobs have to continue running past the expiration time, you will need to renew your proxy before the time runs out.#


Renewing Your Grid Certificate#

To renew a CERN grid certificate:#

On the CERN Certification Authority page, under “Tools & Downloads”, “My Certificates”, click on My User certificates. Click on New Grid User Certificate. Follow the instructions.#

Once the new certificate has been generated, you need to download it, import it into your browser, and put the new certificate in your .globus directory. The procedure is the same as when you first got a new certificate. See instructions here.#

When you follow the above procedure and create a new certificate before the old one expires, you should not need to reregister with the CMS VO, because your certificate name is unchanged.#


Need Help ? Please contact help@hep.wisc.edu#