Getting Started & Setting up Account at Wisconsin#

• Getting Started & Setting up Account at Wisconsin
• AFS Account
• Grid Certificate
• CMS Virtual Organization
• Using your certificate
• Renewing Your Grid Certificate

These are the steps for getting getting an account on Wisconsin computers and getting credentials so that you may run jobs on many computers#

---

AFS Account#

Email help@hep.wisc.edu to get an AFS account on Wisconsin machines. Then#

ssh login.hep.wisc.edu

and type the command#

kpasswd

to change your password.#

---

Grid Certificate#

A grid certificate gives you authorization to run jobs on many computers in the world-wide LHC Computing Grid and to access files stored in CMS storage elements, such as the HDFS system in Wisconsin.#

To get a certificate, you must be a registered user at CERN for the CMS experiment and should have a valid CERN email address.#

Do you have a valid CERN account/email address ? NO : please contact help@hep.wisc.edu to get this first. Otherwise, read on.#

To get a grid certificate:#

1. On the CERN Certification Authority page, under “Grid Certificates”, click on New Grid User certificate#

2. Enter the requested information and download the new certificate. #

3. Import the certificate into your browser by following instructions for your browser.#

4. Copy the certificate file to one of the login machines. If your computer has the ‘scp’ command (available under windows via cygwin), you could do it like this:#

   scp mycert.p12 username@login.hep.wisc.edu:private/mycert.p12
   

5. Now, ssh to login.hep.wisc.edu and enter the following commands. The openssl commands will prompt for passwords, so don’t paste all the commands at once.#

   mkdir -p ~/.globus 
   mkdir -p ~/.globus/private
   chmod 700 ~/.globus/private/
   fs setacl -dir ~/.globus/private -acl $USER rlidkwa -clear
   ln -fs ~/.globus/private/userkey.pem ~/.globus/userkey.pem
   openssl pkcs12 -in ~/private/mycert.p12 -clcerts -nokeys -out ~/.globus/usercert.pem 
   openssl pkcs12 -in ~/private/mycert.p12 -nocerts -out ~/.globus/private/userkey.pem
   chmod 0600 ~/.globus/private/userkey.pem 
   chmod 640 ~/.globus/usercert.pem
   rm ~/private/mycert.p12
   

   When prompted for a PEM pass phrase, enter a password to use to encrypt your private key. You must use this password in the future whenever you run a command that needs access to the private key.#

6. Verify that your grid certificate is installed correctly, type at the command prompt:#

   voms-proxy-init -voms=cms
   

   The output should ask you for your password and will look like:#

   Enter GRID pass phrase:
   Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
   Creating temporary proxy .................... Done
   Contacting  voms-cms-auth.app.cern.ch:443 [/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch] "cms" Done
   Creating proxy ...................... Done
   
   Your proxy is valid until Thu Jun 27 20:37:14 2024
   

You are not done yet! Getting a grid certificate only gives you an identity. It doesn’t automatically register that certificate as a recognized member of the CMS Virtual Organization. To do that, you must register your certificate and you must send your certificate subject name (the output of the “voms-proxy-info -subject” command) i.e.#

    voms-proxy-info -subject
    /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra/CN=831384442

to help@hep.wisc.edu to get your certificate mapped to your account in the hep.wisc.edu storage system.#

A “voms proxy” is simply a temporary identity that is signed by your grid certificate. Various grid commands use this proxy to identify you to grid services. Using voms-proxy-info you can see how much time is left on your proxy. Once the time runs out, you need to renew the proxy with voms-proxy-init in order to continue using it.#

NOTE : Certificates expire in a year, you will be emailed a reminder a month before your certificate expires. See Renewing Your Grid Certificate).#

---

CMS Virtual Organization#

Once you have a grid certificate, you must request to be added to the CMS Virtual Organization (VO).#

If you have an existing non-expired certificate that is already registered with the CMS VO, expand the “Membership Info” link on the left, then expand “Certificates”, and use the “Add Certificate” procedure. To do this, you will need to have connected to the website using your old certificate. If you used your new certificate instead, then restart your browser and select your old certificate when connecting to the page.#

Here are more detailed instructions from the “How to get access to WLCG” twiki page for registering in the CMS VO.#

Once you have been accepted as a member of the CMS VO, it takes about an hour to be recognized as such across the CMS computing grid. At that point, you should be able to start using your grid certificate to access various CMS grid services.#

If you need to write files to the Wisconsin storage cluster, then you must perform another step. Do the voms-proxy-init command as mentioned above and then do voms-proxy-info. Copy the output of that command and paste it in an email to help@hep.wisc.edu to request HDFS access.#

Using your certificate#

To create a CMS grid proxy:#

1. Log into lxplus or one of the HEP login servers: ssh login.hep.wisc.edu#

2. Run voms-proxy-init:#

   voms-proxy-init -rfc -valid 144:00 -voms cms
   
   Enter GRID pass phrase:
   Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
   Creating temporary proxy ................. Done
   Contacting  voms-cms-auth.app.cern.ch:443 [/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch] "cms" Done
   Creating proxy .......................................... Done
   
   Your proxy is valid until Wed Jul  3 08:56:45 2024
   

3. To check your proxy:#

   voms-proxy-info -all
   
   subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra/CN=136360294
   issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
   identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
   type      : RFC compliant proxy
   strength  : 2048 bits
   path      : /tmp/x509up_u10032
   timeleft  : 143:59:35
   key usage : Digital Signature, Key Encipherment
   === VO cms extension information ===
   VO        : cms
   subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mohapatr/CN=659205/CN=Ajit Kumar Mohapatra
   issuer    : /DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch
   attribute : /cms/Role=NULL/Capability=NULL
   attribute : /cms/compute/Role=NULL/Capability=NULL
   attribute : /cms/compute/scope/Role=NULL/Capability=NULL
   attribute : /cms/country/Role=NULL/Capability=NULL
   attribute : /cms/country/us/Role=NULL/Capability=NULL
   attribute : /cms/uscms/Role=NULL/Capability=NULL
   timeleft  : 143:59:35
   uri       : voms-cms-auth.app.cern.ch:15000
   

   Note that your grid proxy is valid for the time given by the “-valid” parameter. In this example, the period is 144 hours (6 days). If your jobs have to continue running past the expiration time, you will need to renew your proxy before the time runs out.#

---

Renewing Your Grid Certificate#

To renew a CERN grid certificate:#

On the CERN Certification Authority page, under “Tools & Downloads”, “My Certificates”, click on My User certificates. Click on New Grid User Certificate. Follow the instructions.#

Once the new certificate has been generated, you need to download it, import it into your browser, and put the new certificate in your .globus directory. The procedure is the same as when you first got a new certificate. See instructions here.#

When you follow the above procedure and create a new certificate before the old one expires, you should not need to reregister with the CMS VO, because your certificate name is unchanged.#

---

Need Help ? Please contact help@hep.wisc.edu#