CoEPP RC
 

Grid Computing Start

1. Grid Registration You must follow these steps before you can gain access to grid resources and data
2. Grid Basics A very basic introduction to using grid

Grid Registration

  1. Register with CERN HR (only a requirement if you want to be part of any WLCG VO, i.e. ATLAS)
  2. Obtain a grid certificate
  3. Export your grid certificate
  4. Register with the ATLAS VO (Grid Virtual Organisation).
  5. Registering for Belle GRID access

Steps 1 and 2 can be done simultaneously and both take a few days (possibly week(s)) to complete. Get the ball rolling as early as possible if you know you need grid access.

1. Register with CERN HR (only for ATLAS VO)

CERN requires everyone who is part of ATLAS to be registered with CERN HR

Scan your passport and send it to your local team leader. Your team leader will do the registration for you using the above “New Registration” page.

Adelaide Paul Jackson
Melbourne Geoff Taylor or Elisabetta Barberio
Sydney Kevin Varvell

Once registered, you will receive an email from CERN HR with details of your username, a temporary password, a CERN email address (xxx@cern.ch) as well as a link to the account management portal.

You need to log into the account configuration wizard to finish the registration, for example, you need to learn CERN's security and computing rules and pass a test, you can set an external email address so that all emails sent to your CERN email address will be forwarded to that external email address, and lastly you need to reset your passwords.

2. Obtain a grid certificate

x509 certificates are the primary authentication method for grid computing.

The process of obtaining a grid certificate in Australia is covered in detail here:

3. Export your grid certificate

Export your certificate from your browser

  • In the following example we will demonstrate how to do it from a Firefox browser, but the procedure should be similar in other browsers.
    1. Go to: Preferences → Advanced → Certificates → View Certificates → Your Certificates
    2. Select the certificate you want to export, and select 'Backup'
    3. Select the location where to save the certificate (in .p12 format)
    4. At this point, the browser may request you to you to introduce the password that you use to protect the access to private information (if you have that functionality enabled)
    5. Complete the procedure by introducing a difficult passphrase to protect your private key (you will need this one later).

Install the certificate in an User Interface

  • You will now need to login to an user interface, copy your .p12 certificate file, and convert it from .p12 to pem, doing the following operations:
# Create the $HOME/.globus directory and your public / private key files with the proper permissions
[username@machine ~]$ mkdir $HOME/.globus; mv usercert.p12 $HOME/.globus; cd $HOME/.globus

# Extract the private key (the passphrase you used to export your certificate will be requested)
[username@machine ~]$ openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

# Extract the public key (the passphrase you used to export your certificate will be requested)
[username@machine~]$ openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem
Enter Import Password:
MAC verified OK

# Be sure that both private and public keys do have the right permissions
[username@machine~]$ chmod 644 usercert.pem; chmod 400 userkey.pem

4. Register for ATLAS VO (Grid Virtual Organisation).

Register with ATLAS VO

  • The Registration on the ATLAS VO is a two step process:
    1. First you request membership to the VO
    2. Once approved, you can request membership to specific VO Groups

Request ATLAS VO membership

  • To apply for membership in this Virtual Organization, you must be registered in the CERN Human Resource database and have your membership there linked to the atlas experiment. The VO registration process requires that you know the email address linked to your CERN Human Resource record. To find out your CERN Human Resource record, use the CERN Phonebook service before proceeding with the registration
  1. Confirm the email address registered in CERN Phonebook (This is your CERN email address xxx@cern.ch)
  2. Fill out the form with accurate data (your phone number and address). Do not forget to read and accept the ATLAS VO Acceptable Use Policy
  3. You will receive an email - click the confirmation link. This email will be sent to the email address registered in CERN Phonebook. If you do not use it frequently, make sure you have either forwarded that email address to another address.
  4. Your request will be approved by an administrator shortly & you will receive an email

Request ATLAS /atlas/au group membership

  • Once you have been approved as a valid VO member, you can request to be included in VO groups. Australian users should, by default, select membership on '/atlas/au' and '/atlas/lcg1' groups.
  1. Request for membership under the '/atlas/au' and '/atlas/lcg1' groups in the “Your groups and roles” menu
  2. Your request will be approved by a VO group administrator shortly & you will receive an email

Getting Started

5. Registering for Belle GRID access

There are 2 steps you must take to get access to the Belle GRID once you have your grid certificate (Only Step 2 above needs to be done).

Register with Belle VO

  1. Click Registration (Phase I) and fill out the form
  2. You will receive an email - click the confirmation link
  3. Fill out and submit the Phase II form
  4. Your request will be approved by an administrator shortly & you will receive an email

Now you must Register with DIRAC

  1. Find your Distinguished Name (DN) by following command: openssl x509 -noout -in ~/.globus/usercert.pem -subject
  2. Send an email with the following information to DIRAC administrator group (comp-dirac-admin@belle2.org).
    • your Name
    • your KEKCC account name
    • your DN information (above),
    • your mail address (issued by your host institute. any free mail address is not acceptable)
Name : John Doe
KEKCC account : johndoe
DN : /DC=XXX/DC=yyyy/O=ZZZ/OU=aaa/CN=John Doe bbb
email : john.doe@your.institute
  1. If you don't receive any response in two working days, you may send another mail to comp-dirac-admin@belle2.org
  2. After getting a reply from dirac_admin, visit DIRAC web portal to confirm you are correctly registered.

Visit DIRAC web portal to confirm you are correctly registered

  1. Visit the DIRAC web portal https://dirac.cc.kek.jp:8443
  2. You should see your DIRAC user name and DN at the bottom right as follows:

Getting Started

After that, if you have access to a local Scientific Linux 5 machine, you should install gbasf2 following the instructions below: https://belle2.cc.kek.jp/~twiki/bin/view/Computing/GBasf2.
If you don't have access to a local Scientific Linux 5 or Scientific Linux 6 machine you can use the gbasf2 installation at KEK in the /sw/belle2/gbasf2 directory. If you cannot access this directory you can ask Hara-san to be added to the belle2 group.

Certificate operations

Multiple certificate under your VO membership

Add a new certificate

  • If one or more of your grid certificates have recently changed, or you've obtained a new certificate, you'll need to add the additional certificate to your existing VO membership certificate list.
  • To add your new certificate, you can choose one of the following options:
    1. Load directly your public key (of the new certificate) in .PEM format.
    2. Fill the DN and CA information of your new certificate, and click 'Request Certificate'.

Fill the DN and CA information of your new certificate in VOMS

  • Obtain the distinguished name (DN) and certificate authority (CA) of your new grid certificate. In most cases, you can use OpenSSL to return the DN and CA of your certificate already installed in your User Interface:
openssl x509 -noout -in usercert.pem -subject | sed 's/subject= //'
openssl x509 -noout -in usercert.pem -issuer | sed 's/issuer= //'
  • Scroll down to the 'Certificates' section, and click 'Request New Certificate'.
  • Fill the DN and CA information of your new certificate, and click 'Request Certificate'.

Load your public key in .PEM format in VOMS

  • Scroll down to the 'Certificates' section, and click 'Request New Certificate'.
  • Under 'Certificate File', click 'Browse', select your local public key pem file, and click 'Request Certificate'.

Generate proxy

  • Once you have completed the operations above, and approved in ATLAS VO, you should be able to generate a proxy, and start using grid tools
# Generate a proxy for the ATLAS VO
-bash-4.1$ voms-proxy-init --voms atlas
Enter GRID pass phrase for this identity:
Contacting voms2.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch] "atlas"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1051.
Your proxy is valid until Mon May 11 15:02:15 UTC 2015

# Check the proxy information
-bash-4.1$ voms-proxy-info --all
subject   : /C=TW/O=AP/OU=GRID/CN=Goncalo Borges 152986/CN=proxy
issuer    : /C=TW/O=AP/OU=GRID/CN=Goncalo Borges 152986
identity  : /C=TW/O=AP/OU=GRID/CN=Goncalo Borges 152986
type      : full legacy globus proxy
strength  : 1024
path      : /tmp/x509up_u1051
timeleft  : 11:59:49
key usage : Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
=== VO atlas extension information ===
VO        : atlas
subject   : /C=TW/O=AP/OU=GRID/CN=Goncalo Borges 152986
issuer    : /DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
attribute : /atlas/Role=NULL/Capability=NULL
attribute : /atlas/au/Role=NULL/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
attribute : nickname = goncalo (atlas)
timeleft  : 11:59:49
uri       : voms2.cern.ch:15001
  • Check Grid Basics for a simple tutorial on how to use some of the Grid tools
tutorial/grid.txt · Last modified: 2017/06/23 15:26 by scrosby
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki