Get a certificate proxy » History » Version 8

Gianluca Petrillo, 02/01/2018 10:31 AM

h1. Get a SBND certificate and proxy

bq. Note: this page is about certificates and proxies to access grid resources. For "personal" certificates to access DocDB and web-based resources, you want a [[Setting up access with CILogon certificate|CILogon certificate]] instead.

h2. Virtual Organization membership

First, you need to be registered in the proper Virtual Organization, which in our case is, unsurprisingly, @sbnd@: concretely, the @/fermilab/sbnd@ group of the @fermilab@ VO, which is what the @voms-proxy-init@ command below asks for.

You can play some _roles_ in the organisation, and you need to choose which one to wear when getting a certificate proxy. Examples of roles are @Analysis@ (which you should pick if unsure) and @Production@ (which carries the extra privileges needed for production jobs, see below).

You can check your status by pointing your browser to the Fermilab VOMS server at . You will be required to present a certificate (the [[Setting up access with CILogon certificate|CILogon certificate]] is good enough for this); from it the server will know who you are and will tell you which groups you belong to and which roles you can play.

If you don't get the expected result (e.g., you are not listed in the @fermilab/sbnd@ group or you need to play a different role), [[Computing resources#Opening-a-ticket-in-Fermilab-Service-Desk|request the change via service desk]].

h2. Get the proxy

The ritual for getting the certificate and proxy goes like this:

<pre>kinit "${USER}@FNAL.GOV"                                                     # get your Kerberos authentication
setup cigetcert                                                              # (if not already there)
cigetcert -s ''                                                              # ask for a certificate
voms-proxy-init -noregen -rfc -voms 'fermilab:/fermilab/sbnd/Role=Analysis'  # create a "proxy" from the certificate</pre>

bq. Make sure UPS is set up first (e.g. @source /cvmfs/

The last line of the output from this sequence should look something like:

<pre>Your proxy is valid until Tue Sep 27 01:49:24 2016</pre>

where the date is 24 hours in the future.

This "proxy" is what we need to get our job done. It is short-lived: once those 24 hours have passed you need to repeat the sequence above before submitting anything else.

The command @voms-proxy-info -all@ will tell you more than you want to know about your current proxy: its subject and type, the file it is stored in, how long it is still valid, and the VOMS attributes (group and role) it carries.
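As an added example (this is not code from the SBND wiki or from the VOMS tools), here is a POSIX shell check to run before submitting jobs: it reads the output of @voms-proxy-info -all@ and refuses to go on unless the proxy carries the requested group/role attribute and still has a chosen number of hours left, which catches both a proxy made with the wrong @-voms@ value and one that would expire while a job waits in the queue. The sample output, the eight-hour default and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the SBND wiki: check a VOMS proxy before submitting jobs.
# Parses the output of `voms-proxy-info -all` to confirm that the proxy (a) still has
# enough lifetime for the work ahead and (b) carries the group/role that was requested
# from voms-proxy-init.

# proxy_seconds_left TEXT
#   Prints the proxy's own remaining lifetime in seconds, taken from the first
#   "timeleft : H:MM:SS" line (the second such line is the VOMS attribute lifetime).
proxy_seconds_left() {
  printf '%s\n' "$1" | awk -F: '/^timeleft/ { print $2 * 3600 + $3 * 60 + $4; exit }'
}

# check_proxy_text TEXT FQAN MIN_HOURS
#   TEXT      output of `voms-proxy-info -all`
#   FQAN      required attribute, e.g. /fermilab/sbnd/Role=Analysis
#   MIN_HOURS minimum remaining lifetime in hours
#   Returns 0 if both conditions hold, 1 (with the reason on stderr) otherwise.
check_proxy_text() {
  text=$1; fqan=$2; min_hours=$3
  secs=$(proxy_seconds_left "$text")
  if [ -z "$secs" ]; then
    echo "no proxy found (run the kinit/cigetcert/voms-proxy-init sequence)" >&2
    return 1
  fi
  if [ "$secs" -lt $((min_hours * 3600)) ]; then
    echo "proxy expires in ${secs}s, less than the required ${min_hours}h; renew it" >&2
    return 1
  fi
  # voms-proxy-info prints FQANs as "attribute : /fermilab/sbnd/Role=Analysis/Capability=NULL"
  if ! printf '%s\n' "$text" | grep '^attribute' | grep -qF -- "${fqan}/"; then
    echo "proxy does not carry ${fqan}; re-run voms-proxy-init with that -voms value" >&2
    return 1
  fi
  return 0
}

# check_proxy FQAN [MIN_HOURS]
#   Runs the real voms-proxy-info (requires the UPS product to be set up).
check_proxy() {
  if ! command -v voms-proxy-info >/dev/null 2>&1; then
    echo "voms-proxy-info not found; set up UPS and the VOMS client first" >&2
    return 2
  fi
  check_proxy_text "$(voms-proxy-info -all 2>/dev/null)" "$1" "${2:-8}"
}

# Constructed sample in the shape of `voms-proxy-info -all` output; the names, paths
# and times are made up. Lets you try the checks without a real proxy.
SAMPLE_OK='subject   : /DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Jane Doe/CN=UID:jdoe/CN=1234567890
issuer    : /DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Jane Doe/CN=UID:jdoe
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u12345
timeleft  : 23:59:58
=== VO fermilab extension information ===
VO        : fermilab
attribute : /fermilab/sbnd/Role=Analysis/Capability=NULL
attribute : /fermilab/Role=NULL/Capability=NULL
timeleft  : 23:59:58'

# The same constructed proxy half an hour before expiry.
SAMPLE_EXPIRING=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^timeleft  : .*/timeleft  : 0:30:00/')

# Usage from a shell with the UPS products set up:
#   check_proxy /fermilab/sbnd/Role=Analysis 8 && echo "proxy OK, safe to submit"
```

Set the minimum lifetime to however long your jobs may sit in the queue; the same function with @/fermilab/sbnd/Role=Production@ as the attribute checks a production proxy.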

h2. Production role jobs

h3. Getting production privileges

Submit a service desk ticket asking for production role privileges for SBND. You will most likely have to add a computing coordinator to the watch list.

You then have to ask someone with access to the @sbndpro@ account to add you to its @.k5login@ file. The people to ask are the computing coordinators or the production coordinator(s). Bear in mind that, as the fine print below states, no more than ten people from the experiment may be in that file at any time.

You should then be able to ssh to an SBND machine as the @sbndpro@ user:

<pre>ssh -Y </pre>

h3. Getting the production proxy (old-school method)

The following should be run on the command line when logged into the @sbndpro@ account:

<pre>kx509; voms-proxy-init -noregen -rfc -voms 'fermilab:/fermilab/sbnd/Role=Production'</pre>

It is the same sequence as for an @Analysis@ proxy, with @kx509@ (the older tool that obtains a certificate from your Kerberos ticket) in place of @cigetcert@ and the @Production@ role requested. You should now be able to submit production jobs.

h3. Getting the production proxy (the new method)

A much easier alternative to getting production-role access is to use the production proxy certificate that is pushed to the gpvm several times a day, courtesy of the SCD.

As with the old-school method, the certificate is only accessible from the @sbndpro@ account.

Here is some fine print, sent from Kevin Retzke when this method was set up on the sbndgpvms:

Some requirements/fine print:

1. We only offer the service for service accounts that are abiding by cs-docdb 5644 and its addendums. These requirements include, but are not limited to:
* No more than ten people from the experiment are allowed in the .k5login file at any time. USDC members do not count against the limit.
* The cert and key files should never be sent over a network via any unencrypted means, especially as email attachments.

2. Our service principal (monitor/gcso/ needs to be added to the .k5login of the production account on each target machine.

3. The destination directory (we typically use /opt/accountname) needs to be created on each target machine, owned by the production account.

4. Someone with the production role must be designated to have the service certificate registered under in VOMS.

The certificate has to be registered to someone. At time of writing, the certificate is registered to Dominic Brailsford.

To use the certificate, make sure the @X509_USER_PROXY@ environment variable is set to the location of the pushed proxy file (the VOMS and Globus tools read that variable to find the proxy they should use).

At time of writing, the @.profile@ file for @sbndpro@ should set up the @X509_USER_PROXY@ environment variable, so hopefully you don't need to do anything! Once @X509_USER_PROXY@ is set, you are able to submit production jobs (no need to use the old-school method as well!).
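As an added example (not code from the SBND wiki, the SCD push service or the VOMS tools), here is a POSIX shell check to run from the @sbndpro@ account before submitting: it verifies that @X509_USER_PROXY@ is set and points at a readable file that only its owner can read, and, when @voms-proxy-info@ is on the path, that the proxy is still valid and carries the Production role. The function names and the one-hour margin are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the SBND wiki: sanity-check the pushed production
# proxy that X509_USER_PROXY points at before relying on it from the sbndpro
# account. The VOMS and Globus clients read X509_USER_PROXY to find the proxy,
# so an unset variable or a missing file means failed submissions, while a
# group- or world-readable file hands the Production role to everyone on the
# machine (the same reason the fine print forbids sending the key unencrypted).

# check_proxy_file PATH
#   Returns 0 when PATH is a regular file owned by the current user that only
#   the owner can read; returns 1 and prints the reason on stderr otherwise.
check_proxy_file() {
  f=$1
  if [ -z "$f" ]; then
    echo "X509_USER_PROXY is not set; check the account's .profile" >&2
    return 1
  fi
  if [ ! -f "$f" ]; then
    echo "$f: not a regular file (has the pushed proxy arrived yet?)" >&2
    return 1
  fi
  if [ ! -r "$f" ]; then
    echo "$f: not readable by this account" >&2
    return 1
  fi
  # The proxy contains a private key: refuse one that group (040) or others (004) can read.
  if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
    echo "$f: readable by group or others; fix with chmod 600 and tell whoever pushed it" >&2
    return 1
  fi
  # A proxy belonging to someone else (e.g. a stale copy in /tmp) is not ours to use.
  if [ -z "$(find "$f" -prune -user "$(id -un)" -print 2>/dev/null)" ]; then
    echo "$f: not owned by $(id -un)" >&2
    return 1
  fi
  return 0
}

# check_production_proxy
#   Applies the file checks to $X509_USER_PROXY and, when the VOMS client is
#   available, confirms the proxy is still valid for at least an hour and
#   carries the Production role (voms-proxy-info -file, -exists/-valid, -fqan).
check_production_proxy() {
  check_proxy_file "${X509_USER_PROXY:-}" || return 1
  if command -v voms-proxy-info >/dev/null 2>&1; then
    if ! voms-proxy-info -file "$X509_USER_PROXY" -exists -valid 1:00; then
      echo "$X509_USER_PROXY: less than an hour of validity left; wait for the next push" >&2
      return 1
    fi
    if ! voms-proxy-info -file "$X509_USER_PROXY" -fqan | grep -q '^/fermilab/sbnd/Role=Production'; then
      echo "$X509_USER_PROXY: proxy does not carry /fermilab/sbnd/Role=Production" >&2
      return 1
    fi
  fi
  return 0
}

# Usage from the sbndpro account, with X509_USER_PROXY as set by its .profile:
#   check_production_proxy && echo "production proxy OK, safe to submit"
```

If the file check fails on permissions, do not "fix" it by copying the proxy somewhere else: the pushed file is replaced several times a day, and a loose copy is exactly the unencrypted leak the fine print warns about.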