T2B Wiki - User contributions [en-gb]

Monitoring

2016-05-06T10:10:02Z

Shkelzen Rugovac:

{| class="wikitable"
| '''Nagios old style'''
| '''Nagios Check_mk style'''
| '''Nagios History'''
| '''JSON'''
| '''Python'''
|-
| [[https://etf-cms-prod.cern.ch/etf/nagios/cgi-bin/status.cgi?host=cream02.iihe.ac.be][cream02]]
| [[https://etf-cms-prod.cern.ch/etf/check_mk/view.py?view_name=host&host=cream02.iihe.ac.be][cream02]]
| [[https://etf-cms-prod.cern.ch/etf/nagios/cgi-bin/notifications.cgi?host=cream02.iihe.ac.be][cream02]]
| [[https://etf-cms-prod.cern.ch/etf/check_mk/view.py?view_name=host&host=cream02.iihe.ac.be&output_format=json][cream02]]
| [[https://etf-cms-prod.cern.ch/etf/check_mk/view.py?view_name=host&host=cream02.iihe.ac.be&output_format=python][cream02]]
|-
| [[https://etf-cms-prod.cern.ch/etf/nagios/cgi-bin/status.cgi?host=maite.iihe.ac.be][maite]]
| [[https://etf-cms-prod.cern.ch/etf/check_mk/view.py?view_name=host&host=maite.iihe.ac.be][maite]]
| [[https://etf-cms-prod.cern.ch/etf/nagios/cgi-bin/notifications.cgi?host=maite.iihe.ac.be][maite]]
| [[https://etf-cms-prod.cern.ch/etf/check_mk/view.py?view_name=host&host=maite.iihe.ac.be&output_format=json][maite]]
| [[https://etf-cms-prod.cern.ch/etf/check_mk/view.py?view_name=host&host=maite.iihe.ac.be&output_format=python][maite]]
|}

----
Links:

*VUB-ULB GRID:
**Ganglia http://mon.iihe.ac.be/ganglia

*BEgrid:
**Ganglia https://ganglia.begrid.be/ganglia/
**GridIce https://gridice.begrid.be/gridice

*LCG
**GocDB/Gstat http://goc.grid.sinica.edu.tw/gstat/
**GridIce http://gridice2.cnaf.infn.it:50080/gridice/site/site.php
**Admin SFTs https://monitoring.egee.man.poznan.pl/admin2
**GGUS Ticket Service https://gus.fzk.de/pages/home.php
**Accounting Info http://www2.egee.cesga.es/gridsite/accounting/CESGA/tree_egee.php?Path=1.7
**Availabilty/Reliabilty http://gridview.cern.ch/GRIDVIEW/same_index.php
**Modded version (only displays UCL and ULB-VUB): http://mon.iihe.ac.be/modded_gridview/same_index.php
**Basic plots
***Select <tt>Tier-2 Site Availability</tt>
***Select both sites
***Select eg daily plots for one month

*Belnet Network Monitor http://monitor.belnet.be/graph/grapherrd.php: (This page only works from whitin BELNET client network.)
**the Inbound/Outbound are from BELNET view (ie Outbound BELNET = Incoming university traffic)
**the "Free traffic" is Research traffic, the red line is a limit for commercial traffic.
**UCL (whole campus) http://monitor.belnet.be/graph/grapherrd.php?page=lln.cfg&target=ucl
**ULB-VUB (whole campus) http://monitor.belnet.be/graph/grapherrd.php?page=brussels.cfg&target=ulb-vub

*CMS
**Dashboard http://arda-dashboard.cern.ch/cms/
**Monalisa http://monalisa.cacr.caltech.edu:9090/
**CRAB http://cmsgridweb.pg.infn.it/crab/crabmon.php
**Phedex Heartbeat http://cmsdoc.cern.ch/cms/aprom/TransferHeartbeat/browser
**Phedex on Dashboard http://pcardabg.cern.ch:8080/dashboard/phedex/
**Installed software https://twiki.cern.ch/twiki/bin/view/CMS/CMSSWInstStatus
**SC4
**SC4 Site Status https://twiki.cern.ch/twiki/bin/view/CMS/SWIntSC4SiteStatus
**CSA06
**Wiki: https://uimon.cern.ch/twiki/bin/view/CMS/CSA06

{{TracNotice|{{PAGENAME}}}}

Network bond and tag

2016-04-21T12:46:59Z

Shkelzen Rugovac: /* On the switch */

=== On the host ===

In '''/etc/sysconfig/network-scripts''':
:* ifcfg-bond0
<pre>DEVICE="bond0"
BOOTPROTO=none
IPADDR=192.168.10.135
BROADCAST=192.168.255.255
NETMASK=255.255.0.0
NM_CONTROLLED="no"
ONBOOT="yes"
USERCTL=no
BONDING_MASTER=yes
TYPE=Bond
BONDING_OPTS="mode=4 miimon=100 lacp_rate=0"
</pre>

To get second bond interface tagged to vlan 2 (PUB)
vconfig add bond0 2

:* ifcfg-bond0.2
<pre>
DEVICE="bond0.2"
BOOTPROTO=none
ONPARENT=yes
IPADDR=193.58.172.92
BROADCAST="193.58.172.127"
NETMASK=255.255.255.128
GATEWAY=193.58.172.2
NM_CONTROLLED="no"
ONBOOT="yes"
USERCTL=no
VLAN=yes
</pre>

* Aggregate interfaces eth0 and eth1 to the bond:
** ifcfg-eth0
<pre>
DEVICE="eth0"
BOOTPROTO=none
NM_CONTROLLED="no"
ONBOOT="yes"
USERCTL=no
MASTER=bond0
SLAVE=yes
</pre>

:* ifcfg-eth1
<pre>
DEVICE="eth1"
BOOTPROTO=none
NM_CONTROLLED="no"
ONBOOT="yes"
USERCTL=no
MASTER=bond0
SLAVE=yes
</pre>

=== On the switch ===
We are configuring everything in LACP [<=> mode=4 in MODPROBE_OPTS for bond0]
* Adding the PoX interface on the 10G switch
** Using the interface, create the lacp port first in tab '''ETH Mgmt''', click on '''Link Aggregation''', Provide in the box '''LAG Interface Number''' PoX (X a number).
** On tab '''Ports''', click on the port you want to add, select '''LAG''': PoX, '''LAG mode''': active ('''LACP rate''' is auto on slow [<=> lacp_rate=0 in MODPROBE_OPTS for bond0] )
::: ''If it does not work and complains about vlans, follow the section '''Adding a new port to PoX''' below''

* on the switch in CLI:
** the PoX port is going to be in hybrid mode, to have untagged[=access] vlan1 and tagged[=hybrid allowed-vlan] vlan 2 (ex: Po5): '''[ vlan1 cannot be tagged on the switch ]'''
<pre>
melswitch1 [standalone: master] > enable
melswitch1 [standalone: master] # config term
melswitch1 [standalone: master] (config) # interface port-channel 5
melswitch1 [standalone: master] (config interface port-channel 5) # switchport mode hybrid
melswitch1 [standalone: master] (config interface port-channel 5) # switchport access vlan 1
melswitch1 [standalone: master] (config interface port-channel 5) # switchport hybrid allowed-vlan 2
</pre>

:* Adding a new port to PoX (ex: ethernet 1/27)
<pre>
melswitch1 [standalone: master] (config) # interface ethernet 1/27
melswitch1 [standalone: master] (config interface ethernet 1/27) # switchport mode hybrid
melswitch1 [standalone: master] (config interface ethernet 1/27) # switchport access vlan 1
melswitch1 [standalone: master] (config interface ethernet 1/27) # switchport hybrid allowed-vlan 2
</pre>
then on the interface, add the port to PoX following the previous section.

Network bond and tag

2016-04-21T12:45:49Z

Shkelzen Rugovac: /* On the switch */

=== On the host ===

In '''/etc/sysconfig/network-scripts''':
:* ifcfg-bond0
<pre>DEVICE="bond0"
BOOTPROTO=none
IPADDR=192.168.10.135
BROADCAST=192.168.255.255
NETMASK=255.255.0.0
NM_CONTROLLED="no"
ONBOOT="yes"
USERCTL=no
BONDING_MASTER=yes
TYPE=Bond
BONDING_OPTS="mode=4 miimon=100 lacp_rate=0"
</pre>

To get second bond interface tagged to vlan 2 (PUB)
vconfig add bond0 2

:* ifcfg-bond0.2
<pre>
DEVICE="bond0.2"
BOOTPROTO=none
ONPARENT=yes
IPADDR=193.58.172.92
BROADCAST="193.58.172.127"
NETMASK=255.255.255.128
GATEWAY=193.58.172.2
NM_CONTROLLED="no"
ONBOOT="yes"
USERCTL=no
VLAN=yes
</pre>

* Aggregate interfaces eth0 and eth1 to the bond:
** ifcfg-eth0
<pre>
DEVICE="eth0"
BOOTPROTO=none
NM_CONTROLLED="no"
ONBOOT="yes"
USERCTL=no
MASTER=bond0
SLAVE=yes
</pre>

:* ifcfg-eth1
<pre>
DEVICE="eth1"
BOOTPROTO=none
NM_CONTROLLED="no"
ONBOOT="yes"
USERCTL=no
MASTER=bond0
SLAVE=yes
</pre>

=== On the switch ===
We are configuring everything in LACP [<=> mode=4 in MODPROBE_OPTS for bond0]
* Adding the PoX interface on the 10G switch
** Using the interface, create the lacp port first in tab '''ETH Mgmt''', click on '''Link Aggregation''', Provide in the box '''LAG Interface Number''' PoX (X a number).
** On tab '''Ports''', click on the port you want to add, select '''LAG''': PoX, '''LAG mode''': active ('''LACP rate''' is auto on slow [<=> lacp_rate=0 in MODPROBE_OPTS for bond0] )
::: ''If is does not work and complains about vlans, follow the section '''Adding a new port to PoX''' below''

* on the switch in CLI:
** the PoX port is going to be in hybrid mode, to have untagged[=access] vlan1 and tagged[=hybrid allowed-vlan] vlan 2 (ex: Po5): '''[ vlan1 cannot be tagged on the switch ]'''
<pre>
melswitch1 [standalone: master] > enable
melswitch1 [standalone: master] # config term
melswitch1 [standalone: master] (config) # interface port-channel 5
melswitch1 [standalone: master] (config interface port-channel 5) # switchport mode hybrid
melswitch1 [standalone: master] (config interface port-channel 5) # switchport access vlan 1
melswitch1 [standalone: master] (config interface port-channel 5) # switchport hybrid allowed-vlan 2
</pre>

:* Adding a new port to PoX (ex: ethernet 1/27)
<pre>
melswitch1 [standalone: master] (config) # interface ethernet 1/27
melswitch1 [standalone: master] (config interface ethernet 1/27) # switchport mode hybrid
melswitch1 [standalone: master] (config interface ethernet 1/27) # switchport access vlan 1
melswitch1 [standalone: master] (config interface ethernet 1/27) # switchport hybrid allowed-vlan 2
</pre>
then on the interface, add the port to PoX following the previous section.

UpdateCertificates

2016-03-25T13:22:46Z

Shkelzen Rugovac: /* Renew Certificates */

== Deprecated content ! Please read before going any further on this page ! ==
The procedure to request certificates has changed since a few months. The new procedure is described [http://wikit.iihe.ac.be/index.php/SSL_Certificates here].

So, what is written below is not valid anymore and needs to be adapted...

== Update and request server certificates ==
[[PageOutline]]
----
=== Introduction ===
All certificates for our machines will have to be updated every year. We will receive mails starting 2 weeks before the certificates expire. 
the decision was taken to update all the certificates at once and Stein De Weirdt wrote a script to do just that. 
The last update of the certificates happened on 2 mai 2008 on a cloudy but warm afternoon.

=== Procedure ===

Log in on '''ccq3''' and generate all the necessary certificates with this tool:
<pre>
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py
</pre>
the tools help output gives:
<pre>
Usage:
--mode Mode: new,renew,conv,get (default: renew)
renew: make new server requests from existing certificates (in directory --dir) and upload the requests
get: - will make quattor templates in <--dir>/private
- public key need to be put in <--dir>/PemDir (to be created)
- the matching private key is looked for in <--dir>
new: make new server request (with DN attributes --att and create the requests/key in --dir)
--dir Read/write templates to/from dir (default: .)

--debug Set debug mode. (default: False)
--att DN Attributes, comma separated list eg (OU=IIHE,CN=gridce.iihe.ac.be,emailAddress=grid_admin@listserv.vub.ac.be)
- assumes C=BE and O=BEGRID
- emailAddress is mandatory (and should be last att)

</pre>

'''1.''' Create/renew certificate
==== Create New Certificate ====
To create a new certificate, do:
<pre>
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py --mode=new --dir=/root/new-cert/ --att=OU=IIHE,CN=behar050.iihe.ac.be,emailAddress=grid_admin@listserv.vub.ac.be --debug
</pre>
==== Renew Certificates ====
To renew all certificates, first remove all .pem files in /root/new-cert/. Move the .tpl files from /root/new-cert/private to /root/new-cert/. Then, remove everything from the 2 subdirectories (private and PemDir) 
Then Do:
<pre>
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py --mode=renew --dir=/root/new-cert/ --debug
</pre>
'''2.'''All the keys need to be uploaded one by one to the belnet site. Go to https://gridra.belnet.be , click "Request a Certificate", choose server from the drop down box. Upload one generate certificate (the ones with -req). On OU needs to be added. For this chose 'VUB'. 

'''3.''' All the generated certificates will be send via mail. Download them all (choose only the one ending in _iihe_ac_be.pem from every mail) and put them in /root/new-cert/PemDir and do:
<pre>
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py --mode=get --dir=/root/new-cert/ --debug
</pre>
all the certificates templates will be saved in /root/new-cert/private. 
'''4.''' next step is to update all the quattor files and to make the clients connect for their new certificates. 
For this, put the private templates on ccq3, /opt/CB6/private or /opt/CB5/private, in the appropriate glite version dir.
<pre>
cd /opt/CB6/svncheck/
./runcheck
</pre>
'''5.''' This will broadcast a message to all the machines and they will respond within 5 minutes and start updating. All services except one will update fine 
'''6.''' We now check that the update was complete and for this we first log in to '''maite'''.
<pre>
grep filecopy /var/log/ncm-cdispd.log
</pre>
Or alternatively
<pre>
less /var/log/ncm/component-filecopy.log
</pre>
Now, check the certificate:
<pre>
openssl x509 -in /etc/grid-security/hostcert.pem -noout -dates
</pre>
And make sure the new end date is indeed a year from now. 

'''7.''' We now perform a final check: log in to any UI and do
<pre>
srmls srm://maite.iihe.ac.be:8443/pnfs/iihe/cms
</pre>
also try to copy some files from storage to the use disk using dccp.
All directories should be listed.

'''8.''' Restart argus service on argus

<pre>
service argus stop
service argus start
</pre>

If this is not enough think of restarting the node.

If the DN of the machine changes (new certificate provider, ...) then its need to be added explicitly into the template of argus. The affected variable is PAP_HOST_DN.

'''9.''' (Optional) Adapt GOCDB server entry

If the DN of the machine changes (especially needed for APEL) then go to the GOCDB page and edit the corresponding entry to reflect the new DN.

{{TracNotice|{{PAGENAME}}}}

Register to the CMS VO

2015-11-05T16:17:36Z

Shkelzen Rugovac:

* Go to the [https://voms2.cern.ch:8443/voms/cms/user/home.action VOMS page]. On the eventual certificate prompt, select the one you just created. 
** Enter the email address registered at cern, then click submit. 
** You should appear just below. If it's you, well click on the correct button ! 

:: [[ File:vocms1.png|center]] 
:* If it doesn't find you with the email you entered after clicking on submit, then look in the [https://phonebook.cern.ch/phonebook/ CERN phonebook] for your email. If you cannot find yourself, then make sure you are registered to CERN or CMS at least.
:: [[File:cern_phonebook.png|center]]
:* Fill in all fields, accept the policy, then submit.
:: [[File:vocms_form.png|center]]
:* The procedure is nearly finished, look at your inbox corresponding to the CERN email.
[[File:vocms_email.png|center]]
:* Just click on the confirmation link in the email received.
[[File:vocms_end.png|center]]

* Now you only need to wait 1 or 2 hours for your membership to be approved !

* You can [[SiteDB | follow the wiki]] to check SiteDB if your certificate as well as membership are fine.

Certificates and VOs

2015-09-23T15:01:42Z

Shkelzen Rugovac: /* CMS */

== Getting access the IIHE T2B ==

*In order to get access to grid and the Tier2 at the IIHE you need obtain a BEgrid Certificate and get access to the User Interfaces of the IIHE.
*BEgrid certificates are managed by [http://www.begrid.be/ BELNET]
*The access to the IIHE UI's, called the Mx machines (x representing a number) is explained [[First_access_to_t2b|here]]
*'''First registration''': The registration procedure consist of several steps outlined below in the section [#Firstregistration:Outlineofregistrationprocedure First registration]
*'''Certificate Renewal''': The procedure to renew your certificate is described in section [#Certificaterenewal:Updatecertificate Certificate Renewal]

==== Password advice ====
In the registration procedure that is described here, a number of passwords will be requested from you. Please choose good ones and don't share them with other people (or write them on post-its ;).

----
=== First registration: Outline of registration procedure ===

*First, a very important preliminary remark before going into the steps of the certificate request procedure : you can use Firefox or IE, but please DON'T USE CHROME and KEEP THE SAME BROWSER AND LAPTOP/PC DURING ALL THE PROCEDURE.
*If you request a certificate for the very first time, you can follow the procedure [http://quattor.begrid.be/trac/centralised-begrid-v5/wiki/Access_to_BEgrid here]. The section ''Get a BEgrid Certificate'' should provide you with a BEgrid certificate and should allow you to prepare your browser
**Get a BEgrid certificate
**Browser preparation

*The next step is to Join a Virtual organisation ''VO'' as described further on this page in the section ''Virtual Organisation''. You can make several choices. If you intend to use the CMS grid infrastructure your VO is CMS. For BEgrid applications join beapps or betest.
*A summary of the steps you should take is given here:
**VO CMS :
**# VO CMS registration
**#Become a member of the group /cms/becms
**VO BEAPPS :
**#VO BEAPPS registration
**VO BETEST :
**#VO BETEST registration

*If you join the CMS VO you still need to do following steps as described in section ''Mailing-list and access to Mx-machines''
**Create your Hypernews account
**Register your DN in SiteDB
**Else CRAB will not work.
**First, make a public certificate [https://ca.cern.ch/ca/Help/?kbid=023010 Instructions]
**Next, upload this public certificate in this [https://accountmap.web.cern.ch/accountmap/Mapping/Certificates.aspx page]
**After ~15 minutes, the changes should be reflected on [https://cmsweb.cern.ch/sitedb/dev/people this page]

==== Virtual Organisation ====
What VO should I join?
*Depending on your experiment or type of application, you have to choose a corresponding VO. If you have no clue which it is, ask your contact person. Unless you really know what your doing (but why are you reading this page?), don't join <tt>dteam</tt> or <tt>ops</tt>.
==== CMS ====
For all people that are in the CMS collaboration and that need access to something.
*You need to have your browsercertificate loaded.
*Go to: [https://voms2.cern.ch:8443/voms/cms/user/home.action VO CMS registration]
**[https://voms2.cern.ch:8443/voms/cms/user/home.action Phase I]
**fill in a valid email address
***the email address must be known in the CERN database and in the CMS database (normally this is the address used when registering with CMS for the first time)
***in case you have problems, try the [http://consult.cern.ch/xwho CERN xwho database] to find your known email address
**select ''Marti Pimia'' as representative
**fill in your first name and last name
**wait for an email to go to Phase II
**click on the link in the email. It will take you to the Phase II registration page.
**fill in your personal information
**pick any additional roles (if really needed). the default should be ok for lost people.
**on the bottom: read the ''GRID Acceptable Use Policy'' and select ok
**click to register
**'''Also send an email to the admins''' [ grid_admin[AT]listserv.vub.ac.be ] to tell them who you are. Also put your team leader in CC, in this way we know that you are part of the Belgian collaborators (it is impossible for us to know all new members)
**you now have to wait for approval of your request. this can take some time and you will notified by email.
**at latest one day after this approval you will be able to use the CMS grid resources.
*After you are member of the VO cms, you need to join the group <tt>/cms/becms</tt>
**Goto the [https://voms2.cern.ch:8443/voms/cms/user/home.action Select Groups & Group Roles]
**Select the group <tt>/cms/becms</tt>
**Press <tt>Submit</tt> at the bottom of the page
**[[Image(cms-groups-becms.png, 50%)]]

==== BEapps ====
*Not needed if you are in CMS
*For all people that want to have their application running in BEgrid on a production level.
*You must have your browser certificate loaded.
*Go to: [https://voms01.begrid.be:8443/voms/beapps/StartRegistration.do VO BEapps registration]
==== BEtest ====
*Not needed if you are in CMS
*For all people that want to test their application running in BEgrid.
*You must have your browser certificate loaded.
*Go to: [https://voms01.begrid.be:8443/voms/betest/StartRegistration.do VO BEtest registration]

==== Hypernews & SiteDb ====

*HN account
**[https://hypernews.cern.ch/HyperNews/CMS/add-member.pl New member info]
**If you have a lxplus account, you can register yourself
**If not, you need to send an email to the cms hn admin.
**Register HN account in SiteDB ([https://twiki.cern.ch/twiki/bin/view/CMS/SiteDBForCRAB instructions])
**Else CRAB will not work.
**First, make a public certificate [https://ca.cern.ch/ca/Help/?kbid=023010 Instructions]
**Next, upload this public certificate in this [https://accountmap.web.cern.ch/accountmap/Mapping/Certificates.aspx page]
**After ~15 minutes, the changes should be reflected on [https://cmsweb.cern.ch/sitedb/dev/people this page]

*Once you have access to the UIs, you need to install your certificate on these machines. This procedure is described [http://quattor.begrid.be/trac/centralised-begrid-v5/wiki/Access_to_BEgrid here] under the section ''Install your certificate in your new Unix account''

----

=== Certificate renewal: Update certificate ===
<pre>
#comment
As the CA changed, users with a certificate made before November 2008 should ask for a new certificate. This is because the certificate authority changed.
*Certificate renewal for certificates delivered BEFORE November 2008
**First follow the procedure as detailed in "Requesting a certificate for the very first time"
**Install your newly received certificate in a directory other than .globus, as you will use the old one while waiting for the new one to be approved by cms
**Then go to https://lcg-voms.cern.ch:8443/vo/cms/vomrs?path=/RootNode/MemberAction/MemberDNs/AddDN&action=execute&do=select
**Fill in your new Dn (you can obtain this by running the following command:
</pre>
<pre>
#comment
openssl x509 -in usercert.pem -subject
</pre>
<pre>
#comment
**Your new DN starts with /C=BE
**Make sure when you copy, not to add any whitespace before or after the DN
**also change the CA (dropdown box) to : /C=BE/OU=BEGRID/O=BELNET/CN=BEgrid CA
***note that a similar one exists with an email address. Do NOT use the one with the email address.
**In the reasons box, fill in: "Change of CA"
**Wait until the new certificate is approved and then ...
**contact the admins to have your dcache acces mapped to your new DN (send us the DN via email)
**also change your DN into siteDB (https://twiki.cern.ch/twiki/bin/view/CMS/SiteDBForCRAB)
</pre>

*Certificate renewal
**Please DON'T USE CHROME and KEEP THE SAME BROWSER AND LAPTOP/PC DURING ALL THE PROCEDURE !
**Go to the belnet site https://gridra.belnet.be/pub/
**Go to request a new certificate based on an existing certificate (the renew function does not work on their site)
**You can install your new certificate directly in your browser with the "Integrate" button (recommended) or download it as a file.
**then, install your new certificate in your Unix account:
**The certificate has to be copied on the User Interface server (and saved in a different format ...)
***Export the certificate from your browser, into a 'p12' - file
***for Firefox: Select Edit/Preferences->Advanced->Manage Certificates; Select the Certificate Click "Backup" give the requested password, then Save with file name "cert" (Will create file cert.p12)
***for Internet Explorer Select Tools/Internet Options Select Content Select Certificates Select Personal Select the Certificate Click "Export" On Certificate Manager Export Wizard Select Next Select 'Yes, export the private key'
***For MAC:
####Open the Keychain Access utility (Applications -> Utilities)
2. Select your certificate or key from the Certificates or Keys category, and do one of the following:
#####Choose File -> Export items ...
b. Right-click, and choose Export [your name]'s ID ...
3. In the Save As field, enter cert.12 for the exported item, and click Save. You will be prompted to enter a new export password for the item.
**Select Personal Information Exchange PKCS#12 (.PFX) give the requested password, then Save with file name "cert".( will save cert.pfx, rename this to cert.p12 )
***scp the file cert.p12 on the User Interface server.
***login on the userinterface-server; The file cert.p12 should be in your homedirectory now. Execute fillowing commands (to transform the certificate and private key from the PFX-format into PEM format; they will ask for the passphrase you put on cert.p12 in order to read it, and will ask you for a new passphrase to put on the private key userkey.pem; You can take the same passphrase ... !)

<pre>
mkdir ~/.globus
openssl pkcs12 -nocerts -in cert.p12 -out ~/.globus/userkey.pem
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~/.globus/usercert.pem
chmod 400 ~/.globus/userkey.pem
chmod 644 ~/.globus/usercert.pem
</pre>

----
=== Questions and Remarks ===
==== Who is my local BEgrid contact person? ====
Good question. If you really don't know or you can't ask anybody else, you may always contact rosette.vandenbroucke@vub.ac.be with this question.

==== Some links ====
*[http://www.alw.nih.gov/Security/Docs/passwd.html www.alw.nih.gov]
*[http://www.auscert.org.au/render.html?it=2260 www.auscert.org.au]
*[http://en.wikipedia.org/wiki/Passwords en.wikipedia.org]
*pisa.belnet.be [http://pisa.belnet.be/pisa/nl/password.htm (dutch)], [http://pisa.belnet.be/pisa/fr/password.htm (french)]

==== Extra ====
Useful link for all detailed commands on certificates:
*http://goc.eu-eela.org/operations/certification-authority-and-virtual-organisation-operations/certificate-manipulation/

==== Problems ====
==== No certificate matches private key ====
When the conversion to <tt>.p12</tt> fails with this message, a number of things might be wrong:
*Make sure that the request-key is the one matching the certificate (ie the download.cer file).
*Check the public modulus:
**<tt>openssl rsa -noout -text -in <request_key></tt>
**<tt>openssl req -noout -text -in <newcert_request.pem></tt>
**<tt>openssl x509 -noout -text -in <download.cer></tt>
*They should all have the same modulus, eg
<pre>
Modulus (2048 bit):
00:a8:7d:e0:ec:c6:ba:0b:39:87:92:87:2e:1d:03:
</pre>
*If this is not the case, something went wrong somewhere. You should contact gridcaNOSPAM@belnet.be and explain them your problem.
==== Troubleshooting check-list ====
This section gives a summary of the different steps of the registration procedure detailed on this page. You can use it as a check-list, e.g. to verify that you don't have missed a step.
- Browser preparation
- Get a BEgrid certificate
- Join a VO (CMS or BEAPPS or BETEST) :
**VO CMS :
**VO CMS registration
**Send a email to the T2B grid-admins (grid_adminNOSPAM@listserv.vub.ac.be) to introduce yourself
**Become a member of the group /cms/becms
**Create your Hypernews account
**Register your DN in SiteDB
**Register to T2B mailing-list
**VO BEAPPS :
**VO BEAPPS registration
**VO BETEST :
**VO BETEST registration
- Send your SSH key to grid_adminNOSPAM@listserv.vub.ac.be

=== Certificates ===
BEgrid certificates are managed by BELNET
*[https://gridra.belnet.be/pub/ Homepage of the BELNET CA]
*Email your questions or remarks to gridcaNOSPAM@belnet.be

==== Browser preparation ====
==== Everybody has to do this at least once : ====
*Load the certificate authenticating the BEgrid CA by clicking on the appropriate link at https://gridra.belnet.be/
**This may bring up a so-called <tt>Software Security Device</tt> that will manage your certifiactes in your browser.
When this is the first time you use it, you'll need to configure it first.
Most probably this means setting a password to protect the device.
**If nothing happens automagically, download the certificate from the above link and import it yourself
**Mozilla/firefox/etc : Edit -> Preferences -> Advanced -> Manage certificates -> authorities -> import
*If your CA is CERN, to load the CA certificate go to [https://ca.cern.ch/ca/ the CERN CA homepage], and in the section ''Download CA certificates and CRLs'' click on both [https://ca.cern.ch/ca/CRL/CERN%20Root%20CA.crt CERN Root CA certificate] and [https://ca.cern.ch/ca/CRL/CERN%20Trusted%20Certification%20Authority.crt CERN Trusted Certification Authority Certificate]

==== If your certificate is no longer in your browser : ====
This can happen if you have changed from laptop or if you have reinstalled everything from scratch on your laptop ''without having restored a backup of your browser environment''. In this case, if you still have access to our UIs, you can recreate the PKCS12 (*.p12) certificate from the usercert.pem and userkey.pem files located in your ~/.globus. Here is the procedure :
<pre>
On a UI :
cd ~/.globus
openssl pkcs12 -export -out cert.p12 -inkey userkey.pem -in usercert.pem
</pre>
It will prompt you to type the password of your userkey.pem, it is the one you use to submit crab jobs. To export the p12 use the same password. So just type 3 times the same password it is easier like that.

After that, copy the cert.p12 file back to your computer. Then you just have to import the certificate on your browser.

Example for Mozilla Firefox: Go to Preferences > Advanced > Encryption > View Certificates >Your certificates > Import

There you just have to choose the cert.p12 and it will ask you for the password you used before.

{{TracNotice|{{PAGENAME}}}}

First access to t2b

2015-09-23T14:57:20Z

Shkelzen Rugovac: /* Getting access */

There are a few steps to gain access to the T2:

* '''First thing to know:''' our contact mail is '''''grid_admin AT listserv.vub.ac.be''''' . Please always send mails to this list and not to personnal emails, this way everyone here can respond and keep up-to-date with problems.

 
=== Getting access ===
* Now, to get access to our T2, we need 3 things :
** To know you: send us a mail with your promotor in cc presenting yourself (name, university, Physics group/experiment). Please do so preferrably from your preferred contact email, as it is the one we will keep to contact you.
** Add to this email the login you want to use. If you have a CERN account, it would be simpler for it to be the same (although not mandatory).
** Finally, copy-past the content of your '''PUBLIC''' ssh key, in order to have access to our User Interfaces (UIs, or often called the mX machines). To create a pair of ssh keys if you don't have one already, do the following:
<pre>
in a shell type:
> ssh-keygen
and follow the instructions. The defaults suggested are fine. Just choose a password.

this will create 2 files in the following directory: $HOME/.ssh
The files are:
id_rsa
id_rsa.pub

You need to send us the content of id_rsa.pub, which is your public key. The other is your private key and should never be shared.
Note that if you already have one somewhere else, copying both id_rsa[.pub] files on your computer is fine too.
</pre>
:* [OPTIONAL] If you already have a certificate, please send us your DN. It is the content of "Identity" when issuing the command voms-proxy-info.

 

=== Next Steps ===
* Now that you have access to our T2, read the following:
*# [[Media:submission_T2.pdf|PDF giving a short overview of the T2]]
*# [[Policies|Connecting to our UIs and policy applied]]
*# [[LocalSubmission|Local job submission]]
*: ... everything else on the [[Main_Page|twiki front page]]
 
* If you need a grid certificate, follow this [[Certificates_and_VOs|twiki page]]
 
*You need to register to the t2b user mailing-list
*# Go to the [https://e-groups.cern.ch/e-groups/EgroupsManageOwnerAdmin.do request page]
*# search for the list beginning with '''belgian-t2-users'''
*# then hit the button subscribe
*# If any of this fails, ask someone to contact the mailinglist admins (or ask them to send a mail to this list with your request)