Howto Get Access to T2B
OBSOLETE
This page is as of now obsolete. Please use this page instead.
Certificates
BEgrid certificates are managed by BELNET
- Homepage of the BELNET CA
- Email your questions or remarks to gridcaNOSPAM@belnet.be
Who is my local BEgrid contact person?
Good question. If you really don't know or you can't ask anybody else, you may always contact rosette.vandenbroucke@vub.ac.be with this question.
Password advice
In the registration procedure that is described here, a number of passwords will be requested from you. Please choose good ones and don't share them with other people (or write them on post-its ;).
Some links
- www.alw.nih.gov
- www.auscert.org.au
- en.wikipedia.org
- pisa.belnet.be (dutch), (french)
Browser preparation
Everybody has to do this at least once.
- Load the certificate authenticating the BEgrid CA by clicking on the appropriate link at https://gridra.belnet.be/
- This may bring up a so-called Software Security Device that will manage your certifiactes in your browser.
When this is the first time you use it, you'll need to configure it first. Most probably this means setting a password to protect the device.
- If nothing happens automagically, download the certificate from the above link and import it yourself
- Mozilla/firefox/etc : Edit -> Preferences -> Advanced -> Manage certificates -> authorities -> import
Requesting a certificate for the very first time
To request a new certificate for the first time, just follow the procedure described here :
Requesting and retrieving your certificate must be done on the same browser and PC !
(Detailed instructions and screenshots are available here)
- Go to https://gridra.belnet.be/pub ( with IE or Firefox; Other browsers might also work)
- Choose 'Request a Certificate',
- Select the correct profile
- Complete the form and send
- A key-pair will be generated and your certificate request will be send to the Registration Authority.
- Once the RA has accepted or refused your request, you will receive a mail with an URL to retrieve your certificate.
- You can install the certificate directly in your browser (recommended) or download it as a file.
- If you installed it in your browser, you can use the backup function of the browser to export the certificate with the key-pair.
Install your certificate in your new Unix account
The certificate has to be copied on the User Interface server (and saved in a different format ...)
- Export the certificate from your browser, into a 'p12' - file
- for Firefox: Select Edit/Preferences->Advanced->Manage Certificates; Select the Certificate Click "Backup" give the requested password, then Save with file name "cert" (Will create file cert.p12)
- for Internet Explorer Select Tools/Internet Options Select Content Select Certificates Select Personal Select the Certificate Click "Export" On Certificate Manager Export Wizard Select Next Select 'Yes, export the private key'
- Specific procedure for MAC OS
Select Personal Information Exchange PKCS#12 (.PFX) give the requested password, then Save with file name "cert".( will save cert.pfx, rename this to cert.p12 )
- scp the file cert.p12 on the User Interface server.
- login on the userinterface-server; The file cert.p12 should be in your homedirectory now. Execute fillowing commands (to transform the certificate and private key from the PFX-format into PEM format; they will ask for the passphrase you put on cert.p12 in order to read it, and will ask you for a new passphrase to put on the private key userkey.pem; You can take the same passphrase ... !)
mkdir ~/.globus openssl pkcs12 -nocerts -in cert.p12 -out ~/.globus/userkey.pem openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~/.globus/usercert.pem chmod 400 ~/.globus/userkey.pem chmod 644 ~/.globus/usercert.pem
Update certificate
As the CA changed, users with a certificate made before November 2008 should ask for a new certificate. This is because the certificate authority changed.
- Certificate renewal for certificates delivered BEFORE November 2008
- First follow the procedure as detailed in "Requesting a certificate for the very first time"
- Install your newly received certificate in a directory other than .globus, as you will use the old one while waiting for the new one to be approved by cms
- Then go to https://lcg-voms.cern.ch:8443/vo/cms/vomrs?path=/RootNode/MemberAction/MemberDNs/AddDN&action=execute&do=select
- Fill in your new Dn (you can obtain this by running the following command:
openssl x509 -in usercert.pem -subject
- Your new DN starts with /C=BE
- Make sure when you copy, not to add any whitespace before or after the DN
- also change the CA (dropdown box) to : /C=BE/OU=BEGRID/O=BELNET/CN=BEgrid CA
- note that a similar one exists with an email address. Do NOT use the one with the email address.
- In the reasons box, fill in: "Change of CA"
- Wait until the new certificate is approved and then ...
- contact the admins to have your dcache acces mapped to your new DN (send us the DN via email)
- also change your DN into siteDB (https://twiki.cern.ch/twiki/bin/view/CMS/SiteDBForCRAB)
- Certificate renewal for certificates delivered AFTER November 2008
- Go to the belnet site https://gridra.belnet.be/pub/
- Go to request a new certificate based on an existing certificate (the renew function does not work on their site)
Extra
Useful link for all detailed commands on certificates:
Virtual Organisation
What VO should I join?
Depending on your experiment or type of application, you have to choose a corresponding VO. If you have no clue which it is, ask your contact person.
Unless you really know what your doing (but why are you reading this page?), don't join dteam or ops.
CMS
For all people that are in the CMS collaboration and that need access to something.
- You need to have your browsercertificate loaded.
- Go to: VO CMS registration
- Phase I
- fill in a valid email address
- the email address must be known in the CERN database and in the CMS database (normally this is the address used when registering with CMS for the first time)
- in case you have problems, try the CERN xwho database to find your known email address
- select Marti Pimia as representative
- fill in your first name and last name
- wait for an email to go to Phase II
- click on the link in the email. It will take you to the Phase II registration page.
- fill in your personal information
- pick any additional roles (if really needed). the default should be ok for lost people.
- on the bottom: read the GRID Acceptable Use Policy and select ok
- click to register
- Also send an email to the admins [ grid_admin[AT]listserv.vub.ac.be ] to tell them who you are. Also put your team leader in CC, in this way we know that you are part of the Belgian collaborators (it is impossible for us to know all new members)
- you now have to wait for approval of your request. this can take some time and you will notified by email.
- at latest one day after this approval you will be able to use the CMS grid resources.
- After you are member of the VO cms, you need to join the group /cms/becms
- Goto the Select Groups & Group Roles
- Select the group /cms/becms
- Press Submit at the bottom of the page
- Image(cms-groups-becms.png, 50%)
- HN account
- New member info
- If you have a lxplus account, you can register yourself
- If not, you need to send an email to the cms hn admin.
- Register HN account in SiteDB
- IMPORTANT: this is a new step (01/06/2008) and is (among other things) needed to login at the UI's at the computing center.
- Don't forget to edit the DN of your profile.
- Your new DN can be obtained by running the following command:
openssl x509 -in usercert.pem -subject
- You need to register to the t2b user mailinglist
- Go to the request page
- list is called belgian-t2-users@cern.ch
- If any of this fails, ask someone to contact the mailinglist admins (or ask them to send a mail to this list with your request)
- Once all this is completed, send an email to the admins [ grid_admin[AT]listserv.vub.ac.be ] with your public ssh keys. We can then grant you access to the M0 and M1 machines.
- do this by the following procedure:
in a shell type: ssh-keygen and follow the instructions. The defaults suggested are fine. Just choose a password. this will create 2 files in the following directory: <home dir>/.ssh The files are: id_rsa id_rsa.pub You need to send us the id_rsa.pub, which contains your public key. The other is your private key and should never be shared.
- On these machines, a backup scheme is present, please read the page to familiarize yourself.
- Also, a quorum of 490G is applied to these disks. If you need more user space, please contact the admins.
BEapps
- For all people that want to have their application running in BEgrid on a production level.
- You need to have your browsercertificate loaded.
- Go to: VO BEapps registration
BEtest
- For all people that want to test their application running in BEgrid.
- You need to have your browsercertificate loaded.
- Go to: VO BEtest registration
Get access to UI using Linux
- Valid UIs: m0.iihe.ac.be, m1.iihe.ac.be, m8.iihe.ac.be, m9.iihe.ac.be, m6.iihe.ac.be, m7.iihe.ac.be
- Direct password authentication is not allowed on the UIs for security reasons. You will need keypair authentication to gain access.
- A valid keypair can be easily generated with ssh-keygen. This program will create a public and a private key. Needless to say that you should protect your private key with a strong passwd and that you do not share the private key with others nor use the same private key on different machines.
- From the machine you use to connect run ssh-keygen -t rsa -b 2048
- It first prompts for the location of the files. keep the default values unless you know what you are doing
- Then it will prompt for a password. this is the password used to encrypt your key. if you fill nothing and just press return, you will be able to use passwordless login to the machine. this is not very secure.
- If you want to add or remove the password from your private key, read the examples section of man rsa
- This generates 2 files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, of which ~/.ssh/id_rsa.pub is the public key.
- Send an email to grid_admin@listserv.vub.ac.be and explain to us who you are and what you want to do. Very important : attach your public key (ie id_rsa.pub) to this mail !
- Once you've got a positive answer from us, you can try to connect from your machine to the UI (eg ssh m0.iihe.ac.be)
- It's possible that you need to relogin and/or wait 10 seconds for changes to take effect.
- It's possible that your ssh client doesn't use ssh protocol 2 by default. if not, try to connect with eg "ssh -2 m0.iihe.ac.be". if this works, you can make this the default option by adding in ~/.ssh/config the line
Protocol 2
Get access to UI using Windows
- Valid UIs: m0.iihe.ac.be, m1.iihe.ac.be, m8.iihe.ac.be, m9.iihe.ac.be, m6.iihe.ac.be, m7.iihe.ac.be
- Using the following ssh client: ssh secure shell 3.2.2.
- Open the ssh secure shell client and then do the following:
- Go to Edit > Settings.
- In the tree view, select Global Settings > User Authentication > Keys.
- Select Generate New. The Key Generation wizard starts.
- Select Next.
- Select the Key Type and Key Length. Take RSA as Key Type instead of the default DSA
- Select Next. Wait for key generation to complete.
- Select Next. Enter a name for your private key file and enter the passphrase you will use to access the private key. You must enter the passphrase identically in the two Passphrase fields. The passphrase must consist of at least 8 characters and must contain both numbers and letters. This is the passphrase you'll have to type when logging in on e.g. m1. Select Next.
- Select Finish. Do not try to upload because this will not work
- From the Keys list, select your private key file and then select View. Notepad opens showing your public key.
- In the SSH Secure Shell application Settings window, select OK to close the Settings window.
- Save your public key on the /user disk (do a scp to e.g. lxpub2) in the .ssh directory, for instance /user/pvmulder/.ssh/pub_windows_rsa.pub
- Make sure you are copying/saving the PUBLIC key!
- Make sure the key is 1 long string and there are no newlines, otherwise it will not work!!!
- For instance if your public key looks like this (just an example, not my real key ;-) ):
---- BEGIN SSH2 PUBLIC KEY ---- Comment: "[2048-bit rsa, petra@your-9e8503f508, Thu Jun 14 2007 09:20:\44]" AAAAB3NzaC1yc2EAAAADAQABAAABAQDNi9sQXqc6hsNjMXCyLBBE2pIiOufc0wFfMx2T7RGQTl dKXmBZyVMeBwnibDgsq4J3+ukPTPRCYnrvZUYH/3tKnD8SvXUomczbxnVPJeiwEPIM6MULFh0J ... ...<not ar real key>... ... LB7PtGFsBYunntmA4mmY0tHpBkNwLO+93N9T1i7Nr0dcp97/r8Yrm/1e7 ---- END SSH2 PUBLIC KEY ----
- After some cutting away and adding ssh-rsa in front it should look like this (make sure everything is on the same line):
ssh-rsa AAAB3NzaC1yc2EAAAADAQABAxbfP4UblsxBFKfd...<not a real key>...BYunntmA4mmY0tHpBkNwLO+93N9T1i7Nr0dcp97/r8Yrm/1e7
- Then type (if pub_windows_rsa.pub is the name of your public key): ssh-rsa pub_windows_rsa.pub export
Now you can simply login on the m<x> machines by using the quick connect button in you ssh secure shell client and filling in e.g. m1.iihe.ac.be and your username.
Problems
No certificate matches private key
When the converion to .p12 fails with this message, a number of things might be wrong:
- make sure that the request-key is the one matching the certificate (ie the download.cer file).
- check the public modulus:
- openssl rsa -noout -text -in <request_key>
- openssl req -noout -text -in <newcert_request.pem>
- openssl x509 -noout -text -in <download.cer>
- they should all have the same modulus, eg
Modulus (2048 bit): 00:a8:7d:e0:ec:c6:ba:0b:39:87:92:87:2e:1d:03:
- if this is not the case, somthing went wrong somewhere. You should contact gridcaNOSPAM@belnet.be and explain them your problem.