A valid certificate is needed in order to access the grid. Certificates are used to identify users. In addition to holding a valid certificate, every user must also be a member of a virtual organisation (VO). The resources a user is authorised to use are determined by VO membership.
Look up the instructions from here.
Once you have your certificate, the next step is to log in to a grid UI. This is a computer which is pre-configured with grid middleware client tools. The grid middleware is what allows the different resources to talk to each other and makes it possible for users to submit jobs. To log in from IPPP desktop machines, use:
ssh -Y username@gridui1.dur.scotgrid.ac.uk
Your username and password for the grid UI are not necessarily identical to your credentials on the main IPPP system.
After your certificate application has been approved, export the certificate as a PKCS12 file and copy this .p12 file to the grid UI (these steps are covered in the tutorial on obtaining certificates). In order to use the certificate for grid submissions, it needs to be converted to a public-private key pair. First, create a directory under your home directory on the grid UI:
mkdir .globus
and run the following commands (replace gridcert.p12 with the name of your PKCS12 file):
openssl pkcs12 -nocerts -in gridcert.p12 -out .globus/userkey.pem
openssl pkcs12 -clcerts -nokeys -in gridcert.p12 -out .globus/usercert.pem
The last step is to set the correct permissions:
chmod 444 .globus/usercert.pem
chmod 400 .globus/userkey.pem
Your private key is encrypted and can only be accessed with a passphrase. Once you submit your job, communication between different grid resources is needed, and each communication requires authentication. To reduce the number of times you need to enter your passphrase, the grid security infrastructure supports proxy certificates (delegation). A proxy contains a modified version of your public and private keys, and this private key is not encrypted. The slightly lower level of security is acceptable here because proxies have a finite lifetime.
The next step is to create a proxy, which also tests that your certificate is valid and properly installed. The proxy generation is done using the VOMS (Virtual Organisation Management Service) client tools. To create a standard 12h proxy, execute
arcproxy -S pheno -N
where pheno is the name of your virtual organisation. It will prompt you to enter your passphrase and after that it will tell you if the proxy generation succeeded or not. If successful, you should see output similar to this:
Enter pass phrase for private key:
Your identity: /C=UK/O=eScience/OU=Durham/L=eScience/CN=jeppe andersen
Contacting VOMS server (named pheno): voms03.gridpp.ac.uk on port: 15011
Proxy generation succeeded
Your proxy is valid until: 2015-12-09 04:16:25
You can test if you have a valid proxy, and how much time is left, with
arcproxy --info
which should give an output like:
Subject: /C=UK/O=eScience/OU=Durham/L=eScience/CN=jeppe andersen/CN=852084312
Issuer: /C=UK/O=eScience/OU=Durham/L=eScience/CN=jeppe andersen
Identity: /C=UK/O=eScience/OU=Durham/L=eScience/CN=jeppe andersen
Time left for proxy: 11 hours 51 minutes 50 seconds
Proxy path: /tmp/x509up_u1101
Proxy type: X.509 Proxy Certificate Profile RFC compliant impersonation proxy - RFC inheritAll proxy
Proxy key length: 1024
Proxy signature: sha256
====== AC extension information for VO pheno ======
VO : pheno
subject : /C=UK/O=eScience/OU=Durham/L=eScience/CN=jeppe andersen
issuer : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk
uri : voms03.gridpp.ac.uk:15011
attribute : /pheno/Role=NULL/Capability=NULL
Time left for AC: 11 hours 51 minutes 52 seconds
This contains information both on the validity of the certificate, and its association with the VO (Pheno in this case).
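The files created in the steps above can be audited with a short script. This is an added example, not part of the original tutorial: the function names are illustrative, and the proxy location defaults to the X509_USER_PROXY environment variable or the /tmp/x509up_u<uid> path shown in the arcproxy --info output.

```shell
#!/bin/sh
# Added example: audit the credential files produced by the steps on this page.
# Function names are illustrative. Usage: check_grid_creds "$HOME/.globus"

# perms FILE -> the nine rwx characters from `ls -ld` (no GNU stat needed)
perms() { ls -ld "$1" | cut -c2-10; }

# owner_only FILE -> true if group and other have no access at all
owner_only() {
    case $(perms "$1") in ???------) return 0 ;; *) return 1 ;; esac
}

# check_grid_creds GLOBUS_DIR [PROXY_FILE]
# Prints one line per finding; returns 0 when nothing is wrong, 1 otherwise.
check_grid_creds() {
    dir=$1
    proxy=${2:-${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}}
    key=$dir/userkey.pem
    cert=$dir/usercert.pem
    rc=0

    for f in "$key" "$cert"; do
        [ -f "$f" ] || { echo "MISSING: $f"; return 1; }
    done

    # userkey.pem: chmod 400 on the page; any group/other bit exposes the key.
    owner_only "$key" || { echo "KEY READABLE BY OTHERS: $key ($(perms "$key"))"; rc=1; }

    # The key must still be passphrase-protected (an export made with -nodes is not).
    # Matches both "BEGIN ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED".
    grep -q 'ENCRYPTED' "$key" || { echo "KEY NOT ENCRYPTED: $key"; rc=1; }

    # usercert.pem is public (444), but must not be writable by group or other.
    case $(perms "$cert") in
        ????-??-?) ;;
        *) echo "CERT WRITABLE BY OTHERS: $cert ($(perms "$cert"))"; rc=1 ;;
    esac

    # The proxy holds an unencrypted private key, so it must be owner-only.
    if [ -f "$proxy" ] && ! owner_only "$proxy"; then
        echo "PROXY READABLE BY OTHERS: $proxy ($(perms "$proxy"))"; rc=1
    fi
    return $rc
}
```

A missing proxy file is not reported, since a proxy only exists after arcproxy has been run and until it is removed.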
Different grid sites sometimes use different middleware, and not all the client tools can communicate with all the sites. In order to see which resources are available to your VO, use
lcg-infosites --vo pheno all
This command will print out information about all the resources available to you. If the name of the computing element contains "arc" or "nordugrid", it uses the ARC grid front-end on top of the cluster, and can be accessed via the ARC client tools. If the name contains "cream", it uses the gLite-CREAM front-end and the submission can be done using gLite or Dirac. The current (8/12/2015) list of non-cream compute elements (i.e. places where you can submit jobs using the ARC back end; see later) is found as
lcg-infosites --vo pheno ce | grep -v cream
# CPU  Free  Total Jobs  Running  Waiting  ComputingElement
----------------------------------------------------------------
16626   300       17378    16326     1052  arc-ce01.gridpp.rl.ac.uk:2811/nordugrid-Condor-grid3000M
16626   294       17734    16332     1402  arc-ce02.gridpp.rl.ac.uk:2811/nordugrid-Condor-grid3000M
16618   309       17441    16309     1132  arc-ce03.gridpp.rl.ac.uk:2811/nordugrid-Condor-grid3000M
16618   276       17081    16342      739  arc-ce04.gridpp.rl.ac.uk:2811/nordugrid-Condor-grid3000M
  272     0          13       13        0  ce1.dur.scotgrid.ac.uk:2811/nordugrid-SLURM-ce1
  232     0        1013      764      249  ce2.dur.scotgrid.ac.uk:2811/nordugrid-SLURM-ce2
 2052     0         652      652        0  dc2-grid-21.brunel.ac.uk:2811/nordugrid-Condor-default
  720     0         452      445        7  dc2-grid-28.brunel.ac.uk:2811/nordugrid-Condor-default
  724     2         903      722      181  hepgrid2.ph.liv.ac.uk:2811/nordugrid-Condor-grid
 3964     0        2655     2482      173  heplnv146.pp.rl.ac.uk:2811/nordugrid-Condor-grid
 3964     0        2757     2477      280  heplnv147.pp.rl.ac.uk:2811/nordugrid-Condor-grid
 5032     0        2747     2647      100  svr009.gla.scotgrid.ac.uk:2811/nordugrid-Condor-condor_q2d
 5032     0        2748     2648      100  svr010.gla.scotgrid.ac.uk:2811/nordugrid-Condor-condor_q2d
 5032     0        2742     2642      100  svr011.gla.scotgrid.ac.uk:2811/nordugrid-Condor-condor_q2d
 5032     0        2651     2651        0  svr019.gla.scotgrid.ac.uk:2811/nordugrid-Condor-condor_q2d
   16     8          20        8       12  t2arc00.physics.ox.ac.uk:2811/nordugrid-Condor-condorDEV
 1560   206        1869     1354      515  t2arc01.physics.ox.ac.uk:2811/nordugrid-Condor-gridAMD