PRAGMA VOMRS User Guide

From PRAGMA wiki
Revision as of 17:03, 21 October 2015 by Wikiadmin (Talk | contribs)


Current VOMS-aware sites/cluster and account type

  • AIST - sakura.hpcc.jp; shared and pooled (individual) accounts
  • IHPC - sirius.ihpc.a-star.edu.sg; shared accounts
  • SDSC - rocks-153.sdsc.edu; shared and pooled (individual) accounts
  • BeSTGRID - ng2hpc.canterbury.ac.nz; shared accounts

Test access to a VOMS-aware site in PRAGMA grid

  • You need to join the PRAGMA VO to access VOMS-aware sites.
    • To find out your VO member status, access the PRAGMA VOMS web site with a browser, click "Member" in the left pane, fill in your first name and select the box for "Groups (Roles)", then click the "Search" button.
    • If you are not a member yet and would like to join, email Cindy.
    • Explanations of some PRAGMA VO groups:
/PRAGMA/Individuals - users who need individual accounts
/PRAGMA/USERS - default user group
/PRAGMA/Avian-Flu-Grid - for Avian Flu Grid project
/PRAGMA/e-AIRS - for e-AIRS project
/PRAGMA/Nimrod - for Nimrod project
/PRAGMA/USM-DEER - for USM DEER project
  • Create a proxy

If voms-proxy-init does not exist on your local system, ask your administrator to install the VOMS client.
For example, if a user has joined the /PRAGMA/Avian-Flu-Grid VO group and would like to create a proxy as a member of that group:

$ voms-proxy-init -voms PRAGMA -order /PRAGMA/Avian-Flu-Grid
  • Test gsissh

If gsissh does not exist on your local system, ask your administrator to install the GSISSH client.

$ gsissh <remote-host-FQDN>

For example:

[changc@rocks-153 ~]$ voms-proxy-init -voms PRAGMA -order /PRAGMA/USERS
Enter GRID pass phrase:
Your identity: /DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=Cindy Chang
Creating proxy ..................................... Done
Your proxy is valid until Tue May 19 13:03:29 2009
[changc@rocks-153 ~]$ gsissh sakura.hpcc.jp
Last login: Mon May 18 19:21:06 2009 from sirius.ihpc.a-star.edu.sg
Cindy Chang@sakura ~ $ id
uid=10210(g-pragma) gid=10210(g-pragma) groups=10210(g-pragma)
Cindy Chang@sakura ~ $ pwd
/home/g-pragma/DC_NET_DC_PRAGMA-GRID_OU_SDSC_CN_Cindy_Chang

If gsissh fails, run "voms-proxy-info -all" and "gsissh -v <hostname>", and email the outputs to your system administrator for help.
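
An added example (not part of the original wiki page): a triage function for the "voms-proxy-info -all" output mentioned above. It checks that the proxy still has time left and that the first FQAN, the one -order puts first, is the group you asked for. The sample output is constructed, voms.example.org is a placeholder host, and it is an assumption that sites map accounts from the first FQAN.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: voms-proxy-info -all | check_proxy /PRAGMA/USERS

check_proxy() {
    awk -v want="$1" '
        {   # split each "key : value" line at its first colon
            pos = index($0, ":")
            if (pos == 0) next
            key = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        # the first timeleft line belongs to the proxy itself
        key == "timeleft" && !seen_time { seen_time = 1; left = val }
        # the first FQAN is the primary one (assumed to drive account mapping)
        key == "attribute" && val ~ /^\// && !seen_attr { seen_attr = 1; fqan = val }
        END {
            if (!seen_time || left ~ /^0+:0+:0+$/) {
                print "FAIL: no proxy found or proxy expired"; exit 2
            }
            if (!seen_attr) {
                print "FAIL: proxy carries no VOMS attributes"; exit 3
            }
            grp = fqan; sub(/\/Role=.*$/, "", grp)
            if (grp != want) {
                print "FAIL: primary group is " grp ", expected " want; exit 4
            }
            print "OK: primary group " grp ", time left " left
        }'
}

# Constructed sample output (issuer and host are placeholders).
sample_output() {
    cat <<'EOF'
subject   : /DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=Cindy Chang/CN=proxy
issuer    : /DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=Cindy Chang
identity  : /DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=Cindy Chang
type      : proxy
timeleft  : 11:59:42
=== VO PRAGMA extension information ===
VO        : PRAGMA
attribute : /PRAGMA/USERS/Role=NULL/Capability=NULL
attribute : /PRAGMA/Role=NULL/Capability=NULL
timeleft  : 11:59:42
uri       : voms.example.org:15000
EOF
}

sample_output | check_proxy /PRAGMA/USERS
```

Exit status 2 means no usable proxy, 3 means a plain proxy without VOMS attributes, and 4 means the primary group is not the one requested.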

  • Shared account

The first time you log in to a shared account, a new subdirectory is created in the shared account's home directory and becomes your home directory. See the example above.

  • Test Globus authentication, job submission

See User_Testing#Test_Globus_access

Access PRAGMA VOMRS Web Site With a Browser

To access the PRAGMA VOMRS web site, you need to load 3 certificate files into your browser:

  1. Your own Globus user certificate
  2. The certificate of the CA that issued your user certificate
  3. PRAGMA-UCSD CA certificate


Here is an example of user Cindy obtaining access to the PRAGMA VOMRS web site using Internet Explorer on a PC laptop:

  • Get the user certificate file ready. Cindy has these certificate files
[zhengc@rocks-52 ~]$ ls -l .globus
total 20
...
-r--------  1 zhengc zhengc 4998 Mar  7  2006 usercert.pem
-r--------  1 zhengc zhengc 1743 Mar  7  2006 userkey.pem

Since Internet Explorer does not accept certificates in PEM format, she converts hers to an acceptable format (cer, p12, or p7b, ...):

$ openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercert.p12
Enter Export Password:
Verifying - Enter Export Password:

Then she copies usercert.p12 to her laptop.
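
An added example (not part of the original wiki page): the same conversion wrapped in a function that first confirms the private key belongs to the certificate and then writes the .p12 with owner-only permissions, since that file contains the private key. The function name and the optional fourth argument (an openssl pass-phrase source such as env:P12_PASS) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: export_p12 usercert.pem userkey.pem usercert.p12 [PASSOUT]
# Without PASSOUT, openssl prompts for the export password as shown above.

export_p12() {
    cert=$1 key=$2 out=$3 passout=${4:-}

    # Refuse a key that does not belong to the certificate: compare the public
    # key embedded in the certificate with the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 3
    fi

    # The .p12 carries the private key, so create it unreadable to other users.
    (
        umask 077
        if [ -n "$passout" ]; then
            openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
                -passout "$passout"
        else
            openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out"
        fi
    ) || return 4
}
```

If userkey.pem is passphrase-protected, openssl asks for that passphrase as well. Delete any intermediate copies of usercert.p12 once it has been imported into the browser.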

  • Cindy's user certificate is issued by the SDSC CA. SDSC provides a page for importing its root certificate directly into a browser at http://www.sdsc.edu/CA/loadCAcert.html, so there is no need to download its certificate file.
  • Download the PRAGMA-UCSD CA root certificate file from http://ca.pragma-grid.net/ca-certs/7721d4d3.cer.
  • Now Cindy is ready to import these certificates into her Internet Explorer browser.
    • In the case of the SDSC root CA, point the browser to http://www.sdsc.edu/CA/loadCAcert.html and import the certificate into "Trusted Root Certification Authorities".
    • In the case of the PRAGMA-UCSD CA, which does not provide direct import into a browser:
      • Open Internet Explorer
      • Click "Tools" -> "Internet Options"
      • Click "Contents", then "Certificates"
      • Click "Trusted Root Certification Authorities"
      • Click "Import...", then "Next"
      • Click "Browse...", find the 7721d4d3.cer file, and confirm the remaining prompts to finish.
    • Then import the user certificate:
      • Open Internet Explorer
      • Click "Tools" -> "Internet Options"
      • Click "Contents", then "Certificates"
      • Click "Personal"
      • Click "Import...", then "Next"
      • Click "Browse...", find the usercert.p12 file, and confirm the remaining prompts to finish.

Now Cindy is able to access the PRAGMA VOMRS web site by pointing her browser to https://vomrs-pragma.sdsc.edu:8443/vomrs/PRAGMA/vomrs. When she is prompted to "Choose a digital certificate", her user certificate is listed in the dialog box. Selecting it and clicking "Ok" brings her to the "PRAGMA VO Registration" page.

Apply For PRAGMA VO Membership

Click the "+" sign to the left of "Members" in the menu pane (left), then click "Register". A registration form appears in the right pane. Fill out the form, then click the "Submit" button.

The VO admin and site representatives will be notified of your application. When they approve, you will receive an email. Then you should follow the instructions in the email to confirm and complete the registration.

For more detailed information about VOMRS, see http://wwwserver2.fnal.gov/www/docs/vox/voxconv/Output/voxTOC.html.

If you are designated as a group representative, please make sure that you subscribe to email notifications. In the VOMRS interface, click "Subscription" in the left menu pane, check all the notifications you want, then click the "Submit" button at the bottom.

Set up a new PRAGMA VO group

Users who want an individual UNIX account should register in VOMS and join the /PRAGMA/Individuals group. Other groups in the PRAGMA VO are mapped to a shared UNIX account at VOMS-aware sites. This means that members of such a group share a UNIX account at a VOMS-aware site. Most groups are project-based. To set up a new group, follow these steps:

  • Email the VOMS administrator the following info:
    • project and group descriptions and URL
    • name and DN string of the group manager(s)
  • The VOMS administrator will approve and create the group.
  • The VOMS administrator will designate an administrator at a VOMS-aware site to work with a group member to implement and test the group account mapping, then update the wiki document and inform all other VOMS-aware sites.
  • All VOMS-aware sites implement the group account mapping, then inform the group manager(s).
    • Note that to access BeSTGRID resources, a group manager needs to complete a group account registration at BeSTGRID. See BeSTGRID for details.
  • A group member then tests access to each VOMS-aware site.
  • When all tests pass, the group manager(s) add more members to the group.