How to get access to WLCG

Summary

Three things are needed to have access to WLCG:

1. an account on a User Interface (any machine with the WLCG commands installed).
2. a personal certificate, used to authenticate with the Grid;
3. having your personal certificate registered in the CMS Virtual Organisation;

These steps are here explained in detail.

Note: in order to obtain a Grid certificate, and later to register with CMS Virtual Organization, you will need to use your web browser. The Certification Authority which your institution will refer you to will provide instructions from their side. But eventually you will need to point your browser to servers hosted at CERN, for this you must be sure that your browser trusts the CERN certificates. Please follow instructions in https://twiki.cern.ch/twiki/bin/view/CMSPublic/SWGuideVomsFAQ#CERN_Authority_root_certificate . A direct link to CERN iinstructions is https://cafiles.cern.ch/cafiles/certificates/list.aspx?ca=grid

Note that the proper procedure, regardless of which browser you are using, is NOT just to grant exceptions for each and every site you visit on a case-by-case basis, but instead it is important to use the certificate authority files as described above to set up the proper trust anchor paths for your browser and operating system.

Getting an account on a User Interface

A machine with the WLCG commands installed is, by definition, a User Interface (UI). Many institutes have local UIs; at CERN the needed commands are installed as part of the operating system on LXPLUS6, if you use an SL5 machine at CERN you can source the one of these script (pick according to your login shell):

/afs/cern.ch/cms/LCG/LCG-2/UI/cms_ui_env.csh   (tcsh)
/afs/cern.ch/cms/LCG/LCG-2/UI/cms_ui_env.sh     (bash)

Getting a personal certificate

A personal certificate consists of a pair of files, the private key (userkey.pem) and the certificate itself, containing the public key (usercert.pem). To obtain a certificate, a request has to be made to a Certification Authority recognized by WLCG. You have three options, ordered from most preferred to least preferred:

1. request a certificate from the CERN CA if you have a CERN NICE/lxplus account ( instructions here);
2. find out from the list of recognized International Grid Trust Federation Certification Authorities the one that provides service to your country and request a certificate from that CA following the procedures published on their web site;
3. request a certificate from the WLCG catch-all CA if no CA exists for your country and you do not have a CERN NICE/lxplus account.

Special note for German collaborators: If you are a member of a German CMS institution, they require you to use a certificate from the German CA. You can contact your local institution for more details.

How to register in the CMS VO

When in possession of a personal certificate, a CMS user has to register his or her certificate in the CMS Virtual Organisation in order to be authorized to use WLCG resources.

Needed steps are:

1. Make sure you are registered at CERN as a CMS member (VOMS will check it) in CERN's Human Rescource Data Base.
   • Most users can simply verify that they appear in CERN's phonebook and that CMS is indicated as main experiment in there. But there are a few cases in which CERN will not list you in the phonebook even if everything is OK, in this case you want to be sure that both CMS Secreatariat and CERN User's Office have acknowledged your registration.
2. Make sure your web browser is ready and your personal certificate is in it (best it to make sure that it is the only personal certificate).
   • Remember that if you change browser (or computer) it is up to you to import your certificate from one browser to another
   • Registration can only done using your web browser. All major modern browsers should work, but if possible we recommend using Firefox as it is the most tested one.
   • Most CA's give users certificates via web pages, so the certificate is already imported in your browser as part of previous steps, in particular this is the case with CERN certificates. If instead you got your certificate as a file, you need to make sure it is P12 format (contact your national CA if needed) and then load it into your browser (instructions are different for each browser and can be found e.g. via google).
3. Click here to reach the VOMSAdmin server and submit the registration form
   • If you have problems, see Troubleshoot instructions below.
   • Documentation on the VOMSAdmin web page(s) is available here but usually there's no need to lookup this manual
4. After submitting the form, you will get a confirmation email that contains a link that you need to click to confirm your registration. Find the link and click it.
5. Now, you need to wait for final confirmation that will be done by the VO administrators, wait up to a day especially on weekends
6. When they confirm your registration request, you will get a notification email
7. Finally, you can sign up the AUP using the link in that mail, or go directly to here

1. pick your VOMS groups and roles if needed
   • Most CMS user should not select any group nor role, but some national organization have specific rules (below), user can contact directly their institution for doubts:

User from	should select group	and role
US-CMS	/cms/uscms	None
Germany	/cms/dcms	None
Italy	/cms/itcms	None
Spain	/cms/escms	None
Belgium	/cms/becms	None

Special instructions for US-CMS users

All members should sign up for the /cms/uscms group. Further, you can select your role in the group. If you do not know any reason to pick a specific role, do not select any. For any question, contact Anthony Tiradani (tiradani AT fnal.gov).

CERN Human Resources registration

To check if you are already registered, follow these steps:

1. go to http://graybook.cern.ch/ExperimentSearch.html;
2. select CMS as experiment, enter your family name and click search;
3. if you find yourself, then you are already registered; otherwise, you need to register;
4. if the generic e-mail and the physical e-mail are all none, please write to Cms.People@cernNOSPAMPLEASE.ch and ask your preferred e-mail address to be added to the Graybook and to the CERN phonebook; The registration to the CMS VO cannot proceed until this is done.

To register in the CERN HR database:

1. complete this web pre-registration form;
2. you will then be contacted by the CMS secretariat (cms.people at cern.ch) to fill in the CMS registration form.

You will be contacted by the CMS secretariat to confirm your registration.

Troubleshooting -- Solutions to common problems

You can find in this page tips and hints for common problems when trying to obtain or renew your CMS VO membership

You can find here hints on how to verify that your grid certificate is working.

If you try that and get an error message that you do not understand, and if you are sure that you have properly followed the VOMS registration procedure, the following are possible reasons:

If you are getting an authorisation error when using WLCG commands, the cause can be one among many:

1. your proxy certificate has expired;
2. your personal certificate has expired;
3. you have renewed your certificate but you are still using your OLD private key;
4. your membership in the CMS-VO has expired, or you have not re-signed the grid usage rules.

You should be able to easily detect and solve those. If there is any problem with your data in the CERN HR database, contact CERN User Office.

If you really have a problem that you can not solve yourself, contact the CMS Computing Tools on CMS Talk (cmstalk+computing-tools@dovecotmtaNOSPAMPLEASENOSPAMPLEASE.cern.ch)

---

StefanoBelforte - 2016-10-23 - streamline Troubleshooting section and point to HN for help

---

StefanoBelforte - 2015-12-18 - simplify VO registration part and point to new VOMSAdmin host

---

StefanoBelforte - 2015-11-10 - point to CERN User Office for Human Resource DB problems

---

AndreasPfeiffer - 2015-03-03 - updated links to new VOMS service