Username for CRAB

If you are reading this page due to an error message from CRAB you need to check that your DN is correctly registered with CMS (see section Adding your DN to your profile below). If you are certain this is already done and still have CRIC problems, follow the trouble shooting guide below.

What is this

This page explains what you need to do so that CRAB can extract your username from your authentication credential. As of this writing (February 2020) CRAB relies on X509 certificates with VOMS extensions as credential and looks up CRIC in order to map to a username. A globally unique username is needed for proper identification and isolation of CRAB tasks and outputs and we will use your CERN computer account username for that. The procedure to extract such username from your VOMS proxy was changed from SiteDB to CRIC in 2018, this page reflects current practice and may be updated in the future if needed.

The old twiki about SiteDB can be found here, in case we missed to port some useful bit of information.

If you look for a general introduction to how to get a certificate, a VOMS membership, use those with CMSWEB and/or CRAB etc., please look in the CMS Offline Workbook at CMS.WorkBookGetAccount#AccessGrid

VERY important note about certificates

A valid GRID certificate is needed in order to access services hosted on CMSWEB and many other services. You MUST be aware that different client tools will look for the certificate in different places and formats. In particular

  • web browsers request you to import a certificate and then use their own internal copy of it
  • commands, script etc. from Linux shell will look for .pem files in your ~/.globus directory
You must make it sure that same certificate is in both places, in particular if you switch to a new certificate from a different CA or if you simply renew your certificate (which you have to every year) the new one has to be put im both places. Only you can make this check. Please do it before you report any problem.

Relations between certificate in browser and in ~/.globus, converstion to/from pem format etc. are described in this twiki page

What is CRIC?

CRIC is a database and web interface that CMS uses to track sites and the people responsible for maintaining them. It is also used by CRAB to find out the primary account username associated with the DN of the user. The username is a string used to create the endpoint for the stageout and publication (see for example stageout and publication with CRAB2 or Data handling in CRAB3).

CRIC is also used to define groups and to define people's roles within that group.

Accessing CRIC

CRAB or other tools will access information from CRIC via programmatic API's, but in order to view or check your informaiton or to diagnose problems you will want to access it from CMSWEB.

This requires that your browser is properly configured to trust CERN CA's and to present your valid personal grid certificates. Those requirements applies in many other instances as well, you can find instructions and debugging tips in

Adding your DN to your profile

From December 2018 CMS users are not required anymore to be registered in SiteDB Now the user information username - DN are automatically stored in CRIC querying the CERN users database through the public information in LDAP. This means

  • CMS users with a CERN grid certificate are automatically registered in CRIC, with their CERN certificate associated to their primary CERN account.
  • Users who have a non-CERN certificate mapped to their account, but wish to use the CERN certificate in CRIC are allowed to do so automatically
  • CMS users with a non-CERN certificate (i.e. issued by DOE Grids, GermanGrid, INFN, etc.) should map their certificates to their corresponding primary CERN account via the CERN Grid Certification Authority page

Note: If the user's primary account is not attached to the CMS group, the user may need to follow the steps here to enable access to CMS resources (like EOS).

Useful instructions for steps above are:

  1. Access CERN Grid CA
    go to the CERN Grid Certification Authority page, authenticate (use SignIn link at top right) and you should see a page like this:
  2. Add a certificate mapping
    click on "Map a non-CERN certificate to your account" (see red hand icon in the image above) which should lead you to this page which looks like the image below. To add a new mapping, use the "Map Certificate" tab and then use the "Browse..." (or "Choose File") and "Submit" buttons to upload your usercert.pem file (which is what the page refers to with "Base64 format"). This file is usually found in the ~/.globus directory in the machine(s) you use for grid work
  3. Remove a certificate mapping
    To remove an existing mapping, use the "Settings" tab. There will be a cyan [delete] buttton to click. See image below and notice postion of the red cursor:


  1. If you have multiple CERN user accounts, be aware that CRAB is only tested to work with certificates mapped to your primary account, as far as we know there is no satisfactory way to use a CERN non-primary account name as userame in CRAB
  2. Map the certificate using the instructions at point 2. of the previous section.
    • Whatever certificate users would like to use must be mapped to the primary account and that same certificate must be installed in your browser.
  3. Check if the association is ok in the [][CRIC people page]].
    • Please allow some time for CRIC to update. If you have changed/updated your DN, it could take up to 4 hours to show your changes in CRIC.
  4. Users with a different username in lxplus and their local site system may need to get new arrangements with their home T2 administrators in order to identify the stageout area in /store/user/.

Check which certificate is mapped to your CERN account

You can check what is mapped to your CERN account at the CERN CA page using instructions above, but if you want a quicker, no graphical way, or need to check someone else's situation, you can access CERN LDAP service from lxplus (make sure you do not have CMSSW setup as it messes up ldap) with:
ldapsearch -LLL -x -o ldif-wrap=no -h -b "DC=cern,DC=ch" "cn=USERNAME" altSecurityIdentities | grep altSecurity 
make sure to replace USERNAME string in command above with your CERN user name. If you did not indicate an alternative the mapping the output will not be very telling, and that's OK. But if you did, it will be shown frst in the list like in the following example:

belforte@lxplus100/~> ldapsearch -LLL -x -o ldif-wrap=no -h -b "DC=cern,DC=ch" "cn=belforte" altSecurityIdentities | grep altSecurity
dn: CN=belforte,OU=Users,OU=Organic Units,DC=cern,DC=ch
altSecurityIdentities: X509:<I>C=NL,S=Noord-Holland,L=Amsterdam,O=TERENA,CN=TERENA eScience Personal CA 3<S>DC=org,DC=terena,DC=tcs,C=IT,O=Istituto Nazionale di Fisica Nucleare,CN=Stefano Belforte
altSecurityIdentities: X509:<I>DC=ch,DC=cern,CN=CERN Certification Authority<S>DC=ch,DC=cern,OU=Organic Units,OU=Users,CN=lsfcert
altSecurityIdentities: X509:<I>DC=ch,DC=cern,CN=CERN Certification Authority<S>DC=ch,DC=cern,OU=Organic Units,OU=Users,CN=acronmc
altSecurityIdentities: X509:<I>DC=ch,DC=cern,CN=CERN Trusted Certification Authority<S>DC=ch,DC=cern,OU=Organic Units,OU=Users,CN=pkinitor,CN=653930,CN=Pkinit Kerberosservice

Verifying your certificate using your browser

  • Install your X509 grid certificate in your web browser and enable it for; DQMGUIGridCertificate outlines some of the key steps. This recipe there should work at least in Firefox, Chrome and Safari.
  • Visit and make sure it shows valid certificate which has been registered as a CMS VO member. The X509 DN shown here should be the same as displayed in the previous step, and must match the grid certificate you use for job submission. You need to have everything reported here as ok before you can proceed to the next step.<br/><br/><img src="/twiki/pub/CMSPublic/UsernameForCRAB/auth_verify.png" alt="authentication verification" width="500" height="400" />

CMSWEB common problems and solutions

Authentication to CMSWEB fails

  • Most CMSWEB servicies (DAS, PhEDEx subscription management) requires authentication via a certificate. If your browser is not properly setup you will see ill see something like

    Need to authenticate
  • Solution: Click as indicated in the page to Diagnose certificate p4roblems, you will be redirecte to where more diagnotic will appear as indicated below

You have no valid certificate

  • Either you do not have a personal certificate in the browser, or it is expired.
  • you will see something like

    no certificate
  • Solution: make sure that your personal certificate is imported in the browser and that it is not expired. Best to have only one certificate in the browser

Your certificate is not in VOMS

  • you will see something like

    cert not in VOMS
  • Solution: if you never registered in CMS VOMS, do so. If you registered already and your membership is not expired, maybe you registered with a a different certificate. It is better to use only one certificate for everything. Make your mind which one you want to use and keep only that in your browser. You can always add a certificate to your VOMS membership from the VOMS web page, no need to register as a new person.

Check username extraction from CRIC

First of all make sure that you have same certificate in your browser and in ~/.globus, see UsernameForCRAB#VERY_important_note_about_certif

in your browser

Check that CRIC recognises you at this should show both your username account ("login") and certificate ("dn").

in CRAB3

In order to check if your username can be extracted from CRIC, please use the crab checkusername command (you need to have setup UI, cmsenv and CRAB3 in the proper order and have created a valid proxy).

If you still have problems

  • Check that your CRAB configuration and environment is correct by following Check username extraction from CRIC above.
  • Check that your DN is correctly reported at
  • Please allow some time for things to update, it could take up to 4hrs to show your changes if you have changed/updated your DN.
  • If your destination storage is EOS at CERN, you can verify that you are correctly mapped in there to your lxplus username with
    voms-proxy-init -voms cms
    voms-proxy-info -all
    uberftp pwd
    If you do not see your username listed as the one logged in, add the output of those coomands to your problem report
  • if you have a problem which you still can not solve, report it to the Computing Tools CMS.HyperNews forum providing as many details as possible and make sure to include the exact command or action which fails, add screenshots if relevant etc.

How to report problems with CRIC

If the whoami above works then your problem is in CRAB. Report the issue to the Computing Tools CMS.HyperNews forum.

If you have troubles adding your DN to your account, or break something while doing that, report the problems by filing a GGUS ticket and choose the following settings in the mask:

  • Type of issue: 'OTHER'
  • Support Unit: 'WLCG: CRIC'

In the text field make sure you include:

  • The CRIC keywork in the subject.
  • A description of the problem as detailed as you can.
  • Your username.
  • Your certificate DN.
  • Your email address.
Not including this information will make solving your problem slower/impossible.
Topic attachments
I Attachment History Action Size Date Who Comment
PNGpng CERN_CA.png r1 manage 108.4 K 2019-01-11 - 09:32 KateDziedziniewicz  
PNGpng Certificate_Mapping.png r1 manage 330.6 K 2019-01-11 - 09:32 KateDziedziniewicz  
PNGpng NeedToAuthenticate.png r1 manage 52.1 K 2019-01-11 - 09:27 KateDziedziniewicz  
PNGpng NoCert.png r1 manage 96.1 K 2019-01-11 - 09:27 KateDziedziniewicz  
PNGpng Remove_Mapping.png r1 manage 175.5 K 2020-02-28 - 00:35 StefanoBelforte  
PNGpng ValidCertNotInVoms.png r1 manage 94.5 K 2019-01-11 - 09:27 KateDziedziniewicz  
Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2020-04-10 - StefanoBelforte
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    CMSPublic All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback