How to get access to WLCG
Summary
Three things are needed to have access to WLCG:
- a personal certificate, used to authenticate with the Grid;
- having your personal certificate registered in the CMS Virtual Organisation;
- an account on a User Interface (any machine with the WLCG commands installed).
These steps are explained in detail below.
Getting a personal certificate
A personal certificate consists of a pair of files, the private key (userkey.pem) and the certificate itself, containing the public key (usercert.pem). To obtain a certificate, a request has to be made to a Certification Authority recognized by WLCG. You have three options:
- find the Certification Authority for your country in the list of recognized Certification Authorities and request a certificate from them following the procedures published on their web site;
- request a certificate from the CERN CA if you have a CERN NICE account (here);
- request a certificate from the WLCG catch-all CA if no CA exists for your country and you do not have a CERN NICE account.
When a personal certificate is renewed, normally the certificate subject is identical to the old one: in that case, nothing has to be done about the VO registration.
How to get or renew a certificate from the CERN CA
The CERN CA will issue certificates only to people with a CERN NICE account.
The steps to follow to make a request are explained in the CA website. The instructions to convert the certificate into a format appropriate for use in the Grid are here. If you have problems, write to the Helpdesk: Helpdesk@cern.ch. The procedure to renew a certificate is identical to the procedure to get a certificate for the first time.
Make sure that the certificate and the private key are installed in $HOME/.globus with the following permissions:
-rw-r--r-- 1 doe zh 4541 Feb 23 17:44 usercert.pem
-r-------- 1 doe zh 963 Feb 22 11:52 userkey.pem
Notice that the private key must be readable only by you, otherwise the certificate will not work (and your private key could be stolen).
How to register in the CMS VO
When in possession of a personal certificate, a CMS user has to register the certificate in the CMS Virtual Organisation in order to be authorized to use WLCG resources. The procedure differs depending on whether you are already registered in the CMS VO or not.
If you have never registered in the CMS VO
First of all, make sure that you are registered in the CERN Human Resources database with an e-mail address.
Follow these steps:
- obtain a personal certificate, if you have not done so;
- convert your certificate into P12 format and load it into your browser (instructions here); however, this is not necessary if you have obtained a CERN certificate, because it is already in the browser (use the very same browser used to request the certificate);
- go to the CMS VOMRS server and follow the instructions, taking into account the following:
- when asked, provide an e-mail address which matches the Generic E-mail or the Preferred E-mail fields in the CERN HR database; if you have an account at CERN, choose your CERN e-mail address;
- if you are a US-CMS member, select Vijay Sekhri as Representative and follow these additional steps;
- if you are a German CMS member, select Thomas Kress as Representative;
- if you are an Italian CMS member, select Giuseppe Bagliesi as Representative;
- if you are a Taiwanese CMS member, select Chia-Ming Kuo as Representative;
- otherwise, select Andrea Sciabà as Representative;
- select which groups and roles to join following the indications of the following table. The average CMS user should only select the combination /cms/Role=cmsuser.
| Group | Group Roles | Description | Non-US-CMS member | US-CMS member | German CMS members | Italian CMS members | Taiwanese CMS members |
| /cms | no role | All CMS users | Y | Y | Y | Y | Y |
| | cmsuser | Normal user in OSG | Y | Y | Y | Y | Y |
| | lcgadmin | To install CMS software on WLCG | N | N | N | N | N |
| | production | MC production in WLCG | N | N | N | N | N |
| | cmst0admin | CMS T0 admins | N | N | N | N | N |
| | cmst1admin | CMS T1 admins | N | N | N | N | N |
| | cmst2admin | CMS T2 admins | N | N | N | N | N |
| /cms/production | no role | For testing only (obsolete) | N | N | N | N | N |
| | high_prio | For high priority productions | N | N | N | N | N |
| /cms/analysis | no role | For testing only (obsolete) | N | N | N | N | N |
| /cms/HeavyIons | no role | For Heavy Ions studies | N | N | N | N | N |
| /cms/Higgs | no role | For Higgs studies | N | N | N | N | N |
| /cms/StandardModel | no role | For SM studies | N | N | N | N | N |
| /cms/Susy | no role | For SUSY studies | N | N | N | N | N |
| /cms/uscms | no role | OSG CMS users | N | Y | N | N | N |
| | cmsfrontier | Frontier ops | N | N | N | N | N |
| | cmsphedex | PhEDEx ops in OSG | N | N | N | N | N |
| | cmsprod | MC production in OSG | N | N | N | N | N |
| | cmssoft | To install CMS software on OSG | N | N | N | N | N |
| | cmst1admin | CMS T1 admins | N | N | N | N | N |
| | cmst2admin | CMS T2 admins | N | N | N | N | N |
| | cmsuser | Normal user in OSG | N | Y | N | N | N |
| /cms/dcms | no role | German user | N | N | Y | N | N |
| /cms/itcms | no role | Italian user | N | N | N | Y | N |
| /cms/twcms | no role | Taiwanese user | N | N | N | N | Y |
If you are already registered in the CMS VO with a different certificate
If you have recently obtained a new certificate but you were already registered in the CMS VO with an old certificate, please read also these instructions. This is the case, for example, if you got a new CERN certificate from the new CERN CA but you already had a certificate from the old CERN CA. Basically, what you have to do in this case is to add a new certificate to your entry in the CMS VO.
Special instructions for US-CMS users
All members should sign up for the /cms/uscms group. Further, you can select your role in the group from cmsfrontier, cmsphedex, cmsprod, cmssoft, cmst2admin and cmsuser. If you do not know your role, then your default role should be cmsuser. For any questions, contact Vijay Sekhri.
CERN Human Resources registration
To check if you are already registered, follow these steps:
- go to http://graybook.cern.ch/ExperimentSearch.html;
- select CMS as experiment, enter your family name and click search;
- if you find yourself, then you are already registered; otherwise, you need to register;
- if the generic e-mail and the physical e-mail are all , please follow the advice on this page or write to Cms.People@cern.ch and ask for your preferred e-mail address to be defined as the physical e-mail address. The registration to the CMS VO cannot proceed until this is done.
To register in the CERN HR database:
- complete this web pre-registration form;
- you will then be contacted by the CMS secretariat to fill in the CMS registration form.
You will be contacted by the CMS secretariat to confirm your registration.
Getting an account on a User Interface
A machine with the WLCG commands installed is, by definition, a User Interface (UI). Many institutes have local UIs; at CERN you can log in to LXPLUS and source the script
/afs/cern.ch/cms/LCG/LCG-2/UI/cms_ui_env.csh (tcsh)
or
/afs/cern.ch/cms/LCG/LCG-2/UI/cms_ui_env.sh (bash)
To learn how to use the WLCG commands, you should by all means read the gLite 3 User Guide: it explains all the basic concepts and all the commands, and it is full of examples. Here we only note that to run WLCG commands you must first create a "proxy certificate", valid for 12 hours by default, with the command grid-proxy-init: think of it as a sort of "Grid token", much in the same way you need an AFS token for LXPLUS. For comments or problems with the gLite 3 User Guide, write to support-eis@cern.ch.
Technical stuff
The URL of the CMS VOMS server is https://voms.cern.ch:8443/voms/cms/.
The latest LCMAPS configuration in LCG is [[http://lcgdeploy.cvs.cern.ch/cgi-bin/lcgdeploy.cgi/lcg-scripts/yaim/examples/groups.conf?rev=HEAD&content-type=text/vnd.viewcvs-markup][here]].
Troubleshooting
If you are getting an authorisation error when using WLCG commands, the cause can be one among many:
- your proxy certificate has expired;
- your personal certificate has expired;
- the certificate of your CA has expired;
- the Certificate Revocation List of your CA has expired;
- you have renewed your certificate but you are still using your OLD private key.
You are not supposed to be able to recognize the nature of the problem (apart from the first two cases, which are trivial), so in case you need help, send a ticket to the Global Grid User Support.
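The permission rule for $HOME/.globus and the locally checkable causes in the list above (expired personal certificate, old private key kept after a renewal) can be verified with the following shell functions. This is an added example, not part of the original page; the function names are hypothetical, and the last two functions assume the openssl command is installed.

```shell
#!/bin/sh
# Added example (not from the original page): local checks on a Grid
# credential directory. usercert.pem, userkey.pem and $HOME/.globus come
# from the page; the function names are hypothetical.

# Permission characters of a file as ls -l shows them, e.g. rw-r--r--
perm_string() { ls -ld "$1" | cut -c2-10; }

# Return 0 when the key is private and the certificate is not writable by
# group/others; print what to fix and return 1 otherwise.
check_globus_perms() {
    dir=${1:-$HOME/.globus}; rc=0
    for f in usercert.pem userkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
    case $(perm_string "$dir/userkey.pem") in
        ???------) ;;   # no access for group or others
        *) echo "userkey.pem is open to group/others: chmod 400 $dir/userkey.pem" >&2; rc=1 ;;
    esac
    case $(perm_string "$dir/usercert.pem") in
        ????-??-?) ;;   # no write bit for group or others
        *) echo "usercert.pem is writable by group/others: chmod 644 $dir/usercert.pem" >&2; rc=1 ;;
    esac
    return $rc
}

# Return 0 when the personal certificate has not expired.
check_cert_not_expired() {
    openssl x509 -in "${1:-$HOME/.globus}/usercert.pem" -noout -checkend 0 >/dev/null
}

# Return 0 when userkey.pem is the private key for usercert.pem, 1 when it
# is not (for example an old key kept after a renewal), 2 when openssl fails.
# A passphrase-protected key makes openssl prompt for the passphrase.
check_key_matches_cert() {
    dir=${1:-$HOME/.globus}
    cert_pub=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$dir/userkey.pem" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}
```

Source the file and call each function with no argument to check $HOME/.globus, or pass another directory as the first argument.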
If there is any problem with your data in the CERN HR database, go to this page.
For problems, contact the CMS User Support.