In order to access data, submit your analysis jobs to the Grid, and access some restricted web pages, you will need to:
~/.globus directory of every machine you use. The
~/.globus/usercert.pem files must exist at the end of these instructions.
Most of these steps were already covered in the previous sections. We will now cover installing your grid certificate on your computer for use with the Grid.
If your certificate is in your browser, you need to export (backup) the certificate. The procedure for this depends on your OS and your browser. As an example, if you are using Firefox, the procedure is:
Preferences (or Tools) → Advanced → Encryption → View Certificates → Your Certificates → Backup
Export the certificate as myCert.p12 (or something similar).
If you are using MacOS, you may need to do this in Keychain.
More details can be found here.
Make sure you have a directory called .globus in your home directory on lxplus or whichever remote machine you are using.
.globus is a hidden directory because it begins with a period and therefore normally isn’t listed when you call the ls command. To see hidden files and directories, add the
.globus does not exist in your home directory, create it
scp (or similar) to copy myCert.p12 from your personal computer to your .globus directory on lxplus:
scp myCert.p12 <username>@lxplus.cern.ch:~/.globus/.
After you have copied it to lxplus, log into lxplus for the remaining steps.
First, remove any old .pem files in your
rm ~/.globus/userkey.pem
rm ~/.globus/usercert.pem
Next, check the permissions of myCert.p12. They should be preserved when copying to lxplus, but this may not be the case on other remote machines. To be safe, you can set the correct permissions using:
chmod 400 ~/.globus/myCert.p12
Then create new .pem files from
cd ~/.globus
openssl pkcs12 -nocerts -in ./myCert.p12 -out ./userkey.pem
openssl pkcs12 -clcerts -nokeys -in ./myCert.p12 -out ./usercert_noText.pem
openssl x509 -in ./usercert_noText.pem -text > ./usercert.pem
rm ./usercert_noText.pem
chmod 444 ./usercert.pem
chmod 400 ./userkey.pem
Note that you need to use the file names
usercert.pem exactly for this to work.
openssl pkcs12 -nocerts -in ./myCert.p12 -out ./userkey.pem, you must enter a PEM pass phrase or it could lead to problems. Make sure to remember this pass phrase in addition to the one you used for the original certificate. These can be the same pass phrase.
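The shell function below is an added example, not part of the original tutorial or of any ATLAS tool. It audits a .globus directory against the steps above: the exact file names, the 400/444 modes, a pass-phrase-protected key, and owner-read-only .p12 files. The function names and the sample directory are constructed for illustration.

```shell
# Print octal permission bits (GNU stat on Linux, BSD stat on macOS).
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_globus_dir DIR: print one line per finding; exit status = number of problems.
check_globus_dir() {
    dir=$1; problems=0
    # Exact file names, and the modes set by the chmod commands in the procedure.
    for spec in userkey.pem:400 usercert.pem:444; do
        name=${spec%%:*}; want=${spec##*:}
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; problems=$((problems + 1)); continue
        fi
        have=$(perm_of "$dir/$name")
        if [ "$have" != "$want" ]; then
            echo "PERMS    $name is $have, expected $want"; problems=$((problems + 1))
        fi
    done
    # A key saved with a PEM pass phrase carries ENCRYPTED in its PEM header
    # (PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
    if [ -f "$dir/userkey.pem" ] && ! grep -Eq \
        '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$dir/userkey.pem"
    then
        echo "NOPASS   userkey.pem has no pass phrase"; problems=$((problems + 1))
    fi
    # Any .p12 bundle left here also contains the private key: mode 400.
    for p12 in "$dir"/*.p12; do
        [ -f "$p12" ] || continue
        have=$(perm_of "$p12")
        if [ "$have" != 400 ]; then
            echo "PERMS    ${p12##*/} is $have, expected 400"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK       $dir"
    return "$problems"
}

# Constructed sample directory: placeholder contents, not real credentials.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' '(placeholder)' > "$d/userkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(placeholder)' > "$d/usercert.pem"
    chmod 400 "$d/userkey.pem"; chmod 444 "$d/usercert.pem"
    echo "$d"
}

sample=$(make_sample)
check_globus_dir "$sample" || true
rm -rf "$sample"
```

To audit a real setup, call check_globus_dir ~/.globus on the remote machine after the conversion steps.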
You will need to request and install a new certificate annually, and it is useful to keep previous certificates in case you have any issues with your newest one. One way to do this is to keep year directories within .globus and copy your new .pem files to the corresponding year. Make sure to keep a copy of your latest version directly in
Repeat this procedure on any other remote machines you wish to work on, or you can copy your .globus directory from lxplus to your home directory on other remote machines. Do not copy it from another remote machine onto lxplus.
From your remote machine, make sure ~/.globus exists and then use the following commands:
cd ~
scp -r <username>@lxplus.cern.ch:~/.globus/ ./
After your registration with LCG for the ATLAS VO and your VOMS roles have been approved, you can check that everything is working by running:
# NOTE: This should be done on lxplus, not your local computer
setupATLAS
diagnostics
gridCert
and follow the instructions regarding protections.
All tests must pass as described at the end of the
It may take up to 6 hours for the IAM authentication server to sync, so you may see something like “2/4 OK for voms authentication”. Try again later; it must pass within 24 hours, otherwise your setup is not complete.
It may take an hour or so for your grid credentials to propagate to rucio. If you have set everything up correctly but are unable to use rucio, try again in an hour or two.
If any problems arise when running gridCert, send the complete file that is produced to the experts. This will make it much easier for them to help you quickly resolve the problem(s).