It is important that your grid certificate is working for your analysis; you may also be unable to fully participate in some sections of hands-on exercises which require a valid grid proxy.
If you do not have a grid certificate, you may be able to easily obtain one from https://ca.cern.ch/ca/; you will then need to apply for VO membership. The organisers may be able to expedite this for you. Please note that you will need to obtain and use a new certificate from the CERN Certificate Authority for each new machine you wish to certify.
Hopefully you have already started this process following instructions from your institute, this can sometimes take time.
Register for the ATLAS VO
https://lcg-voms2.cern.ch:8443/voms/atlas/user/home.action
.
Note that your personal certificate DN and Certificate Authority are noted on the registration page. If they are not, then you will need to install your certificate into your browser before proceeding.In order to access data, submit your analysis jobs to the Grid, and access some restricted web pages, you will need to
/atlas
and /atlas/<your country code>
(for example, your country code can be ca for Canada.)https://lcg-voms2.cern.ch:8443/voms/atlas/user/home.action
to view your VO memberships~/.globus
directory of every machine you use. The ~/.globus/userkey.pem
and ~/.globus/usercert.pem
files must exist at the end of these instructions.If your certificate is in your browser, you need to export (backup) the certificate: (Depending on OS and browser this may be ) for Firefox: Preferences (or Tools) → Advanced → Encryption → View Certificates → Your Certificates → Backup
Use scp
(or similar) to copy this file across to your lxplus account
(e.g. scp cert.p12 username@lxplus.cern.ch:.
).
You need to convert your certificate (here assumed to be called mycert.pfx
into the correct form using:
> openssl pkcs12 -in mycert.pfx -clcerts -nokeys -out usercert.pem
> openssl pkcs12 -in mycert.pfx -nocerts -out userkey.pem
> chmod 400 userkey.pem
> chmod 444 usercert.pem
(Word of advice: When executing openssl pkcs12 -in mycert.pfx -nocerts -out userkey.pem
you must enter a PEM pass phrase or it could lead to problems.)
Move these two files (userkey.pem and usercert.pem) to the .globus
directory (If you haven’t got one then mkdir ~/.globus
). You probably need to remember two passwords, one for the original certificate and one for the converted one.
lsetup rucio
voms-proxy-init --voms atlas
Then do:
voms-proxy-info -all
and you should see something as follows:
...
attribute : nickname = aparker (atlas)
...
The new (as of March 2015) web page for accessing VOMS information is https://voms2.cern.ch:8443/voms/atlas
. Ask, if you have questions on this.
If you have the grid certificate in the .globus
directory in the pem
(two file) format, but need to import it back into the browser, then you should find the two .pem
files (in the .globus
directory) and type this command:
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out gridCert.p12
This certificate gridCert.p12
should be copied across to your laptop and imported into the browser (e.g Preferences (or Tools) → Advanced → Encryption → View Certificates → Your Certificates → Import ).
Alternative instructions to do this - see these pages for your cloud:
After your registration with LCG for the Atlas VO has been approved and also your voms roles approved, you can then check that everything is working by doing
# NOTE: This should be done on lxplus, not your local computer
setupATLAS
diagnostics
gridCert
and follow the instructions regarding protections.
All tests must pass as described at the end of the gridCert
command. It is not vital this passes to participate in the ATLAS tutorials but it is strongly recommended you have this set up properly.