Grid Certificate and VO Membership

Last update: 14 Nov 2022 [History] [Edit]

It is important that your grid certificate is working for your analysis; you may also be unable to fully participate in some sections of hands-on exercises which require a valid grid proxy.

If you do not have a grid certificate, you may be able to easily obtain one from https://ca.cern.ch/ca/; you will then need to apply for VO membership. The organisers may be able to expedite this for you. Please note that you will need to obtain and use a new certificate from the CERN Certificate Authority for each new machine you wish to certify.

ATLAS Virtual Organisation (VO) Membership

Hopefully you have already started this process following instructions from your institute, this can sometimes take time.

Register for the ATLAS VO

  • Browse to the VOMS area - https://lcg-voms2.cern.ch:8443/voms/atlas/user/home.action. Note that your personal certificate DN and Certificate Authority are noted on the registration page. If they are not, then you will need to install your certificate into your browser before proceeding.
  • Complete all text fields; all are required:
    • Given (first) name
    • Family (last) name
    • Institution
    • Phone number (at your institution)
    • Address (at your institution)
    • Email address (this address must match your primary email address as registered with your CERN user account)
  • Read The VO AUP agreement, and click the check box to acknowledge and agree to the policy terms.
  • Click Submit.
  • You will be presented with a “Confirmation Required” page, which refers to an email you will receive, including a link to confirm your registration request (or to cancel your request if it was made in error). This link will remain valid for a one-week activation period. Please use this confirmation link before the expiration date, or your registration application will be discarded automatically.
  • Following the confirmation link should result in a page that confirms your VO membership request, and informs you that a VO administrator will handle your request as soon as possible.
  • You will receive an other confirmation email when your request has been confirmed.
  • If you receive an error message that your email address is not registered at CERN, you may need to wait a day or two after your registration has been confirmed so that your information can be completely processed.

Using the Grid Certificate

In order to access data, submit your analysis jobs to the Grid, and access some restricted web pages, you will need to

  • have a Grid certificate,
  • be registered with the Atlas VO,
    • at a minimum, you must apply for the following roles: /atlas and /atlas/<your country code> (for example, your country code can be ca for Canada.)
    • your nickname must be the same as your lxplus username
    • visit https://lcg-voms2.cern.ch:8443/voms/atlas/user/home.action to view your VO memberships
  • have the certificate installed
    • in both a web browser (recommend firefox) and
    • in the ~/.globus directory of every machine you use. The ~/.globus/userkey.pem and ~/.globus/usercert.pem files must exist at the end of these instructions.

If your certificate is in your browser, you need to export (backup) the certificate: (Depending on OS and browser this may be ) for Firefox: Preferences (or Tools) → Advanced → Encryption → View Certificates → Your Certificates → Backup Use scp (or similar) to copy this file across to your lxplus account (e.g. scp cert.p12 username@lxplus.cern.ch:. ). You need to convert your certificate (here assumed to be called mycert.pfx into the correct form using:

> openssl pkcs12 -in mycert.pfx -clcerts -nokeys -out usercert.pem
> openssl pkcs12 -in mycert.pfx -nocerts -out userkey.pem
> chmod 400 userkey.pem
> chmod 444 usercert.pem

(Word of advice: When executing openssl pkcs12 -in mycert.pfx -nocerts -out userkey.pem you must enter a PEM pass phrase or it could lead to problems.)

Move these two files (userkey.pem and usercert.pem) to the .globus directory (If you haven’t got one then mkdir ~/.globus). You probably need to remember two passwords, one for the original certificate and one for the converted one.

lsetup rucio
voms-proxy-init --voms atlas

Then do:

voms-proxy-info -all

and you should see something as follows:

...
attribute : nickname = aparker (atlas)
...

The new (as of March 2015) web page for accessing VOMS information is https://voms2.cern.ch:8443/voms/atlas. Ask, if you have questions on this.

If you have the grid certificate in the .globus directory in the pem (two file) format, but need to import it back into the browser, then you should find the two .pem files (in the .globus directory) and type this command:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out gridCert.p12

This certificate gridCert.p12 should be copied across to your laptop and imported into the browser (e.g Preferences (or Tools) → Advanced → Encryption → View Certificates → Your Certificates → Import ).

Alternative instructions to do this - see these pages for your cloud:

After your registration with LCG for the Atlas VO has been approved and also your voms roles approved, you can then check that everything is working by doing

# NOTE: This should be done on lxplus, not your local computer
setupATLAS
diagnostics
gridCert

and follow the instructions regarding protections.

All tests must pass as described at the end of the gridCert command. It is not vital this passes to participate in the ATLAS tutorials but it is strongly recommended you have this set up properly.