DPE
LHC Grid
VO
MOP
MCPS

Obtain and Use the Fermilab KCA certificate on the USCMS Grid Testbed

To access Fermilab computing resources for general grid computing, one must register with Fermilab and obtain the appropriate proxy credentials. For first time users, the steps below will walk you through the process. Proxy credentials are generated using the kx509 client (a product of the Univ. of Michigan and part of the NSF Middleware Initiative).

Synopsis of steps:

1. Register with Fermilab
   • Get your Fermilab VID
   • Get your Kerberos Principal
2. Install the Fermilab KCA certificate and signing_policy;
3. Install the KCA client software;

1. Register with Fermilab

   Eventually, this step will be automated when one registers with CMS. For now, it is manual. The detailed steps can be found here . It usually takes several days to get your principal and password. Note: If you have already have your Fermilab Kerberos principal, you may go directly to Step 2.

2. Install the Fermilab KCA certificate and signing_policy

   You may download them from this web site:
   http://computing.fnal.gov/security/pki/
   
   You need to put these two files:
   
   e1fce4e9.0
   e1fce4e9.signing_policy
   
   under /etc/grid-security/certificates directory after downloading them.
   
   To do this requires root access. So, if you can not do it yourself, please ask your system administrator to do it and ask him/her to change the file mode to 644.
   
   

3. Install the client program

   The software package you will download is for use on Linux 2.4.x machines. It is based on the package of FNAL-Kerberos (1.7.1) and kx509 client side programs compiled by the people at Fermilab. It also contains a script for easy utilization. It is pre-configured for usage with the Fermilab KCA server. The following is the steps you have to follow:
   

   • Client software can be downloaded from this web site:
     http://www.uscms.org/s&c/VO/doc/kx509_client_forCMS.tgz
     
   • Untar the software into your favority directory
   • Go inside the bin directory and test to run:
     
        ./kca-proxy-init
     
      If you want more options, please try to run:
     
          ./kca-proxy-init -h
     
     Or, you may want to setup the KCA_PROXY_PATH to the directory where you have untar-ed the tarball. And then you may issue a command from any directory:
     $KCA_PROXY_PATH/bin/kca-proxy-init [principal]
     
     The software has been tested to work under Redhat Linux 7.1 and 7.3. If there is no error message, go to next step. If you find any problems with the software or need other versions, please e-mail yujun@fnal.gov.
     
     
   • Check the generated X.509 proxy using the grid command:
     
       grid-proxy-info
     
     
   • Add your DN subject to the grid-mapfile
     E-mail this information to the system administrator where you want to run the grid jobs and ask them to add your dn subject to the grid-mapfile. For testing purposes, you may e-mail yujun@fnal.gov and he will put you in the grid-mapfile on a machine called: yamashita.fnal.gov, for the temporary test.
   
   

4. Do a test run

   Once your KCA subject has been added to the grid-map file and you installed the Fermilab KCA certificate and signing_policy, you are ready to go. You may use the regular grid command to do the things regularly:
   
   >globus-job-run <contact> /bin/echo "Hello World!"
   
   If you meet any error at this stage, try to figure out if the error is caused by the GLOBUS or KCA. If it is KCA related, you may e-mail: nightwatch@fnal.gov or you may e-mail yujun@fnal.gov who is the contact point for USCMS users. Good Luck!
   
   

This package is free to use and distributed. However, it contains copy-righted material and DISCLAIMER OF LIABILITY. You may want to read the README file from the FNAL-Kerberos-clientonly package for details.

Security, Privacy, Legal
Webmaster