
Data and Computing Facility Operations

How to use SRM on the UAF

Introduction
Prerequisites
Prepare your UAF account to use srmcp
Transferring a file
Monitoring SRM
Getting Help

Introduction
SRM (Storage Resource Management) is a grid service available on the UAF. The srmcp command allows file transfers between sites and mass storage systems. Here we show examples of transferring files from CASTOR at CERN to Fermilab. Since it is a grid service, there are two prerequisites:

Prerequisites
The whole procedure will probably take a few days, but you might want to start using other CMS grid services like CRAB to do analysis on the grid and to access available data sets, e.g. from the Computing, Software and Analysis challenge: CSA06. So let's get on the GRID.

First you need to get a valid grid credential (a.k.a. certificate). This can be obtained from the following site: http://www.doegrids.org/

Once you have your certificate and have imported it into your browser, you can register with the VO (Virtual Organization): https://lcg-voms.cern.ch:8443/vo/cms/vomrs

Prepare your UAF account to use srmcp
First export the certificate from the exact browser you used when applying for the certificate. E.g. in Firefox the sequence is:

edit -> preferences -> advanced -> certificates -> manage certificates -> select the DOE certificate -> backup

select a name, e.g. YourCert.p12
select a passphrase

You should now have the file YourCert.p12 that you can copy to the UAF.

Now log into the UAF and set up the globus user environment:
source /opt/globus/etc/globus-user-env.csh
Besides setting all the environment variables, this should also create the $HOME/.globus directory. Copy YourCert.p12 into this directory.

The file now has to be converted into PEM format. Run the following commands from the directory that holds YourCert.p12. To get the certificate:
openssl pkcs12 -in YourCert.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
To get the encrypted private key:
openssl pkcs12 -in YourCert.p12 -nocerts -out $HOME/.globus/userkey.pem
For more details have a look at the following web site:
http://www.grid-support.ac.uk/content/view/63/55/

Now we are ready to try the certification proxy initialization using the grid-proxy-init command. If everything is OK and you enter the correct passphrase, the output looks like this:

/opt/globus/bin/grid-proxy-init -valid 30:00

Your identity: /DC=org/DC=doegrids/OU=People/CN=Hans Wenzel 869603
Enter GRID pass phrase for this identity:
Creating proxy .............................. Done
Your proxy is valid until: Tue Oct 31 17:32:46 2006

Certification proxy initialization may fail for several reasons. When you copy your .pem files into ~/.globus/, verify that the file protections are as follows:

ls -l .globus
-rw-r--r--    1 wenzel   us_cms       1711 Oct 26 10:37 usercert.pem
-r--------    1  wenzel   us_cms       1910 Oct 26 10:39 userkey.pem

Note that userkey.pem must be readable only by the user that owns the file.
If either userkey.pem permissions are bad or your passphrase is wrong, you will get the following error message:

/opt/globus/bin/grid-proxy-init -valid 30:00

Your identity: /C=IT/O=ANY/OU=Personal Certificate/L=BBB/CN=Mm Lz/Email=M.@site
Enter GRID pass phrase for this identity:
ERROR: Couldn't read user key. This is likely caused by
either giving the wrong passphrase or bad file permissions
key file location: /home/lz/.globus/userkey.pem
Use -debug for further information.

More detailed information is given by the -debug option. You may use the debug option as default with the proxy commands. The printed information is brief and it is more or less meaningful depending on the failure reason. One situation in which the -debug option is very useful is when your proxy is missing or expired as shown below:

/opt/globus/bin/grid-proxy-info -debug

ERROR: Couldn't find a valid proxy.
grid_proxy_info.c:334:
globus_gsi_system_config.c:4538: globus_gsi_sysconfig_get_proxy_filename_unix:
Could not find a valid proxy certificate file location:
A file location for the proxy cert could not be found in:
1) env. var. X509_USER_PROXY=NULL
2) /tmp/x509up_u10009
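
The permission requirements described above can be checked before running grid-proxy-init. The following is an added example, not part of the original page: a POSIX shell function that audits userkey.pem, usercert.pem and any .p12 export left in the .globus directory. The function names and the rule that a .p12 file is treated like the private key are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the credential files in a .globus directory against
# the `ls -l .globus` listing shown on this page.

# Print the group/other permission characters (e.g. "r--r--") of a file,
# cut from the same mode string that `ls -l` displays.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_globus_perms [DIR]   (DIR defaults to $HOME/.globus)
# Prints one line per finding; returns 0 if everything is fine, 1 otherwise.
check_globus_perms() {
    dir=${1:-$HOME/.globus}
    bad=0
    key=$dir/userkey.pem
    cert=$dir/usercert.pem

    if [ ! -f "$key" ]; then
        echo "MISSING $key"; bad=1
    elif [ "$(group_other_bits "$key")" != "------" ]; then
        # The private key must be accessible only by its owner.
        echo "UNSAFE  $key (fix: chmod 400)"; bad=1
    fi

    if [ ! -f "$cert" ]; then
        echo "MISSING $cert"; bad=1
    else
        # The certificate is public, but nobody else may modify it.
        case $(group_other_bits "$cert") in
            ?w*|????w*) echo "UNSAFE  $cert (fix: chmod 644)"; bad=1 ;;
        esac
    fi

    # Assumption of this example: a PKCS#12 export also holds the private
    # key, so it gets the same protection as userkey.pem.
    for p12 in "$dir"/*.p12; do
        [ -f "$p12" ] || continue
        if [ "$(group_other_bits "$p12")" != "------" ]; then
            echo "UNSAFE  $p12 (fix: chmod 400, or remove after conversion)"; bad=1
        fi
    done
    return $bad
}
```

Call check_globus_perms with no argument to audit $HOME/.globus, for instance right after the two openssl conversion commands, since the files they write get whatever permissions your umask allows.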

Transferring a file
At this point we should be ready to try to transfer a file. In the example below I am copying a file from my area in CASTOR at CERN to a local disk area on the UAF. Using the -debug option you will receive very detailed information about what is happening, and in case things are failing it should explain why. The printed information is more or less meaningful depending on the failure reason.

export PATH=/usr/java/jdk1.5.0_10/bin/:$PATH
srmcp -debug=true -2 "srm://cms-srm.cern.ch:8443/srm/managerv2?SFN=/castor/cern.ch/user/w/wenzel/hsimple.root" file:////uscmst1b_scratch/lpc1/wenzel/hsimple.root

srmcp -debug=true "srm://cmssrm.fnal.gov:8443/srm/managerv2?SFN=/4/test/TESTFILE" file:////uscmst1b_scratch/lpc1/3DayLifetime/yujun/TESTFILE

One can also copy directly between CASTOR SRM (and other SRM servers) and FNAL dCache. For example, to copy to your local area in dCache, which is mounted as /pnfs/cms/WAX/2/wenzel on the UAF, issue the following command:

srmcp -debug=true -2 "srm://cms-srm.cern.ch:8443/srm/managerv2?SFN=/castor/cern.ch/user/w/wenzel/hsimple.root" "srm://cmssrm.fnal.gov:8443/srm/managerv2?SFN=/2/wenzel/hsimple.root"

Some users may be confused about how many slashes (/) to put in the SURL. The easiest way to think about this, as suggested by Jon, is: "a / is a separator and part of the file path, and if in doubt add a / because the dCache will gladly ignore multiple slashes (like unix), but it will never add one for you. For example file:////dev/null looks ridiculous, but if you divide it up:

     file:// <implied localhost.localdomain>/ /dev/null

and if you don't add the localhost, you get 4 slashes in a row."

If the pnfs path of your resilient file is, for example:
/pnfs/cms/WAX/resilient/gerbaudo/mc-hcal-120_Ieta1-29_Iphi1-2_E005.root
you srmcp that as
srmcp srm://cmssrm.fnal.gov:8443/resilient/gerbaudo/mc-hcal-120_Ieta1-29_Iphi1-2_E005.root file:///test.root

Monitoring SRM

http://cmssrv33.fnal.gov:8080/srmwatch/

Getting Help

The SRM client package provider is, at the moment, osg-int@opensciencegrid.or

or, if you think the problem is on the Fermilab side, contact the helpdesk (helpdesk@fnal.gov) or the T1 team (cms-t1@fnal.gov).

Last modified: October 30, 2006 by Hans Wenzel

Last modified: Thursday, 17-Jul-2008 13:35:42 CDT