TeraGrid resources primarily use certificate-based authentication. These X.509 certificates work much like the certificates behind SSL/TLS and credit card transactions on the internet. In this case, however, you must present a certificate as proof that you are who you claim to be. These user certificates are issued and signed by trusted Certificate Authorities (CAs). Not all CAs are trusted by TeraGrid sites.
You should receive instructions on obtaining an NCSA certificate with your introductory TeraGrid packet. Purdue affiliates may also obtain a Purdue certificate.
It is fairly easy to obtain an NCSA user certificate, so you may wish to start by getting one of those and using it to log in to systems in the future.
bash-3.00$ ncsa-cert-request
bash-3.00$ grid-cert-info -subject
bash-3.00$ grid-cert-info -enddate
If you do not wish to obtain an NCSA user certificate, it is possible to use a user certificate from any TeraGrid-trusted Certificate Authority. To do so, place those certificate files in your ".globus" directory. Read the "File Transfer" section of the user guide for information on how to transfer your certificate (and other files) between sites.
You should confirm your certificate is approved by locating your user certificate's Distinguished Name (DN) in the gridmap file.
First, to extract your DN from your user certificate:
bash-3.00$ grid-cert-info -subject
Then search for this DN in the gridmap file:
bash-3.00$ grep -F "<your_DN>" /etc/grid-security/grid-mapfile
If you are not in the gridmap file, you may use "gx-request" on many of the sites to request your DN be added. See here for a list. If gx-request is not supported on a system, you will have to email your DN to the TeraGrid HelpDesk.
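The gridmap check above as an exact-match lookup, since a DN contains spaces and a plain substring search also matches any longer DN that starts the same way. This is an added example, not part of the original guide; the function name gridmap_lookup is hypothetical, the entry format "DN" account[,account...] is assumed, and the sample DNs are constructed.

```shell
#!/bin/sh
# gridmap_lookup DN FILE
# Prints the local account(s) mapped to exactly this DN; exit status 1 if absent.
# Assumed entry format:  "<DN>" <account>[,<account>...]   ('#' starts a comment)
gridmap_lookup() {
    LOOKUP_DN=$1 awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        match($0, /^[ \t]*"[^"]*"/) {             # leading quoted DN
            dn = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]*"/, "", dn); sub(/"$/, "", dn)
            accounts = substr($0, RSTART + RLENGTH)
            gsub(/[ \t]/, "", accounts)
            # Whole-string comparison, not a substring or regex match.
            if (dn == ENVIRON["LOOKUP_DN"]) { print accounts; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$2"
}

# Constructed sample file (not real TeraGrid entries).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed grid-mapfile
"/C=US/O=Example Grid/CN=Pat Smith" psmith
"/C=US/O=Example Grid/CN=Pat Smith 2" psmith2,tgproj
EOF

# Exact DN: only the first entry matches, even though it is a prefix of the second.
gridmap_lookup "/C=US/O=Example Grid/CN=Pat Smith" "$sample"      # psmith

# Partial DN: grep would print both lines, the exact lookup reports no mapping.
gridmap_lookup "/C=US/O=Example Grid/CN=Pat" "$sample" || echo "not mapped"

rm -f "$sample"

# On a TeraGrid system the call would be:
#   gridmap_lookup "$(grid-cert-info -subject)" /etc/grid-security/grid-mapfile
```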
Proxy Certificates are temporary authentication credentials issued based on your user certificate. These proxy certificates may be used to authenticate to various TeraGrid resources in lieu of your user certificate. This is generally safer than using your actual certificate, as these proxy certificates are only good for a matter of hours, so should one fall into the wrong hands, it would be of limited impact.
There are two ways of obtaining a proxy certificate. One is to derive a proxy certificate from your existing user certificate in your .globus directory, as explained above. However, you may also obtain a proxy certificate without a local user certificate. This is possible using the automatic NCSA user certificate created for all TeraGrid users, and the TeraGrid MyProxy server. Either method may be used. You may already have a local user certificate, or you may find it easier to directly obtain proxy certificates whenever you need them from the TeraGrid MyProxy server.
Either method's proxy certificates may be used to run jobs at TeraGrid sites or login via gsissh, as described elsewhere.
If you have a local user certificate in place in your ".globus" directory, you may derive a proxy certificate from this by running "grid-proxy-init":
bash-3.00$ grid-proxy-init
Enter pass phrase: <user_certificate_passphrase>
A proxy has been received for user username in /tmp/x509up_u#####
By default, the proxy certificate is valid for 12 hours. If you wish to have it remain valid longer, this can be done using the "-valid" option:
bash-3.00$ grid-proxy-init -valid <hh:mm>
When your TeraGrid account was created, a user certificate and Distinguished Name (DN) were created on your behalf by the NCSA Certificate Authority (CA). This DN is stored in your profile in the TeraGrid account database and automatically propagated to all TeraGrid sites. A proxy certificate derived from this can be retrieved from the TeraGrid MyProxy certificate repository (myproxy.teragrid.org) while on any TeraGrid resource by using the command "myproxy-get-delegation", supplying your TeraGrid Portal user name with the "-l" option, and your TeraGrid Portal password as the MyProxy passphrase:
bash-3.00$ myproxy-get-delegation -l <portal_username> -s myproxy.teragrid.org
Enter MyProxy pass phrase: <portal_password>
A proxy has been received for user username in /tmp/x509up_u#####
By default, the proxy certificate is valid for 12 hours. If you wish to have it remain valid longer, this can be done using the "-t" option:
bash-3.00$ myproxy-get-delegation -t <hh:mm>
You can verify the status of your current proxy certificate at any time by running "grid-proxy-info":
bash-3.00$ grid-proxy-info
You may delete your current proxy certificate at any time by running "grid-proxy-destroy":
bash-3.00$ grid-proxy-destroy
If you are a Purdue affiliate and physically on campus, you may obtain a user certificate from the Purdue Certificate Authority. This is not necessary, as you only need a certificate from any one of the TeraGrid sites, and you can generate one yourself at NCSA once you have received your initial TeraGrid account as described above.
To get a Purdue user certificate, contact ca-admin. You will then be contacted with further information. You will be asked to show up in person and show an ID. You should also bring a USB drive or disc to which they can copy your certificate.
Copy the certificate files to the ".globus" directory in your home directory (create this directory if it does not exist):
bash-3.00$ mkdir -p ~/.globus
bash-3.00$ cp userkey.pem ~/.globus
bash-3.00$ cp usercert.pem ~/.globus
Important: Be sure your certificate has a passphrase! To change or add a passphrase:
bash-3.00$ grid-change-pass-phrase
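One way to confirm that the copied key really is passphrase-protected and private to your account, as an added example that is not part of the original guide. The function name check_userkey is hypothetical and the sample files are constructed PEM framing with no real key material; on a real account you would run check_userkey ~/.globus/userkey.pem.

```shell
#!/bin/sh
# check_userkey FILE
# Returns 0 only if the PEM private key is passphrase-protected and
# inaccessible to group/other; prints one line per finding.
check_userkey() {
    key=$1
    rc=0
    [ -f "$key" ] || { echo "MISSING: $key"; return 2; }

    # Encrypted traditional PEM keys carry a "Proc-Type: 4,ENCRYPTED" header;
    # encrypted PKCS#8 keys use their own BEGIN line.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo "OK: passphrase-protected"
    else
        echo "FAIL: no passphrase, run grid-change-pass-phrase"
        rc=1
    fi

    # Characters 5-10 of the ls -l mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" = "------" ]; then
        echo "OK: private to owner"
    else
        echo "FAIL: group/other access, run chmod 600"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files: PEM framing only, no real key material.
demo=$(mktemp -d)
cat > "$demo/protected.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0000000000000000

(constructed placeholder body)
-----END RSA PRIVATE KEY-----
EOF
cat > "$demo/bare.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder body)
-----END RSA PRIVATE KEY-----
EOF
chmod 600 "$demo/protected.pem"
chmod 644 "$demo/bare.pem"

check_userkey "$demo/protected.pem"
check_userkey "$demo/bare.pem" || echo "bare.pem needs fixing (status $?)"
rm -rf "$demo"
```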
After using ssh to log on to a TeraGrid resource, you can use myproxy-logon -l <username> to get a proxy. You can then run grid-proxy-info to get information about the proxy, or gsissh to any other TeraGrid resource on which you have an account, without using login/password. The <username> and password should be the ones you use for the TeraGrid portal.
Example. Running myproxy-logon from tg-login.purdue.teragrid.edu:
-bash-3.00$ myproxy-logon -l user123
Enter MyProxy pass phrase:
A credential has been received for user user123 in /tmp/x509up_u13185.
You can now examine the proxy with grid-proxy-info.
You can also log on to other TeraGrid resources where you have an account. In this case, tg-login.sdsc.teragrid.org:
-bash-3.00$ gsissh tg-login.sdsc.teragrid.org
Welcome to the TeraGrid Itanium2 Linux Cluster
San Diego Supercomputer Center
---
This system may be used by authorized persons only. Unauthorized
individuals' activity may be monitored and/or recorded by administrative
personnel. In the course of such monitoring or system maintenance, the
activities of authorized users may also be monitored. Use of this system
expressly implies consent to such monitoring and is advised that evidence
of criminal activity may be provided to law enforcement officials.
---
Email help@teragrid.org for assistance.
Check http://clumon.sdsc.edu for cluster status.
Please visit http://news.teragrid.org and add your email address under
"Manage Subscriptions" to receive email updates about the status of the system.
Please use the parallel filesystem /gpfs for output from batch jobs,
not your home directory.
*** NOTICE ***
The /gpfs filesystem is being regularly purged. Any files older than 4 days
not associated with a queued or active batch job may be purged. Please be
sure to back up your data to a long-term archive.
***
************************************************************************
* The IA-64 cluster now offer user settable reservations. *
* Users can reserve time on the systems using the SDSC portal at: *
* *
* https://portal.sdsc.edu *
* *
* Reservations are currently allowed on Tuesday-Friday of each week *
* and may be made between 10 minutes and 4 weeks in advance. *
************************************************************************
If you have questions, send them to SDSC consultants - send email to
help@teragrid.org or use the webpage at: www.sdsc.edu/user_services/consulting .
Directory: /users/user123
Tue Apr 21 08:51:42 PDT 2009
tg-login1 /users/user123>
It is now possible to use Single Sign-On (SSO) directly from your desktop/laptop. TeraGrid provides detailed instructions on Single Sign-On for Mac OSX, Linux, and Windows. You will need a user certificate. If you have an NCSA certificate (see above), your certificate will already be registered for you to log in via Single Sign-On.
Install Single Sign-On software: