CERN grid computing on the Tier3

This page will show you how to request a CERN grid certificate, join the ATLAS Virtual Organization (VO), export and install your CERN grid certificate, and set up your local work area on the Tier3. You must be registered with CERN human resources before following these instructions. To see if you are registered, visit and search for your name in the search box. If you are registered, you should see yourself under "participants".

1. Requesting a certificate

The first step to acquiring access to the ATLAS grid resources is obtaining a grid certificate. This certificate will be used to register with the ATLAS VO and will later allow you to access the grid. Navigate to the CERN certification authority page Under the heading "Grid User certificates" click on the link for New Grid User certificate and choose a passphrase (not your CERN password). Follow the instructions to install the certificate in your browser.

tip You can check first to make sure you are eligible for a grid certificate by clicking on the Check account eligibility for Grid user certificate link under "Grid User certificates"

2. Registering with the ATLAS VO

Complete this step in the same browser where you installed your certificate. On most (if not all) browsers, the CERN Grid Certification Authority is not trusted by default. To trust the CERN Grid CA, you must install the appropriate certificates. Instructions can be found on the CERN Certification Authorities Files and Documents webpage under the CERN Grid CA Certificates tab. If these are not installed, you will need to add an exception to your browser security settings the first time you visit the ATLAS VOMS (Virtual Organization Management Service) webpage.

Visit the ATLAS VOMS server and fill in the required fields:
  • Given name (including any middle name)
  • Family name
  • Institution
  • Address (at your institution)
  • Phone (at your institution)
  • Email (must match the primary email address associated with your CERN account)
Some of these fields may be filled out from the information given in your certificate. Read the VO Acceptable Use Policy and accept the terms, then click Submit. An email will be sent to you with a link that will allow you to confirm your registration request. After following this link, you will get a message that says an administrator is working on it. Once your request has been approved (usually within a day) you will receive a confirmation email.

3. Converting your certificate for use on the Tier3

Your grid certificate is installed in your browser as a single file in the PKCS #12 (Public-Key Cryptography Standards #12) format and has a .p12 file extension. This file contains both the public certificate and the private key. To use your grid certificate on the Tier3 (and other systems) you will need to put the certificate and the private key in separate PEM (Privacy Enhanced Mail) files.

3a. Export your certificate

First, you will need to export your certificate from your browser.
  • In the Chrome browser:
Go to Settings --> click Show advanced settings... --> under HTTPS/SSL click Manage certificates... In the pop-up window go to the tab labeled Your Certificates, choose your certificate and click Export... You will be asked to create a password to encrypt the certificate.
  • In Firefox:
Go to Options --> click Advanced --> click Certificates --> click View Certificates. In the tab labeled Your Certificates, choose your certificate and click Backup... You will be asked to create a password to encrypt the certificate.

3b. Convert your certificate to a key+cert pair

With the .p12 file in hand, open a terminal. You will need a directory in your home area called .globus (don't forget the '.'!). For the Tier3, this will be /home/<username>/.globus. In the directory with the .p12 file, enter the following command:
openssl pkcs12 -in <your-cert-file.p12> -clcerts -nokeys -out ~/.globus/usercert.pem
This will output the public client certificates without any keys in the .globus directory. You will be asked to enter the Import Password, which is the password you created when you exported the certificate from your browser. Next, enter
openssl pkcs12 -in <your-cert-file.p12> -nocerts -out ~/.globus/userkey.pem
This will output the private key without any certificates in the .globus directory. You will be asked to enter the Import Password again and will also be asked to create a new passphrase. This is the passphrase you will use each time you use your key+cert pair. Once this is complete, delete the .p12 file for security. To protect the private key file, change the permissions so that only you have read and write access. This can be done with the following command:
chmod 600 ~/.globus/userkey.pem

tip You can import your grid certificate to any browser without requesting a new certificate by first exporting it following the above instructions and then importing the .p12 file into the new browser. If you only have access to the .pem key+cert pair, you can create the .p12 file by running the following commands in the directory with the .pem files:
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out <your-cert-file.p12> -name "<a descriptive name for your certificate>"
chmod 600 <your-cert-file.p12>

4. Setting up a grid environment

Using the ATLAS grid resources requires setting up a work area with the proper environment variables set and getting a VOMS proxy. On the Tier3, there are only a few things that are required. First, make sure that the lines below are somewhere in your .bashrc file on the Tier3.
export ATLAS_LOCAL_ROOT_BASE=/cvmfs/
export RUCIO_ACCOUNT="your-cern-username"
alias setupATLAS="source ${ATLAS_LOCAL_ROOT_BASE}/user/"

Next, open a fresh terminal and enter the following:
lsetup rucio
voms-proxy-init -voms atlas
The first command will run a setup script that prepares a list of local tools and sets the appropriate environment variables and default options for the Tier3. The second command sets up rucio, the ATLAS Distributed Data Management (DDM) tool. The last command sets up a VOMS proxy that is valid for 12 hours. Adding the option -valid sets the validity for h hours and m minutes. With this configuration you are now ready to download Monte Carlo and data samples.

See also...

-- EmilyJohnson - 12 Sep 2016
Topic revision: r4 - 13 Sep 2016, EmilyJohnson

This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback