This section summarizes the relevant points of certification. Most items are unchanged with respect to EDG1; the new points are:
Users must have a valid certificate to access the grid. Certificates are issued by recognised authorities designated by the institutes accessing the grid, so each user must check the local certification procedure at their home organization. Certification guidelines are explained in [1] and [2].
When you have obtained a certificate, you must register with either EDG or LCG or both to be recognised as a grid user. For LCG HOWTO documentation check [3] and [4].
To be able to submit jobs in a grid environment, you must have an account
on an EDG2 or LCG-1 User Interface (UI) node. Once you have the account,
copy your certificate files usercert.pem and userkey.pem
with the correct permissions in the ~/.globus directory.
Before starting grid usage, check that your certificate is correct and
valid with the commands:
$ grid-cert-info                        display certificate information
$ openssl verify -CApath \
    /etc/grid-security/certificates \
    ~/.globus/usercert.pem              check certificate validity
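The permission and validity checks described above, gathered into one pre-flight script (an added example, not part of the original guide or of the EDG/LCG tools). The function names are hypothetical, and the expected modes (0400 or 0600 for userkey.pem, no group or other write access on usercert.pem) are the usual Globus convention, assumed here because the page does not state them.

```shell
# Pre-flight check of a ~/.globus directory before grid-proxy-init.
# Assumed policy (usual Globus convention, not stated on the page):
#   userkey.pem  readable (optionally writable) by the owner only: 0400/0600
#   usercert.pem not writable by group or others, e.g. 0644

# Print the nine permission characters of a file, e.g. "rw-r--r--".
mode_of() { ls -ld "$1" | cut -c2-10; }

# Succeed only if the private key is closed to group and others.
key_perms_ok() {
    case "$(mode_of "$1")" in
        r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if group and others cannot modify the certificate.
cert_perms_ok() {
    case "$(mode_of "$1")" in
        r???-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if certificate $1 is still valid $2 seconds from now
# (openssl x509 -checkend exits non-zero otherwise).
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Run every check on directory $1, print one line per problem and
# return the number of problems found (0 means ready for grid-proxy-init).
globus_preflight() {
    dir=$1; problems=0
    for f in usercert.pem userkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ] || return "$problems"
    key_perms_ok "$dir/userkey.pem" ||
        { echo "userkey.pem: mode $(mode_of "$dir/userkey.pem") is too open, use chmod 400"; problems=$((problems + 1)); }
    cert_perms_ok "$dir/usercert.pem" ||
        { echo "usercert.pem: writable by group or others, use chmod 644"; problems=$((problems + 1)); }
    # 43200 s = 12 h, the default proxy lifetime this page gives.
    cert_valid_for "$dir/usercert.pem" 43200 ||
        { echo "usercert.pem: unreadable or expiring within 12 hours"; problems=$((problems + 1)); }
    return "$problems"
}

# Usage: globus_preflight "$HOME/.globus"
```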
Once the above steps are completed, you must authenticate yourself using
proxy commands. EDG1 commands are still valid:
$ grid-proxy-init       create a proxy certificate
$ grid-proxy-info       print proxy certificate status
$ grid-proxy-destroy    destroy a proxy certificate before expiration
The default proxy certificate lifetime is 12 hours, unless you specify a
different time in the command:
$ grid-proxy-init -valid 5:00    set proxy for 5 hours
A job runs only as long as a proxy exists. If the job is still running when
the proxy expires, the job aborts. For long jobs the submitter would
therefore have to set a very long proxy lifetime. Because long lifetimes
create security risks, a proxy repository server is available and its use is
recommended. In this case the user stores the proxy certificate on the proxy
repository server. The middleware then renews the user's proxy certificate
before the job proxy expires, and keeps doing so until the job ends. Renewal
is triggered at 3/4 of the actual proxy lifetime.
The renewal process depends on the value of
GRIDMANAGER_MINIMUM_PROXY_TIME.
There are cases in which proxy may not be able to renew:
The advanced proxy management offered by EDG2 and LCG-1 through the
renewal feature is available via the myproxy command suite. The
user must know the host name of a MyProxy server.
The commands are:
$ myproxy-init -help                       print help
$ myproxy-init -s proxy_server -d -n       create proxy
$ myproxy-info -s proxy_server -d -n       print proxy status
$ myproxy-destroy -s proxy_server -d -n    destroy proxy
The proxy server node is site and VO dependent and is usually defined in the UI
configuration file stored at
$EDG_WL_LOCATION/etc/VO/edg_wl_ui.conf.
Check the defined value with grep as shown in the example that queries two
different sites for the same VO:
$ hostname
adc0014
$ grep -i myproxy /opt/edg/etc/alice/edg_wl_ui.conf
## MyProxyServer is optional. Uncomment and fill correctly for
## MYPROXY_SERVER environment variable
MyProxyServer = "adc0024.cern.ch"
$ hostname
boalice9.bo.infn.it
$ grep -i myproxy /opt/edg/etc/alice/edg_wl_ui.conf
## MyProxyServer is optional. Uncomment and fill correctly for
## MYPROXY_SERVER environment variable
MyProxyServer = "testbed013.cnaf.infn.it"
The server name is a user customizable variable supplied to commands like
edg-job-submit through the --config-vo option, or defined using
attributes in job submission files.