-- TWikiAdminUser - 2015-08-17

Getting started (Guide to new CMS user joining TIFR)


The GRID introduces the concept of a GRID certificate to authenticate users. A GRID certificate is issued by a Certificate Authority (CA) which checks the identity of the user and guarantees that the holder of this certificate is existing and his certificate is valid.

The certificate is used for authentication instead of the user's account to avoid the replication of the user's account to all GRID sites. When authenticating to a site, the user's certificate is mapped to a local account under which all commands are executed.

The certificate itself is not used during the actual GRID usage. All GRID jobs use a proxy of the certificate with a limited lifetime. This enhances security because the user has to re-establish the validty of his certificate after the lifetime of the proxy has ended.

In the following, the application procedure for a GRID certificate and the generation of a proxy is described. The application has to be done once followed by the installation of the certificate in the home directory of the user's account. The proxy generation has to be repeated everytime no valid proxy exists on the user's submission machine.

Application procedure

  • Getting Grid Certificate

  • To work in Grid Environment the user should have a valid grid certificate signed by recognized grid computing certification authority, as for our country user can apply for certificate to "Indian Grid Certificate Authority (IGCA)"
Please follow the instruction on (Indian Grid Certificae Authority (IGCA) and apply for certificate.
  • Make sure you executed all steps carefully and after recieving the certificate please load it into your internet browser
  • Please register yourself with the virtual organization (VO membership) e.g. CMS VO membership

Getting a CERN account

Step 1:
  • E-mailing the CERN Service Desk at Service-Desk@cern.ch from your external email address (from your university or service provider). Please attach a copy of your identification document (identity card or passport). Once you have contacted the CERN Service Desk, if it is not possible for you to send a copy of your identification document, you can send a copy by fax at the following fax number +41 22 766 84 89
  • You will recieve an email with the detailed instructions.
  • Once you have the temporary password for your CERN account, use the initial account configuration wizard at the address http://cern.ch/wizard (Please do so within 5 days or the account will be deactivated):
    1. Log in with your login name and the temporary password;
    2. Follow the instructions on the screen

How to register in the CMS VO

When in possession of a personal certificate, a CMS user has to register his certificate in the CMS Virtual Organisation in order to be authorized to use WLCG resources. The procedure is different depending if you are already registered in the CMS VO or not. You need to check whether or not your AUP (VO Acceptable Usage Policy) status is active. Please click here and check it. If your status is not active, please follow these steps:

  1. Click here (or find the registration form) and submit it
  2. After submitting the form, you should get a confirmation email that contains a link that you need to click to confirm your registration. Find the link and click it
  3. Now, you need to wait for final confirmation that will be done by the VO administrators
  4. When they confirm your registration request, you will get a notification email
  5. Finally, you can sign up the AUP. Please click here to see the page
If you think these steps are not consistent, please contact us.

If you never registered to the CMS VO

First of all, make sure that you are registered in the CERN Human Resources database with an e-mail address.

Please do NOT use Safari to connect to the CMS VOMS-admin server below, use a recent version of Firefox or Chrome instead. Safari will just give you an error page - the problem is known to Apple since a long time, but so far not resolved.

Follow these steps:

  1. obtain a personal certificate, if you have not done so, using the procedure indicated above;
  2. most CA's give users certificates via web pages, so the certificate is already imported in your browser as part of the previous step, in particular this is the case with CERN certificates. If instead you got your certificate as a file, you need to make sure it is P12 format (contact your natciona CA if needed) and load it into your browser (instructions are different for each browser and can be found e.g. via google). Make sure you use the very same browser used to request the certificate.
  3. go to the CMS VOMS-admin server, and follow the instructions, taking into account the following Note that registration service was moved to a new one in March 2015 - Some functionality might not be there in the geginning, e.g. selection of a country representative:
  4. you should find yourself in the CERN graybook as a CMS member. If not, contact the CMS secretariat (cms.people at cern.ch);
  5. when asked, and if you have an account at CERN, provide your e-mail address to match exactly the E-mail field in the CERN phonebook; if not, then give the E-Mail in the CERN graybook; Note that the address you give now will later be used for the communication from the CMS-VO system to you;
  6. if you are an US-CMS member, select Anthony Tiradani as Representative and follow these additional steps;
  7. if you are a German CMS member, select Thomas Kress as Representative;
  8. if you are an Italian CMS member, select Giuseppe Bagliesi as Representative;
  9. if you are a Taiwanese CMS member, select Chia-Ming Kuo as Representative;
  10. otherwise, select Andreas Pfeiffer as Representative;
  11. Most CMS user should not select any group nor role, but some national organization have specific rules (below), user can contact directly their institution for doubts:
User from should select group and role
US-CMS /cms/uscms None
Germany /cms/dcms None
Italy /cms/itcms None
Spain /cms/escms None
Belgium /cms/becms None
Taiwan /cms/twcms None

If you are already registered in the CMS VO with a different certificate

If you have recently obtained a new certificate but you were already registered in the CMS VO with an old certificate, please read these instructions. This is the case, for example, if you got a new CERN certificate from the new CERN CA but you had already a certificate from the old CERN CA. Basically, what you have to do in this case is to add a new certificate to your entry in the CMS VO.

Getting an account at India-CMS Tier-III at TIFR, Mumbai and T2_IN_TIFR

  • After getting certificate and VO membership, Please send an email with your lxplus username and certificate DN, to anyone in this list
  • You will recieve your account information and machine name in the reply to you email, you will also recieve temporary onetime password which you have change when you login into your account.
  • Configure your account with your grid certificate ( As described in these steps GRIDCredentials)
Topic revision: r2 - 2015-08-19 - 06:54:58 - TWikiAdminUser
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback