Globus Quick-Start guide for EDG Distribution Users

This quick-start guide is targeted at users of the EDG distribution of the Globus Toolkit (version 2.0). This version is installed on the DAS-2 fileservers (fs*.das2.*). If you are working with a Globus 1.1.3 derivative you should look here.

Initializing your environment

The Globus software is installed in "/opt/globus" and in "/opt/edg". If you use a regular shell like sh, csh, bash or tcsh, the relevant environment variables are included automatically by means of the profile.d mechanism. If you (re)set your path manually, you should include one of the following scripts:
sh and bash: add to your profile: . globus.sh
Or set at least:
GLOBUS_LOCATION=${GLOBUS_LOCATION:-/opt/globus}
export GLOBUS_LOCATION
if [ -r "$GLOBUS_LOCATION/etc/globus-user-env.sh" ]; then
    . "$GLOBUS_LOCATION/etc/globus-user-env.sh"
fi
csh and tcsh: add to your (t)cshrc: source globus.csh
Or set at least:
if (! $?GLOBUS_LOCATION ) then
  setenv GLOBUS_LOCATION /opt/globus
endif
if ( -r "$GLOBUS_LOCATION/etc/globus-user-env.csh" ) then
  source $GLOBUS_LOCATION/etc/globus-user-env.csh
endif
This will enable you to locate the Globus software.

The user certificate

Next, you will have to obtain a certificate. If you want to work as part of the EU DataGrid or collaborate with the Virtual Laboratory, you must apply for a medium-security certificate from the DutchGrid CA. If you want to use your certificate only for local demonstration (on trade-fairs, for instance) or for student work on the ASCI DAS-2 systems, you may apply for "DutchDemo" certification.

The fastest way to build a properly formatted certificate request is to go to the web build-a-request interface. After reading some legalese explanations, you can click on the "Build-a-Request" link. On the final page (after filling in your full name), select your proper certification class (Medium or Demo).

Certificate Name Forms

The subject name of your certificate is an X.501 Distinguished Name. The name form must be compliant with the "Certification Policy and Practice" of the DutchGrid CA. If you want a personal identity certificate, your name form should be like:
/O=dutchgrid/O=users/O=YourInst/CN=Firstname Lastname
where "Firstname Lastname" is your full name given at birth (as in your official identity papers).

You may also attempt to use the "grid-cert-request" command, but please make sure that the local site configuration generates the proper name forms, uses keys of at least 1024 bits and specifies the proper e-mail address (so that the email does not go to the Globus CA). The full name is usually taken from the password repository (file, NIS or NIS+). Use your local OS's commands to change it if necessary, or use the "-cn" option of grid-cert-request.

Your common name is printed at the top of your certificate request. Please verify it! It should contain your real name, including in full both your given name and your family name. In particular, your login name is not adequate.
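A pre-flight check for the rules above, as an added example (not part of the original guide, nor of the Globus or DutchGrid CA tooling): the hypothetical function check_subject takes the subject and key size you read off your request and tests them against the name form, the 1024-bit minimum and the login-name rule. All sample subjects except the guide's own example DN are constructed.

```shell
# check_subject SUBJECT KEYBITS LOGIN
# SUBJECT is the slash-form subject printed at the top of the request.
# Prints one line per problem; returns 0 only when none is found.
check_subject() {
    subject=$1 bits=$2 login=$3 rc=0
    # Fixed prefix of the name form; anything else (for instance a site
    # default pointing at another CA) is rejected outright.
    case $subject in
        /O=dutchgrid/O=users/O=?*/CN=?*) ;;
        *) echo "subject is not /O=dutchgrid/O=users/O=<inst>/CN=<name>"
           return 1 ;;
    esac
    rest=${subject#/O=dutchgrid/O=users/O=}
    inst=${rest%%/CN=*}     # institute, e.g. "nikhef"
    cn=${rest#*/CN=}        # common name, e.g. "David Groep"

    # Exactly four components: no extra /OU= and no second /CN=.
    case $inst in */*) echo "extra component before CN: $inst"; rc=1 ;; esac
    case $cn   in */*) echo "extra component after CN: $cn"; rc=1 ;; esac

    # The CN must be the full name, never the login name.
    if [ "$cn" = "$login" ]; then
        echo "CN is the login name, not a real name"; rc=1
    else
        case $cn in
            ?*" "?*) ;;
            *) echo "CN needs given name and family name: $cn"; rc=1 ;;
        esac
    fi

    # Key length of at least 1024 bits.
    case $bits in
        ''|*[!0-9]*) echo "key size is not a number: $bits"; rc=1 ;;
        *) [ "$bits" -ge 1024 ] || { echo "key has only $bits bits"; rc=1; } ;;
    esac
    return $rc
}

# Constructed samples: the guide's example DN, then three faulty requests.
while IFS='|' read -r s b l; do
    if check_subject "$s" "$b" "$l"; then echo "OK: $s"; else echo "REJECTED: $s"; fi
done <<'EOF'
/O=dutchgrid/O=users/O=nikhef/CN=David Groep|1024|davidg
/O=dutchgrid/O=users/O=nikhef/CN=davidg|1024|davidg
/O=dutchgrid/O=users/O=nikhef/CN=David Groep|512|davidg
/O=Grid/O=Globus/OU=nikhef.nl/CN=David Groep|1024|davidg
EOF
```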

Mail the resulting certificate request to the nikhefCA, per the instructions written to the screen. You will get your signed certificate after your identity has been verified. The applicable NIKHEF CA policy is available here. Install your certificate in "$HOME/.globus/usercert.pem". You may safely delete any empty file with this name that is already there. The CA's e-mail address is "ca@nikhef.nl".

Passphrases and protection of keys

Choose a passphrase to protect the private key associated with your certificate. Make it strong, since the single sign-on technology will allow access to many systems with this certificate. Some explicit requirements are associated with your certificate; see the DutchGrid CA policy documents for details.
  • use both uppercase and lower case characters
  • insert some numbers into it
  • use at least one non-alphanumeric character
  • don't use a variation of an existing dictionary word, i.e., do not just "eleetify" a word as-is.
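
The four rules above as a shell check, added here as an example and not taken from the DutchGrid CA policy: the hypothetical check_passphrase undoes "eleet" substitutions before the dictionary lookup, so a word that was only eleetified as-is is still caught. The substitution table, the wordlist and the sample passphrases are assumptions of this example.

```shell
# deleet STRING: undo common "eleet" substitutions, lowercase the result
# and keep letters only. The substitution table is this example's assumption.
deleet() {
    printf '%s' "$1" | LC_ALL=C tr '4@3105$7' 'aaelosst' \
        | LC_ALL=C tr '[:upper:]' '[:lower:]' | LC_ALL=C tr -cd '[:lower:]'
}

# check_passphrase PASSPHRASE WORDLIST
# WORDLIST is a readable file with one lowercase word per line.
# Prints each rule that fails; returns 0 only when all four rules hold.
check_passphrase() {
    pw=$1 words=$2 rc=0
    [ -r "$words" ] || { echo "wordlist not readable: $words"; return 2; }
    case $pw in *[[:upper:]]*) ;; *) echo "no uppercase character"; rc=1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lowercase character"; rc=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no number"; rc=1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no non-alphanumeric character"; rc=1 ;; esac

    # "P4ssw0rd!" reduces to "password", so it is a dictionary word as-is.
    # The reduced form goes to grep on stdin, never as a process argument.
    core=$(deleet "$pw")
    if [ -n "$core" ] && printf '%s\n' "$core" | grep -qxF -f "$words"; then
        echo "variation of dictionary word '$core'"; rc=1
    fi
    return $rc
}

# Constructed wordlist and candidate passphrases, for demonstration only.
demo_words=$(mktemp)
printf '%s\n' password elephant welcome >"$demo_words"
for p in 'P4ssw0rd!' 'elephant' 'Tr1ple%Knot&Harbour'; do
    if out=$(check_passphrase "$p" "$demo_words"); then echo "accept: $p"
    else echo "reject: $p: $(printf '%s' "$out" | tr '\n' ';')"; fi
done
rm -f "$demo_words"
```

The dictionary lookup is an exact match on the reduced form, so it only catches words that were eleetified as-is; a passphrase that passes is not thereby shown to be strong.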

Getting accounts

Contact "gridadm@nikhef.nl" to get an account on the micro testbed or on the UvA DAS-2 cluster (fs2.das2.nikhef.nl). Include your certificate "subject" and your local username. Your distinguished name will be added to the grid mapfile for some (or possibly all) gridded hosts at NIKHEF or on DAS-2. The reply you get back from the gridadm will state which hosts are available to you. If you want to get access to all DAS-2 clusters, contact the appropriate DAS-2 system/account administrators.

Once you have your account, try authenticating with the host. If we assume that you have an account on the UvA DAS-2 cluster, try:

$ grid-proxy-init
Your identity: /O=dutchgrid/O=users/O=nikhef/CN=David Groep
Enter GRID pass phrase for this identity: give passphrase for your private key
Creating proxy ................................................... Done
Your proxy is valid until Fri Mar  1 22:10:27 2002
$ globusrun -a -dryrun -r fs2.das2.nikhef.nl

GRAM Authentication test successful
$

Now, you can try running your first grid job, say, the id command, on this host:

$ globus-job-run fs2.das2.nikhef.nl /usr/bin/id -a
uid=100(davidg) gid=311(uva) groups=311(uva)
$ 
This should return your account name on the local system. It may be your "normal" account name, but also a (temporarily) leased account from a pool. If that's indeed the case: congratulations! You can now start, for example, with the tutorials from the Globus site.
PS: some of the sources from the 3rd Globus Retreat tutorial are available at NIKHEF from `/global/ices/grid/techn/globus-tut', or via this link. These sources apply to Globus version 1.1.2 till 1.1.4, and do not necessarily work with Globus-2.0-beta!

Information Services

The local resource information system (GRIS) is available on port 2135 on each resource, using the LDAP protocol. Queries to this port will tell you the machine configuration, system load, etc. You can connect to the GRIS using your normal LDAP tools, e.g.:
$ ldapsearch  -x -L -h fs2.das2.nikhef.nl -p 2135 -b "Mds-Vo-name=local,o=Grid" '(objectclass=*)'
version: 1

#
# filter: (objectclass=*)
# requesting: ALL
#

# fs2.das2.nikhef.nl, local, grid
dn: Mds-Host-hn=fs2.das2.nikhef.nl,Mds-Vo-name=local,o=grid
objectClass: MdsComputer
objectClass: MdsComputerTotal
objectClass: MdsFsTotal
objectClass: MdsHost
....
The proper Information Index (GIIS) to contact depends on your affiliation to a Virtual Organization. For EDG purposes, you should contact the Central Index at CERN (testbed001.cern.ch); for an overview of DAS-2 resources, go to fs2.das2.nikhef.nl and look for the VO "das2":
$ ldapsearch  -x -L -h fs2.das2.nikhef.nl -p 2135 -b "Mds-Vo-name=das2,o=Grid" '(objectclass=*)'
....

Using GridFTP services

The proper way to use GridFTP services is via the Globus-provided globus-url-copy command. The syntax is somewhat harsh, but at least it works without corrupting your data...
$ globus-url-copy gsiftp://fs2.das2.nikhef.nl/home/davidg/.bashrc gsiftp://fs0.das2.cs.vu.nl/home/davidg/aap
$
See the "-help" option of globus-url-copy or the Globus web pages for more details.

The other option is to use gsincftp. This interactive client for GridFTP services does not support all the advanced features of the GridFTP protocol (in particular, no server striping and no parallel streams), but is useful to test the authentication of gsiftp:

$ gsincftp fs0.das2.cs.vu.nl
NcFTP 3.0.3 (April 15, 2001) by Mike Gleason (ncftp@ncftp.com).

Copyright (c) 1992-2001 by Mike Gleason.
All rights reserved.

Connecting to 130.37.199.2...                                                   
fs0.das2.cs.vu.nl FTP server (Version wu-2.6.1(1) [GSI patch v0.5] Wed Dec 5 15:47:30 GMT 2001) ready.
Logging in...                                                                   
User davidg logged in.
Logged in to fs0.das2.cs.vu.nl.                                                 
ncftp /home1/davidg > dir
-rw-r--r--    1 davidg   uva            0   Mar  1 13:06   aap
-rw-------    1 davidg   uva          392   Jan 23 13:57   .bash_history
...

WARNING: the current version of gsincftp has a bug that may cause data corruption when sending files. The larger the file, the higher the probability of corruption. While you still have a good chance of correctly sending a 50 MByte file, sending a 1 GByte file will probably lead to data corruption. globus-url-copy does not have this problem.

I'm stuck!

Try some lubricant :-)
You can file support requests with support@dutchgrid.nl. On-site users in NIKHEF or at the UvA can also contact me by telephone at NIKHEF extension 2179.
Comments to David Groep