Personal tools
You are here: Home Services DEISA Interactive access to remote DEISA/PRACE sites
 

Interactive access to remote DEISA/PRACE sites

The followup-project to DEISA is PRACE, so please implicitly change all references to DEISA into those to PRACE.

RZG users with a running DEISA project can login into the remote DEISA system where the project has been allocated.

Most DEISA sites are offering interactive access via gsissh via a DEISA internal network.

First of all, you have to create a "backup" of your X.509 certificate - including your private key - into a so-called keystore. With Firefox itis easy to create such a keystore in PKCS12 format. The corresponding extension if the file name filename should be ".p12". The keystore is sometimes also called "backup" in the security section of your browser.

This keystore, say "mycert.p12", can be transferred from your local machine to the RZG login node vip.rzg.mpg.de using scp or sftp. The keystore is secured by encryption using a passphase (password) that has been set during the backup procedure. Please note that the policy of some CAs does not allow to locate the private key into a shared storage space, such as the NFS, GPFS or AFS filesystem, regardless of the actual level of security.

Following we describe the interactive access of remote DEISA login nodes using gsi-ssh on vip.rzg.mpg.de, which is the HPC login node at RZG.

 

Login to vip.rzg.mpg.de with "ssh" using your DEISA username and the corresponding password.

ssh rzgxxxxx@vip.rzg.mpg.de


Your home directory that is located on a GPFS file system is /u/rzgxxxx


The following steps have to be performed initially (only once and for the first time as a personal setup procedure):

  1. create a subdirectory .globus 
    mkdir $HOME/.globus
    DEISA users from RZG have usually another account with access to the AFS file system. In order to increase the security the directory $HOME/.globus should then be realized as a symbolic link to a directory in your personal AFS file space. You will also have to get an AFS token via /afs/ipp/bin/klog for the alternative account.
    cd
ln -s /afs/ipp/u/<username>/.globus .globus
  2. copy your personal PKCS12 keystore from your local machine into $HOME/.globus and rename it "usercred.p12".
    Depending of the service you want to use, it can be advantageous to have the .globus folder as a real directory unter /u/rzgxxxxx and to realize usercred.p12 as a link to the real keystore located in the AFS.
    cd /u/rzgxxxxx/.globus
ln -s /afs/ipp/u/<username>/myPersonalKeystore.p12 usercred.p12



The following steps are required after you have logged into vip:

  1. create the DEISA and Globus context using the command 
    module load deisa globus
  2. create a proxy certificate using the command: 
    grid-proxy-init
    Note: if your usercred.p12 is located in the AFS filesystem you will have to get an AFS token first 
    klog <username of the AFS acccount>
    (or make sure that you have a token already)
    You will have to use the same password with grid-proxy-init that has been choosen for the PKCS12 keystore.
  3. login to the login node of the remote DEISA site (e.g. csc ) that has been assigned to your project
    gsissh `deisa_service -i -s fzj`
    Other site acronyms are listed when the command deisa_service is invoked without a parameter.

    With the example above you are now ready to work interactively on the login node if the IBM AIX cluster at FZJ.
  4. load the DEISA context at FZJ and switch your working directory to the DEISA home directory
    module load deisa
cd $DEISA_HOME
    At all DEISA sites you can inspect and use the available software, compilers, libraries, tools, utilities on the HPC machine in the same manner:
    module avail

 

Further References:

 

Document Actions