The following instructions are mainly for Windows users.

First of all, you have to download and install an SSH client for Windows, such as PuTTY or SSH Secure Shell Client.

Then refer to:

  • "CASE 1)" if you have requested a certificate from your certification authority
  • or "CASE 2)" (further down this page) if you have requested a certificate from CA-CINECA.


CASE 1) if you have requested a certificate from your certification authority

  • Log in to a CINECA HPC cluster and copy your X.509 personal certificate to that cluster.
  • Convert your certificate to PEM format. If it is a .p12 or a .pfx file, convert it by typing:

    bash$ openssl pkcs12 -clcerts -nokeys -in <your certificate in p12 or pfx format> -out usercert.pem 
    Enter Import Password: <password used for backup of your .p12 certificate>
    MAC verified OK

    bash$ openssl pkcs12 -nocerts -in <your certificate in p12 or pfx format> -out userkey.pem
    Enter Import Password: <password used for backup of your .p12 certificate>
    MAC verified OK
    Enter PEM pass phrase: <password to encrypt your private key>
    Verifying - Enter PEM pass phrase <password to encrypt your private key>
  • Set the right permissions on the files just created:

    bash$ chmod 644 usercert.pem
    bash$ chmod 400 userkey.pem
  • Extract your own user DN (Distinguished Name) from the certificate, for example by typing:

    bash$ openssl x509 -in usercert.pem -noout -subject | sed 's/subject= //' 

    The DN is written as a slash-separated string which states who you are, your organization and country, who gave you that certificate and so on. For example, a sample INFN certificate reports: "/C=IT/O=INFN/OU=Personal Certificate/L=YourOrganization/CN=Your Name".

  • To use Globus OnLine to transfer data on the FERMI, PICO, GALILEO and MARCONI clusters, the DN has to be added to our UserDB profile (https://userdb.hpc.cineca.it/user) under the "personal data" section, in the field X.509 certificate, following the specified syntax. To use globus-url-copy with the iRODS repository, you must have been added as PI or collaborator to a DRES of type REPO.

  • Create the directory ~/.globus and copy usercert.pem and userkey.pem into it.

    bash$ mkdir ~/.globus
    bash$ cp <some location>/usercert.pem ~/.globus
    bash$ cp <some location>/userkey.pem ~/.globus


  • Type the commands: 

    bash$ mkdir ~/.globus/certificates && cd ~/.globus/certificates 
    bash$ wget http://dist.eugridpma.info/distribution/igtf/current/accredited/igtf-preinstalled-bundle-classic.tar.gz && tar -zxvf igtf-preinstalled-bundle-classic.tar.gz
    bash$ wget http://dist.eugridpma.info/distribution/igtf/current/accredited/igtf-preinstalled-bundle-mics.tar.gz && tar -zxvf igtf-preinstalled-bundle-mics.tar.gz
    bash$ wget http://dist.eugridpma.info/distribution/igtf/current/accredited/igtf-preinstalled-bundle-slcs.tar.gz && tar -zxvf igtf-preinstalled-bundle-slcs.tar.gz
    bash$ wget http://dist.eugridpma.info/distribution/igtf/current/accredited/igtf-preinstalled-bundle-iota.tar.gz && tar -zxvf igtf-preinstalled-bundle-iota.tar.gz
  • Create your proxy certificate (starting from your X.509 certificate) by using the command:

    grid-proxy-init

    The password required is the same used to encrypt your private key.

  • Store it on the proxy server with the command:

    myproxy-init -s grid.hpc.cineca.it -l <username>

    By default, the proxy credential lifetime is 12 hours. Use the options "-c 0 -t <hours>" to change this default.


  • When you have finished using your proxy credential, destroy it by typing:

    myproxy-destroy -s grid.hpc.cineca.it -l <username> 
    grid-proxy-destroy

    NB: The proxy destroys itself 12 hours after its "init". After this time you have to create the proxy again for a new transfer.
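
A pre-flight check for the files placed in ~/.globus by the steps above, meant to be run before grid-proxy-init. This is an added example, not part of the original CINECA instructions; the function name check_globus_creds is hypothetical, and it assumes the openssl command already used above.

```shell
#!/usr/bin/env bash
# Added example: check the files in ~/.globus before running grid-proxy-init.
# check_globus_creds is a hypothetical helper name, not a Globus command.
# Prints the subject DN on stdout; returns 0 only if every check passes.
check_globus_creds() {
    local dir cert key mode rc
    dir="${1:-$HOME/.globus}"
    cert="$dir/usercert.pem"
    key="$dir/userkey.pem"
    rc=0

    [ -r "$cert" ] || { echo "missing or unreadable: $cert" >&2; return 2; }
    [ -f "$key" ]  || { echo "missing: $key" >&2; return 2; }

    # The private key must be accessible to its owner only (chmod 400 above).
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        400|600) ;;
        *) echo "userkey.pem has mode $mode, expected 400" >&2; rc=1 ;;
    esac

    # The key should carry a PEM pass phrase: PKCS#8 keys say
    # "BEGIN ENCRYPTED PRIVATE KEY", legacy keys "Proc-Type: 4,ENCRYPTED".
    grep -q 'ENCRYPTED' "$key" ||
        { echo "userkey.pem is not pass-phrase protected" >&2; rc=1; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "usercert.pem is expired or unreadable" >&2; rc=1; }

    # "-nameopt compat" keeps the /C=.../CN=... form on OpenSSL 1.1 and later,
    # whose default output is "subject=C = IT, O = ...".
    openssl x509 -in "$cert" -noout -subject -nameopt compat |
        sed 's/^subject= *//'

    return "$rc"
}

# Usage: check_globus_creds && grid-proxy-init
```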

CASE 2) if you have requested a certificate from CA-CINECA

The proxy credentials are already created and stored on the CINECA myproxy-server.
