USC Center for High Performance Computing and Communications

Setting Up Credentials

This Web page explains the steps to obtain the credentials required to run grid applications.

User Entry in USCGrid Mapfile

You must have a USC UNIX login ID and an HPCC account in order to use USCGrid and HPCC computing resources. The USCGrid server software will not accept jobs for execution from users that it does not recognize. For the USCGrid server software to recognize your UNIX login ID, that ID must be entered in the USCGrid mapfile.

To request that your UNIX login ID be added to the USCGrid mapfile, you need to send an e-mail message containing a copy of your kx509 certificate to the USCGrid administrator:

almaak.usc.edu(23): source /usr/usc/globus/default/setup.csh
almaak.usc.edu(24): kinit
Password for shelley@ISD.USC.EDU: 
almaak.usc.edu(25): kx509
almaak.usc.edu(26): kxlist -p
Service kx509/certificate
 issuer= /C=US/ST=California/L=Los Angeles/O=University of Southern California/CN=usc.edu
 subject= /C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu\
/CN=shelley/USERID=shelley/Email=shelley@USC.EDU
 serial=A1
 hash=25b24e07
almaak.usc.edu(27): grid-proxy-info | mail -s "add me to grid mapfile" grid-request@usc.edu

Setting up Your UNIX Environment for Grid Computing

Once you have taken care of the USCGrid Mapfile, you need to set up the proper environment.

If you use the csh or tcsh shell, you will want to run setup.csh:

almaak.usc.edu(5): source /usr/usc/globus/default/setup.csh

For any other shell, run setup.sh:

almaak.usc.edu(5): source /usr/usc/globus/default/setup.sh

You might consider adding the appropriate source statement to the .login file in your home directory. That will ensure that any time you log in, the NMI setup script is run and you are ready for the subsequent steps.

Acquiring a Kerberos Ticket

USC uses Kerberos authentication software from MIT to authenticate the user's identity before granting access to restricted services. Before you can submit a grid-computing job, you must acquire a USC Kerberos ticket, proving that you are who you say you are.

Since every USC UNIX login ID should already be known to our Kerberos server, authenticating yourself to Kerberos and obtaining a ticket should be as simple as typing kinit at the command prompt:

almaak.usc.edu(33): kinit
Password for shelley@ISD.USC.EDU: 

If you receive an error message about a non-existent Kerberos principal, you probably have a pre-existing USC UNIX login ID for which a Kerberos principal was never created. You will need to create a Kerberos principal by changing your password on the ITS Password Change Web page.

If, after changing your password and waiting for the change to propagate, you still cannot use the kinit command successfully, please e-mail the UNIX systems administrator. Include as much information as you can regarding the problem.

Translating a Kerberos Ticket into an X.509 Certificate

The grid software authenticates using X.509 PKI certificates. After you authenticate your identity through the USC Kerberos software, you must translate your new Kerberos ticket into an X.509 certificate using kx509:

almaak.usc.edu(34): kx509
almaak.usc.edu(35): kxlist -p
Service kx509/certificate
 issuer= /C=US/ST=California/L=Los Angeles/O=University of Southern California
/CN=usc.edu
 subject= /C=US/ST=California/L=Los Angeles/O=University of Southern California
/OU=usc.edu/CN=shelley/USERID=shelley/Email=shelley@USC.EDU
 serial=6A
 hash=25b24e07

Verifying the X.509 Certificate

The final step in authentication is to verify that the grid software recognizes your new kx509 certificate:

almaak.usc.edu(36): grid-proxy-info
subject  : /C=US/ST=California/L=Los Angeles/O=University of Southern California
/OU=usc.edu/CN=shelley/USERID=shelley/Email=shelley@USC.EDU
issuer   : /C=US/ST=California/L=Los Angeles/O=University of Southern California
/CN=usc.edu
type     : not a proxy
strength : 512 bits
timeleft : 9:50:11
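
The verification step above can be scripted before submitting a job. The following is an added example, not part of the original USC page or of the Globus software: it parses grid-proxy-info output and reports problems with the subject, issuer, key strength and remaining lifetime. The function names, the 2048-bit minimum and the one-hour lifetime threshold are assumptions made for illustration; the sample input is the output shown above.

```python
SAMPLE = """\
subject  : /C=US/ST=California/L=Los Angeles/O=University of Southern California
/OU=usc.edu/CN=shelley/USERID=shelley/Email=shelley@USC.EDU
issuer   : /C=US/ST=California/L=Los Angeles/O=University of Southern California
/CN=usc.edu
type     : not a proxy
strength : 512 bits
timeleft : 9:50:11
"""  # constructed sample: the page's grid-proxy-info output, wrapped DN lines kept

EXPECTED_ISSUER_CN = "usc.edu"  # issuer CN shown in the page's output
MIN_KEY_BITS = 2048             # assumed local policy, not from the page
MIN_SECONDS_LEFT = 3600         # assumed: credential should outlive one hour


def parse_proxy_info(text):
    """Parse 'key : value' lines; a line starting with '/' continues a DN."""
    fields, last = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if line.startswith("/") and last:
            fields[last] += line.strip()
        elif sep:
            last = key.strip()
            fields[last] = value.strip()
    return fields


def dn_attrs(dn):  # split a one-line '/K=V/K=V' DN into a dict
    return dict(p.split("=", 1) for p in dn.split("/") if "=" in p)


def check_credential(text, login):
    """Return a list of problems; an empty list means every check passed."""
    f, problems = parse_proxy_info(text), []
    if dn_attrs(f.get("subject", "")).get("USERID") != login:
        problems.append("subject USERID does not match login")
    if dn_attrs(f.get("issuer", "")).get("CN") != EXPECTED_ISSUER_CN:
        problems.append("unexpected issuer")
    bits = int(f.get("strength", "0 bits").split()[0])
    if bits < MIN_KEY_BITS:
        problems.append(f"key strength {bits} bits is below {MIN_KEY_BITS}")
    h, m, s = (int(x) for x in f.get("timeleft", "0:0:0").split(":"))
    if h * 3600 + m * 60 + s < MIN_SECONDS_LEFT:
        problems.append("credential expires too soon")
    return problems


if __name__ == "__main__":
    print(check_credential(SAMPLE, "shelley") or "ok")
```

Run against the sample, the only finding is the 512-bit key strength, which falls below the assumed minimum.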
