How to get access to WLCG

Three things are needed to have access to WLCG:

1. a personal certificate, used to authenticate with the Grid;

2. registration of your personal certificate in the CMS Virtual Organisation;

3. an account on a User Interface (any machine with the WLCG commands installed).

These steps are explained in detail below.

Getting a personal certificate

A personal certificate consists of a pair of files, the private key (userkey.pem) and the certificate itself, containing the public key (usercert.pem). To obtain a certificate, a request has to be made to a Certification Authority recognized by WLCG. You have three options:

· find the Certification Authority for your country in the list of recognized Certification Authorities and request a certificate from it, following the procedures published on its web site;

· request a certificate from the CERN CA if you have a CERN NICE account;

· request a certificate from the WLCG catch-all CA if no CA exists for your country and you do not have a CERN NICE account.

When a personal certificate is renewed, normally the certificate subject is identical to the old one: in that case, nothing has to be done about the VO registration.

How to get or renew a certificate from the CERN CA

The CERN CA will issue certificates only to people with a CERN NICE account.

The steps to follow to make a request are explained on the CA website. The instructions to convert the certificate into a format appropriate for use in the Grid are here. If you have problems, write to the Helpdesk. The procedure to renew a certificate is identical to the procedure to get a certificate for the first time.

Make sure that the certificate and the private key are installed in $HOME/.globus with the following permissions:

-rw-r--r-- 1 doe zh 4541 Feb 23 17:44 usercert.pem
-r-------- 1 doe zh 963 Feb 22 11:52 userkey.pem

Notice that the private key must be readable only by you, otherwise the certificate will not work (and your private key could be stolen).

How to register in the CMS VO

Once in possession of a personal certificate, a CMS user has to register that certificate in the CMS Virtual Organisation in order to be authorized to use WLCG resources. The procedure differs depending on whether you are already registered in the CMS VO or not.

If you never registered to the CMS VO

First of all, make sure that you are registered in the CERN Human Resources database with an e-mail address.

Follow these steps:

  1. obtain a personal certificate, if you have not done so;
  2. convert your certificate into P12 format and load it into your browser; this is not necessary if you have obtained a CERN certificate, because it is already in the browser (use the very same browser used to request the certificate);
  3. go to the CMS VOMRS server, and follow the instructions, taking into account the following;
  4. when asked, provide an e-mail address which matches the Generic E-mail or the Preferred E-mail fields in the CERN HR database; if you have an account at CERN, choose your CERN e-mail address;
  5. if you are a US-CMS member, select Vijay Sekhri as Representative and follow these additional steps;
  6. if you are a German CMS member, select Thomas Kress as Representative;
  7. if you are an Italian CMS member, select Giuseppe Bagliesi as Representative;
  8. if you are a Taiwanese CMS member, select Chia-Ming Kuo as Representative;
  9. otherwise, select Andrea Sciabà as Representative;
  10. select which groups and roles to join following the indications of the following table. The average CMS user should only select the combination /cms/Role=cmsuser.

Group              | Group Roles | Description                     | Non-US-CMS member | US-CMS member | German CMS members | Italian CMS members | Taiwanese CMS members
-------------------+-------------+---------------------------------+-------------------+---------------+--------------------+---------------------+----------------------
/cms               | no role     | All CMS users                   | Y                 | Y             | Y                  | Y                   | Y
                   | cmsuser     | Normal user in OSG              | Y                 | Y             | Y                  | Y                   | Y
                   | lcgadmin    | To install CMS software on WLCG | N                 | N             | N                  | N                   | N
                   | production  | MC production in WLCG           | N                 | N             | N                  | N                   | N
                   | cmst0admin  | CMS T0 admins                   | N                 | N             | N                  | N                   | N
                   | cmst1admin  | CMS T1 admins                   | N                 | N             | N                  | N                   | N
                   | cmst2admin  | CMS T2 admins                   | N                 | N             | N                  | N                   | N
/cms/production    | no role     | For testing only (obsolete)     | N                 | N             | N                  | N                   | N
                   | high_prio   | For high priority productions   | N                 | N             | N                  | N                   | N
/cms/analysis      | no role     | For testing only (obsolete)     | N                 | N             | N                  | N                   | N
/cms/HeavyIons     | no role     | For Heavy Ions studies          | N                 | N             | N                  | N                   | N
/cms/Higgs         | no role     | For Higgs studies               | N                 | N             | N                  | N                   | N
/cms/StandardModel | no role     | For SM studies                  | N                 | N             | N                  | N                   | N
/cms/Susy          | no role     | For SUSY studies                | N                 | N             | N                  | N                   | N
/cms/uscms         | no role     | OSG CMS users                   | N                 | Y             | N                  | N                   | N
                   | cmsfrontier | Frontier ops                    | N                 | N             | N                  | N                   | N
                   | cmsphedex   | PhEDEx ops in OSG               | N                 | N             | N                  | N                   | N
                   | cmsprod     | MC production in OSG            | N                 | N             | N                  | N                   | N
                   | cmssoft     | To install CMS software on OSG  | N                 | N             | N                  | N                   | N
                   | cmst1admin  | CMS T1 admins                   | N                 | N             | N                  | N                   | N
                   | cmst2admin  | CMS T2 admins                   | N                 | N             | N                  | N                   | N
                   | cmsuser     | Normal user in OSG              | N                 | Y             | N                  | N                   | N
/cms/dcms          | no role     | German user                     | N                 | N             | Y                  | N                   | N
/cms/itcms         | no role     | Italian user                    | N                 | N             | N                  | Y                   | N
/cms/twcms         | no role     | Taiwanese user                  | N                 | N             | N                  | N                   | Y

If you are already registered in the CMS VO with a different certificate

If you have recently obtained a new certificate but you were already registered in the CMS VO with an old certificate, please read also these instructions. This is the case, for example, if you got a new CERN certificate from the new CERN CA but you had already a certificate from the old CERN CA. Basically, what you have to do in this case is to add a new certificate to your entry in the CMS VO.

Special instructions for US-CMS users

All members should sign up for the /cms/uscms group. Further, you can select your role in the group from cmsfrontier, cmsphedex, cmsprod, cmssoft, cmst2admin and cmsuser. If you do not know your role, then your default role should be cmsuser. For any question, contact Vijay Sekhri.

CERN Human Resources registration

To check if you are already registered, follow these steps:

  1. go to http://graybook.cern.ch/ExperimentSearch.html;
  2. select CMS as experiment, enter your family name and click search;
  3. if you find yourself, then you are already registered; otherwise, you need to register;
  4. if the generic e-mail and the physical e-mail are both <none>, please follow the advice on this page or write to Cms.People@cern.ch and ask for your preferred e-mail address to be defined as physical e-mail address. The registration to the CMS VO cannot proceed until this is done.

To register in the CERN HR database:

  1. complete this web pre-registration form;
  2. you will then be contacted by the CMS secretariat to fill in the CMS registration form.

You will be contacted by the CMS secretariat to confirm your registration.

Getting an account on a User Interface

A machine with the WLCG commands installed is, by definition, a User Interface (UI). Many institutes have local UIs; at CERN you can login to LXPLUS and source the script

/afs/cern.ch/cms/LCG/LCG-2/UI/cms_ui_env.csh (tcsh)

or

/afs/cern.ch/cms/LCG/LCG-2/UI/cms_ui_env.sh (bash)

To learn how to use the WLCG commands, you should by all means read the gLite 3 User Guide: it explains all the basic concepts and all the commands, and it is full of examples. Here we only note that to issue WLCG commands you must first create a "proxy certificate", valid for 12 hours by default, with the command grid-proxy-init: think of it as a sort of "Grid token", much in the same way you need an AFS token for LXPLUS. For comments or problems with the gLite 3 User Guide, write to <support-eis@cern.ch>.

Technical stuff

The URL of the CMS VOMS server is https://voms.cern.ch:8443/voms/cms/.

The latest LCMAPS configuration in LCG is here.

Troubleshooting

If you are getting an authorisation error when using WLCG commands, the cause can be one of several:

1.  your proxy certificate has expired;
2.  your personal certificate has expired;
3.  the certificate of your CA has expired;
4.  the Certificate Revocation List of your CA has expired;
5.  you have renewed your certificate but you are still using your OLD private key.

You are not supposed to be able to recognize the nature of the problem (apart from the first two cases, which are trivial), so in case you need help, send a ticket to the Global Grid User Support.

If there is any problem with your data in the CERN HR database, go to this page.

For problems, contact the CMS User Support.