STEP 1: Upload your identity in the browser

If you do not have a certificate you can either request one from the DOEGrids or you can use your Fermilab Kerberos principal.

Uploading the X509 certificate into the browser

You can find documentation on how to load your certificate into the browser at several places on the web. These instructions are browser specific and may vary from browser to browser. You can also find these instructions for commonly used browsers at the bottom of the page http://computing.fnal.gov/security/pki/Get-Personal-DOEGrids-Cert.html under the section "Importing your Certificate into a Browser, and Exporting it to the File System"

Uploading the Kerberos credentials into the browser

For instructions on converting your Kerberos ticket to an X509 certificate and uploading it into your browser can be found at http://security.fnal.gov/pki/Get-KCA-Cert.html

Testing if the certificate upload in the browser was successful

To check if you have successfully loaded the certificate in the browser follow the instructions on the page http://computing.fnal.gov/security/pki/browsercerttest.html

"/DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Parag A. Mhashilkar/USERID=parag"

STEP 2: Fill in the VO registration form

For users not registered with DZero VOMS

Fill the form for New user at Dzero VO registration page.

Note: If you have multiple certificates please enroll only one certificate first. Get the registration approved and you can later add more certificates to your registration.

Additional information about the individual fields you need to modify on the form are explained below. Keep the remaining fields to defaults -

• DN: If your CA is trusted by the Dzero VO the registration page should show the DN you want to register at the bottom of the page. This is the second last line on the page and should look something like -
  

  You are logged in as /DC=org/DC=doegrids/OU=People/CN=Parag Mhashilkar 209917.

  The DN in this example is "/DC=org/DC=doegrids/OU=People/CN=Parag Mhashilkar 209917"
• SN: This is Serial Number available of the certificate. This information is available in the certificate. If you are not sure about this info you can leave this field blank.
• CA: Select the CA from the drop-down list who issued the certificate. This is the last line on the page and should look something like -
  

  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1

• Email Address: Please make sure you verify that the email address is correct. All the future communication regarding your registration will be sent to this email.
• Select institution: Select the institution you belong to. If your institution is not listed below please email the VO admins
• Select representative: Select the DN of the representative to whom you are personally known or as instructed by your institution. Unless and otherwise instructed by your site/institution, you should always select the following representative -

  "/DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Alan M. Jonckheere/USERID=jonckheere"

• Grid job submission rights: If you will be submitting grid jobs select "Full" else select "None"
• Fill in your Personal Information like, First name, last name, Phone in the relevant fileds.
• Sam User: This is your userid on whose behalf all the SAM commands will be executed. In most cases this is your Fermilab userid.

For users registered with DZero VOMS/To add another certificate

Make sure that you have your approved certificate loaded in the browser. This is the certificate which is registered with VOMS found from step 1. above. To register new DN you don't need to load the new certificate in the browser. Expand the menu on the left hand side. Click Member Info -> Certificates -> Add Certificate. Fill the form to Add a new certificate. Enter your First name and Last name in the search criteria and click the "Search" button. This should list your registration entry with options to add your new DN. Enter the following information in the fields (see above for the description of these fields) -

1. New DN
2. New SN
3. New CA

Click the "Submit" button. Repeat this process for the number of additional certificates you want to add.

For users registered with DZero VOMS/To update the Personal Info and Email address

Expand the menu on the left hand side. To update the personal information Click Members -> Edit Personal Info or to edit the email address Click Memebers -> Change Email Address Press the Search button to display your information. Make the required changes and press Submit to submit the changes.

Instructions for Site Admins

In the configuration below we assume the user jobs will run as user "samgrid". This may vary from site to site.

Client Configuration

The contents of vomses file for the Dzero VO

"dzero" "voms.fnal.gov" "15002" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "dzero"

This file can be installed in ~/.edg/vomses with permissions of 0644

Configuration for edg-mkgridmap

Following lines need to be added to the edg-mkgridmap.conf. If you are using VDT, these lines should go in $VDT_LOCATION/edg/etc/edg-mkgridmap.conf

1. Services:

group vomss://voms.fnal.gov:8443/voms/dzero?/dzero/services sam

2. Users:

group vomss://voms.fnal.gov:8443/voms/dzero?/dzero/users samgrid

Configuration for GUMS

Use the following configuration if you want to generate grid-mapfiles from GUMS

1. Services:

<groupMapping name='dzero-voms' accountingVo='dzero' 
accountingDesc='DZERO'>
   <userGroup
      className='gov.bnl.gums.VOMSGroup'
      url='https://voms.fnal.gov:8443/voms/dzero/services/VOMSAdmin'
      persistenceFactory='mysql'
      name='dzeroservice-voms'
      voGroup="/dzero/services"
      sslCertfile='/etc/grid-security/http/httpcert.pem'
      sslKey='/etc/grid-security/http/httpkey.pem'
      ignoreFQAN="false" />
   <accountMapping
      className='gov.bnl.gums.GroupAccountMapper'
      groupName='sam' />
</groupMapping>

2. Users:

<groupMapping name='dzero-voms' accountingVo='dzero' 
accountingDesc='DZERO'>
   <userGroup
      className='gov.bnl.gums.VOMSGroup'
      url='https://voms.fnal.gov:8443/voms/dzero/services/VOMSAdmin'
      persistenceFactory='mysql'
      name='dzerouser-voms'
      voGroup="/dzero/users"
      sslCertfile='/etc/grid-security/http/httpcert.pem'
      sslKey='/etc/grid-security/http/httpkey.pem'
      ignoreFQAN="false" />
   <accountMapping
      className='gov.bnl.gums.GroupAccountMapper'
      groupName='samgrid' />
</groupMapping>

VO Administrators/Representatives Instructions

VO Administrators/Representatives should make sure that they are subscribed to all the relevant events regarding the user registrations. To find the list of events you can subscribe to click on the "Subscription" link in the menu on the left. Subscribing to relevant events will make sure that you will always be notified via email whenever the particular event occurs.

Once the user submits the registration request Admins/Representatives are required to approve the request. If you are subscribed to the relevant event you should get an email notifying about the new registration that is awaiting approval.

To approve users without a Fermilab ID

Users who use Fermilab resources are required to have a valid Fermilab ID. However some users do their computing on resources other than those at Fermilab. In such cases, users who do not have Fermilab ID, can become a member the Dzero VO. In such cases VO Admins/Representatives should seek an approval from Amber Boehnlein (via email/phone) informing her about the request. VO Admins can use Comments/Reasons field in the User Approval Form, to note such special cases.

To update the Personal Info or Email addresses

Follow the same "Users" instructions except that, being a VO-Admin you can see all or filter selected few user entries based on the search criteria.

Additional Documentation

You can find additional documentation or help regarding the VOMRS registration at VOMRS Help Page

Contacting Dzero VO Admin

If you have queries please send an email to the Dzero VO Admin