STEP 1: Upload your identity in the browser
If you do not have a certificate you can either request one from the
DOEGrids or you can use your Fermilab Kerberos principal.
Uploading the X509 certificate into the browser
You can find documentation on how to load your certificate into the browser at several places on the web. These instructions are browser specific and may vary from browser to browser. You can also find these instructions for commonly used browsers at the bottom of the page
http://computing.fnal.gov/security/pki/Get-Personal-DOEGrids-Cert.html under the section "Importing your Certificate into a Browser, and Exporting it to the File System"
Uploading the Kerberos credentials into the browser
Instructions for converting your Kerberos ticket to an X509 certificate and uploading it into your browser can be found at
http://security.fnal.gov/pki/Get-KCA-Cert.html
Testing if the certificate upload in the browser was successful
To check if you have successfully loaded the certificate in the browser follow the instructions on the page
http://computing.fnal.gov/security/pki/browsercerttest.html
STEP 1a: Check if you are already registered with DZero VOMS
First, please make sure that you are not already registered with the Dzero VO. Dzero users existing before August 1, 2005 are already registered with the Dzero VO using their KCA subject. Your KCA subject looks like this -
"/DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Parag A. Mhashilkar/USERID=parag"
To verify that you are also registered with the DZero VOMS -
- Go to DZero VOMS
- Type in your last name to look up your entry
If your Grid subject already exists, then you are already registered with the DZero VOMS. To add a new subject, follow the instructions under "For users registered with DZero VOMS/To add another certificate" below. Please make sure that the certificate loaded in the browser is one of the approved certificates registered with the VOMS.
STEP 2: Fill in the VO registration form
For users not registered with DZero VOMS
Fill in the form for a new user at the Dzero VO registration page.
Note: If you have multiple certificates, please enroll only one certificate first. Once the registration is approved, you can add more certificates to it.
The individual fields you need to modify on the form are explained below. Keep the remaining fields at their defaults -
- DN: If your CA is trusted by the Dzero VO, the registration page should show the DN you want to register at the bottom of the page. This is the second-to-last line on the page and should look something like -
You are logged in as /DC=org/DC=doegrids/OU=People/CN=Parag Mhashilkar 209917.
The DN in this example is "/DC=org/DC=doegrids/OU=People/CN=Parag Mhashilkar 209917"
- SN: This is the Serial Number of the certificate. This information is available in the certificate. If you are not sure about it, you can leave this field blank.
- CA: Select the CA that issued the certificate from the drop-down list. This is the last line on the page and should look something like -
/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
- Email Address: Please verify that the email address is correct. All future communication regarding your registration will be sent to this address.
- Select institution: Select the institution you belong to. If your institution is not listed, please email the VO admins.
- Select representative: Select the DN of the representative to whom you are personally known or as instructed by your institution. Unless otherwise instructed by your site/institution, you should always select the following representative -
"/DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Alan M. Jonckheere/USERID=jonckheere"
- Grid job submission rights: If you will be submitting grid jobs, select "Full"; otherwise select "None".
- Fill in your personal information, such as First name, Last name and Phone, in the relevant fields.
- Sam User: This is your userid on whose behalf all the SAM commands will be executed. In most cases this is your Fermilab userid.
For users registered with DZero VOMS/To add another certificate
Make sure that you have your approved certificate loaded in the browser. This is the certificate registered with VOMS, found in step 1 above.
To register a new DN you don't need to load the new certificate in the browser. Expand the menu on the left-hand side. Click Member Info -> Certificates -> Add Certificate.
Fill in the form to add a new certificate.
Enter your First name and Last name in the search criteria and click the "Search" button. This should list your registration entry with options to add your new DN. Enter the following information in the fields (see above for the description of these fields) -
- New DN
- New SN
- New CA
Click the "Submit" button.
Repeat this process for each additional certificate you want to add.
For users registered with DZero VOMS/To update the Personal Info and Email address
Expand the menu on the left-hand side. To update the personal information, click Members -> Edit Personal Info; to edit the email address, click Members -> Change Email Address.
Press the Search button to display your information. Make the required changes and press Submit to submit the changes.
In the configuration below we assume the user jobs will run as user "samgrid". This may vary from site to site.
Client Configuration
The contents of vomses file for the Dzero VO
"dzero" "voms.fnal.gov" "15002" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "dzero"
This file can be installed in ~/.edg/vomses with permissions of 0644.
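The following check for the vomses entry and file mode is an added example, not part of the original page or of any VOMS tooling. The function names are hypothetical, the field labels follow the usual vomses layout (alias, host, port, server certificate DN, VO name), and the host-versus-DN comparison is an added sanity check, not a documented requirement.

```python
import os
import shlex
import stat

# The vomses entry exactly as given on this page.
DZERO_VOMSES = ('"dzero" "voms.fnal.gov" "15002" '
                '"/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "dzero"')
FIELDS = ("alias", "host", "port", "server_dn", "vo")


def parse_vomses_line(line):
    """Split one vomses entry into its five fields and sanity-check them."""
    parts = shlex.split(line)
    if len(parts) != len(FIELDS):
        raise ValueError("expected 5 fields, got %d" % len(parts))
    entry = dict(zip(FIELDS, parts))
    host, port, dn = entry["host"], entry["port"], entry["server_dn"]
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad port: %r" % port)
    # Assumption: the server DN the client will trust should name the
    # same host the client connects to (CN=<host> or CN=<service>/<host>).
    if not dn.startswith("/") or not dn.endswith(("/" + host, "=" + host)):
        raise ValueError("server DN does not name host %s" % host)
    return entry


def check_vomses_file(path):
    """Return a list of problems: wrong file mode or unparsable entries."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o644:
        problems.append("mode is %04o, expected 0644" % mode)
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            if not line.strip():
                continue
            try:
                parse_vomses_line(line)
            except ValueError as exc:
                problems.append("line %d: %s" % (n, exc))
    return problems


def install_vomses(path, line=DZERO_VOMSES):
    """Write the entry to path and set the mode this page asks for."""
    os.makedirs(os.path.dirname(path), mode=0o755, exist_ok=True)
    with open(path, "w") as fh:
        fh.write(line + "\n")
    os.chmod(path, 0o644)
```

Call `install_vomses(os.path.expanduser("~/.edg/vomses"))` once, then run `check_vomses_file` on the same path whenever the file is edited.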
Configuration for edg-mkgridmap
The following lines need to be added to edg-mkgridmap.conf. If you are using VDT, these lines should go in $VDT_LOCATION/edg/etc/edg-mkgridmap.conf
- Services:
group vomss://voms.fnal.gov:8443/voms/dzero?/dzero/services sam
- Users:
group vomss://voms.fnal.gov:8443/voms/dzero?/dzero/users samgrid
Configuration for GUMS
Use the following configuration if you want to generate grid-mapfiles from GUMS
- Services:
<groupMapping name='dzero-voms' accountingVo='dzero'
              accountingDesc='DZERO'>
  <userGroup
    className='gov.bnl.gums.VOMSGroup'
    url='https://voms.fnal.gov:8443/voms/dzero/services/VOMSAdmin'
    persistenceFactory='mysql'
    name='dzeroservice-voms'
    voGroup="/dzero/services"
    sslCertfile='/etc/grid-security/http/httpcert.pem'
    sslKey='/etc/grid-security/http/httpkey.pem'
    ignoreFQAN="false" />
  <accountMapping
    className='gov.bnl.gums.GroupAccountMapper'
    groupName='sam' />
</groupMapping>
- Users:
<groupMapping name='dzero-voms' accountingVo='dzero'
              accountingDesc='DZERO'>
  <userGroup
    className='gov.bnl.gums.VOMSGroup'
    url='https://voms.fnal.gov:8443/voms/dzero/services/VOMSAdmin'
    persistenceFactory='mysql'
    name='dzerouser-voms'
    voGroup="/dzero/users"
    sslCertfile='/etc/grid-security/http/httpcert.pem'
    sslKey='/etc/grid-security/http/httpkey.pem'
    ignoreFQAN="false" />
  <accountMapping
    className='gov.bnl.gums.GroupAccountMapper'
    groupName='samgrid' />
</groupMapping>
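Both the edg-mkgridmap and the GUMS configurations above end in a grid-mapfile that should map Dzero DNs only to the accounts "sam" and "samgrid". The audit below is an added example, not part of the original page or of either tool; the function name and the sample DNs are constructed for illustration, and it assumes the usual grid-mapfile layout of a quoted DN followed by one local account.

```python
import shlex

# Local accounts this page maps the Dzero VOMS groups to.
EXPECTED_ACCOUNTS = {"sam", "samgrid"}

# Constructed sample of a generated grid-mapfile (DNs are made up).
SAMPLE_GRIDMAP = '''\
"/DC=org/DC=doegrids/OU=People/CN=Example User 000001" samgrid
"/DC=org/DC=doegrids/OU=Services/CN=host/node.example.org" sam
"/DC=org/DC=doegrids/OU=People/CN=Example User 000002" root
"/DC=org/DC=doegrids/OU=People/CN=Example User 000001" sam
'''


def audit_gridmap(text, expected=EXPECTED_ACCOUNTS):
    """Return (line_no, dn, message) findings for a grid-mapfile's contents."""
    findings = []
    seen = {}  # DN -> account from its first mapping
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quote
            parts = []
        if len(parts) != 2:
            findings.append((n, None, "malformed entry"))
            continue
        dn, account = parts
        # A DN mapped to an account outside the expected set is the main risk.
        if account not in expected:
            findings.append((n, dn, "unexpected account %r" % account))
        # The same DN mapped to two accounts makes the effective mapping ambiguous.
        if dn in seen and seen[dn] != account:
            findings.append((n, dn, "also mapped to %r on an earlier line" % seen[dn]))
        seen.setdefault(dn, account)
    return findings
```

Run `audit_gridmap(open(path).read())` against the generated file after each regeneration; an empty list means every DN maps to one of the expected accounts.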
VO Administrators/Representatives should make sure that they are subscribed
to all the relevant events regarding the user registrations.
To find the list of events you can subscribe to click on the "Subscription"
link in the menu on the left.
Subscribing to relevant events will make sure that you will always be
notified via email whenever the particular event occurs.
Once the user submits the registration request Admins/Representatives are
required to approve the request.
If you are subscribed to the relevant event you should get an email
notifying you about the new registration that is awaiting approval.
To approve users without a Fermilab ID
Users who use Fermilab resources are required to have a valid Fermilab ID.
However some users do their computing on resources other than those at Fermilab.
In such cases, users who do not have a Fermilab ID can become a member of the Dzero
VO. In such cases VO Admins/Representatives should seek approval from Amber
Boehnlein (via email/phone), informing her about the request.
VO Admins can use the Comments/Reasons field in the User Approval Form
to note such special cases.
To update the Personal Info or Email addresses
Follow the same "Users" instructions except that, as a VO Admin, you can
see all user entries or filter a selected few based on the search criteria.
You can find additional documentation or help regarding the VOMRS registration at
VOMRS Help Page