[PDC Center for High Performance Computing]

Some notes on the computing environment

Adding grid tools to the environment

The first time you log in, you need to run the command /info/grid03/course-init, which performs some KTH-specific setup of your environment. In effect it:

  1. Defines the environment variable GLOBUS_LOCATION
  2. Sources the file $GLOBUS_LOCATION/etc/globus-user-env.{sh,csh} (one or the other, depending on which shell you run)
  3. Defines the environment variable NORDUGRID_LOCATION
  4. Adds the directory $NORDUGRID_LOCATION/bin to your PATH.

After you have run this command, please log out and log in again to ensure that the changes take effect.
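For reference, the four effects listed above can be reproduced by hand in a Bourne-style shell as follows. This is an added example and not the /info/grid03/course-init script itself; the installation roots passed to setup_grid_env are placeholders, since the real ones are whatever course-init chooses on the PDC hosts. It differs from a plain copy of the list in one respect: the PATH addition is idempotent, so sourcing it from a login file more than once does not grow PATH without bound.

```sh
#!/bin/sh
# Added example, not the PDC course-init script. Reproduces the four
# environment changes described above for sh/bash/ksh. Install roots
# are assumptions; pass the real ones as arguments.

# Append a directory to PATH only if it is not already present.
add_to_path() {
    case ":$PATH:" in
        *":$1:"*) ;;                 # already on PATH, nothing to do
        *) PATH="$PATH:$1" ;;
    esac
    export PATH
}

# Set up the grid tools. $1 = Globus install root, $2 = NorduGrid root.
# Returns 1 (and adds nothing to PATH) if the Globus user environment
# file cannot be found, so a misconfiguration is noticed immediately.
setup_grid_env() {
    GLOBUS_LOCATION="$1"
    export GLOBUS_LOCATION

    # globus-user-env.sh puts the Globus commands on PATH and sets a
    # few more variables; without it the grid commands will not work.
    if [ -r "$GLOBUS_LOCATION/etc/globus-user-env.sh" ]; then
        . "$GLOBUS_LOCATION/etc/globus-user-env.sh"
    else
        echo "warning: $GLOBUS_LOCATION/etc/globus-user-env.sh not found" >&2
        return 1
    fi

    NORDUGRID_LOCATION="$2"
    export NORDUGRID_LOCATION
    add_to_path "$NORDUGRID_LOCATION/bin"
}

# Stand-alone use: the roots below are placeholders, override them in
# the environment (GLOBUS_ROOT, NORDUGRID_ROOT) or source this file and
# call setup_grid_env yourself.
setup_grid_env "${GLOBUS_ROOT:-/opt/globus}" "${NORDUGRID_ROOT:-/opt/nordugrid}" || true
```

csh users need the equivalent setenv/source lines with globus-user-env.csh instead; the check that the file exists before sourcing it applies there too.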

Acquiring grid credentials

The command /info/grid03/get-creds will fetch pre-issued grid credentials for you and install them properly in your home directory. In real life, you would have to run the command grid-cert-request and follow its instructions (which means, among other things, sending the request file to the Certification Authority, CA, and waiting for the signed certificate to come back).

The files to remember are:

  • userkey.pem - the private part of the key pair that identifies you. Although it is stored encrypted under a pass-phrase, it must also be protected by UNIX file permissions so that no other user can read it.
  • usercert.pem - the certificate that binds the public part of the same key pair to an identity (you). This file contains only public information and can be distributed freely.

NOTE: have the pass-phrase for your grid credentials ready at hand, as the program will ask you to change it. The pass-phrase will be handed out to you.
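The following added check verifies that the two files ended up with the protection described above. It is not part of the PDC get-creds script. It assumes the Globus default location ~/.globus for the credentials (the notes say only "your home directory"); pass another directory as the first argument if yours differ. Besides the key's mode it also checks that the key really is pass-phrase encrypted and that neither the certificate nor the directory is writable by other users, since a writable certificate or directory would let someone swap in a different identity.

```sh
#!/bin/sh
# Added example, not part of PDC's get-creds. Checks that installed
# grid credentials are protected as described above. The default
# directory ~/.globus is the usual Globus location and an assumption.

# Group and other permission bits of a file as the 6-character string
# taken from ls -l, e.g. "------" for mode 0600, "r--r--" for 0644.
# ls is used rather than stat because stat's options differ between
# GNU and BSD systems.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Check one credentials directory. Returns 0 if all is in order and 1
# otherwise; every problem is reported on stderr with the fix.
check_grid_creds() {
    dir=${1:-$HOME/.globus}
    key="$dir/userkey.pem"
    cert="$dir/usercert.pem"
    status=0

    if [ ! -f "$key" ]; then
        echo "missing private key $key" >&2
        return 1
    fi
    if [ ! -f "$cert" ]; then
        echo "missing certificate $cert" >&2
        return 1
    fi

    # The private key must be readable by its owner only; the Globus
    # tools refuse to use a key that is readable by group or others.
    if [ "$(group_other_bits "$key")" != "------" ]; then
        echo "$key is accessible to other users; run: chmod 600 $key" >&2
        status=1
    fi

    # The key must also be encrypted under the pass-phrase. Both the
    # traditional PEM header (Proc-Type: 4,ENCRYPTED) and the PKCS#8
    # header (BEGIN ENCRYPTED PRIVATE KEY) contain the word ENCRYPTED.
    if ! grep -q ENCRYPTED "$key"; then
        echo "$key is not pass-phrase protected" >&2
        status=1
    fi

    # The certificate is public, but only you should be able to replace it.
    case $(group_other_bits "$cert") in
        *w*) echo "$cert is writable by other users; run: chmod 644 $cert" >&2
             status=1 ;;
    esac

    # Likewise the directory, or the files themselves could be replaced.
    case $(group_other_bits "$dir") in
        *w*) echo "$dir is writable by other users; run: chmod 755 $dir" >&2
             status=1 ;;
    esac

    return $status
}

# Stand-alone use: ./check-creds.sh [directory]
if [ $# -gt 0 ]; then
    check_grid_creds "$1"
fi
```

Run it once right after get-creds, and again after you have changed the pass-phrase, since the rewritten key file keeps whatever mode the tool gave it.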

A word on Kerberos

We use Kerberos for local and remote authentication. If you do not have Kerberos clients on your local machine, we distribute what we call the Kerberos Travelkit, which should be installed on your local machine before you log in to NADA/PDC.

We do not run ssh, which you may have encountered in other computing environments. Instead we run a kerberized telnet that uses a so-called ticket to authenticate you to the remote system. Various applications can then in turn use the ticket to authenticate as you when needed.

Acquiring a Kerberos ticket

The Kerberos ticket is acquired in a secure way on the local machine (usually via the command kinit or kauth, depending on the implementation) before a connection to the remote system is opened.

    kinit <username>@NADA.KTH.SE

will create the ticket on your local machine. <username> is your account name at NADA/PDC. Note that the "domain" name (the Kerberos realm) should always be NADA.KTH.SE, even if you plan to connect to a pdc.kth.se host.

The ticket is time-stamped and only valid for a certain period (usually 12 or 24 hours). The option -l <time> (lowercase L) can be given to kinit to request a non-default lifetime for the ticket (up to a week). The argument <time> can be either an integer (seconds) or a more human-readable string such as 1h for one hour or 3d for three days.

Logging in from a remote machine

    telnet -l <username> computer.pdc.kth.se

As a security measure, a ticket is bound to the machine it was created on, so it cannot be used from any other machine. As your home directory is mounted on AFS, which in turn uses Kerberos to validate a user's access rights, you MUST create a ticket on the remote machine as well, after you have logged in; otherwise you will only be able to read the publicly accessible files in your home directory.

The -l <username> option is necessary if your user name at NADA/PDC differs from the user name you are currently running as on your local host.
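The steps of this section in one small login helper, as an added example that is not a PDC-supplied script: it validates the requested lifetime against the one-week maximum, obtains the ticket on the local machine with the realm fixed to NADA.KTH.SE, confirms that a valid ticket is actually present before opening the connection, and only then runs the kerberized telnet with -l. It assumes MIT or Heimdal Kerberos clients (kinit, klist) and a kerberized telnet on the local machine; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not a PDC script: local-machine login helper for the
# kinit + kerberized telnet procedure described above. Assumes MIT or
# Heimdal kinit/klist and a kerberized telnet on PATH.

REALM=NADA.KTH.SE
MAX_LIFETIME=604800   # one week in seconds, the maximum given above

# Convert a kinit -l argument (plain seconds, or a number followed by
# s, m, h or d) to seconds. Rejects malformed values and anything over
# a week, since the notes give a week as the upper bound.
lifetime_seconds() {
    n=${1%[smhd]}        # numeric part
    unit=${1#"$n"}       # optional unit suffix, empty means seconds
    case $n in
        ''|*[!0-9]*) echo "invalid lifetime: $1" >&2; return 1 ;;
    esac
    case $unit in
        ''|s) mult=1 ;;
        m)    mult=60 ;;
        h)    mult=3600 ;;
        d)    mult=86400 ;;
    esac
    secs=$((n * mult))
    if [ "$secs" -gt "$MAX_LIFETIME" ]; then
        echo "lifetime $1 exceeds the one-week maximum" >&2
        return 1
    fi
    echo "$secs"
}

# Obtain a ticket locally, verify it, then log in.
# $1 = PDC user name, $2 = host, $3 = ticket lifetime (default 12h).
pdc_login() {
    user=$1
    host=$2
    life=${3:-12h}
    lifetime_seconds "$life" >/dev/null || return 1

    # The ticket is created on the local machine before connecting, and
    # the realm is always NADA.KTH.SE regardless of the target host.
    kinit -l "$life" "$user@$REALM" || return 1

    # klist -s is silent and exits 0 only if a valid ticket is present
    # (both MIT and Heimdal support it).
    if ! klist -s; then
        echo "kinit succeeded but no valid ticket is present" >&2
        return 1
    fi

    # -l passes the PDC user name, which may differ from the local one.
    exec telnet -l "$user" "$host"
}

# Stand-alone use: ./pdc-login.sh <username> <host> [lifetime]
if [ $# -ge 2 ]; then
    pdc_login "$@"
fi
```

Remember that this ticket only authenticates the telnet session: once logged in, run kinit again on the PDC host so that AFS will let you at the non-public parts of your home directory.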

Additional information

See http://www.pdc.kth.se/support/kerberos5-tour.html for additional details. For pointers to background information, see http://www.pdc.kth.se/support/tours.html.


$Author: mulmo $, $Date: 2003/08/18 10:34:46 $