
4 Accessing DEISA Door Nodes using gsissh

For security and administrative reasons, not all DEISA sites are open worldwide for access via either gsissh or ssh. In most cases, gsissh (as well as gridFTP services) is only available on the private DEISA network. A few DEISA sites provide access to gsissh (and gridFTP) from the public Internet: we call them Door Nodes. Figure 1 shows that there can be different Door Nodes for different services. In this section, we explain how to access a DEISA Door Node from your local workstation.

Figure 1: DEISA door nodes for gsissh and gridFTP providing access from the public Internet.

4.1 GSISSH-Term

GSISSH-Term is a Java based terminal client application for accessing the Grid, created by the UK's NGS. It supports the use of grid certificates for authentication. Since this application is written in Java, it is supported on most platforms (e.g. Windows, Mac and Linux). DEISA provides a customised version of GSISSH-Term which includes DEISA users' customisations and additional bug fixes.

4.2 Preparing for GSISSH-Term

Setting up Grid Certificates

Users have to place the required grid certificates (CA certificates and personal certificates) in the right locations on their machine before they can access DEISA's grid. Please follow these steps:

  • Ensure that your grid certificates (usercert.pem and userkey.pem) are in the ".globus" folder in your home directory. For Linux/Unix users, the ".globus" folder should be in $HOME. For Windows users (for more information, please refer to the section "Hints"), the ".globus" folder should be in %HOMEPATH%.
    Hint: Please ensure that your certificate and private key are named "usercert.pem" and "userkey.pem" respectively.
  • The DEISA customised version of GSISSH-Term automatically retrieves the required CA certificates from the server and installs them into the appropriate local folders. As such, users do not have to set up the CA certificates themselves.

Setting up Java

Since GSISSH-Term is a Java based application, you will need Java Runtime Environment (JRE) 1.5 or higher installed. You should also install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files", which are not included in the default distribution of the JRE due to import control restrictions. Please download the files from the following links:

Extract the two jar files, "local_policy.jar" and "US_export_policy.jar", and copy them to

  • {JRE_HOME}/lib/security

Note that this folder already contains files with the same names but different content. This is because the JRE supports by default up to 512 bit security; JCE provides additional support for 1024 bits.

4.3 GSISSH-Term as a Java webstart application

Before continuing, you should have set up your grid certificates and Java. If you have not done so, please refer to the previous section "Preparing for GSISSH-Term" before proceeding any further.

To install and start GSISSH-Term via Java Web Start, please click on this link and open it with Java webstart (javaws).

For your security, the GSISSH-Term webstart application is signed with 2 certificates. A "Warning - Security" window, similar to the one shown here, will be displayed.

Figure 2: GSISSH-Term digital signature security window

To verify that you are indeed using and downloading the version from DEISA (hosted at LRZ), please click on the "More Information ..." link. Depending on the version of Java you are using, the user interface may differ slightly. Another window will appear; please click on the "Certificate Details ..." link. Verify that the certificate information is as follows:

Issuer: CN=DFN-Verein PCA Grid - G01, OU=DFN-PKI, O=DFN-Verein, C=DE
Subject: CN=Siew Hoon Leong, OU=Leibniz-Rechenzentrum, O=GridGermany, C=DE

The second certificate prompt will ask you to accept a certificate from "The Legion of the Bouncy Castle".

Figure 3: Bouncy Castle digital signature security window

To verify, make sure that the certificate information is as follows:

Issuer: CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
Subject: CN=The Legion of the Bouncy Castle, OU=Java Software Code Signing, O=Sun Microsystems Inc

You should see the following window when GSISSH-Term is initiated successfully.

Figure 4: GSISSH-Term main window

For instructions on how to use GSISSH-Term, proceed to the section "Using GSISSH-TERM" below.

4.4 GSISSH-Term as a web browser applet

Before continuing, you should have set up your grid certificates and Java. If you have not done so, please refer to the previous section "Preparing for GSISSH-Term" before proceeding any further.

For new users who would simply like to try GSISSH-Term and get an idea of how it looks and how it works, you can start GSISSH-Term as a browser applet. All you need to do is to open this link in your web browser. You should see the following window when GSISSH-Term is initiated successfully.

Figure 5: GSISSH-Term as a web browser applet

For instructions on how to use GSISSH-Term, proceed to the section "Using GSISSH-Term" below.

4.5 Using GSISSH-Term

To create a new connection, select "File → New Connection" or the shortcut icon "Create a New Connection" (first icon from the left). The following window will be displayed:

Figure 6: Connect to host dialog

Now, you can simply enter the host name of one of the DEISA gsissh Door Nodes in the textbox "Host to Connect to:" and click on the "Ok" button. The following table shows the door nodes in DEISA which offer access from the public Internet. For direct access to LRZ, the IP number of the external PC must first be registered (please submit a request to the DEISA Helpdesk service).

Table 2: Door nodes in DEISA

SITE                   Hostname                     Port
CINECA                 grid.sp6.cineca.it           2222
SARA                   p6012.huygens.sara.nl        2222
LRZ (with firewall)    a01.hlrb2.lrz-muenchen.de    2222
RZG                    vip.rzg.mpg.de               2222

Note: If your Home site or Execution sites are not offering public gsissh access, you can access the required site from one of the door node sites via gsissh hops. A description on how to do that is available in the next section "Using GSISSH-Term in DEISA environment".

For users who are accessing multiple DEISA accounts via a single user certificate, you can configure which account to log in to by clicking on the "Advanced" button. The "Connection Profile" window will be opened. Select the "Host" tab. By default, the "Username" textbox is left empty. If you want to log in to a specific account that you own, fill in the "Username" textbox. You can leave the rest of the options as they are.

Figure 7: Connection Profile window

Now, select the "Connect" button.

You will be prompted to enter your "Grid Certificate Passphrase". Enter the passphrase of your grid certificate and click "Ok" or hit the "Enter" key of your keyboard.

Figure 8: Enter your grid certificate passphrase dialog

If you do not have your *.pem files and are using the grid certificate imported into your browser instead, you will be prompted to select the web browser where your grid certificate is imported. On Linux, only Firefox/Mozilla is supported. On Windows, Firefox/Mozilla and Internet Explorer are supported. On Mac OS X, Safari and Chrome are supported via Keychain Access (only in the DEISA customised version).

Figure 9: Web browser selection for authentication

In the case of Mozilla/Firefox, please enter your Mozilla/Firefox master password as your certificate store passphrase and select the "Ok" button.

Figure 10: Mozilla/Firefox certificate store

In the case of Safari/Chrome on Mac OS X via Keychain Access, if your certificate is not locked, you should be prompted with the following window. Select either "Allow" or "Always Allow" based on your personal preference. If your certificate is locked, an additional dialog will prompt you for the password to unlock the relevant keychain in Keychain Access.

Figure 11: Mac OS X security warning window

If both authentication methods mentioned above are unavailable or unsuccessful, you can also access the grid resource via your *.p12 keystore file. In the following window, in the section "Use a Grid certificate in pkcs12 format:", you will be asked to specify the location of your pkcs12 keystore file: click the "Browse" button and select the keystore file. Enter the keystore passphrase in the "Passphrase" textbox and select the "Use Certificate" button.

Figure 12: Grid certificate/proxy needed for authentication

You should now be logged on to the door node:

Figure 13: Welcome screen upon successful login

4.6 Using GSISSH-Term in DEISA environment

To set up the proper DEISA and Globus environment, you have to load two modulefiles:

module load deisa
module load globus

Alternatively, both modules can be loaded using the following sequence:

module load deisa globus

Only after issuing the “module load globus” command will you have access to the Globus client commands, such as gsissh. Other vital parameters that are needed to work with Globus are also set by “module load globus”, thus Globus commands will only work properly after this modulefile is loaded.

If the door node you used is not your Execution Site, then you have to use gsissh from the door node to the Execution Site via the internal DEISA network. This can be done very easily using the program deisa_service[4] (using the correct kind of inverted commas is essential!):

gsissh `deisa_service -i -s <execution site>`

For example, if SARA is the target, the command is:

gsissh `deisa_service -i -s sara`

If you are not sure whether an Execution Site supports the service you require, you can also call deisa_service directly on the command line. If the service is not available, you will be notified:

deisa_service -e -s <execution site>

Simply invoke

deisa_service

to obtain a list of valid options and their meaning.
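The backtick form above runs gsissh with whatever deisa_service printed, so if the lookup fails or prints nothing, gsissh is started with no host at all. As an added example (not part of the original DEISA documentation), the following POSIX shell functions perform the same hop but check the lookup result first and remind the user to load the modulefiles when gsissh is not on the PATH. The DEISA_SERVICE_CMD and GSISSH_CMD variables are assumptions of this example (they default to the real commands named on this page) so that the logic can be exercised without a DEISA login; the flags passed to deisa_service are exactly those shown above.

```shell
#!/bin/sh
# Added example: hop from a door node to an Execution Site via deisa_service,
# failing closed when the internal host cannot be resolved.
# DEISA_SERVICE_CMD and GSISSH_CMD are assumptions of this example; they
# default to the real commands and exist only so the functions can be tested.
DEISA_SERVICE_CMD=${DEISA_SERVICE_CMD:-deisa_service}
GSISSH_CMD=${GSISSH_CMD:-gsissh}

# resolve_site SITE
# Prints the internal gsissh host for SITE (e.g. "sara") on stdout.
# Returns 2 on a missing argument and 1 when deisa_service fails or
# prints nothing, so the caller never runs gsissh with an empty host.
resolve_site() {
    site=$1
    if [ -z "$site" ]; then
        echo "resolve_site: site acronym required (e.g. sara)" >&2
        return 2
    fi
    # -i selects the internal DEISA network, -s the gsissh service, as on this page
    host=$("$DEISA_SERVICE_CMD" -i -s "$site") || {
        echo "resolve_site: deisa_service failed for '$site'" >&2
        return 1
    }
    if [ -z "$host" ]; then
        echo "resolve_site: deisa_service returned no host for '$site'" >&2
        return 1
    fi
    printf '%s\n' "$host"
}

# deisa_hop SITE
# Resolves SITE and opens a gsissh session to it; the proxy credential is
# forwarded by gsissh itself, so no passphrase prompt is expected here.
deisa_hop() {
    host=$(resolve_site "$1") || return $?
    if ! command -v "$GSISSH_CMD" >/dev/null 2>&1; then
        echo "deisa_hop: $GSISSH_CMD not found; run: module load deisa globus" >&2
        return 127
    fi
    "$GSISSH_CMD" "$host"
}

# Usage on a door node after "module load deisa globus":
#   deisa_hop sara
```

Because resolve_site prints the host only after validating it, the same function can be reused for gsiscp or globus-url-copy targets without repeating the checks.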

gsissh (and gsissh-TERM) automatically transfer your proxy credentials (a short-lived copy of your credentials) to the target system, so that you do not have to type your passphrase a second time when using gsissh on the target machine to log into another remote machine. There is also no need to put your credentials (usercert.pem and userkey.pem) directly on any DEISA machine. For security reasons it is advisable to keep the userkey.pem file only on your private, local workstation. $HOME file systems (or the $HOME/.globus directory) on DEISA supercomputers may be mounted via NFS and storing your private key on an NFS file system may violate the policy of the Certification Authority that issued your personal certificate.


[1] If you only have your keystore file cert.p12 (as used by UNICORE), then you can use the cert.p12 file instead, however, it must not contain CA certificates, only your key and your public certificate. Your keystore passphrase should only contain printable ASCII characters. If you experience difficulties using your keystore file, use your *.pem files instead.

[2] A word of caution: on networked Windows systems we observed that a different location on a shared drive is sometimes used. The exact path depends on the specifics of the respective local installation. In case of problems, please report them to the DEISA Helpdesk service.

[3] See http://www.deisa.eu/usersupport/user-documentation/faq/CertificatesFAQ

[4] Using deisa_service without parameters produces a short help screen:

deisa_service <network flag> <service flag> <site>

where the network flag distinguishes internal private DEISA network and external public Internet, the service flag identifies the Globus service, e.g., gsissh, gridftp or WS-GRAM, and the site acronym names the Execution Site.

4.7 Hints

  • To check Java version, in your Linux/Unix/OS X terminal or Windows command prompt, please use the following command:
    java -version
  • To create a ".globus" directory in Windows, simply use the following command in your command prompt:
    md .globus
    or
    mkdir .globus
  • For your security, it is encouraged that you modify the access rights of your ".globus" directory and PEM certificates as follows:
    Unix/Linux/OS X:
    chmod 700 ~/.globus
    chmod 400 ~/.globus/*.pem
  • Please use only printable ASCII characters for your certificate (keystore) passphrase. If you have used unprintable characters, please change your passphrase and replace your "userkey.pem" with the following commands on a Unix/Linux/OS X machine:
    mv userkey.pem userkey.pem.old
    openssl rsa -in userkey.pem.old -des3 -out userkey.pem
  • To convert your "userkey.pem" and "usercert.pem" to pkcs12 format, use the following command on a Unix/Linux/OS X machine:
    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out keystore.p12
  • To convert your pkcs12 keystore (e.g. keystore.p12) to PEM format, use the following commands on a Unix/Linux/OS X machine:
    openssl pkcs12 -in keystore.p12 -out usercert.pem -clcerts -nokeys
    openssl pkcs12 -in keystore.p12 -out userkey.pem -nocerts
  • If you notice strange characters while using the delete and/or backspace keys on some machines, e.g. IBM AIX OS, in your shell, you can set your "$HOME/.inputrc" as follows:
    "\e[3~": delete-char
    # this is actually equivalent to "\C-?": delete-char
    # VT
    "\e[1~": beginning-of-line
    "\e[4~": end-of-line
    # kvt
    "\e[H":beginning-of-line
    "\e[F":end-of-line
    # rxvt and konsole (i.e. the KDE-app...)
    "\e[7~":beginning-of-line
    "\e[8~":end-of-line
    More information is available at the following site.
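As an added example (not part of the original DEISA documentation), the following POSIX shell function checks in one go the ".globus" layout required in "Preparing for GSISSH-Term" (usercert.pem and userkey.pem present under that exact name) and the access rights recommended in the hints above (directory 700, PEM files 400). It also flags a userkey.pem that carries no ENCRYPTED marker, i.e. a private key stored without a passphrase, since such a key is usable by anyone who can read the file. It is written for Unix/Linux/OS X; the directory argument is the only input and the function returns the number of problems found, so 0 means everything is in order.

```shell
#!/bin/sh
# Added example: verify a .globus directory against the layout and permissions
# recommended on this page. Prints one line per problem and returns the count.
# check_globus_dir DIR     (e.g. check_globus_dir "$HOME/.globus")
check_globus_dir() {
    dir=$1
    problems=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir (create it and place usercert.pem and userkey.pem there)"
        return 1
    fi
    # "ls -ld" prints e.g. "drwx------ ..."; characters 2-10 are the mode bits,
    # which is portable across GNU, BSD and busybox ls (unlike stat's flags).
    dmode=$(ls -ld "$dir" | cut -c2-10)
    if [ "$dmode" != "rwx------" ]; then
        echo "$dir is $dmode, expected rwx------ (run: chmod 700 $dir)"
        problems=$((problems + 1))
    fi
    for f in usercert.pem userkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing file: $dir/$f (GSISSH-Term expects exactly this name)"
            problems=$((problems + 1))
            continue
        fi
        fmode=$(ls -l "$dir/$f" | cut -c2-10)
        if [ "$fmode" != "r--------" ]; then
            echo "$dir/$f is $fmode, expected r-------- (run: chmod 400 $dir/$f)"
            problems=$((problems + 1))
        fi
    done
    # A passphrase-protected PEM key carries an ENCRYPTED marker in its header
    # ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
    if [ -f "$dir/userkey.pem" ] && ! grep -q ENCRYPTED "$dir/userkey.pem"; then
        echo "$dir/userkey.pem does not look passphrase-protected"
        problems=$((problems + 1))
    fi
    return $problems
}
```

Run it as `check_globus_dir "$HOME/.globus"` before starting GSISSH-Term; a non-zero return with no output only happens when the directory itself is missing. On Windows the directory lives under %HOMEPATH% and the chmod hints do not apply, so this check is not meant for that platform.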