Proxy Certificates

Created by CMS Connect Editors
Last updated: Dec 11, 2020

You will need a valid VO CMS proxy certificate in order to be able to submit jobs via CMS Connect. If you don't have a valid grid CMS user certificate, follow Section 5.1 of the CMS Offline WorkBook.

  • If you already have a valid VO CMS signed user grid certificate installed another remote machine like lxplus.cern.ch (usually in ~/.globus/{usercert.pem, userkey.pem}) you can simply copy them to the CMS Connect login machine. Just execute the following command from login-el7.uscms.org and enter the username and password to access that remote machine.

$ copy_certificates 

			=================================================================================

			This script checks if you have globus certificates or lets you
			copy them from another machine otherwise (default: lxplus.cern.ch)
			NOTE: New certificates need to be requested first. Follow this Twiki for that:

			https://twiki.cern.ch/twiki/bin/view/CMSPublic/WorkBookStartingGrid#ObtainingCert
			=================================================================================


Check for certificates in /home/yourusername/.globus

...

Couldn't find any certificates.
Copying certificates from another machine
Note: This requires certificates to be under the standard $HOME/.globus location
...

Enter hostname of machine to login: lxplus.cern.ch
Enter username for lxplus.cern.ch: yourusername

Warning: Permanently added the RSA host key for IP address '188.184.70.205' to the list of known hosts.

Password: 

usercert.pem                                                                                                                                                                                                                                              100% 3526     3.4KB/s   00:00    
userkey.pem                                                                                                                                                                                                                                               100% 2009     2.0KB/s   00:01
All Done...
You can execute the following to initialize your proxy: 

voms-proxy-init -voms cms -valid 192:00


Once you have your certificates available on the submission machine, you will need to initialize the proxy with voms-proxy-init. If you don't initialize your proxy certificate by yourself, or the remaining lifetime of such certificate is short, you will be asked to type your GRID pass phrase to automatically renew your certificate while submitting your jobs.

$ condor_submit job_T2_US_Purdue.jdl 

Submitting job(s)
Your voms proxy expires in 516228s. Please renew!

Enter GRID pass phrase:

Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=khurtado/CN=764581/CN=Kenyi Paolo Hurtado Anampa
Creating temporary proxy ......................................................................... Done
Contacting  voms2.cern.ch:15002 [/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch] "cms" Done
Creating proxy .......................................................................................................... Done

Your proxy is valid until Fri Nov 13 12:58:27 2015

..........

10 job(s) submitted to cluster 1101.

Of course, you can also initialize your certificate by hand too. The usual command for getting your grid proxy working is:

voms-proxy-init --voms cms -valid 192:00

where -valid 192:00 is the number of hours your proxy will be alive.