# Obtaining Login Credentials

## Obtaining Authorization

The computational resources of IT4I are allocated by the Allocation Committee to a Project, investigated by a Primary Investigator (PI). By allocating the computational resources, the Allocation Committee authorizes the PI to access and use the clusters. The PI may authorize a number of her/his Collaborators to access and use the clusters and to consume the resources allocated to her/his Project. These collaborators will be associated with the Project. The figure below depicts the authorization chain:

![](../../img/Authorization_chain.png)

!!! note
    You need to either [become the PI][1] or [be named as a collaborator][2] by a PI in order to access and use the clusters.

The Head of Supercomputing Services acts as the PI of project DD-13-5. By joining this project, you may **access and explore the clusters** and use the software, development environment, and computers via the qexp and qfree queues. You may use these resources for your own education/research; no paperwork is required. All IT4I employees may contact the Head of Supercomputing Services in order to obtain **free access to the clusters**.

## Authorization of PI by Allocation Committee

The PI is authorized to use the clusters by the allocation decision issued by the Allocation Committee. The PI will be informed by IT4I about the Allocation Committee decision.

## Process Flow Chart

This chart describes the process of obtaining login credentials on the clusters. You may skip the tasks that you have already done. Some of the tasks, marked with an asterisk (\*), are clickable and will take you to a more detailed description.

* I am a collaborator on a project and want to obtain login credentials

<div class="mermaid">
graph TB
id10(I am a collaborator on a project and want to obtain login credentials)
id20[Obtain certificate for digital signature]
id10-->id20
id30[EduID organizations from CESNET*]
click id30 "#certificates-for-digital-signatures"
id40[Personal certificate from PostSignum or I.CA]
id50[Free certificate from Comodo*]
click id50 "#alternative-way-to-personal-certificate"
id55[Other trusted certificate]
subgraph ""
id20-->id30
id20-->id40
id20-->id50
id20-->id55
end
id60[Export and save certificate to a file]
id30-->id60
id40-->id60
id50-->id60
id55-->id60
id70[Import certificate into your email client*]
click id70 "#installation-of-the-certificate-into-your-mail-client"
id60-->id70
id80[Send email with request for access to IT4I Support*]
click id80 "#login-credentials"
id70-->id80
</div>

* I am Primary Investigator and I want to allow my collaborators to access my project

<div class="mermaid">
graph TB
id110(I am Primary Investigator and I want to allow my collaborators to access my project)
id120[Obtain certificate for digital signature]
id110-->id120
id130[EduID organizations from CESNET*]
click id130 "#certificates-for-digital-signatures"
id140[Personal certificate from PostSignum or I.CA]
id150[Free certificate from Comodo*]
click id150 "#alternative-way-to-personal-certificate"
id155[Other trusted certificate]
subgraph ""
id120-->id130
id120-->id140
id120-->id150
id120-->id155
end
id160[Export and save certificate to a file]
id130-->id160
id140-->id160
id150-->id160
id155-->id160
id170[Import certificate into your email client*]
click id170 "#installation-of-the-certificate-into-your-mail-client"
id160-->id170
id180[Send email with request for authorization to IT4I Support*]
click id180 "#authorization-by-e-mail-an-alternative-approach"
id170-->id180
</div>

* I am an existing User / Primary Investigator and I want to manage my Projects / Users

<div class="mermaid">
graph TB
id210(I am an existing User / Primary Investigator and I want to manage my Projects / Users)
id220[Log in to extranet.it4i.cz]
id230[Go to Projects section]
id210-->id220
id220-->id230
id240[Submit request to become project member]
id245[Wait for approval from Primary Investigator]
id230-->|User|id240
id240-->id245
id250[Wait for user to submit the request to become project member]
id255[Approve or deny user requests for becoming project members]
id230-->|Primary Investigator|id250
id250-->id255
id240-.->id255
</div>

## Login Credentials

Once authorized by the PI, every person (PI or Collaborator) wishing to access the clusters should contact [IT4I support][a] (E-mail: [support\[at\]it4i.cz][b]) and provide the following information:

1. Project ID
1. Full name and affiliation
1. Statement that you have read and accepted the [Acceptable use policy document][c] (AUP).
1. Attach the AUP file.
1. Your preferred username, minimum 3 and maximum 12 characters long. The preferred username must be associated with your surname and name or be otherwise derived from them. Only alphanumeric sequences and dash signs are allowed.
1. In case you choose the [Alternative way to personal certificate][3], a **scan of photo ID** (personal ID, passport, or driver's license) is required.

!!! warning
    Should the above information be provided by e-mail, the e-mail **must be** digitally signed. Read more on [digital signatures][4] below.

!!! hint
    VSB associates will be given a VSB login username.

Example (except the subject line which must be in English, you may use Czech or Slovak language for communication with us):

```console
Subject: Access to IT4Innovations

Dear support,

Please open the user account for me and attach the account to OPEN-0-0
Name and affiliation: John Smith, john.smith@myemail.com, Department of Chemistry, MIT, US
I have read and accept the Acceptable use policy document (attached)

Preferred username: johnsm

Thank you,
John Smith
(Digitally signed)
```
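
A pre-check that a support desk could run over an incoming access request, covering the items listed above; this is an added example, not IT4I's tooling. The project-ID pattern, the check names and the sample message are assumptions, and the signature test is structural only.

```python
import re
from email import message_from_string, policy

# Username rule from the page: 3 to 12 characters, alphanumerics and dashes only.
USERNAME_RE = re.compile(r"[A-Za-z0-9-]{3,12}")
# Assumption: project IDs are shaped like the page's OPEN-0-0 and DD-13-5.
PROJECT_RE = re.compile(r"\b[A-Z]+-\d+-\d+\b")
SMIME_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def check_access_request(raw):
    """Return the names of the checks that a raw request e-mail fails."""
    msg = message_from_string(raw, policy=policy.default)
    text, attachments = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_filename() and ctype not in SMIME_TYPES:
            attachments.append(part.get_filename())  # the signature blob is not the AUP
        elif ctype == "text/plain" and not text:
            text = part.get_content()
    user = re.search(r"^Preferred username:\s*(\S+)\s*$", text, re.M)
    checks = {
        "subject line": str(msg["Subject"] or "").strip() == "Access to IT4Innovations",
        # Structural test only: the signature still has to be verified against a trusted CA.
        "S/MIME signature": msg.get_content_type() == "multipart/signed"
        and msg.get_param("protocol") in SMIME_TYPES,
        "project ID": bool(PROJECT_RE.search(text)),
        "AUP statement": "acceptable use policy" in text.lower(),
        "AUP attachment": bool(attachments),
        "username": bool(user and USERNAME_RE.fullmatch(user.group(1))),
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample: the page's example wrapped as a detached S/MIME message (placeholder bodies).
SAMPLE = """\
Subject: Access to IT4Innovations
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="sig"

--sig
Content-Type: multipart/mixed; boundary="mix"

--mix
Content-Type: text/plain

Please open the user account for me and attach the account to OPEN-0-0
Name and affiliation: John Smith, john.smith@myemail.com, Department of Chemistry, MIT, US
I have read and accept the Acceptable use policy document (attached)
Preferred username: johnsm
--mix
Content-Type: application/pdf
Content-Disposition: attachment; filename="acceptable-use-policy.pdf"

placeholder
--mix--
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"

placeholder
--sig--
"""
```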

You will receive your personal login credentials by protected e-mail. The login credentials include:

1. username
1. ssh private key and private key passphrase
1. system password

The clusters are accessed by the [private key][5] and username. Username and password are used for login to the [information systems][d].

## Authorization by Web

!!! warning
    **Only** for those who already have their IT4I HPC account. This is a preferred way of granting access to project resources. Please, use this method whenever it's possible.


Log in to the [IT4I Extranet portal][e] using IT4I credentials and go to the **Projects** section.

* **Users:** Please, submit your requests for becoming a project member.
* **Primary Investigators:** Please, approve or deny users' requests in the same section.

## Authorization by E-Mail (An Alternative Approach)

In order to authorize a Collaborator to utilize the allocated resources, the PI should contact [IT4I support][a] (E-mail: [support\[at\]it4i.cz][b]) and provide the following information:

1. Identify your project by project ID
1. Provide a list of people, including yourself, who are authorized to use the resources allocated to the project. The list must include full name, e-mail, and affiliation. Provide usernames as well if the collaborator's login access already exists on the IT4I systems.
1. Include "Authorization to IT4Innovations" in the subject line.

!!! warning
    Should the above information be provided by e-mail, the e-mail **must be** digitally signed. Read more on [digital signatures][4] below.

Example (except the subject line which must be in English, you may use Czech or Slovak language for communication with us):

```console
Subject: Authorization to IT4Innovations

Dear support,

Please include my collaborators to project OPEN-0-0.

John Smith, john.smith@myemail.com, Department of Chemistry, MIT, US
Jonas Johansson, jjohansson@otheremail.se, Department of Physics, RIT, Sweden
Luisa Fibonacci, lf@emailitalia.it, Department of Mathematics, National Research Council, Italy

Thank you,
PI
(Digitally signed)
```

## Change Passphrase

On Linux, use

```console
local $ ssh-keygen -f id_rsa -p
```

On Windows, use [PuTTY Key Generator][6].

## Certificates for Digital Signatures

We accept personal certificates issued by any widely respected certification authority (CA). This includes certificates by CAs organized in the [International Grid Trust Federation][f], its European branch [EUGridPMA][g], and its member organizations, e.g. the [CESNET certification authority][h]. The Czech _"Qualified certificate" (Kvalifikovaný certifikát)_ provided by [PostSignum][i] or [I.CA][j], which is used in electronic contact with Czech authorities, is accepted as well.

The certificate generation process for academic purposes, utilizing the CESNET certification authority, is well described here:

* [How to generate a personal TCS certificate in Mozilla Firefox web browser.][k] (in Czech)

!!! note
    The certificate file can be installed into your email client. Web-based email interfaces cannot be used for secure communication; an external application, such as Thunderbird or Outlook, must be used. This way, your new credentials will be visible only in applications that have access to your certificate.

If you are not able to obtain a certificate from any of the respected certification authorities, follow the Alternative Way below.

A FAQ about certificates can be found here: [Certificates FAQ][7].

## Alternative Way to Personal Certificate

Follow these steps **only** if you cannot obtain your certificate in a standard way. In case you choose this procedure, attach a **scan of photo ID** (personal ID, passport, or driver's license) when applying for login credentials.

!!! warning
    Please use Firefox (clone) for the following steps. Other browsers, like Chrome, are not compatible.

* Go to [COMODO Application for Secure Email Certificate][l].
* Fill in the form, accept the Subscriber Agreement and submit it by the _Next_ button.
  * Type in the e-mail address, which you intend to use for communication with us.
  * Don't forget your chosen _Revocation password_.
* You will receive an e-mail with a link to collect your certificate. Be sure to open the link in the same browser in which you submitted the application.
* Your browser should notify you that the certificate has been correctly installed in it. Now you will need to save it as a file.
* In Firefox navigate to _Options > Advanced > Certificates > View Certificates_.
* Choose the _Your Certificates_ tab and find the fresh certificate with today's date.
* Select it and hit the _Backup..._ button
* A standard save dialog should appear, where you can choose a name for the certificate file for easy identification in the future.
* You will be prompted to choose a passphrase for your new certificate. This passphrase will be needed for installation into your favourite email client.

!!! note
    The certificate file can now be installed into your email client. Web-based email interfaces cannot be used for secure communication; an external application, such as Thunderbird or Outlook, must be used (instructions below). This way, your new credentials will be visible only in applications that have access to your certificate.

## Installation of the Certificate Into Your Mail Client

The procedure is similar to the following guides:

MS Outlook 2010

* [How to Remove, Import, and Export Digital certificates][m]
* [Importing a PKCS #12 certificate (in Czech)][o]

Mozilla Thunderbird

* [Installing an SMIME certificate][p]
* [Importing a PKCS #12 certificate (in Czech)][q]

## End of User Account Lifecycle

User accounts are supported by membership in active Project(s) or by affiliation to IT4Innovations. User accounts that lose the support (meaning they are not attached to an active project and are not affiliated with IT4I) will be deleted 1 year after the last project to which they were attached expires.

The user will get 3 automatically generated warning e-mail messages about the pending removal:

* First message will be sent 3 months before the removal
* Second message will be sent 1 month before the removal
* Third message will be sent 1 week before the removal

These messages will inform the user about the projected removal date and will prompt the user to migrate her/his data.

[1]: ../applying-for-resources.md
[2]: #authorization-by-web
[3]: #alternative-way-to-personal-certificate
[4]: #certificates-for-digital-signatures
[5]: ../accessing-the-clusters/shell-access-and-data-transfer/ssh-keys.md
[6]: ../accessing-the-clusters/shell-access-and-data-transfer/putty.md#putty-key-generator
[7]: ../obtaining-login-credentials/certificates-faq.md

[a]: https://support.it4i.cz/rt/
[b]: mailto:support@it4i.cz
[c]: http://www.it4i.cz/acceptable-use-policy.pdf
[d]: http://support.it4i.cz/
[e]: https://extranet.it4i.cz
[f]: http://www.igtf.net/
[g]: https://www.eugridpma.org
[h]: https://tcs.cesnet.cz
[i]: http://www.postsignum.cz/
[j]: http://www.ica.cz/Kvalifikovany-certifikat.aspx
[k]: http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/moz-cert-gen
[l]: https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate
[m]: http://support.microsoft.com/kb/179380
[o]: http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/outl-cert-imp
[p]: https://support.globalsign.com/customer/portal/articles/1214955-install-certificate---mozilla-thunderbird
[q]: http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/moz-cert-imp