Showing with 762 additions and 0 deletions
# PuTTY (Windows)
## Windows PuTTY Installer
We recommned you to download "**A Windows installer for everything except PuTTYtel**" with **Pageant** (SSH authentication agent) and **PuTTYgen** (PuTTY key generator) which is available [here](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html).
!!! note
After installation you can proceed directly to private keys authentication using ["Putty"](#putty).
"Change Password for Existing Private Key" is optional.
"Generate a New Public/Private key pair" is intended for users without Public/Private key in the initial email containing login credentials.
"Pageant" is optional.
## PuTTY - How to Connect to the IT4Innovations Cluster
* Run PuTTY
* Enter Host name and Save session fields with login address and browse Connection - SSH - Auth menu. The _Host Name_ input may be in the format **"username@clustername.it4i.cz"** so you don't have to type your login each time.In this example we will connect to the Salomon cluster using **"salomon.it4i.cz"**.
![](../../../img/PuTTY_host_Salomon.png)
* Category - Connection - SSH - Auth:
Select Attempt authentication using Pageant.
Select Allow agent forwarding.
Browse and select your [private key](ssh-keys/) file.
![](../../../img/PuTTY_keyV.png)
* Return to Session page and Save selected configuration with _Save_ button.
![](../../../img/PuTTY_save_Salomon.png)
* Now you can log in using _Open_ button.
![](../../../img/PuTTY_open_Salomon.png)
* Enter your username if the _Host Name_ input is not in the format "username@salomon.it4i.cz".
* Enter passphrase for selected [private key](/general/accessing-the-clusters/shell-access-and-data-transfer/ssh-keys/) file if Pageant **SSH authentication agent is not used.**
## Another PuTTY Settings
* Category - Windows - Translation - Remote character set and select **UTF-8**.
* Category - Terminal - Features and select **Disable application keypad mode** (enable numpad)
* Save your configuration on Session page in to Default Settings with _Save_ button.
## Pageant SSH Agent
Pageant holds your private key in memory without needing to retype a passphrase on every login.
* Run Pageant.
* On Pageant Key List press _Add key_ and select your private key (id_rsa.ppk).
* Enter your passphrase.
* Now you have your private key in memory without needing to retype a passphrase on every login.
![](../../../img/PageantV.png)
## PuTTY Key Generator
PuTTYgen is the PuTTY key generator. You can load in an existing private key and change your passphrase or generate a new public/private key pair.
### Change Password for Existing Private Key
You can change the password of your SSH key with "PuTTY Key Generator". Make sure to backup the key.
* Load your [private key](/general/accessing-the-clusters/shell-access-and-data-transfer/ssh-keys/) file with _Load_ button.
* Enter your current passphrase.
* Change key passphrase.
* Confirm key passphrase.
* Save your private key with _Save private key_ button.
![](../../../img/PuttyKeygeneratorV.png)
### Generate a New Public/Private Key
You can generate an additional public/private key pair and insert public key into authorized_keys file for authentication with your own private key.
* Start with _Generate_ button.
![](../../../img/PuttyKeygenerator_001V.png)
* Generate some randomness.
![](../../../img/PuttyKeygenerator_002V.png)
* Wait.
![](../../../img/PuttyKeygenerator_003V.png)
* Enter a _comment_ for your key using format 'username@organization.example.com'.
Enter key passphrase.
Confirm key passphrase.
Save your new private key in "_.ppk" format with _Save private key\* button.
![](../../../img/PuttyKeygenerator_004V.png)
* Save the public key with _Save public key_ button.
You can copy public key out of the ‘Public key for pasting into authorized_keys file’ box.
![](../../../img/PuttyKeygenerator_005V.png)
* Export private key in OpenSSH format "id_rsa" using Conversion - Export OpenSSH key
![](../../../img/PuttyKeygenerator_006V.png)
* Now you can insert additional public key into authorized_keys file for authentication with your own private key.
You must log in using ssh key received after registration. Then proceed to [How to add your own key](/general/accessing-the-clusters/shell-access-and-data-transfer/ssh-keys/).
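Review bot: The "Category - Connection - SSH - Auth" step tells every user to select "Allow agent forwarding" with no explanation; with forwarding on, any process on the login node that can reach the forwarded agent socket (root included) can request signatures from the keys loaded in Pageant for as long as the session is open. Suggest dropping it from the default procedure or marking it optional with a sentence on when it is needed. Also in this file: the installer link under "Windows PuTTY Installer" is plain `http://`, which is a poor fit for an executable download, so link the `https://` address if the site serves one; "recommned" should be "recommended"; and the emphasis markers in `"_.ppk" format with _Save private key\* button` are unbalanced.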
# OpenSSH Keys (UNIX)
## Key Management
After logging in, you can see .ssh/ directory with SSH keys and authorized_keys file:
```console
$ cd /home/username/
$ ls -la .ssh/
total 24
drwx------ 2 username username 4096 May 13 15:12 .
drwxr-x---22 username username 4096 May 13 07:22 ..
-rw-r--r-- 1 username username 392 May 21 2014 authorized_keys
-rw------- 1 username username 1675 May 21 2014 id_rsa
-rw------- 1 username username 1460 May 21 2014 id_rsa.ppk
-rw-r--r-- 1 username username 392 May 21 2014 id_rsa.pub
```
!!! hint
Private keys in .ssh directory are without passphrase and allow you to connect within the cluster.
## Access Privileges on .ssh Folder
* .ssh directory: `700 (drwx------)`
* Authorized_keys, known_hosts and public key (.pub file): `644 (-rw-r--r--)`
* Private key (id_rsa/id_rsa.ppk): `600 (-rw-------)`
```console
$ cd /home/username/
$ chmod 700 .ssh/
$ chmod 644 .ssh/authorized_keys
$ chmod 644 .ssh/id_rsa.pub
$ chmod 644 .ssh/known_hosts
$ chmod 600 .ssh/id_rsa
$ chmod 600 .ssh/id_rsa.ppk
```
## Private Key
!!! note
The path to a private key is usually /home/username/.ssh/
Private key file in `id_rsa` or `*.ppk` format is used to authenticate with the servers. Private key is present locally on local side and used for example in SSH agent Pageant (for Windows users). The private key should always be kept in a safe place.
An example of private key format:
```console
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
```
## Public Key
Public key file in `*.pub` format is used to verify a digital signature. Public key is present on the remote side and allows access to the owner of the matching private key.
An example of public key format:
```console
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpujuOiTKCcGkbbBhrk0Hjmezr5QpM0swscXQE7fOZG0oQSURoapd9tjC9eVy5FvZ339jl1WkJkdXSRtjc2G1U5wQh77VE5qJT0ESxQCEw0S+CItWBKqXhC9E7gFY+UyP5YBZcOneh6gGHyCVfK6H215vzKr3x+/WvWl5gZGtbf+zhX6o4RJDRdjZPutYJhEsg/qtMxcCtMjfm/dZTnXeafuebV8nug3RCBUflvRb1XUrJuiX28gsd4xfG/P6L/mNMR8s4kmJEZhlhxpj8Th0iIc+XciVtXuGWQrbddcVRLxAmvkYAPGnVVOQeNj69pqAR/GXaFAhvjYkseEowQao1 username@organization.example.com
```
## How to Add Your Own Key
First, generate a new keypair of your public and private key:
```console
local $ ssh-keygen -C 'username@organization.example.com' -f additional_key
```
!!! note
Please, enter **strong** **passphrase** for securing your private key.
You can insert additional public key into authorized_keys file for authentication with your own private key. Additional records in authorized_keys file must be delimited by new line. Users are not advised to remove the default public key from authorized_keys file.
Example:
```console
$ cat additional_key.pub > ~/.ssh/authorized_keys
```
In this example, we add an additional public key, stored in file additional_key.pub into the authorized_keys. Next time we log in, we will be able to use the private addtional_key key to log in.
## How to Remove Your Own Key
Removing your key from authorized_keys can be done simply by deleting the corresponding public key which can be identified by a comment at the end of line (e.g. _username@organization.example.com_).
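Review bot: In "How to Add Your Own Key", the example `$ cat additional_key.pub > ~/.ssh/authorized_keys` uses `>`, which truncates the file and replaces every existing entry, including the default public key that the paragraph just above says users should not remove. It should append: `$ cat additional_key.pub >> ~/.ssh/authorized_keys`. The sentence after the example misspells the key name as "addtional_key", and the `ssh-keygen` line runs at a `local $` prompt while the `cat` line has a bare `$` prompt, so it is worth saying that the `.pub` file has to be copied to the cluster before it can be appended there.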
# VPN Access
## Accessing IT4Innovations Internal Resources via VPN
For using resources and licenses which are located at IT4Innovations local network, it is necessary to VPN connect to this network. We use Cisco AnyConnect Secure Mobility Client, which is supported on the following operating systems:
* Windows XP
* Windows Vista
* Windows 7
* Windows 8
* Linux
* MacOS
It is impossible to connect to VPN from other operating systems.
## VPN Client Installation
You can install VPN client from web interface after successful login with [IT4I credentials](/general/obtaining-login-credentials/obtaining-login-credentials/#login-credentials) on address [https://vpn.it4i.cz/user](https://vpn.it4i.cz/user)
![](../../img/vpn_web_login.png)
According to the Java settings after login, the client either automatically installs, or downloads installation file for your operating system. It is necessary to allow start of installation tool for automatic installation. If auto install does not start, then proceed with manual installation described in next steps.
![](../../img/vpn_web_login_2.png)
![](../../img/vpn_web_install_2.png)
![](../../img/copy_of_vpn_web_install_3.png)
After successful installation, VPN connection will be established and you can use available resources from IT4I network.
![](../../img/vpn_web_install_4.png)
If your Java setting doesn't allow automatic installation, you can download installation file and install VPN client manually.
![](../../img/vpn_web_download.png)
After you click on the link, download of installation file will start.
![](../../img/vpn_web_download_2.png)
After successful download of installation file, you have to execute this executable with administrator or root rights and install VPN client manually.
## Working With VPN Client
You can use graphical user interface or command line interface to run VPN client on all supported operating systems. We suggest using GUI.
Before the first login to VPN, you have to fill URL **[https://vpn.it4i.cz/user](https://vpn.it4i.cz/user)** into the text field.
![](../../img/vpn_contacting_https_cluster.png)
After you click on the Connect button, you must fill your login credentials.
![](../../img/vpn_contacting_https.png)
After a successful login, the client will minimize to the system tray. If everything works, you can see a lock in the Cisco tray icon.
![](../../img/anyconnecticon.jpg)
If you right-click on this icon, you will see a context menu in which you can control the VPN connection.
![](../../img/anyconnectcontextmenu.jpg)
When you connect to the VPN for the first time, the client downloads the profile and creates a new item "IT4I cluster" in the connection list. For subsequent connections, it is not necessary to re-enter the URL address, but just select the corresponding item.
![](../../img/vpn_contacting.png)
Then AnyConnect automatically proceeds like in the case of first logon.
![](../../img/vpn_login.png)
After a successful logon, you can see a green circle with a tick mark on the lock icon.
![](../../img/vpn_successfull_connection.png)
For disconnecting, right-click on the AnyConnect client icon in the system tray and select **VPN Disconnect**.
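Review bot: The supported-systems list under "Accessing IT4Innovations Internal Resources via VPN" names Windows XP and Windows Vista, both of which are past the end of Microsoft security updates, and stops at Windows 8. Suggest checking the list against the client version actually served from vpn.it4i.cz and removing the unsupported entries. In "VPN Client Installation", the manual path has the user run a downloaded executable with administrator or root rights; a sentence telling users to take the installer only from the `https://vpn.it4i.cz/user` page after login would make the expected source explicit.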
# Applying for Resources
Computational resources may be allocated by any of the following [Computing resources allocation](http://www.it4i.cz/computing-resources-allocation/?lang=en) mechanisms.
Academic researchers can apply for computational resources via [Open Access Competitions](http://www.it4i.cz/open-access-competition/?lang=en&lang=en).
Anyone is welcomed to apply via the [Directors Discretion.](http://www.it4i.cz/obtaining-computational-resources-through-directors-discretion/?lang=en&lang=en)
Foreign (mostly European) users can obtain computational resources via the [PRACE (DECI) program](http://www.prace-ri.eu/DECI-Projects).
In all cases, IT4Innovations’ access mechanisms are aimed at distributing computational resources while taking into account the development and application of supercomputing methods and their benefits and usefulness for society. The applicants are expected to submit a proposal. In the proposal, the applicants **apply for a particular amount of core-hours** of computational resources. The requested core-hours should be substantiated by scientific excellence of the proposal, its computational maturity and expected impacts. Proposals do undergo a scientific, technical and economic evaluation. The allocation decisions are based on this evaluation. More information at [Computing resources allocation](http://www.it4i.cz/computing-resources-allocation/?lang=en) and [Obtaining Login Credentials](/general/obtaining-login-credentials/obtaining-login-credentials/) page.
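Review bot: The "Open Access Competitions" and "Directors Discretion" links carry a doubled query string (`?lang=en&lang=en`), and the second one has the sentence's full stop inside the link text. Suggest a single `?lang=en` and moving the period outside the brackets. The it4i.cz and prace-ri.eu links in this file are all `http://`; switch to `https://` where the targets support it. "Anyone is welcomed" reads better as "Anyone is welcome".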
# Certificates FAQ
FAQ about certificates in general
## Q: What Are Certificates?
IT4Innovations employs X.509 certificates for secure communication (e. g. credentials exchange) and for grid services related to PRACE, as they present a single method of authentication for all PRACE services, where only one password is required.
There are different kinds of certificates, each with a different scope of use. We mention here:
* User (Private) certificates
* Certificate Authority (CA) certificates
* Host certificates
* Service certificates
However, users need only manage User and CA certificates. Note that your user certificate is protected by an associated private key, and this **private key must never be disclosed**.
## Q: Which X.509 Certificates Are Recognised by IT4Innovations?
[The Certificates for Digital Signatures](#the-certificates-for-digital-signatures).
## Q: How Do I Get a User Certificate That Can Be Used With IT4Innovations?
To get a certificate, you must make a request to your local, IGTF approved, Certificate Authority (CA). Usually you then must visit, in person, your nearest Registration Authority (RA) to verify your affiliation and identity (photo identification is required). Usually, you will then be emailed details on how to retrieve your certificate, although procedures can vary between CAs. If you are in Europe, you can locate [your trusted CA](https://www.eugridpma.org/members/worldmap/).
In some countries certificates can also be retrieved using the TERENA Certificate Service, see the FAQ below for the link.
## Q: Does IT4Innovations Support Short Lived Certificates (SLCS)?
Yes, provided that the CA which provides this service is also a member of IGTF.
## Q: Does IT4Innovations Support the TERENA Certificate Service?
Yes, ITInnovations supports TERENA eScience personal certificates. For more information, visit [TCS - Trusted Certificate Service](https://tcs-escience-portal.terena.org/), where you also can find if your organisation/country can use this service
## Q: What Format Should My Certificate Take?
User Certificates come in many formats, the three most common being the ’PKCS12’, ’PEM’ and the JKS formats.
The PKCS12 (often abbreviated to ’p12’) format stores your user certificate, along with your associated private key, in a single file. This form of your certificate is typically employed by web browsers, mail clients, and grid services like UNICORE, DART, gsissh-term and Globus toolkit (GSI-SSH, GridFTP and GRAM5).
The PEM format (`*`.pem) stores your user certificate and your associated private key in two separate files. This form of your certificate can be used by PRACE’s gsissh-term and with the grid related services like Globus toolkit (GSI-SSH, GridFTP and GRAM5).
To convert your Certificate from PEM to p12 formats, and _vice versa_, IT4Innovations recommends using the openssl tool (see separate FAQ entry).
JKS is the Java KeyStore and may contain both your personal certificate with your private key and a list of your trusted CA certificates. This form of your certificate can be used by grid services like DART and UNICORE6.
To convert your Certificate from p12 to JKS, IT4Innovations recommends using the keytool utiliy (see separate FAQ entry).
## Q: What Are CA Certificates?
Certification Authority (CA) certificates are used to verify the link between your user certificate and the authority which issued it. They are also used to verify the link between the host certificate of a IT4Innovations server and the CA which issued that certificate. In essence they establish a chain of trust between you and the target server. Thus, for some grid services, users must have a copy of all the CA certificates.
To assist users, SURFsara (a member of PRACE) provides a complete and up-to-date bundle of all the CA certificates that any PRACE user (or IT4Innovations grid services user) will require. Bundle of certificates, in either p12, PEM or JKS formats, are [available here](https://winnetou.surfsara.nl/prace/certs/).
It is worth noting that gsissh-term and DART automatically updates their CA certificates from this SURFsara website. In other cases, if you receive a warning that a server’s certificate can not be validated (not trusted), then update your CA certificates via the SURFsara website. If this fails, then contact the IT4Innovations helpdesk.
Lastly, if you need the CA certificates for a personal Globus 5 installation, then you can install the CA certificates from a MyProxy server with the following command.
```console
myproxy-get-trustroots -s myproxy-prace.lrz.de
```
If you run this command as ’root’, then it will install the certificates into /etc/grid-security/certificates. If you run this not as ’root’, then the certificates will be installed into $HOME/.globus/certificates. For Globus, you can download the globuscerts.tar.gz packet [available here](https://winnetou.surfsara.nl/prace/certs/).
## Q: What Is a DN and How Do I Find Mine?
DN stands for Distinguished Name and is part of your user certificate. IT4Innovations needs to know your DN to enable your account to use the grid services. You may use openssl (see below) to determine your DN or, if your browser contains your user certificate, you can extract your DN from your browser.
For Internet Explorer users, the DN is referred to as the "subject" of your certificate. ToolsInternet OptionsContentCertificatesViewDetailsSubject.
For users running Firefox under Windows, the DN is referred to as the "subject" of your certificate. ToolsOptionsAdvancedEncryptionView Certificates. Highlight your name and then Click ViewDetailsSubject.
## Q: How Do I Use the Openssl Tool?
The following examples are for Unix/Linux operating systems only.
To convert from PEM to p12, enter the following command:
```console
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out
username.p12
```
To convert from p12 to PEM, type the following _four_ commands:
```console
openssl pkcs12 -in username.p12 -out usercert.pem -clcerts -nokeys
openssl pkcs12 -in username.p12 -out userkey.pem -nocerts
chmod 444 usercert.pem
chmod 400 userkey.pem
```
To check your Distinguished Name (DN), enter the following command:
```console
openssl x509 -in usercert.pem -noout -subject -nameopt
RFC2253
```
To check your certificate (e.g., DN, validity, issuer, public key algorithm, etc.), enter the following command:
```console
openssl x509 -in usercert.pem -text -noout
```
To download openssl if not pre-installed, see [here](https://www.openssl.org/source/). On Macintosh Mac OS X computers openssl is already pre-installed and can be used immediately.
## Q: How Do I Create and Then Manage a Keystore?
IT4innovations recommends the java based keytool utility to create and manage keystores, which themselves are stores of keys and certificates. For example if you want to convert your pkcs12 formatted key pair into a java keystore you can use the following command.
```console
keytool -importkeystore -srckeystore $my_p12_cert -destkeystore
$my_keystore -srcstoretype pkcs12 -deststoretype jks -alias
$my_nickname -destalias $my_nickname
```
where $my_p12_cert is the name of your p12 (pkcs12) certificate, $my_keystore is the name that you give to your new java keystore and $my_nickname is the alias name that the p12 certificate was given and is used also for the new keystore.
You also can import CA certificates into your java keystore with the tool, e.g.:
```console
keytool -import -trustcacerts -alias $mydomain -file $mydomain.crt -keystore $my_keystore
```
where $mydomain.crt is the certificate of a trusted signing authority (CA) and $mydomain is the alias name that you give to the entry.
More information on the tool can be found [here](http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html)
## Q: How Do I Use My Certificate to Access the Different Grid Services?
Most grid services require the use of your certificate; however, the format of your certificate depends on the grid Service you wish to employ.
If employing the PRACE version of GSISSH-term (also a Java Web Start Application), you may use either the PEM or p12 formats. Note that this service automatically installs up-to-date PRACE CA certificates.
If the grid service is UNICORE, then you bind your certificate, in either the p12 format or JKS, to UNICORE during the installation of the client on your local machine. For more information visit [UNICORE6 in PRACE](http://www.prace-ri.eu/UNICORE6-in-PRACE)
If the grid service is part of Globus, such as GSI-SSH, GriFTP or GRAM5, then the certificates can be in either p12 or PEM format and must reside in the "$HOME/.globus" directory for Linux and Mac users or %HOMEPATH%.globus for Windows users. (Windows users will have to use the DOS command ’cmd’ to create a directory which starts with a ’.’). Further, user certificates should be named either "usercred.p12" or "usercert.pem" and "userkey.pem", and the CA certificates must be kept in a pre-specified directory as follows. For Linux and Mac users, this directory is either $HOME/.globus/certificates or /etc/grid-security/certificates. For Windows users, this directory is %HOMEPATH%.globuscertificates. (If you are using GSISSH-Term from prace-ri.eu then you do not have to create the .globus directory nor install CA certificates to use this tool alone).
## Q: How Do I Manually Import My Certificate Into My Browser?
If you employ the Firefox browser, then you can import your certificate by first choosing the "Preferences" window. For Windows, this is ToolsOptions. For Linux, this is EditPreferences. For Mac, this is FirefoxPreferences. Then, choose the "Advanced" button; followed by the "Encryption" tab. Then, choose the "Certificates" panel; select the option "Select one automatically" if you have only one certificate, or "Ask me every time" if you have more then one. Then click on the "View Certificates" button to open the "Certificate Manager" window. You can then select the "Your Certificates" tab and click on button "Import". Then locate the PKCS12 (.p12) certificate you wish to import, and employ its associated password.
If you are a Safari user, then simply open the "Keychain Access" application and follow "FileImport items".
If you are an Internet Explorer user, click StartSettingsControl Panel and then double-click on Internet. On the Content tab, click Personal, and then click Import. In the Password box, type your password. NB you may be prompted multiple times for your password. In the "Certificate File To Import" box, type the filename of the certificate you wish to import, and then click OK. Click Close, and then click OK.
## Q: What Is a Proxy Certificate?
A proxy certificate is a short-lived certificate which may be employed by UNICORE and the Globus services. The proxy certificate consists of a new user certificate and a newly generated proxy private key. This proxy typically has a rather short lifetime (normally 12 hours) and often only allows a limited delegation of rights. Its default location, for Unix/Linux, is /tmp/x509_u_uid_ but can be set via the $X509_USER_PROXY environment variable.
## Q: What Is the MyProxy Service?
[The MyProxy Service](http://grid.ncsa.illinois.edu/myproxy/) , can be employed by gsissh-term and Globus tools, and is an online repository that allows users to store long lived proxy certificates remotely, which can then be retrieved for use at a later date. Each proxy is protected by a password provided by the user at the time of storage. This is beneficial to Globus users as they do not have to carry their private keys and certificates when travelling; nor do users have to install private keys and certificates on possibly insecure computers.
## Q: Someone May Have Copied or Had Access to the Private Key of My Certificate Either in a Separate File or in the Browser. What Should I Do?
Please ask the CA that issued your certificate to revoke this certificate and to supply you with a new one. In addition, report this to IT4Innovations by contacting [the support team](https://support.it4i.cz/rt).
## Q: My Certificate Expired. What Should I Do?
In order to still be able to communicate with us, one has to make a request for the new certificate to your Certificate Authority (CA). There is no need to explicitly send us any information about your new certificate if a new one has the same Distinguished Name (DN) as the old one.
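Review bot: Three commands in the `console` blocks are wrapped in the middle of their arguments with no continuation character: the PEM to p12 conversion breaks after `-out`, the DN check breaks after `-nameopt`, and the `keytool -importkeystore` example is split over three lines. Pasted as shown, each line runs as a separate command and the first one fails for lack of its argument; put each command on one line or end the wrapped lines with `\`. The browser menu paths have lost their separators ("ToolsInternet OptionsContentCertificatesViewDetailsSubject", "FileImport items"), and the Windows locations "%HOMEPATH%.globus" and "%HOMEPATH%.globuscertificates" are missing their backslashes. Typos to fix in the same pass: "ITInnovations", "utiliy", "GriFTP", "more then one".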
# Obtaining Login Credentials
## Obtaining Authorization
The computational resources of IT4I are allocated by the Allocation Committee to a Project, investigated by a Primary Investigator. By allocating the computational resources, the Allocation Committee is authorizing the PI to access and use the clusters. The PI may decide to authorize a number of her/his Collaborators to access and use the clusters, to consume the resources allocated to her/his Project. These collaborators will be associated to the Project. The Figure below is depicting the authorization chain:
![](../../img/Authorization_chain.png)
!!! note
You need to either [become the PI](/general/applying-for-resources) or [be named as a collaborator](#authorization-by-web) by a PI in order to access and use the clusters.
Head of Supercomputing Services acts as a PI of a project DD-13-5. Joining this project, you may **access and explore the clusters**, use software, development environment and computers via the qexp and qfree queues. You may use these resources for own education/research, no paperwork is required. All IT4I employees may contact the Head of Supercomputing Services in order to obtain **free access to the clusters**.
## Authorization of PI by Allocation Committee
The PI is authorized to use the clusters by the allocation decision issued by the Allocation Committee. The PI will be informed by IT4I about the Allocation Committee decision.
## Process Flow Chart
This chart describes the process of obtaining login credentials on the clusters. You may skip the tasks, that you have already done. Some of the tasks, marked with asterisk (\*), are clickable and will take you to more detailed description.
* I am collaborator on a project and want to obtain login credetials
<div class="mermaid">
graph TB
id10(I am collaborator on a project and want to obtain login credetials)
id20[Obtain certificate for digital signature]
id10-->id20
id30[EduID organizations from CESNET*]
click id30 "#certificates-for-digital-signatures"
id40[Personal certificate from PostSignum or I.CA]
id50[Free certificate from Comodo*]
click id50 "#alternative-way-to-personal-certificate"
id55[Other trusted certificate]
subgraph ""
id20-->id30
id20-->id40
id20-->id50
id20-->id55
end
id60[Export and save certificate to a file]
id30-->id60
id40-->id60
id50-->id60
id55-->id60
id70[Import certificate into your email client*]
click id70 "#installation-of-the-certificate-into-your-mail-client"
id60-->id70
id80[Send email with request for access to IT4I Support*]
click id80 "#login-credentials"
id70-->id80
</div>
* I am Primary Investigator and I want to allow my collaborators to access my project
<div class="mermaid">
graph TB
id110(I am Primary Investigator and I want to allow my collaborators to access my project)
id120[Obtain certificate for digital signature]
id110-->id120
id130[EduID organizations from CESNET*]
click id130 "#certificates-for-digital-signatures"
id140[Personal certificate from PostSignum or I.CA]
id150[Free certificate from Comodo*]
click id150 "#alternative-way-to-personal-certificate"
id155[Other trusted certificate]
subgraph ""
id120-->id130
id120-->id140
id120-->id150
id120-->id155
end
id160[Export and save certificate to a file]
id130-->id160
id140-->id160
id150-->id160
id155-->id160
id170[Import certificate into your email client*]
click id170 "#installation-of-the-certificate-into-your-mail-client"
id160-->id170
id180[Send email with request for authorization to IT4I Support*]
click id180 "#authorization-by-e-mail-an-alternative-approach"
id170-->id180
</div>
* I am an existing User / Primary Investigator and I want to manage my Projects / Users
<div class="mermaid">
graph TB
id210(I am an existing User / Primary Investigator and I want to manage my Projects / Users)
id220[Log in to extranet.it4i.cz]
id230[Go to Projects section]
id210-->id220
id220-->id230
id240[Submit request to become project member]
id245[Wait for approval from Primary Investigator]
id230-->|User|id240
id240-->id245
id250[Wait for user to submit the request to become project member]
id255[Approve or deny user requests for becoming project members]
id230-->|Primary Investigator|id250
id250-->id255
id240-.->id255
</div>
## Login Credentials
Once authorized by PI, every person (PI or Collaborator) wishing to access the clusters, should contact the [IT4I support](https://support.it4i.cz/rt/) (E-mail: [support\[at\]it4i.cz](mailto:support@it4i.cz)) providing following information:
1. Project ID
1. Full name and affiliation
1. Statement that you have read and accepted the [Acceptable use policy document](http://www.it4i.cz/acceptable-use-policy.pdf) (AUP).
1. Attach the AUP file.
1. Your preferred username, max 12 characters long. The preferred username must associate your surname and name or be otherwise derived from it. Only alphanumeric sequences and dash signs are allowed.
1. In case you choose [Alternative way to personal certificate](#alternative-way-to-personal-certificate), a **scan of photo ID** (personal ID or passport or driver license) is required
!!! warning
Should the above information be provided by e-mail, the e-mail **must be** digitally signed. Read more on [digital signatures](#certificates-for-digital-signatures) below.
Example (except the subject line which must be in English, you may use Czech or Slovak language for communication with us):
```console
Subject: Access to IT4Innovations
Dear support,
Please open the user account for me and attach the account to OPEN-0-0
Name and affiliation: John Smith, john.smith@myemail.com, Department of Chemistry, MIT, US
I have read and accept the Acceptable use policy document (attached)
Preferred username: johnsm
Thank you,
John Smith
(Digitally signed)
```
You will receive your personal login credentials by protected e-mail. The login credentials include:
1. username
1. ssh private key and private key passphrase
1. system password
The clusters are accessed by the [private key](/general/accessing-the-clusters/shell-access-and-data-transfer/ssh-keys/) and username. Username and password is used for login to the [information systems](http://support.it4i.cz/).
## Authorization by Web
!!! warning
**Only** for those who already have their IT4I HPC account. This is a preferred way of granting access to project resources. Please, use this method whenever it's possible.
This is a preferred way of granting access to project resources. Please, use this method whenever it's possible.
Log in to the [IT4I Extranet portal](https://extranet.it4i.cz) using IT4I credentials and go to the **Projects** section.
* **Users:** Please, submit your requests for becoming a project member.
* **Primary Investigators:** Please, approve or deny users' requests in the same section.
## Authorization by E-Mail (An Alternative Approach)
In order to authorize a Collaborator to utilize the allocated resources, the PI should contact the [IT4I support](https://support.it4i.cz/rt/) (E-mail: [support\[at\]it4i.cz](mailto:support@it4i.cz)) and provide following information:
1. Identify your project by project ID
1. Provide list of people, including himself, who are authorized to use the resources allocated to the project. The list must include full name, e-mail and affiliation. Provide usernames as well, if collaborator login access already exists on the IT4I systems.
1. Include "Authorization to IT4Innovations" into the subject line.
!!! warning
Should the above information be provided by e-mail, the e-mail **must be** digitally signed. Read more on [digital signatures](#certificates-for-digital-signatures) below.
Example (except the subject line which must be in English, you may use Czech or Slovak language for communication with us):
```console
Subject: Authorization to IT4Innovations
Dear support,
Please include my collaborators to project OPEN-0-0.
John Smith, john.smith@myemail.com, Department of Chemistry, MIT, US
Jonas Johansson, jjohansson@otheremail.se, Department of Physics, RIT, Sweden
Luisa Fibonacci, lf@emailitalia.it, Department of Mathematics, National Research Council, Italy
Thank you,
PI
(Digitally signed)
```
## Change Passphrase
On Linux, use
```console
local $ ssh-keygen -f id_rsa -p
```
On Windows, use [PuTTY Key Generator](/general/accessing-the-clusters/shell-access-and-data-transfer/putty/#putty-key-generator).
## Certificates for Digital Signatures
We accept personal certificates issued by any widely respected certification authority (CA). This includes certificates by CAs organized in [International Grid Trust Federation](http://www.igtf.net/), its European branch [EUGridPMA](https://www.eugridpma.org/) and its member organizations, e.g. the [CESNET certification authority](https://tcs.cesnet.cz). The Czech _"Qualified certificate" (Kvalifikovaný certifikát)_ provided by [PostSignum](http://www.postsignum.cz/) or [I.CA](http://www.ica.cz/Kvalifikovany-certifikat.aspx), that is used in electronic contact with Czech authorities is accepted as well.
Certificate generation process for academic purposes, utilizing the CESNET certification authority, is well-described here:
* [How to generate a personal TCS certificate in Mozilla Firefox web browser (in Czech)](http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/moz-cert-gen)
!!! note
Certificate file can be installed into your email client. Web-based email interfaces cannot be used for secure communication, external application, such as Thunderbird or Outlook must be used. This way, your new credentials will be visible only in applications, that have access to your certificate.
If you are not able to obtain certificate from any of the respected certification authorities, follow the Alternative Way bellow.
A FAQ about certificates can be found here: [Certificates FAQ](/general/obtaining-login-credentials/certificates-faq/).
## Alternative Way to Personal Certificate
Follow these steps **only** if you can not obtain your certificate in a standard way. In case you choose this procedure, attach a **scan of photo ID** (personal ID or passport or drivers license) when applying for login credentials.
!!! warning
Please use Firefox (clone) for following steps. Other browsers, like Chrome, are not compatible.
* Go to [COMODO Application for Secure Email Certificate](https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate).
* Fill in the form, accept the Subscriber Agreement and submit it by the _Next_ button.
* Type in the e-mail address, which you intend to use for communication with us.
* Don't forget your chosen _Revocation password_.
* You will receive an e-mail with link to collect your certificate. Be sure to open the link in the same browser, in which you submited the application.
* Your browser should notify you, that the certificate has been correctly installed in it. Now you will need to save it as a file.
* In Firefox navigate to _Options > Advanced > Certificates > View Certificates_.
* Choose the _Your Certificates_ tab and find the fresh certificate with today's date.
* Select it and hit the _Backup..._ button
* Standard save dialog should appear, where you can choose a name for the certificate file for easy identification in the future.
* You will be prompted to choose a passphrase for your new certificate. This passphrase will be needed for installation into your favourite email client.
!!! note
Certificate file now can be installed into your email client. Web-based email interfaces cannot be used for secure communication, external application, such as Thunderbird or Outlook must be used (instructions bellow). This way, your new credentials will be visible only in applications, that have access to your certificate.
## Installation of the Certificate Into Your Mail Client
The procedure is similar to the following guides:
MS Outlook 2010
* [How to Remove, Import, and Export Digital certificates](http://support.microsoft.com/kb/179380)
* [Importing a PKCS #12 certificate (in Czech)](http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/outl-cert-imp)
Mozilla Thudnerbird
* [Installing an SMIME certificate](https://support.globalsign.com/customer/portal/articles/1214955-install-certificate---mozilla-thunderbird)
* [Importing a PKCS #12 certificate (in Czech)](http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/moz-cert-imp)
## End of User Account Lifecycle
User accounts are supported by membership in active Project(s) or by affiliation to IT4Innovations. User accounts, that loose the support (meaning, are not attached to an active project and are not affiliated with IT4I), will be deleted 1 year after the last project to which they were attached expires.
User will get 3 automatically generated warning e-mail messages of the pending removal:.
* First message will be sent 3 months before the removal
* Second message will be sent 1 month before the removal
* Third message will be sent 1 week before the removal.
These messages will inform about the projected removal date and will challenge the user to migrate her/his data.
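Review bot: The paragraph after the login credentials list links the information systems as http://support.it4i.cz/, although the support links earlier in this file use https://support.it4i.cz/rt/. Since that is where the username and system password are entered, the link should use the https form. The ssh private key and its passphrase are listed as arriving in the same protected e-mail, so a pointer from that list to the "Change Passphrase" section would tell the user to set their own passphrase after first login. In "Authorization by Web" the sentence "This is a preferred way of granting access to project resources. Please, use this method whenever it's possible." appears both inside the warning and again directly after it; keep one copy. Spelling to fix before merge: "bellow" (twice), "submited", "Thudnerbird", "loose the support", and the stray ":." after "pending removal".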
# Resource Allocation and Job Execution
To run a [job](/#terminology-frequently-used-on-these-pages), [computational resources](/salomon/resources-allocation-policy#resource-accounting-policy) for this particular job must be allocated. This is done via the PBS Pro job workload manager software, which distributes workloads across the supercomputer. Extensive information about PBS Pro can be found in the [PBS Pro User's Guide](/pbspro).
## Resources Allocation Policy
The resources are allocated to the job in a fair-share fashion, subject to constraints set by the queue and resources available to the Project. [The Fair-share](/salomon/job-priority#fair-share-priority) ensures that individual users may consume approximately equal amount of resources per week. The resources are accessible via queues for queueing the jobs. The queues provide prioritized and exclusive access to the computational resources. Following queues are are the most important:
* **qexp**, the Express queue
* **qprod**, the Production queue
* **qlong**, the Long queue
* **qmpp**, the Massively parallel queue
* **qnvidia**, **qmic**, **qfat**, the Dedicated queues
* **qfree**, the Free resource utilization queue
!!! note
Check the queue status at [https://extranet.it4i.cz/](https://extranet.it4i.cz/)
Read more on the [Resource AllocationPolicy](/salomon/resources-allocation-policy) page.
## Job Submission and Execution
!!! note
Use the **qsub** command to submit your jobs.
The qsub submits the job into the queue. The qsub command creates a request to the PBS Job manager for allocation of specified resources. The **smallest allocation unit is entire node, 16 cores**, with exception of the qexp queue. The resources will be allocated when available, subject to allocation policies and constraints. **After the resources are allocated the jobscript or interactive shell is executed on first of the allocated nodes.**
Read more on the [Job submission and execution](/salomon/job-submission-and-execution) page.
## Capacity Computing
!!! note
Use Job arrays when running huge number of jobs.
Use GNU Parallel and/or Job arrays when running (many) single core jobs.
In many cases, it is useful to submit huge (100+) number of computational jobs into the PBS queue system. Huge number of (small) jobs is one of the most effective ways to execute embarrassingly parallel calculations, achieving best runtime, throughput and computer utilization. In this chapter, we discuss the the recommended way to run huge number of jobs, including **ways to run huge number of single core jobs**.
Read more on [Capacity computing](/salomon/capacity-computing) page.
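Review bot: In "Job Submission and Execution" the smallest allocation unit is given as "entire node, 16 cores", while every link in this file points at /salomon/ pages. Please confirm the core count matches that cluster, or name the cluster the figure applies to. Wording to fix in the same file: "Following queues are are the most important", the link text "Resource AllocationPolicy", and "we discuss the the recommended way".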
docs.it4i/img/7D_Enhanced_hypercube.png

154 KiB

docs.it4i/img/AMsetPar1.png

46.5 KiB

docs.it4i/img/Anselm-Schematic-Representation.png

68.4 KiB

docs.it4i/img/Anselmprofile.jpg

19.6 KiB

docs.it4i/img/Authorization_chain.png

26.8 KiB

docs.it4i/img/Fluent_Licence_1.jpg

78.9 KiB

docs.it4i/img/Fluent_Licence_2.jpg

81.4 KiB

docs.it4i/img/Fluent_Licence_3.jpg

87 KiB

docs.it4i/img/Fluent_Licence_4.jpg

80.5 KiB

docs.it4i/img/IBsingleplanetopologyAcceleratednodessmall.png

68.6 KiB

docs.it4i/img/IBsingleplanetopologyICEXMcellsmall.png

95.5 KiB

docs.it4i/img/Matlab.png

7.13 KiB

docs.it4i/img/PageantV.png

108 KiB