Scientific Data & Computing Center

[RACF Computing Facility Staff <announce AT rcf.rhic.bnl.gov>]

On December 11, 2018 at 10:00AM EST, the SDCC/RACF will move our password 
protected systems and services to a new, unified authentication system: IPA 
(Identity, Policy, and Audit).  In order to access facility services after 
the cutover time, users will need to register a password in the new IPA 
authentication system.

The following two methods will be made available at the cutover time on 12/11 
to allow users to register a password in the IPA system.  Users may choose to 
use either method:

1. Interactive Command Line
   a) Login to the RHIC (rssh.rhic.bnl.gov), ATLAS (atlasgw.usatlas.bnl.gov), 
or SDCC (ssh.sdcc.bnl.gov) SSH gateways using your SSH public key (as usual)
   b) Once on a gateway, run "pwchange" - this command will need to be used 
only once for this transition process
   c) Follow the prompts to register your password.
2. Web Interface
   a) Access the following URL: https://migration.sdcc.bnl.gov/passwd
      As this page is protected, you will need to use your current password 
and current Identity Provider, be it RHIC, USATLAS or SDCC.  
   b) Fill out the form to register your password.


Examples of facility services that will require the new IPA password 
beginning on December 11 include the following:
   a) Password-based access to interactive nodes
   b) RHIC & USATLAS AFS file systems
   c) Access to facility web pages protected by password
      1) This includes the ssh key upload page, and services like Gitea
   d) HPSS HSI/HTAR
   e) BNL Box

Examples of services that will *NOT* be affected by the transition:
   a) SSH gateway logins (via SSH public key)
   b) RCF mail/webmail (this interface has and will continue to use a 
separate password)


For users of RHIC or USATLAS AFS services, the following changes will also 
need to be made on December 11:
   a) For technical reasons, AFS users on interactive farm nodes at the 
RACF/SDCC facility will no longer automatically receive AFS tokens upon login 
(when logging in via password). As such, users will need to run "aklog" after 
logging in to obtain an AFS token
   b) The rhic.bnl.gov and usatlas.bnl.gov AFS server restarts at the time of 
transition will invalidate all existing AFS tokens. You'll need to obtain a 
new token if you require one. There will also be a momentary (up to a few 
minutes) interruption in AFS service for non-replicated volumes while the AFS 
fileservers are restarted
   c) Authentication for the RHIC and USATLAS AFS cells will be moved to the 
SDCC.BNL.GOV Kerberos5 realm.  External users will need to authenticate to 
the SDCC.BNL.GOV Kerberos realm before running aklog to obtain an AFS token.  
Documentation on setting up your krb5.conf (Linux), or krb5.ini files for 
this realm are available here: 
https://www.racf.bnl.gov/docs/authentication/new-sdcc-kerberos-realm-configuration-files
   d) External AFS users will need to be running OpenAFS 1.6.5 or newer 
client software, as the RHIC and USATLAS AFS cells will be switching to 
AES-based AFS tokens

This announcement is also available here: 
https://www.racf.bnl.gov/docs/authentication/migration


SDCC/RACF Staff

--
This message has been forwarded from the RACF announcements page.
Recent messages are available at:
https://www.racf.bnl.gov/Facility/RACFNews/announce.html