sPHENIX is a new detector at RHIC.

[pinkenburg <pinkenburg AT bnl.gov>]

Hi folks,

this will happen at 10am today (in 10 minutes). Don't panic when you can't login anymore, just follow the simple steps in this email. If you encounter problems, let me know, rather than fill up the ticket system.


on Tuesday rcf will move to single signon (one username/password gets you everywhere). There was extensive work over the last couple of months to change the underlying infra structure but you shouldn't see any of this.

Briefly - from Tuesday 10am on you will be asked to put your password into the new system if you try to log in. You can re-use your old password (it has to fulfill the automatic check against BNL password rules). There are 2 ways of doing this - either from the gateway (where you ssh into using your ssh key), run pwchange (the instructions are printed out when you log into the gateway).

If you try to get to password protected web pages you will be prompted to use the web interface to put your password into the new system.

ssh keys are not affected and will just continue to work

If you had an afs token (most likely you did not) it will be invalidated and you have to get a new one using your updated password.

That's all there is, I've tried it on a test system (using my old password) - it's easy. Tuesday is not the deadline for this - you can put in your password at your own leisure. You just won't get into rcf with your old password from Tuesday 10am on. The grace period hasn't been announced yet - it's probably one or two months after which you will just have to file a ticket.

If you use afs from your own machine, you need to change the kerberos realm in the krb5.conf (linux) according to the instructions in this mail.

You might hear from STAR that one can change the password on the gateways already on Monday, but this will only be active Tuesday from 10am on - I personally will wait till then.

Chris

-------- Forwarded Message -------- Subject: [Rhic-rcf-l] ***IMPORTANT*** SDCC/RACF Authentication Changes on 12/11 Date: Fri, 7 Dec 2018 16:03:35 -0500 From: RACF Computing Facility Staff <announce AT rcf.rhic.bnl.gov> To: rhic-rcf-l AT lists.bnl.gov, sdcc_users-l AT lists.bnl.gov, bnl-shared-tier3-l AT lists.bnl.gov

On December 11, 2018 at 10:00AM EST, the SDCC/RACF will move our password protected systems and services to a new, unified authentication system: IPA (Identity, Policy, and Audit). In order to access facility services after the cutover time, users will need to register a password in the new IPA authentication system.

The following two methods will be made available at the cutover time on 12/11 to allow users to register a password in the IPA system. Users may choose to use either method:

1. Interactive Command Line
a) Login to the RHIC (rssh.rhic.bnl.gov), ATLAS (atlasgw.usatlas.bnl.gov), or SDCC (ssh.sdcc.bnl.gov) SSH gateways using your SSH public key (as usual)
b) Once on a gateway, run "pwchange" - this command will need to be used only once for this transition process
c) Follow the prompts to register your password.
2. Web Interface
a) Access the following URL: https://migration.sdcc.bnl.gov/passwd
As this page is protected, you will need to use your current password and current Identity Provider, be it RHIC, USATLAS or SDCC. b) Fill out the form to register your password.


Examples of facility services that will require the new IPA password beginning on December 11 include the following:
a) Password-based access to interactive nodes
b) RHIC & USATLAS AFS file systems
c) Access to facility web pages protected by password
1) This includes the ssh key upload page, and services like Gitea
d) HPSS HSI/HTAR
e) BNL Box

Examples of services that will *NOT* be affected by the transition:
a) SSH gateway logins (via SSH public key)
b) RCF mail/webmail (this interface has and will continue to use a separate password)


For users of RHIC or USATLAS AFS services, the following changes will also need to be made on December 11:
a) For technical reasons, AFS users on interactive farm nodes at the RACF/SDCC facility will no longer automatically receive AFS tokens upon login (when logging in via password). As such, users will need to run "aklog" after logging in to obtain an AFS token
b) The rhic.bnl.gov and usatlas.bnl.gov AFS server restarts at the time of transition will invalidate all existing AFS tokens. You'll need to obtain a new token if you require one. There will also be a momentary (up to a few minutes) interruption in AFS service for non-replicated volumes while the AFS fileservers are restarted
c) Authentication for the RHIC and USATLAS AFS cells will be moved to the SDCC.BNL.GOV Kerberos5 realm. External users will need to authenticate to the SDCC.BNL.GOV Kerberos realm before running aklog to obtain an AFS token. Documentation on setting up your krb5.conf (Linux), or krb5.ini files for this realm are available here: https://www.racf.bnl.gov/docs/authentication/new-sdcc-kerberos-realm-configuration-files
d) External AFS users will need to be running OpenAFS 1.6.5 or newer client software, as the RHIC and USATLAS AFS cells will be switching to AES-based AFS tokens

This announcement is also available here: https://www.racf.bnl.gov/docs/authentication/migration


SDCC/RACF Staff

--
This message has been forwarded from the RACF announcements page.
Recent messages are available at:
https://www.racf.bnl.gov/Facility/RACFNews/announce.html
_______________________________________________
Rhic-rcf-l mailing list
Rhic-rcf-l AT lists.bnl.gov
https://lists.bnl.gov/mailman/listinfo/rhic-rcf-l