Difference between revisions of "HPC:Login"

From HPC wiki
 
(15 intermediate revisions by 2 users not shown)
Line 43: Line 43:
  
 
=== VPN for Off-campus access ===
 
=== VPN for Off-campus access ===
The PMACS Cluster is behind a firewall. All users authorized to use the PMACS cluster can use this VPN to establish secure connections to the PMACS cluster when trying to SSH from off-campus. Please download Forticlient from one of the appropriate links below for your operating system. Once a VPN tunnel has been setup, normal SSH connections to the cluster head node: <code>consign.pmacs.upenn.edu</code> can be established.  
+
Pulse Secure VPN replaces the 'Forticlinet VPN' based remote access, and now all Off-campus connections must be using 'Pulse Secure VPN' to connect to the PMACS environment (Both HPC and LPC clusters), which is secured behind the firewall. 'Forticlient VPN' must be uninstalled, if used before.<br>
 +
  Pulse Secure VPN is different than 'University VPN' and must be turned off while installing/using the 'Pulse Secure VPN'.
  
'''Note 1''': There may be other VPNs managed by PMACS/UPHS. Please ensure that while connecting to the PMACS cluster, you are using this VPN only.
+
==== Pre-requisites ====
 +
Pulse Secure VPN client requires the user must have 'pennkey' created and also enrolled into the DUO 2 factor authentication.
  
==== Forticlient Software ====
+
Duo enrollment link is below;<br>
The Forticlient gives you access to secured University of Pennsylvania resources. Please download and install Forticlient to use the PMACS cluster.
+
::https://twostep.apps.upenn.edu/twoFactor/twoFactorUi/app/UiMain.optinWizard
  
First download the appropriate installer for
+
Duo enrollment status verification link is below;<br>
 +
::https://twostep.apps.upenn.edu/twoFactor/twoFactorUi/app/UiMain.duoPush
  
[https://upenn.box.com/s/o7yl6jh35o6j3xuu8q6bj6mixt4x4xwh <strong>Mac OSX</strong>]
+
'Pulse Secure VPN' can be downloaded from the PMACS website.<br>
 +
::https://remote.pmacs.upenn.edu/  
  
[https://upenn.box.com/s/zknl5nlneve6upn5nyyngkpe7w20n0rv <strong>Windows</strong>]
+
Pulse Secure VPN client install instructions are given in the below section.
  
[https://hpcwiki.genomics.upenn.edu/vpn/FortiClientInstaller-GNULinux.tar.gz <strong>GNU/Linux</strong>]
+
====Instructions to VPN into PMACS====
 +
Please use the below instructions(pdf format), to set up your VPN client on either a MAC or a PC.
  
Please also see the section '''[[HPC:Login#More_VPN_Info|below]]''' for more information on how to run the VPN client on GNU/Linux systems.
+
'''MAC OS'''<br>
 +
[[File:pulse-secure-vpn-mac-os-automated-install-and-configuration.pdf|thumb|left|Pulse Secure Automated Setup on MAC - preferred]]<nowiki>
 +
  -    Preferrred method</nowiki> <br>
  
Once the appropriate installer has been downloaded and installed, a reboot may be required to connect.
+
[[File:pulse-secure-vpn-mac-os-manual-install-and-configuration.pdf|thumb|left|Pulse Secure Manual Setup on MAC]] <br>
See pictures [[HPC:Login#More_VPN_Info| <strong>below</strong>]] for details on how to configure the Standalone VPN client (works for Windows and MacOS). Separate information for GNU/Linux VPN clients is also [[HPC:Login#More_VPN_Info| <strong>below</strong>]].
+
 
 +
'''Windows''' <br>
 +
 
 +
[[File:pulse-secure-vpn-windows-automated-install-and-configuration.pdf|thumb|left|Pulse Secure Automated Setup on Windows - preferred]]<nowiki>  
 +
  -    Preferrred method</nowiki> <br>
 +
 
 +
[[File:pulse-secure-vpn-windows-manual-install-and-configuration.pdf|thumb|left|Pulse Secure Manual Setup on Windows]] <br>
 +
 
 +
When logging into Pulse Secure VPN you will be asked for a secondary password, which is DUO secure code, depending on how you have set up DUO this will mean typing "push", "phone", "text", or entering a secure code.
 +
 
 +
Push: a DUO popup will appear on the phone setup with DUO that will ask for your Approval (recommended)<br>
 +
Phone: a call will be sent to the number specified and you will be asked to press a key to approve.<br>
 +
Text: a text message will be sent to the number specified and you will be asked to reply to approve.<br>
  
 
=== Important Host/Server Names ===
 
=== Important Host/Server Names ===
Line 96: Line 115:
  
 
=== File transfer to and from the HPC ===
 
=== File transfer to and from the HPC ===
----
+
 
<div class="mw-collapsible mw-collapsed">
 
 
Transferring data to/from the PMACS HPC cluster is done with program that supports the SSH v2 protocol. Programs like SCP, sFTP, rsync, WinSCP, Filezilla etc. are all supported.
 
Transferring data to/from the PMACS HPC cluster is done with program that supports the SSH v2 protocol. Programs like SCP, sFTP, rsync, WinSCP, Filezilla etc. are all supported.
  
Line 103: Line 121:
  
 
==== File transfer using command line tools ====
 
==== File transfer using command line tools ====
 +
 +
----
 +
<div class="mw-collapsible mw-collapsed">
 +
 
Poplar command line programs for file transfer include SCP, sFTP, rsync, PSCP etc.  
 
Poplar command line programs for file transfer include SCP, sFTP, rsync, PSCP etc.  
  
Line 112: Line 134:
 
% rsync -av test PMACSUSER@mercury.pmacs.upenn.edu:~/
 
% rsync -av test PMACSUSER@mercury.pmacs.upenn.edu:~/
 
</pre>
 
</pre>
 +
 +
</div>
  
 
==== File transfer using graphical tools ====
 
==== File transfer using graphical tools ====
 +
 +
----
 +
<div class="mw-collapsible mw-collapsed">
  
 
Popular command line programs for file transfer include WinSCP, FileZilla, MobaXTerm, etc.
 
Popular command line programs for file transfer include WinSCP, FileZilla, MobaXTerm, etc.
Line 210: Line 237:
 
----
 
----
 
<div class="mw-collapsible mw-collapsed">
 
<div class="mw-collapsible mw-collapsed">
Below are screenshots that describe how to use the HPC VPN on MacOS systems:
+
The screenshot below describes how to use the HPC VPN on MacOS systems:
 +
 
 
[[image:PMACS_VPN_OSX_setup.png|center|500px]]
 
[[image:PMACS_VPN_OSX_setup.png|center|500px]]
 +
 +
 
Below are screenshots that describe how to use the HPC VPN on GNU/Linux systems:
 
Below are screenshots that describe how to use the HPC VPN on GNU/Linux systems:
  
 
[[image:Forticlient1-1.png|center|500px]]
 
[[image:Forticlient1-1.png|center|500px]]
  
 
+
If presented with a warning message indicating that the SSLVPN certificate is invalid, click "Continue" as it can be safely ignored.
  
 
[[image:Forticlient2.png|center|500px]]
 
[[image:Forticlient2.png|center|500px]]
 
  
  
 
[[image:Forticlient3.png|center|500px]]
 
[[image:Forticlient3.png|center|500px]]
  
 
 
[[image:Forticlient4-1.png|center|500px]]
 
 
</div>
 
</div>
  

Latest revision as of 21:07, 30 November 2022

Connecting to the PMACS Cluster

Currently, secure shell is the only supported method of connecting to the cluster. The login machine name is consign.pmacs.upenn.edu You should probably add "ServerKeepAliveInterval 60" to your SSH client's configuration. After your account is created, you can connect using your PMACS credentials.

SSH Clients

Windows


The University of Pennyslvania officially recommends SecureCRT as its supported shell client for Windows. However, inexperienced Unix users may find SecureCRT's interface both difficult to navigate and outdated. An alternative software we recommend is MobaXterm. MobaXterm comes with a variety of tools such as Keypair generation, FTP, SFTP, tabbed windows, and more.

MobaXTerm

Once you have installed MobaXTerm, you can launch the software and find this screen.

Moba1.PNG



At the upper left of the window, click "session".

Moba1.2.png



This is your sessions window, where you can manage different types of connections (SSH, FTP, SFTP, et cetera).

Moba2.PNG



To connect to the cluster, select "SSH".

Moba2.2.png



You are now presented with a few options. In the "Remote Host" field you can either enter: mercury.pmacs.upenn.edu if you have not logged into the cluster before. Otherwise, the "Remote Host" field can be consign.pmacs.upenn.edu if you intend to submit jobs to the cluster. You should also check the box "Specify Username" and in the "Username field" enter your PMACS ID. Leave the port number 22.

Moba3.2.png



For example:

Moba4.PNG



Once you have connected to the cluster it will ask you for your password. MobaXterm will remember your settings and save the session for future use under "Recent Sessions" when you open MobaXTerm again. If you would like to avoid having to manually enter your password each time you log in, consider setting up Public/Private key pairs on the cluster .

Mac OSX


Mac OSX already comes with the Terminal application preinstalled which can be used to SSH to the cluster. OSX users do not need install any additional software in order to connect to the cluster. However, more experienced users may find using a third party software such as iTerm2 more to their liking.

VPN for Off-campus access

Pulse Secure VPN replaces the 'Forticlinet VPN' based remote access, and now all Off-campus connections must be using 'Pulse Secure VPN' to connect to the PMACS environment (Both HPC and LPC clusters), which is secured behind the firewall. 'Forticlient VPN' must be uninstalled, if used before.

  Pulse Secure VPN is different than 'University VPN' and must be turned off while installing/using the 'Pulse Secure VPN'.

Pre-requisites

Pulse Secure VPN client requires the user must have 'pennkey' created and also enrolled into the DUO 2 factor authentication.

Duo enrollment link is below;

https://twostep.apps.upenn.edu/twoFactor/twoFactorUi/app/UiMain.optinWizard

Duo enrollment status verification link is below;

https://twostep.apps.upenn.edu/twoFactor/twoFactorUi/app/UiMain.duoPush

'Pulse Secure VPN' can be downloaded from the PMACS website.

https://remote.pmacs.upenn.edu/

Pulse Secure VPN client install instructions are given in the below section.

Instructions to VPN into PMACS

Please use the below instructions(pdf format), to set up your VPN client on either a MAC or a PC.

MAC OS
File:Pulse-secure-vpn-mac-os-automated-install-and-configuration.pdf - Preferrred method

File:Pulse-secure-vpn-mac-os-manual-install-and-configuration.pdf

Windows

File:Pulse-secure-vpn-windows-automated-install-and-configuration.pdf - Preferrred method

File:Pulse-secure-vpn-windows-manual-install-and-configuration.pdf

When logging into Pulse Secure VPN you will be asked for a secondary password, which is DUO secure code, depending on how you have set up DUO this will mean typing "push", "phone", "text", or entering a secure code.

Push: a DUO popup will appear on the phone setup with DUO that will ask for your Approval (recommended)
Phone: a call will be sent to the number specified and you will be asked to press a key to approve.
Text: a text message will be sent to the number specified and you will be asked to reply to approve.

Important Host/Server Names

  • consign.pmacs.upenn.edu : head node/login server ; Do NOT run jobs on consign
  • mercury.pmacs.upenn.edu : file transfer server and the server where home directories are initailized on First Login; Do NOT run jobs on mercury either
  • juneau.med.upenn.edu : VPN used to connect to the cluster. Use your PMACS ID and password to login into the VPN.
    • But first see note about the VPN (above).

First Login

Temporary Password Change

All PMACS accounts are provisioned with a temporary password. Before you can log into the PMACS cluster for the first time, you will need to change this temporary password. Change of the temporary password and enrollment into the PMACS password reset system can be done here

Initialize your home area

  • With the newly changed password log into the file transfer host: mercury.pmacs.upenn.edu
  $ ssh <your_user_name>@mercury.pmacs.upenn.edu

Remember to replace <your_user_name> above with your PMACS ID. Note that your PMACS ID is identical to your Pennkey username.

  • Upon login, you will see a message similar to
 
 Creating home directory for <user_name>
  • You are now ready to start using the PMACS HPC cluster. Open a new terminal session :
 
  $ ssh <your_user_name>@consign.pmacs.upenn.edu

Remember to replace <your_user_name> above with your PMACS ID.

Once your home area has been initialized, you are ready to begin using the PMACS cluster. Do NOT attempt to run jobs on mercury.pmacs.upenn.edu or submit jobs from mercury.pmacs.upenn.edu. Please look at the PMACS HPC Users Guide for more information on how to run jobs on the PMACS cluster.

File transfer to and from the HPC

Transferring data to/from the PMACS HPC cluster is done with program that supports the SSH v2 protocol. Programs like SCP, sFTP, rsync, WinSCP, Filezilla etc. are all supported.

All file transfer operations to/from the PMACS HPC cluster must be done via the dedicated file transfer server: mercury.pmacs.upenn.edu

File transfer using command line tools


Poplar command line programs for file transfer include SCP, sFTP, rsync, PSCP etc.

The following examples show how to transfer data (in this case, a file named "test") from a laptop/desktop computer to the PMACS HPC using the rsync program via the file transfer server: mercury.pmacs.upenn.edu

Be sure to replace "PMACSUSER" in the command below with your PMACS userid

% rsync -av test PMACSUSER@mercury.pmacs.upenn.edu:~/

File transfer using graphical tools


Popular command line programs for file transfer include WinSCP, FileZilla, MobaXTerm, etc.

The image below shows the settings to use in FileZilla, for file transfer to the PMACS HPC via the file transfer server: mercury.pmacs.upenn.edu Be sure to replace "PMACSUSER" in the image below with your PMACS userid

Filezilla

File upload mercury1.png

MobaXTerm

Moba5.PNG

MobaXTerm also supports SFTP during an SSH session. If you are connected to mercury.pmacs.upenn.edu via SSH, you can still easily upload and download files to your home directory.

Select SFTP on the left-hand side, as seen by the arrow in the image below.

Moba6.png

You can then download selected files or upload files from your computer via the "Upload" and "Download" buttons, as shown in the image below.

Moba6.1.png

Enrollment into the PMACS Password Reset system


All PMACS account passwords are set to expire every 180 days. To avoid your password from expiring and possibly preventing access to the PMACS cluster, all cluster users are encouraged to enroll into the reset system. The password reset application can be accessed here. Once enrolled, this system will also allow you to recover forgotten PMACS passwords and reset known/expired PMACS passwords.

Optional Section: Instructions for generating Public-Private keypairs


For added convenience and security, Public-Private Keys may be used for SSH connections to the PMACS cluster.

On Mac OS X and GNU/Linux systems, run the following command from within a terminal and follow the on-screen instructions. Please DO NOT copy-paste. Read each command and run the command on your own:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key ($HOME/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in $HOME/.ssh/id_rsa.
Your public key has been saved in $HOME/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx asrini@
The key's randomart image is:
+--[ RSA 2048]----+
|          .      |
|       kjweo     |
|        x B E x  |
|         * B l + |
|        S +aser .|
|           + +   |
|          . weq  |
|           . x 12|
|            45+  |
+-----------------+

On Windows machines you can generate and use PublicKeys with MobaXTerm. Select MobaKeygen from the "tools" menu.

Moba7.png

Generate a new keypair.

Moba7.2.PNG

Congratulations, you have generated a new Public/Private keypair! You may want to save them for future usage. You can also copy and paste the Public key into your .ssh/authorized_keys

Moba7.3.PNG

After generating a Public-Private keypair, copy the contents of the .ssh/id_rsa.pub file to a file named .ssh/authorized_keys in your home area on the PMACS cluster.


INSTRUCTIONS BELOW, TO COPY PUBLIC KEYS, INDICATE USING THE HEAD NODE. YOU CAN ALSO USE OUR DEDICATED FILE TRANSFER NODE: mercury.pmacs.upenn.edu

[$USER@consign ~]$ if [ ! -d $HOME/.ssh ]; then mkdir -m 700 $HOME/.ssh; fi 

[$USER@consign ~]$ vim .ssh/authorized_keys

One SSH public key per line; save and close the file

Then change the permissions on the file:

[$USER@consign ~]$ chmod 600 .ssh/authorized_keys 


INSTRUCTIONS ABOVE, TO COPY PUBLIC KEYS, INDICATE USING THE HEAD NODE. YOU CAN ALSO USE OUR DEDICATED FILE TRANSFER NODE: mercury.pmacs.upenn.edu

More VPN Info


The screenshot below describes how to use the HPC VPN on MacOS systems:

PMACS VPN OSX setup.png


Below are screenshots that describe how to use the HPC VPN on GNU/Linux systems:

Forticlient1-1.png

If presented with a warning message indicating that the SSLVPN certificate is invalid, click "Continue" as it can be safely ignored.

Forticlient2.png


Forticlient3.png

Other Pages