Here you can find a guide on how to use the resources at CNAF-INFN.

If you have questions/suggestions, please send an email to user-support<AT>

Frequently Asked Questions

How to get an account at CNAF

For any problem, please send an email to or to

How to install and use a personal certificate

Using Tier1 computing and storage resources through the grid tools requires a personal certificate; it is not needed when using resources locally. A personal certificate can be obtained from:

    • Once on the web page, you will be asked to insert the Identity Provider in order to authenticate. If you are an INFN user, just type “INFN” and you will be able to select “INFN – National Institute for Nuclear Physics”. All other users have to select the Identity Provider associated with their institute.
    • Click on “Start single sign-on” and you will be redirected to INFN Identity check web page where you can enter your INFN AAI credentials.
    • In order to obtain a TERENA pk12 certificate, you have to select Grid Premium in the drop-down menu named “Product”.
    • By clicking on “Request Certificate” the certificate will be saved into your browser, from where you can download your certificate in .p12 format. You will also be able to download the certificate as a .zip file. For example in Firefox just go to Preferences -> Privacy & Security -> Certificates -> View Certificates, then double-click on your certificate and click on Details -> Export.

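Once you have obtained the pk12 certificate (hereafter cert.p12), it must be split into the public certificate and the private key, which go in a .globus folder inside the user's home directory on the User Interface (UI). The commands are:

cd "$HOME"
mkdir -p .globus
cd .globus
# Extract the user certificate (public part), leaving the private key out
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
# Extract the private key; openssl asks for a pass phrase to encrypt it
openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
# Certificate: owner read/write only. Private key: owner read-only.
chmod 600 usercert.pem
chmod 400 userkey.pem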


The files must have the following permissions:

-rw------- 1 tentids darkside 1793 Jan 14 14:23 usercert.pem
-r-------- 1 tentids darkside 2002 Jan 14 14:23 userkey.pem


In order to transfer files or submit jobs using a Virtual Organization (VO), first generate a proxy with VOMS extensions using the command:

voms-proxy-init --voms <vo name>


To check that the proxy carries the right VOMS extensions, use the command:

voms-proxy-info --all


The output should be something like:

subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Matteo Tenti/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Matteo Tenti
identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Matteo Tenti
type : full legacy globus proxy
strength : 1024
path : /tmp/x509up_u44006 
timeleft : 11:59:56
key usage : Digital Signature, Key Encipherment, Data Encipherment 
=== VO virgo extension information ===
VO : virgo
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Matteo Tenti
issuer : /C=IT/O=INFN/OU=Host/L=CNAF/
attribute : /virgo/Role=NULL/Capability=NULL 
timeleft : 11:59:56 
uri :


If the bold part (the VO extension information) is not present, or the timeleft there is zero, the proxy does not have the VOMS extensions and has to be regenerated.
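The check described above can be scripted before submitting jobs. The following is an added example, not CNAF code: the function names `check_voms_proxy` and `sample_proxy_output` are hypothetical, the sample output is constructed, and the check goes slightly beyond the text by also accepting a minimum remaining lifetime in seconds.

```shell
#!/bin/sh
# Added example (not CNAF code): judge `voms-proxy-info --all` output on stdin.
# Usage:  voms-proxy-info --all | check_voms_proxy <vo name> [min seconds left]
# Return: 0 = usable, 1 = no extension for that VO, 2 = extension expired or too short
check_voms_proxy() {
    awk -v vo="$1" -v min="${2:-0}" '
        # "=== VO virgo extension information ===" opens the section of one VO
        /^=== VO .* extension information ===/ {
            in_ext = ($3 == vo)
            if (in_ext) found = 1
            next
        }
        # Only the timeleft inside that section is the lifetime of the extension;
        # the timeleft printed before it belongs to the proxy itself.
        in_ext && $1 == "timeleft" {
            split($3, t, ":")
            left = t[1] * 3600 + t[2] * 60 + t[3]
            seen = 1
        }
        END {
            if (!found) exit 1
            if (!seen || left <= min) exit 2
        }'
}

# Constructed sample output (placeholder DN); $1 sets the extension timeleft.
sample_proxy_output() {
    cat <<EOF
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Example User/CN=proxy
identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Example User
timeleft : 23:59:56
=== VO virgo extension information ===
VO : virgo
attribute : /virgo/Role=NULL/Capability=NULL
timeleft : ${1:-11:59:56}
EOF
}

if sample_proxy_output | check_voms_proxy virgo 3600; then
    echo "VOMS extension present with more than one hour left"
fi
```

A non-zero return means the proxy should be regenerated with voms-proxy-init before transferring files or submitting jobs.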

Proxy renewal

The proxy renewal mechanism is based on proxy delegation: a long-term proxy is stored on a dedicated server, the so-called MyProxy server (e.g. here at CNAF), and is used to create a new short-term proxy before the old one expires.

Even though a proxy can be created with an arbitrary lifetime, delegation is necessary because its VOMS extensions have a limited lifetime, decided by the VO.

Job submission to WMS (glite-wms-job-submit)

  • Create a proxy (e.g., for the Xenon VO)
    • voms-proxy-init --voms <vo name>
  • Create and store a long-term proxy on the MyProxy server
    • myproxy-init --voms <vo name> -s <myproxy_server> -d -n
    • Default lifetime: 168 hours (7 days). Can be changed with -c, e.g. for 10 days:
    • myproxy-init --voms <vo name> -s <myproxy_server> -d -n -c 240
  • In the jdl of the job, specify the hostname of the MyProxy server.
    • MyProxyServer = < string >
    • E.g.: MyProxyServer = “”
  • Useful commands:
    • myproxy-info -s <myproxy_server> -dv
    • myproxy-destroy -s <myproxy_server> -d

Job submission to CE (glite-ce-job-submit)

  • Create a normal proxy
    • voms-proxy-init --voms <vo name>
  • Delegate it:
    • glite-ce-delegate-proxy -e test
    • In the example above, the string “test” gives the name of the delegated proxy
  • Submit the job using the reference to the delegated proxy credentials (-D flag)
    • glite-ce-job-submit -v -D test -r job.jdl
  • In order to renew delegations:
    • glite-ce-proxy-renew -e test
    • More information available here
    • A password is required and has to be manually inserted.

Nota bene: each job is associated with the proxy that was on the UI at the time of job submission.


Local job submission

LSF9 (IBM Platform LSF Standard, Feb 1 2015) is used as batch system (manual, useful references) in our farm.

The most useful commands are the following:

  • bsub for job submission
    • -o to redirect stdout to file
    • -e to redirect stderr to file
    • -f to transfer a file from local machine to worker node before job execution (“local > node”) or from worker node to local machine after job execution (“local < node”)
    • -q to specify the name of the queue where the job is submitted
  • bqueues for checking the status of the queues
  • bjobs for checking the status of the jobs

GFAL 2 utilities for data management

Have a look at this page for a description of useful GFAL2 commands for data management.

How to use the HPC cluster (INFN users only)

How to join CDG meetings

CDG meetings (Comitato di Gestione del Tier-1) are typically held once a month, and announced via email. If you want to be informed about CDG meetings, please send an email to

CDG minutes and slides are available in agenda.

At CNAF, the meeting room is “Valerio Venturi”.

Remote participation is possible, following the instructions sent via mail.

CDG monthly reports

Monthly reports presented at Tier1-CdG meetings are available in the agenda.

How to enter the CNAF VPN

To use CNAF VPN, one has to point to and to follow the installation of the client.

  • If you have a CNAF certificate then you can use it to enter the VPN;
  • if you do not have a CNAF certificate, then you must use a username and a password. The account must be requested with a mail to net @

When you update your personal certificate, in the Cisco AnyConnect client text field please insert You should then select the personal certificate that will be used by the client for future connections.

How to configure EDUROAM/INFN-dot1x

The procedure to configure eduroam or INFN-dot1x is the same. You just need to select the desired network between the two.

Whatever your operating system, during the setup you need to provide a username and password which are specific to eduroam or INFN-dot1x, and which you have to request from your computing center. The username is always in the form

Instructions for Windows XP users

Instructions for Windows 7 users

Instructions for Windows 8 users

Instructions for MacOS X 10.5.x (Leopard) users

Instructions for MacOS X 10.6.x and 10.7.x (Lion) users

Instructions for Linux users


How to book/join a phone conference or a video conference

Please have a look at this page.