Here you can find a guide on how to use the resources at CNAF-INFN.

If you have questions/suggestions, please send an email to user-support<AT>

Frenquently Asked Questions

How to get an account at CNAF

For any problem, please send an email to or to

How to install and use a personal certificate

Using Tier1 computing and storage resources by means of the grid tools requires a personal certificate, not needed if using resources locally. A personal certificate can be obtained following the procedure outlined here.

Once obtained the pk12 certificate (hereafter cert.p12), it is necessary to split it in a public and private keys and put them in a .globus folder inside user home directory in the User Interface (UI). The commands are:

cd $HOME 
mkdir .globus 
cd .globus 
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem 
openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem 
chmod 600 usercert.pem 
chmod 400 userkey.pem

The files must have the following permissions:

-rw------- 1 username virgo 2240 May 28 2019 usercert.pem 
-r-------- 1 username virgo 2004 May 28 2019 userkey.pem

In order to transfer files or submit jobs using a Virtual Organization (VO), first generate a proxy with VOMS extensions using the command:

voms-proxy-init --voms <vo name>

We can check the right voms extensions of the proxy with the command:

voms-proxy-info --all

The output should be something like:

subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Lucia Morganti/CN=559862463
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Lucia Morganti
identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Lucia Morganti
type : RFC3820 compliant impersonation proxy
strength : 1024
path : /tmp/x509up_u21073
timeleft : 11:59:54
key usage : Digital Signature, Key Encipherment, Data Encipherment
=== VO virgo extension information ===
VO : virgo
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Lucia Morganti
issuer : /DC=org/DC=terena/DC=tcs/C=IT/ST=Lazio/L=Frascati/O=Istituto Nazionale di Fisica Nucleare/
attribute : /virgo/virgo/Role=NULL/Capability=NULL
attribute : /virgo/Role=NULL/Capability=NULL
timeleft : 11:59:54
uri :

If the bold part is not present or the timeleft there is zero, the proxy has not the voms extensions and has to be regenerated.

Proxy renewal

The mechanism of proxy renewal is based on proxy delegation: a long-term proxy is stored in a dedicated server, so called MyProxy server (e.g. here at CNAF), and is used to create a new short-term proxy before the old one expires.

Even if a proxy can be created with arbitrary lifetime, the delegation is necessary because its VOMS extensions have a limited lifetime, decided by the VO.

Job submission to WMS (glite-wms-job-submit)

  • Create a proxy (e.g., for the Xenon VO)
    • voms-proxy-init –voms
  • Create and store a long-term proxy on the MyProxy server
    • myproxy-init –voms -s <myproxy_server> -d -n
    • Default lifetime: 168 hours (7 days). Can be changed with -c, e.g. for 10 days:
    • myproxy-init –voms -s <myproxy_server> -d -n -c 240
  • In the jdl of the job, specify the hostname of the MyProxy server.
    • MyProxyServer = < string >
    • E.g.: MyProxyServer = “”
  • Useful commands:
    • myproxy-info -s <myproxy_server> -dv
    • myproxy-destroy -s <myproxy_server> -d

Jobs submission to CE (glite-ce-job-submit)

  • Create a normal proxy
    • voms-proxy-init –voms
  • Delegate it:
    • glite-ce-delegate-proxy -e test
    • In the example above, the string “test” gives the name of the delegated proxy
  • Submit job using the reference to the delegated proxy credentials (-Dflag)
    • glite-ce-job-submit -v -D test -r job.jdl
  • In order to renew delegations:
    • glite-ce-proxy-renew -e test
    • More information available here
    • A password is required and has to be manually inserted.

Nota bene: each job has associated the proxy that was on the UI at the time of job submission.


GFAL 2 utilities for data management

Have a look at this page for a description of useful GFAL2 commands for data management.

How to use the HPC cluster (INFN users only)

How to join CDG meetings

CDG meetings (Comitato di Gestione del Tier-1) are typically held once a month, and announced via email. If you want to be informed about CDG meetings, please send an email to

CDG minutes and slides are available in agenda.

At CNAF, the meeting room is “Valerio Venturi”.

Remote participation is possible, following the instructions sent via mail.

CDG monthly reports

Monthly reports presented at Tier1-CdG meetings are available in the agenda.

How to enter the CNAF VPN

To use CNAF VPN, one has to point to and to follow the installation of the client.

  • If you have a CNAF certificate then you can use it to enter the VPN.

    NOTICE: on login page click on ‘Login’ leaving empty the password field; this starts the download of Cisco AnyConnect application.

  • if you haven’t a CNAF certificate, then you must use an username and a password. The account must be requested with a mail to net @

When you update your personal certificate, in the Cisco AnyConnect client text field please insert You should then select the personal certificate that will be used by the client for future connections.

How to configure EDUROAM/INFN-dot1x

The procedure to configure eduroam or INFN-dot1x is the same. You just need to select the desired network between the two.

No matter your operating system, when doing the setup you need to provide username and password which are specific to eduroam or INFN-dot1x, and which you have to request your computing center for. The username is always in the form

Instructions for Windows XP users

Instructions for Windows 7 users

Instructions for Windows 8 users

Instructions for MacOS X 10.5.x (Leopard) users

Instructions for MacOS X 10.6.x e 10.7.x (Lion) users

Instructions for Linux users


How to book/join a phone conference or a video conference

Please have a look at this page.