Access Prerequisites
Follow this table to determine what is needed to access classified (SCF), unclassified Collaboration Zone (OCF-CZ) and unclassified Restricted Zone (OCF-RZ) Livermore Computing (LC) systems.
Going to | SCF | SCF | SCF | OCF-CZ | OCF-CZ | OCF-CZ | OCF-RZ | OCF-RZ | OCF-RZ | OCF-RZ |
---|---|---|---|---|---|---|---|---|---|---|
Coming from | LLNL | LANL/ | Other DOE | LLNL | LANL/ | Other | LLNL | LANL | Sandia | Other |
Valid account on the LC machine(s) you wish to use (see the Accounts Web pages) | X | X | X | X | X | X | X | X | X | X |
Network connectivity from your local machine to the LC OCF or SCF network | X | X | X | X | X | X | X | X | X | X |
SSH (protocol 2) software installed on your local machine (see Using SSH) | X | X | X | X | X | X | X | X | X | X |
LLNL RSA token + PIN | X | | X | X | | X | | | | |
RZ RSA token + PIN | | | | | | | X | | X | X |
Virtual Private Network (VPN) account + VPN software | | | | | | | | X | | |
Ability to authenticate locally with credential forwarding (kinit -f)* | | X | | | X | | X | X |
* LANL/Sandia users can access LC machines on the SCF, CZ and RZ using their local credentials. See the instructions under Logging in to LLNL Machines.
Accessing the Collaboration and Restricted Zones offers tips for accessing the CZ and RZ from your desktop or an LC CZ/RZ machine.
Available Resources
LC provides unclassified Open Computing Facility (OCF) and classified Secure Computing Facility (SCF) high performance computing (HPC) resources.
Most information about Los Alamos HPC and Sandia HPC resources requires LANL/Sandia authentication. Request access through Sarape.
OTP (One-Time Passwords, a.k.a. Tokens) for CZ, RZ, and SCF
OCF and SCF users (except for LANL and Sandia on the SCF) authenticate using a PIN and an LLNL RSA token/one-time password (OTP). Additionally, OCF RZ users require a PIN and an RZ RSA token passcode. The LC Hotline will send you an LLNL RSA token and/or RZ RSA token when you are given an account. When you receive your LLNL RSA/RZ RSA token, you must enable it before you can log in. Instructions are provided with your account notification e-mail.
The same RSA token is used for both CZ and SCF; however, a different PIN is used for each network. RSA token information can also be found on the One-Time Password Toolkit page, including token diagnostics and testing.
For specifics on using an RZ RSA token, refer to Technical Bulletin 513, RZ Token and Login Behavior Change. From the RZ Token Self-Help Website, you may change your PIN or resync your RZ RSA token.
SSH and VPN Access
Using SSH to Access LC Machines
Secure Shell (SSH) is the only login method for LC systems. SSH includes SCP or SFTP for file transfers between hosts. For more information on SSH and SCP, SSH access modes, RSA authentication, and how-tos, see the Secure Shell section of the Introduction to Livermore Computing Resources.
Consult the directions for Connecting to LC Machines with X-Win32 for first-time setup and routine connections via X-Win32 on a Windows PC.
Use the Setting Up SSH Keys guide if you want to access LC production machines using passwordless authentication (only permitted between LC machines).
Currently, LC requires all SSH access to be compatible with SSH protocol 2.
For February 2023 changes to git-over-ssh, see https://hpc.llnl.gov/technical-bulletins/bulletin-552
Virtual Private Network (VPN) Access
VPN access is provided for off-site, unclassified access to LC RZ machines. It is required for the following types of access:
- Employees at home, on travel, or working off-site.
- Non-employees and collaborators (such as the ASC Alliances) who are physically located outside of LLNL, while using RZ systems.
- LANL and Sandia users when they are not physically at their lab.
Connecting to LC Machines with X-Win32
The instructions below show how to set up an X-Win32 connection to LC machines.
X-Win32 can be installed on LLNL Windows systems via the LANDesk Software Portal. For assistance with license keys, see the answers.llnl.gov article "How to: Manually add license to X-Win32".
1. Click on the Windows Start Logo, start typing "x-win32" and click on the X-Win32 Desktop app.
2. The X-Win32 Configuration dialog box should appear. Make sure that you are on the "Connections" tab. Then click the "Manual" button to set up a connection. Note: You can also select the Wizard button to be led through the process step by step.
3. A Connection Method dialog box will appear. Select "ssh" and then Next.
4. In the New Connection dialog box, set up your connection.
- Connection Name: the name you want to call this connection, usually the name of the machine
- Host: the actual name of the machine; include the .llnl.gov suffix if you are connecting from outside the LLNL domain
- Login: your LC username
- Command: /usr/bin/xterm, with your choice of xterm options (see the man page)
- Password: leave blank
- Confirm Password: leave blank
Then click the Save button.
5. You should now see your new connection in the X-Win32 Configuration dialog box. If not, click the My Connections toggle to expand the list. Then select your connection and click the Launch button.
6. You may see the Update Host Key dialog box. Click the Accept button to proceed.
7. When prompted for a password, enter your LC PIN + OTP token passcode combination.
8. If all went well, you should then see a terminal window appear and you will be logged into the machine for this connection.
Setting Up SSH Keys
Secure Shell (SSH) is used to make a secure connection to LC's production machines. By setting up SSH keys, you can access LC production machines using passwordless authentication. Use of SSH keys is only permitted between LC machines and not from outside the LC network or from desktop office machines.
By default, SSH will authenticate in secure password mode (i.e., when host1 does an SSH to host2 and is prompted for a userid and password, the information will be sent in encrypted form to host2). That way, passwords cannot be "sniffed" or sent "clear text" over the network.
One of the features of SSH is that it allows you to bypass this usual login method (userid/password) by setting up RSA authentication keys.
The RSA key authentication methods allow you to optionally:
- Improve security even more by requiring a login passphrase, which can be much longer than a typical UNIX password.
- Relax the need to enter a userid/password. Obviously, there are known security risks with this convenience.
Creating RSA keys with OpenSSH is a one-time process that can be done as follows:
- Execute ssh-keygen -t rsa -b 4096
- When prompted, enter a passphrase if you want improved security. If you want the convenience of being able to SSH into other LC OpenSSH machines without entering a userid/password, don't enter anything.
- After the command completes, cd to your .ssh directory and copy the file that ends in .pub to a file named authorized_keys. This is your public key. For example: cp id_rsa.pub authorized_keys
- Because all OCF/SCF machines share the same home directory, you don't need to copy your public key file to each host.
- Make sure that your .ssh files are readable only by you.
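The key-creation steps above as a script, added here as an example (it is not LC's own tooling, and the function names are hypothetical). It appends to authorized_keys instead of copying over it, applies owner-only permissions, and lists anything in the directory that is too open or any private key that loads with an empty passphrase.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not LC tooling.

# lc_setup_key DIR [ssh-keygen options...]
# Creates DIR/id_rsa (4096-bit RSA) and authorizes its public half.
# With no extra options ssh-keygen prompts for the passphrase; pass -N ''
# only for a deliberately passphrase-less key (-N is visible in ps output).
lc_setup_key() (
    dir=${1:-$HOME/.ssh}
    [ $# -gt 0 ] && shift
    umask 077                                   # new files are owner-only
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ -e "$dir/id_rsa" ]; then
        echo "refusing to overwrite $dir/id_rsa" >&2
        return 1
    fi
    ssh-keygen -q -t rsa -b 4096 -f "$dir/id_rsa" "$@" || return 1
    # Append rather than cp, so keys that are already authorized are kept.
    cat "$dir/id_rsa.pub" >> "$dir/authorized_keys"
    chmod 600 "$dir/id_rsa" "$dir/authorized_keys"
)

# Print every entry under DIR that group or others can read, write or enter.
lc_loose_perms() {
    find "${1:-$HOME/.ssh}" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print private keys in DIR that load with an empty passphrase.
# Keys whose file permissions are too open are refused by ssh-keygen and
# are reported by lc_loose_perms instead.
lc_unprotected_keys() {
    for pub in "${1:-$HOME/.ssh}"/*.pub; do
        key=${pub%.pub}
        [ -f "$key" ] || continue
        if ssh-keygen -y -P "" -f "$key" </dev/null >/dev/null 2>&1; then
            echo "$key"
        fi
    done
}
```

Run lc_setup_key with no arguments to work on ~/.ssh and be prompted for a passphrase; the two audit functions print nothing when the directory is clean.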
More about SSH at LC
For a more in-depth treatment of SSH at LC, check out this Confluence page on the subject.
Logging in to LLNL Machines
Login methods vary, depending upon where you are coming from and where you want to go.
The instructions below assume that the Access Prerequisites have been met. All access requires SSH (version 2) as described in Using SSH to Access LC Machines.
Accessing the Collaboration and Restricted Zones offers tips for accessing the CZ and RZ from your desktop or from an LC CZ/RZ machine.
Logging in to LLNL OCF (Unclassified) Collaboration Zone (CZ) Systems | |
---|---|
From Inside LLNL | ssh loginmachine |
From LANL/Sandia | Begin on a LANL/Sandia iHPC login node. For example, at LANL start from ihpc-gate1.lanl.gov; at Sandia start from ihpc.sandia.gov. If in doubt, get a forwardable Kerberos credential by authenticating with the kinit -f command. ssh -l lc-username loginmachine.llnl.gov (no password required). -o ServerAliveInterval=60 -o ServerAliveCountMax=30 |
From Outside LLNL | ssh -l lc-username loginmachine.llnl.gov (User ID: LC Username; Password: LLNL PIN + LLNL RSA token) |
Logging in to LLNL OCF (Unclassified) Restricted Zone (RZ) Systems | |
From Inside LLNL | ssh loginmachine |
From LANL | Start from ihpc-gate1.lanl.gov. If in doubt, get a forwardable Kerberos credential by authenticating with the kinit -f command. Execute the reticket command: [moniker@ihpc-gate1 ~]$ reticket Need to generate Turquoise Kerberos ticket... Enter OTP Token Value: < LANL CryptoCard token value > Then connect to an LC cluster in the RZ zone using your LC username: ssh -l lc-username loginmachine.llnl.gov (no password required). -o ServerAliveInterval=60 -o ServerAliveCountMax=30 |
From Sandia | Start from ihpc.sandia.gov. Connect directly to the RZ login machine using your LC username and RZ credentials: ssh -l lc_username loginmachine.llnl.gov (Password: PIN + RZ RSA token). Note: If you experience session time-outs due to inactivity, try adding the following two options to your SSH command: |
From Outside LLNL | Start VPN (NOTE: if unfamiliar with how to VPN, see https://access.llnl.gov/vpn/) |
Logging in to LC.llnl.gov Web: Confluence / Jira / GitLab | |
From Inside LLNL | User ID: OUN. CZ Confluence, Jira, and GitLab will all share an authentication session, i.e., signing in to one will get you into the others without any additional authentication. For users with multiple LC identities, such as service user accounts, the login process will now include a separate step to select the LC identity you wish to log in with. MyLC and JupyterHub currently require a separate authentication using LC Username and LLNL PIN + LLNL RSA token. |
From LANL/Sandia | The new login page will have a OneID button which leads to the local site's OneID page, allowing authentication with site MFA. CZ Confluence, Jira, and GitLab will all share an authentication session, i.e., signing in to one will get you into the others without any additional authentication. For users with multiple LC identities, such as service user accounts, the login process will now include a separate step to select the LC identity you wish to log in with. |
From Outside LLNL | Browse to lc.llnl.gov. You'll need to log in to a "pre-login" page first, and then the LC login page itself. Both use your OUN + LLNL RSA token. User ID: OUN |
Logging into RZLC.llnl.gov Web: Confluence / Jira / GitLab | |
From Inside LLNL or Sandia | User ID: OUN |
From LANL | The new login page will have a button pointing to LANL's OneID page, allowing authentication with LANL MFA. |
From Outside LLNL | Start VPN (NOTE: if unfamiliar with how to VPN, see https://access.llnl.gov/vpn/). After VPN has been initiated, log in to RZ.llnl.gov. User ID: LC Username |
Logging into LLNL SCF (Classified) Systems | |
From Inside LLNL | ssh loginmachine (User ID: LC Username; Password: SCF PIN + LLNL RSA token) |
From LANL | Connect to the classified HPC system, redcap. Run kinit -f, then ssh to an LC cluster using your LC username: ssh -l lc-username loginmachine.llnl.gov |
From Sandia | Connect to local, classified HPC system. Run kinit -f, then ssh to an LC cluster using your LC username: ssh -l lc-username loginmachine.llnl.gov |
Other DOE Sites | ssh loginmachine.llnl.gov (User ID: LC Username; Password: SCF PIN + LLNL RSA token) |
Logging into SCF Web / Atlassian | |
From LLNL | User ID: LC Username |
From LANL/Sandia | LANL users: authenticate with your lanl-username@lanl.gov and your LANL secure CryptoCard password. Sandia users: authenticate with your sandia-username@dce.sandia.gov and your Sandia secure CryptoCard password. NOTE: If you are logging in to GitLab, LANL/Sandia users need to use their LC Username, rather than their local username. You will still use your LANL/Sandia CryptoCard password. |
From Outside of Tri-Labs | User ID: LC Username |
Login Nodes
Whenever you log in to an LC system, you are placed onto a login node. These nodes are dedicated to serving interactive activities such as file editing, launching batch jobs, compiling, file transfer, debugging, and other short duration activities. At any one time, there may be multiple users on a login node.
These nodes should not be used to run parallel and/or production jobs! By doing so, you may seriously degrade the performance of others' interactive work. Be sure to use nodes designated for interactive or batch production work to run jobs.
For more information about the differences between login nodes and nodes designated for production work, please see the Login Nodes section of the "Introduction to Livermore Computing Resources" tutorial and the Running Jobs page on this HPC site.
Logging Into LANL/Sandia Machines
Classified systems: both LANL and Sandia classified Tri-lab systems support Kerberos passwordless SSH access from LLNL.
Unclassified systems: access methods vary between Sandia and LANL.
Please consult the Sandia Access Instructions or the LANL Access Instructions for details.
File Transfers
Files may be transferred using Hopper, SCP, FTP, SFTP, NFT, HSI, or HTAR. For more details, see the File Transfer and Sharing section of Introduction to Livermore Computing Resources.
Miscellaneous Access Topics
X Terminal Control
For an X client (such as the TotalView debugger) to display on an X-display server (such as your X terminal or workstation), the client must be authorized to connect to the server. XAUTH offers an alternative way to manage this authorization.
Remote Access
An approved Remote Access Request is required for U.S. citizen collaborators (non-LLNL collaborators sponsored by an LLNL employee) for the following remote access accounts: VPN-C, VPN, VPN-B. Requests for remote access are made through the EZid Identity Management System.
Foreign Nationals at LLNL
There are additional access policies and restrictions for Foreign Nationals. See Foreign Nationals at LLNL for details.
Shared Office Facilities
Shared office facilities provided by Livermore Computing are available in Building 453 (authenticated users can visit Shared Office Policies on myconfluence.llnl.gov for specifics of location and policies). The shared offices have workstations that permit access to both the classified (SCF) and unclassified (OCF) networks. They are intended for users that do not have access to the SCF network from their own offices and need a temporary location from which to work. OCF network access is provided primarily as a convenience. For general information regarding access to and use of the shared office facilities, contact the LC Hotline at lc-support@llnl.gov or 422-4531.
Additional Information
- Introduction to LC Resources tutorial covering most topics of interest to new users.
- LC OCF CZ Machine Status displays which LC CZ machines are up or down, machine load and usage information, and machine announcements.
- LC OCF RZ Machine Status displays which LC RZ machines are up or down, machine load and usage information, and machine announcements.
- Messages of the day are listed after you log in to any machine. They are specific to a machine.