The RZ CRYPTOcard token assigned to you by Lawrence Livermore National Laboratory, used for logins to LLNL OCF (Unclassified) Restricted Zone (RZ) Systems, is being replaced with a new and different RZ RSA SecurID token. Your new token will be mailed to you in January, 2017.
Date | Action |
---|---|
Now | Set your RZ RSA SecurID token PIN. NOTE: If you have an LLNL RSA SecurID token (i.e., used for the CZ), |
Feb 1st, 2017 at noon | Actual cutover to using RZ RSA SecurID token for access to LC RZ systems. CRYPTOcard no longer accepted. |
RECOMMENDED ACTION → To prepare for the change, please set a PIN and test your new RZ RSA token at https://rzotp.llnl.gov (select Token > Use CRYPTOcard to Set PIN menu option). Please note that even though you have set a PIN value for your new RZ RSA SecurID token, it will not be usable until LC changes authentication from CRYPTOcard to RZ RSA SecurID (see below). You will still be able to test your PIN and RZ RSA SecurID token at the web site above.
The switch to using the RZ RSA SecurID token is scheduled for Wednesday, February 1, 2017 at 12:00pm. After this date and time, your logon with RZ CRYPTOcard PIN and token as the password will no longer be supported. To prevent loss of access to LC RZ systems it is important that you set a PIN and test your new RZ RSA token prior to this date. If you haven’t done so, then you will need to set a PIN before attempting your logon into any RZ System.
LOGIN BEHAVIOR AFTER CUTOVER → After the cutover at 12:00 PM on February 1:
- Access to RZ clusters will still require going through the RZ gateway, just like today.
- All current uses of the CRYPTOcard will be replaced with the RZ RSA token.
- In addition, the back-end RZ resources (rzzeus, rzalastor, etc.) that today require LLNL RSA authentication will instead require RZ RSA authentication.
In short, the only form of one-time password required to access any RZ resource after noon on February 1 will be the new RZ RSA PIN + token.
RZ Access Details
Based on “Accessing the Collaboration and Restricted Zones” (https://computing.llnl.gov/?set=access&page=zone_access)
From | To | Now | Starting Feb. 1st, 2017 at noon |
---|---|---|---|
CZ Machines | RZ Machine | Not permitted. | Not permitted. |
CZ Machines | rzfis, rzfastfis, rztapefis | Not permitted. | Not permitted. |
CZ Machines | rzstage | Not permitted. | Not permitted. |
CZ Machines | rzarchive rzstorage | Not permitted. | Not permitted. |
CZ Machines | rzlc.llnl.gov web pages | Not permitted. | Not permitted. |
From | To | Now | Starting Feb. 1st, 2017 at noon |
---|---|---|---|
LLNL Desktops | RZ Machine | SSH to rzgw.llnl.gov with CRYPTOcard, then SSH to RZ machine with RSA token. | SSH to rzgw.llnl.gov with RZ RSA PIN+tokencode, then SSH to RZ machine with RZ RSA PIN+tokencode. |
LLNL Desktops | rzfis, rzfastfis, rztapefis | RZ users only. FTP to host; authenticate with CRYPTOcard. | RZ users only. FTP to host; authenticate with RZ RSA PIN+tokencode. |
LLNL Desktops | rzstage | RZ users only. Use SFTP, SCP or Hopper; FTP not permitted. Authenticate with CRYPTOcard. Refer to Technical Bulletin 469. | RZ users only. Use SFTP, SCP or Hopper; FTP not permitted. Authenticate with RZ RSA PIN+tokencode. Refer to Technical Bulletin 469. |
LLNL Desktops | rzarchive rzstorage | RZ users only. FTP to rzarchive or rzstorage; authenticate with CRYPTOcard. | RZ users only. FTP to rzarchive or rzstorage; authenticate with RZ RSA PIN+tokencode. |
LLNL Desktops | rzlc.llnl.gov web pages | Authenticate with CRYPTOcard. | Authenticate with RZ RSA PIN+tokencode. |
From | To | Now | Starting Feb. 1st, 2017 at noon |
---|---|---|---|
RZ Machines | RZ Machine | SSH with RSA token; SSH keys permitted. | SSH with RZ RSA PIN+tokencode; SSH keys permitted. |
RZ Machines | rzfis, rzfastfis, rztapefis | FTP to host; authenticate with CRYPTOcard. | FTP to host; authenticate with RZ RSA PIN+tokencode. |
RZ Machines | rzstage | N/A. | N/A. |
RZ Machines | rzarchive rzstorage | N/A. Use FTP to storage. | N/A. Use FTP to storage. |
RZ Machines | rzlc.llnl.gov web pages | Authenticate with CRYPTOcard. | Authenticate with RZ RSA PIN+tokencode. |
From | To | Now | Starting Feb. 1st, 2017 at noon |
---|---|---|---|
External Internet | RZ Machine | VPN required. SSH to rzgw.llnl.gov with CRYPTOcard, then SSH to RZ machine with RSA token. | VPN required. SSH to rzgw.llnl.gov with RZ RSA PIN+tokencode, then SSH to RZ machine with RZ RSA PIN+tokencode. |
From | To | Now | Starting Feb. 1st, 2017 at noon |
---|---|---|---|
LANL, Sandia Machines | RZ Machine | Begin on a LANL/Sandia iHPC login node. For example, at Sandia start from ihpc.sandia.gov; at LANL start from ihpc-gate1.lanl.gov. Run: ssh -l llnl-username rzgw.llnl.gov; on rzgw: | Begin on a LANL/Sandia iHPC login node. For example, at Sandia start from ihpc.sandia.gov; at LANL start from ihpc-gate1.lanl.gov. Run: ssh -l llnl-username rzgw.llnl.gov; on rzgw: kinit sandia-username@dce.sandia.gov or kinit lanl-username@lanl.gov; enter Sandia/LANL Kerberos password. |
For additional information including a Frequently Asked Questions list, see https://rzotp.llnl.gov/otp/cgi-bin/faq.cgi
If you have trouble with your existing or replacement tokens contact the LC Hotline for assistance.
What to Do With Your CRYPTOcard Token After Feb. 1, 2017
Place the token(s) in a sealed envelope and return via onsite or offsite mail:
Onsite Laboratory mail to:
LC Customer Service Group, L-63
Offsite Mailing Address:
LC Customer Service Group
Lawrence Livermore National Laboratory
P.O. Box 808, L-63
Livermore, CA 94551-9900
If you are unable to return the token, dispose of the token via your local electronic waste procedure as you would with any lithium battery.
Normal Return of RSA SecurID Token(s)
When you no longer need the token(s) that has been issued to you due to separation from LLNL, change in assignment, etc., you are responsible for returning them to LLNL. Place the token(s) in a sealed envelope and return via onsite or offsite mail:
Onsite Laboratory mail to:
4Help L-279
Offsite Mailing Address:
Lawrence Livermore National Laboratory
P.O. Box 808, L-279
Livermore, CA 94551-9900