LC Hotline: 2-4531

From offsite: (925) 422-4531

 

Hours

Monday–Friday
8am–12pm, 1–4:45pm
B453 R1103 | Q-clearance area

 

Technical Bulletin #513 RZ Token & Login Behavior Change

The RZ CRYPTOCard token assigned to you by Lawrence Livermore National Laboratory, used for logins to LLNL OCF (Unclassified) Restricted Zone (RZ) Systems, is being replaced with a new and different RZ RSA SecurID token. Your new token will be mailed to you in January, 2017.

Date Action
Now Set your RZ RSA SecurID token PIN.

NOTE:  If you have an LLNL RSA SecurID token (i.e., used for the CZ),
don’t set your RZ PIN to the same value used with that token.

Feb 1st, 2017 at noon

Actual cutover to using RZ RSA SecurID token for access to LC RZ systems. CryptoCard no longer accepted.

RECOMMENDED ACTION → To prepare for the change, please set a PIN and test your new RZ RSA token at https://rzotp.llnl.gov (select Token > Use CRYPTOCard to Set PIN menu option). Please note that even though you have set a PIN value for your new RZ RSA SecurID token, it will not be usable until LC changes authentication from Cryptocard to RZ RSASecurID (see below).  You will still be able to test your PIN and RZ RSA SecurID token at the web site above.

The switch to using the RZ RSA SecurID token is scheduled for Wednesday, February 1, 2017 at 12:00pm. After this date and time, your logon with RZ CRYPTOCard PIN and token as the password will no longer be supported. To prevent loss of access to LC RZ systems it is important that you set a PIN and test your new RZ RSA token prior to this date. If you haven’t done so, then you will need to set a PIN before attempting your logon into any RZ System.

LOGIN BEHAVIOR AFTER CUTOVER → After the cutover at 12:00 PM on February 1:

  • Access to RZ clusters will still require going through the RZ gateway, just like today.

  • All current uses of the CryptoCard will be replaced with the RZ RSA token.

  • In addition, the back-end RZ resources (rzzeus, rzalastor, etc) that today require LLNL RSA authentication will instead require RZ RSA authentication.

In short, the only form of one-time password required to access any RZ resource after noon on February 1 will be the new RZ RSA pin + token.

RZ Access Details

Based on “Accessing the Collaboration and Restricted Zones” (https://computing.llnl.gov/?set=access&page=zone_access)

From To Now Starting Feb. 1st, 2017 at noon
CZ Machines RZ Machine Not permitted. Not permitted.
rzfis,
rzfastfis,
rztapefis
Not permitted. Not permitted.
rzstage Not permitted. Not permitted.
rzarchive
rzstorage
Not permitted. Not permitted.
rzlc.llnl.gov web pages Not permitted. No permitted.
From To Now Starting Feb. 1st, 2017 at noon
LLNL Desktops RZ Machine

SSH to rzgw.llnl.gov with CRYPTOCard, then SSH to RZ machine with RSA token.

SSH to rzgw.llnl.gov with RZ RSA PIN+tokencode, then SSH to RZ machine with RZ RSA PIN+tokencode.

rzfis,
rzfastfis,
rztapefis

RZ users only. FTP to host; authenticate with CRYPTOCard.

RZ users only. FTP to host; authenticate with RZ RSA PIN+tokencode.

rzstage

RZ users only. Use SFTP, SCP or Hopper; FTP not permitted. Authenticate with CRYPTOCard. Refer to Technical Bulletin 469.

RZ users only. Use SFTP, SCP or Hopper; FTP not permitted. Authenticate with RZ RSA PIN+tokencode. Refer to Technical Bulletin 469.

rzarchive
rzstorage

RZ users only. FTP to rzarchive or rzstorage; authenticate with CRYPTOCard.

RZ users only. FTP to rzarchive or rzstorage; authenticate with RZ RSA PIN+tokencode.

rzlc.llnl.gov web pages

Authenticate with CRYPTOCard.

Authenticate with RZ RSA PIN+tokencode.

From To Now Starting Feb. 1st, 2017 at noon
RZ Machines RZmachine

SSH with RSA token; SSH keys permitted.

SSH with RZ RSA PIN+tokencode; SSH keys permitted.

rzfis
rsfastfis
rztapefis

FTP to host; authenticate with CRYPTOCard.

FTP to host; authenticate with RZ RSA PIN+tokencode.
rzstage N/A. N/A.
rzarchive
rzstorage

N/A. Use FTP to storage.

N/A. Use FTP to storage.
rzlc.llnl.gov web pages

Authenticate with CRYPTOCard.

Authenticate with RZ RSA PIN+tokencode.

From To Now Starting Feb. 1st, 2017 at noon
External Internet RZ Machine VPN required. SSH to rzgw.llnl.gov with CRYPTOCard, then SSH to RZ machine with RSA token. VPN required. SSH to rzgw.llnl.gov with RZ RSA PIN+tokencode, then SSH to RZ machine with RZ RSA PIN+tokencode.
From To Now Starting Feb. 1st, 2017 at noon
LANL, Sandia Machines RZ Machine

Begin on a LANL/Sandia iHPC login node. For example, at Sandia startfrom ihpc.sandia.gov; at LANL start from ihpc-gate1.lanl.gov.

ssh -l llnl-username rzgw.llnl.gov
Password: LLNL PIN + CRYPTOCard

on rzgw:
kinit sandia-username@dce.sandia.gov
or
kinit lanl-username@lanl.gov
Enter Sandia/LANL kerberos password
ssh loginmachine
No password required

 

Begin on a LANL/Sandia iHPC login node. For example, at Sandia startfrom ihpc.sandia.gov; at LANL start from ihpc-gate1.lanl.gov.

ssh -l llnl-username rzgw.llnl.gov
Password: LLNL RZ RSA PIN+tokencode

on rzgw:
kinit sandia-username@dce.sandia.gov
or
kinit lanl-username@lanl.gov
Enter Sandia/LANL kerberos password
ssh loginmachine
No password required

For additional information including a Frequently Asked Questions list, see https://rzotp.llnl.gov/otp/cgi-bin/faq.cgi
If you have trouble with your existing or replacement tokens contact the LC Hotline for assistance.

What to Do With Your CRYPTOCard Token After Feb. 1, 2017

Place the token(s) in a sealed envelope and return via
onsite or offsite mail:

Onsite Laboratory mail to:
LC Customer Service Group, L-63

Offsite Mailing Address:
LC Customer Service Group
Lawrence Livermore National Laboratory
P.O. Box 808, L-63
Livermore, CA 94551-9900

If you are unable to return the token, dispose of the token via your local electronic waste procedure as you would with any lithium battery

Normal Return of RSA SecurID Token(s)

When you no longer need the token(s) that has been issued to you due to separation from LLNL, change in assignment, etc., you are responsible for returning them to LLNL. Place the token(s) in a sealed envelope and return via onsite or offsite mail:

Onsite Laboratory mail to:
4Help L-279

Offsite Mailing Address:
Lawrence Livermore National Laboratory
P.O. Box 808, L-279
Livermore, CA
94551-9900

PDF of TB513 for download and distribution.

LLNL-WEB-732728