HPSS Passwords
Overview
The HPSS systems use NIM and the NERSC LDAP server to create an "hpss token" for user authentication. The HPSS token does not expire and users may generate new tokens as often as they wish and old tokens will still be honored. If a user wishes to disable previously generated tokens for security reasons NERSC consultants should be contacted.
Because HPSS passwords do not expire it is only necessary to generate a password one time for continued use of HPSS. This password is placed in a .netrc file for use by HSI, HTAR, pftp, and most FTP clients.
Automatic Token Generation for use at NERSC
Connection to HPSS from a NERSC system (Franklin, Hopper, Carver, etc.) is simple. The first time you try to connect using a NERSC provided client like HSI, HTAR or PFTP you will be prompted for your NIM password which will generate a token stored in $HOME/.netrc. After completing this step you will be able to connect to HPSS without typing a password:
% hsi
Generating .netrc entry...
kantypas@auth2.nersc.gov's password:
Please note that if you have an existing $HOME/.netrc file or you are having problems connecting to either HPSS system you should remove any entries referring to "machine archive" or "machine archive.nersc.gov" for the HPSS user system -or- "machine hpss" or "machine hpss.nersc.gov" for the HPSS backups system. After you remove the entries try connecting to the HPSS system again with your NIM password and a new entry/token will be placed in your $HOME/.netrc file. If the problem persists contact NERSC account support.
Manual Token Generation for use at NERSC
Login to NIM and select "Generate an HPSS token" from the "Actions" menu. For example, see the screenshot below:
This will provide you with a token (an encrypted string) in the pale yellow highlighted box that may be used on any machine in the NERSC network by any supported HPSS client (i.e., FTP, pftp, HSI or HTAR). See below for a screenshot showing token generation:
Below the pale yellow highlighted box you are also provided with a sample .netrc file with your updated password. Creating a .netrc as shown and placing it in your home directory will enable pftp, HSI, HTAR and some FTP clients to read it upon starting a new session to HPSS and avoid the need to enter your username/password. Permission on your .netrc file should be set to 600 (chmod 600 ~/.netrc).
Token Generation for Remote Access to NERSC HPSS
To generate a string for access to NERSC HPSS from outside the NERSC network login to NIM and select "Generate an HPSS token" from the "Actions" menu. Ignore the password provided and select "Please use this link to specify a different IP address". Then enter the IP address of the system from which you wish to connect to HPSS. Note that this prefills the box with the IP address that the browser is running on and this may not be the system you intend to access HPSS from. Enter the correct IP address and select "Generate Token". See the screenshot below showing the screen to enter the IP address:
This will provide you with a password (an encrypted string) in a pale yellow highlighted box that may be used by on any machine within the same class C network as the IP address provided. You may place the encrypted string in a .netrc file for HSI or HTAR to read. This will avoid the need to enter your usename/password. A sample .netrc file with your correct password will be provided below the pale yellow hightlighted box.
