The Web server

The ECaccess gateway HTTP/S interface allows Member States to manage their job submissions and file transfers from their Web browser, e.g. Firefox, Mozilla or Internet Explorer. This section gives an overview of what this interface provides and how it works. Please note that only interactive authentication as described in Security authentication is supported. The main purpose of the HTTP/S plugin is to provide easy access and monitoring for on-line users. For use from within shell scripts (batch), most of those features are also provided through the FTP plugin and are described in the previous sections.

Authentication

Assuming that the Member State ECaccess gateway (see Ecaccess concepts) runs on the server "ecaccess.meteo.ms", users connect to the application by pointing their Web browser at "http://ecaccess.meteo.ms:9080/" and will be redirected to the login page. Note that the default HTTP port number used for ECaccess is 9080.

By giving an ECMWF user identifier and a passcode, the user is authenticated and routed to a personal page; a user context is maintained for the subsequent operations from his browser. Users have the ability to request everything available from their account, until the time allocation expires or the "logout" option from the "Account" menu is selected.

Users connecting for the first time to the login page of the Web server will receive a security alert from their browser. This is normal; users have to accept the HTTP/S plugin certificate as a trusted certificate to allow the encryption of communications.

The procedure to trust the certificate depends on the browser:

• If using Internet Explorer, you will receive a security alert. You will be given an option to view the certificate. Select it, and then select the ïnstall certificate" option. Follow the instructions to install the certificate. Once you have returned to the security alert box, select the "Accept" option.
• If using Firefox or Mozilla, you will receive a security alert. Follow the instructions in the alert box to accept the certificate as certified. In the last dialogue box you will be given an option to accept this certificate for all your sessions. Select it.

Once this procedure is complete, your future connections to the HTTP/S plugin will not produce any security alerts.

Features

After successful authentication users are redirected from the login page to the main page, from which they will be provided with a menu including available operations described in this section. Note that the ECaccess gateway administrator can set up the HTTP/S plugin to secure only the login process. Therefore, when redirected from the secured login page to the unsecured main page you may receive a security alert. This is a normal message; just select the Äccept" option to continue. The main page provides the following options (organized through menu entries in the left margin): Browsing menu

• Browse files: the user can browse through his ECHOME, ECSCRATCH or ECFS files and directories.
• Delete files: users can select files to be deleted from the different places listed above.
• Copy files: users can copy files between two domains (files can be copied from an ECSCRATCH directory to an ECFS directory, for example).
• Transfer files: users can use their browser facilities to transfer files between their computer and their ECHOME, ECSCRATCH or ECFS directories; files are transferred over an FTP connection.
• Add scripts to the job list: users can select one or several scripts and add them to their job list for later submission. Users may continue browsing files, adding more scripts to their basket.
• Select scripts for submission: users can select one or several scripts for immediate submission.
• Request secure file transfers: users can select files to be sent via their transfer spool (equivalent of the TSUB command of the FTP plugin or of the ecaccess-ectrans-request Web Toolkit command or of the ectrans command on the systems at ECMWF).

Queues/Jobs menu

• Browse queues: users can browse through the ëcgate" queues to select a target queue for their next job request.
• Browse basket: users can select scripts from their basket for their next job request.
• Submit new jobs: users can specify complementary parameters related to the execution and confirmed action of their request. The application then submits the job request, which is sent to the job spool (equivalent of the JREQ command of the FTP plugin).

Monitoring menu

• Monitor job submissions: see Monitoring batch job submissions
• Monitor secure file transfers: see Monitoring ectrans file transfers
• Browse the events history: the history allows saving details (date, name and summary) concerning each event for later consultation by users themselves.

Account menu

• Access the ECtrans configuration: the user can define the mapping between his ECMWF user identifier and his local user identifiers. He can also check his available protocols.
• Request a new ECaccess Certificate: the user can download a new ECaccess Certificate (description and purpose of these Certificates are discussed in section 3).
• Logout: the user context is deleted and the browser is sent back to the login page.

Users views

The following snapshots illustrate a typical interactive session a user could have using the web interface.

Different browsers on different operating systems may have different presentations of the same page. First, under the heading "Web session", login by providing your ECMWF user identifier and your passcode. You may modify the default value of 30 minutes to a greater value, if you plan to use the service with breaks of more than 30 minutes.

Once authenticated, your browser is redirected to the main page containing the menu described in the previous section (the default option is "Browsing > ECHOME files"). To browse other directories from your home directory, select a target directory and press the "Browse" button.

To download a file from your current directory (./gribex in this case), click the transfer icon of the target file in the list. To upload a file into your current directory select the "Upload files" option and click the "I want to" button.

Click the "Browse" button and select the file (E:\fortran.txt) you want to upload to your current directory (you may repeat the operation three times if you want to transfer more than one file). Then click the "Upload local files to your target directory".

Once uploaded, a summary is printed to inform you of the size of the files uploaded. You may click the "Browse uploaded files" to return to your current directory (where your files have been uploaded).

You can see the "fortran.txt" file is now stored in your current directory. You can continue browsing directories and repeat the operation as many times as you need. To submit a job, you should first choose which system at ECMWF you want to use. To have a list of the systems at ECMWF supporting a batch service, click the "Browse queues" button.

The queues shown are known as ECaccess queues. For each of these ECaccess queues, you can click on the "show details" icon to see its associated batch queues on the system at ECMWF, e.g. below for the ECaccess queue hpcd:

To submit a new job, select the "Submit new job" option in the "Queues/Jobs" menu.

You may enter your script in the text area provided or select a script from your computer. Select the target queue ("hpcd" in this case). Note that the batch queue (or class) and other batch directives have to be included in your script. Alternatively, you can inform ECaccess that your script does not contain batch directives. In this case, default values will be used and ECaccess will fully manage your submission. Once your script is read, click the "Submit job" button to send your request to the server. The list of notifications allows you to attach your job to one event in the ECMWF operational suite. Please refer to the Web page on submission of time critical jobs for further details.

Once the job is submitted, a summary screen gives you the job identifier number of your new job request. It can be used to reference the submitted job using the monitoring interface (described in the next section). If you want to arrange a secure file transfer of the result, click the "Transfer with Ectrans after execution" button.

If required, modify the default values (gateway name, user identifier) and specify the erase option of the secure file transfer (erase option is discussed in Unattended file transfer - ectrans). Then click the "Send file(s) to your target host" to proceed.

Once it is spooled, a summary screen gives you the copy identifier number of your new transfer request. It can be used to reference the secure file transfer using the monitoring interface (described in the next section).

Ectrans setup

Before being able to launch unattended transfers from ECMWF (Unattended file transfer - ectrans) back to your site, using the command ectrans, you will have to configure an ectrans association between your ECMWF User ID and the remote system and user-id. This is done through the web interface, by clicking "ECtrans setup" from the lower left panel.

To create a new association, click the "Add association" button. Choose an Association name, "trajectory" in the example below. This is the name that will be used as association (previously know as 'msuser') with the ectrans command. Fill in the remaining info, giving the required information on your local system. In the example below, we create an association named trajectory that will be used to transfer files using ftp by default to a local system named "system.meteo.ms" as a user local_UID. The data transferred will be written into the directory /data/trajectory. The local files will have a temporary suffix ".tmp" added to their names during the transfer. Note that you can change the configuration of the ectrans association by modifying the options given in the window titled "Complementary information":

When you have entered all the information for your association, click the button "Create this MS user". A new association has been defined for you. Please note that (between all users) an association name can be defined only once per gateway. You can define more associations, e.g. to transfer files from ECMWF to different systems or other local UIDs. You can also allow other users at ECMWF to transfer files with ectrans to your association. To do this, click the "Grant Association(s)" button:

Select the association to which you want to give access to another user. Enter the ECMWF user name. Then grant the association.

The UID and name of the person you have given access to the association is now added to the list. To remove an entry from the list, click the "Remove from the list" icon on the left:

NX service

A service using the NX technology allows users to run at ECMWF X Window based applications like Metview, XCdp, or a simple xterm. The easiest way to use this service is via a web browser, see The Web server#How to connect using a web browser

It is also possible to connect using a standalone NX client application completely independent of any web browser, see The Web server#Example of session starting a standalone xterm on the supercomputer. A similar service is available through the ECaccess gateway "msaccess.ecmwf.int" and through your local gateway provided that you have installed the ECaccess gateway v3.3.0 at least.

NX allows you to run remote X Window sessions even across slow or low-bandwidth network connections, making it possible to start sessions from clients running on Windows, Linux, Mac OS X and Solaris platforms.

Thanks to exclusive X protocol compression techniques and an integrated set of proxy agents, NX improves the power of the X Window System to transparently run graphical desktops and applications through the network. Even on slow or low-bandwidth network connections, you can get a fast response thanks to the NX lazy encoding algorithm and NX capability to automatically tune itself to network bandwidth and latency parameters.

In addition NX allows having both standalone X terminal and "virtual desktops" independent of the web browser session used to start them. The windows can be minimised and the web browser can even be terminated.

For more information on NX, please see www.nomachine.com/documents/.

How to connect using a web browser

The easiest way to connect to ECMWF using the NX service is simply to go to: http://ecaccess.ecmwf.int/. You will get to a page like:

Using various drop down menus in the bottom part of the page you will be able to select the type of NX session you want to establish. Please note that your web browser needs to be Java enabled. You can connect to both ecgate and the supercomputer using the drop down menu "ECMWF server". You can select the type of network link you are using with the menu "Network link speed". This will select a number of options which should by optimal for your configuration. You can select the type of window you want to have using the "Window option" menu: if you select "floating window" you will get a single X Window application like xterm or Metview (you can choose the application using the next menu). If, instead, you select "virtual desktop" you will get a fully working desktop using the WindowMaker window manager. In this case you can select the "Virtual desktop resolution" to be either "available area" or "full screen".

Example of session starting a standalone xterm on the supercomputer

In this case you need to select "cca" as "ECMWF server", specify your type of network link (you can leave this to the default "adsl"), then select "floating window" as "Window option, leave the default "Floating window application" to "xterm" and press "Log on". This, after some windows warning about certificates and ssh key which you need to accept, will display the following page:

You will need to click on the "Continue" button to start the NX connection. The following window will appear:

This window allows you to enter your userid and corresponding passcode generated by your security token. After entering the appropriate information click on "Login" to proceed. The Java applet in the web browser will display various messages detailing the progress of the connection to ECMWF (depending on your firewall setup you may get various warning messages: you will need to authorise all sessions from anything related to NX - nxclient, nxauth, nxssh, etc) until this will be displayed in your browser:

The application you have requested to start, in this case an "xterm", should also start as a separate X based window. You can now minimise (or even close) your web browser and start using your xterm.

Example of session starting a virtual desktop on ecgate

In this case select the following (for the link speed you can leave the default "adsl"):

and press "Log on". The login process will be the same as the one described in the previous example but at the end the following window will appear:

The window manager available on this desktop is called WindowMaker. By right clicking on the mouse you will get an Application Menu which allows you to start an xterm or other X based applications. The main desktop window is a standalone X Window and can be minimised. If you prefer, you can start a virtual desktop in full screen mode by choosing the "Virtual desktop resolution" option "full screen". See WindowMaker Overview below for more details.

How to connect using a standalone NX client

In addition to using the web browser based access to ECMWF via NX described previously, you can also download a standalone NX client. To do this, you will need to install the NX client for your platform. Please note that we are aware of problems when trying to connect to ecaccess with the most recent versions of this software obtained from www.nomachine.com/download. Therefore users are currently advised not to use the latest versions available from the NoMachine website. Instead they can get the latest working version from ECMWF ftp server where NoMachine clients for Windows (nomachine-enterprise-client_5.0.53_7.exe), Linux (nomachine-enterprise-client_5.1.54_1_x86_64.tar.gz), and macOS (nomachine_4.0.369_6.dmg) are available.

The installation is quite straightforward and is described in more detail at www.nomachine.com/all-document. You can then use the "Download session file" option available through the web interface:

This URL allows you to download a complete configuration file which can be used with your standalone NX client. You can have multiple configuration files, say one for a standalone xterm on ecgate and another one for a full virtual desktop still on ecgate, and then select the appropriate one from your NX client.

Alternatively, you can use the NX client "Wizard" to setup your own configuration as described in the NX client documentation available at www.nomachine.com/documents/configuration/client-guide.php We recommend using this option for advanced users only. We also recommend that you first look at one of the configuration files which you can obtain by downloading the "session file". The first time you start the NX client the following window will appear:

You will have to click "Next" where you will be asked to enter the name of your NX session (in the example <your session>) and the host to connect to. You will have to enter the ECaccess host name "ecaccess.ecmwf.int" as host:

You will then get the following window where you can choose you type of desktop. You will need to choose "Unix" and "Custom":

Click on "Next" to get the following window:

Check the "Show the Advanced Configuration dialog" box and click the Finish button. You will get the following window:

If you then click "Ok" you will be able to start your session. In this case you will get a standalone xterm on ecgate. Depending on your firewall setup you may get various warning messages. You will need to authorise all sessions from anything related to NX (nxclient, nxauth, nxssh, etc).

If you have a new openssh installed on your machine, it might fail due to ciphers. To address this, modify in ~/.nx/config/player.cfg:
  "SSH client mode" value = "native" instead of "library".

WindowMaker overview

WindowMaker is a popular window manager for the X Window System, allowing graphical applications to be run on Unix-like operating-systems. It is designed to emulate NeXT's GUI as an OpenStep-compatible environment and has been described as "one of the most useful and universal window managers available." WindowMaker has a reputation for being fast, efficient and highly stable and is very popular among open source solutions for use on both newer and older machines. More information on WindowMaker can be found at http://en.wikipedia.org/wiki/Window_Maker and www.windowmaker.org. WindowMaker is the window manager which is used when you connect with NX to either ecgate or the supercomputer and select the "virtual desktop" option. For example, when you connect to ecgate using the virtual desktop you will get a desktop as shown here:

The main customisation which has been implemented is a specific "Application Menu" which you can obtain when right-click (opposite mouse button for left-handed mouse) on the desktop. The menus on ecgate and the supercomputer are designed to be very similar with the one on ecgate offering more choices regarding the available applications. The usage of the menus should be quite straightforward. To terminate a WindowMaker session you need to select the "Exit" option from the menu