
May 23, 2001
How long is your User Account Active?
How is access to a User Account authenticated?
Connecting to Unix Systems from CUE PC’s
CUE DIRECTORY NAMING CONVENTIONS
Directories available on CUE configured Unix and PC systems
Directories available on CUE configured Unix systems only
CUE DESKTOP SYSTEM CONFIGURATION
CUE Unix Login Default Environment
CUE Windows NT Login Default Environment
Supported Email Interface Programs
User Security Responsibilities
How to Change Your CUE Password
To change your password on Unix:
A. JEFFERSON LAB COMPUTER USER RESPONSIBILITIES
B. Computer and Networking Use
Standards for Use of Computer and Networking Capability
CUE is an acronym for Common User Environment. This environment provides common computing resources to users across the various Computer Center supported platforms and operating systems. When you log onto any centrally supported system you are essentially using CUE.
CUE is designed based upon several simple principles:
When a user account is assigned it gives you privileges to access CUE systems here at the lab. (CUE is the Common User Environment that encompasses all of the Computer Center centrally managed systems and various other hosts here at the lab.)
CUE systems include: UNIX workstations, PC's, Mac's, and any other system that has been configured for the environment.
Your account will allow you to log onto CUE systems, where you will have access to email, www, public domain packages, software development applications, word processing applications, various Jefferson Lab specific packages, and a wide assortment of vendor provided applications.
The password that is provided to you by the Computer Center will allow access to CUE systems, both UNIX and JLAB Windows domain PC's.
Access to the Batch and Interactive Farm systems is controlled by means of your CUE password and UNIX group memberships. Experimental Users should contact the software coordinator for their Experimental Hall to insure that they are included in all appropriate experimental groups to allow access to the Farm systems.
How long is your User Account Active?
Your user account will stay active until your sponsor or supervisor indicates otherwise. To verify user accounts the Computer Center audits computer accounts twice a year (April and October). At this time, your supervisor or sponsor will confirm that your account should be maintained.
How is access to a User Account authenticated?
The authentication of a user account is accomplished by the combination of username and password. You will be provided with an initial password when you receive your account. The Computer Center does not email passwords so if you cannot be physically present, you should call the User Helpdesk (757-269-7155) between 1:30 and 4:30 PM EST, or make other arrangements with your Jefferson Lab sponsor to facilitate this for you. As soon as you successfully login, you should change your password to a secure password. The policy for password content and rules as set forth by DOE and JLAB can be found on the Computer Center Password Rules page.
To login to a CUE configured PC running Windows perform the following:
To logout of a CUE PC running Windows perform the following:
1. Press “Ctrl+ALT+Delete”
2. Select the “Logoff” button
Or
Select Start button on lower left hand corner, and ShutDown. Select appropriate option.
There are several different methods of logging into a Unix system at Jefferson Lab, depending upon what resources are available to you. Examples would be logging in from an xterminal here on site, using a terminal emulator from your PC such as Tera Term Pro, or using a telnet application from offsite. All of these require you to supply a valid username and password.
The recommended way of connecting to Unix systems is to use as secure a connection mode as possible, which means using applications that support SSH (Secure Shell). SSH provides encrypted login sessions that are not easily sniffed when traversing networks. The reason for using SSH capable software is the ease with which passwords can be sniffed from a network by almost any machine that is connected. The Tera Term Pro application for PCs provides SSH capabilities, and Unix systems at the lab are configured to support SSH, as are most Unix systems at other labs. It is the responsibility of the individual user to configure their user account for SSH.
No matter how you connect to a Unix system the same general procedure is followed:
Connecting to Unix Systems from CUE PC’s
To connect to Unix systems from a CUE configured PC you use the ttssh application that is available from the Start menu. Connect as follows:
There are several Unix systems provided for the general use at Jefferson Lab. These systems are physically located in the Computer Center machinery room located in room L200 of Cebaf Center. The systems that are available for login are:
· Solaris - jlabs1, jlabs2
· HP - jlabh1, db1 (MIS applications including ETR and REQS)
The db1 system is Jefferson Lab's primary MIS (Management Information System) host that provides access to the lab's administrative applications. Such applications would include CIS (Central Information System), the timesheet entry program ETR, the requisition program REQS, and several other MIS applications. It is a system whose sole purpose is MIS.
The other Unix systems mentioned (all of the systems that start with jlab) are provided for general purpose Unix computing.
There are many other Unix systems located at Jefferson Lab, but most of them are not available for general use. Examples of these systems would include the systems located within our batch and interactive farm, the experimental halls Unix systems, many of the accelerator control systems, as well as the multiple Linux systems.
Logging off of a Unix system is a relatively simple but important process. Logging out will prevent an unauthorized user from gaining access to your files and using your account for any promiscuous activities. To log off you simply type the exit command from the command line, which will exit you from your currently open shell. If you are logging off of an xterminal to completely log out you will need to locate the exit button from the bottom menu, click it with your mouse, and then select the OK button, which asks if you really wish to logout.
When you log onto a CUE system there will be a centrally provided home directory that will be available to you whether you log onto a Unix system or whether you logon to a CUE configured PC running Windows. When you log onto a Unix system configured for CUE (i.e. jlabs1, jlabh1, db1) your home directory is /home/username, where username is the username that you have been assigned by the Computer Center. If you are logging onto a CUE configured PC your home directory can be found under the J: drive under "My Computer". All of these home directories are currently located on a central NFS-based fileserver. Because these file systems are mounted to all the CUE configured systems, regardless of which operating system they are running, you will see the same home directory (i.e. the same set of your files).
Within CUE, provisions are made to supply areas that are shared and accessible by individuals in groups that are assigned ownership of the directories. On CUE Unix systems these group areas are found under the /group/groupname directory, where groupname is usually the name of the assigned group. On a CUE configured PC the group areas are located from the M: drive and then the groupname folder, which is again usually the name of the group that controls the area. These common group areas are set up for individual groups upon requests to the helpdesk when there is a justifiable need for the areas. When a request for a group area is made please include:
NOTE: If the group does not exist prior to the request for the group shared directory it will have to be created via a request to the helpdesk. When making the request for new groups please include the name of the new group and which usernames should be members of the group.
CUE DIRECTORY NAMING CONVENTIONS
The CUE directory naming structure is implemented to provide a sensible and common directory structure for centrally provided CUE directories and filesystems. When logged onto a CUE configured system the following directories are automatically mounted without any user intervention:
Directories available on CUE configured Unix and PC systems
· /home - home directories (/home/jones)
· /apps - application directories (/apps/ideas)
· /group - Shared disk areas for workgroups.
· /site - cross-platform utilities (/site/info contains information files of interest to users, etc.)
· /scratch - scratch space (/scratch/jones, not backed up)
Directories available on CUE configured Unix systems only
· /work - central work areas for data reduction and simulation (not backed up)
· /cache - on-line temporary storage for experiment data files already on tape in the central data silo
· /var/mail - central mail directory
CUE DESKTOP SYSTEM CONFIGURATION
For ease of system management and configuration Desktop Systems including: Unix, Linux, and Windows are configured in a similar fashion for each platform within CUE. In most cases the Computer Center provides a standard desktop configuration for each platform. These standard CUE desktop configurations enable the Computer Center to manage and troubleshoot these systems more efficiently. Additionally these standard configurations make transitioning from machine to machine and platform to platform easier.
CUE provides a standard set of applications located in default locations on both Unix and Windows NT systems. The default location for CUE supported software is the /apps directory on CUE configured Unix systems, and the L: drive (apps directory) on CUE configured Windows systems.
The CUE Unix Software page found at http://cc.jlab.org/services/cue/cuesw.html provides in depth current information on what software is available on each CUE supported Unix platform as well as brief descriptions and which revision of the software is installed. All CUE Unix software is installed and available without any user intervention or configuration necessary.
The Windows Services page located at http://cc.jlab.org/service/windows/ provides information specifically for the Windows implementation of CUE including supported software and installation instructions. CUE Windows software currently requires user interaction to install, upgrade, and maintain. In the near future users will have the option of remote desktop management for their CUE Windows systems through remote management software for all CUE supported software.
When a login is performed onto any CUE configured system, whether it is Unix or Windows, a default environment is setup for that login session.
CUE Unix Login Default Environment
If your account has been configured for CUE Unix systems, logging on will, by default, run environment configuration scripts that set your default path, default environment variables, and run news notification scripts. By default all new user accounts are configured for CUE and should require no modifications to login scripts. To make sure that your account is configured for CUE execute the /site/bin/cuefix script after you login to a CUE configured Unix machine. This script copies the default CUE .cshrc and .login files to your home directory, and moves your current files to old.cshrc and old.login.
When you login to a CUE configured Unix system your /home/username/.cshrc file is executed if you are running csh or tcsh. This script calls the /site/env/syscshrc script which configures your path, manpath, and sets several environment variables.
Next your /home/username/.login file is executed which sets login environment variables and executes two additional CUE environment configuration scripts. The actual scripts that are run and their basic function are:
· /site/env/syslogin - determines the platform and OS of the login session and then sets platform specific environment variables
· /site/env/sysapps - determines the platform and OS of the login session and then sets application specific environment variables
If you wish to make modifications to the default CUE provided .cshrc and .login files you should try to add only those customizations that are essential. Making changes to these scripts can cause undesired results if the changes that are made are not done correctly. Remember that you can execute the /site/bin/cuefix script at anytime to reset your login scripts to the CUE defaults.
CUE Windows Login Default Environment
If your PC has been configured for CUE Windows, the login script will map standard network directories for you. These directories are:
· \\jlabhome\username
· \\jlabsite\site
· \\jlabapps\apps
· \\jlabgrp\group
The login script copies the pathman.exe file to your local hard drive. This file adds a path statement to your user environment for \\jlabapps\apps rather than replacing the existing path statement and changing your personal parameters.
There are various printing resources provided by the Computer Center for site wide usage. If a system is configured within CUE the print services mentioned here will be available.
There are many printers of varying type and purpose located around the site that can be printed to from Computer Center supported systems. These printers are available from all centrally provided Unix systems as well as desktop PC's that have been configured to use them. The names of these printers, printer type, and physical location can be found at:
http://cc.jlab.org/cgi-bin/printers.cgi
The Computer Center central printers are as follows:
Cebaf Center, located in the atrium above the cafeteria.
Trailer City, located in room 172
Specific details for CUE printing can be found at http://cc.jlab.org/services/printing/.
After receiving your JLAB CUE user account you will be capable of using the electronic mail services provided by the Computer Center. The supported email applications at JLAB must utilize IMAP mail using SSL (Secure Socket Layer).
Your standard email address at Jefferson Lab is of the form:
yourID@jlab.org
where 'yourID' is your computer-user account. Most people can also use the form:
Firstname.Lastname@jlab.org
unless someone else on site has the same first and last names registered in CIS.
There are several items to be considered and completed before actually using your email account:
Supported Email Interface Programs
The JLAB Computer Center recommends the following Mail Interface Programs, depending on what type of device you use to log in:
Text Terminal: Pine (text mode interface).
X Terminal or Unix workstation one of the following:
o Netscape Communicator - This is the default version of netscape that you get when you logon and type "netscape". Netscape should be configured as an IMAP mail client with SSL enabled.
o Pine - This is a text mode interface, useful if you want to check your mail from a terminal window. There is a Pine "Getting Started" guide found at http://cc.jlab.org/services/docs/pine/ or http://www.washington.edu/pine for more details.
o Dtmail (GUI-Graphical User Interface) - This is the default mail program you get by clicking the "mail icon" on your desktop.
PC or Macintosh: Netscape 4.5 (or above), configured as an IMAP mail reader with SSL enabled.
Instructions for configuring supported email client applications can be found at http://cc.jlab.org/services/email/.
Most users at the lab will read their mail in CUE, either by directly logging into a CUE Unix system (i.e. jlabs1,jlabs2, jlabh1, etc.) or by accessing their mail through a mail interface program running on their PC. In both of these cases, incoming mail is stored in your central mail "inbox" (located in the Unix file /var/mail/username ) which actually resides on the central fileserver (fs1) so that it is accessible by all of the CUE systems.
Once you read an incoming mail message, you either delete it or save it. When you save it, the message may be saved directly in the CUE home directory (/home/username) in a mail directory you set up (something like: /home/username/mail or /home/username/Mail) or possibly in mail folders on your local disk on your personal computer. This depends on which mail program you are using and how you have configured it.
If you read mail on a CUE Unix system, that system can directly send outgoing mail. If you read mail on a personal computer, however, your PC or Mac must send outgoing mail "through" a central Unix server. The CUE system smtpmail.jlab.org is set up to do this.
The goal of Security at Jefferson Lab is to provide a secure, robust, and useable computing environment for the working community. This goal embodies the appropriate protection of data and resources from unauthorized use, protection from operational failures due to unauthorized use, and the use of procedures and policies that are effective without being operationally burdensome. Further goals are to ensure individual accountability for data, information, and other computing resources to which individuals have access, and to ensure that all applicable policies, directives, mandates and legal requirements are applied and adhered to.
User Security Responsibilities
Users are expected to be familiar with Jefferson Lab security policies, and other applicable laws, policies, mandates and procedures. Users are responsible for their own behavior. Specifically:
a) Use file protection mechanisms to maintain appropriate file access control.
b) Select and maintain good passwords. Do not write passwords down, or disclose them to others. Passwords must conform to the rules described in http://cc.jlab.org/policies/PasswordRules.html .
c) Use password encryption wherever possible. Secure shell (ssh) is available for all systems at the lab, and the central IMAP mail server is capable of password encryption. For all practical purposes there is no reason to use clear text passwords between any systems on site. Do not use telnet, use ssh. Do not use POP (or clear text IMAP), use encrypted IMAP. Simple instructions for using these services are available from the Computer Center.
d) Use ssh wherever possible when connecting to the lab from an external site. Ask your local system administrator to set up ssh. The only reason to not use ssh is from countries (e.g. France) where it is illegal to do so. When connecting with ssh from outside the lab you must use a pass phrase.
e) Do not share accounts. In general there are no shared accounts on central systems.
a) Do not intentionally modify, destroy, read, or transfer information in an unauthorized manner; do not intentionally deny others authorized access to or use of computing resources and information.
b) Provide the correct identity and authentication information when requested and do not attempt to assume another party's identity.
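Item d) above requires a pass phrase when connecting with ssh from outside the lab. The following Python check is an added example, not Computer Center code: it reads a private key file's unencrypted header to report whether the key is pass-phrase protected. It goes beyond the formats in use when this guide was written by also covering the current OpenSSH key format; the sample keys and file names are constructed and contain no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 length, then that many bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[offset + 4:end], end


def passphrase_status(key_text):
    """Return 'protected', 'unprotected' or 'unknown' for one private key file."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "protected"  # PKCS#8 container that is always encrypted
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return "unknown"
            # The first field after the magic is the cipher name.
            cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        except ValueError:  # bad base64 or truncated header
            return "unknown"
        return "unprotected" if cipher == b"none" else "protected"
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is declared in "Name: value" header lines
        # that precede the base64 body.
        for ln in lines[1:]:
            if ":" not in ln:
                break  # blank line or base64 body: the headers are over
            if ln.startswith("Proc-Type:") and "ENCRYPTED" in ln:
                return "protected"
        return "unprotected"
    return "unknown"


def unprotected_keys(files):
    """Given {file name: contents}, list the keys stored without a pass phrase."""
    return sorted(n for n, t in files.items()
                  if passphrase_status(t) == "unprotected")


def _pem(label, body, headers=()):
    """Build a constructed PEM file for the samples below."""
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


def _sample_openssh(cipher):
    """Constructed OpenSSH key header: magic, cipher, KDF name, KDF options, key count."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return _pem("OPENSSH PRIVATE KEY", base64.b64encode(blob).decode())


# Constructed samples (hypothetical file names, placeholder bodies).
SAMPLES = {
    "id_rsa_legacy_plain": _pem("RSA PRIVATE KEY", "AAAA"),
    "id_rsa_legacy_enc": _pem(
        "RSA PRIVATE KEY", "AAAA",
        headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-128-CBC," + "0" * 32)),
    "id_new_plain": _sample_openssh(b"none"),
    "id_new_enc": _sample_openssh(b"aes256-ctr"),
    "id_rsa.pub": "ssh-rsa AAAA constructed-comment\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {passphrase_status(text)}")
    print("keys without a pass phrase:", unprotected_keys(SAMPLES))
```

The check only reads header fields, so it never needs the pass phrase itself.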
In accordance with DOE Notice 205.3 and guidance in 205.3-1, all passwords in use on any system at Jefferson Lab must be in accordance with the following rules and guidelines.
Individuals must not:
Passwords must be changed:
How to Change Your CUE Password
Log in to a central unix system (db1, jlabs1, jlabs2, jlabh1)
Type ‘jpasswd’ and press the enter key.
You will be prompted for a new password. Type it and press enter.
You will be prompted to retype the password. Type it again and press enter.
This password change will affect accounts on all Central User Environment systems. The list includes, but is not limited to:
JLAB Windows NT domain
db1
jlabs1 & jlabs2
jlabh1
ifarmxx
This password change will not affect Costpoint, Netscape calendar, or Accelerator Systems.
A. JEFFERSON LAB COMPUTER USER RESPONSIBILITIES
All Laboratory personal computers, computing systems, and their associated communication systems are to be used only for official Laboratory business. By signing for a Jefferson Lab computer account, users signify their agreement not to misuse the Jefferson Lab computing complex and accept responsibility for any activity associated with their username and password.
Do NOT give your password to anyone.
Use a password that you can memorize so that it does not have to be written down. In situations where a written copy is necessary, insure that it is safely guarded in a secure location.
Do not share your passwords for file access. If you need to share files with another user, please contact the Computer Center to have a secure method of sharing arranged.
You must change the temporary password you will be issued when you first receive a computer account. Your password on all systems must be at least 8 characters long. Please change your password at regular intervals.
As with any password, do NOT use anything having to do with your name, the names of your family members, or Jefferson Lab. Do NOT use any word that would be in a dictionary. Consider including a few numbers, misspelling a word, or using letters that actually stand for the first letter of each word in a title or sentence.
Report any suspicious login failures to your account to the Computer Center.
Managers of computer systems not under the administration of the Computer Center are also responsible to insure that the systems under their control adhere to secure password management strategies. The Jefferson Lab Computer Center is required to inform the staff members involved and their line management whenever computer systems are brought to the attention of the Computer Center which are in violation of these policies.
Remember that the security of all of Jefferson Lab's systems can be compromised if you compromise your password!
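The content rules stated above (at least 8 characters, nothing based on your name, your family's names or Jefferson Lab, no dictionary word) can be checked mechanically before a password is set. This Python check is an added example, not the lab's jpasswd logic; the lab terms, the word list, the sample names and the sample sentence are constructed assumptions, and a real check would load a full dictionary file.

```python
MIN_LENGTH = 8

# Assumption: strings standing in for "anything having to do with Jefferson Lab".
LAB_TERMS = ("jefferson", "jlab")

# Constructed stand-in for a real dictionary file.
SAMPLE_DICTIONARY = {"password", "computer", "accelerator", "physicist"}


def initials(sentence):
    """Build a candidate from the first character of each word in a sentence,
    one of the constructions the text above suggests."""
    return "".join(word[0] for word in sentence.split())


def check_password(password, personal_names, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules the candidate breaks (an empty list means none)."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    for name in personal_names:
        n = name.lower()
        # Assumption: names under 3 letters are skipped to avoid false hits,
        # and a name written backwards still counts as based on the name.
        if len(n) >= 3 and (n in lowered or n[::-1] in lowered):
            problems.append(f"based on the name '{name}'")

    for term in LAB_TERMS:
        if term in lowered:
            problems.append(f"based on the lab term '{term}'")

    # The rule as stated covers the word itself, so only an exact
    # case-insensitive match is reported here.
    if lowered in dictionary:
        problems.append("is a dictionary word")

    return problems


if __name__ == "__main__":
    names = ["Pat", "Jones", "pjones"]  # constructed user and family names
    candidates = [
        "jones99",
        "Password",
        "JLab2001!",
        "senojtap42",
        initials("My first beam time at Hall C was in October 1999"),
    ]
    for candidate in candidates:
        found = check_password(candidate, names)
        print(candidate, "->", "; ".join(found) if found else "no rule broken")
```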
Users are responsible for ensuring that the spirit and letter of the laws for copyright and trademark protection are followed to protect both the individual and the Laboratory. Only legal copies of copyrighted software are allowed to be on Jefferson Lab computer systems including personal computers. Users may not copy nor distribute any licensed or proprietary software without the approval of the author and/or organizational owner. In addition to commercial products, software developed at Jefferson Lab may not be distributed beyond the Laboratory without formal release authorization.
The Jefferson Lab Computer Center is required to inform the staff members involved and their line management whenever computer systems are brought to the attention of the Computer Center which are in violation of these policies. For example, the Computer Center cannot and will not be put in the position of restoring policy violating software from failed disk systems on to new disk systems.
The Computer Center provides regular backups of all data on the computers that it manages. All operators of PCs and Macintoshes or any other computer system not directly managed by the Computer Center are responsible for the security and integrity of all hardware and software including the data files on their computer system. Because the software, data, files, and the time to create the files and equipment are Jefferson Lab investments, employees are responsible for insuring that these resources are neither corrupted nor lost. The Jefferson Lab Computer Center is required to inform the staff members involved and their line management whenever computer systems are brought to the attention of the Computer Center that are in violation of these policies. For example, the Jefferson Lab Computer Center will make every effort to save the files on a failed disk, but we are required to inform line management if proper backups are not also available. There are many methods used at the Laboratory to back up the data on personal computer systems including floppy disks, tape backup, and virtual disks. Please contact the Computer Center for assistance in implementing an appropriate backup method for your activity.
On all Jefferson Lab computer systems, the only authorized work is that which is connected with the research, design, construction, and operation of Jefferson Lab, its associated and authorized research, development, and administrative and support activities, and its associated SURA supported activities. Examples of fraudulent and improper use include, but are not limited to: personal holiday greeting generators, party invitations, poetry, personal letters, personal finance programs, pornography, investment programs, recipes, outside organizational membership lists, and programs used for personal gain or entertainment. Users are also charged to use resources cooperatively with other users. This responsibility includes monitoring background and interactive jobs to insure that other users are not excluded from the use of central resources, releasing limited licenses after appropriate time periods so that others may access them, and making special arrangements for high priority or high resource dependent jobs.
In order to assure that the above policies are being followed, the Jefferson Lab Computer Center has the responsibility of periodically inspecting user files.
B. Computer and Networking Use
It is the policy of SURA/Jefferson Lab that use of computer and networking capability is primarily for laboratory related purposes, and that the organization reserves the right to monitor the use of applicable equipment.
All electronic transmissions and records, including e-mail, computer files, web documents, etc., are considered Laboratory records and as such are subject to disclosure to lab management as well as to law enforcement, government officials, or to other third parties through the subpoena process.
This policy applies to all forms of computer and networking use, whether accessed on or from laboratory premises, accessed using lab computer equipment or via lab-paid access methods. The scope includes the development and execution of computer codes, document processing and printing, electronic mail, database and file storage, World Wide Web access and development, and network access.
1. The Jefferson Lab Computer Center is responsible for managing the central computational resources and for providing information to system users, personal computer users, and managers of standalone computing resources for system management and use. The Computer Center Manager and assigned staff are authorized by the Laboratory Director's Council to monitor the use of the computational resources in order to ensure the appropriate use and that all applicable policies and standards of use and security are upheld. The Manager and staff are further authorized to take appropriate measures in cases of breach of use and security policies. These measures are at the discretion of the Computer Center Manager and designated Computer Security Officer, and may include immediate disconnection of an offending system from the network, immediate revocation of a user account, and reporting the offending behavior to the relevant supervisory authority as appropriate. Further action, including legal action, is possible according to the nature of the offense and is at the discretion of the Laboratory Management or DOE authorities.
The complete applicable guidelines for use of the Jefferson Laboratory computational resources are available at http://cc.jlab.org/policies or in hard copy from the Computer Center.
2. The Laboratory’s Webmaster oversees the contents of Jefferson Lab’s web site. Page development is delegated to local webmasters, or individuals responsible for a specific topic. Page editors shall be identified at the bottom of the first page. Webmasters have the responsibility of maintaining the quality, adhering to lab standards for web publishing, adhering to fair copyright and trademark usage, linking local topics with other Lab pages, and ensuring individuals posting content are familiar with lab standards and policies. Local webmasters are responsible for ensuring adherence to relevant security practices. The applicable guidelines are available at http://www.jlab.org/CC/policies, and in hard copy from the Computer Center or the Laboratory Webmaster.
3. Department Managers are responsible for delegating and overseeing the quality of the homepage for the department. In addition, supervisory staff shall collaborate with the Computer Center or webmaster to resolve any individual user issues.
4. All staff shall comply with the standards for use of computer and networking capability.
Standards for Use of Computer and Networking Capability
1. User Accounts: All staff shall accept responsibility for any activity associated with their user account. The Computer Center provides guidelines for account protection. As the security of all systems can be compromised with misuse, breaches shall be resolved immediately.
2. Software Protection: All staff are responsible for ensuring the laws for copyright, licensing and trademark protection are followed. In addition to commercial products, software developed at the Lab shall not be distributed beyond the Lab without formal release authorization.
3. Laboratory personal computers, computing systems and their associated communication systems are to be used for official business of the Laboratory. Official business includes all authorized work connected with the research, design, construction and operation of the laboratory, its associated and authorized research, development, education, and associated administrative and support activities.
4. Posting content to the Web is a form of publication. No content may be posted to the Web if it would violate U.S. copyright laws or Jefferson Lab’s intellectual property rights.
5. Personal software, (e.g. personal holiday greeting card generators, or investment programs, etc.) shall not be placed on Laboratory computers. Work of a personal nature shall not be generated during work time. Individual professional home pages are to be used only at the discretion of management and are to be limited to work information.
6. If engaging in a public professional forum, the user must differentiate personal opinions expressed by including a disclaimer to the effect that "the views expressed herein are solely the author’s and not those of SURA/Jefferson Lab or the U.S. Department of Energy."
7. Standards of behavior include but are not limited to:
a. Obscene, pornographic, offensive, threatening, harassing or intimidating material shall not be entered into the computer or sent by electronic means.
b. All staff shall use resources cooperatively with other computer users by monitoring background and interactive jobs to ensure that other users are not excluded from the use of central resources. This could include releasing limited licenses after appropriate time periods so that others may access them, and making special arrangements through the Computer Center for high priority or high resource dependent jobs.
c. Computers shall not be used for any activity involving personal entertainment or financial gain (e.g. when operating and advertising a commercial enterprise or professional service on laboratory computer systems).
d. Computers shall not be used for the support of any activity not officially chartered by the Lab (e.g. clubs or private organizations) or for any other activity that might be construed as inappropriate use of taxpayer funded resources.
This document is maintained by {helpdesk@jlab.org}
Copyright Jefferson Lab 2007