GSISSH-Term is a Java based terminal client application for accessing the Grid created by the UK’s NGS. It supports the use of grid certicates for authentication. Since this application is written in Java, it is supported on most platforms (e.g. Windows, Macintosh and Linux). PRACE provides a customised version of GSISSH-Term which includes PRACE users’ customisations and additional bug fixes.

Preparing for GSISSH-Term

Users have to place the required grid certificates (CA certificates and personal certificates) appropriately on their machine before they can access PRACE’s grid. Please follow the steps decribed in the Personal eScience certificate and CA certificates sections.

Since GSISSH-Term is a Java based application, you will need Java Runtime Environment (JRE) 1.5 or higher installed (it’s highly recommended to use 1.6 or higher, preferably provided by Oracle(TM)). You should also install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’ which are not included in the default distribution of JRE due to import control restrictions. Please download the files from the following links:

Extract the two jar files,"local_policy.jar" and "US_export_policy.jar", and copy them to

  • {JRE_HOME}/lib/security

Note that there are files with identical names but different content in the folder. This is because JRE supports by default up to 512-bit security. JCE provides additional support for 1024 bits.

GSISSH-Term as a Java webstart application

Before continuing, you should have set up your grid certificates and Java. If you have not done so, please refer to the previous section "Preparing for GSISSH-Term" before proceeding.

To install and start GSISSH-Term via Java Web Start, please click on and open it with Java webstart (javaws).

For your security, GSISSH-Term webstart application is signed with a Oracle Java recognised commercial root CA (Deutsche Telekom Root CA2) certificate. A "Warning – Security" window, similar to the one here will be displayed.

To verify that you are indeed using and downloading the version from PRACE (hosted at LRZ), please click on the "More Information" link. Depending on the version of Java you are using, the user interface may differ slightly. Another window will appear, please click on the "More Information" link. Verify that the certificate information is as such:

Issuer: CN=LRZ-CA - G01, OU=LRZ-CA, O=Leibniz-Rechenzentrum, L=Muenchen, ST=Bayern, C=DE
Subject: CN=PN: Siew Hoon Leong - CodeSigning, OU=Leibniz-Rechenzentrum, L=Muenchen, ST=Bayern, C=DE

You should see the following window when GSISSH-Term is initiated successfully.

For instructions on how to use GSISSH-Term, proceed to the section "Using GSISSH-TERM" below.

GSISSH-Term as a web browser applet

Before continuing, you should have set up your grid certificates and Java. If you have not done so, please refer to the previous section "Preparing for GSISSH-Term" before proceeding any further.

For new users who would simply like to try GSISSH-Term and have an idea how it looks like and how it works, you can start GSISSH-Term as a browser applet. All you need to do is to open this link in your web browser. You should see the following window when GSISSH-Term is initiated successfully.

GSISSH-Term as a web browser applet

GSISSH-Term as a web browser applet

For instructions on how to use GSISSH-Term, proceed to the section "Using GSISSH-Term" below.

Using GSISSH-Term

To create a new connection, select "File – New Connection" or the shortcut icon "Create a New Connection" (first icon from the left). The following window will be displayed:

Now, you can simply enter the host name of one of the PRACE GSI SSH Door nodes in the textbox "Host to Connect to:" and click on the "Ok" button. The following table shows the door nodes in PRACE which offer access from public Internet. For direct access to LRZ, the IP number of the external PC must first be registered (please submit a request to the PRACE Helpdesk service) and the LRZ AUP (Acceptable Use Policy) should be accepted.

Door nodes in PRACE

LRZ (with firewall)supermuc.lrz.de2222

Note: If your Home site or Execution sites are not offering public GSI SSH access, you can access the required site from one of the door node sites via GSI SSH hops. Please refer to the PRACE Door Nodes documentation to learn how to proceed.

For users who are accessing multiple PRACE accounts via a single user certificate, you can configure which account to login to by clicking on the "Advanced" button. The "Connection Profile" will be opened. Select the "Host" tab. By default, the "Username" textbox is left empty. If you want to login to a specific account that you owned, you should then fill in the "Username" textbox. You can leave the rest of the options as they are.

Important note for Windows users: in order to introduce uneccessary delays that could lead to a failure of the login operation, please click on the GSI Defaults tab and ensure that the Authentication Order methods are arranged according to the following picture

This check should be performed during the set up phase, once the Use list has been updated, GSISSH-Term will not change it.

Now, select the "Connect" button.

You will be prompted to enter your "Grid Certificate Passphrase". Enter the passphrase of your grid certificate and click "Ok" or hit the "Enter" key of your keyboard.

If you do not have your *.pem files and is using the grid certificate imported in the browser instead, you will be prompted to select the web browser where your grid certificate is imported. On Linux, only Firefox/Mozilla is supported. On Windows, Firefox/Mozilla and Internet explorer are supported. On Macintosh OS X, Safari and Chrome are supported via Keychain Access (only for PRACE customised version).

Web browser selection

Web browser selection

In the case of Mozilla/Firefox, please enter your Mozilla/Firefox master password as your certificate store passphrase and select the "Ok" button.

Browser Certificate Store

Browser Certificate Store

In the case of Safari/Chrome on Macintosh OS X via Keychain access. If your certificate is not locked, you should be prompted with the following window. Select either "Allow" or "Always Allow" based on your personal preference. If your certificate is locked, you will be prompted an additional dialog to enter the password to unlock the particular keychain in Keychain Access.

If both authentication methods mentioned above are unavailable or unsuccessful, you can also access the grid resource via your *.p12 keystore file. In the following window, in the section "Use a Grid certificate in pkcs12 format:", you will now be asked to specify the location of your pkcs12 keystore file: Click the Browse… button and select the keystore file. Enter the keystore passphrase in the "Passphrase" textbox and select the "Use Certificate" button

You should now be logged on to the door node:


  • To check Java version, in your Linux/Unix/Macintosh OS X terminal or Windows command prompt, please use the following command:

    java -version
  • A word of caution: on networked Windows systems we observed that a different location on a shared drive is sometimes used. The exact path is pointed by the Windows registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop. A possible way to retrieve the value is to use the reg.exe from a command line prompt, typing

    reg.exe query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

    For example, a sample output is

    reg.exe query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        Desktop      REG_EXPAND_SZ     \\\lu95jib\Desktop

    Clearly the ".globus" folder should be created in \\\lu95jib\Desktop.

    In case of problems, please report them to the PRACE Helpdesk service.

  • Please use only printable ASCII characters for your certificate(keystore) passphrase. If you have used unprintable characters, please kindly change your passphrase and replace your "userkey.pem" with the following commands on a Unix/Linus/OS X machine:

    mv userkey.pem userkey.pem.old
    openssl rsa -in userkey.pem.old -des3 -out userkey.pem
  • If you notice strange characters while using the delete and/or backspace keys on some machines, e.g. IBM AIX OS, in your shell, you can set your "$HOME/.inputrc" as such

    "\e[3~": delete-char
    # this is actually equivalent to "\C-?": delete-char
    # VT
    "\e[1~": beginning-of-line
    "\e[4~": end-of-line
    # kvt
    # rxvt and konsole (i.e. the KDE-app...)

    More information is available at the following site.

Share: Share on LinkedInTweet about this on TwitterShare on FacebookShare on Google+Email this to someone