bwHPC Wiki - User contributions [en]

JUSTUS2/Policy Agreement

2026-02-16T15:37:13Z

C Mosch:

== JUSTUS 2 Policy - Agreement - V3 ==
For all users of bwForCluster JUSTUS 2 for Computational Chemistry and Quantum Sciences the [https://www.uni-ulm.de/fileadmin/website_uni_ulm/kiz/wir_ueber_uns/kiz-bo.pdf terms of use for services of the Communication- and Information Center (kiz) of Ulm University] apply.

When registering for the service, you comply with above mentioned terms of use. Additionally you ...

* agree to use the cluster only for research in accordance with DFG funding conditions
* agree to acknowledge the bwForCluster JUSTUS 2 in your publications
* agree to send us references to all publications with contributions by JUSTUS 2
* comply with the terms of use of the software manufacturers
* agree to report any problem that might endanger the cluster operations
* agree to use the resources carefully (without wasting cores, memory or disk space)
* accept that the system is monitored to prevent misuse
* accept that job and software usage statistics are collected for improving the service and reporting to the DFG
* assure that your compute activities comply with the German Foreign Trade Act (Außenwirtschaftsgesetz - AWG) und German Foreign Trade Regulations (Außenwirtschaftsverordnung - AWV), see https://www.bafa.de/DE/Aussenwirtschaft/Ausfuhrkontrolle/Academia/academia_node.html
* agree to contribute to reports for the DFG
* acknowledge that your home directory and work spaces will be deleted after expiration of your account (thus you are responsible to backup your files before your account expires)
* will avoid swap file I/O operations or any other intense I/O to HOME - swap files of single-node jobs must use the node local disk space
* will not run long cpu/memory intense calculations on login/vis nodes - those nodes are for interactive use, compiling and short tests only
* will not store important results in workspaces, since they are not included in any backup
* will not mass-submit very short (minutes) jobs to the batch system
* will plan/submit calculations in such a way that those jobs fill entire nodes - since nodes are user-exclusive on JUSTUS 2

Also see

→ [[.bashrc Do's and Don'ts]]

JUSTUS2/Policy Agreement

2026-02-16T14:29:44Z

C Mosch:

== JUSTUS 2 Policy - Agreement - V3 ==
For all users of bwForCluster JUSTUS 2 for Computational Chemistry and Quantum Sciences the [https://www.uni-ulm.de/fileadmin/website_uni_ulm/kiz/wir_ueber_uns/kiz-bo.pdf terms of use for services of the Communication- and Information Center (kiz) of Ulm University] apply.

When registering for the service, you comply with above mentioned terms of use. Additionally you ...

* agree to use the cluster only for research in accordance with DFG funding conditions
* agree to acknowledge the bwForCluster JUSTUS 2 in your publications
* agree to send us references to all publications with contributions by JUSTUS 2
* comply with the terms of use of the software manufacturers
* agree to report any problem that might endanger the cluster operations
* agree to use the resources carefully (without wasting cores, memory or disk space)
* accept that the system is monitored to prevent misuse
* accept that job and software usage statistics are collected for improving the service and reporting to the DFG
* assure that your compute activities comply with the German Foreign Trade Act (Außenwirtschaftsgesetz - AWG) und German Foreign Trade Regulations (Außenwirtschaftsverordnung - AWV), see https://www.bafa.de/DE/Aussenwirtschaft/Ausfuhrkontrolle/Academia/academia_node.html
* agree to contribute to reports for the DFG
* acknowledge that your home directory and work spaces will be deleted after expiration of your account (thus you are responsible to backup your files before your account expires)
* will avoid swap file I/O operations or any other intense I/O to HOME - swap files of single-node jobs must use the node local disk space
* will not run long cpu/memory intense calculations on login/vis nodes - those nodes are for interactive use, compiling and short tests only
* will not store important results in workspaces, since they are not included in any backup
* will not mass-submit very short (minutes) jobs to the batch system
* will plan/submit calculations in such a way that those jobs fill entire nodes, since nodes are user-exclusive on JUSTUS 2

Also see

→ [[.bashrc Do's and Don'ts]]

JUSTUS2/Policy Agreement

2026-02-16T14:10:00Z

C Mosch:

== JUSTUS 2 Policy - Agreement - V3 ==
For all users of bwForCluster JUSTUS 2 for Computational Chemistry and Quantum Sciences the [https://www.uni-ulm.de/fileadmin/website_uni_ulm/kiz/wir_ueber_uns/kiz-bo.pdf terms of use for services of the Communication- and Information Center (kiz) of Ulm University] apply.

When registering for the service, you comply with above mentioned terms of use. Additionally you ...

* agree to use the cluster only for research in accordance with DFG funding conditions
* agree to acknowledge the bwForCluster JUSTUS 2 in your publications
* agree to send us references to all publications with contributions by JUSTUS 2
* comply with the terms of use of the software manufacturers
* agree to report any problem that might endanger the cluster operations
* agree to use the resources carefully (without wasting cores, memory or disk space)
* accept that the system is monitored to prevent misuse
* accept that job and software usage statistics are collected for improving the service and reporting to the DFG
* assure that your compute activities comply with the German Foreign Trade Act (Außenwirtschaftsgesetz - AWG) und German Foreign Trade Regulations (Außenwirtschaftsverordnung - AWV), see https://www.bafa.de/DE/Aussenwirtschaft/Ausfuhrkontrolle/Academia/academia_node.html
* agree to contribute to reports for the DFG
* acknowledge that your home directory and work spaces will be deleted after expiration of your account (thus you are responsible to backup your files before your account expires)
* will cause no constant file writes from jobs to $HOME: Any calculation swap file has to stay on the local node. Multinode-jobs that must use a common filesystem use workspaces.
* no long cpu/memory intense calculations on login/vis nodes. Those nodes are for interactive use, compiling and short tests.
* no storage of important results in workspaces (there are no backups!)
* no mass-flooding the batch manager with very short (minutes) jobs
* plan/submit calculations so you can fill nodes (nodes are user-exclusive on J2, only your jobs can run on a node you use)

Also see

→ [[.bashrc Do's and Don'ts]]

JUSTUS2/Policy Agreement

2026-02-09T16:03:04Z

C Mosch: /* JUSTUS 2 Policy - Agreement - V2 */

== JUSTUS 2 Policy - Agreement - V3 ==
For all users of bwForCluster JUSTUS 2 for Computational Chemistry and Quantum Sciences the [https://www.uni-ulm.de/fileadmin/website_uni_ulm/kiz/wir_ueber_uns/kiz-bo.pdf|terms of use for services of the Communication- and Information Center (kiz) of Ulm University] apply.
When registering for the service, you comply with above mentioned terms of use. Additionally you ...

* agree to use the cluster only for research in accordance with DFG funding conditions
* agree to acknowledge the bwForCluster JUSTUS 2 in your publications
* agree to send us references to all publications with contributions by JUSTUS 2
* comply with the terms of use of the software manufacturers
* agree to report any problem that might endanger the cluster operations
* agree to use the resources carefully (without wasting cores, memory or disk space)
* accept that the system is monitored to prevent misuse
* accept that job and software usage statistics are collected for improving the service and reporting to the DFG
* assure that your compute activities comply with the German Foreign Trade Act (Außenwirtschaftsgesetz - AWG) und German Foreign Trade Regulations (Außenwirtschaftsverordnung - AWV), see https://www.bafa.de/DE/Aussenwirtschaft/Ausfuhrkontrolle/Academia/academia_node.html
* agree to contribute to reports for the DFG
* acknowledge that your home directory and work spaces will be deleted after expiration of your account (thus you are responsible to backup your files before your account expires)
* will cause no constant file writes from jobs to $HOME: Any calculation swap file has to stay on the local node. Multinode-jobs that must use a common filesystem use workspaces.
* no long cpu/memory intense calculations on login/vis nodes. Those nodes are for interactive use, compiling and short tests.
* no storage of important results in workspaces (there are no backups!)
* no mass-flooding the batch manager with very short (minutes) jobs
* plan/submit calculations so you can fill nodes (nodes are user-exclusive on J2, only your jobs can run on a node you use)

Also see

→ [[.bashrc Do's and Don'ts]]

JUSTUS2/Policy Agreement

2026-02-09T16:02:49Z

C Mosch: /* JUSTUS 2 Policy - Agreement */

== JUSTUS 2 Policy - Agreement - V2 ==
For all users of bwForCluster JUSTUS 2 for Computational Chemistry and Quantum Sciences the [https://www.uni-ulm.de/fileadmin/website_uni_ulm/kiz/wir_ueber_uns/kiz-bo.pdf|terms of use for services of the Communication- and Information Center (kiz) of Ulm University] apply.
When registering for the service, you comply with above mentioned terms of use. Additionally you ...

* agree to use the cluster only for research in accordance with DFG funding conditions
* agree to acknowledge the bwForCluster JUSTUS 2 in your publications
* agree to send us references to all publications with contributions by JUSTUS 2
* comply with the terms of use of the software manufacturers
* agree to report any problem that might endanger the cluster operations
* agree to use the resources carefully (without wasting cores, memory or disk space)
* accept that the system is monitored to prevent misuse
* accept that job and software usage statistics are collected for improving the service and reporting to the DFG
* assure that your compute activities comply with the German Foreign Trade Act (Außenwirtschaftsgesetz - AWG) und German Foreign Trade Regulations (Außenwirtschaftsverordnung - AWV), see https://www.bafa.de/DE/Aussenwirtschaft/Ausfuhrkontrolle/Academia/academia_node.html
* agree to contribute to reports for the DFG
* acknowledge that your home directory and work spaces will be deleted after expiration of your account (thus you are responsible to backup your files before your account expires)
* will cause no constant file writes from jobs to $HOME: Any calculation swap file has to stay on the local node. Multinode-jobs that must use a common filesystem use workspaces.
* no long cpu/memory intense calculations on login/vis nodes. Those nodes are for interactive use, compiling and short tests.
* no storage of important results in workspaces (there are no backups!)
* no mass-flooding the batch manager with very short (minutes) jobs
* plan/submit calculations so you can fill nodes (nodes are user-exclusive on J2, only your jobs can run on a node you use)

Also see

→ [[.bashrc Do's and Don'ts]]

JUSTUS2/Support

2025-03-12T14:04:44Z

C Mosch: /* Registration and HPC Support */

==Entitlement==

In case of questions or problems regarding your entitlement for using any bwForCluster, please
contact your local university first level help desk.

==Registration and HPC Support==

In case of registration problems or questions about using JUSTUS 2, please submit a trouble ticket at the [https://www.bwhpc.de/supportportal bwSupport Portal] (use the "+" sign to create a new ticket) and assign it
to support unit '''GROUP => bwHPC - Support (green arrow on right side) => bwForCluster JUSTUS'''.

JUSTUS2/Support

2025-03-12T13:59:51Z

C Mosch: /* Registration and HPC Support */

==Entitlement==

In case of questions or problems regarding your entitlement for using any bwForCluster, please
contact your local university first level help desk.

==Registration and HPC Support==

In case of registration problems or questions about using JUSTUS 2, please submit a trouble ticket at the [https://www.bwhpc.de/supportportal bwSupport Portal] and assign it
to support unit '''GROUP => bwHPC - Support (green arrow on right side) => bwForCluster JUSTUS'''.

Registration/2FA

2023-11-22T13:56:49Z

C Mosch: /* andOTP is not developed anymore (https://xdaforums.com/t/unmaintained-app-4-4-open-source-andotp-open-source-two-factor-authentication-for-android.3636993/page-6#post-87021655) and has vanished from F-Droid. */

= Generate a Second Factor (2FA) =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
You or your group must take care of the hardware for the second factor yourself. We do not provide hardware keys or mobile devices.
|}

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

If you only have a mobile device, you can use software-based solutions as a second factor. If you don't want to use a smartphone app, we recommend using a hardware token such as Yubikey. The Pros and Cons of the various solutions can be found at the end of this [[Registration/2FA#Pros_and_Cons_of_the_different_Solutions|wiki]].

== 2FA Questions and FAQ ==

If you have any questions about 2FA, please read the [[Registration/2FA/FAQ|FAQs]], and if your question remains unanswered, please submit a support ticket

== How 2FA works on the bwHPC Clusters ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use either six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP) or Yubico OTP.

'''TOTPs''' are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value. If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device.
We do not recommend the use of TOTP generators for PCs. If the second factor is generated on the same computer on which the login takes place, it is no longer a second factor.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* 2FAS for [https://play.google.com/store/apps/details?id=com.twofasapp Android] or [https://apps.apple.com/us/app/2fa-authenticator-2fas/id1217793794 iOS] ([https://2fas.com/ Web Page] and [https://github.com/twofas GitHub], ''Apple and Google Cloud can be used for backups depending on the operating system.'')
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS] (''Google Cloud can be used for backups, but these backups are not encrypted and can therefore be read by Google!'')
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (''Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux], requires account'')
(''These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.'')

[https://www.yubico.com/resources/glossary/yubico-otp/ '''Yubico OTP'''] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed.

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
* '''Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.''' These tools prevent the registration website from generating new security tokens. When the problems remains (you can not generate the QR code or can not confirm it by clicking CHECK), please try once more with an entirely new unmodified web browser profile.
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''', '''bwForCluster JUSTUS 2''' and '''bwForCluster NEMO'''] (2FA tokens are valid for all three clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster Helix''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"''' ([[Registration/2FA#Pros_and_Cons_of_the_different_Solutions|pros ans cons]]).

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

3. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

4. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

5. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' (bwUniCluster, JUSTUS 2 and NEMO) or '''bwServices''' (Helix).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
If you do not confirm the token by entering the six-digit code in the "Current code:" field, the token will '''NOT''' be initialized!
|}

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

3. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

4. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

5. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for desktop (or Android/iOS) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

3. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

4. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

5. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (Helix).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

6. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

7. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

8. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
Please disable all privacy tools, ad blockers and further add-ons when registering a new Backup TAN list.
|}

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

3. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

4. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

5. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".

'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN, i.e. lost or broken smartphone), you can not access the section "My Tokens" anymore.
In this case you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Open a ticket, include your user name, the name of the bwHPC cluster and ask for a reset of your 2FA tokens.
Please note that this process may take some time and also means additional work for the operators.

= Pros and Cons of the different Solutions =

This section briefly describes the differences between the above solutions.

== Mobile App ==

This sections describes the pros and cons of an app on your mobile device (phone or tablet).

'''Pros:'''
* Can be used at no extra cost if you have a mobile device.
* When using your cell phone, you always have the second factor at your fingertips.

'''Cons:'''
* You need a mobile device.
* If your device is lost or damaged, you will lose your second factor. (''Some services offer cloud synchronization, but you usually need an account and Google Authenticator does not encrypt your TOTP secret keys when storing them in the cloud.'')

== Yubico OTP ==

This sections describes the pros and cons of Yubico OTP. For Yubico OTP to work, you need a Yubikey with Yubico OTP support.

'''Pros:'''
* You do not need a mobile device. All you need is a USB port.
* Simple and fast: The Yubikeys are preconfigured for Yubico OTP. All you need to do is touch the metal plate on the device when prompted.

'''Cons:'''
* You have to spend money on a Yubikey.
* If you lose the device, you will lose the second factor (it is recommended to buy at least two Yubikeys).
* If you do not have your Yubikey with you, you cannot log in to the clusters.
* In bwHPC, the Yubicloud is used to synchronize the Yubico OTP keys (third-party provider).

== Yubikey OATH TOTP ==

This sections describes the pros and cons of Yubikey OATH TOTP. For Yubikey OATH TOTP to work, you need a Yubikey with OATH TOTP support. This solution is similar to the one for mobile apps, but an external pin generator is used.

'''Pros:'''
* You do not need a mobile device. All you need is a USB port.
* You can use multiple devices such as phones and tablets (via USB, Lightning or NFC) or even your computer(s).
* Since the TOTP is calculated on the Yubikey and the computer/mobile device is only used for displaying the TOTP and time synchronization, you can use the same device you use for login.

'''Cons:'''
* You have to spend money on a Yubikey.
* If you lose the device, you will lose the second factor (it is recommended to buy at least two Yubikeys).
* If you do not have your Yubikey with you, you cannot log in to the clusters.

Registration/bwForCluster/Service

2023-11-08T16:52:49Z

C Mosch: /* Step C: bwForCluster Account Creation */

= Prerequisites for Step C =

Prerequisites for successful account creation:
* '''[[Registration/bwForCluster/Entitlement|Step A: bwForCluster Entitlement]]'''
* '''[[Registration/bwForCluster/RV|Step B: Apply for a Rechenvorhaben/project]].

Once you have registered your own RV (''Rechenvorhaben'') or a membership in an RV, you will receive an email with a website to create an account for yourself on that cluster.

= Step C: bwForCluster Registration (Account Creation) =

To finish the registration procedure select the cluster your RV was assigned to:

* '''[[Registration/bwForCluster/BINAC|bwForCluster BINAC]]'''
* '''[[Registration/bwForCluster/JUSTUS2|bwForCluster JUSTUS 2]]'''
* '''[[Registration/bwForCluster/Helix|bwForCluster Helix]]'''
* '''[[Registration/bwForCluster/NEMO|bwForCluster NEMO]]'''

----

[[Registration/bwForCluster| Go back to bwForCluster Registration Home]]

Registration/bwForCluster

2023-11-08T16:52:11Z

C Mosch: /* Three Steps for Registration */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster''' (create an account on the cluster). → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''

After registering, please refer further to '''[[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]]''' at the bottom of the page and to the cluster-specific pages below '''bwHPC Systems''' in the menu on the left.

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and Helix)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only Helix)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

[[Category:Feedback]]

Registration/bwForCluster/Service

2023-11-08T16:51:10Z

C Mosch:

= Prerequisites for Step C =

Prerequisites for successful account creation:
* '''[[Registration/bwForCluster/Entitlement|Step A: bwForCluster Entitlement]]'''
* '''[[Registration/bwForCluster/RV|Step B: Apply for a Rechenvorhaben/project]].

Once you have registered your own RV (''Rechenvorhaben'') or a membership in an RV, you will receive an email with a website to create an account for yourself on that cluster.

= Step C: bwForCluster Account Creation =

To finish the registration procedure select the cluster your RV was assigned to:

* '''[[Registration/bwForCluster/BINAC|bwForCluster BINAC]]'''
* '''[[Registration/bwForCluster/JUSTUS2|bwForCluster JUSTUS 2]]'''
* '''[[Registration/bwForCluster/Helix|bwForCluster Helix]]'''
* '''[[Registration/bwForCluster/NEMO|bwForCluster NEMO]]'''

----

[[Registration/bwForCluster| Go back to bwForCluster Registration Home]]

Registration/bwForCluster/JUSTUS2

2023-04-17T07:59:24Z

C Mosch:

= Registration at the bwForCluster JUSTUS 2 =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
You can return to the registration website at any time, in order to review your registration details, change/reset your service password or de-register from the service by yourself.
|}

After having completed steps A+B please visit the '''[https://login.bwidm.de bwForCluster JUSTUS 2 registration page]'''.

Do the following steps to complete registration:

1. Select your home organization from the list on the main page and click '''Proceed''' or '''Fortfahren'''.
[[File:BwIDM-login.png|center|600px|thumb|Select your home organization]]

2. You will be directed to the ''Identity Provider'' of your home organization.
Enter the username and password of your '''home organization''' (usually these credentials are also used for other services like email) and click '''Login/Einloggen'''.

3. You will be redirected back to the registration page '''https://login.bwidm.de'''.
When you log in to bwIDM for the first time, an overview will appear, with the account information that your home institution submits to the system.
Please verify that all data is valid and then click '''Continue/Weiter'''.

4. After you have successfully logged into the bwIDM system, you will be greeted by a welcome screen that displays all the statewide services you have access to.
There you will find a field labeled '''bwForCluster JUSTUS 2'''.
Click '''Register/Registrieren''' to start the registration process.
[[File:BwIDM-reg.png|center|frame|Register for JUSTUS 2]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* If the service JUSTUS 2 '''is not visible''', then you are probably missing the necessary entitlement. Go to [[Registration/bwForCluster/Entitlement|step A]] to check this.
* By clicking on '''Register''' you automatically subscribe to the '''justus2-users''' mailing list. The list provides news and information related to the bwForCluster JUSTUS 2 for computational chemistry and quantum sciences in Ulm.
* When you '''de-register''' your account from the cluster, you automatically unsubscribe from the list.
|}

5. JUSTUS 2 uses a '''2-factor authentication''' (2FA) mechanism to increase security.
If you have never registered a 2FA token on bwIDM, the following error message will appear:
[[File:Bwidm-3-red.png|center|600px|thumb|Second factor missing.]]

Use this '''[https://login.bwidm.de/user/twofa.xhtml link]''' or select '''Index -> My Tokens''' in the main menu.
To register a new token, please follow these '''[[Registration/2FA|instructions]]'''.
Please complete this step before continuing.

6. Read the Terms of Use ('''Nutzungsbedingungen und -richtlinien'''), place a check mark next to '''I have read and accepted the terms of use''' and click '''Register/Registrieren'''.

7. Set a service password for JUSTUS 2 and click '''Save/Speichern'''.
Be sure to use a secure password that is different from any other passwords you currently use or have used on other systems.
[[File:BwIDM-passwd.png|center|800px|Set service password]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Setting a service password is mandatory for access to any bwForCluster.
|}

----

[[Registration/bwForCluster| Go back to bwForCluster Registration Home]]

Registration/bwForCluster/JUSTUS2

2023-04-05T18:28:08Z

C Mosch:

= Registration at the bwForCluster JUSTUS 2 =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
You can return to the registration website at any time, in order to review your registration details, change/reset your service password or de-register from the service by yourself.
|}

After having completed steps A+B please visit the '''[https://login.bwidm.de bwForCluster JUSTUS 2 registration page]'''.

Do the following steps to complete registration:

1. Select your home organization from the list on the main page and click '''Proceed''' or '''Fortfahren'''.
[[File:BwIDM-login.png|center|600px|thumb|Select your home organization]]

2. You will be directed to the ''Identity Provider'' of your home organization.
Enter the username and password of your '''home organization''' (usually these credentials are also used for other services like email) and click '''Login/Einloggen'''.

3. You will be redirected back to the registration page '''https://login.bwidm.de'''.
When you log in to bwIDM for the first time, an overview will appear, with the account information that your home institution submits to the system.
Please verify that all data is valid and then click '''Continue/Weiter'''.

4. After you have successfully logged into the bwIDM system, you will be greeted by a welcome screen that displays all the statewide services you have access to.
There you will find a field labeled '''bwForCluster JUSTUS 2'''.
Click '''Register/Registrieren''' to start the registration process.
[[File:BwIDM-reg.png|center|frame|Register for JUSTUS 2]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* If the service JUSTUS 2 '''is not visible''', then you are probably missing the necessary entitlement. Go to [[Registration/bwForCluster/Entitlement|step A]] to check this.
* By clicking on '''Register''' you automatically subscribe to the '''[https://imap.uni-ulm.de/lists/info/justus2-users justus2-users]''' mailing list. The list provides news and information related to the bwForCluster JUSTUS 2 for computational chemistry and quantum sciences in Ulm.
* When you '''de-register''' your account from the cluster, you automatically unsubscribe from the list.
|}

5. JUSTUS 2 uses a '''2-factor authentication''' (2FA) mechanism to increase security.
If you have never registered a 2FA token on bwIDM, the following error message will appear:
[[File:Bwidm-3-red.png|center|600px|thumb|Second factor missing.]]

Use this '''[https://login.bwidm.de/user/twofa.xhtml link]''' or select '''Index -> My Tokens''' in the main menu.
To register a new token, please follow these '''[[Registration/2FA|instructions]]'''.
Please complete this step before continuing.

6. Read the Terms of Use ('''Nutzungsbedingungen und -richtlinien'''), place a check mark next to '''I have read and accepted the terms of use''' and click '''Register/Registrieren'''.

7. Set a service password for JUSTUS 2 and click '''Save/Speichern'''.
Be sure to use a secure password that is different from any other passwords you currently use or have used on other systems.
[[File:BwIDM-passwd.png|center|800px|Set service password]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Setting a service password is mandatory for access to any bwForCluster.
|}

----

[[Registration/bwForCluster| Go back to bwForCluster Registration Home]]

Registration/bwForCluster/JUSTUS2

2023-04-05T18:27:14Z

C Mosch: /* Registration at the bwForCluster JUSTUS 2 */

= Registration at the bwForCluster JUSTUS 2 =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
You can return to the registration website at any time, in order to review your registration details, change/reset your service password or de-register from the service by yourself.
|}

After having completed steps A+B please visit the '''[https://login.bwidm.de bwForCluster JUSTUS 2 registration page]'''.

Do the following steps to complete registration:

1. Select your home organization from the list on the main page and click '''Proceed''' or '''Fortfahren'''.
[[File:BwIDM-login.png|center|600px|thumb|Select your home organization]]

2. You will be directed to the ''Identity Provider'' of your home organization.
Enter the username and password of your '''home organization''' (usually these credentials are also used for other services like email) and click '''Login/Einloggen'''.

3. You will be redirected back to the registration page '''https://login.bwidm.de'''.
When you log in to bwIDM for the first time, an overview will appear, with the account information that your home institution submits to the system.
Please verify that all data is valid and then click '''Continue/Weiter'''.

4. After you have successfully logged into the bwIDM system, you will be greeted by a welcome screen that displays all the statewide services you have access to.
There you will find a field labeled '''bwForCluster JUSTUS 2'''.
Click '''Register/Registrieren''' to start the registration process.
[[File:BwIDM-reg.png|center|frame|Register for JUSTUS 2]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* If the service JUSTUS 2 '''is not visible''', then you are probably missing the necessary entitlement. Go to [[Registration/bwForCluster/Entitlement|step A]] to check this.
* By clicking on '''Register''' you automatically subscribe to the '''[https://imap.uni-ulm.de/lists/info/justus2-users justus2-users]''' mailing list. The list provides news and information related to the bwForCluster JUSTUS 2 for computational chemistry and quantum sciences in Ulm.
* When you '''De-Register''' your account from the cluster, you automatically unsubscribe from the list.
|}

5. JUSTUS 2 uses a '''2-factor authentication''' (2FA) mechanism to increase security.
If you have never registered a 2FA token on bwIDM, the following error message will appear:
[[File:Bwidm-3-red.png|center|600px|thumb|Second factor missing.]]

Use this '''[https://login.bwidm.de/user/twofa.xhtml link]''' or select '''Index -> My Tokens''' in the main menu.
To register a new token, please follow these '''[[Registration/2FA|instructions]]'''.
Please complete this step before continuing.

6. Read the Terms of Use ('''Nutzungsbedingungen und -richtlinien'''), place a check mark next to '''I have read and accepted the terms of use''' and click '''Register/Registrieren'''.

7. Set a service password for JUSTUS 2 and click '''Save/Speichern'''.
Be sure to use a secure password that is different from any other passwords you currently use or have used on other systems.
[[File:BwIDM-passwd.png|center|800px|Set service password]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Setting a service password is mandatory for access to any bwForCluster.
|}

----

[[Registration/bwForCluster| Go back to bwForCluster Registration Home]]

Registration/bwForCluster/JUSTUS2

2023-04-05T18:22:00Z

C Mosch:

= Registration at the bwForCluster JUSTUS 2 =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
You can return to the registration website at any time, in order to review your registration details, change/reset your service password or de-register from the service by yourself.
|}

After having completed steps A+B please visit the '''[https://login.bwidm.de bwForCluster JUSTUS 2 registration page]'''.

Do the following steps to complete registration:

1. Select your home organization from the list on the main page and click '''Proceed''' or '''Fortfahren'''.
[[File:BwIDM-login.png|center|600px|thumb|Select your home organization]]

2. You will be directed to the ''Identity Provider'' of your home organization.
Enter the username and password of your '''home organization''' (usually these credentials are also used for other services like email) and click '''Login/Einloggen'''.

3. You will be redirected back to the registration page '''https://login.bwidm.de'''.
When you log in to bwIDM for the first time, an overview will appear, with the account information that your home institution submits to the system.
Please verify that all data is valid and then click '''Continue/Weiter'''.

4. After you have successfully logged into the bwIDM system, you will be greeted by a welcome screen that displays all the statewide services you have access to.
There you will find a field labeled '''bwForCluster JUSTUS 2'''.
Click '''Register/Registrieren''' to start the registration process.
[[File:BwIDM-reg.png|center|frame|Register for JUSTUS 2]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* If you do not see the service, then you are probably missing the necessary entitlement. Go to [[Registration/bwForCluster/Entitlement|step A]] to check this.
* By clicking on '''Register''' you automatically subscribe to the '''[https://imap.uni-ulm.de/lists/info/justus2-users justus2-users]''' mailing list. The list provides news and information related to the bwForCluster JUSTUS 2 for computational chemistry and quantum sciences in Ulm.
* When you '''De-Register''' your account from the cluster, you automatically unsubscribe from the list.
|}

5. JUSTUS 2 uses a '''2-factor authentication''' (2FA) mechanism to increase security.
If you have never registered a 2FA token on bwIDM, the following error message will appear:
[[File:Bwidm-3-red.png|center|600px|thumb|Second factor missing.]]

Use this '''[https://login.bwidm.de/user/twofa.xhtml link]''' or select '''Index -> My Tokens''' in the main menu.
To register a new token, please follow these '''[[Registration/2FA|instructions]]'''.
Please complete this step before continuing.

6. Read the Terms of Use ('''Nutzungsbedingungen und -richtlinien'''), place a check mark next to '''I have read and accepted the terms of use''' and click '''Register/Registrieren'''.

7. Set a service password for JUSTUS 2 and click '''Save/Speichern'''.
Be sure to use a secure password that is different from any other passwords you currently use or have used on other systems.
[[File:BwIDM-passwd.png|center|800px|Set service password]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Setting a service password is mandatory for access to any bwForCluster.
|}

----

[[Registration/bwForCluster| Go back to bwForCluster Registration Home]]

Registration/bwForCluster/JUSTUS2

2023-04-05T18:17:35Z

C Mosch:

= Registration at the bwForCluster JUSTUS 2 =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
You can return to the registration website at any time, in order to review your registration details, change/reset your service password or de-register from the service by yourself.
|}

After having completed steps A+B please visit the '''[https://login.bwidm.de bwForCluster JUSTUS 2 registration page]'''.

Do the following steps to complete registration:

1. Select your home organization from the list on the main page and click '''Proceed''' or '''Fortfahren'''.
[[File:BwIDM-login.png|center|600px|thumb|Select your home organization]]

2. You will be directed to the ''Identity Provider'' of your home organization.
Enter the username and password of your '''home organization''' (usually these credentials are also used for other services like email) and click '''Login/Einloggen'''.

3. You will be redirected back to the registration page '''https://login.bwidm.de'''.
When you log in to bwIDM for the first time, an overview will appear, with the account information that your home institution submits to the system.
Please verify that all data is valid and then click '''Continue/Weiter'''.

4. After you have successfully logged into the bwIDM system, you will be greeted by a welcome screen that displays all the statewide services you have access to.
There you will find a field labeled '''bwForCluster JUSTUS 2'''.
Click '''Register/Registrieren''' to start the registration process.
[[File:BwIDM-reg.png|center|frame|Register for JUSTUS 2]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* If you do not see the service, then you are probably missing the necessary entitlement. Go to [[Registration/bwForCluster/Entitlement|step A]] to check this.
* By clicking on '''Register''' you automatically subscribe to the '''[https://imap.uni-ulm.de/lists/info/justus2-users justus2-users]''' mailing list. It provides news and information related to the bwForCluster JUSTUS 2 for computational chemistry and quantum sciences in Ulm.
|}

5. JUSTUS 2 uses a '''2-factor authentication''' (2FA) mechanism to increase security.
If you have never registered a 2FA token on bwIDM, the following error message will appear:
[[File:Bwidm-3-red.png|center|600px|thumb|Second factor missing.]]

Use this '''[https://login.bwidm.de/user/twofa.xhtml link]''' or select '''Index -> My Tokens''' in the main menu.
To register a new token, please follow these '''[[Registration/2FA|instructions]]'''.
Please complete this step before continuing.

6. Read the Terms of Use ('''Nutzungsbedingungen und -richtlinien'''), place a check mark next to '''I have read and accepted the terms of use''' and click '''Register/Registrieren'''.

7. Set a service password for JUSTUS 2 and click '''Save/Speichern'''.
Be sure to use a secure password that is different from any other passwords you currently use or have used on other systems.
[[File:BwIDM-passwd.png|center|800px|Set service password]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Setting a service password is mandatory for access to any bwForCluster.
|}

----

[[Registration/bwForCluster| Go back to bwForCluster Registration Home]]

JUSTUS2

2022-07-19T14:12:35Z

C Mosch:

[[File:JUSTUS2_pre.jpg|right|frameless|thumb|alt=JUSTUS2 |upright=0.4| JUSTUS 2 ]]
Note: This page replaces replace [[:Category:BwForCluster_JUSTUS_2]] as an overview page.

The '''bwForCluster JUSTUS2''' is a high-performance computer dedicated to Computational Chemistry and Quantum Sciences and located at Ulm University.


{| style=" background:#eeeefe; width:100%;"
| style="padding:8px; background:#dedefe; font-size:120%; font-weight:bold; text-align:left" | Training & Support
|-
|
* [[JUSTUS2/Getting Started|Getting Started]]
* E-Learning Course [https://training.bwhpc.de/goto.php?target=crs_629_rcodeM6n48kAUsT&client_id=BWHPC Introduction to JUSTUS2 ] (URL will be a direct link to the course)
* [https://bw-support.scc.kit.edu/ Submit a Ticket] to support unit 'bwForCluster Justus'
|}

{| style=" background:#deffee; width:100%;"
| style="padding:8px; background:#cef2e0; font-size:120%; font-weight:bold; text-align:left" | User Documentation
|-
|
* [[JUSTUS2/Login|Login]]
* [[JUSTUS2/Hardware|Hardware ]]
* [[JUSTUS2/Hardware#Storage_Architecture|File Systems]]

* [[JUSTUS2/Software|Software]] - pre-installed (scientific) software
* [[JUSTUS2/Slurm|Batch System (Slurm)]] - running compute jobs
* [[JUSTUS2/Visualization|Visualisation]] - using graphical programs
* [[Development]] - compiling software, parallel programming, etc
|}

{| style=" background:#deffee; width:100%;"
| style="padding:8px; background:#cef2e0; font-size:120%; font-weight:bold; text-align:left" | Cluster Funding
|-
|
* [[JUSTUS2/Acknowledgement|Acknowledge]] the cluster in your publications
|}

Registration/2FA

2022-05-10T09:20:19Z

C Mosch: /* Lost Token */

= Generate a Second Factor (2FA) =

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

== How 2FA works ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* andOTP Authenticator for [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android (Google Play)] or [https://f-droid.org/packages/org.shadowice.flocke.andotp/ Android (F-Droid)] ([https://github.com/andOTP/andOTP GitHub])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux]) requires account
* (On Linux you can use [https://keepassxc.org/ KeepassXC] or [https://github.com/paolostivanin/OTPClient otpclient])

These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit [https://www.yubico.com/resources/glossary/oath-totp/ TOTP].

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
* '''Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.''' These tools prevent the registration website from generating new security tokens. When the problems remains (you can not generate the QR code or can not confirm it by clicking CHECK), please try once more with an entirely new unmodified web browser profile.
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (2FA tokens are valid for both clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster MLS&WISO''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"'''.

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

3. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

4. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

5. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' (bwUniCluster and JUSTUS 2) or '''bwServices''' (MLS&WISO).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

3. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

4. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

5. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

3. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

4. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

5. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

6. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

7. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

8. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
Please disable all privacy tools, ad blockers and further add-ons when registering a new Backup TAN list.
|}

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

3. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

4. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

5. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".

'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN, i.e. lost or broken smartphone), you can not access the section "My Tokens" anymore.
In this case you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Open a ticket, include your user name, the name of the bwHPC cluster and ask for a reset of your 2FA tokens.
Please note that this process may take some time and also means additional work for the operators.

Registration/2FA

2022-05-10T09:17:38Z

C Mosch: /* Lost Token */

= Generate a Second Factor (2FA) =

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

== How 2FA works ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* andOTP Authenticator for [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android (Google Play)] or [https://f-droid.org/packages/org.shadowice.flocke.andotp/ Android (F-Droid)] ([https://github.com/andOTP/andOTP GitHub])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux]) requires account
* (On Linux you can use [https://keepassxc.org/ KeepassXC] or [https://github.com/paolostivanin/OTPClient otpclient])

These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit [https://www.yubico.com/resources/glossary/oath-totp/ TOTP].

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
* '''Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.''' These tools prevent the registration website from generating new security tokens. When the problems remains (you can not generate the QR code or can not confirm it by clicking CHECK), please try once more with an entirely new unmodified web browser profile.
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (2FA tokens are valid for both clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster MLS&WISO''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"'''.

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

3. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

4. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

5. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' (bwUniCluster and JUSTUS 2) or '''bwServices''' (MLS&WISO).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

3. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

4. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

5. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

3. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

4. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

5. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

6. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

7. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

8. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
Please disable all privacy tools, ad blockers and further add-ons when registering a new Backup TAN list.
|}

1. Select the [[Registration/2FA#Token_Management|registration server]] of the cluster for which you want to create a second factor and login to it.

2. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

3. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

4. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

5. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you have lost a token, please create a new one.
If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".

'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN), you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Open a ticket, include your user name, the name of the bwHPC cluster and ask for a reset of your 2FA tokens.
Please note that this process may take some time and also means additional work for the operators.

JUSTUS2

2022-03-10T17:04:26Z

C Mosch:

[[File:JUSTUS2_pre.jpg|right|frameless|thumb|alt=JUSTUS2 |upright=0.4| JUSTUS 2 ]]
This page is supposed to replace [[:Category:BwForCluster_JUSTUS_2]] as an overview page. Please refer back to the category for now.

The '''bwForCluster JUSTUS2''' is a high-performance computer dedicated to Computational Chemistry and Quantum Sciences and located at Ulm University.


{| style=" background:#eeeefe; width:100%;"
| style="padding:8px; background:#dedefe; font-size:120%; font-weight:bold; text-align:left" | Training & Support
|-
|
* [[JUSTUS2/Getting Started|Getting Started]]
* E-Learning Course [https://training.bwhpc.de/ Introduction to JUSTUS2 ] (URL will be a direct link to the course)
* [https://bw-support.scc.kit.edu/ Submit a Ticket] to support unit 'bwForCluster Justus'
|}

{| style=" background:#deffee; width:100%;"
| style="padding:8px; background:#cef2e0; font-size:120%; font-weight:bold; text-align:left" | User Documentation
|-
|
* [[JUSTUS2/Login|Login]]
* [[JUSTUS2/Hardware|Hardware and Architecture]]
* [[JUSTUS2/Filesystems|File Systems and Workspaces]]

* [[JUSTUS2/Software|Software]]
* [[JUSTUS2/Slurm|Batch System]]
* [[JUSTUS2/Visualization|Visualisation]]
|}

{| style=" background:#deffee; width:100%;"
| style="padding:8px; background:#cef2e0; font-size:120%; font-weight:bold; text-align:left" | Cluster Funding
|-
|
* [[JUSTUS2/Acknowledgement|Acknowledge]] the cluster in your publications
|}

JUSTUS2/Software

2022-03-10T17:04:16Z

C Mosch:

== Environment Modules ==
Most software is provided as Modules.

Required reading to use: [[Environment Modules]]

== Software Search ==
Visit [https://www.bwhpc.de/software.php https://www.bwhpc.de/software.php], select <code>Cluster → bwForCluster JUSTUS2</code>

== Documentation ==
Documentation by the cluster operators:
{| style="width:100%;"
|- style="background:#eeeeee;" |
| <code>module help</code> || See section: [[Environment_Modules#module_help]]
|- style="background:#dddddd; " |
| examples in <code>$SOFTNAME_EXA_DIR</code> || See section: [[Environment_Modules#Software_job_examples]]
|- style="background:#eeeeee; " |
| this wiki || See below
|}

== Documentation in the Wiki ==
Modules with additional documentation here in the wiki:

* [[JUSTUS2/Software/ADF|ADF]]

* [[JUSTUS2/Software/Dalton|Dalton]]

* [[JUSTUS2/Software/Gaussian|Gaussian]]

* [[JUSTUS2/Software/Gaussview|Gaussview]]

* [[JUSTUS2/Software/Molden|Molden]]

* [[JUSTUS2/Software/Schrodinger|Schrodinger]]

* [[JUSTUS2/Software/VASP|VASP]]

JUSTUS2

2022-03-10T16:58:08Z

C Mosch:

JUSTUS2/Software

2022-03-10T16:57:35Z

C Mosch:

JUSTUS2/Software

2022-03-10T15:14:41Z

C Mosch: /* Documentation in the Wiki */

== Documentation ==
Documentation by the cluster operators is mainly provided in three forms:
* the <code>module help</code> of software modules
* examples in $SOFTNAME_EXA_DIR (replace SOFTNAME with name of the software)
* this wiki

Required reading for the first two forms of documentation:
* [[Environment Modules]]

=== Documentation in the Wiki ===
Modules with additional documentation here in the wiki:

* [[JUSTUS2/Software/ADF|ADF]]

* [[JUSTUS2/Software/Dalton|Dalton]]

* [[JUSTUS2/Software/Gaussian|Gaussian]]

* [[JUSTUS2/Software/Gaussview|Gaussview]]

* [[JUSTUS2/Software/Molden|Molden]]

* [[JUSTUS2/Software/Schrodinger|Schrodinger]]

* [[JUSTUS2/Software/VASP|VASP]]

VASP

2022-03-10T14:56:59Z

C Mosch: C Mosch moved page VASP to JUSTUS2/Software/VASP

#REDIRECT [[JUSTUS2/Software/VASP]]

JUSTUS2/Software/VASP

2022-03-10T14:56:59Z

C Mosch: C Mosch moved page VASP to JUSTUS2/Software/VASP

{{Softwarepage|chem/vasp}}

{| width=600px class="wikitable"
|-
! Description !! Content
|-
| module load
| chem/vasp
|-
| License
| Commercial VASP license. [[#License and Citing|See text]].
|-
| Citing
| [[#License and Citing|See VASP license and documentation]]
|-
| Links
| [https://www.vasp.at/ Homepage] | [https://www.vasp.at/index.php/documentation Documentation]
|-
| Graphical Interface
| No (only via 3rd party tools like VMD)
|}

= Description =
The Vienna Ab initio Simulation Package ('''VASP''') is an atomic scale materials modelling
program for e.g. electronic structure calculations and quantum-mechanical molecular dynamics.
Although the focus is on simulation of periodic structures like solids and surfaces, molecular
structures can be simulated as well by the so-called ''supercell approach''. VASP is a plane
wave code using PAW (projector augmented wave) pseudopotentials. Exchange and correlation
effects are described based on DFT (density functional theory) as well as Hartree-Fock
and post Hartree-Fock methods.

Some features of VASP:
* Functionals: LDA, GGAs, metaGGAs, Hartree-Fock, Hartree-Fock/DFT hybrids
* Dynamics: Born-Oppenheimer molecular dynamics
* Relaxation: Conjugate gradient, quasi-Newton or damped molecular dynamics
* Transition state search: Nudged elastic band methods, climbing dimer method
* Linear response to electric fields: Static dielectric properties, Born effective charge tensors, piezoelectric tensors
* Green's function methods: GW quasiparticles
* Magnetism: Collinear and non-collinear, spin-orbit coupling
* Linear response to ionic displacements: Phonons, elastic constants, internal strain tensors

For more information on VASP please
visit [https://www.vasp.at/index.php/about-vasp/59-about-vasp What is VASP?].
 
 

= License and Citing =
VASP is available only for groups with a valid group license. Furthermore every
scientist has to be registered with his group VASP license
at [http://vasp.at the VASP group in Vienna] before we can grant access to the
VASP binaries or pseudopotentials.

In future publications of work performed using VASP, the
use of the software shall be properly acknowledged, e.g. in the form:

The calculations have been performed using the ab-initio total-energy and
molecular-dynamics program VASP (Vienna ab-initio simulation program)
developed at the Institut für Materialphysik of the Universität Wien [1,2]. 
[1] G. Kresse and J. Furthmüller, Phys. Rev. B '''54''', 11169 (1996). 
If the PAW-version is used, an additional reference shell be made to: 
[2] G. Kresse and D. Joubert, Phys. Rev. '''59''', 1758 (1999).

If special features or method implemented in VASP are used,
reference should be made to the relevant publications
as listed on the [http://vasp.at VASP home-page] (see also
the [http://cms.mpi.univie.ac.at/vasp/vasp/Bibliography.html Bibliography]
of the [http://cms.mpi.univie.ac.at/vasp/vasp/vasp.html VASP manual]).
 
 

= Usage =

== Parallel computing and disk usage ==
Depending on the resources requested from the queueing system,
the ''vasp'' script automatically detects whether to run the
serial or the MPI-parallel version.

If running on multiple nodes, the job must run within
a common job directory visible on all nodes. So in case of
multi-node jobs, using ''/tmp/$USER'' is no option.

To lower the disk I/O demands of the VASP jobs one should
add the options
<pre>
LWAVE = .FALSE.; LCHARG = .FALSE.; LVTOT = .FALSE.
</pre>
to the ''INCAR'' file. For further hints on how to optimize
your VASP see the [http://cms.mpi.univie.ac.at/vasp/vasp/vasp.html VASP online manual]
and [http://cms.mpi.univie.ac.at/wiki/index.php/The_VASP_Manual VASP wiki] as well
as the module help of VASP:
<pre>
$ module help chem/vasp
</pre>
 

----
[[Category:Chemistry software]][[Category:bwUniCluster]]

Registration/bwUniCluster

2022-02-24T14:41:20Z

C Mosch: /* Three Steps for Registration */

= Registration bwUniCluster =

The [[bwUniCluster 2.0]] is the universal cluster for tier 3 high performance computing (HPC) in Baden-Württemberg.
It is co-financed by the Ministry of Science, Research and the Arts Baden-Württemberg and the shareholders:
* Universität Freiburg
* Universität Heidelberg
* Universität Hohenheim
* Karlsruhe Institute of Technology (KIT)
* Universität Konstanz
* Universität Mannheim
* Universität Stuttgart
* Universität Tübingen
* Universität Ulm
* [[Registration/HAW|HAW BW e.V.]] (an association of several universities of applied sciences in Baden-Württemberg)

All members of the shareholder universities can apply for an account.

The use of the bwUniCluster is free of charge.

== Three Steps for Registration ==

The registration process for the bwUniCluster is divided into three steps:

* Step A: You need to get the '''bwUniCluster Entitlement''' from your university/college. → '''[[Registration/bwUniCluster/Entitlement|Step A: bwUniCluster Entitlement]]
* Step B: You need to '''register for the service bwUniCluster'''. → '''[[Registration/bwUniCluster/Service|Step B: bwUniCluster Registration]]
* Step C: You need to fill out the '''bwUniCluster questionnaire within 14 days'''. → '''[[Registration/bwUniCluster/Questionnaire|Step C: bwUniCluster Questionnaire]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please fill out the bwUniCluster questionnaire within 14 days after registration. Otherwise your login to the cluster will be deactivated.
|}

After registering, please refer further to '''[[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]]''' at the bottom of the page and to the cluster-specific pages below '''bwHPC Systems''' in the menu on the left.

[[File:bwUniCluster-Registration.png|center|bwUniCluster Registration Process]]

== Information for already registered users ==

* If you want to '''login''' to the bwUniCluster, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]'''
* If you need to '''change or forgot your password''' for the bwUniCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on the bwUniCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]'''
* If you want do '''de-register your user account''' from the bwUniCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

== Contact / Support ==

If you have questions or problems concerning the bwUniCluster registration, please [[bwUniCluster 2.0 Support|contact your local hotline]].

Registration/bwUniCluster

2022-02-24T14:40:51Z

C Mosch: /* Three Steps for Registration */

= Registration bwUniCluster =

The [[bwUniCluster 2.0]] is the universal cluster for tier 3 high performance computing (HPC) in Baden-Württemberg.
It is co-financed by the Ministry of Science, Research and the Arts Baden-Württemberg and the shareholders:
* Universität Freiburg
* Universität Heidelberg
* Universität Hohenheim
* Karlsruhe Institute of Technology (KIT)
* Universität Konstanz
* Universität Mannheim
* Universität Stuttgart
* Universität Tübingen
* Universität Ulm
* [[Registration/HAW|HAW BW e.V.]] (an association of several universities of applied sciences in Baden-Württemberg)

All members of the shareholder universities can apply for an account.

The use of the bwUniCluster is free of charge.

== Three Steps for Registration ==

The registration process for the bwUniCluster is divided into three steps:

* Step A: You need to get the '''bwUniCluster Entitlement''' from your university/college. → '''[[Registration/bwUniCluster/Entitlement|Step A: bwUniCluster Entitlement]]
* Step B: You need to '''register for the service bwUniCluster'''. → '''[[Registration/bwUniCluster/Service|Step B: bwUniCluster Registration]]
* Step C: You need to fill out the '''bwUniCluster questionnaire within 14 days'''. → '''[[Registration/bwUniCluster/Questionnaire|Step C: bwUniCluster Questionnaire]]
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please fill out the bwUniCluster questionnaire within 14 days after registration. Otherwise your login to the cluster will be deactivated.
|}

After registering, please refer further to '''[[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]]''' at the bottom and the page or to the cluster-specific pages below '''bwHPC Systems''' in the menu on the left.

[[File:bwUniCluster-Registration.png|center|bwUniCluster Registration Process]]

== Information for already registered users ==

* If you want to '''login''' to the bwUniCluster, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]'''
* If you need to '''change or forgot your password''' for the bwUniCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on the bwUniCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]'''
* If you want do '''de-register your user account''' from the bwUniCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

== Contact / Support ==

If you have questions or problems concerning the bwUniCluster registration, please [[bwUniCluster 2.0 Support|contact your local hotline]].

Registration/bwForCluster

2022-02-24T14:40:09Z

C Mosch: /* Three Steps for Registration */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster'''. → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''

After registering, please refer further to '''[[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]]''' at the bottom of the page and to the cluster-specific pages below '''bwHPC Systems''' in the menu on the left.

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and MLS&WISO)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only MLS&WISO)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

Registration/bwForCluster

2022-02-17T15:56:14Z

C Mosch: /* Three Steps for Registration */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster'''. → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''

After registering, please refer further to '''[[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]]''' at the bottom of the page or to the cluster-specific pages below '''bwHPC Systems''' in the menu on the left.

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and MLS&WISO)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only MLS&WISO)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

Registration/bwForCluster

2022-02-17T11:29:14Z

C Mosch: /* Three Steps for Registration */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster'''. → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''

After registering, please refer further to [[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]] at the bottom of the page or to the cluster-specific pages below '''bwHPC Systems''' in the menu on the left.

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and MLS&WISO)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only MLS&WISO)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

Registration/bwForCluster

2022-02-17T11:27:57Z

C Mosch: /* Information for already registered users */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster'''. → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''

After registering, please refer further to [[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]] at the bottom of the page or to the cluster-specific pages.

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and MLS&WISO)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only MLS&WISO)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

Registration/bwForCluster

2022-02-17T11:27:41Z

C Mosch: /* Three Steps for Registration */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster'''. → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''

After registering, please refer further to [[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]] at the bottom of the page or to the cluster-specific pages.

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* For cluster specific documentation see links below '''bwHPC Systems''' in the menu on the left.
* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and MLS&WISO)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only MLS&WISO)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

Registration/bwForCluster

2022-02-17T11:24:47Z

C Mosch: /* Information for already registered users */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster'''. → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''
* See next chapter 1.2 for further steps (e.g. login).

After registering, please refer further to [[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]] at the bottom of the page or to the cluster-specific pages.

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* For cluster specific documentation see links below '''bwHPC Systems''' in the menu on the left.
* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and MLS&WISO)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only MLS&WISO)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

Registration/bwForCluster

2022-02-17T11:23:56Z

C Mosch: /* Information for already registered users */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster'''. → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''
* See next chapter 1.2 for further steps (e.g. login).

After registering, please refer further to [[Registration/bwForCluster#Information_for_already_registered_users|Information for already registered users]] at the bottom of the page or to the cluster-specific pages.

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* For cluster specific documentation see '''bwHPC Systems''' in the menu on the left side.
* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and MLS&WISO)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only MLS&WISO)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

Registration/bwForCluster

2022-02-17T11:20:43Z

C Mosch: /* Three Steps for Registration */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster'''. → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''
* See next chapter 1.2 for further steps (e.g. login).

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and MLS&WISO)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only MLS&WISO)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

Registration/bwForCluster

2022-02-17T11:14:39Z

C Mosch: /* Three Steps for Registration */

= Registration bwForCluster =

A bwForCluster is a cluster for a specific [https://www.bwhpc.de/cluster.php research area].
You can apply for a bwForCluster and the "cluster assignment team" will assign you to the appropriate cluster for your research area, taking into account your specific hardware/software needs.
bwForClusters are funded by the German Research Foundation (DFG) and the Ministry of Science, Research and the Arts of Baden-Württemberg on the basis of grant applications (cf. proposals application guidelines according to Art. 91b GG).

All members of the universities in Baden-Württemberg can apply for an account.

The use of the bwForClusters is free of charge.

== Three Steps for Registration ==

The registration process for a bwForCluster is divided into three steps, whereby step A+B can be performed in parallel.
When both are completed, you can perform step C.
To which cluster you get access depends on your research area and will be decided in step B.

* Step A: You need to get the '''bwForCluster Entitlement''' from your university/college. → '''[[Registration/bwForCluster/Entitlement|bwForCluster User Access Step A]]'''
* Step B: You need to '''apply for a Rechenvorhaben/project''' on the "central application site" (ZAS). → '''[[Registration/bwForCluster/RV|bwForCluster User Access Step B]]'''
* Step C: You need to '''register for a bwForCluster'''. → '''[[Registration/bwForCluster/Service|bwForCluster User Access Step C]]'''
* See next chapter 1.2 below for further steps.

[[File:bwForCluster-Registration.png|center|bwForCluster Registration Process]]

== Information for already registered users ==

* If you want to '''login''' to one of the bwForClusters, please refer to the general → '''[[Registration/Login|Login Guide]]'''
* If you want to '''create a second factor''', please refer to → '''[[Registration/2FA|Generate a Second Factor (2FA)]]''' (only Justus 2 and MLS&WISO)
* If you need to '''change or forgot your password''' for a bwForCluster, please refer to the general → '''[[Registration/Password|Password Guide]]'''
* If you want to '''use SSH keys''' on a bwForCluster, please refer to → '''[[Registration/SSH|Registering SSH Keys with your Cluster]]''' (only MLS&WISO)
* If you want do '''de-register your user account''' from a bwForCluster, please refer to the general → '''[[Registration/Deregistration|De-registration Guide]]'''

Registration/Browser

2022-02-16T15:35:30Z

C Mosch: /* Firefox Troubleshoot Mode */

= Disabling Add Ons in Browsers =

Some user interfaces can be blocked by browser add-ons during the registration process or when changes are made afterwards, such as the "[[Registration/2FA|Second Factor (2FA)]]" and [[Registration/SSH|SSH]] settings.
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.

For Chrome, we recommend using "Incognito Mode" when configuring 2FA and SSH.
For Firefox, please use the "Troubleshoot Mode".

== Chrome Incognito Mode ==

By default, Chrome's incognito mode disables add-ons, but you can manually enable them for this mode as well.
If this is the case, please disable them manually again first.

You can start Chrome incognito mode by either, ...

1. pressing '''CTRL+SHIFT+N''' in an already open Chrome window, ...

2. typing <code>google-chrome --incognito</code> in a linux console or <code>chrome.exe --incognito</code> in a Windows console or ...

3. '''selecting "New Incognito Window" from the burger menu''' in the upper right corner.
[[File:Chrome-inc.png|center|400px|thumb|Chrome Incognito Mode.]]

== Firefox Troubleshoot Mode ==

For Firefox, we recommend using the "Troubleshoot Mode".
In this mode, all add-ons are disabled.

You can start Firefox "Troubleshoot Mode" or "Safe Mode" by either, ...

1. (Firefox NOT running) typing <code>firefox --safe-mode</code> in a linux console or <code>firefox.exe --safe-mode</code> in a Windows console or ...

2. (Firefox already running) '''selecting "Help" and then "Troubleshoot Mode" from the burger menu''' in the upper right corner.
[[File:Firefox-safe.png|center|400px|thumb|Firefox Troubleshoot Mode.]]

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Be careful: This step will reload all currently loaded browser tabs without any Add-Ons.
|}

Select '''Open''' to start "Troubleshoot Mode".
[[File:Firefox-safe-open.png|center|400px|thumb|Start Troubleshoot Mode by clicking Open.]]

Registration/Browser

2022-02-16T15:29:23Z

C Mosch: /* Firefox Troubleshoot Mode */

= Disabling Add Ons in Browsers =

Some user interfaces can be blocked by browser add-ons during the registration process or when changes are made afterwards, such as the "[[Registration/2FA|Second Factor (2FA)]]" and [[Registration/SSH|SSH]] settings.
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.

For Chrome, we recommend using "Incognito Mode" when configuring 2FA and SSH.
For Firefox, please use the "Troubleshoot Mode".

== Chrome Incognito Mode ==

By default, Chrome's incognito mode disables add-ons, but you can manually enable them for this mode as well.
If this is the case, please disable them manually again first.

You can start Chrome incognito mode by either, ...

1. pressing '''CTRL+SHIFT+N''' in an already open Chrome window, ...

2. typing <code>google-chrome --incognito</code> in a linux console or <code>chrome.exe --incognito</code> in a Windows console or ...

3. '''selecting "New Incognito Window" from the burger menu''' in the upper right corner.
[[File:Chrome-inc.png|center|400px|thumb|Chrome Incognito Mode.]]

== Firefox Troubleshoot Mode ==

For Firefox, we recommend using the "Troubleshoot Mode".
In this mode, all add-ons are disabled.

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Be careful: Following steps will reload all your browser windows.
|}

You can start Firefox "Troubleshoot Mode" or "Safe Mode" by either, ...

1. typing <code>firefox --safe-mode</code> in a linux console or <code>firefox.exe --safe-mode</code> in a Windows console or ...

2. '''selecting "Help" and then "Troubleshoot Mode" from the burger menu''' in the upper right corner.
[[File:Firefox-safe.png|center|400px|thumb|Firefox Troubleshoot Mode.]]
Select '''Open''' to start "Troubleshoot Mode".
[[File:Firefox-safe-open.png|center|400px|thumb|Start Troubleshoot Mode by clicking Open.]]

Registration/2FA

2022-02-15T20:00:02Z

C Mosch: /* Token Management */

= Generate a Second Factor (2FA) =

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

== How 2FA works ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* andOTP Authenticator for [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android (Google Play)] or [https://f-droid.org/packages/org.shadowice.flocke.andotp/ Android (F-Droid)] ([https://github.com/andOTP/andOTP GitHub])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux]) requires account
* (On Linux you can use [https://keepassxc.org/ KeepassXC] or [https://github.com/paolostivanin/OTPClient otpclient])

These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit [https://www.yubico.com/resources/glossary/oath-totp/ TOTP].

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
* '''Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.''' These tools prevent the registration website from generating new security tokens. When the problems remains (you can not generate the QR code or can not confirm it by clicking CHECK), please try once more with an entirely new unmodified web browser profile.
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (2FA tokens are valid for both clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster MLS&WISO''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"'''.

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

3. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

4. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' (bwUniCluster and JUSTUS 2) or '''bwServices''' (MLS&WISO).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.

5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

6. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

3. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

4. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

3. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

4. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

5. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
|}

1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

4. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you have lost a token, please create a new one.
If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".
'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN), you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Please note that this process may take some time and also means additional work for the operators.

Registration/2FA

2022-02-15T19:23:46Z

C Mosch: /* Token Management */

= Generate a Second Factor (2FA) =

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

== How 2FA works ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* andOTP Authenticator for [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android (Google Play)] or [https://f-droid.org/packages/org.shadowice.flocke.andotp/ Android (F-Droid)] ([https://github.com/andOTP/andOTP GitHub])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux]) requires account
* (On Linux you can use [https://keepassxc.org/ KeepassXC] or [https://github.com/paolostivanin/OTPClient otpclient])

These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit [https://www.yubico.com/resources/glossary/oath-totp/ TOTP].

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
* '''Please disable all privacy tools, ad blockers and further add-ons when registering new tokens. These tools prevent the registration website from generating new security tokens. When the problems remains (you can not generate the QR code or can not confirm it by clicking CHECK), please try once more with an entirely new unmodified web browser profile.'''
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (2FA tokens are valid for both clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster MLS&WISO''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"'''.

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

3. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

4. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' (bwUniCluster and JUSTUS 2) or '''bwServices''' (MLS&WISO).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.

5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

6. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

3. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

4. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

3. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

4. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

5. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
|}

1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

4. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you have lost a token, please create a new one.
If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".
'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN), you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Please note that this process may take some time and also means additional work for the operators.

Registration/2FA

2022-02-15T19:18:04Z

C Mosch: /* Token Management */

= Generate a Second Factor (2FA) =

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

== How 2FA works ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* andOTP Authenticator for [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android (Google Play)] or [https://f-droid.org/packages/org.shadowice.flocke.andotp/ Android (F-Droid)] ([https://github.com/andOTP/andOTP GitHub])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux]) requires account
* (On Linux you can use [https://keepassxc.org/ KeepassXC] or [https://github.com/paolostivanin/OTPClient otpclient])

These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit [https://www.yubico.com/resources/glossary/oath-totp/ TOTP].

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (2FA tokens are valid for both clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster MLS&WISO''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"'''.

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

3. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

4. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' (bwUniCluster and JUSTUS 2) or '''bwServices''' (MLS&WISO).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
In case of problems when generating the QR code or when confirming it by clicking CHECK: Please disable all privacy tools, ad blockers and further add-ons when registering new tokens. These tools prevent the registration website from generating new security tokens. When the problems remains, please try again with an entirely new unmodified web browser profile.
|}

5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

6. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

3. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

4. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

3. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

4. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

5. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
|}

1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

4. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you have lost a token, please create a new one.
If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".
'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN), you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Please note that this process may take some time and also means additional work for the operators.

Registration/2FA

2022-02-15T19:12:35Z

C Mosch: /* Registering a new Software Token using a Mobile APP */

= Generate a Second Factor (2FA) =

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

== How 2FA works ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* andOTP Authenticator for [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android (Google Play)] or [https://f-droid.org/packages/org.shadowice.flocke.andotp/ Android (F-Droid)] ([https://github.com/andOTP/andOTP GitHub])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux]) requires account
* (On Linux you can use [https://keepassxc.org/ KeepassXC] or [https://github.com/paolostivanin/OTPClient otpclient])

These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit [https://www.yubico.com/resources/glossary/oath-totp/ TOTP].

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please disable all privacy tools, ad blockers and further add-ons when registering new tokens. These tools prevent the registration website from generating new security tokens. When there are still problems to enter the TOTP activation code "Current code" please try again with a new clean web browser profile.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (2FA tokens are valid for both clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster MLS&WISO''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"'''.

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

3. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

4. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' (bwUniCluster and JUSTUS 2) or '''bwServices''' (MLS&WISO).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.

5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

6. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

3. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

4. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

3. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

4. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

5. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
|}

1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

4. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you have lost a token, please create a new one.
If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".
'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN), you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Please note that this process may take some time and also means additional work for the operators.

Registration/2FA

2022-02-15T19:12:06Z

C Mosch: /* Registering a new Software Token using a Mobile APP */

= Generate a Second Factor (2FA) =

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

== How 2FA works ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* andOTP Authenticator for [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android (Google Play)] or [https://f-droid.org/packages/org.shadowice.flocke.andotp/ Android (F-Droid)] ([https://github.com/andOTP/andOTP GitHub])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux]) requires account
* (On Linux you can use [https://keepassxc.org/ KeepassXC] or [https://github.com/paolostivanin/OTPClient otpclient])

These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit [https://www.yubico.com/resources/glossary/oath-totp/ TOTP].

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please disable all privacy tools, ad blockers and further add-ons when registering new tokens. These tools prevent the registration website from generating new security tokens. When there are still problems to enter the TOTP activation code "Current code" please try again with a new clean web browser profile.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (2FA tokens are valid for both clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster MLS&WISO''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"'''.

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

3. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

4. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' (bwUniCluster and JUSTUS 2) or '''bwServices''' (MLS&WISO).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''Check'''.

5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

6. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

3. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

4. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

3. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

4. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

5. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
|}

1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

4. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you have lost a token, please create a new one.
If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".
'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN), you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Please note that this process may take some time and also means additional work for the operators.

Registration/2FA

2022-02-15T18:41:24Z

C Mosch: /* Token Management */

= Generate a Second Factor (2FA) =

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

== How 2FA works ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* andOTP Authenticator for [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android (Google Play)] or [https://f-droid.org/packages/org.shadowice.flocke.andotp/ Android (F-Droid)] ([https://github.com/andOTP/andOTP GitHub])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux]) requires account
* (On Linux you can use [https://keepassxc.org/ KeepassXC] or [https://github.com/paolostivanin/OTPClient otpclient])

These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit [https://www.yubico.com/resources/glossary/oath-totp/ TOTP].

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please disable all privacy tools, ad blockers and further add-ons when registering new tokens. These tools prevent the registration website from generating new security tokens. When there are still problems to enter the TOTP activation code "Current code" please try again with a new clean web browser profile.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (2FA tokens are valid for both clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster MLS&WISO''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"'''.

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

3. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

4. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''Check'''.

5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

6. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

3. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

4. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

3. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

4. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

5. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
|}

1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

4. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you have lost a token, please create a new one.
If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".
'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN), you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Please note that this process may take some time and also means additional work for the operators.

Registration/2FA

2022-02-15T18:38:38Z

C Mosch: /* Token Management */

= Generate a Second Factor (2FA) =

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to bwUniCluster/bwForClusters. In addition to the service password a second value, the '''second factor''', has to be entered on every login.

== How 2FA works ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same.
Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
|}

[[File:2fa token code.jpg|right|200px|thumb|Hardware Token for TOTP]]
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent '''one-time passwords''' (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a '''hardware token''') or of a normal application running on a common device (a '''software token''').

The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values (TOTPs) which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

Typically a new TOTP value is generated every 30 seconds. When the current TOTP value has once been used successfully for a login, it is depleted and one has to wait up to 30 seconds for the next TOTP value.

[[File:Otpapp.png|right|150px|thumb|Source: https://getaegis.app]]

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] ([https://www.microsoft.com/de-de/security/mobile-authenticator-app Web Page])
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/us/app/lastpass-authenticator/id1079110004 iOS] or [https://lastpass.com/auth/ Windows]
* Aegis Authenticator for [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Android (Google Play)] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ Android (F-Droid)] ([https://getaegis.app/ Web Page])
* andOTP Authenticator for [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android (Google Play)] or [https://f-droid.org/packages/org.shadowice.flocke.andotp/ Android (F-Droid)] ([https://github.com/andOTP/andOTP GitHub])
* OTP Auth for [https://apps.apple.com/app/otp-auth/id659877384 iOS]
* (Authy for [https://play.google.com/store/apps/details?id=com.authy.authy Android], [https://apps.apple.com/us/app/authy/id494168017 iOS], [https://authy.com/download/ Mac, Windows or Linux]) requires account
* (On Linux you can use [https://keepassxc.org/ KeepassXC] or [https://github.com/paolostivanin/OTPClient otpclient])

These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP] is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit [https://www.yubico.com/resources/glossary/oath-totp/ TOTP].

= Token Management =

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please disable all privacy tools, ad blockers and further add-ons when registering new tokens. These tools prevent the registration website from generating new security tokens. When there are still problems please try again with a new clean web browser profile.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
|}

'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete tokens.

To activate the second factor, '''please perform the following steps:'''

1. '''Select the registration server of the cluster''' for which you want to create a second factor and login to it: → [https://login.bwidm.de/user/twofa.xhtml Registration server for '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (2FA tokens are valid for both clusters; KIT members can reuse their existing hardware and software tokens) → [https://bwservices.uni-heidelberg.de//user/twofa.xhtml Registration server for '''bwForCluster MLS&WISO''']
[[File:BwIDM-twofa.png|center|600px|thumb|My Tokens]]

2. '''Register a new "[[Registration/2FA#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"''' or if you own a [https://www.yubico.com/ Yubikey]''' register a new "[[Registration/2FA#Registering_a_new_Yubikey_OTP_Token|Yubikey Token]]"''' or '''"[[Registration/2FA#Registering_a_new_Yubikey_OATH_TOTP_Token|Yubikey OATH TOTP Token]]"'''.

3. '''Register a new "[[Registration/2FA#Backup_TAN_List|TAN List]]" (backup TAN list)'''.

4. Repeat step 2. for additional tokens.

== Registering a new Software Token using a Mobile APP ==

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

3. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

4. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''Check'''.

5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

6. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OTP Token ==

[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code or extra software.
New Yubikeys are already configured to provide Yubikey OTP in slot 1.
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]].

1. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead.
[[File:BwIDM-token.png|center|600px|thumb|Generate Yubikey OTP]]

2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey.
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey.
[[File:BwIDM-yubikey.png|center|400px|thumb|Yubikey OTP]]

3. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey.
[[File:BwIDM-yubikey2.png|center|400px|thumb|Success]]

4. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Registering a new Yubikey OATH TOTP Token ==

[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes.
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first.
Insert your Yubikey in your computer.
"Yubikey OTP" (not "Yubikey OATH TOTP") is even easier and you don't need a device that displays the six-digit code or extra software (go to step [[Registration/2FA#Yubikey_OTP|Yubikey OTP]]).

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}

3. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''.
[[File:BwIDM-yubi1.png|center|600px|thumb|QR Code and Yubico Authenticator on Linux]]

4. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO).
Click '''Add account'''.
[[File:BwIDM-yubi2.png|center|600px|thumb|Create new TOTP on Yubico Authenticator]]

5. You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
[[File:BwIDM-yubi3.png|center|600px|thumb|Verify TOTP]]

6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

7. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

== Backup TAN List ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
|}

1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]

4. Repeat the process to register additional tokens.

== Deactivating a Token ==

Click '''Disable''' next to the Token entry on the '''My Tokens''' screen.

== Deleting a Token ==

After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token.

= Returning Users =

Returning users who have already activated one or more tokens must first verify their token before they can create new tokens or deactivate/delete old ones.
If you no longer have valid tokens, you will not be able to create or manage tokens.
In this case, read the section [[Registration/2FA#Lost_Token|Lost Token]].
[[File:BwIDM-totp.png|center|400px|thumb|Returning users must first verify their token.]]

= Lost Token =

If you have lost a token, please create a new one.
If you change your phone, please migrate your tokens first or register your new mobile app under "My Tokens".
'''If you no longer have valid tokens (mobile app, hardware token, Yubikey or backup TAN), you will need to contact the [https://bw-support.scc.kit.edu/ ticket system].'''
Please note that this process may take some time and also means additional work for the operators.

JUSTUS2/Login

2022-02-10T22:43:00Z

C Mosch: /* Further reading */

= Login to JUSTUS 2 =

== Prerequisites for login ==

* You have registered your account at the registration server for JUSTUS 2.
** If this is still missing, then please log in to the [https://wiki.bwhpc.de/e/Registration/bwForCluster/JUSTUS2 registration server of JUSTUS2] and click on "Register" in section "JUSTUS 2".

* You have set a service password for JUSTUS 2.
** If you have not done so already, then please log in to the [https://wiki.bwhpc.de/e/Registration/Password registration server of JUSTUS2] and select "Set Password" in section "JUSTUS 2".

* You have set up a time-based one-time password (TOTP) for the two factor authentication (2FA) log in.
** If this is still missing, then please follow the instructions for registering a new 2FA token on the following page: [https://wiki.bwhpc.de/e/Registration/2FA BwForCluster User Access/2FA Tokens].

* Your IP is within the IP range of your university. Either you are working on a computer on your campus or you are connected via a virtual private network (VPN) to your university.
** If you have an external IP (i.e. home office) and you are not connected via VPN to your university, you can not connect to JUSTUS 2. Please consult the documentation of your university how to connect to your university via VPN.

== Login to JUSTUS 2 ==

When all prerequisites are fulfilled you can access the bwForCluster JUSTUS 2 for Computational Chemistry and Quantum Sciences via [[ssh]]. Only the secure shell ssh is allowed for login.

From Linux machines, you can log in using

ssh <UserID>@justus2.uni-ulm.de

During log in you must enter the current TOTP value (6-digit number) created with help of the TOTP app on your smartphone and your service password.

To run graphical applications, you can use the -X flag to openssh:

ssh -X <UserID>@justus2.uni-ulm.de

For better performance on slow connections you should use e.g. [[VNC]].

The bwForCluster Chemistry in Ulm has four dedicated login nodes. The selection of the login node is done automatically. If you are logging in multiple times, different sessions might run
on different login nodes.

The names of the four login nodes are justus2-login01.rz.uni-ulm.de, justus2-login02.rz.uni-ulm.de, justus2-login03.rz.uni-ulm.de, justus2-login04.rz.uni-ulm.de.

These names can be used to access a specific one of the login nodes. In general, you should use justus2.uni-ulm.de to allow us to balance the load over the four login nodes.

== About UserID / Username ==

<UserID> of the ssh command is a placeholder for your username at your home
organization and a prefix denoting your organization. Prefixes and resulting user names are as follows:

{| style="border:3px solid darkgray; margin: 5em auto 5em auto;" width="60%"
|-
!scope="row" {{Darkgray}} | Site
!scope="row" {{Darkgray}}| Prefix
!scope="row" {{Darkgray}}| Username
|-
| Freiburg
| fr
| fr_username
|-
|Heidelberg
|hd
|hd_username
|-
|Hohenheim
|ho
|ho_username
|-
|Karlsruhe
|ka
|ka_username
|-
|Konstanz
|kn
|kn_username
|-
|Mannheim
|ma
|ma_username
|-
|Stuttgart
|st
|st_username
|-
|Tübingen
|tu
|tu_username
|-
|Ulm
|ul
|ul_username
|}

== Allowed activities on login nodes ==

The login nodes are the access point to the compute system and its $HOME directory. The login nodes are shared with all the users of the cluster. Therefore, your activities on the login nodes are limited to primarily set up your batch jobs. Your activities may also be:
* compilation of your program code and
* short pre- and postprocessing of your batch jobs.

To guarantee usability for all users of the bwForCluster you must not run your compute jobs on the login nodes. Compute jobs must be submitted as
[[BwForCluster_JUSTUS_2_Slurm_HOWTO|Batch Jobs]]. Any compute job running on the login nodes will be terminated without any notice.

= Further reading =

* Scientific software is made accessible using the [[Environment Modules]] system

* Compute jobs must be submitted as [[BwForCluster_JUSTUS_2_Slurm_HOWTO|Batch Jobs]]

* Jobs needing disk space will need to request it in their job script. See [[BwForCluster_JUSTUS_2_Slurm_HOWTO#How_to_request_local_scratch_.28SSD.2FNVMe.29_at_job_submission.3F|Batch Jobs - request local scratch]]

* What hardware is available is described in [https://wiki.bwhpc.de/e/Hardware_and_Architecture_(bwForCluster_JUSTUS_2) Hardware and Architecture of bwForCluster JUSTUS 2]

----
[[Category:BwForCluster_JUSTUS_2]][[Category:Access]]

JUSTUS2/Login

2022-02-10T22:41:14Z

C Mosch: /* Prerequisites for login */

= Login to JUSTUS 2 =

== Prerequisites for login ==

* You have registered your account at the registration server for JUSTUS 2.
** If this is still missing, then please log in to the [https://wiki.bwhpc.de/e/Registration/bwForCluster/JUSTUS2 registration server of JUSTUS2] and click on "Register" in section "JUSTUS 2".

* You have set a service password for JUSTUS 2.
** If you have not done so already, then please log in to the [https://wiki.bwhpc.de/e/Registration/Password registration server of JUSTUS2] and select "Set Password" in section "JUSTUS 2".

* You have set up a time-based one-time password (TOTP) for the two factor authentication (2FA) log in.
** If this is still missing, then please follow the instructions for registering a new 2FA token on the following page: [https://wiki.bwhpc.de/e/Registration/2FA BwForCluster User Access/2FA Tokens].

* Your IP is within the IP range of your university. Either you are working on a computer on your campus or you are connected via a virtual private network (VPN) to your university.
** If you have an external IP (i.e. home office) and you are not connected via VPN to your university, you can not connect to JUSTUS 2. Please consult the documentation of your university how to connect to your university via VPN.

== Login to JUSTUS 2 ==

When all prerequisites are fulfilled you can access the bwForCluster JUSTUS 2 for Computational Chemistry and Quantum Sciences via [[ssh]]. Only the secure shell ssh is allowed for login.

From Linux machines, you can log in using

ssh <UserID>@justus2.uni-ulm.de

During log in you must enter the current TOTP value (6-digit number) created with help of the TOTP app on your smartphone and your service password.

To run graphical applications, you can use the -X flag to openssh:

ssh -X <UserID>@justus2.uni-ulm.de

For better performance on slow connections you should use e.g. [[VNC]].

The bwForCluster Chemistry in Ulm has four dedicated login nodes. The selection of the login node is done automatically. If you are logging in multiple times, different sessions might run
on different login nodes.

The names of the four login nodes are justus2-login01.rz.uni-ulm.de, justus2-login02.rz.uni-ulm.de, justus2-login03.rz.uni-ulm.de, justus2-login04.rz.uni-ulm.de.

These names can be used to access a specific one of the login nodes. In general, you should use justus2.uni-ulm.de to allow us to balance the load over the four login nodes.

== About UserID / Username ==

<UserID> of the ssh command is a placeholder for your username at your home
organization and a prefix denoting your organization. Prefixes and resulting user names are as follows:

{| style="border:3px solid darkgray; margin: 5em auto 5em auto;" width="60%"
|-
!scope="row" {{Darkgray}} | Site
!scope="row" {{Darkgray}}| Prefix
!scope="row" {{Darkgray}}| Username
|-
| Freiburg
| fr
| fr_username
|-
|Heidelberg
|hd
|hd_username
|-
|Hohenheim
|ho
|ho_username
|-
|Karlsruhe
|ka
|ka_username
|-
|Konstanz
|kn
|kn_username
|-
|Mannheim
|ma
|ma_username
|-
|Stuttgart
|st
|st_username
|-
|Tübingen
|tu
|tu_username
|-
|Ulm
|ul
|ul_username
|}

== Allowed activities on login nodes ==

The login nodes are the access point to the compute system and its $HOME directory. The login nodes are shared with all the users of the cluster. Therefore, your activities on the login nodes are limited to primarily set up your batch jobs. Your activities may also be:
* compilation of your program code and
* short pre- and postprocessing of your batch jobs.

To guarantee usability for all users of the bwForCluster you must not run your compute jobs on the login nodes. Compute jobs must be submitted as
[[BwForCluster_JUSTUS_2_Slurm_HOWTO|Batch Jobs]]. Any compute job running on the login nodes will be terminated without any notice.

= Further reading =

* Scientific software is made accessible using the [[Environment Modules]] system

* Compute jobs must be submitted as [[BwForCluster_JUSTUS_2_Slurm_HOWTO|Batch Jobs]]

* Jobs needing disk space will need to request it in their job script. See [[BwForCluster_JUSTUS_2_Slurm_HOWTO#How_to_request_local_scratch_.28SSD.2FNVMe.29_at_job_submission.3F|Batch Jobs - request local scratch]]

* What hardware is available is described in [[Hardware and Architecture (bwForCluster JUSTUS 2]]

----
[[Category:BwForCluster_JUSTUS_2]][[Category:Access]]

JUSTUS2/Login

2022-02-10T22:39:39Z

C Mosch: /* Prerequisites for login */

= Login to JUSTUS 2 =

== Prerequisites for login ==

* You have registered your account at the registration server for JUSTUS 2.
** If this is still missing, then please log in to the [https://wiki.bwhpc.de/e/Registration/bwForCluster/JUSTUS2 registration server of JUSTUS2] and click on "Register" in section "JUSTUS 2".

* You have set a service password for JUSTUS 2.
** If you have not done so already, then please log in to the [https://wiki.bwhpc.de/e/Registration/Password registration server of JUSTUS2] and select "Set Password" in section "JUSTUS 2".

* You have set up a time-based one-time password (TOTP) for the two factor authentication (2FA) log in.
** If this is still missing, then please follow the instructions for registering a new 2FA token on the following page: [[BwForCluster User Access/2FA Tokens]].

* Your IP is within the IP range of your university. Either you are working on a computer on your campus or you are connected via a virtual private network (VPN) to your university.
** If you have an external IP (i.e. home office) and you are not connected via VPN to your university, you can not connect to JUSTUS 2. Please consult the documentation of your university how to connect to your university via VPN.

== Login to JUSTUS 2 ==

When all prerequisites are fulfilled you can access the bwForCluster JUSTUS 2 for Computational Chemistry and Quantum Sciences via [[ssh]]. Only the secure shell ssh is allowed for login.

From Linux machines, you can log in using

ssh <UserID>@justus2.uni-ulm.de

During log in you must enter the current TOTP value (6-digit number) created with help of the TOTP app on your smartphone and your service password.

To run graphical applications, you can use the -X flag to openssh:

ssh -X <UserID>@justus2.uni-ulm.de

For better performance on slow connections you should use e.g. [[VNC]].

The bwForCluster Chemistry in Ulm has four dedicated login nodes. The selection of the login node is done automatically. If you are logging in multiple times, different sessions might run
on different login nodes.

The names of the four login nodes are justus2-login01.rz.uni-ulm.de, justus2-login02.rz.uni-ulm.de, justus2-login03.rz.uni-ulm.de, justus2-login04.rz.uni-ulm.de.

These names can be used to access a specific one of the login nodes. In general, you should use justus2.uni-ulm.de to allow us to balance the load over the four login nodes.

== About UserID / Username ==

<UserID> of the ssh command is a placeholder for your username at your home
organization and a prefix denoting your organization. Prefixes and resulting user names are as follows:

{| style="border:3px solid darkgray; margin: 5em auto 5em auto;" width="60%"
|-
!scope="row" {{Darkgray}} | Site
!scope="row" {{Darkgray}}| Prefix
!scope="row" {{Darkgray}}| Username
|-
| Freiburg
| fr
| fr_username
|-
|Heidelberg
|hd
|hd_username
|-
|Hohenheim
|ho
|ho_username
|-
|Karlsruhe
|ka
|ka_username
|-
|Konstanz
|kn
|kn_username
|-
|Mannheim
|ma
|ma_username
|-
|Stuttgart
|st
|st_username
|-
|Tübingen
|tu
|tu_username
|-
|Ulm
|ul
|ul_username
|}

== Allowed activities on login nodes ==

The login nodes are the access point to the compute system and its $HOME directory. The login nodes are shared with all the users of the cluster. Therefore, your activities on the login nodes are limited to primarily set up your batch jobs. Your activities may also be:
* compilation of your program code and
* short pre- and postprocessing of your batch jobs.

To guarantee usability for all users of the bwForCluster you must not run your compute jobs on the login nodes. Compute jobs must be submitted as
[[BwForCluster_JUSTUS_2_Slurm_HOWTO|Batch Jobs]]. Any compute job running on the login nodes will be terminated without any notice.

= Further reading =

* Scientific software is made accessible using the [[Environment Modules]] system

* Compute jobs must be submitted as [[BwForCluster_JUSTUS_2_Slurm_HOWTO|Batch Jobs]]

* Jobs needing disk space will need to request it in their job script. See [[BwForCluster_JUSTUS_2_Slurm_HOWTO#How_to_request_local_scratch_.28SSD.2FNVMe.29_at_job_submission.3F|Batch Jobs - request local scratch]]

* What hardware is available is described in [[Hardware and Architecture (bwForCluster JUSTUS 2]]

----
[[Category:BwForCluster_JUSTUS_2]][[Category:Access]]

JUSTUS2/Login

2022-02-10T22:37:48Z

C Mosch: /* Prerequisites for login */

= Login to JUSTUS 2 =

== Prerequisites for login ==

* You have registered your account at the registration server for JUSTUS 2.
** If this is still missing, then please log in to the [https://wiki.bwhpc.de/e/Registration/bwForCluster/JUSTUS2 registration server of JUSTUS2] and click on "Register" in section "JUSTUS 2".

* You have set a service password for JUSTUS 2.
** If you have not done so already, then please log in to the [https://wiki.bwhpc.de/e/BwForCluster_User_Access#Personal_registration_at_a_bwForCluster_-_account_creation registration server of JUSTUS2] and select "Set Password" in section "JUSTUS 2".

* You have set up a time-based one-time password (TOTP) for the two factor authentication (2FA) log in.
** If this is still missing, then please follow the instructions for registering a new 2FA token on the following page: [[BwForCluster User Access/2FA Tokens]].

* Your IP is within the IP range of your university. Either you are working on a computer on your campus or you are connected via a virtual private network (VPN) to your university.
** If you have an external IP (i.e. home office) and you are not connected via VPN to your university, you can not connect to JUSTUS 2. Please consult the documentation of your university how to connect to your university via VPN.

== Login to JUSTUS 2 ==

When all prerequisites are fulfilled you can access the bwForCluster JUSTUS 2 for Computational Chemistry and Quantum Sciences via [[ssh]]. Only the secure shell ssh is allowed for login.

From Linux machines, you can log in using

ssh <UserID>@justus2.uni-ulm.de

During log in you must enter the current TOTP value (6-digit number) created with help of the TOTP app on your smartphone and your service password.

To run graphical applications, you can use the -X flag to openssh:

ssh -X <UserID>@justus2.uni-ulm.de

For better performance on slow connections you should use e.g. [[VNC]].

The bwForCluster Chemistry in Ulm has four dedicated login nodes. The selection of the login node is done automatically. If you are logging in multiple times, different sessions might run
on different login nodes.

The names of the four login nodes are justus2-login01.rz.uni-ulm.de, justus2-login02.rz.uni-ulm.de, justus2-login03.rz.uni-ulm.de, justus2-login04.rz.uni-ulm.de.

These names can be used to access a specific one of the login nodes. In general, you should use justus2.uni-ulm.de to allow us to balance the load over the four login nodes.

== About UserID / Username ==

<UserID> of the ssh command is a placeholder for your username at your home
organization and a prefix denoting your organization. Prefixes and resulting user names are as follows:

{| style="border:3px solid darkgray; margin: 5em auto 5em auto;" width="60%"
|-
!scope="row" {{Darkgray}} | Site
!scope="row" {{Darkgray}}| Prefix
!scope="row" {{Darkgray}}| Username
|-
| Freiburg
| fr
| fr_username
|-
|Heidelberg
|hd
|hd_username
|-
|Hohenheim
|ho
|ho_username
|-
|Karlsruhe
|ka
|ka_username
|-
|Konstanz
|kn
|kn_username
|-
|Mannheim
|ma
|ma_username
|-
|Stuttgart
|st
|st_username
|-
|Tübingen
|tu
|tu_username
|-
|Ulm
|ul
|ul_username
|}

== Allowed activities on login nodes ==

The login nodes are the access point to the compute system and its $HOME directory. The login nodes are shared with all the users of the cluster. Therefore, your activities on the login nodes are limited to primarily set up your batch jobs. Your activities may also be:
* compilation of your program code and
* short pre- and postprocessing of your batch jobs.

To guarantee usability for all users of the bwForCluster you must not run your compute jobs on the login nodes. Compute jobs must be submitted as
[[BwForCluster_JUSTUS_2_Slurm_HOWTO|Batch Jobs]]. Any compute job running on the login nodes will be terminated without any notice.

= Further reading =

* Scientific software is made accessible using the [[Environment Modules]] system

* Compute jobs must be submitted as [[BwForCluster_JUSTUS_2_Slurm_HOWTO|Batch Jobs]]

* Jobs needing disk space will need to request it in their job script. See [[BwForCluster_JUSTUS_2_Slurm_HOWTO#How_to_request_local_scratch_.28SSD.2FNVMe.29_at_job_submission.3F|Batch Jobs - request local scratch]]

* What hardware is available is described in [[Hardware and Architecture (bwForCluster JUSTUS 2]]

----
[[Category:BwForCluster_JUSTUS_2]][[Category:Access]]