Authorized users of the ACNET console system can run an ACNET Console Instance and have it display on any workstation which supports the X Window protocol. This includes Linux and Unix workstations, PC's with X server software (such as Exceed, WRQ Reflection, or XMing), and Macs.
The ACNET control system is located behind a firewall. Kerberos authentication is required to access control system computers from outside the firewall. Two kerberized systems called OUTLAND.FNAL.GOV and OUTBACK.FNAL.GOV have been set up as gateway nodes. It is necessary to login to OUTLAND or OUTBACK in order to login to nodes inside the firewall. When users request a console account, they are also given accounts on outland and outback.
Most Accelerator Division PC's have Open Text Exceed, MIT Kerberos for Windows, and the Exceed Customizations for ACNET Users installed. This allows a user to start an ACNET console by clicking on an icon.
The Exceed Customizations for ACNET Users is a series of additions and configuration changes to Exceed which make running an ACNET console and developing ACNET programs eaiser. The modifications include:
New versions of the Exceed Customizations are released from time to time in order to fix bugs, add new features, or to track changes in the control system and other software. (Release Notes here) The latest version can be installed as follows:
For Windows Vista or Windows 7, you need Administrator privileges. Download and execute exceed-custom2_2_30.exe
To start an ACNET console, do one of the following:
To stop the console:
There are a few issues which can come up when running an ACNET console at home. If you have a home router, it will block outside connections to your PC's X server.
The easiest way to run a console behind a home router is to use the "CnsRun VIASSH" and "clx PuTTY" items in the Start->Programs->Acnet menu. These will use the ssh protocol, which is able to tunnel your X connection through your router. If you don't have "CnsRun VIASSH" in your Acnet menu, install the latest Exceed Customizations as described above.
Home users can use the Controls Web Proxy to access Fermilab web pages which are restriced to on-site access and web servers which are inside the controls firewall.
Another way around home router problems is to use the Fermilab VPN. The VPN will also allow you to access restricted Fermilab web pages as if you are at the lab.
Since Fermilab security policy does not permit open X servers, you need some way of authorizing the Acnet console host nodes to open windows on your X display. The easiest way to accomplish this is to tunnel your X connection using SSH. You can also specify the MIT-Magic-Cookie value needed to access your X display in the launch command (described below). Use the xauth command to list your cookie value.
Another way to handle X security is to add all the Acnet console hosts, to your X server's authorized xhost list. WRQ Reflection X users would edit their xhosts.txt file. Mac and Linux users would use the xhost utility.
First you need to login to outland.fnal.gov or outback.fnal.gov, the firewall gateway nodes, such that you have a forwardable Kerberos ticket there. You can login using: Kerberized ssh, Kerberized telnet, Kerberized rsh. or telnet with cryptocard. ssh has the advantage that it can forward your X connection. You can check that your Kerberos ticket has been forwarded to the gateway node by doing "klist -f"
Once you are logged into outland or outback, you can use the launch command to start a console or other program on a Linux node. The launch script does several things for the user:
The general form of the launch command is:
launch host display[:cookie] command
host can be:
display can be:
cookie is the MIT-Magic-Cookie used to get permission to access the X display.
Some useful launch commands are:
To stop the ACNET console:
Your X server should be configured to allow BackingStore. The ACNET graphics windows rely on it for repainting exposed windows.
ACNET consoles use several custom fonts. Accelerator Division Exceed users have these fonts installed on their PC's. For other users, ACNET adds a font server to the X server's font path in order to access these fonts. If the X server is configured to prohibit this, ACNET makes do with the available fonts, resulting in missing and substituted special characters.
Last updated 06-Sep-2011 by Jim Smedinghoff