ACNET Console User's Guide

Authorized users of the ACNET console system can run an ACNET Console Instance and have it display on any workstation which supports the X Window protocol. This includes Linux and Unix workstations, PC's with X server software (such as Exceed, WRQ Reflection, or XMing), and Macs.

Accounts

Controls Firewall and Gateway

The ACNET control system is located behind a firewall. Kerberos authentication is required to access control system computers from outside the firewall. Two kerberized systems called OUTLAND.FNAL.GOV and OUTBACK.FNAL.GOV have been set up as gateway nodes. It is necessary to login to OUTLAND or OUTBACK in order to login to nodes inside the firewall. When users request a console account, they are also given accounts on outland and outback.

Starting an ACNET Console -- Windows with Exceed

Most Accelerator Division PC's have Hummingbird Exceed, MIT Kerberos for Windows, and the Exceed Customizations for ACNET Users installed. This allows a user to start an ACNET console by clicking on an icon.

Exceed Customizations for ACNET Users

The Exceed Customizations for ACNET Users is a series of additions and configuration changes to Exceed which make running an ACNET console and developing ACNET programs eaiser. The modifications include:

• Start Menu and Desktop shortcuts for starting an ACNET console.
• Start Menu shortcuts for starting terminal windows and editors used for ACNET program development.
• Support for ACNET help to use the Windows default web browser.
• Enable xhost.txt and MIT-Magic-Cookie security.
• A Kerberized version of the PuTTY SSH client.
• Start Menu shortcut to start the Controls Web Proxy.

New versions of the Exceed Customizations are released from time to time in order to fix bugs, add new features, or to track changes in the control system and other software. (Release Notes here) The latest version can be installed as follows:

For Windows 2000 or Windows XP, you need to be either an Administrator or a Power User. Download and execute exceed-custom2_2_10.exe

For Windows Vista, you need Administrator privileges. Download and execute exceed-custom2_2_10-vista.exe.

To start an ACNET console, do one of the following:

• Double-click the "ACNET CnsRun" desktop icon.
• Select the "Cnsrun" item from the "Acnet" Start Menu.
• Select the "Cnsrun VIASSH" item from the "Acnet" Start Menu.

To stop the console:

• Click on "*Shutdown Console*" in the console Utilities window.

Network Identity Manager "Gotcha"

Newer PC images in the Accelerator Division use Network Identity Manager to get the Kerberos tickets needed to run an ACNET console. Network Identity Manager can deal with both standard Kerberos tickets (FNAL.GOV realm) and Windows tickets (FERMI.WIN.FNAL.GOV realm). Only the FNAL.GOV tickets are useful for running a console. Unfortunately Network Identify Manager defaults to using FERMI.WIN.FNAL.GOV tickets. If an attempt is made to start a console with tickets in the Windows realm, the console does not start and the error messages are not very informative.

To fix this problem, install the latest version of of the Exceed Customizations for ACNET Users as described above. V2.2.1 and higher automatically deal with the Network Identity Manager problems.

Running an ACNET Console at home

There are a few issues which can come up when running an ACNET console at home. If you have a home router, it will block outside connections to your PC's X server. It will also prevent the kerberized telnet protocol from forwarding your Kerberos ticket to outland or outback.

The easiest way to run a console behind a home router is to use the "CnsRun VIASSH" and "Linux PuTTY" items in the Start->Programs->Acnet menu. These will use the ssh protocol, which is able to forward your Kerberos ticket and tunnel your X connection through your router. If you don't have "CnsRun VIASSH" in your Acnet menu, install the latest Exceed Customizations as described above.

Home users can use the Controls Web Proxy to access Fermilab web pages which are restriced to on-site access and web servers which are inside the controls firewall.

Another way around home router problems is to use the Fermilab VPN. The VPN will also allow you to access restricted Fermilab web pages as if you are at the lab.

Starting an ACNET Console -- Other Platforms

Quick Guides

• WRQ Reflection X on Microsoft Windows
• Mac OS X

General Principles

X Security

Since Fermilab security policy does not permit open X servers, you need some way of authorizing the Acnet console host nodes to open windows on your display. The easiest way to accomplish this is to tunnel your X connection using SSH.

Another way to handle X security is to add all the Acnet console hosts, to your X server's authorized xhost list. WRQ Reflection X users would edit their xhosts.txt file. Mac and Linux users would use the xhost utility.

Getting Past The Firewall

First you need to login to outland.fnal.gov or outback.fnal.gov, the firewall gateway nodes, such that you have a forwardable Kerberos ticket there. You can login using: Kerberized ssh, Kerberized telnet, Kerberized rsh. or ssh or telnet with cryptocard. ssh has the advantage that it can forward your X connection. You can check that your Kerberos ticket has been forwared to the gateway node by doing "klist -f"

The Launch Command

Once you are logged into outland or outback, you can use the launch command to start a console or other program on a Linux or VAX node. The launch script does several things for the user:

• Assigns a console instance/node (host=auto)
• Determines a user's X-display address (FROM_IP). This works with DHCP, NAT, VPN, wireless, and multiple NICs.
• Sets a user's DISPLAY variable and xauth MIT-MAGIC-COOKIE on the target Linux node
• Runs a command on the appropriate node.

The general form of the launch command is:

launch host display command

host can be:

• auto -> Your assigned console instance's Linux node
• clxNN -> A specific Linux node
• cnsNN -> A specific VMS node

display can be:

• A normal DISPLAY designation such as mynode.fnal.gov:0
• "FROM_IP" This is the IP address from which you connected to outland/outback. This works even if you do not know your workstation's address. It works with DHCP, VPN, NAT, wireless, or multiple NICs.
• "VIASSH" Use ssh X forwarding for the X display. Outland or outback will use ssh with X forwarding to contact the target node.

Some useful launch commands are:

• launch auto VIASSH cnsrun # Starts an ACNET console using ssh X forwarding for the X display.
• launch auto VIASSH # Starts an interactive ssh session on the user's assigned node. The X display is forwarded.
• launch auto FROM_IP:0 cnsrun # Starts an ACNET console.
• launch auto FROM_IP:0 cnsrun mwm # Starts an ACNET console and the Motif Window Manager.
• launch auto FROM_IP:0 'xterm >/dev/null 2>&1 &' # Starts a Linux xterm on the user's assigned node.

To stop the console:

• Click on "*Shutdown Console*" in the console Utilities window.

X Server considerations

Your X server should be configured to allow BackingStore. The ACNET graphics windows rely on it for repainting exposed windows.

ACNET consoles use several custom fonts. Accelerator Division Exceed users have these fonts installed on their PC's. For other users, ACNET adds a font server to the X server's font path in order to access these fonts. If the X server is configured to prohibit this, ACNET makes do with the available fonts, resulting in missing and substituted special characters.

More Documentation

• File Transfer to/from CLX disks
• ACNET Keyboard Labels
• ELog AutoCopy
• Frequently Asked Questions
• Exceed Customizations

Last updated 04-Mar-2008 by Jim Smedinghoff