Data transfer on the Secure Enclave is performed with the Globus data transfer service. The data transfer command and control mechanism uses the Globus cloud-based service to communicate with Globus endpoints (also called collections) to provide authentication and access control, get file listings, manage files (delete, rename, etc.), and transfer files between endpoints. Globus is essentially a high-performance FTP. Traditional file transfer tools such as SFTP or other utilities are not the preferred, approved, and documented way of transferring files and should not be used on the Secure Enclave. Please be aware that all data transfer operations should be done on the Secure Enclave Data Transfer Nodes (DTN). There are two: one for the Secure Enclave VMs and one for the HPC cluster.
The Globus endpoint names are “UTK Secure Enclave” for the VM side and “SIP ENCLAVE STORAGE” for the HPC cluster side.
GridFTP is a protocol defined by Global Grid Forum Recommendation GFD.020 and the following IETF standards (in RFC documents): RFC 959 (FTP), RFC 2228 (FTP security extensions), RFC 2389 (feature negotiation), RFC 3659 (Extensions), and RFC 4217 (TLS). Key features include:
To use Globus, access the Globus website and open the File Manager from the left side of the interface.
Staff will be providing a Using Globus video which will show a user how to access and use Globus with the Secure Enclave. A short video is a better tool to explain how to use Globus than text-based documentation. Until this video is available, please contact the OIT Help Desk (see https://help.utk.edu) to request a short Secure Enclave Globus training session via Zoom videoconferencing.
It is important to note that Globus data transfers to and from outside the University network will only work if you are connected to the UTK VPN. If you are not connected and you initiate a transfer sending data to the Secure Enclave, Globus will create the file and the transfer will look successful, but the file will be empty and have a size of 0. This is because access for the command protocol to the Globus cloud is open, but connections to the Globus endpoint file transfer ports are only allowed from approved external endpoints and from endpoints with University IP addresses, including the VPN. Avoid empty files from file transfers by connecting to the VPN before you use Globus to transfer a file. To learn how to set up and configure the VPN on your device, please review OIT’s VPN User Guide. Transfers to or from approved external Globus endpoints and/or the Open Enclave endpoints do not require the use of the VPN.
For data that is not stored in encrypted space on the SIP, transfer it normally. The directories do not need to be mounted or decrypted. This applies to your NFS home directory and your personal Lustre project space. For more information on these directories, please review the File Systems document.
For data that is stored in encrypted space on the SIP, additional steps are necessary to initiate transfers to and from these spaces. These steps are outlined below.
sipmount command on the Secure Enclave DTN. Figure 4.2 shows how to use this command. When you execute it, you must provide your NetID password and authenticate with Duo TFA. Replace the <project-name> argument with your project identifier, such as UTK-9999. You can determine the name of the projects to which you belong in the User Portal. More information is available in the Navigating the User Portal document.
After you complete your data transfers, you may unmount the encrypted space on the SIP. Use the sipunmount command to unmount this space. Its syntax and usage are the same as those of the sipmount command. If you do not unmount the encrypted space, it will automatically be unmounted after fifteen minutes. For more information, please refer to the File Systems document.
Data transfer from the Secure Enclave to external non-UT Globus endpoints is only allowed after authorization. These external endpoints must be authorized before they can be used. If you have an external Globus endpoint that you would like to be allowed to transfer data to/from the Secure Enclave, please submit a service request to the OIT Help Desk for the HPSC service with the request details (hostname, IP address, external Globus administrator contact, and external organization security contact).
Globus can manage transfers of collections of files within subdirectories automatically. You may want to try this capability by asking Globus to transfer an entire directory as a test to get familiar with it, then use it to transfer large data collections or large numbers of files on the Secure Enclave file systems.
Before you initiate data transfers to or from the Secure Enclave endpoints, consider preparing the data you wish to transfer by aggregating multiple files with tar and compressing them. When you aggregate data, several files and directories can be added to the same file. When you compress data, you reduce its total size. Both methods reduce the total amount of data that must be sent across the network and make it easier for you to organize the data you wish to transfer. At the time of this writing, the tar and zip utilities are the best methods for data archiving and compression for Secure Enclave users across Linux, macOS, and Windows.
When you prepare your data, please avoid using a login node. Instead, use the SIP’s DTN (data transfer node). Figure 1.1 in the Introduction shows how to access the DTN.
The tar (tape archiver) utility uses simple command syntax and allows large amounts of data to be aggregated into the same archive. Linux, MacOS, and updated Windows 10 systems can use tar. Older Windows systems will be limited to the zip utility.
To create a tar archive, execute tar czvf <archive-name> <dir-to-archive>. Replace the <archive-name> argument with the name of the new archive. Be sure to follow the name with the .tar.gz extension, as in my_archive.tar.gz. Replace the <dir-to-archive> argument with the directory you wish to place within the archive. If the directory you intend to archive is not within your working directory, specify the relative or absolute path to it. By default, tar will recursively place the directory and its contents into the new archive. Figure 2.1 shows the successful creation of a tar archive.
[user@sip-dtn1 ~]$ tar czvf new_archive.tar.gz Documents
Documents/
Documents/IntroUnix.pdf
Documents/JobSubData.zip
Documents/MATLAB/
Documents/Scripts.zip
Documents/PyLists.py
After the archive is created, execute ls -l to verify that the archive exists. You can view its contents with the tar tvf <archive-name> command. You may then transfer the archive using Globus. Please refer to the Configuring Globus section to learn how to configure it for your system.
On the remote system, execute tar xvf <archive-name> to extract the contents of the archive. The files will be extracted into your working directory.
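The following is an added example, not part of OIT's documentation or tooling. It shows one way to catch the zero-byte result described above for transfers started without the VPN, and to confirm that a tar archive arrived intact before extracting it. The function names and the .sha256 sidecar file are assumptions of this example; it assumes tar and sha256sum are available on both systems.

```bash
# Added example; function names and the ".sha256" sidecar file are assumptions,
# not OIT tooling. Requires tar and sha256sum (GNU coreutils).

# Sender (on the DTN): archive <dir> and record the archive's SHA-256 beside it.
# usage: pack_for_transfer <archive.tar.gz> <dir-to-archive>
pack_for_transfer() {
    # -C stores member names relative to the directory's parent (no absolute paths).
    tar czf "$1" -C "$(dirname "$2")" "$(basename "$2")" || return 1
    # The checksum file lists only the base name, so it verifies from any directory.
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Receiver: decide whether a transferred archive is safe to extract.
# Returns 0 = ok, 2 = empty file, 3 = checksum failure, 4 = unsafe member path.
verify_received() {
    # A transfer started without the VPN leaves a 0-byte file that looks successful.
    [ -s "$1" ] || { echo "$1: empty, transfer did not complete" >&2; return 2; }
    # Compare against the checksum recorded before the transfer.
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 ) \
        || { echo "$1: checksum missing or mismatched" >&2; return 3; }
    # List members (as "tar tvf" would) and reject absolute or ".." paths.
    if tar tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "$1: member path escapes the extraction directory" >&2; return 4
    fi
}

# usage: extract_verified <archive.tar.gz> <dest-dir>
extract_verified() {
    verify_received "$1" || return $?
    mkdir -p "$2" && tar xzf "$1" -C "$2"
}
```

Transfer both the archive and its .sha256 file with Globus, then run extract_verified on the receiving system.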
On older Windows systems, the zip utility should be used to archive and compress your data on the SIP.
To create a zip archive on the SIP, execute zip -r <archive-name>.zip <dir-to-archive>. Be sure that the directory you wish to archive is in your working directory. Otherwise, specify the relative or absolute path to the directory you wish to archive. Replace the <archive-name> argument with the name of the new zip archive. You may or may not include the .zip file extension to the archive’s name; if you do not, the zip utility will add it automatically. Replace the <dir-to-archive> argument with the directory you wish to place in the zip archive. The -r option ensures that the directory and its contents are archived and compressed. Figure 2.2 shows the successful creation of a zip archive.
[user@sip-dtn1 ~]$ zip -r Documents Documents
adding: Documents/ (stored 0%)
adding: Documents/IntroUnix.pdf (deflated 4%)
adding: Documents/MATLAB/ (stored 0%)
adding: Documents/PyLists.py (deflated 61%)
After the zip archive has been created, execute ls -l in the directory from which you created it to ensure the archive exists. It will appear with the name you gave to the archive followed by the .zip extension.
With the zip archive created and verified, transfer it to your system using Globus. Please refer to the Configuring Globus section to learn how to use it on your system. Once you transfer the zip archive to your system, open the File Explorer and navigate to the directory in which you placed the archive. Right-click on the archive and select the “Extract All…” option in the submenu. Figure 2.3 shows where to locate this option. Specify the directory in which the contents should be extracted, then select “Extract.” You may then open the archive and peruse its contents.