Depending on the agreement between CNAF and experiments, data transfers can be performed with or without Storage Resource Manager (SRM), which at Tier-1 is StoRM. SRM is typically used when the experiment maintains a Virtual Organization (VO).

Other protocols commonly used at INFN-Tier-1 are POSIX, GridFTP, XrootD and WebDAV/HTTP.

Data transfers without SRM

To transfer a file without SRM, globus-url-copy is commonly used. It is a command-line program for file transfers that implements several protocols, including gridFTP, an extension of FTP for file transfers. It supports parallel transfer streams and third-party copy.

A personal certificate is required in order to use gridFTP. Also, the user DN has to be enabled on the gridFTP server by the sysadmin. The DN can be obtained from the certificate using the command:

openssl x509 -noout -in $HOME/.globus/usercert.pem -subject

Then, it should be communicated to the User Support team in order to be enabled.

Before performing the actual file transfer, it is necessary to generate a proxy with the command:


By default, the proxy lasts 12 hours. To extend the proxy lifetime, the following options can be used:

-valid HOURS:MINUTES
-hours HOURS

For example:

-bash-4.2$ grid-proxy-init -hours 48
Your identity: /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina
Enter GRID pass phrase for this identity:
Creating proxy ...................................... Done
Your proxy is valid until: Sun Aug 2 17:47:32 2020

After that, we can perform the transfers. This depends on the permissions and the access control list on the filesystem.
To write:

globus-url-copy <local_path>/file gsi<remote_path>/file

To read, i.e. to get a local copy:

globus-url-copy gsi<remote_path>/file local_copy

The <remote_path> (something like: /storage/gpfs_data/experiment) will be communicated to the user by the User Support team.
Also, the globus-url-copy command allows a third-party copy of a file, without getting a local copy on your own device.
This works with a simple concatenation of read and write:

globus-url-copy gsi<source_remote_path>/file gsi<destination_remote_path>/new_file

The full list of the additional options is available using:

man globus-url-copy

Some useful options:

You can also use the gfal tools, which are explained in the following paragraphs, for example to list the files of a directory or remove a file, respectively:

Data transfers with SRM

All the SRM specifications are available here [13].

In this case, a voms-proxy is needed (see the previous sections for details on proxy generation).

-bash-4.2$ voms-proxy-init --voms virgo:/virgo/virgo
Enter GRID pass phrase for this identity:
Contacting [/DC=org/DC=terena/DC=tcs/C=IT/L=Frascati/O=Istituto Nazionale di Fisica Nucleare/] "virgo"...
Remote VOMS server contacted succesfully.

Created proxy in /tmp/x509up_u10162.

Your proxy is valid until Tue Aug 18 22:45:07 CEST 2020
-bash-4.2$ voms-proxy-info --all
subject : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina
issuer : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina
identity : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina
type : RFC3820 compliant impersonation proxy
strength : 1024
path : /tmp/x509up_u10162
timeleft : 11:57:53
key usage : Digital Signature, Key Encipherment
=== VO virgo extension information ===
VO : virgo
subject : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina
issuer : /DC=org/DC=terena/DC=tcs/C=IT/L=Frascati/O=Istituto Nazionale di Fisica Nucleare/
attribute : /virgo/virgo/Role=NULL/Capability=NULL
attribute : /virgo/Role=NULL/Capability=NULL
timeleft : 11:57:53
uri :

In contrast to the gridFTP protocol, we have to contact a StoRM frontend on port 8444. The frontend then passes the request to a backend [14].

The Virtual Organizations use dedicated StoRM endpoints for data management and data transfer:






For example, AMS uses storm-fe-ams for the disk area (/storage/gpfs_ams), but storm-archive to write to the tape buffer (/storage/gpfs_archive/ams).

Also, the path to read or write is not the real path on the filesystem; instead, all the experiments use a single access path to the storage area.

We now consider two tools for the SRM protocol: Gfal and ClientSRM.

Gfal utils

Documentation is available here [15]. However, the user can get the full list using the command man gfal-copy.

Most used commands are:

These are the steps to install Gfal assuming the machine is CentOS7:

  1. Enable epel repo:
    curl >/tmp/epel-release-latest-7.noarch.rpm
    sudo rpm -ivh /tmp/epel-release-latest-7.noarch.rpm
  2. Enable egi repo:
    echo -e '[EGI-trustanchors]\nname=EGI-trustanchors\nbaseurl=' | sudo tee /etc/yum.repos.d/egi.repo

  3. Install several tools:
    sudo yum install -y gfal2-util gfal2-all fetch-crl ca-policy-egi-core globus-proxy-utils
  4. Install personal certificate on the machine:
    cd $HOME
    mkdir -p .globus
    cd .globus
    openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
    openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
    chmod 600 usercert.pem
    chmod 400 userkey.pem

To check that everything is working correctly:

grid-proxy-init -valid 168:00
gfal-copy --version

The last command should produce a list of the available protocols, which should include gridftp. If this is not the case, try running yum update.

Some examples of gfal utils below.

-bash-4.2$ gfal-ls srm://

-bash-4.2$ gfal-rm srm://
srm:// DELETED

-bash-4.2$ gfal-copy /home/USER-SUPPORT/arendina/sleep.sub srm://
Copying file:///home/USER-SUPPORT/arendina/sleep.sub [DONE] after 2s

-bash-4.2$ gfal-sum srm:// ADLER32
srm:// 2bca5372

For all the gfal commands see [16].

ClientSRM utils

In case of local to remote transfer, you have to request the storage space in the destination filesystem and this is done with the command clientSRM PtP, where PtP stands for Prepare to Put. For example:

$ clientSRM PtP -e httpg:// -s srm://


The complete list of options is given by the command clientSRM PtP -help or in [17].
The output should be something like this:

-bash-4.2$ clientSRM PtP -e httpg:// -s srm://
Sending PtP request to: httpg://
Before execute:
Afer execute:
Request Status Code 17
Poll Flag 0
Request status:
SRM Response:
arrayOfFileStatuses (size=1)
[0] SURL="srm://"
[0] status: statusCode="SRM_REQUEST_QUEUED"(17)

It is important to pay attention to the request token (in this case 51e58c63-afdd-4ccb-8a6d-8551b4261c33), which will be used later. Then it is necessary to check the status of the request with clientSRM SPtP (Status of Prepare to Put):

clientSRM SPTP -v -e httpg:// -t 51e58c63-afdd-4ccb-8a6d-8551b4261c33

where with -t you provide the token shown in the output of the clientSRM PtP command. The output will show you whether the request is successful in the status field.

-bash-4.2$ clientSRM SPTP -v -e httpg:// -t 51e58c63-afdd-4ccb-8a6d-8551b4261c33
Sending StatusPtP request to: httpg://
Before execute:
Afer execute:
Request Status Code 0
Poll Flag 0
Request status:
explanation="All chunks successfully handled!"
SRM Response:
arrayOfFileStatuses (size=1)
[0] SURL="srm://"
[0] status: statusCode="SRM_SPACE_AVAILABLE"(24)
explanation="srmPrepareToPut successfully handled!"
[0] TURL="gsi"

It is important to remember the TURL, which will be used in the transfer with the globus-url-copy command. After that, we can perform the file transfer:

bash-4.2$ globus-url-copy /home/USER-SUPPORT/arendina/sleep.sub gsi

Actually, with this command we overwrite the file "prova_andrea", prepared with the clientSRM PtP command, with the local file "sleep.sub".

Finally, to avoid leaving an open request in the StoRM database, we have to finish with the clientSRM Pd command, where Pd stands for Put Done:

-bash-4.2$ clientSRM Pd -e httpg:// -t 51e58c63-afdd-4ccb-8a6d-8551b4261c33 -s srm://
Sending PutDone request to: httpg://
Before execute:
Afer execute:
Request Status Code 0
Poll Flag 0
Request status:
explanation="All file requests are successfully completed"
SRM Response:
arrayOfFileStatuses (size=1)
[0] SURL="srm://"
[0] status: statusCode="SRM_SUCCESS"(0)

Similarly, in case of remote to local transfer the command is clientSRM PtG, where PtG stands for Prepare to Get, and the command to check the preparation status is clientSRM SPtG:

-bash-4.2$ clientSRM PTG -e httpg:// -s srm://
Sending PtG request to: httpg://
Before execute:
Afer execute:
Request Status Code 17
Poll Flag 0
Request status:
SRM Response:
arrayOfFileStatuses (size=1)
[0] status: statusCode="SRM_REQUEST_QUEUED"(17)
[0] sourceSURL="srm://"

-bash-4.2$ clientSRM SPtG -e httpg:// -t fe633fd3-de07-4a3e-a388-3cc2adf1fd3a
Sending StatusPtG request to: httpg://
Before execute:
Afer execute:
Request Status Code 0
Poll Flag 0
Request status:
explanation="All chunks successfully handled!"
SRM Response:
arrayOfFileStatuses (size=1)
[0] status: statusCode="SRM_FILE_PINNED"(22)
explanation="srmPrepareToGet successfully handled!"
[0] sourceSURL="srm://"
[0] fileSize=280
[0] transferURL="gsi"

So we can perform the transfer with a globus-url-copy command:

-bash-4.2$ globus-url-copy gsi copia
-bash-4.2$ ls
ce_testp308.sub copia pass sleep.sub test.sub
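
The status checks in the Prepare to Put and Prepare to Get walkthroughs above can be scripted so that globus-url-copy only runs once the request is ready. This is an added example, not part of the original guide; the sample output, the host names and the gsiftp:// scheme check are assumptions.

```shell
#!/bin/sh
# Added example: gate the GridFTP step on what clientSRM reported.
# SAMPLE_* are constructed after the output layout shown above; host names,
# ports and paths are placeholders, not real endpoints.
SAMPLE_PTP='Request Status Code 17
Poll Flag 0
SRM Response:
requestToken="51e58c63-afdd-4ccb-8a6d-8551b4261c33"
arrayOfFileStatuses (size=1)
[0] SURL="srm://storm.example.org:8444/vo/prova_andrea"
[0] status: statusCode="SRM_REQUEST_QUEUED"(17)'

SAMPLE_SPTP='Request Status Code 0
explanation="All chunks successfully handled!"
SRM Response:
arrayOfFileStatuses (size=1)
[0] SURL="srm://storm.example.org:8444/vo/prova_andrea"
[0] status: statusCode="SRM_SPACE_AVAILABLE"(24)
explanation="srmPrepareToPut successfully handled!"
[0] TURL="gsiftp://gridftp.example.org:2811/storage/vo/prova_andrea"'

# srm_field NAME: print the first NAME="value" found on stdin.
srm_field() {
    sed -n "s/^/ /; s/.*[^A-Za-z]$1=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# srm_ready_turl STATUS: print the transfer URL only if the file status is
# STATUS and the URL is a gsiftp:// one; otherwise explain on stderr and fail.
srm_ready_turl() {
    out=$(cat)
    st=$(printf '%s\n' "$out" | srm_field statusCode)
    turl=$(printf '%s\n' "$out" | srm_field TURL)                # PtP naming
    [ -n "$turl" ] || turl=$(printf '%s\n' "$out" | srm_field transferURL)  # PtG naming
    if [ "$st" != "$1" ]; then
        echo "request not ready: statusCode=$st" >&2
        return 1
    fi
    case $turl in
        gsiftp://*) printf '%s\n' "$turl" ;;
        *) echo "unexpected transfer URL: $turl" >&2; return 1 ;;
    esac
}

# Usage (ENDPOINT, REQ_TOKEN and LOCAL_FILE are hypothetical variables):
#   turl=$(clientSRM SPtP -v -e "$ENDPOINT" -t "$REQ_TOKEN" |
#          srm_ready_turl SRM_SPACE_AVAILABLE) && globus-url-copy "$LOCAL_FILE" "$turl"
```

For a Prepare to Get request, pass SRM_FILE_PINNED as the expected status.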

Finally, to list the files in a directory you can use the command clientSRM Ls.

-bash-4.2$ clientSRM Ls -e httpg:// -s srm://

More information on using SRM clients can be found here [18].

Data transfers using http endpoints


At INFN-Tier-1, valid WebDAV endpoints for the experiments’ storage areas are provided with StoRM WebDAV (third-party-copy supported) or Apache.

Then, the most common WebDAV clients can be used to access the storage areas, namely browsers and command-line tools such as curl and davix.

When StoRM WebDAV is used, VOMS proxies are supported only by command-line tools, while browsers can be used to navigate the storage area content if anonymous read-only access is enabled (HTTP endpoint) or if VO users' access through their X509 certificate is enabled (HTTPS endpoint).

Some examples follow below; more information is available in the wiki [20].

With a valid voms-proxy:

-bash-4.2$ voms-proxy-init --voms dteam
Enter GRID pass phrase for this identity:
Contacting [/C=GR/O=HellasGrid/] "dteam"...
Remote VOMS server contacted succesfully.

Created proxy in /tmp/x509up_u10162.

Your proxy is valid until Thu Aug 20 00:22:39 CEST 2020
-bash-4.2$ voms-proxy-info --all
subject : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina
issuer : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina
identity : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina
type : RFC3820 compliant impersonation proxy
strength : 1024
path : /tmp/x509up_u10162
timeleft : 11:59:11
key usage : Digital Signature, Key Encipherment
=== VO dteam extension information ===
VO : dteam
subject : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina
issuer : /C=GR/O=HellasGrid/
attribute : /dteam/Role=NULL/Capability=NULL
timeleft : 11:59:10
uri :


StoRM WebDAV also supports OpenID Connect authentication and authorization on storage areas, so tokens can be used instead of proxies [19]. Dedicated IAM (Identity and Access Management) instances can be configured for the experiments upon request (please contact the user support).

As StoRM WebDAV does not currently support group-based authorization, for such use cases we provide a dedicated Apache server and a catch-all IAM instance available at, where registered users are assigned to specific groups.

Once the user is registered within IAM, an access token can be retrieved via browser or via a dedicated script from a registered IAM client. This access token, exported in an environment variable, can be used instead of the VOMS proxy to access the storage area with HTTP clients.

Via browser, the user can get the token by following the link https://iam-<experiment>

Otherwise, the oidc-agent tool is already installed on the user interface and can be used to retrieve an access token directly from the shell.
First of all, we have to start the process with the command:

-bash-4.2$ eval $(oidc-agent)
Agent pid 23855

Then, to register your own client, run:

-bash-4.2$ oidc-gen -w device virgo

and to get the access token:

-bash-4.2$ oidc-add virgo
Enter decryption password for account config 'virgo':
-bash-4.2$ oidc-token virgo

where virgo has to be replaced with the experiment name.
Now, with the access token saved in the TOKEN environment variable

-bash-4.2$ export TOKEN=eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIyNDZjZDNiYi0zNzBkLTRiM2YtOTY1Zi1iOGFiYjRjODZjNGYiLCJpc3MiOiJodHRwczpcL1wvaWFtLXZpcmdvLmNsb3VkLmNuYWYuaW5mbi5pdFwvIiwiZXhwIjoxNTk4NTQxMTYyLCJpYXQiOjE1OTg1Mzc1NjIsImp0aSI6IjIxMjc0ZTAyLTM1MDktNDZjZS04MzAwLTk5MzhkYzI2MTVmNiIsImNsaWVudF9pZCI6IjdjMDE4YWE3LTg2MTItNGYyMC1iNDQ4LWZjNjk0ZGQ1NDQ3YyJ9.f8tQa6Zol4fB95RJZK6QzNnuK9PoVyjiiQE2IbvCWJUHJHl7MNicqu8pFlHNSg4lv8yzdV2gAavyldA0E8mnkb3a2KCdmOBDi6FJp2pd3TKX4CzFMV-tY8LPIjHtGgonNprOp_TklCAijdjL7lYAchzb4nPsj2iz2DdmuydnPZs

there are some useful examples:
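
Before the token is handed to an HTTP client, its issuer and remaining lifetime can be checked locally. This is an added example, not part of the original guide; the sample token, the issuer iam.example.org and the 300-second margin are assumptions.

```shell
#!/bin/sh
# Added example. The sample token is constructed and unsigned; iam.example.org
# is a placeholder issuer. Decoding does NOT verify the signature: this is a
# client-side sanity check, the storage endpoint still validates the token.

MIN_LEFT=300   # assumed safety margin in seconds

# jwt_payload TOKEN: print the decoded claims (second dot-separated segment).
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url omits padding; restore it so base64 -d accepts the input
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# jwt_claim TOKEN NAME: value of a top-level claim. Assumes compact JSON and a
# value without commas or quotes, which holds for iss, exp, iat and client_id.
jwt_claim() {
    jwt_payload "$1" |
        sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" |
        sed 's#\\/#/#g'     # undo JSON-escaped slashes in URLs
}

# token_usable TOKEN ISSUER [NOW]: succeed only if iss is the expected issuer
# and more than MIN_LEFT seconds remain before exp.
token_usable() {
    now=${3:-$(date +%s)}
    iss=$(jwt_claim "$1" iss)
    exp=$(jwt_claim "$1" exp)
    [ "$iss" = "$2" ] || { echo "unexpected issuer: $iss" >&2; return 1; }
    case $exp in
        ''|*[!0-9]*) echo "missing or non-numeric exp" >&2; return 1 ;;
    esac
    left=$(( exp - now ))
    [ "$left" -gt "$MIN_LEFT" ] || { echo "token expires in ${left}s" >&2; return 1; }
}

# Constructed sample with the claim layout of an IAM access token.
sample_token() {
    body='{"iss":"https:\/\/iam.example.org\/","exp":1598541162,"iat":1598537562}'
    printf 'e30.%s.sig\n' "$(printf '%s' "$body" | base64 | tr -d '=\n' | tr '/+' '_-')"
}
```

Assigning the variable with TOKEN=$(oidc-token virgo) instead of pasting the value keeps the token out of the shell history; token_usable "$TOKEN" "$EXPECTED_ISSUER" can then run before each transfer, where EXPECTED_ISSUER is a hypothetical variable holding the experiment's IAM URL.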


Check if the file is on the disk (using local POSIX commands)

-bash-4.2$ ls -ls /storage/gpfs_tsm_cms/cms/store/test/rucio/cms/store/mc/\

0 -rw-rwxr--+ 1 storm storm 1790274828 Jul 10 18:33 /storage/gpfs_tsm_cms/cms/store/test/rucio/cms/\
GEN-SIM/102X_upgrade2018_realistic_v11-v1/280000/A61D92B2-C74A-6045-8325-869194181F9E.root ## ON TAPE

Check if the file is on the disk (with Grid tools using VO based authentication)

Recall files from tape (without Grid tools)

To recall files from tape, it is necessary to provide the list of the files to be recalled. CNAF will recall them.

Recall files from tape (using Grid tools with VO-based authentication)

To recall files from tape, you can use the clientSRM [17] command with the option bol (which stands for Bring On Line).

clientSRM bol -e httpg:// -s srm://

where the -e option provides the endpoint to contact and the -s option provides the SURL of the files. Now your recall request is queued. N.B. Remember the requestToken (for example: requestToken="ea8b525d-1b12-47a5-b8d5-6935ebc53003") which appears in the output of the previous command, because you can later use it to check the status of your request, i.e.:

clientSRM sbol -e httpg:// -t "ea8b525d-1b12-47a5-b8d5-6935ebc53003"