1. Verify that the webmo system user can submit jobs to batch queueing system
   Log into a shell as the webmo system user
   Use "qsub" to submit a computatinoal chemistry job
   Verify that the job completes successfully
2. Enable exterbal batch queuing system within WebMO
   Login to WebMO as admin
   Choose System Manager
   Under Sueueing system, choose External Batch Queue - PBS (or installed queueing system)
   Click "Submit" and "Return to Admin"
   
3. Configure and define one or more webmo queues
   Choose Batch Queue Manager
   On Settings tab, specify paths to qcommands, specify remote shell command (which must provide passwordless access), and click "Submit"
   On Queues tab, click "New Queue", enter new queue name (which must correspond to a system queue), and click "OK"
   Repeat for additional desired system queues
   Click "Returm to Admin"
   
4. Enable and configure computational engines for each defined webmo queue
   Choose Interface Manager
   Under Queue, select queue to edit, and click "Change"
   Click the Enable interface icon for each installed computational engine
   Click the Edit interface icon for each installed computational engine, enter configuration data, and click "Submit"
   Repeat for each queue
   Click "Return to Admin" and "Logout"
   Note: program file locations and scratch directory must be defined as all compute nodes would see them
   
5. Run a WebMO test job as webmo user for each queue and engine
   

Parallel versions of Gamess, Gaussian (SMP version), Molpro, and Q-Chem are supported on batch queues (which typically allocate computational resources on computer clusters).

1. Enable batch queuing (see above)
   
2. Login as admin, choose Interface Manager, select a queue to edit if appropriate, enable desired interface if necessary, and edit desired interface
   
3. Verify that the parallel version of the program is selected; if not, edit entries and click the Submit button
   
4. Under Nodes and Processors / node, set appropriate values for Min (typically 1), Max (which determines the largest parallel job permitted), and Default (typically 1); click Submit, Return to Admin, and Exit.

1. Login as admin, and select Group Manager
   
2. Click New Group button, enter {groupname} (e.g., organic, chem346, or xyz_college) and subadministrator password, and click Submit and Return to Admin
   
3. Click the Edit icon for the newly created group. On the Permissions tab, the webmo administrator may select a job time limit, computational engines, and batch queues for the group. If external authentication is enabled (see below), a password tab is displayed on which the webmo administrator may permit externally authenticated users to create accounts from themselves after providing a group newuser password. Select Return to Group Manager, Return to Admin, and Logout.
   
4. A group subadministrator with the username {groupname}_admin and subadministrator password has been created
   
5. New users may be added to the the newly created user group by the subadministrator or by external authentication with the group newuser password
   

1. Install relevant perl authentication libraries:
   
   Authen::Simple::LDAP
   Authen::Simple::POP3
   Authen::Simple::NIS
   Authen::Simple::Passwd
   Authen::Simple::PAM
   
   For example,
   # perl -MCPAN -e 'install Authen::Simple::PAM'
   Follow prompts and make reasonable choices
   Note: you might need to temporarily turn off your firewall to perform this installation
   
2. If using PAM+shadow authentication, install pam_authenticate.pl script
   $ mkdir /home/webmo/bin
   $ cp -p /WebMO.install/scripts/pam_authenticate.pl /home/webmo/bin/
   $ chmod 775 /home/webmo/bin/pam_authenticate.pl
   Edit {WebMO_CGI_dir}/interfaces/authen.conf to reflect the location of pam_authenticate.pl
   
3. If necessary, edit {WebMO_CGI_dir}/interfaces/authen.conf to reflect location of LDAP or POP3 server
   
4. Edit /etc/sudoers as necessary
   AUTHEN is needed for PAM+shadow authentication. SYSCMD and QCMD are needed for running jobs under UID's.
   # visudo
   

   # WebMO user
   Cmnd_Alias SYSCMD = /bin/chown,/bin/chmod,/bin/mkdir
   Cmnd_Alias QCMD = /usr/local/bin/qsub,/usr/local/bin/qstat,/usr/local/bin/qdel
   Cmnd_Alias AUTHEN = /home/webmo/bin/pam_authenticate.pl
   webmo   ALL=(ALL)               NOPASSWD: QCMD, SYSCMD, AUTHEN
   

5. Enable external authentication
   Choose System Manager
   Under Authentication, choose d esired type of authentication
   Click "Submit" and "Return to Admin"
   
6. Choose one or more groups that new users may join
   Login to WebMO as admin
   Choose Group Manager
   Edit desired group
   Check "Allow new users to join this group"
   Set password for joining group, if desires
   Click "Submit"
   Click "Return to Group Manager", and repeat as necessary
   Click "Return to Admin"
   
7. Verify that user will user external authentication
   (This is only for PRE-EXISTING WebMO users who now wish to CHANGE to external authentication; this step is normally unncessary. New users created automatically via external authentication will have this step preformed automatically.)
   Choose User Manager
   Edit user smith
   If necessary, check "Externally authenticate this user" and click "Submit"
   Click "Return to User Manager", "Return to Admin", and "Logout"
   (Note: new users which are added via external authentication will have this box set automatically.)
   
8. Test external authentication
   Login as user smith with external password
   If this is user smith's first login to WebMO, they will be prompted to join a group, and must provide the group password
   Run a test job
   
9. Run apache over SSL
   Since system passwords will be transmitted via the web, it is high recommended that your webserver be run as a secure server. On Fedora systems, this is as simple as using "https" instead of "http". Be sure that your firewall allows access to port 443 (https) in addition to port 80 (http). Also, the default certificate may cause warnings, in which case you can create a key, create a certificate, sign the certificate, edit httpd.conf to point to the new certificate, and restart your webserver.
   

In order for WebMO jobs to be run as system users rather than as the webmo user, the following criteria must be met:

• batch queueing must be selected (see above)
• a local system account must exist for the specified execution UID
• the execution UID must be > 100
• if the webserver (head) node home are NFS mounted, e.g., one has a separate file server node, then the mount must be mounted with the no_root_squash option

1. Edit /etc/sudoers as necessary. (This was already done to enable external authentication.)
   AUTHEN is needed for PAM+shadow authentication. SYSCMD and QCMD are needed for running jobs under UID's.
   # visudo
   

   # WebMO user
   Cmnd_Alias SYSCMD = /bin/chown,/bin/chmod,/bin/mkdir
   Cmnd_Alias QCMD = /usr/local/bin/qsub,/usr/local/bin/qstat,/usr/local/bin/qdel
   Cmnd_Alias AUTHEN = /home/webmo/bin/pam_authenticate.pl
   webmo   ALL=(ALL)               NOPASSWD: QCMD, SYSCMD, AUTHEN
   

2. Login to WebMO as admin
   Choose System Manager
   Check "Enable sudo mode"
   CLick "Submit", "Return to Admin"
3. Specify execution UID Choose Group Manager
   Edit the desired group, and choose the "Permissions" tab
   Under "Job execution UID", select:
   "Webserver UID" to run all jobs under the UID of the webserver (normally 'webmo')
   "WebMO username UID" to run jobs under the UID of the sytem user with the same name as the correpsonding WebMO user (assuming such a system user exists; i.e. WebMO user 'smith' job will under system UID 'smith')
   "Fixed execution UID" to run all submitted from this group under a single system UID (i.e. 'organic')
   
4. Login to WebMO as a system user. Submit a job. From a separate login shell, issue a "qstat" comand, and verify that the job is running as the system user and not as the webmo user
   

In addition to WebMO access, system users might wish to be able to directly access their output files from the command line.

Method I: Symbolic link from user home directory to WebMO jobs directory

This is simplest to implement, since it is just a single symbolic link that users can implement themselves

[webmo] $ su - smith
[smith] $ ln -s /home/webmo/webmo/smith /home/smith/my_webmo_jobs

This method is more complicated, and there is little advantage (even with disk quotas). But job files are physically stored in user directories, which might useful for tracking disk storage without quotas. In order for WebMO to store jobs in a user's home directory:

• jobs must be executed using "WebMO username UID" or a "fixed UID"
• other execute bit on user home directories must be set

1. Create a job directory in the user home directory
   [webmo] $ su - smith
   [smith] $ mkdir /home/smith/webmo
   [smith] $ mkdir /home/smith/webmo/smith
2. Make the directory writable by both webmo and the user
   If webmo and smith belong to the same group
   [smith] $ chmod 775 /home/smith/webmo/smith
   Or, if webmo and smith belong to different groups
   [smith] $ su -
   [root] # chown smith:{webmogroup} /home/smith/webmo/smith
   [root] # chmod 775 /home/smith/webmo/smith
   [root] # exit
   
3. Move user jobs from the WebMO job directory to the user job directory
   [smith] # exit
   [webmo] $ mv /home/webmo/webmo/smith/* /home/smith/webmo/smith/
   
4. Replace the WebMO job directory with a symbolic link
   [webmo] $ rmdir /home/webmo/webmo/smith/
   [webmo] $ ln -s /home/smith/webmo/smith /home/webmo/webmo/smith
   

Copyright © 2007, WebMO, LLC, all rights reserved.