Using GridFTP

Setting up your environment

You may add the GridFTP client utilities to your environment by adding this to your .soft file (.soft.tukey on Tukey), on any line above the keyword @default:


Important note about file:// URLs

Use of file:// URLs (or paths without a transport specified) on the Mira, Cetus, Vesta, and Tukey logins is highly discouraged, since it puts excessive load on our login nodes. Please use gsiftp:// for the Mira/Vesta side of your file transfer when running globus-url-copy on the login nodes.


Trusting the ALCF CA

In order to use the ALCF MyProxy service to authenticate to our GridFTP servers and perform file transfers, your system administrator may need to add the ALCF CA (Certificate Authority) files to your GridFTP server's configuration, if this has not already been done previously.

  • Download the following tar.gz file containing ALCF CA files: 664c643b.tgz
  • Contents of archive:
    • ALCF CA Cert: 664c643b.0 (MD5 e790018fdae7419c732560a73a399321)
    • ALCF CA Signing Policy: 664c643b.signing_policy (MD5 ac0ed74fcbb8a6610b3c3ec057002057)
  • Your sysadmin will need to install the above files on their GridFTP servers in /etc/grid-security/certificates

Information about our CA

ALCF has a local certificate authority (CA) for the purpose of generating short-term certificates for GridFTP transactions. These certificates are held internally by our local myproxy server and are not directly accessible to the end user. In order to perform GridFTP transfers, users must authenticate to the myproxy server using the one-time password provided by their CryptoCard. The Registration Authority (RA) function for our CA is the identity verification we perform when issuing the CryptoCard to the user. Certificates are only issued to ALCF users with CryptoCards; they are held in the myproxy server, and are not distributed.

Performing GridFTP transfers

  • If you are using our myproxy server, first log in to the myproxy server:
myproxy-logon -s
  • When prompted for a password, type in your CryptoCard PIN and generated password.

  • Note - proxy certificates are temporary have a limited lifetime; the default is 12 hours for the command above.  You may request a shorter or longer certificate lifetime using the -t option followed by the number of hours desired, up to a maximum of 72 hours.  Certificates may be renewed to avoid interruption during longer transfer jobs by running myproxy-logon again before the certificate expires and re-authenticating.

  • Perform your transfer using the globus-url-copy command:

globus-url-copy <arguments> gsi gsiftp://dest...
  • For example:
globus-url-copy -vb -p 4 -tcp-bs 4M gsi gsi

This will issue a copy in verbose mode with transfer statistics (-vb), with four data streams (-p 4) and a 4MB block size. For very large files (over 100GB), add "-striped" to the globus-url-copy command to utilize all of our GridFTP servers. For files under 10GB, striping provides little benefit. For files between 10GB and 100GB, striping can provide some benefit, depending on the network.

If you are running a transfer between GPFS filesystems internally at ALCF (e.g. between /home and /projects on mira), the "-p 4" may be omitted, since multiple streams offer little benefit on internal transfers.

For additional documentation on the usage of myproxy, please refer to the MyProxy user documentation at

For additional documentation on GridFTP, please refer to the GridFTP user guide at

Associated Documents: