# CYGNO DAQ SETUP

## Install IAM CA

On Ubuntu, for instance:

```bash
# Download the IAM CA certificate into the system CA directory, then rebuild the bundle
wget --no-check-certificate "https://crt.sh/?d=2475254782" -O /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
```

On other operating systems, install the CA provided here ([https://crt.sh/?d=2475254782](https://crt.sh/?d=2475254782)) in the system CA bundle.

## Install oidc-agent

### Install packages

Install the oidc-agent package following the instructions [here](https://indigo-dc.gitbook.io/oidc-agent/installation).

Then follow the instructions [here](https://codimd.web.cern.ch/s/SL-cWzDZB) to `Configure the agent for a IAM-Profile token`.

### Get client info from your local oidc-agent

You will need:

- a client id
- a client secret
- a refresh token

You can get them from your personal oidc-agent using this command:

```bash
oidc-gen -p infncloud-iam
```

You will get an output like:

```text
{
  "name": "cloud",
  "client_name": "oidc-agent:cloud-DESKTOP-8AQE22V",
  "issuer_url": "https://iam.cloud.infn.it/",
  "device_authorization_endpoint": "https://iam.cloud.infn.it/devicecode",
  "daeSetByUser": 0,
  "client_id": "<your client id>",
  "client_secret": "<your client secret>",
  "refresh_token": "<your refresh token>",
  "cert_path": "/etc/ssl/certs/ca-certificates.crt",
  "scope": "address phone openid profile offline_access",
  "audience": "",
  "redirect_uris": ["edu.kit.data.oidc-agent:/redirect", "http://localhost:41788", "http://localhost:8080", "http://localhost:4242"],
  "username": "",
  "password": ""
}
```

Then note down the values of the keys `client_id`, `client_secret` and `refresh_token`.

### Configure the agent on the remote server

```bash
export IAM_CLIENT_ID="<ID from previous step>"
export IAM_CLIENT_SECRET="<secret from previous step>"
export REFRESH_TOKEN="<refresh token from previous step>"
export IAM_SERVER=https://iam.cloud.infn.it/

# Start the agent and load its environment into this shell
eval `oidc-agent`

# Register the account configuration under the short name infncloud-iam;
# --pw-cmd supplies the encryption password for the stored configuration
oidc-gen --client-id "$IAM_CLIENT_ID" --client-secret "$IAM_CLIENT_SECRET" --rt "$REFRESH_TOKEN" --manual --issuer "$IAM_SERVER" --pw-cmd="echo pwd" infncloud-iam
```

Press Enter twice when prompted:

```
No account exists with this short name. Creating new configuration ...
The following scopes are supported: openid profile email address phone offline_access eduperson_scoped_affiliation eduperson_entitlement
Scopes or 'max' (space separated) [openid profile offline_access]:
Redirect_uris (space separated):
Generating account configuration ...
success
The generated account config was successfully added to oidc-agent. You don't have to run oidc-add.
```

Now everything should be ready, and you'll get a valid token with the following command:

```bash
oidc-token infncloud-iam
```
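
A quick check that the token returned by `oidc-token infncloud-iam` was issued by the expected IAM server and has not expired, added here as an example that is not part of the original page. It assumes the access token is a JWT and only inspects its claims without verifying the signature; the function names and the constructed sample token are hypothetical.

```bash
#!/bin/sh
# Added example: sanity-check the claims of a token obtained from oidc-agent.
# Assumption: the access token is a JWT. The signature is NOT verified here.

# Print the decoded JSON payload (second dot-separated part) of a JWT.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')   # base64url -> base64
  case $(( ${#p} % 4 )) in                                # restore stripped padding
    2) p="$p==" ;;
    3) p="$p=" ;;
  esac
  printf '%s' "$p" | base64 -d
}

# check_token TOKEN EXPECTED_ISSUER
# Returns 0 if "iss" equals EXPECTED_ISSUER and "exp" is in the future,
# 1 on issuer mismatch, 2 if expired, 3 if the payload cannot be decoded.
check_token() {
  payload=$(jwt_payload "$1" 2>/dev/null) || return 3
  # Some JSON serializers escape "/" as "\/"; drop the backslashes before comparing.
  iss=$(printf '%s\n' "$payload" | sed -n 's/.*"iss" *: *"\([^"]*\)".*/\1/p' | tr -d '\\')
  exp=$(printf '%s\n' "$payload" | sed -n 's/.*"exp" *: *\([0-9][0-9]*\).*/\1/p')
  [ -n "$iss" ] && [ -n "$exp" ] || return 3
  [ "$iss" = "$2" ] || return 1
  [ "$exp" -gt "$(date +%s)" ] || return 2
  return 0
}

# Encode stdin as unpadded base64url.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# make_sample_token ISSUER EXP
# Builds a constructed, unsigned token for offline testing only.
make_sample_token() {
  h=$(printf '%s' '{"alg":"none"}' | b64url)
  c=$(printf '{"iss":"%s","exp":%s}' "$1" "$2" | b64url)
  printf '%s.%s.sig' "$h" "$c"
}

# On the remote server, after the setup above:
#   check_token "$(oidc-token infncloud-iam)" "$IAM_SERVER" && echo "token OK"
```

The issuer comparison is exact, so the trailing slash in `IAM_SERVER` matters.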