FASSE / Protected Data Transfers
FASRC DOCS, https://docs.rc.fas.harvard.edu/kb/fasse-protected-data-transfers/ (Fri, 22 Mar 2024)

To preface this: You are responsible for knowing and complying with the applicable Harvard Information Security Policy (controls that apply to DSL3 and lower), the Harvard Research Data Security Policy, and any applicable contracts / data use agreements.

FASSE data transfers generally work the same as transfers for other environments.  For example:

  • When connected to the FASSE VPN realm, you can copy files to and from the FASSE cluster, assuming this meets policy/DUA compliance requirements.
  • While on FASSE nodes (compute, login, etc.) and the FASSE VPN, you have full access to the Internet through a proxy.
    • Generally, this means that you can push to or pull from any HTTPS, SFTP, or other service that supports a proxy.
    • For example, this means you should be able to pull data from data providers that provide an HTTPS, SFTP, or other service.  You may need to adjust certain configurations and workflows to use the proxy – Some details on this here

With that said, given that FASSE is rated for data security level (DSL) 3 data:

  • Do not store DSL 3 / FASSE data in your home directory.
  • If you have a DUA that requires encryption at rest, you must not use scratch for any data that the DUA applies to.  Neither local scratch, nor our global scratch, support encryption at rest.
  • FASSE VPN, login, compute, and VDI environments use a proxy.  Some transfer solutions do not work through a proxy.  If you run into this:
    • Please ensure you have tried to use a proxy, and if you still run into trouble,
    • Open a ticket with rchelp@rc.fas.harvard.edu indicating
      • What you have tried
      • What you expected to happen
      • What actually happened
      • Include specific commands, where these ran, and output messages including all errors.
  • Data security level 3 / FASSE storage is intentionally not included in Globus by default.  If you would like your FASSE project to be exposed through Globus, consider the following:
    • If any data in this project is governed by a contract / data use agreement (DUA), please review the DUA to ensure Globus is compliant.  You might consult your School Security Officer for this.
      • An example scenario where Globus would not be compliant:  DUAs indicating that a VPN or private network must be used for all access to the data.  Globus makes data available over the Internet without a VPN or private network
    • Please submit a ticket to rchelp@rc.fas.harvard.edu as follows:
      • This must include the path to the project to add to Globus (e.g. “/n/piname_project_l3”)
      • This must indicate that the PI attests to Globus being compliant with any contracts/DUAs governing the data in this project storage
      • This must be from, or receive a reply directly from the PI for this project confirming this information
  • FASSE storage is intentionally not exposed through SMB shares by default.  If you need your FASSE project exposed through an SMB share, consider the following:
    • Please submit a ticket to rchelp@rc.fas.harvard.edu as follows:
      • This must include the path to the project (e.g. “/n/piname_project_l3”)
      • This must indicate that the PI attests to understanding and accepting the risks of enabling SMB access to this data, given that any system or network that can talk to this tiered storage, could access this data if the credentials from an account in the project were used.  Some example scenarios:
        • Someone with access to your storage accesses it / copies data down to an unmanaged lab computer without data security level controls
        • Someone with access to your storage accidentally clicks the wrong link on a computer with access to this storage. Their computer is compromised, malware identifies SMB access to your data, and compromises the confidentiality, integrity, and/or availability of your data – maybe ransomware, stealing the data, etc.
      • This must include a brief explanation of why SMB access is needed, and from where you will use this SMB access
      • This must be from, or receive a reply directly from the PI for this project confirming this information
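
A pre-flight check for the home-directory and scratch rules in the list above, as an added example that is not FASRC tooling: it refuses a destination inside the home directory and, when a DUA requires encryption at rest, inside /scratch, /n/netscratch or $SCRATCH (the scratch locations named in the FASSE FAQ). The function names and exit codes are assumptions made for this sketch.

```bash
# Added example: pre-flight check for a FASSE transfer destination.
# Returns 0 = allowed, 1 = home directory, 2 = scratch while encryption at rest is required.

_canon() {   # resolve symlinks and ".." (GNU realpath); fall back to the raw path
    realpath -m -- "$1" 2>/dev/null || printf '%s\n' "$1"
}

_under() {   # _under PATH DIR: true if PATH is DIR or lies beneath it
    case "$1" in "$2"|"$2"/*) return 0 ;; *) return 1 ;; esac
}

fasse_dest_check() {
    # $1 = destination path; $2 = "enc" if the DUA requires encryption at rest
    _dest=$(_canon "$1")
    if [ -n "${HOME:-}" ] && _under "$_dest" "$(_canon "$HOME")"; then
        echo "refused: $_dest is inside the home directory" >&2
        return 1
    fi
    if [ "${2:-}" = "enc" ]; then
        # Scratch locations named on this page; none supports encryption at rest.
        for _s in /scratch /n/netscratch "${SCRATCH:-}"; do
            [ -n "$_s" ] || continue
            if _under "$_dest" "$(_canon "$_s")"; then
                echo "refused: $_dest is scratch space" >&2
                return 2
            fi
        done
    fi
    return 0
}
```

Call it before a copy, for example `fasse_dest_check /n/piname_project_l3/raw enc && cp ...`, so a refused destination stops the transfer.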

If you have any questions or concerns, please do not hesitate to consult us at security@rc.fas.harvard.edu, although in some cases we may end up pulling in or pointing you to your school privsec officer.

FASSE Cluster (FAS Secure Environment)
FASRC DOCS, https://docs.rc.fas.harvard.edu/kb/fasse/ (Wed, 24 Aug 2022)

Overview

The FAS Secure Environment (FASSE) is a secure multi-tenant cluster environment that gives Harvard researchers access to a secure enclave for analysis of sensitive datasets with DUAs and IRBs classified as Level 3. All servers in the FASSE environment are physically located inside an access-controlled data center. We have implemented security controls and access control lists to restrict access.

Access to the cluster is restricted via a Virtual Private Network (VPN) and only authorized users/groups will be added to the FASSE VPN realm. If you do not belong to a FASSE project group, you cannot access the FASSE VPN or cluster.

We provide different storage tiers based on project needs. Please review storage options. 

Note: As this is a secure environment, your home folder on FASSE is separate from any home folder you might have on the FASRC (Cannon) cluster. Data from the secure level 3 (FASSE) environment should not be transferred into level 2 space (Cannon).

FASSE is not rated for Level 4/DSL 4 data. If you require a Level 4 environment, please contact University RC (URC) to discuss options.
FASRC does not provide a Level 4 secure environment.

See also:


STEP 0: HRDSP REQUIREMENTS

In order to have a FASSE DSL3 environment created for a project, the project owner or PI must first satisfy the HRDSP application requirements. FASRC (or the HRDSP section here) is required by the university to review any documents (DUA/DAT/IRB) before a new FASSE project is created and/or any data is copied to the cluster. This information will also help FASRC determine how the environment should be set up, who the contacts are, and how project group names should be constructed.

FASRC cannot advise you on this step, please contact VPR for assistance and guidance.

HRDSP: Harvard Research Data Security Policy site
HRDSP: Applications Summary and Order of Reviews

 


Step 1: Sign up for a FASRC Account

If you do not already have a FASRC account (otherwise skip to Step 2):

PI/Project Owner

Users

Before you can access the FASSE cluster you need to request a Research Computing account, selecting your PI as your sponsor (in this case, this is a Harvard faculty PI [or in some cases, a non-faculty researcher with PI rights], not necessarily the person listed on an IRB or DUA). See How Do I Get a Research Computing Account for instructions if you do not yet have an account. If your Harvard PI does not exist, please direct them to this same page and the directions in the previous paragraph.

New Accounts

If you have an existing account or have already completed the following three steps, you can skip this section. But please note the FASSE VPN realm (@fasse) noted below. You must connect to this realm to access any FASSE resources.

Password Set

Once you have your FASRC account, you will receive an email with the same information as below, but step one is to set your password. This will be done using your email address and our password reset system.

See our Password Reset documentation for instructions.

OpenAuth (two-factor)

To access FASSE and most FASRC services, including the FASRC VPN, you will need your personal FASRC OpenAuth two-factor (2FA) token. This can be set up on your smartphone using an app or downloaded as a Java applet to run on your desktop/laptop.

See our OpenAuth documentation for setup instructions.

FASSE VPN

In order to access any secure system or environment in FASRC, you will need to connect to the FASRC VPN. The FASRC VPN is separate from other Harvard VPNs you may already be using.  To connect to a FASSE environment, you will connect to the FASRC VPN (vpn.rc.fas.harvard.edu) using the @fasse realm (ex. – jharvard@fasse), your FASRC password, and your OpenAuth 2FA code.

See our VPN documentation for setup instructions.

 


Step 2: Request a FASSE Project

If you have completed the HRDSP process and you and your PI have FASRC accounts, you can proceed to fill out the

FASSE New Project Request Form (Harvard Key login required)

 


USING FASSE

Accessing the FASSE environment.

FASSE VPN

To connect to a FASSE environment, you will connect to the FASRC VPN (vpn.rc.fas.harvard.edu) using the @fasse realm (ex. – jharvard@fasse), your FASRC password, and your OpenAuth 2FA code.  If you’re used to using Cannon, note that the VPN realm, @fasse, is different from the @fasrc realm you’re used to using.

SLURM and Partitions

To manage the workload on the cluster we use SLURM. Partition is the term that Slurm uses for queues. Partitions can be thought of as a set of resources and parameters around their use.  You can use spart to find out what partitions you have access to. Following are the partitions available on the FASSE cluster.

To run jobs on the main cluster instead, please refer to Running Jobs (Cannon)

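| Partition | Number of Nodes | Cores per Node | CPU Core Types | Mem per Node (GB) | Time Limit | Max Jobs | Max Cores | MPI Suitable? | GPU Capable? | /scratch size (GB) |
|---|---|---|---|---|---|---|---|---|---|---|
| fasse | 42 | 48 | Intel "Cascade Lake" | 184 | 7 days | none | none | yes | No | 68 |
| fasse_bigmem | 18 | 64 | Intel "Ice Lake" | 499 | 7 days | none | none | yes | No | 172 |
| fasse_ultramem | 1 | 64 | Intel "Ice Lake" | 2000 | 7 days | none | none | no | No | 396 |
| fasse_gpu | 2 | 64 | Intel "Ice Lake" | 487 | 7 days | none | none | yes | Yes (4 A100/node) | 172 |
| fasse_gpu_h200 | 2 | 112 | Intel "Sapphire Rapids" | 990 | 3 days | none | none | yes | Yes (4 H200/node) | 843 |
| test | 5 | 48 | Intel "Cascade Lake" | 184 | 12 hours | 5 | 96 cores | yes | No | 68 |
| remoteviz | 1 | 32 | Intel "Cascade Lake" | 373 | 7 days | none | none | no | Shared V100 GPUs for rendering | 396 |
| serial_requeue | varies | varies | Intel | varies | 7 days | none | none | No | Yes | varies |
| PI/Lab nodes | varies | varies | varies | varies | none | none | none | varies | varies | varies |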

Do not use salloc

Do not use salloc on FASSE.  Salloc is not available on FASSE for security reasons.  For interactive access, please use the FASSE VDI (see below).

Open OnDemand (OOD) Access

OpenOnDemand (OOD) or VDI (virtual desktop interface) is a virtual GUI interface that provides everything from pre-built apps to interactive command line access within a familiar desktop-like environment.

The FASSE OOD is available through your web browser when you are connected to our @fasse VPN realm.  To access the service, please visit: https://fasseood.rc.fas.harvard.edu

See the following documentation for further information on how to leverage OOD on FASRC clusters:

  1. OOD Dashboard and Remote Desktop
  2. R and RStudio Server
  3. OOD Remote Desktop and Software

Command Line Access

Command-line access is also available for those who need/want to run jobs using a CLI. Login nodes for FASSE can be accessed by SSH at fasselogin.rc.fas.harvard.edu:

ssh jharvard@fasselogin.rc.fas.harvard.edu

Note that FASSE does not allow you to run interactive jobs. Instead, you have to use OOD to run interactive jobs.

See our FASSE CLI documentation for further information. [Link Pending] 

Interim Documentation: See the very similar main cluster doc in the interim


FASSE FAQ

Please see STEP 0: HRDSP REQUIREMENTS at the top of this page. You must complete the Harvard HRDSP requirements before proceeding. If you do not have a FASRC account yet, you should also see: Account Signup

Level 3 and other sensitive files and data stored within the secure environment should never be transferred to storage on the FASRC main cluster or to outside storage which is not designed and approved to house secure data.

FASSE secure storage shares should be accessible via Globus to allow you to transfer your data.

Local Scratch on FASSE Nodes
Jobs on FASSE nodes have local scratch space at /scratch. Data in this space is only retained for the length of the job; data that needs to be retained should therefore be saved to long-term storage.

Global Scratch
Global scratch is available at /n/netscratch or using the $SCRATCH variable.

FASSE global scratch has the same 90-day retention policy. For policy details and more on the scratch variable, see: Scratch Policy

Each user has a home directory that is accessible only when logged into the secure FASSE environment. This home directory cannot be accessed on the main cluster. While you can also log into the main FASRC cluster, your FASSE home directory and project storage will not be accessible there as the main cluster is only rated for level 2 or lower data.
Users of the FASSE secure cluster can also log into the main FASRC cluster. This may be necessary for some users who also work with level 2 jobs or data with their lab on the main cluster. But bear in mind that these are two separate environments and data from FASSE cannot be transferred onto the level 2 FASRC Cannon cluster.

When logging into FASSE you will have a home directory that resides only on FASSE. When logging into the main cluster, you will find a different home directory. So bear this in mind if you do switch between the two.
Your lab directory on FASSE is accessible only when logged into the secure FASSE environment. Your lab directory cannot be accessed on the main cluster. While you can also log into the main FASRC cluster, your FASSE lab directory/project storage will not be accessible there as the main cluster is only rated for level 2 or lower data.

FASSE is a secure environment and, as such, does not allow direct access to the Internet.

Accessing the Internet while connected to the FASSE VPN realm (@fasse) and from FASSE nodes must be done through a network proxy.

This should be a global environment variable which is picked up by modern browsers, but some applications, including some command-line tools, will require you to manually provide the proxy settings before they will be able to access the Internet.

NOTE: Our proxy does not allow all traffic, but should allow access to most things necessary for your work.

Command Line/Terminal
To manually set the proxy in your terminal environment, enter the following:
export http_proxy=http://rcproxy.rc.fas.harvard.edu:3128
export https_proxy=http://rcproxy.rc.fas.harvard.edu:3128

You can add these lines to your .bashrc if you find yourself needing to set this regularly.
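
The exports above wrapped as shell functions that can be sourced from .bashrc, as an added example that is not part of the FASRC documentation: they set both spellings of the variables, clear them again when you leave the @fasse realm, and verify the result. The function names and the default probe URL are assumptions.

```bash
# Added example: manage the FASSE proxy variables for command-line tools.
FASSE_PROXY="http://rcproxy.rc.fas.harvard.edu:3128"   # proxy URL from this page
PROXY_VARS="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"

fasse_proxy_on() {
    # Export both spellings: tools differ in which one they read
    # (curl, for example, ignores an uppercase HTTP_PROXY).
    for _v in $PROXY_VARS; do export "$_v=$FASSE_PROXY"; done
}

fasse_proxy_off() {
    # Run this after leaving the @fasse VPN realm, so that tools
    # stop sending requests to the proxy.
    for _v in $PROXY_VARS; do unset "$_v"; done
}

fasse_proxy_check() {
    # Return 0 only if every variable points at the FASSE proxy;
    # report each one that is unset or points elsewhere.
    _rc=0
    for _v in $PROXY_VARS; do
        eval "_val=\${$_v:-}"
        if [ "$_val" != "$FASSE_PROXY" ]; then
            echo "mismatch: $_v='$_val'" >&2
            _rc=1
        fi
    done
    return "$_rc"
}

fasse_proxy_probe() {
    # Print the HTTP status of one request sent explicitly through the proxy.
    # The default URL is a placeholder; pass your data provider's URL instead.
    curl -sS -o /dev/null -w '%{http_code}\n' --max-time 15 \
         -x "$FASSE_PROXY" "${1:-https://example.org/}"
}
```

Because the proxy does not allow all traffic, a failed `fasse_proxy_probe` against one URL does not by itself mean the variables are wrong; run `fasse_proxy_check` first.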

 

Web Browsers
For web browsing, your browser should work if set to 'Use system proxy settings' / 'Auto-detect proxy' (language may vary by browser). If this does not work automatically, you may need to manually add the proxies to your browser. You will need to disable this when not on the VPN.

HTTP Proxy: http://rcproxy.rc.fas.harvard.edu
Port: 3128

HTTPS Proxy: https://rcproxy.rc.fas.harvard.edu
Port: 3128
