Fermilab is the first High Energy Physics institution to transition from X.509 user certificates to authentication tokens in production systems. All the experiments that Fermilab hosts are now using JSON Web Token (JWT) access tokens in their grid jobs. Many software components have been either updated or created for this transition, and most of the software is available to others as open source. The tokens are defined using the WLCG Common JWT Profile. Token attributes for all the tokens are stored in the Fermilab FERRY system which generates the configuration for the CILogon token issuer. High security-value refresh tokens are stored in Hashicorp Vault configured by htvault-config, and JWT access tokens are requested by the htgettoken client through its integration with HTCondor. The Fermilab job submission system jobsub was redesigned to be a lightweight wrapper around HTCondor. The grid workload management system GlideinWMS which is also based on HTCondor was updated to use tokens for pilot job submission. For automated job submissions a managed tokens service was created to reduce duplication of effort and knowledge of how to securely keep tokens active. The existing Fermilab file transfer tool ifdh was updated to work seamlessly with tokens, as well as the Fermilab POMS (Production Operations Management System) which is used to manage automatic job submission and the RCDS (Rapid Code Distribution System) which is used to distribute analysis code via the CernVM FileSystem. The dCache storage system was reconfigured to accept tokens for authentication in place of X.509 proxy certificates. As some services and sites have not yet implemented token support, proxy certificates are still sent with jobs for backwards compatibility, but some experiments are beginning to transition to stop using them.

翻译：费米实验室是首个在生产系统中从X.509用户证书转向认证令牌的高能物理研究机构。该实验室托管的所有实验项目现已在网格作业中使用JSON Web令牌（JWT）访问令牌。为此转型，众多软件组件已完成更新或新建，且大部分软件已作为开源项目对外提供。令牌采用WLCG通用JWT规范进行定义。所有令牌的属性信息存储于费米实验室FERRY系统，该系统为CILogon令牌颁发机构生成配置。高安全价值的刷新令牌存储于通过htvault-config配置的Hashicorp Vault中，JWT访问令牌则由htgettoken客户端通过其与HTCondor的集成功能进行请求。费米实验室作业提交系统jobsub被重新设计为HTCondor的轻量级封装器。同样基于HTCondor的网格工作负载管理系统GlideinWMS已升级为采用令牌提交引导作业。为实现自动化作业提交，实验室创建了托管令牌服务以减少重复劳动并降低维持令牌安全活跃状态的技术门槛。现有文件传输工具ifdh已升级为可无缝兼容令牌认证，同时完成升级的还包括用于管理自动作业提交的费米实验室POMS（生产运营管理系统），以及通过CernVM文件系统分发分析代码的RCDS（快速代码分发系统）。dCache存储系统已重新配置为接受令牌认证以替代X.509代理证书。鉴于部分服务与站点尚未实现令牌支持，目前仍会随作业发送代理证书以保持向后兼容性，但已有实验项目开始逐步停止使用代理证书。