Search Docs by Keyword
FASSE Cluster – FAS Secure Environment
The FAS Secure Environment (FASSE) is a secure multi-tenant cluster environment to provide Harvard researchers access to a secure enclave for analysis of sensitive datasets with DUA‘s and IRB’s classified as Level 3. All servers in the FASSE environment are physically located inside an access-controlled data center. We have implemented security controls and access control lists to restrict access.
Access to the cluster is restricted via a Virtual Private Network (VPN) and only authorized users/groups will be added to the FASSE VPN realm. If you do not belong to a FASSE project group, you cannot access the FASSE VPN or cluster.
We provide different storage tiers based on project needs. Please review storage options.
Note: As this is a secure environment, your home folder on FASSE is separate from any home folder you might have on the FASRC (Cannon) cluster. Data from the secure level 3 (FASSE) environment should not be transferred into level 2 space (Cannon).
FASSE is not rated for Level 4/DSL 4 data If you require a Level 4 environment, you can contact FASRC to discuss your project, but please be aware that FASRC does not currently provide a Level 4 secure environment.
- Cluster Security Level Ratings
- Committee on the Use of Human Subjects – Investigator Manual: https://cuhs.harvard.edu/you-begin-prepare-your-irb-application
- Office of Regulatory Affairs and Research Compliance – Investigator Manual: https://www.hsph.harvard.edu/regulatory-affairs-and-research-compliance/investigator-manual/
STEP 0: HRDSP REQUIREMENTS
In order to have a FASSE DSL3 environment created for a project, the project owner or PI must first satisfy the HRDSP application requirements. FASRC (or the HRDSP section here) is required by the university to review any documents (DUA/DAT/IRB) before a new FASSE project is created and/or any data is copied to the cluster. This information will also help FASRC determine how the environment should be set up, who the contacts are, and how project group names should be constructed.
FASRC cannot advise you on this step, please contact VPR for assistance and guidance.
Step 1: Sign up for a FASRC Account
(if you do not already have one)
- If you are a Harvard faculty PI (or non-faculty researcher with explicit PI rights) you should have or request an account as a Faculty/Non-Faculty PI with FASRC. How Do I Get a FAS Research Computing Account?
- If you are not a Harvard faculty PI (or non-faculty researcher with explicit PI rights), you will need to have/sign up for an account under a Harvard PI/sponsor. How Do I Get a FAS Research Computing Account?
Before you can access the FASSE cluster you need to request a Research Computing account, selecting your PI as your sponsor (in this case, this is a Harvard faculty PI [or in some cases, a non-faculty researcher with PI rights], not necessarily the person listed on an IRB or DUA). See How Do I Get a Research Computing Account for instructions if you do not yet have an account. If your Harvard PI does not exist, please direct them to this same page and the directions in the previous paragraph.
If you have an existing account or have already completed the following three steps, you can skip this section. But please note the FASSE VPN realm (@fasse) noted below. You must connect to this realm to access any FASSE resources.
Once you have your FASRC account, you will receive an email with the same information as below, but step one is to set your password. This will be done using your email address and our password reset system.[wpfa5s icon=”fa-link”] See our Password Reset documentation for instructions.
To access FASSE and most FASRC services, including the FASRC VPN, you will need your personal FASRC OpenAuth two-factor (2FA) token. This can be set up on your smartphone using an app or downloaded as a Java applet to run on your desktop/laptop.[wpfa5s icon=”fa-link”] See our OpenAuth documentation for setup instructions.
In order to access any secure system or environment in FASRC, you will need to connect to the FASRC VPN. The FASRC VPN is separate from other Harvard VPNs you may already be using. To connect to a FASSE environment, you will connect to the FASRC VPN (vpn.rc.fas.harvard.edu) using the @fasse realm (ex. – jharvard@fasse), your FASRC password, and your OpenAuth 2FA code.[wpfa5s icon=”fa-link”] See our VPN documentation for setup instructions.
Step 2: Request a FASSE Project
If you have completed the HRDSP process and you and your PI have FASRC accounts, you can proceed to fill out the
FASSE New Project Request Form (Harvard Key login required)
To connect to a FASSE environment, you will connect to the FASRC VPN (vpn.rc.fas.harvard.edu) using the @fasse realm (ex. – jharvard@fasse), your FASRC password, and your OpenAuth 2FA code. If you’re used to using Cannon, note that the VPN realm, @fasse, is different from the @fasrc realm you’re used to using.
SLURM and Partitions
To manage the workload on the cluster we use SLURM. Partition is the term that Slurm uses for queues. Partitions can be thought of as a set of resources and parameters around their use. You can use
spart to find out what partitions you have access to. Following are the partitions available on the FASSE cluster.
To run jobs on the main cluster instead, please refer to Running Jobs (Cannon)
|Partition||Number of Nodes||Cores per Node||CPU Core Types||Mem per Node (GB)||Time Limit||Max Jobs||Max Cores||MPI Suitable?||GPU Capable?|
|fasse||42||48||Intel "Cascade Lake"||184||7 days||none||none||yes||No|
|fasse_bigmem||6||64||Intel "Ice Lake"||499||7 days||none||none||yes||No|
|fasse_ultramem||1||64||Intel "Ice Lake"||2000||7 days||none||none||no||No|
|fasse_gpu||4||32||Intel "Cascade Lake"||373||7 days||none||none||yes||Yes (4 V100/node)|
|test||5||48||Intel "Cascade Lake"||184||12 hours||5||96 cores||yes||No|
|remoteviz||1||32||Intel "Cascade Lake"||373||7 days||none||none||no||Shared V100 GPUs for rendering|
Do not use salloc
Do not use
salloc on FASSE. Salloc is not available on FASSE for security reasons. For interactive access, please use the FASSE VDI (see below).
Open OnDemand (OOD) Access
OpenOnDemand (OOD) or VDI (virtual desktop interface) is a virtual GUI interface that provides everything from pre-built apps to interactive command line access within a familiar desktop-like environment.
The FASSE OOD is available when connected to our @fasse VPN realm, through your web browser. Please visit to access the service: https://fasseood.rc.fas.harvard.edu
See our FASSE VDI documentation for further information. FASSE VDI/OpenOnDemand
Command Line Access
Command-line access is also available for those who need/want to run jobs using a CLI. Login nodes for FASSE can be accessed by SSH at fasselogin.rc.fas.harvard.edu:
Note that FASSE does not allow to run interactive jobs. Instead, you have to use OOD to run interactive jobs.
See our FASSE CLI documentation for further information. [Link Pending]
Interim Documentation: See the very similar main cluster doc in the interim
Level 3 and other sensitive files and data stored within the secure environment should never be transferred to storage on the FASRC main cluster or to outside storage which is not designed and approved to house secure data.
FASSE secure storage shares should be accessible via Globus to allow you to transfer your data.
Local Scratch on FASSE Nodes
Jobs on FASSE nodes should use /tmp for private temporary space. That space is accessible only by that job and not other jobs on the same node. We do not recommend using /scratch as any data there will be visible to any other job running on the same node.
Global scratch is available at
/n/holyscratch01 or using the
FASSE global scratch has the same 90-day retention policy. For policy details and more on the scratch variable, see: Scratch Policy
When logging into FASSE you will have a home directory that resides only on FASSE. When logging into the main cluster, you will find a different home directory. So bear this in mind if you do switch between the two.
FASSE is a secure environment and, as such, does not allow direct access to the Internet.
Accessing the internet while connected to the FASSE VPN realm (@fasse) and from FASSE nodes is must be done through a network proxy.
This should be a global environment variable which is picked up by modern browsers, but some applications, including some command-line tools will require you to manually provide the proxy settings before they will be able to access the Internet.
NOTE: Our proxy does not allow all traffic, but should allow access to most things necessary for your work.
To manually set the proxy in your terminal environment, enter the following:
You can add these lines to your .bashrc if you find yourself needing to set this regularly.
For web browsing, your browser should work if set to ‘Use system proxy settings’ / 'Auto-detect proxy’ (language may vary by browser). If this does not work automatically, you may need to manually add the proxies to your browser. You will need to disable this when not on the VPN.
HTTP Proxy: http://rcproxy.rc.fas.harvard.edu
HTTPS Proxy: https://rcproxy.rc.fas.harvard.edu
Bookmarkable Section Links
- 1 OVERVIEW
- 2 STEP 0: HRDSP REQUIREMENTS
- 3 Step 1: Sign up for a FASRC Account
- 4 (if you do not already have one)
- 5 Step 2: Request a FASSE Project
- 7 USING FASSE
- 7.1 FASSE VPN
- 7.2 SLURM and Partitions
- 7.3 Open OnDemand (OOD) Access
- 7.4 Command Line Access
- 7.5 FASSE FAQ