Presentation is loading. Please wait.

Presentation is loading. Please wait.

OpenSSL and Java 7 vs. 512-bit proxy keys

Published byAntony Thomas Modified over 6 years ago

Similar presentations

Presentation on theme: "OpenSSL and Java 7 vs. 512-bit proxy keys"— Presentation transcript:

1 OpenSSL and Java 7 vs. 512-bit proxy keys
Maarten Litmaath CERN GDB,

2 Nov 18 – GGUS:98964 opened by DESY-HH admin Dmitry Ozerov
Prologue Nov 18 – GGUS:98964 opened by DESY-HH admin Dmitry Ozerov WMS delegates proxies with 512-bit keys that are refused by Java 7 used by dCache /usr/lib/jvm/jre/lib/security/java.security: jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 Workaround: remove second clause, or change 1024 to 512 GridSite developers accepted the bug

3 Dec 9 – WLCG ops meeting ATLAS report
Meetings and forums Dec 9 – WLCG ops meeting ATLAS report not working: openssl-1.0.1e-16.el6_5 (SL6.5) last version working ok: openssl el6 Long thread on LCG-Rollout started Dec 12 by DESY-ZN admin Andreas Haupt CREAM failures fully understood on Jan 9 Updates in ops meetings and ops coordination meeting on Dec 19 Try to stay on the old openssl during the break

4 Simon Fayer of Imperial College concluded:
Analysis (1) Simon Fayer of Imperial College concluded: If both endpoints are running the newest openssl, they negotiate TLS1.2 which doesn't support 512-bit keys... This is why only pairs of fully upgraded machines fail (if either end is older, TLS1.1 is used instead). And Java 7 by default refuses such keys Possibly affecting instances of Argus, BeStMan (including EOS), CREAM, dCache, StoRM, …

5 Delegations with 512-bit keys are coming from GridSite libraries
Analysis (2) Delegations with 512-bit keys are coming from GridSite libraries Used by WMS, CREAM, UI, FTS-3, PanDA, … New GridSite rpms available as of Dec 16 EMI-2 Update 21 EMI-3 Update 12 EGI broadcast sent Dec 16

6 Which node types need the fix?
WMS Both SL5 and SL6 CERN WMS (e.g. for SAM): Jan 21 FTS-3 CERN production instance re-installed with SLC6.4 before the break Other production instances? Pilot instance updated last Fri  all OK now ATLAS functional tests had been moved back to the FTS-2 temporarily after lots of errors during the break PanDA  done CREAM? EMI-2 CREAM on SL6 may be affected if proxy delegation bug workaround was not undone More?

7 More fall-out OSG have done an emergency release to fix Globus components (gatekeeper) affected by the OpenSSL change Fixed upstream in Globus Toolkit 5.2.5 Fixed packages in EPEL as of Dec 20 Failures for 512-bit-key proxies may (re)appear as services get updated or upgraded to SL6.5 We need to get rid of such proxies by updating GridSite on the relevant intermediary services

Download ppt "OpenSSL and Java 7 vs. 512-bit proxy keys"

Similar presentations

New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.

New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.
IPv6 testing plans 25 Jan 2013. Short term – next 6 weeks Add sites to testbed – Glasgow (DPM storage end point) – Fix DESY – Others? Is GridFTP mesh.

IPv6 testing plans 25 Jan Short term – next 6 weeks Add sites to testbed – Glasgow (DPM storage end point) – Fix DESY – Others? Is GridFTP mesh.
Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.

Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.
MW Readiness Verification Status Andrea Manzi IT/SDC 21/01/2015 21/01/15 2.

MW Readiness Verification Status Andrea Manzi IT/SDC 21/01/ /01/15 2.
CERN Using the SAM framework for the CMS specific tests Andrea Sciabà System Analysis WG Meeting 15 November, 2007.

CERN Using the SAM framework for the CMS specific tests Andrea Sciabà System Analysis WG Meeting 15 November, 2007.
CERN11 th February 2015 1 WLCG Ops Coordination [GDB Report] Josep Flix (PIC/CIEMAT) On behalf of the WLCG Operations Coordination Team GDB – CERN.

CERN11 th February WLCG Ops Coordination [GDB Report] Josep Flix (PIC/CIEMAT) On behalf of the WLCG Operations Coordination Team GDB – CERN.
MW Readiness WG Update Andrea Manzi Maria Dimou Lionel Cons 10/12/2014.

MW Readiness WG Update Andrea Manzi Maria Dimou Lionel Cons 10/12/2014.
Information System Status and Evolution Maria Alandes Pradillo, CERN CERN IT Department, Grid Technology Group GDB 13 th June 2012.

Information System Status and Evolution Maria Alandes Pradillo, CERN CERN IT Department, Grid Technology Group GDB 13 th June 2012.
WLCG Middleware Support II Markus Schulz CERN-IT-GT May 2011.

WLCG Middleware Support II Markus Schulz CERN-IT-GT May 2011.
Top 10 Reasons to Upgrade to OSG Version 1.0.0 Rob Quick OSG Operations Coordinator.

Top 10 Reasons to Upgrade to OSG Version Rob Quick OSG Operations Coordinator.
LCG Introduction John Gordon, STFC GDB September 14 th 2011.

LCG Introduction John Gordon, STFC GDB September 14 th 2011.
LCG Introduction John Gordon, STFC GDB December14 th 2011.

LCG Introduction John Gordon, STFC GDB December14 th 2011.
LCG Introduction John Gordon, STFC GDB June 8 th 2011.

LCG Introduction John Gordon, STFC GDB June 8 th 2011.
Accounting Update John Gordon and Stuart Pullinger January 2014 GDB.

Accounting Update John Gordon and Stuart Pullinger January 2014 GDB.
LCG Report from GDB John Gordon, STFC-RAL MB meeting February24 th, 2009.

LCG Report from GDB John Gordon, STFC-RAL MB meeting February24 th, 2009.
EMI INFSO-RI-261611 European Middleware Initiative (EMI) Alberto Di Meglio (CERN)

EMI INFSO-RI European Middleware Initiative (EMI) Alberto Di Meglio (CERN)
Report from GSSD Storage Workshop Flavia Donno CERN WLCG GDB 4 July 2007.

Report from GSSD Storage Workshop Flavia Donno CERN WLCG GDB 4 July 2007.
SRM-2 Road Map and CASTOR Certification Shaun de Witt 3/3/08.

SRM-2 Road Map and CASTOR Certification Shaun de Witt 3/3/08.
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t SL(C) 5 Migration at CERN CHEP 2009, Prague Ulrich SCHWICKERATH Ricardo SILVA CERN, IT-FIO-FS.

CERN IT Department CH-1211 Genève 23 Switzerland t SL(C) 5 Migration at CERN CHEP 2009, Prague Ulrich SCHWICKERATH Ricardo SILVA CERN, IT-FIO-FS.
Www.egi.euEGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 UMD 2 Decommissioning Status Cristina Aiftimiei EGI.eu.

RI EGI-InSPIRE RI UMD 2 Decommissioning Status Cristina Aiftimiei EGI.eu.

Similar presentations

Ads by Google