Thanks Henry, Andrew,
I've actually mentioned that (today) in the summary document, but I've
beefed it up a bit to make things plain. It's a bit rough and ready, but
it's all there.
<b>Important note</b>: rolling back to 1.87-1 got our site to run jobs
again, but it was only a temporary workaround. And for some sites it may
not work even as a temporary workaround in some circumstances. As an
example, consider a site with a CREAM CE that has been rolled back to
1.87-1, and that is used by a submission client on 1.88-1. But since I,
sj, don't run CREAM, I can't test that. We use ARC which has no link to
bouncycastle since it's written in C and Perl etc. UIs could also be
affected. On a related note, Andrew Lahiff suggests to use arcproxy
(written in, I think, C) instead of voms-proxy-init (nowadays written in
Java and hence susceptible to the issue).
Cheers,
Ste
https://www.gridpp.ac.uk/wiki/Problems_After_CA_1.88-1#Appendix_1_-_How_to_Roll_Back
On 2017-12-06 15:58, Andrew Lahiff wrote:
> Note that UIs frequently have "arcproxy" as well. This can do some of
> the same things as voms-proxy-init but is written in a different
> language.
>
> Regards,
> Andrew.
>
> ________________________________________
> From: Testbed Support for GridPP member institutes
> [[log in to unmask]] on behalf of Henry Nebrensky
> [[log in to unmask]]
> Sent: Wednesday, December 06, 2017 3:29 PM
> To: [log in to unmask]
> Subject: Re: Some facts we know about lcg-CA 1.88-1 and bouncycastle...
>
> Hi,
>
> One aspect that isn't very clear is that voms-proxy-init is Java and
> thus
> UIs are among the "services" affected.
>
> Thanks
>
> Henry
>
> On Tue, 5 Dec 2017, Stephen Jones wrote:
>> Hi,
>>
>> at the ops meeting, David asked me to write some facts for people to
>> read
>> about the authentication problems after lcg-CA 1.88-1, and options
>> that sites
>> might use. So I've put it on the main page of the Wiki:
>> https://www.gridpp.ac.uk/wiki/Main_Page
>>
>> It's under Security... click on "Info on some problems after the
>> release of
>> lcg-CA 1.88-1
>> <https://www.gridpp.ac.uk/wiki/Problems_After_CA_1.88-1>".
>>
>> Direct link: https://www.gridpp.ac.uk/wiki/Problems_After_CA_1.88-1
>>
>> Cheers,
>>
>> Ste
>>
>>
>> --
>> Steve Jones [log in to unmask]
>> Grid System Administrator office: 220
>> High Energy Physics Division tel (int): 43396
>> Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396
>> University of Liverpool
>> http://www.liv.ac.uk/physics/hep/
> --
> Dr. Henry Nebrensky [log in to unmask]
> http://people.brunel.ac.uk/~eesrjjn
> "The opossum is a very sophisticated animal.
> It doesn't even get up until 5 or 6 p.m."
|