Hi John,

I agree that is confusing and I will check. The important point to note from my perspective is that being on EMI-2 CREAM is not sufficient as the version must be 1.14.4 (or higher). In the UK we still have quite a few CEs below this version and they would need to be updated by October.

Jeremy




On 18 Jul 2013, at 13:43, John Hill wrote:

> Hi all,
>   I'm confused :-( According to https://wiki.egi.eu/wiki/SHA-2_support_middleware_baseline, CREAM 1.14.4 in EMI-2 *is* SHA-2 compliant - so why the statement below that there isn't a compliant version? What am I missing?
> 
> John
> 
> On 18/07/2013 11:08, Jeremy Coles wrote:
>> Dear All,
>> 
>> At Tuesday's ops meeting I mentioned an EGI discussion about moving towards SHA-2 compliance by October 2013. Here is an update based on a recent EGI communication following Tuesday's Ops management board meeting (you may have already seen this in some form so apologies for the repetition, however my action at our ops meeting was to clarify the situation directly):
>>  
>> Middleware readiness
>> *************************
>> 
>> For the majority of components/services the use of EMI-2 middleware provides the required compliance. However several EMI-2 services are still not SHA-2 compliant:
>> 
>> . CREAM-CE (eu.egi.sec.CREAMCE-SHA-2)
>> . StoRM (eu.egi.sec.StoRM-SHA-2)
>> . VOMS (eu.egi.sec.VOMS-SHA-2)
>> . WMS (eu.egi.sec.WMS-SHA-2)
>> 
>> dCache will be added to the list, but to date has still no replacement version which is production quality and SHA-2 compliant. It is known that the latest release version of StoRM which supports SHA-2 is affected by a bug that makes it unsuitable for deployment at the current time.
>> 
>> The list of SHA-2 compliant product versions is available at: https://wiki.egi.eu/wiki/SHA-2_support_middleware_baseline.
>> 
>> 
>> Monitoring readiness
>> ***********************
>> 
>> CREAM-CE, VOMS and WMS SHA-2 compliance tests will be rolled into production in July and used to trigger alarms. (Note that decommissioning of EMI-1 services (these are not SHA-2 compliant) is almost complete across EGI).
>> 
>> StoRM tests will continue to run on midmon Nagios (a central Nagios monitoring instance of EGI). These will keep returning WARNING when identifying a non-SHA-2 compliant version, and no alarms will be generated until a SHA-2 compliant version of this service is available. Likewise for dCache, a probe will be developed and deployed only when a SHA-2 version is available in UMD (ETA mid-August).
>> 
>> Site action needed
>> ********************
>> 
>> Site administrators receiving alarms are *recommended* to update their non-compliant middleware by the end of September. EGI highly recommends the decommissioning of non SHA-2 compliant software by 01 October, but this is not mandatory at this stage. Decisions on timeline and actions needed may be revised in August. I would suggest that if your site runs a non-compliant component and a compliant version is available that you consider upgrading as soon as possible - while it is unlikely, if SHA-1 were compromised there would be an accelerated campaign to move to SHA-2.
>> 
>> 
>> Most of this information with dates is presented in a condensed form within this WLCG ops coordination area: https://twiki.cern.ch/twiki/bin/view/LCG/WLCGOpsMinutes130718#SHA_2_migration.
>> 
>> regards,
>> Jeremy