On 28/11/17 15:43, David Groep wrote:
> John Kewley did a summary now:
>> So, in simple terms, is the situation as follows:
>> * If client and server are using the same versions, all is well
>> * If client and server have different versions then some m/w [e.g. VOMS and ARGUS] have issues
Let's wait a minute here. Before we decide (and we may wish to relax the
drop-dead time on this, BTW) let's find a way to get to the bottom of
things.
Are we saying that this involves only VOMS clients and VOMS servers? I
think we are saying that. And I think we are saying that it doesn't
matter what OS version is on the server. So things that may matter are
OS version and CA Cert version on the client, and CA Cert version on the
server. Is that right? If so, the (in)compatibilities perhaps can be
summarised as:
CLIENT OS_ver | CLIENT CA_ver | SERVER CA_Ver | Result
-------------------------------------------------------------------------
SL7, DontCare, DontCare, Works
SL6, 1.87-1, DontCare, Works (this is the rollback option that Matt,
Robert and I am doing)
SL6, 1.88-1, 1.87-1, Fails (this is the position many of us were in this
morning)
SL6, 1.88-1, 1.88-1, Works (this is the position David Groep wants to
progress to )
Is that what we think? Or are there more things to think of?
If this is the picture, it makes most sense for all VOMS servers to
update first to 1.88-1. Once that's done, it's safe for T2s to go to
1.88-1 as we please (i.e. once this is all tested out).
Cheers,
Ste
>> which means that - given that now part of the Infra will have
>> moved to 1.88, some are still on 1.87 - moving back now to the old
>> SHA-1 version of the ICA will equally cause issues with sites that have
>> already moved to 1.88. It's one of those big bang situations that
>> was not foreseen for this parficular combination of Java/BC on this
>> version.
>>
>> I propose that, since moving back now is as painful as moving forward,
>> we might as well push forward vigurously and move everyone to 1.88
>> with the new SHA-256 UKeScienceCA-2B ICA.
>>
>> So for Joao: I propose that - unless Jens or the joint UK
>> really wants to move back - we
>> - STICK with release 1.88, including the SHA_256 UKeScienceCA-2B ICA
>> - the UK SENDS NOTICE to the sites to upgrade vigorously to 1.88
>> - if non-UK sites experience trouble in GGUS, we also send out an
>> announcement to EGI for this
>>
>
--
Steve Jones [log in to unmask]
Grid System Administrator office: 220
High Energy Physics Division tel (int): 43396
Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396
University of Liverpool http://www.liv.ac.uk/physics/hep/
|