******************************
OSG 1.2.30 Update Notification
******************************
Date: September 26, 2012
Affected Components
The following components are affected:
* Java
Summary
This release contains the following updates to address security
vulnerabilities:
* Java 1.6.0_35
Update instructions can be found on the OSG Twiki under the OSG
1.2 update instructions ( https://twiki.grid.iu.edu/bin/view/ReleaseDocumentation/OSG12UpdateInstructions ).
Additional Information
The release notes for the VDT 2.0.0p37 release underlying this
release can be found here ( http://vdt.cs.wisc.edu/releases/2.0.0/release-p37.html ).
Thursday, September 27, 2012
Tuesday, September 25, 2012
OSG Software release 3.1.9
We are pleased to announce OSG Software release 3.1.9. This is the new OSG Software distributed via RPMs for Scientific Linux 5 and 6, CentOS 5 and 6, and Red Hat Enterprise Linux 5 and 6. The changes in this release affect both clients and compute elements:
• JDK 1.6.0_35 is a recommended security update
• Condor 7.8.4 contains a number of bug fixes and minor security updates
• GRAM updates that fix some critical bugs
• GSI-OpenSSH now sets the LCMAPS environment
• Several updates to networking tools: NDT, bwctl, and nuttcp
• Plus many other updates and fixes!
Release notes and pointers to documentation can be found at: https://twiki.grid.iu.edu/bin/view/Documentation/Release3/Release319 .
Need help? Let us know: https://twiki.grid.iu.edu/bin/view/Documentation/Release3/HelpProcedure .
We look forward to your feedback on this new release.
• JDK 1.6.0_35 is a recommended security update
• Condor 7.8.4 contains a number of bug fixes and minor security updates
• GRAM updates that fix some critical bugs
• GSI-OpenSSH now sets the LCMAPS environment
• Several updates to networking tools: NDT, bwctl, and nuttcp
• Plus many other updates and fixes!
Release notes and pointers to documentation can be found at: https://twiki.grid.iu.edu/bin/view/Documentation/Release3/Release319 .
Need help? Let us know: https://twiki.grid.iu.edu/bin/view/Documentation/Release3/HelpProcedure .
We look forward to your feedback on this new release.
Friday, September 21, 2012
OSG Campus Infrastructures Community Workshop at UC Santa Cruz
Dear Colleagues,
We would like to invite you to a workshop on shared campus high throughput computing infrastructures, and engagement of science communities that use them, to be held November 14-15, 2012 at the University of California, Santa Cruz. While we realize this comes at a non-ideal time for many (during SC12), the time and venue correspond to co-located meetings where there is overlap of interested groups and expertise, namely the U.S. ATLAS Distributed Computing Facilities meeting and the U.S. CMS Anydata Anywhere Anytime meeting. A second workshop is planned for March 2013, to be co-located with the OSG All Hands meeting in Indianapolis.
Registration, lodging and travel details, and a preliminary agenda are available at https://indico.fnal.gov/conferenceDisplay.py?confId=5927. While we hope most can attend in person there will be a video service for remote participants.
Best Regards,
Rob Gardner
We would like to invite you to a workshop on shared campus high throughput computing infrastructures, and engagement of science communities that use them, to be held November 14-15, 2012 at the University of California, Santa Cruz. While we realize this comes at a non-ideal time for many (during SC12), the time and venue correspond to co-located meetings where there is overlap of interested groups and expertise, namely the U.S. ATLAS Distributed Computing Facilities meeting and the U.S. CMS Anydata Anywhere Anytime meeting. A second workshop is planned for March 2013, to be co-located with the OSG All Hands meeting in Indianapolis.
Registration, lodging and travel details, and a preliminary agenda are available at https://indico.fnal.gov/conferenceDisplay.py?confId=5927. While we hope most can attend in person there will be a video service for remote participants.
Best Regards,
Rob Gardner
Wednesday, September 19, 2012
GOC Service Update - Tuesday, September 25th at 13:00 UTC
The GOC will upgrade the following services beginning Tuesday, September 25th, 2012 at 13:00 UTC. The GOC reserves 8 hours (13:00 - 21:00 UTC) in the unlikely event that unexpected problems are encountered. We encourage users to test affected services before the production release.
OIM 3.7
ITB version can be tested via https://oim-itb.grid.iu.edu
CampusGrid form is now in production. The information will eventually fed to MyOSG’s status map to render CampusGrid icons.
Applied various input from Derek
Added VO name in the title of the user certificate request email
GOC Ticket 1.56
ITB version is now available for testing at https://ticket-itb.grid.iu.edu
Updated to bootstrap styling.
(patched) Fixed incorrect assignment of ASSOCIATE_VO metadata during ticket submission.
RSV-SAM
ITB version is now publishing data to stomp://sam-validation.msg.cern.ch:6163
Updated logic used to determine which RSV records are sent to SAM. RSV-SAM is now capable of looking up OIM’s resource aliases as well as URI overrides in service detail to determine which resource group each metric record belongs. This change may require some sites to adjust OIM’s resource alias / URI override in order to ensure continued forwarding of the metrics. GOC will be identifying affected sites during the ITB window.
GOC-TX 1.27
Update will be released on 9/26 to coincide with GGUS SOAP upgrade (except the LVS update).
LVS enabling tx.grid.iu.edu (tx2 will be a standby)
Updating GGUS SOAP interface to use the new consolidated interface
JIRA
Internally, the JIRA server will be renamed to jira.grid.iu.edu rather than jira-osg.grid.iu.edu, but its jira.opensciencegrid.org will not change.
All Services
There will be OS updates; reboots will be required. Downtime should be minimal as the LVS and DNS-round-robin mechanisms will be used to reduce service downtime even further.
This update will see the completion of the transition from the old 129.79.14.* IP addresses to the new 129.79.53.* IP addresses with the removal of the logical network adapters that were listening on the old addresses. The old IP addresses will then be retired.
OIM 3.7
ITB version can be tested via https://oim-itb.grid.iu.edu
CampusGrid form is now in production. The information will eventually fed to MyOSG’s status map to render CampusGrid icons.
Applied various input from Derek
Added VO name in the title of the user certificate request email
GOC Ticket 1.56
ITB version is now available for testing at https://ticket-itb.grid.iu.edu
Updated to bootstrap styling.
(patched) Fixed incorrect assignment of ASSOCIATE_VO metadata during ticket submission.
RSV-SAM
ITB version is now publishing data to stomp://sam-validation.msg.cern.ch:6163
Updated logic used to determine which RSV records are sent to SAM. RSV-SAM is now capable of looking up OIM’s resource aliases as well as URI overrides in service detail to determine which resource group each metric record belongs. This change may require some sites to adjust OIM’s resource alias / URI override in order to ensure continued forwarding of the metrics. GOC will be identifying affected sites during the ITB window.
GOC-TX 1.27
Update will be released on 9/26 to coincide with GGUS SOAP upgrade (except the LVS update).
LVS enabling tx.grid.iu.edu (tx2 will be a standby)
Updating GGUS SOAP interface to use the new consolidated interface
JIRA
Internally, the JIRA server will be renamed to jira.grid.iu.edu rather than jira-osg.grid.iu.edu, but its jira.opensciencegrid.org will not change.
All Services
There will be OS updates; reboots will be required. Downtime should be minimal as the LVS and DNS-round-robin mechanisms will be used to reduce service downtime even further.
This update will see the completion of the transition from the old 129.79.14.* IP addresses to the new 129.79.53.* IP addresses with the removal of the logical network adapters that were listening on the old addresses. The old IP addresses will then be retired.
Tuesday, September 18, 2012
OSG PKI Training registration now available for RAs, Grid Admins
Dear prospective OSG PKI Registration Agents and Grid Admins,
The new OSG PKI that will go into operation in October, while being very similar to the DOE Grids PKI, will have changes to its interface and workflows. Hence the transition team is offering training to Registration Agents and Grid Admins.
Training sessions will be available via webcast and will involve hands-on approval of certificates via the OSG test PKI. Times and URLs for registration are below.
** Please register at least a week in advance so that we can grant you access to the training system. **
Note that one change is how responsibilities are divided between Grid Admins and Registration Agents. In the new OSG PKI, Registration Agents will be solely responsible for certificates for people, while Grid Admins will be responsible solely for host and service certificates. We expect some individuals will be both Registration Agents and Grid Admins.
If you have any questions, please feel feel to contain Von Welch (vwelch@indiana.edu), OSG PKI Transition Project Lead, Mine Altunay (maltunay@fnal.gov) or Jim Basney (jbasney@illinois.edu), OSG PKI Training Leads.
Thank you,
Von
* Monday Oct 1 12-4pm CT: Registration Agent Training Session 1
https://indico.fnal.gov/event/2012OSGRATrain1
* Monday Oct 8 12-4pm CT: Grid Admin Training Session 1
https://indico.fnal.gov/event/2012OSGGATrain1
* Monday Oct 22 12-4pm CT: Registration Agent Training Session 2
https://indico.fnal.gov/event/2012OSGRATrain2
* Friday Oct 26 12-4pm CT: Grid Admin Training Session 2
https://indico.fnal.gov/event/2012OSGGATrain2
For the latest information on OSG PKI training, please see https://twiki.grid.iu.edu/bin/view/Security/OSGPKITraining
The new OSG PKI that will go into operation in October, while being very similar to the DOE Grids PKI, will have changes to its interface and workflows. Hence the transition team is offering training to Registration Agents and Grid Admins.
Training sessions will be available via webcast and will involve hands-on approval of certificates via the OSG test PKI. Times and URLs for registration are below.
** Please register at least a week in advance so that we can grant you access to the training system. **
Note that one change is how responsibilities are divided between Grid Admins and Registration Agents. In the new OSG PKI, Registration Agents will be solely responsible for certificates for people, while Grid Admins will be responsible solely for host and service certificates. We expect some individuals will be both Registration Agents and Grid Admins.
If you have any questions, please feel feel to contain Von Welch (vwelch@indiana.edu), OSG PKI Transition Project Lead, Mine Altunay (maltunay@fnal.gov) or Jim Basney (jbasney@illinois.edu), OSG PKI Training Leads.
Thank you,
Von
* Monday Oct 1 12-4pm CT: Registration Agent Training Session 1
https://indico.fnal.gov/event/2012OSGRATrain1
* Monday Oct 8 12-4pm CT: Grid Admin Training Session 1
https://indico.fnal.gov/event/2012OSGGATrain1
* Monday Oct 22 12-4pm CT: Registration Agent Training Session 2
https://indico.fnal.gov/event/2012OSGRATrain2
* Friday Oct 26 12-4pm CT: Grid Admin Training Session 2
https://indico.fnal.gov/event/2012OSGGATrain2
For the latest information on OSG PKI training, please see https://twiki.grid.iu.edu/bin/view/Security/OSGPKITraining
Thursday, September 13, 2012
Special Maintenance window for GOC Production Glidein Factory - Tuesday, September 18, 2012 17:00 UTC
Operators will perform maintenance on the GOC Glidein Factory beginning Tuesday, September 18, 2012 from 17:00 - 18:00 UTC.
It has been discovered the factory will not work with any frontends that have already upgraded to GlideinWMS v2_6_1 until we also upgrade the factory to v2_6_1.
The upgrade will be quick and the factory should not be down for more than 20 minutes. It will not adversely affect any currently running glideins in any way and UCSD will continue to serve the frontends as usual while the GOC Factory is down.
It has been discovered the factory will not work with any frontends that have already upgraded to GlideinWMS v2_6_1 until we also upgrade the factory to v2_6_1.
The upgrade will be quick and the factory should not be down for more than 20 minutes. It will not adversely affect any currently running glideins in any way and UCSD will continue to serve the frontends as usual while the GOC Factory is down.
Monday, September 10, 2012
DOE Grids service transition
Dear colleagues,
As we have been communicating with you over the past several months, ESnet will be fully transitioning support for the DOE Grids certificate service to a new service operated by the Open Science Grid (OSG).
We have reached a critical juncture in the transition where it is necessary for you to begin solidifying your organization’s future certificate service plans to ensure no interruption of service. We encourage you to read the following information carefully.
In mid-March 2013 the DOE Grids PKI will cease issuing new certificates. The exact timing will coincide with the planned Large Hadron Collider (LHC) shutdown. The exact date of the shutdown is still being determined and we will share that specific date as soon as it is set. After DOE Grids concludes offering certificate services, all users will either need to use the OSG certificate service (the “OSG PKI”), or some other provider, to obtain or renew certificates. All certificates issued by DOE Grids prior to its cessation of service in mid-March 2013 will continue to function for 12 months after the date of issue.
To help ensure a seamless transition of service, beginning October 1, 2012, the OSG PKI will begin issuing production-ready certificates. This will allow you time to transition to the new service and resolve any issues that may arise before the DOE Grids service ends. The new OSG PKI will have a new look and feel, but effort has been made to keep the workflow and processes similar to the DOE Grids PKI. There is friendly testing already underway. If you would like to participate in this current trial, please contact Von Welch at vwelch@indiana.edu.
Your organization should begin planning for the effort involved in the transition. Specifically, please note the following action items that will need to be taken:
* Registration Authorities (RAs) and Grid Admins will need to register with the OSG PKI. This will involve making a formal request for the service and accepting the OSG/DigiCert agreement. A draft process can be found here: https://twiki.grid.iu.edu/bin/view/Operations/OSGPKITrustedAgent
* In the new OSG PKI, the role of the Grid Admin will change. Virtual Organization (VO) RAs will approve users in their VO and Grid Admins will approve hosts in a given domain (e.g., iu.edu).
* In the new service, users identities (distinguished names) will change. VOs will need to prepare for the extra effort for handling this change. For example, VOs will need to be prepared to re-register users in the Virtual Organization Management System (VOMS) or other access control mechanisms, if applicable.
* The DigiCert CA used by the new OSG PKI is in the IGTF CA distribution starting with the January 2012 v1.44 distribution. VOs and Sites should ensure they update as soon as possible. Please see: https://dist.eugridpma.info/distribution/igtf/current/accredited/
* Beginning in October 2012, training and other resources will be available to help organizations prepare for the service transition. We will be sending an update to this mail list when training is scheduled or otherwise available. Please contact Von (vwelch@indiana.edu) if you have interest in participating in this training so we can plan appropriate venues and delivery mechanisms. For more information, visit: https://opensciencegrid.org/bin/view/Security/DigiCertTrainingPlan
Von is also currently hosting weekly calls on Tuesdays at 3pm ET focused on details of the transition. All are invited to join these calls to discuss your needs and to learn the progress of the roll-out. Call-in details can be found below and on the OSG PKI Planning Website, which provides up to date information on all aspects of the transition.
Ruth Pordes (ruth@fnal.gov) and Von (vwelch@indiana.edu) together with our ESnet staff are available at anytime for individual conversations about the service to answer any questions you may have. We will be contacting each of you in the coming weeks to schedule a one-on-one conversation to answer questions and ensure your transition planning is underway. We look forward to speaking with you soon.
Regards,
Von Welch
OSG PKI Transition Project Lead
For the latest information:
https://twiki.grid.iu.edu/bin/view/Security/OSGCATransition2012
Conference call details:
Weekly calls Tuesday at 3pm ET
Phone Number: (800) 940-6112 or (812) 856-3600
Participant PIN: 001174#
As we have been communicating with you over the past several months, ESnet will be fully transitioning support for the DOE Grids certificate service to a new service operated by the Open Science Grid (OSG).
We have reached a critical juncture in the transition where it is necessary for you to begin solidifying your organization’s future certificate service plans to ensure no interruption of service. We encourage you to read the following information carefully.
In mid-March 2013 the DOE Grids PKI will cease issuing new certificates. The exact timing will coincide with the planned Large Hadron Collider (LHC) shutdown. The exact date of the shutdown is still being determined and we will share that specific date as soon as it is set. After DOE Grids concludes offering certificate services, all users will either need to use the OSG certificate service (the “OSG PKI”), or some other provider, to obtain or renew certificates. All certificates issued by DOE Grids prior to its cessation of service in mid-March 2013 will continue to function for 12 months after the date of issue.
To help ensure a seamless transition of service, beginning October 1, 2012, the OSG PKI will begin issuing production-ready certificates. This will allow you time to transition to the new service and resolve any issues that may arise before the DOE Grids service ends. The new OSG PKI will have a new look and feel, but effort has been made to keep the workflow and processes similar to the DOE Grids PKI. There is friendly testing already underway. If you would like to participate in this current trial, please contact Von Welch at vwelch@indiana.edu.
Your organization should begin planning for the effort involved in the transition. Specifically, please note the following action items that will need to be taken:
* Registration Authorities (RAs) and Grid Admins will need to register with the OSG PKI. This will involve making a formal request for the service and accepting the OSG/DigiCert agreement. A draft process can be found here: https://twiki.grid.iu.edu/bin/view/Operations/OSGPKITrustedAgent
* In the new OSG PKI, the role of the Grid Admin will change. Virtual Organization (VO) RAs will approve users in their VO and Grid Admins will approve hosts in a given domain (e.g., iu.edu).
* In the new service, users identities (distinguished names) will change. VOs will need to prepare for the extra effort for handling this change. For example, VOs will need to be prepared to re-register users in the Virtual Organization Management System (VOMS) or other access control mechanisms, if applicable.
* The DigiCert CA used by the new OSG PKI is in the IGTF CA distribution starting with the January 2012 v1.44 distribution. VOs and Sites should ensure they update as soon as possible. Please see: https://dist.eugridpma.info/distribution/igtf/current/accredited/
* Beginning in October 2012, training and other resources will be available to help organizations prepare for the service transition. We will be sending an update to this mail list when training is scheduled or otherwise available. Please contact Von (vwelch@indiana.edu) if you have interest in participating in this training so we can plan appropriate venues and delivery mechanisms. For more information, visit: https://opensciencegrid.org/bin/view/Security/DigiCertTrainingPlan
Von is also currently hosting weekly calls on Tuesdays at 3pm ET focused on details of the transition. All are invited to join these calls to discuss your needs and to learn the progress of the roll-out. Call-in details can be found below and on the OSG PKI Planning Website, which provides up to date information on all aspects of the transition.
Ruth Pordes (ruth@fnal.gov) and Von (vwelch@indiana.edu) together with our ESnet staff are available at anytime for individual conversations about the service to answer any questions you may have. We will be contacting each of you in the coming weeks to schedule a one-on-one conversation to answer questions and ensure your transition planning is underway. We look forward to speaking with you soon.
Regards,
Von Welch
OSG PKI Transition Project Lead
For the latest information:
https://twiki.grid.iu.edu/bin/view/Security/OSGCATransition2012
Conference call details:
Weekly calls Tuesday at 3pm ET
Phone Number: (800) 940-6112 or (812) 856-3600
Participant PIN: 001174#
Wednesday, September 5, 2012
GOC Service Update - Tuesday, September 11th at 13:00 UTC
The GOC will upgrade the following services beginning Tuesday, September 11th, 2012 at 13:00 UTC. The GOC reserves 8 hours (13:00 - 21:00 UTC) in the unlikely event that unexpected problems are encountered. We encourage users to test affected services before the production release.
MyOSG 2.1
ITB version is now available for testing at https://myosg-itb.grid.iu.edu
CPU count will be increased to 2 on myosg1/2
remove osg-xsede from the status board
Minor cosmetic updates on VO summary / resource list
Updated stylesheet for various error pages
(patched) Fixed the IE base url issue
(patched) Fixed broken status map url issue
Reports / Installed Capacity Report 1.0-12
Adding sites supported by USCMS_Tier2 Support Center to the report.
Moving report script from OIM to reports.grid.iu.edu
Add deprecation message to RSV reports.
RSV-Client
Rebuild VM instance using the latest install script which uses the RSV v2 RPMs.
OIM 3.6
ITB version can be tested via https://oim-itb.grid.iu.edu
Added display for log based on composite key (not through topology class yet) [OIM-23]
PKI / Added domain name validator for GridAdmin [OSGPKI-89]
PKI / Added search capability for user/host certificates [OSGPKI-105]
Added check for session destruction to report private key deletion [OSGPKI-80]
Improved the URL handling for login/out.
PKI / Differentiated the behavior of user certificate approval process between new approval and renew approval.
PKI / Reset CSR when user certificate renewal is requested.
PKI / Added serial number to log comment
PKI / Updated label from Serial ID to Serial Number
Updated the Google Map API from v2 to v3.
PKI / Added listing for "certificate I approve" for user/host certificates.
Updated returned content type to application/json for all REST APIs.
Removed error message in case of missing session for message (could happen on error page)
PKI / Removed the 500 error code reporting of the OIM Rest API error return.
PKI / Improved the way secure / guest URLs were composed.
Made IP address to be displayed at all time
PKI / Updated cert-retrieve-new to osg-cert-retrieve based on recent name change.
PKI / Added VO name in the title of GOC ticket generated for user certificate request
PKI / Added more checks for various error condition during host cert request.
PKI / Made read-only GridAdmin page for non PKI staff.
PKI / Added GridAdmin & RA enrollment request buttons.
PKI / Added capability to assign VO managers
PKI / Enabled user cert revoke capability
Implemented logout action to invalidate current session.
(patched) removed anti-session spoofing mechanism.
Other minor bug fixes
All Services
We will be updating all RHEL 5 and RHEL 6 hosts to the latest Red Hat packages, and we will be updating the firmware on physical hosts where updates are available. This will require reboots.
DOEGrids host certificates on ITB services will be changed to DOEGrids host certificates with SHA-2 signatures.
MyOSG 2.1
ITB version is now available for testing at https://myosg-itb.grid.iu.edu
CPU count will be increased to 2 on myosg1/2
remove osg-xsede from the status board
Minor cosmetic updates on VO summary / resource list
Updated stylesheet for various error pages
(patched) Fixed the IE base url issue
(patched) Fixed broken status map url issue
Reports / Installed Capacity Report 1.0-12
Adding sites supported by USCMS_Tier2 Support Center to the report.
Moving report script from OIM to reports.grid.iu.edu
Add deprecation message to RSV reports.
RSV-Client
Rebuild VM instance using the latest install script which uses the RSV v2 RPMs.
OIM 3.6
ITB version can be tested via https://oim-itb.grid.iu.edu
Added display for log based on composite key (not through topology class yet) [OIM-23]
PKI / Added domain name validator for GridAdmin [OSGPKI-89]
PKI / Added search capability for user/host certificates [OSGPKI-105]
Added check for session destruction to report private key deletion [OSGPKI-80]
Improved the URL handling for login/out.
PKI / Differentiated the behavior of user certificate approval process between new approval and renew approval.
PKI / Reset CSR when user certificate renewal is requested.
PKI / Added serial number to log comment
PKI / Updated label from Serial ID to Serial Number
Updated the Google Map API from v2 to v3.
PKI / Added listing for "certificate I approve" for user/host certificates.
Updated returned content type to application/json for all REST APIs.
Removed error message in case of missing session for message (could happen on error page)
PKI / Removed the 500 error code reporting of the OIM Rest API error return.
PKI / Improved the way secure / guest URLs were composed.
Made IP address to be displayed at all time
PKI / Updated cert-retrieve-new to osg-cert-retrieve based on recent name change.
PKI / Added VO name in the title of GOC ticket generated for user certificate request
PKI / Added more checks for various error condition during host cert request.
PKI / Made read-only GridAdmin page for non PKI staff.
PKI / Added GridAdmin & RA enrollment request buttons.
PKI / Added capability to assign VO managers
PKI / Enabled user cert revoke capability
Implemented logout action to invalidate current session.
(patched) removed anti-session spoofing mechanism.
Other minor bug fixes
All Services
We will be updating all RHEL 5 and RHEL 6 hosts to the latest Red Hat packages, and we will be updating the firmware on physical hosts where updates are available. This will require reboots.
DOEGrids host certificates on ITB services will be changed to DOEGrids host certificates with SHA-2 signatures.
Subscribe to:
Posts (Atom)