Wednesday, November 21, 2012

Power Incident at UK data center

Dear OSG Sites,

The RAL Tier 1 center in the UK has had a major power incident. Their T1 network and CA services are currently down or recovering.

UK provides 4 Certificate Authorities, all IGTF-accredited and included in current OSG CA bundle. All 4 are affected by this event.  

As a result, OSG Site RSV probes checking CRL freshness will start failing. This has no adverse affect on OSG sites since RSV CRL probes are not rated as critical, and it does not affect WLCG sites availability calculations. Site admins are not expected to take any actions. 

If the CA services are restored by December 16, OSG sites will experience no adverse affects and site admins are not expected to take any action. If the services cannot be restored by then, we will send you another message describing the actions you need to take. Below we also list the expiration dates for the CRL files from these CAs. As seen, the earliest expiration date is Dec 16.

Currently, the CRL files are set to expire as follows: 
UKeScienceCA-2007 nextUpdate=Dec 16 10:41:55 2012 GMT
UKeScienceCA-2A nextUpdate=Dec 19 15:15:01 2012 GMT
UKeScienceCA-2B  nextUpdate=Dec 16 10:41:50 2012 GMT
UKeScienceRoot-2007 nextUpdate=Jan  2 16:35:43 2014 GMT

We do not anticipate further effects on OSG services but are monitoring the situation and will inform you of any developments.

Grid Operations Center Holiday Notice

From November 22 through November 25 the GOC will be operating on a Holiday
schedule. Staff will be available to respond to emergencies but
routine operations will resume at start of business Monday, November 26.

The GOC wishes its users and OSG staff a happy and satisfying
Thanksgiving Holiday.

Wednesday, November 7, 2012

OSG Software Release 3.1.11


We're pleased to announce OSG Software version 3.1.11. This is the new OSG Software distributed via RPMs for Scientific Linux 5 and 6, CentOS 5 and 6, and Red Hat Enterprise Linux 5 and 6. i

Major changes include:

CA cert updater: new package to update CA certificates
VOMS admin update
java security update
condor update
RSV updates for probe fixes

Release notes and pointers to documentation can be found at:

Need help? Let us know:

We look forward to your feedback on this new release.

Tuesday, November 6, 2012

OSG 1.2.31 Update Notification

OSG 1.2.31 Update Notification

Date: November 6, 2012

Affected Components

The following components are affected:

* Java (affects all OSG installs)


This release contains the following updates to address security

* Java 1.6.0_37

Update instructions can be found on the OSG Twiki under the OSG
1.2 update instructions ( ).

Additional Information
The release notes for the VDT 2.0.0p38 release underlying this
release can be found here ( ).

GOC Service Update - Tuesday, November 13th at 14:00 UTC

The GOC will upgrade the following services beginning Tuesday, November 13, 2012 at 14:00 UTC. The GOC reserves 8 hours (14:00 - 22:00 UTC) in the unlikely event that unexpected problems are encountered. We encourage users to test affected services before the production release.

GOC-TX 1.28

(patched) ServiceNow: Added connection timeout in order to contain attachment sync issue.
(patched) ServiceNow: Fixed the error handling issue.
ServiceNow: Updated to the latest WSDL from production instance.
Updated the log for missing submitter dn info
RT: Implemented ticket exchange veto-ing
XSEDE/BNL: Updated to allow basic auth for RT accessor.
XSEDE: Implemented accessor for XSEDE.
Added framework function to add veto-capability if destination is not reverse synced to source ticket
ServiceNow: Implemented ticket exchange veto-ing capability based on caller ID.
GGUS: Implemented ticket exchange veto-ing capability based on Origin support group.

OIM 3.9

Added check for invalidated session.
Fixed the timing when user cert status will be updated during request approval.
Changed so that GridAdmins will be not cc-ed to host certificate request ticket if the submitter is one of the Gridadmin for that domain [OSGPKI-230]
Added tool-tip for Contact DNs. Added number of DN to contact list [OSGPKI-204]
Added request_comment and request_ccs fields (optional) for host certificate request REST API. Added request_comment fiels for host certificate request form. [OSGPKI-222 / OSGPKI-229]
Added code to disable expired DN [OSGPKI-223]
Added code to update GOC ticket in case of host certificate issue failure [OSGPKI-219]
Implemented user_info REST API
Updated description made during request cancelation.
Changed the timing of user certificate counter to during RA approval [OSGPKI-168]
Updated the way host certificate timeout was implemented [OSGPKI-250]
Added reset code for user/host certificate during renewal requested.
Removed 60 seconds wait and simplified the delay logic between each loops during host certificate issuing.
Updated DOEGrids references inside RA enrollment agreement template with "OSG PKI" [OSGPKI-246]
Added precautionary check for missing user cert encryption password
Browser jump: added jump to "Other browser" in case of uknown browser
Added capability to list all enabled DN on DNModel
Updated user cert request model so that user can take over contact with nothing but disabled DN. Also fixed the bug where CN is created with null contact id during take over.
ContactModel: Submitter can now edit contact with associated disabled DN. Made isTWikiIDExist function only look for enabled contact
DNModel: Added capability to enumerate only enabled DNs.
Contact: added indicator for disabled DN
ContactForm: Allowed GOC to use duplicate twiki ID if duplicate is for disabled contact
Fixed typo [OSGPKI-233]
Added SmallTableModelBase.emptyAllCache() after resetting daily & yearly counters
Added code to post admin provided action note for revoke action (both user/host) to GOC ticket.
(patched) missing dn.disable = false during registration
Removed click event for edit - which was disallowing copy & paste for gridadmin list
(patched) Fixed incorrect user quota counter increment [OSGPKI-217]
Add a note that MIS VO can be used for certificates to access OSG web servers [OSGPKI-220]
Truncated OIMlog value at 2048 chars
Fixed the host quota check issue (off by 1)
(patched) added more log for issued cert
(patched) improved handling in case digicert returns unexpected pkcs7
Added -T option for cert-retrieve instruction if it's running in debug mode
Fixed the timing of dn.disable.
Other bug fixes.


Added a filter for disabled DN for user authentication.

GOC Ticket 1.58

Added PKI related notification destinations [OSGPKI-253]
Added assignee override on RestController (can only be done at the ticket creation time)
Added descriptive error message for auth check failure
(patched) updated ticket title label
Made config change so that quoted metadata won't be processed as real metadata
Adjusted style for past update description
Put redirect on various deprecated forms
Refactored initSubmit in order to set submitter information and streamlined it similar to Update controller

MyOSG 2.3

Fixed an issue where Campus Grid icons weren’t displayed in RSV status map on OSG display
Made disabled entities available on the entity selector in query wizard.
Fixed label display issue for Current RSV status page
(Patched) Fixed an issue where service availability was incorrectly displaying the AR information
Various cosmetic changes and fixed typos.

All Services

There will be OS updates; reboots will be required. Downtime should be minimal, and the usual high-availability mechanisms will be used to reduce service downtime even further and eliminate it in most cases. However, services may experience degraded performance, and the services without HA mechanisms (OIM and Twiki) will still experience brief downtimes.