Wednesday, November 27, 2013

OSG Operations Holiday Notice

From November 28 through December 1, the GOC will be operating on a Holiday
schedule. Staff will be available to respond to emergencies but
routine operations will resume at start of business Monday, December 2.

OSG Operations wishes its users and OSG staff a happy and satisfying
Thanksgiving Holiday.

Tuesday, November 19, 2013

GOC Service Update - Tuesday, November 26th, 2013 at 14:00 UTC

The GOC will upgrade the following services beginning Tuesday, November 26th, 2013 at 14:00 UTC. The GOC reserves 8 hours in the unlikely event that unexpected problems are encountered. We encourage users to test affected services before the production release.

All Services

There will be OS updates; reboots will be required. Downtime should be minimal, and the usual high-availability mechanisms will be used to reduce service downtime even further and eliminate it in most cases. However, services may experience degraded performance, and the services without HA mechanisms (OIM and Twiki) will still experience brief downtimes.

Wednesday, November 13, 2013

Workaround for OpenJDK 1.7.0_45 and BeStMan issues

The OSG Software team has found that the OpenJDK update to version 1.7.0_45 (on 21 October) tightened some security settings, thereby causing low-level authentication failures in the BeStMan server and clients.

The root cause of the failures is that Java no longer accepts RSA keys that are shorter than 1024 bits.  However, grid-proxy-init and other systems are creating proxies with 512 bits, triggering the issues.  In OpenJDK 1.7.0_25 and earlier, Java allowed 512-bit proxies to be used. OSG Security is not aware of any urgent security issues which would necessitate increasing proxy strength immediately.

For now, we have an easy workaround.  After updating to OpenJDK 1.7.0_45, which is still a recommended update, edit the Java security settings in:


Find the line that looks like this:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

And change it to this:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512

This change should be applied to any machine running the BeStMan server or client tools.  After the change, restart the BeStMan server, if present.

The OSG Technology and Security teams are investigating more permanent solutions to the problem, including raising the default RSA key lengths throughout the software stack to 1024 bits.

Tuesday, November 12, 2013

Announcing OSG Software version 3.1.26 and 3.2.0

We are pleased to announce OSG Software versions 3.1.26 and 3.2.0!

Today marks the beginning of a new 3.2 release series. The 3.2 releases will contain the entire OSG software stack, and thus are parallel to the current 3.1 release series. For now, most packages in 3.2 are identical to those in 3.1, but we expect the series to diverge over time. With a new and independent series, we can provide new or substantially updated software and can remove obsolete packages. Because these changes may be disruptive to a production site, you must take explicit action to update from the 3.1 to the 3.2 series; if you do nothing, package updates will continue to come from the 3.1 series.

The 3.1.26 and 3.2.0 releases both contain the following changes:

* CVMFS version 2.1.15
* Xrootd version 3.3.3
* VO Package v49
* OSG Info Services 0.12

The 3.2.0 release is the first in the 3.2 series and contains the
following major changes:

* glideinWMS version 3.2.0
* HTCondor version 8.0.4
* HTCondor-CE using HTCondor as a backend
* HDFS (Hadoop) version 2.0.0
* CEMon is not included (use OSG Info Services 0.12)

For further information on the new 3.2 series repositories and how
to upgrade please consult:

The OSG Software is distributed via RPMs for:

* Scientific Linux 5 and 6
* CentOS 5 and 6
* Red Hat Enterprise Linux 5 and 6

Release notes and pointers to more documentation can be found at:

Need help? Let us know:

We welcome feedback on this release!

Please submit problems, requests, and questions at:

Java Security Announcement

As you may know, the free edition of Oracle JDK 1.6 is no longer supported, and no patches are being released for it, even for known security vulnerabilities.  Further, the download page clearly states, "Oracle no longer posts updates of Java SE 6 to its public download sites.  All Java 6 releases ... have been moved to the Java Archive....Oracle recommends that users migrate to Java 7 in order to continue receiving public updates and security enhancements."

Consequently, many Java 6 exploits are publicly available and have been reported as being actively exploited in news media; for example:

Therefore, we strongly recommend that all OSG sites upgrade from Java 6 to Java 7 as soon as possible.

We are aware of issues with the latest OpenJDK 1.7.0_45 release and BeStMan which will be addressed in a follow-up email very soon. 

Recently, the OSG Technology area completed a thorough review, updates, and many tests to ensure that OSG software works with OpenJDK 1.7. The Java 7 migration project was released to production in the OSG 3.1.23 release on 10 September 2013.  Hence, when updating Java to 1.7, we urge sites to update their OSG software, too, if older than 3.1.23.

For more information, see:

Need help? Let us know:

Please submit problems, requests, and questions at:

Tuesday, November 5, 2013

GOC Service Update - Tuesday, November 12th at 14:00 UTC

The GOC will upgrade the following services beginning Tuesday, October 22nd, 2013 at 14:00 UTC. The GOC reserves 8 hours in the unlikely event that unexpected problems are encountered.  We encourage users to test affected services before the production release.

GOC Ticket 1.70
* Upgrading to RHEL6 OS. All instances(ticket1/2) will be rebuilt from the latest GOC stemcell.
* Various minor bug / cosmetic fixes.
* Updated notification tool to allow choosing preset email signature template (TICKET-74)
* Replaced comet with node/ based ticket presence.

* a duplicate stratum 0 server will be created as part of the process of implementing sub-catalogs. Sub-catalogs will not be implemented with this release and the change should not be visible to users.

* Adding VO=OSG as backup to FNAL

OIM 3.25
* Added capability to enter custom key/value for misc. service group in order to allow registering OSG rpm repo mirror sites (as requested by Carl Edquist)
* Increased the acceptable range of certificate life from 395+/-10 days from 15 days in order to suppress false(?) alarm from OIM service alert.
* Added label to ask user to enter institutional email address instead of personal one ( Please use email address issued by your organization (like, instead of a personal addresses like gmail, yahoo, etc (suggested by OSG/PKI team)
* Added GA/RA agreements for user cert renew (OSGPKI-178)
* Moved the user certificate download links under Action section, and move the entire action section toward the top of the page in order to make it easier for user to find appropriate button to push (OSGPKI-387)

MyOSG 2.18
* miscevent / fixed a bug where old events were not cleared from the queue
* miscuser / fixed a bug where disabled contacts are displayed on miscuser/xml when it’s shouldn’t.
* myosg2 will be moved from its current host to another host.

GratiaWeb 1.2-19 (Tentative)
* Added filter for Project Name (GRATIAWEB-42)
* Fixed a bug where FOS reports does not work for facility and probe (GRATIAWEB-44)