Wednesday, November 13, 2013

Workaround for OpenJDK 1.7.0_45 and BeStMan issues

The OSG Software team has found that the OpenJDK update to version 1.7.0_45 (on 21 October) tightened some security settings, thereby causing low-level authentication failures in the BeStMan server and clients.

The root cause of the failures is that Java no longer accepts RSA keys that are shorter than 1024 bits.  However, grid-proxy-init and other systems are creating proxies with 512 bits, triggering the issues.  In OpenJDK 1.7.0_25 and earlier, Java allowed 512-bit proxies to be used. OSG Security is not aware of any urgent security issues which would necessitate increasing proxy strength immediately.

For now, we have an easy workaround.  After updating to OpenJDK 1.7.0_45, which is still a recommended update, edit the Java security settings in:

/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45.x86_64/jre/lib/security/java.security

Find the line that looks like this:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

And change it to this:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512

This change should be applied to any machine running the BeStMan server or client tools.  After the change, restart the BeStMan server, if present.

The OSG Technology and Security teams are investigating more permanent solutions to the problem, including raising the default RSA key lengths throughout the software stack to 1024 bits.