Dear all,

EUGridPMA have announced a new set of CA rpms. Based on this IGTF release a new set of CA RPMs have been packaged for EGI.
This release brings some changes at the level of the meta-pakage names so please read the release notes carefully and upgrade until 2018.12.03 at your earliest convenience. When this timeout is over, SAM will throw critical errors on CA tests if old CAs are still detected.

Please check https://wiki.egi.eu/wiki/EGI_IGTF_Release for more details

EGI UMD software provisioning Team

The following release notes accompany this release:
The following release notes accompany this version:

European Grid Infrastructure EGI Trust Anchor release 1.95 2018.11.26

------------------------------------------------------------------------------
For release DOCUMENTATION available on this EGI Trust Anchor release see
https://wiki.egi.eu/wiki/EGI_IGTF_Release
------------------------------------------------------------------------------

This is the EGI Trust Anchor release, based on the updated IGTF Accredited CA
distribution version 1.95-1 with Classic, SLCS and MICS profiles, encoded in
meta-package "ca-policy-egi-core-1.95-1" (new installs) and "lcg-CA-1.95-1"
(for sites upgrading from EGEE/JSPG releases).

IMPORTANT NOTICE:
Sites that need compliance with the WLCG policy should install BOTH packages,
or you will miss out the CERN WLCG IOTA CA specific exception. Details, see:
https://documents.egi.eu/document/2745

Please review the documentation for the new software that will be needed
to support differentiated assurance and the Collaborative Assurance Model.
We ask for your support in implementing the requisite changes, and deploy
new trust anchor meta-packages and the new local policies only in unison.

The following notices are republished from the IGTF, inasfar as pertinent to
this release. Details are found in the newsletter https://www.eugridpma.org/

Changes from 1.94 to 1.95
-------------------------
(26 Nov 2018)

* Updated namespaces and signing_policy files for CILogon Silver CA to
permit DNs without "/C=US" (US)

The CA modifications encoded in both "requires" and "obsoletes" clauses (RPM)
and Conflicts/Replaced clauses (Debian) have been incorporated in the above-
mentioned meta-packages. This release is best enjoyed with fetch-crl v3 or
better, available from GNU/Linux OS add-on repositories Fedora, EPEL, Debian,
and from the IGTF at https://www.igtf.net/fetch-crl

Version information: ca-policy-egi-core = 1.95-1

Dear all,

EUGridPMA have announced a new set of CA rpms. Based on this IGTF release a new set of CA RPMs have been packaged for EGI.
This release brings some changes at the level of the meta-pakage names so please read the release notes carefully and upgrade until 2018.11.05 at your earliest convenience. When this timeout is over, SAM will throw critical errors on CA tests if old CAs are still detected.

Please check https://wiki.egi.eu/wiki/EGI_IGTF_Release for more details

EGI UMD software provisioning Team

The following release notes accompany this release:
European Grid Infrastructure EGI Trust Anchor release 1.94 2018.10.29

------------------------------------------------------------------------------
For release DOCUMENTATION available on this EGI Trust Anchor release see
https://wiki.egi.eu/wiki/EGI_IGTF_Release
------------------------------------------------------------------------------

This is the EGI Trust Anchor release, based on the updated IGTF Accredited CA
distribution version 1.94-1 with Classic, SLCS and MICS profiles, encoded in
meta-package "ca-policy-egi-core-1.94-1" (new installs) and "lcg-CA-1.94-1"
(for sites upgrading from EGEE/JSPG releases).

IMPORTANT NOTICE:
Sites that need compliance with the WLCG policy should install BOTH packages,
or you will miss out the CERN WLCG IOTA CA specific exception. Details, see:
https://documents.egi.eu/document/2745

Please review the documentation for the new software that will be needed
to support differentiated assurance and the Collaborative Assurance Model.
We ask for your support in implementing the requisite changes, and deploy
new trust anchor meta-packages and the new local policies only in unison.

The following notices are republished from the IGTF, inasfar as pertinent to
this release. Details are found in the newsletter https://www.eugridpma.org/

Changes from 1.93 to 1.94
-------------------------
(29 Oct 2018)

* extended validity period for the ArmeSFo CA (AM)
* withdrawn expiring DFN-SLCS CA (DE)

The CA modifications encoded in both "requires" and "obsoletes" clauses (RPM)
and Conflicts/Replaced clauses (Debian) have been incorporated in the above-
mentioned meta-packages. This release is best enjoyed with fetch-crl v3 or
better, available from GNU/Linux OS add-on repositories Fedora, EPEL, Debian,
and from the IGTF at https://www.igtf.net/fetch-crl

Version information: ca-policy-egi-core = 1.94-1

Dear colleagues,
on Sep 21 a Globus update in the EPEL repositories made TLS v1.2
the only version to be supported for security handshakes in GSI.
The concerned package was globus-gssapi-gsi-13.10.

Unfortunately, it quickly became clear that a significant number
of grid services in EGI are not ready for that change and started
running into failures.

We therefore asked for the minimum supported version to be set to
TLS v1.0 again in /etc/grid-security/gsi.conf:

MIN_TLS_PROTOCOL=TLS1_VERSION_DEPRECATED

Version globus-gssapi-gsi-14.7-2 has that _temporary_ workaround
and is available in EPEL since Oct 16.

The UMD currently has globus-gssapi-gsi-13.5 which also is fine
for the time being.

However, as we still want to be able to exclude TLS < v1.2 in the
near future, all potentially affected services should be checked
and updated as needed.

Such services may directly depend on Globus themselves,
but could also be based on Java instead.

Of particular concern are SRM, GridFTP, CE and Argus services.

Standard SRM services listen on port 8443 (dCache), 8444 (StoRM) or
8446 (DPM), while the BeStMan SRM may listen on a non-standard port.
The CREAM CE service listens on port 8443. GridFTP servers used by
CREAM, ARC and SE head nodes listen on port 2811, while the port may
be unpredictable on SE disk servers. Argus listens on port 8154.

To test your SRM, CREAM, Argus or any other HTTPS service,
please run a command like this:

openssl s_client -tls1_2 -connect HOST:PORT 2>&1 < /dev/null |
egrep '^New|Protocol|known|Bad|refused|route'

The following output is a sign of _failure_:

New, (NONE), Cipher is (NONE)

To test a GridFTP server, you normally need a valid VOMS proxy:

env GLOBUS_GSSAPI_MIN_TLS_PROTOCOL=TLS1_2_VERSION uberftp HOST pwd

If any one of those commands fails due to the TLS v1.2 requirement:
please update Java/Globus on the affected service to a recent version,
restart the service and try again.

For the BeStMan SRM one would need to update the "jglobus" package to
version jglobus-2.1.0-10bh available from the EGI third party repository,
and restart the service:

http://repository.egi.eu/community/software/third.party.distribution/

As JGlobus and BeStMan are both unsupported, please look into replacing
such services with alternatives that are supported.

We will need to set a deadline for TLS v1.2 support to early 2019
and will let you know when the timeline has become clearer.

Please report issues you encounter through GGUS etc.

Dear,

On Friday 19th of October from 8 AM to 6 PM, we will switch our cloud end-point rocci.iihe.ac.be to occi-server version 2. As a result, during this downtime, it will not possible to create VMs or to manage the life cycle of your existing VMs in our site. However, this should not impact the VMs themselves.

Sorry for the inconvenience.

Regards,
Stéphane Gérard

Dear All,

This is to inform you that the following hosts (services) at TOKYO-LCG2 will be decommissioned.

lcg-ce11.icepp.jp (ARC-CE)
lcg-ce12.icepp.jp (ARC-CE)

The downtime will start on 26/10/2018 00:00 (UTC). The services will be disabled and removed directory after the downtime.

Best regards,
Tomoe

Dear all,

EUGridPMA have announced a new set of CA rpms. Based on this IGTF release a new set of CA RPMs have been packaged for EGI.
This release brings some changes at the level of the meta-pakage names so please read the release notes carefully and upgrade until 2018.10.01 at your earliest convenience. When this timeout is over, SAM will throw critical errors on CA tests if old CAs are still detected.

Please check https://wiki.egi.eu/wiki/EGI_IGTF_Release for more details

EGI UMD software provisioning Team

The following release notes accompany this version:
European Grid Infrastructure EGI Trust Anchor release 1.39 2018.09.24

------------------------------------------------------------------------------
For release DOCUMENTATION available on this EGI Trust Anchor release see
https://wiki.egi.eu/wiki/EGI_IGTF_Release
------------------------------------------------------------------------------

This is the EGI Trust Anchor release, based on the updated IGTF Accredited CA
distribution version 1.93-1 with Classic, SLCS and MICS profiles, encoded in
meta-package "ca-policy-egi-core-1.93-1" (new installs) and "lcg-CA-1.93-1"
(for sites upgrading from EGEE/JSPG releases).

IMPORTANT NOTICE:
Sites that need compliance with the WLCG policy should install BOTH packages,
or you will miss out the CERN WLCG IOTA CA specific exception. Details, see:
https://documents.egi.eu/document/2745

With the introduction of combined assurance/adequacy, the EGEE compatibility
RPM (lcg-CA) can no longer be supported, and -when still installed- will be
obsoleted. The proper dependency packages are: ca-policy-_body_-_class_ and
these have been installed automatically as dependencies since 2010.

Release 1.89 introduced support for differentiated assurance in the EGI
trust fabric infrastructure in the form of an additional trust anchor
meta-package, which replaces the specific policy mechanism described above.
Please review the documentation for the new software that will be needed
to support differentiated assurance and the Collaborative Assurance Model.
We ask for your support in implementing the requisite changes, and deploy
new trust anchor meta-packages and the new local policies only in unison.

The following notices are republished from the IGTF, inasfar as pertinent to
this release. Details are found in the newsletter https://www.eugridpma.org/

Changes from 1.92 to 1.93
-------------------------
(24 Sep 2018)

* Updated contact information for HellasGrid-CA (GR)
* Removed superseded IGCA CA (IN)

The CA modifications encoded in both "requires" and "obsoletes" clauses (RPM)
and Conflicts/Replaced clauses (Debian) have been incorporated in the above-
mentioned meta-packages. This release is best enjoyed with fetch-crl v3 or
better, available from GNU/Linux OS add-on repositories Fedora, EPEL, Debian,
and from the IGTF at https://www.igtf.net/fetch-crl

Version information: ca-policy-egi-core = 1.93-1


ChangeLog:
Update of the EGI Trust Anchors to release 1.93-1

Dear all,
An outage of the ARC-CE [node16] (and condor workernodes) at GRIF-IRFU is scheduled on Monday. September 17th at 9a.m. to Tuesday,September 18th at 4p.m. in order to upgrade all servers to **CentOS7**.
We will not drain the batch. Remaining idle or running jobs will be killed.
The CREAM-CE [node74] will remain in production in SL6, for the time being.

Best Regards,
The GRIF-IRFU team.

RAL's IPv6 issues have been resolved. All IPv6 reliant services are now back in production.

Tier-1 at RAL is currently experiencing an outage of IPv6. This is impacting some services including FTS and GOCDB. We are currently working on this issue and will provide status updates as appropriate.