
el9 SRM access failed with RHEL9+JAVA17 headnodes (9.2.33) #7748

Open
ageorget opened this issue Feb 18, 2025 · 2 comments

Comments

@ageorget

ageorget commented Feb 18, 2025

Hi,

Yesterday I upgraded our EGI dCache headnodes (9.2.33) from CentOS7 to RHEL9 + java-17-openjdk and SRM test access began to fail for el9 clients.
https://argo.egi.eu/egi/report-status/ALL/SITES/IN2P3-CC/SRM/ccsrm02.in2p3.fr

From an old el7 client it still works:

> gfal-ls srm://ccsrm02.in2p3.fr:8443/pnfs/in2p3.fr/data/dteam
1M
ageorget
False
storage-descriptor.json
user

but from an el9 client it fails:

> gfal-ls srm://ccsrm02.in2p3.fr:8443/pnfs/in2p3.fr/data/
gfal-ls error: 70 (Communication error on send) - srm-ifce err: Communication error on send, err: [SE][Ls][] httpg://ccsrm02.in2p3.fr:8443/srm/managerv2: Unknown SOAP error (6)

My first reflex was to update the crypto policies for SHA1, but that didn't help.
Nothing in the srmDomain logs; srm started correctly:

Feb 18 10:01:52 ccdcamcli10 systemd[1]: Started dCache srmDomain domain.
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for @230a5fa3[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for @230a5fa3[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for @230a5fa3[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for @230a5fa3[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Acceptors should be <= availableProcessors: ServerConnector@71ed1829{SSL, (ssl, http/1.1)}{0.0.0.0:0}
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for @6a8dd85a[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for @6a8dd85a[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for @6a8dd85a[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for @6a8dd85a[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Acceptors should be <= availableProcessors: ServerConnector@5f0f1a9b{SSL, (ssl, http/1.1)}{0.0.0.0:0}

Then I tried to downgrade Java to java-11-openjdk and restart SRM and it solved the access problem for RHEL9 clients.

@kofemann
Member

Hi @ageorget, EL9 has a strict security policy, which is incompatible with SRM and some tools. Did you re-enable SHA1 on all dCache hosts?

update-crypto-policies --set DEFAULT:SHA1
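
To verify what the headnode's Java runtime actually disables after switching policies (on EL9 the difference between DEFAULT and DEFAULT:SHA1 is written into the Java back-end of the crypto policy), here is an added example, not from this issue or from dCache: a small parser for java.security-style property files that reports whether SHA1 and TLS 1.0 are disabled for TLS and certificate-path checks. The path /etc/crypto-policies/back-ends/java.config and the sample values are assumptions.

```python
"""Report which algorithms a Java-style security properties file disables.

Assumption: on EL9 the system crypto policy is applied to Java through
/etc/crypto-policies/back-ends/java.config, which uses java.security
syntax (key=value, with backslash line continuations)."""
import re
import sys

# Constructed sample (not copied from any host); the layout mirrors
# a java.config produced by a DEFAULT policy that disables SHA1.
SAMPLE = r"""
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, \
    DHE_DSS, RSA_EXPORT, DH_anon, ECDH_anon, 3DES_EDE_CBC, DES_CBC, \
    RC4_40, RC4_128, RC2, HmacMD5, SHA1
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, DSA, RSA keySize < 2048, \
    EC keySize < 256
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 2048, \
    DSA keySize < 2048, SHA1 denyAfter 2019-01-01
"""

def parse_security_props(text):
    """Return {key: [entries]} honouring backslash line continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    props = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = [e.strip() for e in value.split(",") if e.strip()]
    return props

def disabled_in(props, key, token):
    """True if an entry under key starts with token (e.g. 'SHA1' in
    'SHA1 denyAfter 2019-01-01'); constraints after the name are ignored."""
    return any(e.split()[0].upper() == token.upper() for e in props.get(key, []))

def sha1_report(text):
    """Summarise SHA1 and TLSv1 status for TLS handshakes and cert-path checks."""
    p = parse_security_props(text)
    return {
        "tls_sha1_disabled": disabled_in(p, "jdk.tls.disabledAlgorithms", "SHA1"),
        "certpath_sha1_disabled": disabled_in(p, "jdk.certpath.disabledAlgorithms", "SHA1"),
        "tlsv1_disabled": disabled_in(p, "jdk.tls.disabledAlgorithms", "TLSv1"),
    }

if __name__ == "__main__":
    # Pass a real file path to inspect a host; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, value in sha1_report(text).items():
        print(f"{name}: {value}")
```

On RHEL builds of OpenJDK the back-end file is only consulted when java.security sets security.useSystemPropertiesFile=true, so a host where that line was changed will ignore update-crypto-policies altogether.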

@ageorget
Author

ageorget commented Feb 18, 2025

Hi @kofemann,

Yes, I already enabled SHA1 on all head nodes and then restarted the dCache head node services.
But EL9 clients still failed to access SRM.
Only a downgrade to java-11 works.

Do EL9 clients have to enable SHA1 too?
