Indico celebrates its 20th anniversary! Check our blog post for more information!


Brian Paul Bockelman (University of Wisconsin Madison (US)), Maria Arsuaga Rios (CERN), Petr Vokac (Czech Technical University in Prague (CZ))

Topic: WLCG DOMA BDT Meeting (twiki)

    • 16:30 16:40
      News 10m

      Third meeting in November, because there'll be DOMA General first week in December.


      Added email alias wlcg-doma-bdt at for original TPC mailing list to make more consistent / expected email address.

    • 16:40 16:55
      Transfers with tokens 15m
      Speaker: Francesco Giacomini (INFN CNAF)

      WLCG JWT profile storage.* scope improvements (issue#21)


      Audience and global XRootD redirector (CMS AAA)

      StoRM config documentation for WLCG compliance tests

      TLS configuration for xroots protocol

      • Support for xroots:// protocol should be included in our configuration examples
        • Become ready not only for DC24 HTTP-TPC with tokens but also SE should be ready for tests with jobs
      • XRootD
        • XRootD client receives from storage - Authentication is required: &P=gsi,v:10600,c:ssl,ca:8d33f237.0|dec71a0b.0&P=ztn,0:4096:
        • XRootD client asks for X.509 proxy even with BEARER_TOKEN set in the environment
          • no proxy & token => access denied
        • Even more weird behavior with gfal2 => more operations => more X.509 cert+key password questions
        • Fixed by changing order of sec.protocol configuration (ztn, gsi)
          • XRootD client receives from storage: Authentication is required: &P=ztn,0:4096:&P=gsi,v:10600,c:ssl,ca:8d33f237.0|dec71a0b.0
      • dCache (host certificate required for all xroot doors)
        • 7.x - can be configured on dedicated port
          • xrootd.plugins=gplazma:ztn,authz:scitokens
        • 8.x - available with default configuration
          • xrootd.plugins=gplazma:gsi,gplazma:ztn,gplazma:none,authz:scitokens
            • XRootD client receives from storage - Authentication is required: &P=ztn,0:4096:&P=unix&P=gsi,v:10400,c:ssl,ca:dec71a0b
            • XRootD client asks for X.509 proxy even with BEARER_TOKEN set in the environment
            • operation than succeeds even without X.509 proxy and token (or bad token)
          • better configuration xrootd.plugins=gplazma:ztn,gplazma:gsi,authz:scitokens for X.509 to tokens transition
            • Authentication is required: &P=ztn,0:4096:&P=gsi,v:10400,c:ssl,ca:dec71a0b
            • Try WLCG JWT token first with fallback to X.509 proxy
              • fallback works when there is no token and also for bad token
            • gplazma:none is necessary for third-party-copy
            • There is environment variable for XRootD client not to ask for password for missing X.509 proxy
              • export XrdSecGSICREATEPROXY=0
          • dCache team is going to discuss if token should be first in the default dCache configuration
            • WLCG prefers token first with fallback to X.509
      • gfal2 currently reject roots:// scheme
        • we can't rely on root:// protocol and just hope TLS was negotiated before sending token
          • enforcing TLS for token is not yet enforced in XRootD client, details in xrootd#1842
        • fixed in develop branch & testing repo
      • EOS is not currently implementing ZTN protocol (EOS-5460)
    • 16:55 17:05
      Tape REST access 10m
      Speaker: Mihai PATRASCOIU (CERN)
    • 17:05 17:15
      Packet marking 10m
      Speakers: Marian Babik (CERN), Shawn Mc Kee (University of Michigan (US))
      • Successfully run all demos and achieved all the objectives that we had in the SC22 NRE. 
        • Demonstrated packet marking at 200Gbps using flowd (both with xrootd and iperf3)
        • SCInet and ESnet have setup packet collectors via sflow and have shown they can show it in real-time (transfers per experiment/activity; more details at )
        • We also run demo with SC22 booth, KIT, UVic and CERN running xroot transfers and showing the real time throughput using P4 switch at CERN
      • Submitted abstracts for CHEP23 and TNC
      • Plan to have the next WG meeting in Dec (main topic will be SC22 follow up)

    • 17:15 17:25
      WebDAV Error Message Improvement Project 10m

      Discuss with experts improvements in the error messages produced by failed transfers.

      Speaker: Stephan Lammel (Fermi National Accelerator Lab. (US))
    • 17:25 17:30
      AOB 5m

      HTTP-TPC Update#4 - LocalConnection perf marker

      • It's very useful for debugging to have final IP addresses of TPC transfer source and destination
      • Currently we have only RemoteConnections and because dCache doesn't redirect TPC client to the pool with files we don't know transfer address of active party
      • Proposed LocalConnection is not sufficiently generic
      • We decided it would be useful to have both (source + destination) addresses Perf Marker as a pair
        • Use new name not to break existing software (e.g. FTS/gfal/davix)
        • Same address format as in case of RemoteConnections
          • e.g. following pair "tcp:,tcp:[2600:900:6:1301:268a:7ff:fef6:a590]:2345"