Collaboration meeting
Vidyo
# ARGUS Collaboration Meeting - 5/6/2015
Present: Andrea, Ian, Michel, Vincent, Vincenzo, Mischa, Maarten
[Agenda](http://indico.cern.ch/event/396796/)
## General news
OpenSSL plans to enforce, in the near future, a minimum size on the DH (Diffie-Hellman) RSA-based keys used as cipher when establishing the TLS connection
* 1024 bits instead of 512
* This doesn't affect the certificate key length
* Java may be impacted as it tends to come with a lower requirement (512): may be changed in a future version of Java, but to be checked
* Mischa: ARGUS uses RH ssl based on nss so not too much concerned, also the ARGUS services are all Java so should not be a problem for their interaction
* pepd may be a problem as it doesn't support the new keys (in particular elliptic curve) and may talk to an OpenSSL client. Still using an old version of Jetty
* Andrea: Java8 may help
## New OS/Java support
### Java8 support
Oracle Java 7 has been end of life since last April.
* May not apply to openjdk: not really a crisis
Java8 not working out of the box: requires some work for pepd at least
- Java8 enables the use of elliptic-curve based DH keys: that breaks at least the PEPd, and not the PAP. The PDP is a bit unclear. It breaks due to the (old) BouncyCastle version. It can be disabled in the java.security settings via `jdk.tls.disabledAlgorithms`
- ECDH doesn't have the weak-cipher/small key length problem

So, with the current version, we either break the PEPd by using ECDH and have no OpenSSL problem, or we break the to-be-released OpenSSL interaction with the PEPd.
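
To see which side of this trade-off a given JVM is on, the following added example (not ARGUS code; the class name `KexAudit` is hypothetical) counts the TLS cipher suites enabled by default per key-exchange family, optionally after appending entries such as `ECDH, ECDHE` to `jdk.tls.disabledAlgorithms`. It assumes a JDK whose JSSE provider filters the default suite list through that property.

```java
import java.security.Security;
import java.util.Map;
import java.util.TreeMap;
import javax.net.ssl.SSLContext;

public class KexAudit {
    static final String PROP = "jdk.tls.disabledAlgorithms";

    // Key-exchange family from a suite name: TLS_ECDHE_RSA_WITH_AES_... -> "ECDHE".
    static String family(String suite) {
        int with = suite.indexOf("_WITH_");
        if (with < 0) return "other"; // TLS 1.3 suites and SCSV markers name no key exchange
        return suite.substring(suite.indexOf('_') + 1, with).split("_")[0];
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: extra entries to disable, e.g. "ECDH, ECDHE".
        // Setting the property here, before JSSE initialises, has the same
        // effect as editing the java.security file.
        if (args.length > 0) {
            String current = Security.getProperty(PROP);
            boolean empty = current == null || current.trim().isEmpty();
            Security.setProperty(PROP, empty ? args[0] : current + ", " + args[0]);
        }
        System.out.println(PROP + " = " + Security.getProperty(PROP));
        // Size of the ephemeral DH key a Java TLS server offers (Java 8+);
        // this is what an OpenSSL client enforcing a minimum would check.
        System.out.println("jdk.tls.ephemeralDHKeySize = "
                + System.getProperty("jdk.tls.ephemeralDHKeySize", "(unset, JDK default)"));

        Map<String, Integer> perFamily = new TreeMap<>();
        for (String suite : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            perFamily.merge(family(suite), 1, Integer::sum);
        }
        perFamily.forEach((kex, n) -> System.out.println(kex + ": " + n + " suite(s) enabled"));
    }
}
```

Run it once as `java KexAudit` and once as `java KexAudit "ECDH, ECDHE"`: in the second run the ECDH/ECDHE lines disappear, leaving DHE and RSA key exchange, which is the case where the DH key size matters.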
Also need to update to the latest Jetty version: implies Java8 support
### EL7 support
1st version of UMD4 in September: not a requirement for ARGUS to be in the first version but would be a good message for ARGUS to be ready asap
### Timeline
Mischa checked that the C-based components developed by NIKHEF run properly against EPEL7
* argus-pep-api-c-library, pepcli and argus GSI callout.
* also checked lcmaps-plugins-c-pep which uses the argus-pep-api-c-library
Service side (pepd, papd, pdpd)
* Real work is about updating Jetty
* Java8: probably minor issues, mainly a testing work
* See Mischa's email from March
* bouncycastle can be an issue also
* Also need to move to systemd but not an immediate requirement
Proposed plan
* By sept.: minimal work to get the current code working
* First thing is to complete an EL7 build
* Need to build a test infrastructure: NIKHEF may have something, to be checked, connected to Jenkins. Also John White did something in the past to be checked with him: seems to be GitHub.
* Then do the other changes: Java8, systemd
Timeline: have run the tests and identified the issues with EL7 by mid-July
Ian: as soon as EL7 packages are made available, RAL should be able to carry out some testing
## INDIGO Datacloud
Meeting in July about the INDIGO architecture: will make the role of ARGUS clearer
Hiring process for 2 new people at CNAF is in progress: some part will be allocated to ARGUS support/development, exact figure to be determined later
Maarten: keep in mind that ARGUS is currently bound to legacy services requiring gridmapdir but the idea was at some point to get rid of these legacy services.
* Mischa: not sure to completely agree... should not make it mandatory to use it but would be good to keep the support.
* Andrea: agree that the service should remain but that the implementation could evolve to be based on something different than a gridmapdir, like a database, to avoid the need of a shared file system for example
## Open issues
Still incidents at CERN: last one 2 days ago (LHC restart)
* Required a restart of all ARGUS servers
* Was not the proper day for trying to involve experts...
* Not clear if NFS shared file system played a role here...
* May ask service managers to make a snapshot of the VMs involved before killing them
* Not clear that this was related to a particularly high load
Readiness testbed would still be welcome but not a high priority for people who could do it...
## AOB
Next meeting July 3rd, 11 am