
el9 SRM access failed with RHEL9+JAVA17 headnodes (9.2.33)

Open ageorget opened this issue 9 months ago • 4 comments

Hi,

Yesterday I upgraded our EGI dCache headnodes (9.2.33) from CentOS7 to RHEL9 + java-17-openjdk and SRM test access began to fail for el9 clients. https://argo.egi.eu/egi/report-status/ALL/SITES/IN2P3-CC/SRM/ccsrm02.in2p3.fr

From an old el7 client it still works:

> gfal-ls srm://ccsrm02.in2p3.fr:8443/pnfs/in2p3.fr/data/dteam
1M
ageorget
False
storage-descriptor.json
user

but from an el9 client it fails:

> gfal-ls srm://ccsrm02.in2p3.fr:8443/pnfs/in2p3.fr/data/
gfal-ls error: 70 (Communication error on send) - srm-ifce err: Communication error on send, err: [SE][Ls][] httpg://ccsrm02.in2p3.fr:8443/srm/managerv2: Unknown SOAP error (6)

My first reflex was to update the crypto policies for SHA1, but it didn't help. There is nothing in the srmDomain logs; srm started correctly:

Feb 18 10:01:52 ccdcamcli10 systemd[1]: Started dCache srmDomain domain.
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for @230a5fa3[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for @230a5fa3[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for @230a5fa3[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for @230a5fa3[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Acceptors should be <= availableProcessors: ServerConnector@71ed1829{SSL, (ssl, http/1.1)}{0.0.0.0:0}
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for @6a8dd85a[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for @6a8dd85a[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for @6a8dd85a[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for @6a8dd85a[provider=null,keyStore=null,trustStore=null]
Feb 18 10:01:56 ccdcamcli10 dcache@srmDomain[73314]: 18 Feb 2025 10:01:56 (srm) [] Acceptors should be <= availableProcessors: ServerConnector@5f0f1a9b{SSL, (ssl, http/1.1)}{0.0.0.0:0}

Then I tried to downgrade Java to java-11-openjdk and restart SRM and it solved the access problem for RHEL9 clients.

ageorget, Feb 18 '25 10:02