[ https://issues.apache.org/jira/browse/AIRAVATA-3609?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17580860#comment-17580860 ]

Marcus Christie commented on AIRAVATA-3609:
-------------------------------------------
The PGA needs TLS v1 and 1.1 enabled to be able to connect to the API server.
In Java 11 these algorithms are disabled. We had previously fixed this,
re-enabling TLSv1 and TLSv1.1 by modifying the Java 11 java.security
configuration file.

However, on our Rocky Linux VMs, there is a system-wide cryptographic policy
configuration. This configuration has the highest precedence and overrides the
changes made to the Java 11 java.security configuration file.

Rather than change the Java 11 java.security file, I thought it better to just
enable TLS v1 and 1.1 for the API server only. For this I added the
-enableLegacyTLS flag to airavata-server-start.sh. This flag adds
{{-Djava.security.properties=${AIRAVATA_HOME}/bin/enableLegacyTLS.security
-Djava.security.disableSystemPropertiesFile=true}} to the command line. The
first argument loads the enableLegacyTLS.security file to override whatever is
set in java.security. The second argument disables loading the system-wide
cryptographic policy configuration file.

See {{man update-crypto-policies}} or
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
for more information on system-wide crypto policy.

> Update Ansible scripts for Rocky Linux and Python 3
> ---------------------------------------------------
>
> Key: AIRAVATA-3609
> URL: https://issues.apache.org/jira/browse/AIRAVATA-3609
> Project: Airavata
> Issue Type: Task
> Components: Django Portal
> Reporter: Marcus Christie
> Assignee: Marcus Christie
> Priority: Major
>
> h3. TODO
> - (/) Fix delegation of database setup tasks (see
> https://github.com/ansible/ansible/issues/37995)
> - (/) Either install django apps as editable or figure out how to get built
> JS into the package. MANIFEST includes don't seem to apply to post install
> generated files.
> - (/) configure alternate gateway data store resource ids (moving portal to a
> new data storage resource means resource ids won't match, but we can map more
> than one to the same directory in settings_local.py)
> -- fixed:
> https://github.com/apache/airavata/commit/6521fc1fb75ea2562bb42224e021df7e6ad1bb66
> - [ ] nodejs/yarn install
> - [ ] with the upgraded Ansible, can add a check to see if Docker is running
> - (/) switch from yum-cron to dnf-automatic on Rocky Linux
> - (/) tusd updates for Rocky Linux/SELinux
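
An added example, not part of the original comment or of the Airavata code base: a shell audit sketch that layers Java security property files in the precedence the comment describes (JDK java.security, then a per-process override, then the system-wide policy unless its loading is disabled) and reports which of TLSv1 and TLSv1.1 remain permitted. All file names and contents are constructed, the contents of the real enableLegacyTLS.security are not shown on the page, and only the jdk.tls.disabledAlgorithms property is modelled.

```shell
#!/bin/sh
# Audit sketch: which legacy TLS versions would a JVM be allowed to negotiate,
# given the security property files it reads (lowest precedence first)?

# Print the effective jdk.tls.disabledAlgorithms; a later file overrides an earlier one.
effective_disabled() {
    awk '
        /^[ \t]*#/ { next }                                      # skip comments
        { line = buf $0; buf = "" }
        line ~ /\\$/ { sub(/\\$/, "", line); buf = line; next }  # join backslash continuations
        line ~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line); val = line
        }
        END { print val }' "$@"
}

# Echo the legacy protocols that are absent from the disabled list.
legacy_tls_allowed() {
    disabled=$(effective_disabled "$@")
    allowed=""
    for proto in TLSv1 TLSv1.1; do
        # One entry per line, blanks removed, whole-entry match only.
        if ! printf '%s\n' "$disabled" | tr ',' '\n' | tr -d ' \t' | grep -qxF "$proto"; then
            allowed="$allowed $proto"
        fi
    done
    printf '%s\n' "${allowed# }"
}

# Constructed sample files (not copied from any real host or from the project).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/java.security" <<'EOF'
# stand-in for the JDK default
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
cat > "$demo/override.security" <<'EOF'
# hypothetical per-process override that drops TLSv1 and TLSv1.1 from the list
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
cat > "$demo/system.config" <<'EOF'
# stand-in for the Java settings of the system-wide crypto policy
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, 3DES_EDE_CBC, anon, NULL
EOF

echo "JDK default only:        [$(legacy_tls_allowed "$demo/java.security")]"
echo "default + override:      [$(legacy_tls_allowed "$demo/java.security" "$demo/override.security")]"
echo "default + override + OS: [$(legacy_tls_allowed "$demo/java.security" "$demo/override.security" "$demo/system.config")]"
```

An empty result means both legacy versions are still disabled for that combination of files; any other result names the versions a process started with those files could negotiate.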