2019-11-12 Security Subcommittee Meeting Notes

Please see the Minutes of Meetings and recording for the SECCOM meeting that was held on the 12th of November 2019.

Jira No

Summary

Description

Status

Solution

 

Java 13 assessment performed by CLAMP (Sebastian Determe)

Sebastian summarized the CLAMP experience of upgrading to Java 13. The results are in the deck posted on the CLAMP wiki.

 

 

 

Java and Alpine upgrade for Frankfurt

SECCOM requires that Java projects upgrade to Java 11 (Java SE 11.0.5) and Alpine 3.10.3 in Frankfurt.

PTL feedback

  • No prebuilt Docker images for Java 11

  • Prebuilt Docker images for Java 12 and 13

  • Moving to a later version than Java 11 may cause problems for oparent, which specifies Java 11

    • Frankfurt version of oparent is 3.x and specifies Java 11

    • All projects in El Alto use oparent 2.x

  • Distinction between the Java runtime and the Java source code versions

  • Java runtime is backward compatible

    • Source code can be Java 8 or higher

      • Runtime can be Java 11 or 13

      • Java 11: Java SE 11.0.5

      • Java 13: Java SE 13.0.1

 

SECCOM recommendation

  • No change needed for the requirement because it requires Java 11 but allows Java 13

  • Prebuilt images

    • Projects choosing Java 13 can use prebuilt images

    • CLAMP has created a Java 11 Docker image that can be used by other projects

  • Java 12 or 13

    • AAF migrated to 12 with no problems; CLAMP has migrated to 13; changes can be made to override oparent

    • AAF migration to 13: will not require a project to migrate to 13 because AAF-CADI can run on Java 8 to 13

    • Other dependencies – Portal SDK, ODL (CCSDK, APPC)

    • Oparent dependency

  • SECCOM will update REQ-192 with the following

    • Required version of Java 11 JDK: Java SE 11.0.5

    • Required version of Java 13 JDK: Java SE 13.0.1

    • Requirement that shared libraries must run in JDK 11

    • For JDK 13, override JDK 11 as specified by oparent

 

Password encryption

Passwords are encrypted before being put in OOM

  • Certificate, private key are on a shared volume

  • There should be no passwords in OOM; init config should be used instead

  • Password and encryption key are both on the shared volume

 

Krzysztof, Jonathan, and Samuli will discuss solutions and provide a recommendation.