Create Java 21 security config in puppet
Closed, Resolved (Public)

Description

In the parent task we got:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, Could not find template 'java/java-21.security.erb' (file: /srv/puppet_code/environments/production/modules/java/manifests/package.pp, line: 50, column: 24) (file: /srv/puppet_code/environments/production/modules/java/manifests/init.pp, line: 21) on node deployment-kafka-logging01.deployment-prep.eqiad1.wikimedia.cloud

Kafka 3.7 on Trixie with JDK 21 configured is missing the security config.

Event Timeline

  • Installed openjdk-21-jdk, got the security file and added it as an erb file to puppet.
  • Removed comments and blank lines from both the 17 and 21 security erb files.
  • Diffed them:
36c36
< sun.security.krb5.disableReferrals=true
---
> sun.security.krb5.disableReferrals=false
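Review bot: line 36 flips sun.security.krb5.disableReferrals from true in the 17 template to false in the 21 file, and nothing in the task says this is intended. The 21 file is described above as the one shipped with openjdk-21-jdk, so if true in the 17 template was a deliberate local setting for Kerberos clients it is silently dropped here. Either carry the value over into java-21.security.erb or state in the commit message that the packaged value is wanted on Java 21 hosts.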
41,42c41,43
< jdk.security.legacyAlgorithms=SHA1, DSA, SHA224,\
<     RSA keySize < 2048, DSA keySize < 2048
---
> jdk.security.legacyAlgorithms=SHA1, SHA224,\
>     RSA keySize < 2048, DSA keySize < 2048, \
>     DES, DESede, MD5, RC2, ARCFOUR
45,46c46,50
< jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
<     DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
---
> http.auth.digest.disabledAlgorithms = MD5, SHA-1
> jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
>     MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
>     ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, \
>     ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature
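Review bot: the longer jdk.tls.disabledAlgorithms list on the > side (DTLSv1.0, ECDH, TLS_RSA_*, and the three SHA-1 "usage HandshakeSignature" entries) can break handshakes with peers that still depend on any of those, and the task does not record a compatibility check. Before this reaches Kafka brokers and clients running on Java 21, confirm that no listener or client pins a cipher suite matched by TLS_RSA_* or ECDH. The added http.auth.digest.disabledAlgorithms = MD5, SHA-1 line deserves the same check for anything that uses HTTP Digest authentication from the JVM.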
72c76
< jdk.security.caDistrustPolicies=SYMANTEC_TLS
---
> jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS,CAMERFIRMA_TLS
74a79
> com.sun.security.allowedAIALocations=
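The strip-comments-and-diff procedure described above, as an added example (not part of the original task or the puppet repository): a Python script that compares two java.security files property by property, so rewrapped continuation lines and reordered entries do not show up as changes. The function names are hypothetical, and the JAVA17/JAVA21 samples are constructed from three of the properties in the diff above.

```python
def parse_security(text):
    """Parse java.security text into {property: value}, joining continued lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue                      # comment or blank line
        if line.endswith("\\"):
            pending += line[:-1]          # value continues on the next line
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def entries(value):
    """Comma-separated value -> set of trimmed entries."""
    return {e.strip() for e in value.split(",") if e.strip()}

def compare(old_text, new_text):
    """Return {property: (removed, added)} for each property that is new,
    dropped, or whose entry set differs (order and wrapping ignored)."""
    old, new = parse_security(old_text), parse_security(new_text)
    changes = {}
    for key in sorted(old.keys() | new.keys()):
        before, after = entries(old.get(key, "")), entries(new.get(key, ""))
        if before != after or (key in old) != (key in new):
            changes[key] = (sorted(before - after), sorted(after - before))
    return changes

# Constructed inputs: three of the properties from the diff above.
JAVA17 = r"""
sun.security.krb5.disableReferrals=true
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
JAVA21 = r"""
sun.security.krb5.disableReferrals=false
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, \
    ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature
com.sun.security.allowedAIALocations=
"""

if __name__ == "__main__":
    for key, (removed, added) in compare(JAVA17, JAVA21).items():
        print(f"{key}: removed={removed} added={added}")
```

A property that appears on only one side with an empty value, such as com.sun.security.allowedAIALocations here, is reported with both lists empty.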

Change #1251836 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] java: add java-21-security erb template

https://gerrit.wikimedia.org/r/1251836

elukey triaged this task as Medium priority. Mar 16 2026, 2:21 PM

Change #1251836 merged by Elukey:

[operations/puppet@production] java: add java-21-security erb template

https://gerrit.wikimedia.org/r/1251836

elukey claimed this task.