JLab Server Certificate Renewals -- possible connection problems for browsers, subversion clients, etc.

A few months ago, TLS/SSL certificates for JLab internal web servers were renewed due to their imminent expiration. They are now (January/February 2017) being renewed again to upgrade them to use SHA2 Signatures, issued by our upgraded PKI. The use of SHA2 signatures for all end entity and intermediate certificates is required for all browsers and eventually other clients because the previous SHA1 signature algorithm has been effectively "broken" and is deprecated.

Automatic processes have already installed the new JLabCA root certificate on managed systems at JLab. This includes Windows domain members, Level I and II as well as "CUEified" Macs. The automated process installs the root certificate into the default locations on each platform (Windows, Linux and OS X) which makes it available to most applications on each platform, including Firefox/Thunderbird and the default Java JVM. For other applications which maintain their own key/certificate stores, users will need to install the new certificate manually.

Note that this change affects all JLab servers that use SSL/TLS, including those hosting subversion and other services. As a result, users may see warnings or failures to connect (depending on the configuration of the client application being used). To avoid these warnings, users must install the JLab PKI "root" certificate. Additional information regarding this issue and the root certificate and instructions for installing it are available at http://pki.jlab.org. As we transition all services to use these new certificates, client systems should install BOTH the new JLabCA root certificate as well as the legacy JLabWinCA root certificate.

Subversion Client Warnings

Several users have raised questions regarding the server certificates used on subversion servers recently. If the root Certificate is not installed in your subversion configuration, the subversion client generates a warning upon attempting to connect, and asks you if you wish to accept the certificate being used, either temporarily or permanently. To help you confirm that you are

Computer Survey in Progress


As part of an overall initiative to improve cyber security across the enterprise, the Department of Energy is currently rolling out a plan to deploy multi-factor authentication (MFA) to protect data and systems. MFA usually combines a pin or a password with some kind of hardware token or card, which makes it more difficult to compromise an account.

Working to Integrate macOS Sierra (10.12) into CUE

The latest version of macOS, Sierra (10.12), was released on Tuesday, September 20, 2016.  Starting today, Sierra will be available to customers as an automatic download.  If you're currently using a JLab-owned Mac, please do not install Sierra until further notice.

The IT Division is currently working to integrate Sierra into our common user environment (CUE) for JLab-owned Macs.  Once the IT Division has integrated Sierra into the CUE, an announcement of support will be made.  If you have any questions or concerns, please contact the IT Division Help Desk (x7155 or helpdesk@jlab.org).

BlueJeans App Required After September 10, 2016

Message from BlueJeans:

To ensure a consistent, reliable, and first-class Primetime experience, event moderators and presenters will be required to join through the BlueJeans App after 9/10. Attendees can still join through preferred browser options.

Over time, browser plugins have proven to be more insecure than browsers themselves.  Consequently, browsers such as Firefox, Internet Explorer, and Chrome are phasing out plugins.  Instead, features historically offered through plugins are now being introduced in the form of built-in browser features.

With that being said, BlueJeans will stop development for their plugin on September 10, 2016.  BlueJeans now recommends using their BlueJeans App instead.  The BlueJeans App works on the following operating systems:

  • Windows 10, 8, 7, and Vista
  • Mac OS X 10.7 and above
  • Linux - RHEL 7 and above and Fedora 22 (not available until 09/10/2016)

For a full list of BlueJeans App downloads, please visit the BlueJeans Download Our App webpage.  Once you have the BlueJeans App installed, please select the 'SIGN INTO MY ACCOUNT' option.  This should forward you to the MIS Portal webpage where you would use your JLab username and password to start the BlueJeans App.

If you have any questions or concerns regarding this change, please contact the IT Division Help Desk.

New Web Traffic Protections Launch

08/23/2016 8:00 am
America/New York

Jefferson Lab (JLab) uses several automated protection systems to scan web traffic for malware and viruses. The protection provided by these scans has become increasingly limited by the expanding use of encryption for web traffic on the Internet. To provide continued security for JLab systems, JLab will begin decrypting some web traffic.  Please see the table below for the schedule of network changes in the coming weeks.

 August 23, 2016  Desktop 1 and Business Services
 September 7, 2016  Desktop 2, DOE Site Office, and JLab Internal Wireless (not guest wireless)
 September 13, 2016   SENS Domain, All Central Networks, VDI Infrastructure
 October 4, 2016  All remaining networks; except guest

This change will allow the automated processes that the lab has in place to scan traffic and remove identified viruses and malware. Traffic from known medical and financial institutions, however, will be exempted from being decrypted, as these are generally not sites from which malware and viruses are deployed.

The CNI group is held two, one-hour informational meetings on Thursday, August 18th, and Friday, August 19th, in CEBAF Center room F113 at 11:30AM.  If you have any additional questions about this process, contact the IT Division Help Desk (helpdesk@jlab.org or x7155).

Syndicate content