AEGIS Certification Authority and Applications Branko Marović RCUB


Page 1: AEGIS Certification Authority and Applications

7 September 2007

AEGIS (Academic and Educational Grid Initiative of Serbia)

2007 Annual Assembly

AEGIS Certification Authority and Applications

Branko Marović, RCUB

Page 2: AEGIS Certification Authority

Accepted into EUGridPMA at the meeting in Istanbul on 31.5.2007.

AEGIS CA Certificate Policy and Certification Practice Statement

http://aegis-ca.rcub.bg.ac.yu/

Page 3: AEGIS Certification Authority Names

- Issuer: C=RS, O=AEGIS, CN=AEGIS-CA
- Subject: C=RS, O=AEGIS, OU=XXX, CN=Subject-name
- Country: must be “RS”
- Organization: must be “AEGIS”
- OrganizationUnit: must be the name of the subject's institute
- CommonName: first name and last name of the subject for user certificates; DNS FQDN for server or service certificates

End Entity Certificates
- Maximum lifetime: 1 year
- Key length: at least 1024 bits

Person requesting a certificate
- Presentation in person of a valid official identification document

Server/Host/Service certificate
- Can only be requested by the administrator of the particular host
- The administrator must already have a valid AEGIS certificate
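A checker for the naming and end-entity rules above, added here as an example (it is not the AEGIS CA's own software); the set of accepted institute names passed as `institutes` and the attribute order in the DN string are assumptions:

```python
import re
from datetime import date

REQUIRED_C, REQUIRED_O, MIN_KEY_BITS = "RS", "AEGIS", 1024   # limits stated on the slide
# Host/service CN: a DNS FQDN (RFC 1123 labels, at least one dot).
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# User CN: first and last name, letters only (diacritics as in 'Marović' allowed).
PERSON_RE = re.compile(r"^[^\W\d_]+(?:[ '-][^\W\d_]+)+$")

def parse_dn(dn):
    """Split 'C=RS, O=AEGIS, OU=X, CN=Y' into a dict; reject malformed or repeated attributes."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not key or key in attrs:
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        attrs[key] = value
    return attrs

def check_subject(dn, institutes):
    """Return (kind, problems); 'institutes' is the caller's set of valid OU names (an assumption)."""
    a = parse_dn(dn)
    problems = []
    for attr, want in (("C", REQUIRED_C), ("O", REQUIRED_O)):
        if a.get(attr) != want:
            problems.append(f"{attr} must be {want}")
    if a.get("OU") not in institutes:
        problems.append("OU must be the name of the subject's institute")
    cn = a.get("CN", "")
    if FQDN_RE.match(cn):
        kind = "host"          # server/service certificate
    elif PERSON_RE.match(cn):
        kind = "user"          # personal certificate
    else:
        kind = None
        problems.append("CN must be 'First Last' or a DNS FQDN")
    return kind, problems

def check_end_entity(key_bits: int, not_before: date, not_after: date):
    """Enforce the end-entity limits: key length and a validity period of at most one year."""
    problems = []
    if key_bits < MIN_KEY_BITS:
        problems.append(f"key length {key_bits} below {MIN_KEY_BITS} bits")
    try:
        limit = not_before.replace(year=not_before.year + 1)
    except ValueError:         # notBefore on 29 February
        limit = not_before.replace(year=not_before.year + 1, day=28)
    if not_after > limit:
        problems.append("validity exceeds the 1 year maximum")
    return problems
```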

Page 4: Issuing the first certificate

- See the instructions at http://aegis-ca.rcub.bg.ac.yu/
- Create a PKCS#10 request; the easiest way is on one of the AEGIS UI machines
- Send the request and personal data (first and last name, e-mail, institution, address) via the AEGIS CA web interface or to [email protected].
- A random 10-digit number is generated and an automatic e-mail reply is sent informing the user:
  - that the certificate processing time is 3 working days
  - that they must appear in person at the AEGIS CA or RA office to confirm their identity
  - of the address and telephone numbers of the AEGIS CA/RA
  - of the procedure for authenticating the user's e-mail address: the generated number is split into two parts. The reply contains the first 5 digits; the user receives the other 5 when appearing in person for authentication.
- The user comes to the AEGIS CA or RA with a valid personal identification document and proof of affiliation with the institution named in the request.
- The user sends the 10 digits from the registered e-mail address to the AEGIS CA/RA e-mail. The signed certificate is delivered to the e-mail address confirmed in this way.
- The user is informed that within 5 days they must send an e-mail signed with the received certificate, accepting the new certificate and the CP/CPS document.
- The user can use the certificate for Grid access, e-mail signing, Web authentication and data encryption. The certificate can be used through the AEGIS and SEE-GRID VOMS servers.
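The procedure above, modelled end to end as an added example (not the CA's own code): the 10-digit code is split between the automatic reply and the office visit, and the certificate is signed only after both the in-person check and the e-mail check pass. The e-mail addresses, class and method names are constructed for illustration:

```python
import hmac
import secrets
from datetime import datetime, timedelta

PROCESSING_TIME = timedelta(days=3)     # "processing time is 3 working days"
ACCEPTANCE_WINDOW = timedelta(days=5)   # signed acceptance e-mail within 5 days

class EnrollmentRequest:
    """Tracks one first-issuance request through the AEGIS CA procedure.
    Constructed model for illustration, not the CA's own software."""

    def __init__(self, email, institution):
        self.email, self.institution = email, institution
        code = f"{secrets.randbelow(10**10):010d}"   # random 10-digit number
        self.email_half = code[:5]        # goes out in the automatic e-mail reply
        self.office_half = code[5:]       # handed over at the CA/RA office
        self.identity_verified = self.email_verified = False
        self.issued_at = None

    def auto_reply(self):
        return (f"Processing time: {PROCESSING_TIME.days} working days. Appear in person at the "
                f"AEGIS CA/RA office with an ID document. First part of your code: {self.email_half}")

    def verify_in_person(self, id_document_ok, affiliation_ok):
        """RA officer checks the ID document and institutional affiliation; returns the second half."""
        if not (id_document_ok and affiliation_ok):
            return None
        self.identity_verified = True
        return self.office_half

    def verify_email(self, sender, code):
        """The full code must arrive from the e-mail address given in the request."""
        expected = self.email_half + self.office_half
        if len(code) != 10 or not (code.isascii() and code.isdigit()):
            return False
        ok = sender.lower() == self.email.lower() and hmac.compare_digest(code, expected)
        self.email_verified = self.email_verified or ok
        return ok

    def issue(self, now: datetime):
        """Sign only after both channels are confirmed; deliver to the confirmed address."""
        if not (self.identity_verified and self.email_verified):
            raise PermissionError("identity and e-mail address must both be verified first")
        self.issued_at = now
        return self.email

    def acceptance_ok(self, signed_mail_at, signed_with_new_cert):
        """The signed acceptance of the certificate and CP/CPS must arrive within 5 days."""
        return (signed_with_new_cert and self.issued_at is not None
                and signed_mail_at - self.issued_at <= ACCEPTANCE_WINDOW)
```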

Page 5: Issuing subsequent certificates

- Re-key requests signed with a valid certificate issued by an EUGridPMA-accredited CA will be signed without the preceding procedure, because the user's identity has already been established.
- The certificate used and the request must refer to the same person, e-mail address and institution.
- The CA/RA must still verify that the person is affiliated with the institution named in the request; an institutional e-mail address is sufficient.

Page 6: Certificate generation and security

- Certificates are generated on an isolated computer in an office with restricted access.
- Passwords of at least 15 characters are used. Only the CA manager and the CA operator know the root password.
- The computer runs the CentOS operating system with a minimum of services; all security patches are applied. CSP software is used.
- The computer has a CD-RW drive and USB connectors for backup. The hard disk is kept in an HDD rack and stored in a secure location.
- Backups are made to CD-ROM and USB flash, which are also stored in a secure location. There will also be an off-site backup.
- The CA site will allow only searching (not listing) of issued certificates. A list of generated certificates is kept.
- When a certificate is revoked, the CRL is regenerated and published immediately on the CA site. The CRL is also regenerated every 30 days, regardless of whether any certificates were revoked.

Page 7: Certificate Revocation

Certificate Revocation List
- Minimum/maximum lifetime: 7/30 days
- CRL is updated immediately after every certificate revocation
- CRL is issued at least 7 days before expiration

Circumstances for revocation
- Subscriber has ceased to be a member of, or associated with, an AEGIS-related institution, program or activity
- Subscriber key is lost or suspected to be compromised
- Information in the certificate is suspected to be inaccurate
- Subscriber violated his/her obligations
- Subscriber does not need the certificate any more
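The CRL timing rules from this slide and the previous one (30-day lifetime, a fresh CRL at least 7 days before expiry, immediate reissue on revocation), as an added example model rather than the CA's own code; the class name and the `crl_usable` relying-party helper are assumptions:

```python
from datetime import datetime, timedelta

CRL_LIFETIME = timedelta(days=30)   # maximum CRL lifetime stated on the slide
REISSUE_LEAD = timedelta(days=7)    # a fresh CRL is issued at least 7 days before expiry

class CrlIssuer:
    """Tracks when the CA must (re)issue its CRL. Constructed model, not the AEGIS CA's software."""

    def __init__(self, now: datetime):
        self.revoked = {}               # serial number -> revocation time
        self.this_update = self.next_update = None
        self.issue(now)

    def issue(self, now):
        """Publish a new CRL valid for 30 days; returns the serials it lists."""
        self.this_update = now
        self.next_update = now + CRL_LIFETIME
        return sorted(self.revoked)

    def revoke(self, serial, now):
        """A revocation is followed immediately by a new CRL (slide: 'updated immediately')."""
        self.revoked[serial] = now
        return self.issue(now)

    def reissue_deadline(self):
        """Latest moment for the next scheduled CRL: 7 days before the current one expires."""
        return self.next_update - REISSUE_LEAD

    def reissue_due(self, now):
        """True once the scheduled reissue point is reached, even with no new revocations."""
        return now >= self.reissue_deadline()

def crl_usable(crl, now):
    """Relying-party check: a CRL outside [thisUpdate, nextUpdate] must not be used (fail closed)."""
    return crl.this_update <= now <= crl.next_update
```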

Page 8: Contact

http://aegis-ca.rcub.bg.ac.yu/

University of Belgrade Computer Center
Kumanovska bb
Beograd 126119
Serbia

Phone: +381 11 3031257, +381 11 3031258
Fax: +381 11 3031259
e-mail: [email protected]

Dušan Radovanović
e-mail: [email protected]

Page 9: SEE-GRID-2 Application Selection

- ARC (Application Review Committee)
- Large number of potential applications
- For reasons of scalability, it was decided that only a subset of the applications will be supported
- Candidate application developers fill in the online Continuous Grid Application Questionnaire, submitting data on their applications: http://questionnaire.rcub.bg.ac.yu//survey.php?sid=32
- Application ranking criteria were developed jointly through e-mail discussion among the consortium WP4 partners from all countries.
- 32 applications in total were submitted initially. 23 were assessed with the questionnaire.

Page 10: Application Lifecycle

Page 11: SEE-GRID2 Applications

[Pie chart: share of SEE-GRID2 applications by domain. Categories: Astrophysics, Physics, Biomedical, Earth sciences, Chemistry, Engineering / Computer science, Arts & Humanities / Data mining, Other. Shares as extracted (mapping to categories not recoverable): 5%, 9%, 11%, 12%, 7%, 28%, 9%, 19%.]

Page 12: SEE-GRID2 Applications

Page 13: Developer Resources

The Grid environment is constantly evolving, but:
- Useful features persist
- New ones are constantly being added
- Bugs are being fixed
- Gained knowledge remains relevant, but must be kept up to date
- Applications can be easily migrated to new/updated APIs

- gLite User Guide: https://edms.cern.ch/file/722398//gLite-3-UserGuide.pdf
- SEE-GRID Gridification Guide: http://wiki.egee-see.org/index.php/SG_Gridification_Guide
- SEEGRID Wiki: http://wiki.egee-see.org/index.php/SEE-GRID_Wiki
- gLite documentation: http://glite.web.cern.ch/glite/documentation/

Page 14: SEE-GRID-2 Application Support

- Application support group (ASG): experienced developers & admins
- National-level application support
- SEE-GRID: global-level application support
- Work in close collaboration with WP5 (training) and WP3 (software requirements, maintenance of performance)

Page 15

What the Web is for data, the Grid will be for computing resources!

Grid: the next step in the evolution of the Internet.

Access to computers will become a utility like electricity, telephone or water.