AEGIS Certification Authority and Applications Branko Marović RCUB

Presentation Transcript


  1. AEGIS Certification Authority and Applications Branko Marović RCUB

  2. AEGIS Certification Authority
  • Accepted into EUGridPMA at the meeting in Istanbul on 31.5.2007.
  • AEGIS CA Certificate Policy and Certification Practice Statement
  • http://aegis-ca.rcub.bg.ac.yu/
  AEGIS 2007 Annual Assembly

  3. AEGIS Certification Authority
  • Names
    • Issuer: C=RS, O=AEGIS, CN=AEGIS-CA
    • Subject: C=RS, O=AEGIS, OU=XXX, CN=Subject-name
    • Country: Must be “RS”
    • Organization: Must be “AEGIS”
    • OrganizationUnit: Must be the name of the subject's institute
    • CommonName: First name and last name of the subject for user certificates, DNS FQDN for server or service certificates
  • End Entity Certificates
    • Maximum lifetime: 1 year
    • Key length: at least 1024 bits
  • Person requesting a certificate
    • Presentation in person of a valid official identification document
  • Server/Host/Service certificate
    • Can only be requested by the administrator of the particular host
    • The administrator must already have a valid AEGIS certificate

  4. Issuing the first certificate
  • See the instructions at http://aegis-ca.rcub.bg.ac.yu/
  • Create a PKCS#10 request; the easiest way is on one of the AEGIS UI machines
  • Send the request and personal details (first and last name, e-mail, institution, address) through the AEGIS CA web interface or to aegis-ca@aegis-ca.rcub.bg.ac.yu
  • A random 10-digit number is generated and an automatic e-mail reply is sent, informing the user:
    • that certificate processing takes 3 working days
    • that they must appear in person at the AEGIS CA or RA office to confirm their identity
    • of the address and telephone numbers of the AEGIS CA/RA
    • of the process for authenticating the user's e-mail address: the generated number is split into two parts. The reply contains the first 5 digits; the user receives the other 5 when appearing for authentication.
  • The user comes to the AEGIS CA or RA with a valid personal identification document and proof of affiliation with the institution stated in the request.
  • The user sends the 10 digits from the registered e-mail address to the AEGIS CA/RA e-mail address
  • The signed certificate is delivered to the e-mail address confirmed in this way
  • The user is informed that within 5 days they must send an e-mail signed with the received certificate, accepting the new certificate and the CP/CPS document
  • The user can use the certificate for Grid access, e-mail signing, Web authentication and data encryption. The certificate can be used through the AEGIS and SEE-GRID VOMS servers

  5. Issuing subsequent certificates
  • Re-key requests signed with a valid certificate issued by a EUGridPMA-accredited CA are signed without the preceding procedure, since the user's identity has already been established.
  • The certificate used and the request must refer to the same person, e-mail address and institution.
  • The CA/RA must still verify that the person is affiliated with the institution stated in the request; an institutional e-mail address is sufficient.

  6. Certificate generation and security
  • Certificates are generated on an isolated computer, in an office with restricted access.
  • Passwords of at least 15 characters are used. Only the CA manager and the CA operator know the root password.
  • The computer runs the CentOS operating system with a minimum of services; all security patches are applied. CSP software is used.
  • The computer has a CD-RW drive and USB connectors for backup.
  • The hard disk is placed in an HDD rack and kept at a secure location.
  • Backups are made to CD-ROM and USB flash, which are also kept at a secure location. There will also be an off-site backup.
  • The CA site will allow only searching (not listing) of issued certificates.
  • A list of generated certificates is kept.
  • When a certificate is revoked, the CRL is regenerated and published immediately on the CA site. The CRL is also regenerated every 30 days, regardless of whether any certificates were revoked.

  7. Certificate Revocation
  • Certificate Revocation List
    • Minimum/maximum lifetime: 7/30 days
    • CRL is updated immediately after every certificate revocation
    • CRL is issued at least 7 days before expiration
  • Circumstances for revocation
    • Subscriber has ceased to be a member of, or associated with, an AEGIS-related institution, program or activity
    • Subscriber key is lost or suspected to be compromised
    • Information in the certificate is suspected to be inaccurate
    • Subscriber violated his/her obligations
    • Subscriber does not need the certificate any more
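A conformance check of issued-certificate metadata against the naming, lifetime and CRL rules stated on slides 3 and 7, as an added example (not AEGIS CA software): DN strings are assumed to be simple comma-separated attribute lists without escaped commas, "1 year" is taken as 365 days, and every sample value (names, hostnames, dates) is constructed.

```python
# Added example: checks certificate metadata against the AEGIS CP/CPS rules on slides 3 and 7.
from datetime import datetime, timedelta

ISSUER_DN = "C=RS,O=AEGIS,CN=AEGIS-CA"
MAX_LIFETIME = timedelta(days=365)  # slide 3: "1 year", taken as 365 days (assumption)
MIN_KEY_BITS = 1024                 # slide 3: key length at least 1024 bits
CRL_MIN_LIFE, CRL_MAX_LIFE = timedelta(days=7), timedelta(days=30)  # slide 7
SAMPLE_NOT_BEFORE = datetime(2007, 6, 1)  # constructed issue date for the examples
ONE_DAY = timedelta(days=1)

def parse_dn(dn):
    """Split 'C=RS, O=AEGIS, OU=X, CN=Y' into ordered (attribute, value) pairs.
    Assumes no escaped commas inside values."""
    pairs = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs

def check_end_entity(subject_dn, issuer_dn, not_before, not_after, key_bits, is_host=False):
    """Return the CP/CPS rules the certificate breaks; an empty list means conformant."""
    errors = []
    if parse_dn(issuer_dn) != parse_dn(ISSUER_DN):
        errors.append("issuer is not C=RS, O=AEGIS, CN=AEGIS-CA")
    pairs = parse_dn(subject_dn)
    attrs = dict(pairs)
    if [attr for attr, _ in pairs] != ["C", "O", "OU", "CN"]:
        errors.append("subject must be exactly C, O, OU, CN in that order")
    if attrs.get("C") != "RS":
        errors.append("C must be RS")
    if attrs.get("O") != "AEGIS":
        errors.append("O must be AEGIS")
    if not attrs.get("OU"):
        errors.append("OU (subject's institute) is missing")
    cn = attrs.get("CN", "")
    if is_host:
        # Host/service certificates carry the DNS FQDN, never a personal name
        if " " in cn or "." not in cn:
            errors.append("host CN must be a DNS FQDN")
    elif len(cn.split()) < 2:
        errors.append("user CN must be first name and last name")
    if not_after - not_before > MAX_LIFETIME:
        errors.append("lifetime exceeds 1 year")
    if key_bits < MIN_KEY_BITS:
        errors.append("key shorter than 1024 bits")
    return errors

def crl_lifetime_ok(this_update, next_update):
    """Slide 7: a CRL must be valid for at least 7 and at most 30 days."""
    return CRL_MIN_LIFE <= next_update - this_update <= CRL_MAX_LIFE
```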

  8. Contact
  http://aegis-ca.rcub.bg.ac.yu/
  University of Belgrade Computer Center
  Kumanovska bb
  Beograd 126119
  Serbia
  Phone: +381 11 3031257, +381 11 3031258
  Fax: +381 11 3031259
  e-mail: aegis-ca@aegis-ca.rcub.bg.ac.yu
  Dušan Radovanović, e-mail: dusan.radovanovic@rcub.bg.ac.yu

  9. SEE-GRID-2 Application Selection
  • ARC (Application Review Committee)
  • Large number of potential applications
  • For reasons of scalability, it was decided that only a subset of the applications will be supported
  • Candidate application developers fill in the online Continuous Grid Application Questionnaire, submitting data on their applications
    • http://questionnaire.rcub.bg.ac.yu//survey.php?sid=32
  • Application ranking criteria were developed jointly through e-mail discussion among the consortium WP4 partners from all countries.
  • 32 applications in total were submitted initially. 23 were assessed with the questionnaire.

  10. Application Lifecycle

  11. SEE-GRID2 Applications

  12. SEE-GRID2 Applications

  13. Developer Resources
  • The Grid environment is constantly evolving, but
    • Useful features persist
    • New ones are constantly being added
    • Bugs are being fixed
    • Gained knowledge remains relevant, but must be kept up to date
    • Applications can be easily migrated to new/updated APIs
  • gLite User Guide
    • https://edms.cern.ch/file/722398//gLite-3-UserGuide.pdf
  • SEE-GRID Gridification Guide
    • http://wiki.egee-see.org/index.php/SG_Gridification_Guide
  • SEEGRID Wiki
    • http://wiki.egee-see.org/index.php/SEE-GRID_Wiki
  • gLite documentation
    • http://glite.web.cern.ch/glite/documentation/

  14. SEE-GRID-2 Application Support
  • Application support group (ASG): experienced developers and admins
  • National-level application support
  • SEE-GRID: global-level application support
  • Works in close collaboration with WP5 (training) and WP3 (software requirements, maintenance of performance)

  15. What the Web is for data, the Grid will be for computing resources!
  • Grid: the next step in the evolution of the Internet.
  • Access to computers will become a utility like electricity, telephone or water.
