AEGIS (Academic and Educational Grid Initiative of Serbia)
2007 Annual Assembly
AEGIS Certification Authority and Applications
Branko Marović, RCUB
7 September 2007

AEGIS Certification Authority
- Accepted into the EUGridPMA at the meeting in Istanbul on 31 May 2007
- AEGIS CA Certificate Policy and Certification Practice Statement: http://aegis-ca.rcub.bg.ac.yu/
AEGIS Certification Authority
- Names
  - Issuer: C=RS, O=AEGIS, CN=AEGIS-CA
  - Subject: C=RS, O=AEGIS, OU=XXX, CN=Subject-name
  - Country: must be "RS"
  - Organization: must be "AEGIS"
  - OrganizationalUnit: must be the name of the subject's institute
  - CommonName: first name and last name of the subject for user certificates, DNS FQDN for server or service certificates
- End entity certificates
  - Maximum lifetime: 1 year
  - Key length: at least 1024 bits
- Person requesting a certificate
  - Must present a valid official identification document in person
- Server/Host/Service certificate
  - Can only be requested by the administrator of the particular host
  - The administrator must already have a valid AEGIS certificate
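The naming and key-length rules above are the kind of check an RA operator (or the CA's request-intake script) runs before a request is signed. The following is an added example, not code from the AEGIS CA or its CSP software: it parses a subject DN written as an RFC 4514 string and reports every rule it breaks. The strict attribute order (C, O, OU, CN) is this example's reading of the subject template on the slide; the FQDN test is a plain RFC 1123 hostname pattern; and the 1024-bit minimum is the 2007 figure from the slide, so the function takes the minimum as a parameter that a present-day deployment would raise to 2048 or more.

```python
"""Check a certificate or CSR subject and key size against the AEGIS CA naming
rules from the slide.  Added example, not AEGIS CA code.  Assumptions: the DN
arrives as an RFC 4514 string, the attribute order C, O, OU, CN is mandatory,
and the 1024-bit minimum is the 2007 slide value (parameterised so it can be
raised to today's 2048-bit floor)."""
import re

REQUIRED = {"C": "RS", "O": "AEGIS"}
MIN_KEY_BITS_2007 = 1024          # slide value; raise for modern deployments

# RFC 1123 hostname with at least one dot: labels of letters, digits, hyphens,
# ending in an alphabetic top-level label.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.I,
)


def parse_dn(dn):
    """Split 'C=RS, O=AEGIS, OU=RCUB, CN=Ana Anić' into ordered (attr, value)
    pairs.  A backslash escapes the following character, so a comma inside a
    value ('OU=Inst\\, dept') does not start a new RDN."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    pairs = []
    for p in parts:
        if "=" not in p:
            raise ValueError(f"malformed RDN: {p!r}")
        attr, _, value = p.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_subject(dn, key_bits, kind, min_key_bits=MIN_KEY_BITS_2007):
    """Return a list of policy violations; an empty list means the subject
    and key satisfy the rules.  kind is 'user' or 'host'."""
    problems = []
    pairs = parse_dn(dn)
    attrs = {}
    for attr, value in pairs:
        if attr in attrs:
            problems.append(f"duplicate attribute {attr}")
        attrs[attr] = value

    # Assumption: the subject template is taken literally, so the attribute
    # set and its order must be exactly C, O, OU, CN.
    if [a for a, _ in pairs] != ["C", "O", "OU", "CN"]:
        problems.append("subject must be exactly C, O, OU, CN in that order")
    for attr, want in REQUIRED.items():
        if attrs.get(attr) != want:
            problems.append(f"{attr} must be {want!r}, got {attrs.get(attr)!r}")
    if not attrs.get("OU"):
        problems.append("OU (subject's institute) is missing")

    cn = attrs.get("CN", "")
    if kind == "user":
        # first and last name: at least two words, and nothing that parses as a hostname
        if len(cn.split()) < 2 or FQDN_RE.match(cn):
            problems.append("user CN must be first name and last name")
    elif kind == "host":
        if not FQDN_RE.match(cn):
            problems.append("host/service CN must be a DNS FQDN")
    else:
        problems.append(f"unknown certificate kind {kind!r}")

    if key_bits < min_key_bits:
        problems.append(f"key length {key_bits} < minimum {min_key_bits}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real AEGIS subjects.
    for dn, bits, kind in [
        ("C=RS, O=AEGIS, OU=RCUB, CN=Ana Anić", 2048, "user"),
        ("C=RS, O=AEGIS, OU=RCUB, CN=ce.rcub.bg.ac.yu", 1024, "host"),
        ("C=YU, O=AEGIS, OU=RCUB, CN=ce.rcub.bg.ac.yu", 512, "user"),
    ]:
        print(dn, "->", check_subject(dn, bits, kind) or "OK")
```

Run with a higher `min_key_bits` when applying the check to anything issued after 2007; the slide's 1024-bit floor is only what the CP/CPS of that year required.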
Issuing the first certificate
- See the instructions at http://aegis-ca.rcub.bg.ac.yu/
- Create a PKCS#10 request; the easiest way is on one of the AEGIS UI machines
- Send the request and personal data (first and last name, e-mail, institution, address) through the AEGIS CA web interface or to aegis-ca@aegis-ca.rcub.bg.ac.yu
- A random 10-digit number is generated and an automatic e-mail reply is sent, informing the user:
  - that the certificate processing time is 3 working days
  - that they must appear in person at the AEGIS CA or RA office to confirm their identity
  - of the address and telephone numbers of the AEGIS CA/RA
  - of the procedure for authenticating the user's e-mail address: the generated number is split into two parts; the reply contains the first 5 digits, and the user receives the other 5 when they appear for authentication
- The user comes to the AEGIS CA or RA with a valid personal identification document and proof of affiliation with the institution named in the request
- The user sends the 10 digits from the registered e-mail address to the AEGIS CA/RA e-mail address
- The signed certificate is delivered to the e-mail address confirmed in this way
  - The user is informed that within 5 days they must send an e-mail signed with the received certificate, by which they accept the new certificate and the CP/CPS document
- The user can use the certificate for Grid access, for signing e-mail, for Web authentication and for data encryption. The certificate can be used through the AEGIS and SEE-GRID VOMS servers
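The split-code step above binds three things together: the applicant's claimed e-mail address (half the code goes there), an in-person identity check (the other half is handed over only after the ID and affiliation check) and the return channel (the full code must come back from the registered address). The following is an added simulation of that exchange, not code from the AEGIS CA; the `Enrolment` class, its method names and the sample applicant are this example's own. It also models the 5-day deadline for the signed acceptance e-mail.

```python
"""Simulation of the AEGIS CA first-issuance e-mail/identity check from the
slide.  Added example, not AEGIS CA code.  Assumptions: the 10-digit code is
drawn from the OS CSPRNG and split 5/5; the second half is released only after
the RA has checked the ID document and institutional affiliation; the
applicant name and address below are constructed."""
import hmac
import secrets
from datetime import datetime, timedelta

CODE_DIGITS = 10
ACCEPTANCE_WINDOW = timedelta(days=5)   # signed acceptance of cert and CP/CPS


class Enrolment:
    def __init__(self, name, email, institution, csr_pem):
        self.name, self.email, self.institution = name, email, institution
        self.csr_pem = csr_pem
        # zero-padded so the code is always exactly CODE_DIGITS long
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.identity_verified = False   # set by the CA/RA after the visit
        self.email_confirmed = False
        self.issued_at = None
        self.accepted = False

    def auto_reply(self):
        """Automatic reply to the registered address: first half of the code
        plus the instructions the slide lists."""
        return {
            "to": self.email,
            "code_part": self.code[:5],
            "processing_days": 3,
            "visit": "AEGIS CA/RA office with ID document and proof of affiliation",
        }

    def in_person_visit(self, id_document_ok, affiliation_ok):
        """RA step: the second half is handed over only if both checks pass."""
        if not (id_document_ok and affiliation_ok):
            return None
        self.identity_verified = True
        return self.code[5:]

    def confirm_email(self, from_address, code):
        """Applicant mails back all 10 digits.  Accept only if the identity
        step happened, the mail comes from the registered address and the
        code matches (constant-time comparison)."""
        if not self.identity_verified:
            return False
        if from_address.strip().lower() != self.email.lower():
            return False
        if len(code) != CODE_DIGITS or not (code.isascii() and code.isdigit()):
            return False
        if not hmac.compare_digest(code, self.code):
            return False
        self.email_confirmed = True
        return True

    def issue(self, now):
        """The signed certificate goes only to the confirmed address."""
        if not self.email_confirmed:
            raise PermissionError("e-mail address not confirmed")
        self.issued_at = now
        return {"to": self.email, "certificate": f"<certificate for {self.name}>"}

    def accept(self, signed_with_new_cert, now):
        """Signed acceptance of the certificate and CP/CPS within 5 days."""
        if self.issued_at is None or not signed_with_new_cert:
            return False
        if now - self.issued_at > ACCEPTANCE_WINDOW:
            return False
        self.accepted = True
        return True


if __name__ == "__main__":
    e = Enrolment("Ana Anić", "ana@rcub.bg.ac.yu", "RCUB", "<PKCS#10 request>")
    first = e.auto_reply()["code_part"]
    second = e.in_person_visit(id_document_ok=True, affiliation_ok=True)
    print("confirmed:", e.confirm_email("ana@rcub.bg.ac.yu", first + second))
    t0 = datetime(2007, 9, 7)
    print("issued to:", e.issue(t0)["to"])
    print("accepted:", e.accept(True, t0 + timedelta(days=2)))
```

The point of the constant-time comparison and the "from registered address" test is that neither half of the code alone, nor the full code sent from a different mailbox, gets a certificate delivered.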
Issuing subsequent certificates
- Re-key requests signed with a valid certificate issued by a CA accredited by the EUGridPMA are signed without the procedure above, since the user's identity has already been established
- The certificate used for signing and the request must refer to the same person, e-mail address and institution
- The CA/RA must still check that the person is affiliated with the institution named in the request; an institutional e-mail address is sufficient
Certificate generation and security
- Certificates are generated on an isolated computer in an office with restricted access
- Passwords of at least 15 characters are used; only the CA manager and the CA operator know the root password
- The computer runs CentOS with a minimum of services, and all security patches are applied
- The CSP software is used
- The computer has a CD-RW drive and USB ports for backup
- The hard disk is kept in an HDD rack and stored at a secure location; backups are made to CD-ROM and USB flash, which are also stored at a secure location. There will also be an off-site backup
- The CA site will allow only searching (not listing) of issued certificates; a list of generated certificates is kept
- When a certificate is revoked, the CRL is regenerated and immediately published on the CA site; the CRL is also regenerated every 30 days regardless of whether any certificate was revoked
Certificate Revocation
- Certificate Revocation List
  - Minimum/maximum lifetime: 7/30 days
  - CRL is updated immediately after every certificate revocation
  - CRL is issued at least 7 days before expiration
- Circumstances for revocation
  - Subscriber has ceased to be a member of, or associated with, an AEGIS-related institution, program or activity
  - Subscriber key is lost or suspected to be compromised
  - Information in the certificate is suspected to be inaccurate
  - Subscriber violated his/her obligations
  - Subscriber no longer needs the certificate
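The CRL rules on this slide and on the "Certificate generation and security" slide (regenerate on every revocation, regenerate every 30 days in any case, lifetime between 7 and 30 days, issue at least 7 days before expiration) have two consumers: the CA deciding when it must publish, and a relying party deciding whether the CRL it holds is still trustworthy. The following is an added example, not AEGIS CA code, that expresses both decisions; the 5-minute clock-skew allowance is this example's assumption, not a value from the slides.

```python
"""CRL issuance and freshness rules from the AEGIS CA slides, as an added
example (not AEGIS CA code).  Assumptions: nextUpdate - thisUpdate is the
CRL lifetime; the CA publishes a fresh CRL immediately on revocation and
otherwise once it is within 7 days of nextUpdate; the relying-party clock
skew allowance of 5 minutes is this example's choice."""
from datetime import datetime, timedelta

MIN_LIFETIME = timedelta(days=7)
MAX_LIFETIME = timedelta(days=30)
REISSUE_LEAD = timedelta(days=7)   # publish a new CRL this long before expiry


def crl_times(this_update, lifetime=MAX_LIFETIME):
    """thisUpdate/nextUpdate pair for a freshly issued CRL; lifetimes outside
    the published 7..30-day policy are rejected."""
    if not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:
        raise ValueError("CRL lifetime outside 7..30 days")
    return this_update, this_update + lifetime


def ca_must_issue(now, current_next_update, revoked_since_last):
    """CA-side decision.  A revocation forces an immediate CRL; otherwise a
    new one is due once inside the 7-day lead window before nextUpdate.
    Returns (must_issue, reason)."""
    if revoked_since_last:
        return True, "revocation since last CRL"
    if now >= current_next_update - REISSUE_LEAD:
        return True, "within 7 days of nextUpdate"
    return False, "current CRL still fresh"


def relying_party_accepts(now, this_update, next_update,
                          clock_skew=timedelta(minutes=5)):
    """Relying-party check.  Rejects a CRL whose lifetime violates the CA's
    policy, one dated in the future, or an expired one (stale revocation
    data must not be used).  A CRL in its last 7 days is still valid, but a
    newer one should already be on the CA site, so the reason says so.
    Returns (accept, reason)."""
    lifetime = next_update - this_update
    if lifetime < MIN_LIFETIME or lifetime > MAX_LIFETIME:
        return False, "lifetime outside CA policy"
    if this_update > now + clock_skew:
        return False, "thisUpdate in the future"
    if now > next_update + clock_skew:
        return False, "CRL expired; fetch a fresh one"
    if now >= next_update - REISSUE_LEAD:
        return True, "ok, but a newer CRL should be available; re-fetch"
    return True, "ok"


if __name__ == "__main__":
    t0 = datetime(2007, 9, 7)               # constructed issue date
    this_update, next_update = crl_times(t0)
    print("nextUpdate:", next_update)
    for day, revoked in [(1, True), (10, False), (23, False)]:
        print(f"day {day:2d}:", ca_must_issue(t0 + timedelta(days=day), next_update, revoked))
    print("relying party on day 31:",
          relying_party_accepts(t0 + timedelta(days=31), this_update, next_update))
```

A relying party that keeps using a CRL past nextUpdate is the failure mode the 7/30-day rule guards against: it would keep trusting a key the CA has already revoked.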
Contact
AEGIS CA: http://aegis-ca.rcub.bg.ac.yu/
University of Belgrade Computer Center
Kumanovska bb
Beograd 126119
Serbia
Phone: +381 11 3031257, +381 11 3031258
Fax: +381 11 3031259
e-mail: aegis-ca@aegis-ca.rcub.bg.ac.yu
Dušan Radovanović, e-mail: dusan.radovanovic@rcub.bg.ac.yu
SEE-GRID-2 Application Selection
- ARC (Application Review Committee)
- Large number of potential applications
- For reasons of scalability, it was decided that only a subset of the applications will be supported
- Candidate application developers fill in the online Continuous Grid Application Questionnaire, submitting data on their applications
  - http://questionnaire.rcub.bg.ac.yu//survey.php?sid=32
- Application ranking criteria were developed jointly through e-mail discussion among the consortium WP4 partners from all countries
- 32 applications in total were submitted initially; 23 were assessed with the questionnaire
Application Lifecycle
(diagram not preserved in this extract)
SEE-GRID 2 Applications
(two slides; their content is not preserved in this extract)
Developer Resources
- The Grid environment is constantly evolving, but
  - Useful features persist
  - New ones are constantly being added
  - Bugs are being fixed
  - Gained knowledge remains relevant, but must be kept up to date
  - Applications can be easily migrated to new/updated APIs
- gLite User Guide
  - https://edms.cern.ch/file/722398//gLite-3-UserGuide.pdf
- SEE-GRID Gridification Guide
  - http://wiki.egee-see.org/index.php/SG_Gridification_Guide
- SEEGRID Wiki
  - http://wiki.egee-see.org/index.php/SEE-GRID_Wiki
- gLite documentation
  - http://glite.web.cern.ch/glite/documentation/
SEE-GRID-2 Application Support
- Application support group (ASG): experienced developers and admins
  - National-level application support
  - SEE-GRID: global-level application support
- Works in close collaboration with WP5 (training) and WP3 (software requirements, maintenance of performance)
- What the Web is for data, the Grid will be for computing resources!
- Grid: the next step in the evolution of the Internet
- Access to computers will become a utility like electricity, telephone or water