7 September 2007
AEGIS: Academic and Educational Grid Initiative of Serbia
2007 Annual Assembly
AEGIS Certification Authority and Applications
Branko Marović, RCUB
AEGIS Certification Authority
Accepted into EUGridPMA at the meeting in Istanbul on 31 May 2007.
AEGIS CA Certificate Policy and Certification Practice Statement
http://aegis-ca.rcub.bg.ac.yu/
AEGIS Certification Authority Names
Issuer: C=RS, O=AEGIS, CN=AEGIS-CA
Subject: C=RS, O=AEGIS, OU=XXX, CN=Subject-name
  Country: must be “RS”
  Organization: must be “AEGIS”
  OrganizationUnit: must be the name of the subject's institute
  CommonName: first name and last name of the subject for user certificates, DNS FQDN for server or service certificates
End Entity Certificates
  Maximum lifetime: 1 year
  Key length: at least 1024 bits
Person requesting a certificate
  Presentation in person of a valid official identification document
Server/Host/Service certificate
  Can only be requested by the administrator of the particular host
  The administrator must already have a valid AEGIS certificate
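An added example (not AEGIS CA software) of checking a request against the naming and end-entity rules above. The DN string form is the one shown on the slide; the FQDN pattern, the two-word rule for a person's name and "1 year = 365 days" are assumptions.

```python
import re

# Policy constants taken from the AEGIS CA naming slide.
REQUIRED = {"C": "RS", "O": "AEGIS"}
MAX_LIFETIME_DAYS = 365      # assumption: "1 year" counted as 365 days
MIN_KEY_BITS = 1024
# Assumed FQDN shape for host/service CNs: at least two labels, alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def parse_dn(dn):
    """Parse 'C=RS, O=AEGIS, OU=XXX, CN=Subject-name' into (attr, value) pairs.
    Values containing commas are not supported (assumption; matches the slide's form)."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_subject(dn, cert_type):
    """Return policy violations for a subject DN (empty list = compliant).
    cert_type is 'user' (person) or 'host' (server/host/service)."""
    attrs = dict(parse_dn(dn))
    problems = []
    for attr, want in REQUIRED.items():
        if attrs.get(attr) != want:
            problems.append("%s must be %r, got %r" % (attr, want, attrs.get(attr)))
    if not attrs.get("OU"):
        problems.append("OU (subject's institute) is missing")
    cn = attrs.get("CN", "")
    if cert_type == "user":
        if len(cn.split()) < 2:           # first name and last name expected
            problems.append("user CN must contain first and last name")
    elif cert_type == "host":
        if not FQDN_RE.match(cn.lower()):
            problems.append("host/service CN must be a DNS FQDN")
    else:
        problems.append("unknown certificate type %r" % cert_type)
    return problems


def check_validity(not_before, not_after, key_bits):
    """End-entity limits: at most 1 year lifetime and at least 1024-bit keys."""
    problems = []
    if (not_after - not_before).days > MAX_LIFETIME_DAYS:
        problems.append("lifetime exceeds 1 year")
    if key_bits < MIN_KEY_BITS:
        problems.append("key shorter than 1024 bits")
    return problems
```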
Issuing the first certificate
See the instructions at http://aegis-ca.rcub.bg.ac.yu/
Create a PKCS#10 request; the easiest way is on one of the AEGIS UI machines.
Send the request and personal data (first and last name, e-mail, institution, address) via the AEGIS CA web interface or to [email protected].
A random 10-digit number is generated and an automatic e-mail reply is sent informing the user:
  that the certificate processing time is 3 working days;
  that the user must appear in person at the AEGIS CA or RA office to confirm their identity;
  of the address and telephone numbers of the AEGIS CA/RA;
  of the process for authenticating the user's e-mail: the generated number is split into two parts. The reply contains the first 5 digits, while the user receives the other 5 when appearing for authentication.
The user comes to the AEGIS CA or RA with a valid personal identification document and proof of affiliation with the institution stated in the request.
The user sends the 10 digits from the registered e-mail address to the AEGIS CA/RA e-mail address.
The signed certificate is delivered to the e-mail address confirmed in this way.
The user is informed that within 5 days they must send an e-mail signed with the received certificate, accepting the new certificate and the CP/CPS document.
The user can use the certificate for Grid access, e-mail signing, web authentication and data encryption. The certificate can also be used through the AEGIS and SEE-GRID VOMS servers.
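The first-issuance procedure above as an added example (not the AEGIS CA's own system): a request object that enforces the order of the steps, the split 10-digit code, the registered sender address and the 5-day acceptance window. The class name, the in-memory state and the e-mail addresses in the usage are constructed for illustration.

```python
import secrets
from datetime import timedelta

ACCEPT_DEADLINE = timedelta(days=5)   # acceptance e-mail due within 5 days of issue


class FirstIssuanceRequest:
    """One first-time request walking through the CA/RA steps, in order."""

    def __init__(self, name, email, institute):
        self.name, self.email, self.institute = name, email, institute
        code = "%010d" % secrets.randbelow(10 ** 10)   # random 10-digit number
        self.email_half, self.in_person_half = code[:5], code[5:]
        self.identity_verified = False   # set by the RA after the in-person visit
        self.email_confirmed = False
        self.issued_on = None
        self.accepted = False

    def verify_in_person(self, document_ok, affiliation_ok):
        """RA step: valid ID document and proof of the link to the stated institute."""
        self.identity_verified = bool(document_ok and affiliation_ok)
        return self.identity_verified

    def confirm_email(self, sender, code):
        """Subscriber mails all 10 digits from the address given in the request."""
        if not self.identity_verified or sender.lower() != self.email.lower():
            return False
        if not secrets.compare_digest(code, self.email_half + self.in_person_half):
            return False
        self.email_confirmed = True
        return True

    def issue(self, today):
        """The certificate is sent only to the confirmed address."""
        if not self.email_confirmed:
            raise RuntimeError("e-mail address not confirmed")
        self.issued_on = today
        return today

    def accept(self, signed_with_new_cert, today):
        """Acceptance of the certificate and CP/CPS, signed with the new cert, within 5 days."""
        if self.issued_on is None or not signed_with_new_cert:
            return False
        if today - self.issued_on > ACCEPT_DEADLINE:
            return False
        self.accepted = True
        return True
```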
Issuing subsequent certificates
Re-key requests signed with a valid certificate issued by a CA accredited by EUGridPMA will be signed without the preceding procedure, since the user's identity has already been established.
The certificate used and the request must refer to the same person, e-mail address and institution.
The CA/RA must still check that the person is affiliated with the institution stated in the request; an institutional e-mail address is sufficient.
Certificate generation and security
Certificates are generated on an isolated computer in an office with restricted access.
Passwords of at least 15 characters are used. Only the CA manager and the CA operator know the root password.
The computer runs the CentOS operating system with a minimum of services; all security patches are applied. CSP software is used.
The computer has a CD-RW drive and USB connectors for backup. The hard disk is kept in an HDD rack and stored in a secure location.
Backups are made to CD-ROM and USB flash, which are also kept in a secure location. There will also be an off-site backup.
The CA website will allow only searching (not listing) of issued certificates. A list of generated certificates is kept.
When a certificate is revoked, the CRL is regenerated and immediately published on the CA website. The CRL is also regenerated every 30 days, regardless of whether any certificates have been revoked.
Certificate Revocation
Certificate Revocation List
  Minimum/maximum lifetime: 7/30 days
  CRL is updated immediately after every certificate revocation
  CRL is issued at least 7 days before expiration
Circumstances for revocation
  Subscriber has ceased to be a member of, or associated with, an AEGIS-related institution, program or activity
  Subscriber key is lost or suspected to be compromised
  Information in the certificate is suspected to be inaccurate
  Subscriber violated his/her obligations
  Subscriber no longer needs the certificate
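An added example (not AEGIS CA code) applying the CRL rules from this slide and from the generation slide above: a new CRL immediately after a revocation, a lifetime between 7 and 30 days, and re-issue at least 7 days before expiry. The reason labels are constructed names for the circumstances listed above, and the class is an in-memory model, not the CA's real CRL store.

```python
from datetime import timedelta

CRL_MIN_LIFETIME = timedelta(days=7)
CRL_MAX_LIFETIME = timedelta(days=30)
REISSUE_MARGIN = timedelta(days=7)     # issue a fresh CRL at least 7 days before expiry
# Constructed labels for the revocation circumstances listed on the slide.
REVOCATION_REASONS = {"affiliation_ended", "key_compromise", "inaccurate_info",
                      "obligations_violated", "no_longer_needed"}


def valid_crl_lifetime(this_update, next_update):
    """Relying-party check: a CRL lifetime outside 7..30 days violates the policy."""
    return CRL_MIN_LIFETIME <= next_update - this_update <= CRL_MAX_LIFETIME


class CrlState:
    """Tracks the published CRL and decides when a new one is due."""

    def __init__(self, issued):
        self.revoked = {}                # serial -> (revocation date, reason)
        self.unpublished = False         # a revocation was recorded since the last CRL
        self.publish(issued)

    def revoke(self, serial, when, reason):
        if reason not in REVOCATION_REASONS:
            raise ValueError("not a CP/CPS revocation circumstance: %r" % reason)
        self.revoked[serial] = (when, reason)
        self.unpublished = True

    def must_publish(self, today):
        """Return (needed, why) for the CA operator's daily check."""
        if self.unpublished:
            return True, "certificate revoked since last CRL"
        if today >= self.next_update - REISSUE_MARGIN:
            return True, "within 7 days of CRL expiry"
        return False, "current CRL still valid"

    def publish(self, today):
        """Issue a new CRL with the maximum 30-day lifetime."""
        self.this_update = today
        self.next_update = today + CRL_MAX_LIFETIME
        self.unpublished = False
        return sorted(self.revoked)      # serials carried on the new CRL
```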
Contact
http://aegis-ca.rcub.bg.ac.yu/
University of Belgrade Computer Center
Kumanovska bb
Beograd 126119
Serbia
Phone: +381 11 3031257, +381 11 3031258
Fax: +381 11 3031259
e-mail: [email protected]
Dušan Radovanović, e-mail: [email protected]
SEE-GRID-2 Application Selection
ARC (Application Review Committee)
There is a large number of potential applications. For reasons of scalability, it was decided that only a subset of the applications will be supported.
Candidate application developers fill in the online Continuous Grid Application Questionnaire, submitting data on their applications: http://questionnaire.rcub.bg.ac.yu//survey.php?sid=32
Application ranking criteria were developed jointly, through e-mail discussion within the consortium, by WP4 partners from all countries.
32 applications in total were submitted initially. 23 were assessed with the questionnaire.
Application Lifecycle
SEE-GRID2 Applications
[Pie chart of applications by domain: Astrophysics, Physics, Biomedical, Earth sciences, Chemistry, Engineering / Computer science, Arts & Humanities / Data mining, Other]
SEE-GRID2 Applications
Developer Resources
The Grid environment is constantly evolving, but:
  useful features persist;
  new ones are constantly being added;
  bugs are being fixed;
  gained knowledge remains relevant, though it must be updated;
  applications can be easily migrated to new/updated APIs.
gLite User Guide: https://edms.cern.ch/file/722398//gLite-3-UserGuide.pdf
SEE-GRID Gridification Guide: http://wiki.egee-see.org/index.php/SG_Gridification_Guide
SEE-GRID Wiki: http://wiki.egee-see.org/index.php/SEE-GRID_Wiki
gLite documentation: http://glite.web.cern.ch/glite/documentation/
SEE-GRID-2 Application Support
Application support group (ASG): experienced developers and admins
National level application support
SEE-GRID: global level application support
Work in close collaboration with WP5 (training) and WP3 (software requirements, maintenance of performance)
What the Web is for data, the Grid will be for computing resources!
Grid: the next step in the evolution of the Internet.
Access to computers will become a utility like electricity, telephone or water.