7 September 2007 A E G I S Academic and Educational Grid Initiative of Serbia 2007 Annual Assembly AEGIS Certification Authority and Applications Branko.

Presentation transcript:

7 September 2007
A E G I S: Academic and Educational Grid Initiative of Serbia
2007 Annual Assembly
AEGIS Certification Authority and Applications
Branko Marović, RCUB

A E G I S, 7 September, AEGIS 2007 Annual Assembly
AEGIS Certification Authority
Accepted into EUGridPMA at the meeting in Istanbul
AEGIS CA Certificate Policy and Certification Practice Statement

AEGIS Certification Authority
Names
- Issuer: C=RS, O=AEGIS, CN=AEGIS-CA
- Subject: C=RS, O=AEGIS, OU=XXX, CN=Subject-name
- Country: Must be "RS"
- Organization: Must be "AEGIS"
- OrganizationUnit: Must be the name of the subject's institute
- CommonName: First name and last name of the subject for user certificates, DNS FQDN for server or service certificates
End Entity Certificates
- Maximum lifetime: 1 year
- Key length: at least 1024 bits
Person requesting a certificate
- Presentation in person of valid official identification document
Server/Host/Service certificate
- Can be only requested by the administrator of the particular host
- The administrator must already have a valid AEGIS certificate
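The naming and end-entity rules above can be checked mechanically before a request is signed. The following is an added example, not code from the presentation or from AEGIS CA; the function names, the `user`/`host` labels, the 366-day reading of "1 year" and the sample requests are assumptions.

```python
import re
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(days=366)  # "1 year"; 366 allows a leap year (assumption)
MIN_KEY_BITS = 1024                 # minimum stated on the slide
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_dn(dn):
    """Split 'C=RS, O=AEGIS, ...' into ordered (attribute, value) pairs.
    Simplification: values containing escaped commas are not supported."""
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part.strip()!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def policy_violations(subject_dn, kind, key_bits, not_before, not_after):
    """Return a list of violations; empty means compliant.
    kind is 'user' or 'host' (hypothetical labels)."""
    try:
        rdns = parse_dn(subject_dn)
    except ValueError as exc:
        return [str(exc)]
    if [a for a, _ in rdns] != ["C", "O", "OU", "CN"]:
        return ["subject must be C, O, OU, CN in that order"]
    dn = dict(rdns)
    errors = []
    if dn["C"] != "RS":
        errors.append('Country must be "RS"')
    if dn["O"] != "AEGIS":
        errors.append('Organization must be "AEGIS"')
    if kind == "host" and not FQDN_RE.match(dn["CN"]):
        errors.append("host CommonName must be a DNS FQDN")
    if kind == "user" and (len(dn["CN"].split()) < 2 or FQDN_RE.match(dn["CN"])):
        errors.append("user CommonName must be first and last name")
    if key_bits < MIN_KEY_BITS:
        errors.append(f"key shorter than {MIN_KEY_BITS} bits")
    if not timedelta(0) < not_after - not_before <= MAX_LIFETIME:
        errors.append("lifetime must be positive and at most 1 year")
    return errors

# Constructed sample requests (not real AEGIS data).
START = datetime(2007, 9, 7)
OK_USER = policy_violations("C=RS, O=AEGIS, OU=Example Institute, CN=Petar Petrovic",
                            "user", 2048, START, START + timedelta(days=365))
BAD_HOST = policy_violations("C=RS, O=AEGIS, OU=Example Institute, CN=gridnode",
                             "host", 512, START, START + timedelta(days=730))
```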

Issuing the first certificate
See the instructions at
Create a PKCS#10 request; this is easiest on one of the AEGIS UI machines
Send the request and personal data (first and last name, e-mail, institution, address) through the AEGIS CA web interface or to
A random 10-digit number is generated and an automatic reply is sent, informing the user:
- That certificate processing takes 3 working days
- That they must appear in person at the AEGIS CA or RA office to confirm their identity
- Of the address and phone numbers of the AEGIS CA/RA
- Of the procedure for authenticating the user's e-mail: the generated number is split into two parts. The reply contains the first 5 digits, and the user receives the other 5 when appearing in person for authentication.
The user comes to the AEGIS CA or RA with a valid personal identification document and proof of affiliation with the institution named in the request.
The user sends the 10 digits from the registered address to the AEGIS CA/RA
The signed certificate is delivered to the address confirmed in this way
- The user is informed that, within 5 days, they must send an e-mail signed with the received certificate, accepting the new certificate and the CP/CPS document
The user can use the certificate for Grid access, for signing e-mails, for authentication over the Web and for data encryption.
The certificate can be used through the AEGIS and SEE-GRID VOMS servers
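The split-number step binds two proofs together: the mailed half shows the requester reads the registered mailbox, and the half handed over in person shows the same requester passed the identity check. A sketch of that bookkeeping follows, as an added example that is not AEGIS CA code; the class and method names, the sample address and the three-attempt limit are assumptions (the limit is there because someone holding one half only has 100,000 guesses for the other).

```python
import hmac
import secrets

def new_challenge():
    """Generate the 10-digit number and split it 5/5 as the procedure describes."""
    code = f"{secrets.randbelow(10**10):010d}"  # CSPRNG; keeps leading zeros
    return {"code": code, "mailed_half": code[:5], "in_person_half": code[5:]}

class Request:
    """State the CA/RA keeps for one pending certificate request (hypothetical)."""

    def __init__(self, email):
        self.email = email.strip().lower()
        self.challenge = new_challenge()
        self.identity_checked = False   # set once the RA has seen the ID document
        self.attempts_left = 3          # assumed limit, not stated on the slide
        self.email_confirmed = False

    def ra_confirm_identity(self):
        """RA verified the person; hand over the second half of the number."""
        self.identity_checked = True
        return self.challenge["in_person_half"]

    def confirm_email(self, sender, digits):
        """Accept all 10 digits only from the registered address, after the visit."""
        if not self.identity_checked or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        same_sender = sender.strip().lower() == self.email
        same_code = hmac.compare_digest(digits.encode(),
                                        self.challenge["code"].encode())
        self.email_confirmed = same_sender and same_code
        return self.email_confirmed

def demo():
    """Constructed walk-through: too early, wrong sender, then the valid reply."""
    req = Request("Petar.Petrovic@example.rs")
    early = req.confirm_email("petar.petrovic@example.rs", req.challenge["code"])
    second = req.ra_confirm_identity()
    full = req.challenge["mailed_half"] + second
    wrong_sender = req.confirm_email("someone@example.com", full)
    ok = req.confirm_email("petar.petrovic@example.rs", full)
    return early, wrong_sender, ok
```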

Issuing subsequent certificates
Certificate re-key requests that are signed with a valid certificate issued by a CA accredited by EUGridPMA will be signed without the preceding procedure, because the user's identity has already been established.
The certificate used and the request must refer to the same person and institution.
The CA/RA must still verify that the person is affiliated with the institution named in the request; an institutional e-mail address is sufficient.

Certificate generation and security
Certificates are generated on an isolated computer, in an office with restricted access.
Passwords of at least 15 characters are used.
Only the CA manager and the CA operator know the root password.
The computer runs the CentOS operating system with a minimum of services; all security patches are applied.
CSP software is used.
The computer has a CD-RW drive and USB connectors for backup.
The hard disk is mounted in an HDD rack and kept in a secure location.
Backups are made to CD-ROM and USB flash, which are also kept in a secure location.
There will also be an off-site backup.
The CA site will allow only searching (not listing) of issued certificates.
A list of generated certificates is kept.
When a certificate is revoked, the CRL is renewed and immediately published on the CA site.
The CRL is also renewed every 30 days, regardless of whether any certificates have been revoked.

Certificate Revocation
Certificate Revocation List
- Minimum/maximum lifetime: 7/30 days
- CRL is updated immediately after every certificate revocation
- CRL is issued at least 7 days before expiration
Circumstances for revocation
- Subscriber has ceased to be a member of, or associated with AEGIS related institution, program or activity
- Subscriber key is lost or suspected to be compromised
- Information in certificate is suspected to be inaccurate
- Subscriber violated his/her obligations
- Subscriber does not need the certificate any more
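A relying party or the CA's own monitoring can test a published CRL against these three rules. The sketch below is an added example, not part of the presentation; it reads the two date lines that `openssl crl -noout -lastupdate -nextupdate` prints, and the function names, finding strings and sample dates are assumptions.

```python
from datetime import datetime, timedelta

MIN_LIFETIME = timedelta(days=7)     # minimum CRL lifetime from the slide
MAX_LIFETIME = timedelta(days=30)    # maximum CRL lifetime from the slide
REISSUE_MARGIN = timedelta(days=7)   # new CRL due at least 7 days before expiry

def parse_crl_dates(text):
    """Parse 'lastUpdate=...' and 'nextUpdate=...' lines as printed by openssl."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = datetime.strptime(value.strip(),
                                                "%b %d %H:%M:%S %Y GMT")
    return fields["lastUpdate"], fields["nextUpdate"]

def crl_findings(text, now, last_revocation=None):
    """Return policy findings for the currently published CRL (empty = healthy).
    last_revocation is the time of the most recent revocation, if known."""
    this_update, next_update = parse_crl_dates(text)
    findings = []
    if not MIN_LIFETIME <= next_update - this_update <= MAX_LIFETIME:
        findings.append("lifetime outside 7-30 days")
    if now >= next_update:
        findings.append("CRL expired")
    elif now > next_update - REISSUE_MARGIN:
        # The old CRL is still the published one inside the 7-day window.
        findings.append("replacement CRL overdue")
    if last_revocation is not None and last_revocation > this_update:
        findings.append("revocation not yet in published CRL")
    return findings

# Constructed samples (not real AEGIS CRL data).
SAMPLE = """lastUpdate=Sep  7 10:00:00 2007 GMT
nextUpdate=Oct  7 10:00:00 2007 GMT"""
TOO_LONG = """lastUpdate=Sep  7 10:00:00 2007 GMT
nextUpdate=Oct 22 10:00:00 2007 GMT"""
```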

Events
Recorded events
- Certification requests
- Issued certificates
- Requests for revocation
- Issued CRLs
- Login/logout/reboot of the signing machine
Archived events
- Certification requests
- Issued certificates
- Requests for revocation
- Issued CRLs
- All messages of correspondence between RA and CA

Contact
University of Belgrade Computer Center
Kumanovska bb, Beograd, Serbia
Phone: , Fax:
Dušan Radovanović

SEE-GRID-2 Application Selection
ARC (Application Review Committee)
Large number of potential applications
For reasons of scalability, it was decided that only a subset of the applications will be supported
Candidate application developers fill in the online Continuous Grid Application Questionnaire, submitting data on their applications
- Application ranking criteria were developed jointly through discussion among the consortium's WP4 partners from all countries.
32 applications in total were submitted initially.
23 were assessed with the questionnaire.

Application Lifecycle

SEE-GRID2 Applications

SEE-GRID2 Applications

Developer Resources
Grid environment is constantly evolving, but
- Useful features persist
- New are constantly being added
- Bugs are being fixed
- Gained knowledge remains relevant, must be updated
- Applications can be easily migrated to new/updated APIs
gLite User Guide
SEE-GRID Gridification Guide
SEEGRID Wiki
gLite documentation

Application Gridification Guide
Relevant topics for application developers identified through online questionnaire system
Some investigation areas identified as well – candidates for future GG topics
Gridification guide will provide information on these topics
GG collaboration medium – Wiki
- see.org/index.php/SG_Gridification_Guide

SEE-GRID-2 Application Support
Application support group (ASG) – experienced developers & admins
- National level application support
- SEE-GRID - global level application support
Work in close collaboration with WP5 (training) and WP3 (software requirements, maintenance of performance)

What the Web is for data, the Grid will be for computing resources!
Grid: the next step in the evolution of the Internet.
Access to computers will become a utility like electricity, telephone or water.