Detailed report on PRAGMA-UCSD.CA operations and changes since the last APGrid meeting, including certificates issued, personnel updates, equipment status, and security measures.
PRAGMA-UCSD CA Status Update PRAGMA-UCSD CA Team http://www.pragma-grid.net/ca Pacific Rim Application and Grid Middleware Assembly http://www.pragma-grid.net http://goc.pragma-grid.net
Overview • Since The Last APGrid Meeting • Certificates Issued • Operations • Changes
Since The Last APGrid Meeting • 4/7/08 - Accredited at the APGrid Taipei meeting • 4/20/08 - Yoshio informed us of a resolution from the APGrid Taipei meeting on best practice for Issuer and Subject names • 4/24/08~6/24/08 – Worked with the NAREGI-CA team on a new version of the CA software and set up a new CA with “Issuer: DC=NET, DC=PRAGMA-GRID, CN=PRAGMA-UCSD CA” • 6/25/08~6/26/08 - Updated CP/CPS, user guides and internal documentation to reflect the change in Issuer and Subject names • http://goc.pragma-grid.net/ca/ca-certs/ • http://goc.pragma-grid.net/ca/cp-cps/ • goc.pragma-grid.net/ca/internal/PRAGMA-UCSD-CA-operation.doc (requires login) • http://goc.pragma-grid.net/secure/pragma-ucsd-ca-client.tar.gz • https://goc.pragma-grid.net/secure/pragma-ucsd-ca-client-user-guide.doc • 6/27/08 – Started operation • 7/28/08 – Included in IGTF distribution 1.23
Certificates Issued • 10 host certificates have been issued for PRAGMA grid servers and clusters at SDSC • No user certificates have been issued so far • All 6 certificates (3 host and 3 user) used for testing during PRAGMA-UCSD CA server setup have been revoked
Operations • CRL updates have been done every 3 weeks • One CRL retrieval failure, caused by a 1-day web server outage • Backups have been performed according to the CP/CPS and operation manual • User/host certificate requests and issuances have followed the procedures and rules set in the CP/CPS
No Change In Personnel • CA – Cindy Zheng, Mason Katz (UCSD) • RA – Mason Katz, Anoop Rajendra (UCSD) • PMA – Yoshio Tanaka (AIST) • Security Officer – Phil Papadopoulos (UCSD) • pragma-ucsd-ca@sdsc.edu reaches no more and no less than these 5 people
No Change In Equipment • CA server is dedicated and off-line • RA server is dedicated and on-line • CA software is naregi-wp5-nas-070112
One Change In Physical Security • CA and RA servers are in a lockable office • 2 keys (Cindy Zheng, Mason Katz; formerly Karan Bhatia): Karan has left and Mason now holds his key to the office • CA server is in a locked cabinet in the office • Only Cindy (CA) has the key • Access log • logged by email to pragma-ucsd-ca@sdsc.edu • Email archive is included in the monthly backup
No Change In CA Key and Passphrase • CA key length 2048 bits (CP/CPS 6.1.5) • CP/CPS 6.4 describes CA key protection • Passphrase >= 15 characters • Known only to the CA and RA • Kept in 2 sealed envelopes in 2 separate locked drawers in Cindy's (CA) and Mason's (RA) offices • Only Cindy and Mason have the keys to the drawers • The sealed envelopes are kept separate from the backed-up private key
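The items a relying party can actually verify from this report are the new Issuer DN (DC=NET, DC=PRAGMA-GRID, CN=PRAGMA-UCSD CA), the 2048-bit CA key, and the 3-week CRL cadence (with the one retrieval failure showing why a stale CRL must be treated as a hard error). The script below, added here as an example and not code from the PRAGMA-UCSD CA or NAREGI-CA projects, runs those checks the way a grid site would after installing the IGTF bundle. It assumes the `cryptography` package; the CA key, certificate, CRL, revoked serial 0x1234 and the 2008 timestamps are constructed in-process so it runs offline and stand in for the real CA material.

```python
"""Relying-party checks for a grid CA: issuer/subject DN, key size,
CRL signature and freshness, and revocation lookup (added example)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Issuer name from the page, in DC-form as required by the APGrid PMA resolution.
EXPECTED_ISSUER = x509.Name([
    x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "NET"),
    x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "PRAGMA-GRID"),
    x509.NameAttribute(NameOID.COMMON_NAME, "PRAGMA-UCSD CA"),
])
MIN_CA_KEY_BITS = 2048                      # CP/CPS 6.1.5
CRL_PERIOD = datetime.timedelta(weeks=3)    # CRL update cadence on the page


def make_test_ca(now):
    """Constructed stand-in for the real CA: a self-signed root and one CRL
    that revokes serial 0x1234. Not the PRAGMA-UCSD CA's key or certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder()
            .subject_name(EXPECTED_ISSUER)
            .issuer_name(EXPECTED_ISSUER)
            .public_key(key.public_key())
            .serial_number(1)
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    revoked = (x509.RevokedCertificateBuilder()
               .serial_number(0x1234)
               .revocation_date(now)
               .build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(EXPECTED_ISSUER)
           .last_update(now)
           .next_update(now + CRL_PERIOD)
           .add_revoked_certificate(revoked)
           .sign(key, hashes.SHA256()))
    return cert, crl


def _crl_window(crl):
    """CRL validity window as naive UTC datetimes, across cryptography versions."""
    if hasattr(crl, "last_update_utc"):
        return (crl.last_update_utc.replace(tzinfo=None),
                crl.next_update_utc.replace(tzinfo=None))
    return crl.last_update, crl.next_update


def check_ca(cert, crl, now):
    """Return a list of problems; an empty list means the CA material is acceptable."""
    problems = []
    if cert.subject != EXPECTED_ISSUER or cert.issuer != EXPECTED_ISSUER:
        problems.append("CA subject/issuer DN does not match expected name")
    if cert.public_key().key_size < MIN_CA_KEY_BITS:
        problems.append(f"CA key shorter than {MIN_CA_KEY_BITS} bits")
    if crl.issuer != cert.subject:
        problems.append("CRL issuer does not match CA subject")
    if not crl.is_signature_valid(cert.public_key()):
        problems.append("CRL signature does not verify against CA certificate")
    last, nxt = _crl_window(crl)
    if not (last <= now <= nxt):
        # A CRL past nextUpdate (e.g. after a failed refresh) must fail closed.
        problems.append("CRL is outside its validity window (stale or not yet valid)")
    return problems


def is_revoked(crl, serial):
    """True if the serial appears on the CRL."""
    return crl.get_revoked_certificate_by_serial_number(serial) is not None


def demo():
    """Run the checks at issuance time and again after the CRL has gone stale."""
    now = datetime.datetime(2008, 7, 28)  # constructed date (IGTF 1.23 inclusion)
    cert, crl = make_test_ca(now)
    fresh = check_ca(cert, crl, now)
    stale = check_ca(cert, crl, now + CRL_PERIOD + datetime.timedelta(days=1))
    return fresh, stale, is_revoked(crl, 0x1234), is_revoked(crl, 0x1235)


if __name__ == "__main__":
    for label, result in zip(("fresh", "stale", "0x1234", "0x1235"), demo()):
        print(label, result)
```

The stale case is the one worth keeping: when the goc.pragma-grid.net web server was down for a day, any site whose CRL had already reached nextUpdate should have started rejecting PRAGMA-UCSD certificates rather than silently continuing with the old list.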
No Change In Private Key Backup • On offline media – USB drives • Kept in a locked cabinet • Only Anoop (RA) has the key
No Change In Web Repository Policies • Publicly accessible http://goc.pragma-grid.net/ca • CA root certificates • Certificates issued • CRL • CP/CPS • Contact info • Grants APGrid PMA and IGTF unlimited re-distribution • Internal only • Operation manuals • Canned emails • Forms • Check list • CA profiles • Only CA staff and auditors are allowed access
Special Thanks to Naregi-CA developer Takuto Okuno for upgrading the Naregi-CA software, which enabled us to implement the best practice set by the APGrid PMA