April 2002 Status report


Goals this month

  1. Develop a separate Certificate Manager and Registration Manager
  2. Develop an LDAP directory to publish certificates, CRLs, etc.
  3. Finish Version 2 of CP
  4. Develop the PMA guidelines document
  5. Equipment status

Achievements

Develop a separate Certificate Manager and Registration Manager

Dhiva has deployed a CM and RM on Test-pki2.es.net for review and testing by the community.  This architecture is needed for deploying remote RMs, as per the NERSC request.  We are nearing completion of the RPM for our configured RM.  The RPM would provide a shrink-wrapped version of the RM for ease of deployment to our customers.  There are still some minor issues being worked out with NERSC for deployment.  NERSC has volunteered to work with ESnet to determine the best solution for the community.

We are exploring the capabilities of the split CM/RM model versus running both as one integrated service.  The integrated service appears to give the Registration Authority agent additional features that are not available when the service is split.  This situation is still being reviewed to determine the impact on the service.

Develop an LDAP directory to publish subscriber certificates, CRLs, etc.

A demo version of the Iplanet CMS LDAP directory was deployed on Quartz.es.net.  The CM was configured to publish subscriber certificates and CRLs to the LDAP directory.  This service will be evaluated and can be rolled out to the production side of the service when the community is ready.

Finish Version 2 of CP

The 2nd version of the CP was completed and put out for comment.  The PMA has opened 12 items against the new document.  PMA will be deciding to move this document into production or to continue working the open items.  The recommendation is to move this version into production and start to work on version 2.x.  The PMA will vote on this in early May.

Develop the PMA guidelines document

The initial draft of this document has been produced and turned over to the PMA for comments.  Currently we are working under an ad-hoc set of rules; the goal of this document is to formalize that set of rules.  It also introduces the role ESnet plays as operator of the service.  In addition to this document, which determines the rules and process of the PMA, we will need to provide an operational guide for ESnet.  This operational guide will describe the roles and responsibilities of ESnet to the PMA.

Equipment status

ESnet's NTSG has finished building out the server farm for the PKI service.  NTSG is currently doing an engineering design for the secure cabinets that will house the servers.  The deployment of the secure cabinets will happen in the summer time frame.  The installation of the cabinets and their associated UPS and power distribution systems will be turned over to LBNL plant engineering for approval and installation - this is a somewhat long process. The total server count is now at eleven. We are still reviewing hardware key storage systems.  We hope to be able to make a buy decision in the May time frame. 

System design

Current ESnet Data Center design:

Schedule

Item                                                  | Date              | Comments
------------------------------------------------------|-------------------|---------------------------------------------------------------
Install Hosts                                         | Oct 23            | 3 systems have been racked
Root CA                                               | November 30       |
No significant work in December                       |                   | Travel, vacation and laboratory seasonal closure.
RA for PPDG and NFC                                   | January 15, 2002  |
Order equipment, servers etc.                         | February 8, 2002  | Done - This is for the secure build out of the PKI in Room 2275.
RA for PNNL                                           | February 15, 2002 | Done
Beta PPDG, NFC & PNNL certificates                    | February 15, 2002 | Done
Hire developer                                        | March 1, 2002     | Done
Add a RM and Directory server to development environment | March 15, 2002 | Done
EDG participation                                     | April 1, 2002     | Done
Deploy separate CM and RM services                    | April 10, 2002    | Done - these are evaluation services and will be deployed as the community requires
New UI for service                                    | April 15, 2002    | Done - New UI based on V2 CP requirements. Under eval by PMA, will be deployed as appropriate.
RPM for RM                                            | April 22, 2002    | First version is done - working with NERSC to finalize details of process.
Deploy LDAP service                                   | April 29, 2002    | Done - this service is in eval and will be deployed as appropriate
Version 2.0 of CP/CPS                                 | April 30, 2002    | Done - Written, needs PMA approval
Start adding new RAs as appropriate.                  | May 15, 2002      | New RAs will be added to schedule. This is dependent on the Secure servers being finished and configured.
Order secure Racks                                    | May 30, 2002      | Task was postponed to research products.
CP/CPS – sign off                                     | June 1, 2002      | PMA is reviewing v2 CP, they have approved v 1.1
Migrate Beta CA/RAs systems to match final CP.        | July 15, 2002     |
Issue EDG acceptable Certificates for Test Bed 2      | July 1, 2002      |
General release of service                            | October 1, 2002   | System support staff take over daily operation

Problems

Iplanet CMS is becoming a learning experience.  The capabilities and limitations of the system are still being explored.  The software meets current service requirements, but is a little difficult to fully understand; only time will help this.  Not sure if this is peculiar to Iplanet or the general field of software...