July 2002 Status report


Goals this month

  1. Remote Registration Manager - NERSC update
  2. Review Hardware Security Modules - update
  3. Equipment status
  4. Review ESG application for RA
  5. GGF 5 meeting
  6. Certificate service Statistics as of 7/30
  7. System Architecture - 10/15
  8. Data center design
  9. Project Schedule
  10. Problems

Achievements

Remote Registration Manager - Update

Dhiva has set up a Remote RM on the development system Amber. Testing of the interaction with the Certificate Manager (CM) is complete. This work is rolled up into the RPMs that are used to distribute the RM configuration. This type of configuration allows us to limit the interactions (i.e. Certificate Requests) between RAs. Steve Chan has asked for a Readme to cover the CMS and RPM installation and configuration. This will be written and turned over to Steve for review early next month.

Review Hardware Security Modules

Mike Helm and Dhiva continue to evaluate products from Rainbow, Chrysalis and nCipher. The HSM is a requirement for the project, to meet the security requirement of EDG. This is a long and detailed process, but should be finished by the October milestone. The Rainbow evaluation is complete. The Chrysalis and nCipher evaluations are in progress and should be finished by the end of August.

Equipment status

The security racks have arrived and are awaiting installation in the ESnet Data Center. We may run into a delay with the racks being deployed in time. We are looking at using non-secure racks for a period of time until Plant engineering approves the installation of the secure racks. This should have no long-term impact on the project. The 1U Netras have arrived. These are going to be our offline Root CAs (one for the new and one for the old architecture).

Review Earth System Grid II application for RA

ESG has asked to be added as a new Registration Authority of the DOEGrids Certificate service.
  1. Gary Strand: Point of Contact of ESG and RA for NCAR
  2. Alex Sim: RA for LBL/NERSC
  3. Kasidit Chanchio: RA for ORNL

Kasidit is representing ESG to the DOEGrids PMA. The PMA will be reviewing this application and will be voting on membership the first week of August, 2002.

Global Grid Forum Meeting

The Grid CP working group met. The goal of this meeting was to approve the Grid CP document and create a new working group focused on CA operations (CAops).  The WG decided the Grid CP document needed at least one more round of edits.  These edits were minor and should be approved on the list some time before the next meeting.  The WG approved the new charter for the CAops working group. The new charter can be found on the WG website: http://gridcp.es.net/  The WG also approved three new documents for output from the WG. The CP will continue with the new WG until it is approved. The new working docs and new charter are:

Certificate service Statistics as of 7/31

Certs per month issued: ~40 – 80
Total certificates issued: 341
Certificates revoked: 35
People certificates: 141
Services certificates: 150
Host (internal usage): 13
Requests in queue: 9

System Architecture

Current ESnet Data Center design:

Project Schedule

Item | Date | Comments
Install Hosts | Oct, 23 | 3 systems have been racked
Root CA | November, 30 |
No significant work in December | | Travel, vacation and laboratory seasonal closure.
RA for PPDG and NFC | January 15, 2002 | Done
Order equipment, servers etc. | February 8, 2002 | Done - This is for the secure build out of the PKI in Room 2275.
RA for PNNL | February 15, 2002 | Done
Beta PPDG, NFC & PNNL certificates | February 15, 2002 | Done
Hire developer | March 1, 2002 | Done
Add a RM and Directory server to development environment | March 15, 2002 | Done
EDG participation | April 1, 2002 | Done
Deploy separate CM and RM services | April 10, 2002 | Done - these are evaluation services and will be deployed as the community requires
New UI for service | April 15, 2002 | Done - New UI based on V2 CP requirements. Under eval by PMA, will be deployed as appropriate.
RPM for RM | April 22, 2002 | First version is done - working with NERSC to finalize details of process.
Deploy LDAP service | April 29, 2002 | Done - this service is in eval and will be deployed as appropriate. The service is now available on the website
Version 2.0 of CP/CPS | April 30, 2002 | Done - written, needs PMA approval
Start adding new RAs as appropriate. | May 15, 2002 | Pending iVDGL approval and inclusion
CP/CPS – sign off | June 1, 2002 | Done - PMA approved 2.0 May 3
Issue EDG acceptable Certificates for Test Bed 2 | July 1, 2002 | Done - this requires EDG now to use it.
New naming structure | August 30, 2002 | Need PMA to approve new naming and DIT.
Roll out plan for version 2 architecture | August 30, 2002 | We need to maintain current PKI1 and deploy PKI2 to the community
Advance email notifications | August 15, 2002 | Add additional information to the email request notifications
Add additional information to the Directory listings of certificates | September 1, 2002 | Add information from the CSR to the directory listing of certificate.
Secure Racks | Sep 15, 2002 | The racks have arrived and are being installed. This will take some time, as it requires Plant engineer to approve and do the electrical...
General release of service | October 15, 2002 | System support staff take over daily operation

Problems

No significant issues open.