September 2002 Status report


Goals this month

  1. Hardware Security Modules
  2. Equipment status
  3. Submit new CP, Submit new Naming doc, Submit new Charter
  4. Certificate service Statistics as of end of August
  5. Roll out plan for version 2 of DOEGrids
  6. System Architecture - 10/15
  7. Data center design
  8. Project Schedule
  9. Problems

Achievements

Review Hardware Security Modules

Mike Helm and Dhiva have finished their evaluations of HSMs from Rainbow, Chrysalis and Ncipher. The HSM is a requirement for the project, to meet the security requirements from EDG for running an online CA. In early September Mike and Dhiva demonstrated how the HSMs would work in our environment. Ncipher was the selected system. The units have been ordered and delivered, and are being deployed as part of the 10/15 architecture. The new architecture with the HSMs will begin testing in October, with production starting sometime in November.

Equipment status

Stan's group has been working with Plant Engineering to get the ESnet Data Center racks secured and powered. The work continues. The new racks should be powered in the October time frame. The servers should start being moved in October, as the schedule and work permit. The October architecture will begin construction in early October. The goal is to have the new systems in testing configurations by the end of October. The system should go into production in November or early December. The current system will stay in production until the switch over. This requires working with all our relying parties and the European Data Grid to ensure continuous operation.

New Document set for PKI service:

To meet the October architecture we need to update our PKI document set: CP/CPS and PMA charter. As part of the October goal we need to modify the naming used by the PKI Service. Mike Helm has submitted a new naming document to the PMA for review. The naming document describes the naming that the PMA approved in earlier discussions this summer. No new issues have come up; this naming will go into production with the new service. The naming changes and a number of minor edits have been made to our CP/CPS. The new CP/CPS has been submitted to the PMA for approval. No open issues are seen at this time. The new CP/CPS will be used for the October architecture. The GGF has produced a document to help develop PMA charters; this document, edited by Mike Helm and Peter Gietz, was used to produce the new Charter for the DOEGrids PMA. The new Charter has been submitted to the PMA for approval.

With the new document set and the equipment in place the October Architecture can be deployed.  The goal is to have the new system up and in testing mode by the end of October - the actual production date will most likely happen in November.

Roll out plan for version 2 of DOEGrids

Tasks                  | Dates   | Comments
-----------------------+---------+---------------------------------------------------------------
Power Black Racks      | 10/21   | This gates the project. Plant Engineering needed to sign off the racks. They are hoping to get power to at least one of the racks on the 21st.
Move servers           | 10/28   | It is hoped that this happens earlier, but it is dependent on the racks. This includes the deployment of the HSMs. Ncipher is scheduled out in early October to help configure the new HSMs.
Configure new servers  | 11/4    | Could configure servers not in the racks, but it would be better if the final configuration was in place. Vacations and conference meetings are delaying this date.
Test new servers       | 2 weeks | Need a Globus configuration to test with.
Update EDG files       | 11/15   |
Add Firewall policies  | 11/30   | The new servers will be moved to the firewall subnet when they are racked in the Black racks.
Online                 | 11/30   |

Certificate service Statistics as of 9/27

Certs per month issued:    ~40 - 80
Total Certificates issued: 457
Certificates revoked:      44
People Certificates:       216
Services Certificates:     229
Host (internal usage):     18
Requests in Queue:         3

System Architecture

Current ESnet Data Center design:

Project Schedule

Item                                                                  | Date               | Comments
----------------------------------------------------------------------+--------------------+---------------------------------------------------------------
Install Hosts                                                         | Oct 23             | 3 systems have been racked
Root CA                                                               | November 30        |
No significant work in December                                       |                    | Travel, vacation and laboratory seasonal closure.
RA for PPDG and NFC                                                   | January 15, 2002   | Done
Order equipment, servers etc.                                         | February 8, 2002   | Done - This is for the secure build out of the PKI in Room 2275.
RA for PNNL                                                           | February 15, 2002  | Done
Beta PPDG, NFC & PNNL certificates                                    | February 15, 2002  | Done
Hire developer                                                        | March 1, 2002      | Done
Add an RM and Directory server to development environment             | March 15, 2002     | Done
EDG participation                                                     | April 1, 2002      | Done
Deploy separate CM and RM services                                    | April 10, 2002     | Done - these are evaluation services and will be deployed as the community requires
New UI for service                                                    | April 15, 2002     | Done - New UI based on V2 CP requirements. Under eval by PMA, will be deployed as appropriate.
RPM for RM                                                            | April 22, 2002     | First version is done - working with NERSC to finalize details of the process.
Deploy LDAP service                                                   | April 29, 2002     | Done - this service is in eval and will be deployed as appropriate. The service is now available on the website.
Version 2.0 of CP/CPS                                                 | April 30, 2002     | Done - Written, needs PMA approval
Start adding new RAs as appropriate                                   | May 15, 2002       | Done: This is an ongoing task now that we have added 2 new RAs.
CP/CPS - sign off                                                     | June 1, 2002       | Done - PMA approved 2.0 May 3
Issue EDG acceptable Certificates for Test Bed 2                      | July 1, 2002       | Done - this requires EDG now to use it.
New naming structure                                                  | September 30, 2002 | Done: submitted to PMA for review.
Roll out plan for version 2 architecture                              | September 30, 2002 | Done: We need to maintain the current PKI1 and deploy PKI2 to the community.
Advance email notifications                                           | September 15, 2002 | Postponed until after the upgrade to the new system. Add additional information to the email request notifications.
Add additional information to the Directory listings of certificates  | October 1, 2002    | Postponed until after the upgrade to the new system. Add information from the CSR to the directory listing of the certificate.

All remaining tasks are listed in the Roll out plan at the top of the page.

Problems

No significant issues open.