UNLP CA (Argentina)
Universidad Nacional de La Plata
www.unlp.edu.ar
• Created as a national university in 1905
• The 3rd largest university in Argentina
• More than 90,000 enrolled students
• More than 140 degree programs
• More than 200 postgraduate programs
• Produces about 20% of the academic research in Argentina
[email protected]
Centro Superior para el Procesamiento de la Información
www.cespi.unlp.edu.ar
Provides the research network for UNLP
• 1991 (via BITNET)
• April 1994: connection to the Internet
  – Class B: 163.10.0.0/16
  – Domain: unlp.edu.ar
  – Autonomous System Number: 5692
• Since 2004 connected to the academic research networks AMPATH & CLARA (via RETINA)
  – IPv6 prefix: 2001:1318:A001::/64
[email protected]
Ce.S.P.I
• Provides network monitoring & management:
  – More than 3000 computers with public IP addresses
  – Tools used:
    • MRTG
    • Nagios
    • NetFlow
    • IPAudit
• Administrative information systems
– Payroll & human resources
– Students system
– Statistics
pkUNLPGrid CA
• Follows RFC 3647
• OID pending at IANA since 12/Jan/06
  – To be requested from IGTF
• CP/CPS ver 0.91 (20/03/06)
• http://www.pkiUNLPGrid.unlp.edu.ar
• First checked by: Jorge Gomes (LIP)
• Reviewers: Tony J. Genovese & Alan Sill
Persons involved with the computer network infrastructure for the project
• Coordinating the CA for UNLP: Javier Díaz, Miguel Luengo
• Policies, procedures & auditing: Viviana Ambrosi, Lia Molinari
• PKI infrastructure for the CA: Paula Venosa, Viviana Ambrosi, Einar Lanfranco
• Network administration (also working in an academic IRT): Miguel Luengo, Nicolas Macia, Andres Barbieri, Alejandro Veiga, Matias Zabaljauregui
• RA administration: Maria del Carmen Lago, Teresa Di Pietro, Fernanda Aday
UNLP is working in cooperation with the ONTI, the agency of the federal government of Argentina that coordinates the use of information systems and technology:
– Security standards for information systems.
– ArCERT, which is the only CERT in Argentina.
– pki.gov.ar, the federal agency that promotes the use of digital signatures in the government.
– Providing digital signature support for the information systems that SIU provides to the universities.
Initially only one RA, related to UNLP
The contact information for the initial RA is on the site:
http://www.pkiUNLPGrid.unlp.edu.ar
The concept is one RA per university or equivalent academic institution
[Diagram: the CA at the top; below it five RAs, one per institution (Inst. 1, Inst. 2, Inst. 3, Inst. 4)]
Name Forms:
• PKUNLPGRID CA prefers that organizations use
domain component naming.
• Issuer:
DC=ar, DC=UNLPgrid, CN=UNLPGridCA
• Subject:
DC=ar, DC=UNLPgrid, O=string, CN=name.surname
DC=ar, DC=UNLPgrid, O=string, CN=FQDN
Types of names
• For people: the name and surname, or a text directly derived from their name
  CN=JavierDiaz
• For servers: the server's fully qualified domain name (FQDN). IP addresses are not accepted
  CN=pkigrid.unlp.edu.ar
• For services: the name of the service, the character '/' and the FQDN of the server
  CN=ldap/pkigrid.unlp.edu.ar
Lifetime of certificates
CA key size 2048 bits,
initial 10-year lifetime.
EE key size 1024 bits,
certificates valid for 13 months (one year + one month).
CRL issued every 30 days (at least 7 days before the expiration of the previous CRL, or upon demand).
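The naming rules (Name Forms, Types of names) and the lifetime rules on the slides above, as an added conformance checker that an RA or auditor could run over a request before it is signed. This is example code written for this page, not the CA's own OpenCA configuration: the policy limits are the ones stated on the slides, while the comma-separated text DN format, the function names, the person/host/service request kind supplied by the caller, and the sample requests are assumptions. The 1024-bit EE key size is the slide's 2006 value; current guidance requires at least 2048 bits.

```python
"""Conformance checks for the UNLP Grid CA naming and lifetime rules.

Added example, not the CA's own code. Limits come from the slides (CP/CPS
v0.91); the DN text format, function names and samples are assumptions.
"""
import ipaddress
import re
from datetime import date, timedelta

# Values stated on the slides
SUBJECT_PREFIX = (("DC", "ar"), ("DC", "UNLPgrid"))
CA_KEY_BITS = 2048
EE_KEY_BITS = 1024   # slide's 2006 minimum; current guidance requires at least 2048
CA_MAX_MONTHS = 10 * 12
EE_MAX_MONTHS = 13   # one year + one month
CRL_PERIOD_DAYS = 30
CRL_REISSUE_MARGIN_DAYS = 7

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_PERSON = re.compile(r"^[^\W\d_]+([ .'\-][^\W\d_]+)*$")   # letters only: JavierDiaz, name.surname


def parse_dn(dn):
    """Split 'DC=ar, DC=UNLPgrid, O=UNLP, CN=x' (assumed text form) into [(attr, value), ...]."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_fqdn(name):
    """True for a host name with at least two valid labels; literal IP addresses are rejected."""
    try:
        ipaddress.ip_address(name)
        return False                       # policy: IP addresses are not accepted as CN
    except ValueError:
        pass
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)


def check_cn(cn, kind):
    """Violations of the CN rule for the requested subject kind: person, host or service."""
    if kind == "person":
        return [] if _PERSON.match(cn) else ["person CN must be derived from name and surname: %r" % cn]
    if kind == "host":
        return [] if is_fqdn(cn) else ["host CN must be a FQDN, not an IP address: %r" % cn]
    if kind == "service":
        service, sep, host = cn.partition("/")
        ok = sep and service and is_fqdn(host)
        return [] if ok else ["service CN must be service/FQDN: %r" % cn]
    return ["unknown subject kind %r" % kind]


def check_subject(dn, kind):
    """Check the DC=ar, DC=UNLPgrid, O=<org>, CN=<name> form and then the CN rule."""
    rdns = parse_dn(dn)
    errors = []
    if [(a, v.lower()) for a, v in rdns[:2]] != [(a, v.lower()) for a, v in SUBJECT_PREFIX]:
        errors.append("subject must start with DC=ar, DC=UNLPgrid")
    if [a for a, _ in rdns[2:]] != ["O", "CN"]:
        errors.append("subject must be DC, DC, O, CN with a single CN last")
        return errors
    return errors + check_cn(rdns[3][1], kind)


def add_months(d, months):
    """Calendar-month addition, clamped to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    last = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last))


def check_validity(not_before, not_after, key_bits, is_ca=False):
    """Violations of the key-size and lifetime limits for an EE or the CA certificate."""
    limit = add_months(not_before, CA_MAX_MONTHS if is_ca else EE_MAX_MONTHS)
    min_bits = CA_KEY_BITS if is_ca else EE_KEY_BITS
    errors = []
    if not_after > limit:
        errors.append("validity ends %s, policy limit is %s" % (not_after, limit))
    if key_bits < min_bits:
        errors.append("key is %d bits, policy minimum is %d" % (key_bits, min_bits))
    return errors


def crl_status(this_update, next_update, today):
    """'ok', 'reissue' (within 7 days of nextUpdate), 'expired', or 'too-long' (period over 30 days)."""
    if next_update - this_update > timedelta(days=CRL_PERIOD_DAYS):
        return "too-long"
    if today >= next_update:
        return "expired"
    if today >= next_update - timedelta(days=CRL_REISSUE_MARGIN_DAYS):
        return "reissue"
    return "ok"


if __name__ == "__main__":
    # Constructed sample requests, not real certificates issued by the CA
    for dn, kind in [
        ("DC=ar, DC=UNLPgrid, O=UNLP, CN=javier.diaz", "person"),
        ("DC=ar, DC=UNLPgrid, O=UNLP, CN=ldap/pkigrid.unlp.edu.ar", "service"),
        ("DC=ar, DC=UNLPgrid, O=UNLP, CN=163.10.1.1", "host"),
    ]:
        print(dn, "->", check_subject(dn, kind) or "ok")
    print(check_validity(date(2006, 3, 20), date(2007, 6, 1), 512))
    print(crl_status(date(2006, 3, 1), date(2006, 3, 31), date(2006, 3, 25)))
```

Because a person CN of the form name.surname and a host FQDN both contain dots, the CN alone does not tell the checker which rule applies; it therefore takes the subject kind the RA recorded for the request and validates the CN against that rule, rejecting literal IPv4 and IPv6 addresses for hosts and service hosts. The CRL check flags a CRL for re-issue once it is inside the 7-day margin before nextUpdate, which is the point at which the slide's schedule requires the next CRL to be published.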
Guidelines
CA offline
The CA online site publishes:
• Certificates signed by the UNLP CA
• CRLs
• CP/CPS
• Technical contacts of the CA
• RA contact
• Pointer to the TAGPMA & IGTF
Tools used
– CA offline: runs Debian GNU/Linux stable and is stored in a safe; OpenCA version 0.9.2.5 (latest release), OpenSSL version 0.9.7.
  32 K eToken PRO tokens hold the private key; the CA operators keep them in a separate safe (with procedures for accessing the eToken and the passphrase).
– CA online site:
  • In the UNLP datacenter, with access control, etc.
  • Behind a firewall based on OpenBSD
  • Traffic analyzer (on a separate SPAN port) using Snort with a correlation tool such as OSSIM/Sguil/Prelude