UK eScience CA and JCS Migration Status Jensen
- Slides: 10
UK e-Science CA and JCS Migration Status
Jensen, John Kewley
EUGridPMA, May 2015, København

Community
• “UK e-Science”
• GridPP
• …?
24/11/2020 UK eScience Status

Staff (alphabetically)
• Jensen – CA manager, signing code, packaging scripts
• David Kelsey – representing CA with PMAs
• John Kewley – user support, packaging scripts
• David Meredith – code for caportal and CW
• Suleman Tariq – sysadmin and DR

Current Status
• Currently continuing as before
  – ~1700 valid distinct host certs
  – ~800 valid distinct user certs
  – ~10 distinct robots
  – Total issuance >37000
  – Still adding RAs – 200 distinct operators in database
• Still working with JANET on migration opportunities
  – More on this in a later slide
• Improving stuff
  – CertWizard
  – CAPortal
  – New CP has taken effect
  – Tidying extensions

Renewals
• Old stuff still around
  – Some SHA1s still alive, sign as SHA2 upon renewal
  – Even a few Netscape extensions, removed upon renewal
  – Likewise email-in-DN, ancient and deprecated
• Disaster Recovery
  – Improved DR for Root (ROBAB)
  – Improved DR for SARoNGS
  – Already good DR for 2B (semi-online, warm spare)
• Future directions
  – Likely to retire 2A (online) now
  – Reimplement HSM?
  – JCS migration

Risks
• Not much effort
  – Development, support, proactive stuff
  – After the closure of NGS
  – Trying to understand user communities (other than GridPP)
• Ageing HSMs
  – No in-plan recovery, must rebuild
  – Considered “small” HSMs
  – Some funding made available by STFC – but need to consider future
• Self audit

Original UK eScience Certificate Hierarchy
[Diagram; labels: Dev CA*, Training CA, Root 2007 CA, CA 2A (online), CA 2B (offline), SARoNGS, SLCS Toplevel, Climate CAs]

Changes in the pipeline
• Service certificate support (generally deprecated)
• Turn off OpenCA i/f
  – Downloads of CRLs on ca.grid-support.ac.uk ~5200/day
• New PeCR scripts + maybe CertWizard CLI
• SHA-2 (done)
  – Requires a port of CertWizard to jGlobus 2
• IPv6
  – Our CRLs should probably be made available to test
• Key-pair generation
  – inline in caportal
• Tweak certificate format for new Grid Certificate Profile (done)

When can we turn off OpenCA?
Previous OpenCA Interfaces:
1. ca.grid-support.ac.uk: for Users
2. ca-ra.grid-support.ac.uk/ra: for RA Operators
3. ca-ra.grid-support.ac.uk/node: for CA Operators
1 and 2 replaced with caportal, 1 with CW
Lots of downloads of CRLs from ca.grid-support.ac.uk (5200/d)
“New” CDPs advertised for years – since 1.32 or so!?

JCS Migration
• Aim is to migrate if possible
  – Interface to QV for certificate issuance
• Interfacing to CA
  – Keep caportal and CW running, interfacing to QV?
  – Ke
• Identity management options – interim/future
  – Keep existing RA network and identities (but DNs will change?)
  – Use UKAMF (needs extra attributes – REFEDS)
  – Use JISC Assent
• Migration
  – Change DNs!?
  – Continuing support for robots, services?