UNLP CA (Argentina): Universidad Nacional de La Plata


Upload: barry-king

Post on 03-Jan-2016


Jdiaz@unlp.edu.ar

UNLP CA (Argentina)

Universidad Nacional de La Plata
www.unlp.edu.ar

• Was created as a national university in 1905
• Is the 3rd largest university in Argentina
• More than 90.000 enrolled students
• More than 140 degree programs
• More than 200 postgraduate programs
• Produces about 20% of the academic research in Argentina


Centro Superior para el Procesamiento de la Información
www.cespi.unlp.edu.ar

Provides research network for UNLP
• 1991 (via BITNET)
• April 1994 connection to Internet
  – Class B: 163.10.x.x
  – Domain unlp.edu.ar
  – Autonomous System Number: 5692
• Since 2004 connected to Academic Research Networks Ampath & CLARA (via RETINA)
  – IPv6 prefix: 2001:1318:A001::/64


Ce.S.P.I
• Provides network monitoring & management:
  – More than 3000 computers with public IP
  – Tools used:
    • MRTG
    • Nagios
    • Netflow
    • Ipaudit
• Administrative information systems
  – Payroll & human resources
  – Students system
  – Statistics


pkUNLPGrid CA
Following RFC 3647

OID pending in IANA since 12/jan/06
  – To be requested from IGTF

• CP/CPS ver 0.91 (20/03/06)
• http://www.pkiUNLPGrid.unlp.edu.ar
• First checked by: Jorge Gomes (LIP)
• Reviewers: Tony J. Genovese & Alan Sill


Persons involved with the computer network infrastructure for the project

• Coordinating the CA for UNLP: Javier Díaz, Miguel Luengo

• Policies, procedures & auditing: Viviana Ambrosi, Lia Molinari

• PKI infrastructure for the CA: Paula Venosa, Viviana Ambrosi, Einar Lanfranco

• Network administration (also working in an academic IRT): Miguel Luengo, Nicolas Macia, Andres Barbieri, Alejandro Veiga, Matias Zabaljauregui.

• RA administration: Maria del Carmen Lago, Teresa Di Pietro, Fernanda Aday


UNLP is working in cooperation with ONTI, the agency of the federal government of Argentina that coordinates the use of information systems and technology.
– Security standards for the information systems.
– Arcert, which is the only CERT in Argentina.
– pki.gov.ar, which is the federal agency that promotes the use of digital signature in the government.
– Providing digital signature support for the information systems provided by SIU to the Universities.


Initially only one RA related to UNLP

The contact information for the initial RA is on the site:

http://www.pkiUNLPGrid.unlp.edu.ar

The concept is one RA per University or Academic institution equivale

[Diagram: CA, RAs, and institutions Inst. 1 to Inst. 4]


Name Forms:
• PKUNLPGRID CA prefers that organizations use domain component naming.
• Issuer:
  DC=ar, DC=UNLPgrid, CN=UNLPGridCA
• Subject:
  DC=ar, DC=UNLPgrid, O=string, CN=name.surname
  DC=ar, DC=UNLPgrid, O=string, CN=FQDN


Types of names
• For people, the name and surname or a text directly derived from their name:
  CN=JavierDiaz
• For servers, the server's fully qualified domain name (FQDN). IP addresses are not accepted:
  CN=pkigrid.unlp.edu.ar
• For services, the name of the service, the character '/' and the FQDN of the server:
  CN=ldap/pkigrid.unlp.edu.ar
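
An added example, not part of the original slides or the CA's own tooling: one way an RA could check a requested subject DN against the name forms and name types above before forwarding the request. The function names, the character sets allowed for person and service names, and the sample DNs in the usage note are assumptions.

```python
import ipaddress
import re

# Leading RDNs every subject must carry (Name Forms slide); compared exactly.
BASE = [("DC", "ar"), ("DC", "UNLPgrid")]
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"(?:{LABEL}\.)+[A-Za-z]{{2,63}}")
# Assumption: person CNs are ASCII letters, optionally split by '.' or ' '.
PERSON_RE = re.compile(r"[A-Za-z]+(?:[. ][A-Za-z]+)*")
# Assumption: service names are short protocol tokens (e.g. ldap).
SERVICE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


def is_fqdn(value):
    """True for a dotted host name; literal IP addresses are rejected."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        pass
    return len(value) <= 253 and FQDN_RE.fullmatch(value) is not None


def parse_dn(dn):
    """Split 'K=v, K=v' into pairs; assumes no escaped commas in values."""
    rdns = []
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not value.strip():
            return None
        rdns.append((key.strip().upper(), value.strip()))
    return rdns


def subject_matches_policy(dn, kind):
    """Check a subject DN against the form for 'person', 'host' or 'service'."""
    rdns = parse_dn(dn)
    if not rdns or len(rdns) != 4 or rdns[:2] != BASE:
        return False
    if rdns[2][0] != "O" or rdns[3][0] != "CN":
        return False
    cn = rdns[3][1]
    if kind == "person":
        return PERSON_RE.fullmatch(cn) is not None
    if kind == "host":
        return is_fqdn(cn)
    if kind == "service":
        service, sep, host = cn.partition("/")
        return bool(sep) and SERVICE_RE.fullmatch(service) is not None and is_fqdn(host)
    return False
```

A CN of the form name.surname is also syntactically a valid FQDN, so the kind has to come from what the RA actually vetted, not from the string itself. For example, `subject_matches_policy("DC=ar, DC=UNLPgrid, O=UNLP, CN=163.10.0.1", "host")` returns False because IP addresses are not accepted.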


Lifetime of certificates

CA key size 2048 bits,

Initial 10 years lifetime.

EE key size 1024 bits,

Certificates valid for 13 months (one year + one month).

CRL issued every 30 days (at least 7 days before the expiration of the previous CRL or upon demand)


Guidelines

CA offline

CA online site supports:

Certificates signed by the UNLPCA

CRLs

CP/CPS

technical contacts of the CA

RA contact

pointer to the TAGPMA & IGTF


Tools used
– CA offline: running Linux Debian stable, stored in a safe; OpenCA version 0.9.2.5 (latest release), OpenSSL version 0.9.7, using 32 K etokens-PRO for holding private key of CA operators, kept in a separate safe (with procedures for accessing the etoken and the passphrase)
– CA online site
  • In the Datacenter of the UNLP with access control, etc.
  • Behind a FW based on OpenBSD
  • Traffic analyzer (on a separate SPAN port, using SNORT with a correlation tool such as ossim/sguil/prelude)