Self-Audit & Status Report for KEK GRID CA Hiroyuki Matsunaga KEK (High Energy Accelerator Research Organization), Computing Research Center APGridPMA F2F Sapporo, 17 Oct
2 March 11 14:46: Earthquake. March 11 15:10: UPS battery ran out, power down. March 15 11:00: Started checking CA/RA systems. ■ No physical damage to CA/RA observed. March 15 15:00: CA/RA functions restored. ■ No downtime since then. Recovery of the whole computing system took several months. ■ Due to severe limitation to the power consumption. ■ Still foresee power shortage this winter (and next summer). Prof. Sasaki canceled the last F2F meeting at Taipei. Ranging from I/O bound to CPU bound The faster the network the higher the I/O rate The lower the network latency the higher the I/O rate The more disks the higher the I/O rate The more RAM the more can be cached The more CPUs the faster the processing After the Earthquake
3 Staff User administrator: ■ H.M. since July ■ Prof. Takashi Sasaki stepped down. Security officer: ■ Yoshimi Iida CA operator: ■ Minoru Nakaya, Yukinori Yokoshima RA operator: ■ 2 people Help Desk: ■ 4
Self-Audit Following “Guidelines for auditing Grid CAs version 1.0” (GFD 169) ■ Also using “Authentication Profile for Classic X.509 CAs version 4.2” and other relevant materials Performed in January 2010 ■ The last external audit was done in April 2007 Sasaki-san already presented the results in a video/phone meeting last year ■ Reiterate it in this F2F meeting 4
Summary of Audit Results Results ■ Score B: 2 ■ Score C: 1 ■ Score D: 1 ■ N/A: 2 Comments on the above items will be shown in the next slides. 5
Score B (Minor Change) CA-(5) ■ Whenever there is a change in the CP/CPS the OID of the document MUST change. ■ OID was not changed for minor corrections. CA-(34) ■ The EE certificate MUST have a maximum lifetime of 1 year plus 1 month. ■ Extended a lifetime from 365 days to 1 year plus 1 month. 6
Score C (Major Change) CA-(7) ■ CP/CPS documents SHOULD be structured as defined in RFC ■ Still in RFC Will be modified in the future, most likely in
Score D (Must Change) CA-(16) ■ The on-line CA architecture MUST provide for a log of issued certificates and revocations. The log SHOULD be tamper- protected. ■ Due to limitation of the hardware (nCipher HSM), the log is not tamper-protected. ■ HSM will be replaced when migrating to the new system. 8
N/A CA-(2) ■ There SHOULD be a single CA per country, region, or international organization. RA-(5) ■ RA MUST validate the association of the certificate signing request. ■ CA software does instead. 9
Status CP/CPS: ■ 2.1.1: Extend the certificate’s validity period ■ 2.1.2: Minor update on Certificate and CRL Profile Annual Identity Check ■ Performed in July and August 2011 ■ After the end of JFY 2010, but delayed due to disaster recovery ■ Based on self-declaration by users ■ Disabled 83 user accounts ■ Revoked 13 user certificates 10
11 Issued Certificates (as of 1 st Oct.) Users ■ Total: 279 ■ Valid: 157 User certificates ■ Total: 1096 ■ Valid: 125 Host certificates ■ Total: 1759 ■ Valid: 230
12 System Replacement Lease term of the current system ends in February 2012 Will migrate to the new system in coming winter ■ Started preparatory work for the migration ■ Continue to use NAREGI CA Tool ■ Software will be updated ■ New HSM will be used ■ System downtime expected twice during the migration ■ CA/RA will move to the new hardware in December ■ The whole computing system will migrate in February