UNLP CA (Argentina) Universidad Nacional de La Plata Was created as a national university in 1905 Is the 3rd largest university in Argentina More than enrolled students More than 140 degree programs More than 200 postgraduate programs Produces about 20% of the academic research in Argentina
UNLP CA (Argentina) C entro S uperior para el P rocesamiento de la I nformación Provides research network for UNLP 1991 (via BITNET) April 1994 connection to Internet –Class B: x.x. –Domain unlp.edu.ar –Autonomous Systems Number: 5692 Since 2004 connected to Academic Research Networks Ampath & CLARA (viaRETINA) –prefijo IPv6: 2001:1318:A001:: /64
UNLP CA (Argentina) Ce.S.P.I Provides Network Monitoring & management: –More than 3000 computers with public IP –Tools used: Mtrg Nagios Netflow Ipaudit Administrative information systems –Payroll & human resources –Students system –Statistics
UNLP CA (Argentina) pkUNLPGrid CA Following RFC 3647 OID pending in IANA since 12/jan/06 –To be requested from IGTF CP/CPS ver 0.91 (20/03/06) First checked by: Jorge Gomes (LIP) Reviewers:Tony J. Genovese & Alan Sill
UNLP CA (Argentina) Persons involved with the computer network infrastructure for the project Coordinating the CA for UNLP: Javier Díaz, Miguel Luengo Policies, procedures & auditing: Viviana Ambrosi, Lia Molinari PKI infraestructure for de CA: Paula Venosa, Viviana Ambrosi, Einar Lanfranco Network administration (also working in an academic IRT): Miguel Luengo, Nicolas Macia, Andres Barbieri, Alejandro Veiga, Matias Zabaljauregui. RA administration: Maria del Carmen Lago, Teresa Di Pietro, Fernanda Aday
UNLP CA (Argentina) UNLP is working in cooperation with the ONTI, the agency of the federal government of Argentina that coordinated used of information system and technology. –Security standars for the information systems. –Arcert which is the only CERT in Argentina. –pki.gov.ar which is the federal agency that promotes the use of digital signature in the government. –Providing digital signature support for the information systems provided by SIU to the Universities.
UNLP CA (Argentina) Initially only one RA related to UNLP The information to contact initial RA is in the site: The concept is one RA per University or Academic institution equivale CA RA Inst. 1Inst. 2Inst. 3Inst. 4
UNLP CA (Argentina) Name Forms: PKUNLPGRID CA prefers that organizations use domain component naming. Issuer: DC=ar, DC=UNLPgrid, CN=UNLPGridCA Subject: DC=ar, DC=UNLPgrid, O=string, CN=name.surname DC=ar, DC=UNLPgrid, O=string, CN=FQDN
UNLP CA (Argentina) Types of names For people the name and surname or a text directly derived from their name CN=JavierDiaz For Server the server fully qualified domain name (FQDN).IP address are nor accepted CN=pkigrid.unlp.edu.ar For Services the name of the service, the character '/' and the FQDN of the server. CN=ldap/ pkigrid.unlp.edu.ar
UNLP CA (Argentina) Lifetime of certificates CA key size 2048 bits, Initial 10 years lifetime. EE key size 1024 bits, Certificates valid for 13 months (one year + one month). CRL issued every 30 days (at least 7 day befores de expiration of the previous CRL or upon demand)
UNLP CA (Argentina) Guidelines CA offline CA online site supports : Certificates signed by the UNLPCA CRLs CP/CPS technical contacts of the CA RA contact pointer to the TAGPMA & IGTF
UNLP CA (Argentina) Tools used –CA offline: running Linux Debian stable, stored in a safe; OpenCA versión (latest release), OpenSSL versión using etokens-PRO de 32 K for holding private key of CA operators keep in a separate safe (with procedures for accessing the etoken and the passphrase) –CA online site In the Datacenter of the UNLP with access control, etc Behind a FW based on OpenBSD Traffic analyzer (on separate port SPAN using SNORT with a correlation tool such as: ossim/sguil/prelude