Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "2019-bidding/online-ca"

From EGIWiki
Jump to navigation Jump to search
Line 1: Line 1:
<img class="FCK__MWTemplate" src="https://wiki.egi.eu/w/extensions/FCKeditor/fckeditor/editor/images/spacer.gif" _fckfakelement="true" _fckrealelement="7" _fck_mw_template="true"><img class="FCK__MWTemplate" src="https://wiki.egi.eu/w/extensions/FCKeditor/fckeditor/editor/images/spacer.gif" _fckfakelement="true" _fckrealelement="4" _fck_mw_template="true"> <img class="FCK__MWTemplate" src="https://wiki.egi.eu/w/extensions/FCKeditor/fckeditor/editor/images/spacer.gif" _fckfakelement="true" _fckrealelement="1" _fck_mw_template="true"> '''Go back to the [https://wiki.egi.eu/wiki/EGI_Core_activities:Bidding#Phase_IV_January_2021_-_June_2023%7CEGI Core Activities Bidding page].'''  
'''Go back to the [https://wiki.egi.eu/wiki/EGI_Core_activities:Bidding#Phase_IV_January_2021_-_June_2023%7CEGI Core Activities Bidding page].'''  


= Service name: Online CA (RCauth)  =
= Service name: Online CA (RCauth)  =
Line 68: Line 68:
*Unless explicitly agreed, software being used and developed to provide the service should:  
*Unless explicitly agreed, software being used and developed to provide the service should:  
**Be licensed under an open source and permissive license (like MIT, BSD, Apache 2.0,...).  
**Be licensed under an open source and permissive license (like MIT, BSD, Apache 2.0,...).  
***The license should provide unlimited access rights to the EGI community.  
***The license should provide unlimited access rights to the EGI community.
**Have source code publicly available via a public source code repository (if needed a mirror can be put in place under the &lt;a href="https://github.com/EGI-Foundation"&gt;EGI organisation in GitHub&lt;/a&gt;.) All releases should be appropriately tagged.  
**Have source code publicly available via a public source code repository (if needed a mirror can be put in place under the &lt;a href="https://github.com/EGI-Foundation"&gt;EGI organisation in GitHub&lt;/a&gt;.) All releases should be appropriately tagged.  
**Adopt best practices:  
**Adopt best practices:  
Line 77: Line 77:
***Having automated testing in place.  
***Having automated testing in place.  
***Using code reviewing.  
***Using code reviewing.  
***Treating documentation as code.  
***Treating documentation as code.
****Documentation should be available for Developers, administrators and end users.
*Documentation should be available for Developers, administrators and end users.


== IT Service Management compliance  ==
== IT Service Management compliance  ==
Line 101: Line 101:
== References  ==
== References  ==


More information about the Online CA service are available at &lt;a href="http://rcauth.eu/"&gt;RCauth homepage&lt;/a&gt;
More information about the Online CA service are available at [http://rcauth.eu/ RCauth homepage]

Revision as of 14:41, 13 November 2019

Go back to the Core Activities Bidding page.

Service name: Online CA (RCauth)

Introduction

The Online CA capability is a Token Translation Service (TTS) provided through RCauth.eu, generating X.509 certificates upon user request and making long-lived X.509 proxies available through a delegation service.

The Online CA is a critical component to enable access to the EGI infrastructure by a wider range of users. This activity must be operated in tight collaboration with the EGI Check-in Activity.

Technical description

The components that are part of this core activity are:

  • Delegation component: provides the actual token translation between SAML and X.509.
    • Highly sensitive component that requires a secure hardware setup including adequate physical security.
    • Based on the CIlogon product, and the integration work done in AARC
  • Certificates signing component: is the certificate-generation component
    • Certificate creations must be protected by hardware security modules
  • The delegation component and certificate signing component must be run in accordance with the IGTF Guidelines for Online CAsand be capable of at least operations under model (A).

Policy requirements:

  • The Online CA must be certified as an at least an IOTA CA in IGTF, and may provide other assurance profiles, subject to eligibility.
  • The delegation service must be REFEDS R&Sand Sirtficompliant
  • The service should be registered as a Service Provider in a national federation participating to eduGAIN

Coordination

The Online CA activity will have to coordinate with the following stakeholders:

  • IdPs: register where necessary new IdPs
    • IdPs must self-certify that they are fulfilling the REFEDS Sirtfirequirements and must be confirmed by either their registrar federation or explicitly by agreement with RCauth that they fulfil the REFEDS R&Srequirements
    • Online CA operator must collect and manage the repository of explicitly connected IdPs based on the paperwork submitted by these IdPs based on their self-assessment
  • SPs: integrate with one or multiple Master portals

In case the OnlineCA contributes to an multi-e-infrastructure OnlineCA service, this may require an additional level of coordination with other entities contributing to the OnlineCA service:

  • The EGI Online CA activity must accommodate and be able to act in unison with and under the control of any Policy Management Authority that hold the administrative control over the CA service, its Policy, and its relevant accreditations.
  • The EGI Online CA activity must be able and willing to accommodate technical means to securely communicate with other parties that jointly provide the same Online CA service.
  • Use of the service component provided by the EGI Online CA activity shall be non-discriminatory and available to all eligible users of the Online CA activity as managed by its Policy Management Authority.

Operations

  • Operation of the delegation component and the online CA in high availability and in compliance with the IGTF and EGI security policies.
  • Creating an Availability and Continuity Plan and implementing countermeasures to mitigate the risks defined in the related risk assessment

Support

Support will be provided through GGUS.

Support hours: eight hours a day (for example 9-17 CE(S)T), Monday to Friday – excluding public holidays of the hosting organisation.

Examples of requested support:

  • e-infrastructure service providers, e.g. CRL publishing
  • EGI Security: e.g. credentials revocation
  • Incident support: to the integrated master portal (end users should not contact directly the OnlineCA, since users' requests for support are directed to the master portal

Maintenance

  • Maintenance of probes to test the functionality of the service
  • Requirements gathering
  • Documentation

Software Compliance

  • Unless explicitly agreed, software being used and developed to provide the service should:
    • Be licensed under an open source and permissive license (like MIT, BSD, Apache 2.0,...).
      • The license should provide unlimited access rights to the EGI community.
    • Have source code publicly available via a public source code repository (if needed a mirror can be put in place under the <a href="https://github.com/EGI-Foundation">EGI organisation in GitHub</a>.) All releases should be appropriately tagged.
    • Adopt best practices:
      • Defining and enforcing code style guidelines.
      • Using Semantic Versioning.
      • Using a Configuration Management framework such as Ansible.
      • Taking security aspects into consideration through at every point in time.
      • Having automated testing in place.
      • Using code reviewing.
      • Treating documentation as code.
  • Documentation should be available for Developers, administrators and end users.

IT Service Management compliance

  • Key staff who deliver services should have foundation or basic level ITSM training and certification.
    • ITSM training and certification could include FitSM, ITIL, ISO 20000 etc.
  • Key staff and service owners should have advanced/professional training and certification covering the key processes for their services.
  • Providers should have mature and well maintained ITSM process that are key to support the services they provide.

Service targets

Service must be provided with an availability and reliability of 95%. Support level through the helpdesk support unit: Medium.

Effort (EGI-related activities)

Bids planning a effort of 5 Person Months/year would allow these services and activities to be addressed appropriately. Effort may be provided as part of either the INFRAEOSC-07(a1) and INFRAEOSC-03 projects.

Effort (EOSC-related activities)

Partners are encouraged to submit details of activities and proposed costing of effort for EOSC Hub related activities. This may include activities related to development of new functionality required by EOSC communities (e.g. in the case of accounting, a separate accounting portal view for EOSC Hub) in addition to activities delivering services to these communities.

References

More information about the Online CA service are available at RCauth homepage