...
- Apache2
- PHP script for OCSP responses (contained in CAT distribution, utils/ocsp_web/*)
Logs:
- /var/log/apache2/*
Statistics for KPIs
The service statistics are collected with simple SQL queries from several databases.
Number of NROs and IdPs in the system
To be executed on the database "managed_idp" on hosted.eduroam.org. The data is cumulative since the start of the technical setup of the hosts.
SELECT count(distinct p.inst_id) AS active_inst, i.country AS federation
FROM silverbullet_user su, profile p, institution i
WHERE su.deactivation_status = "ACTIVE" AND su.profile_id = p.profile_id AND p.inst_id = i.inst_id
GROUP BY i.country
ORDER BY active_inst DESC;
Example output at service launch day (20 Mar 2019):
+-------------+------------+
| active_inst | federation |
+-------------+------------+
|           6 | LU         |
|           5 | PL         |
|           1 | AM         |
|           1 | CA         |
|           1 | ES         |
|           1 | JP         |
+-------------+------------+
Certificate count (issued/revoked/expired)
To be executed on the database "managed_idp" on hosted.eduroam.org. The data is cumulative since the start of the technical setup of the hosts.
Total issued certificates
SELECT count(*) AS certcount, ucase(substr(substr(cn,locate('.',cn)+1),1, 2)) AS userfed
FROM silverbullet_certificate
GROUP BY userfed
ORDER BY certcount DESC;
Example output at service launch day:
+-----------+---------+
| certcount | userfed |
+-----------+---------+
|       125 | PL      |
|        60 | LU      |
|        20 | NO      |
|        13 | AM      |
|         4 | JP      |
|         2 | CA      |
|         1 | UA      |
+-----------+---------+
Total revoked certificates
SELECT count(*) AS certcount, ucase(substr(substr(cn,locate('.',cn)+1),1, 2)) AS userfed
FROM silverbullet_certificate
WHERE revocation_status = "REVOKED"
GROUP BY userfed
ORDER BY certcount DESC;
Example output at service launch day:
+-----------+---------+
| certcount | userfed |
+-----------+---------+
|        11 | AM      |
|         5 | NO      |
|         5 | PL      |
|         3 | LU      |
|         1 | JP      |
+-----------+---------+
Total expired certificates (a certificate that was revoked before it expired is always counted under 'revoked', even after expiry, so the two counts never overlap)
SELECT count(*) AS certcount, ucase(substr(substr(cn,locate('.',cn)+1),1, 2)) AS userfed
FROM silverbullet_certificate
WHERE expiry < NOW() AND revocation_status = "NOT_REVOKED"
GROUP BY userfed
ORDER BY certcount DESC;
Example output at service launch day:
+-----------+---------+
| certcount | userfed |
+-----------+---------+
|        11 | PL      |
|         7 | LU      |
+-----------+---------+
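The three certificate queries above partition the table by (revoked, expired-but-not-revoked, everything else), keyed on the two characters after the first dot of the CN. The following added example (not part of the original page and not CAT code) reproduces that logic on an in-memory SQLite table with constructed rows, so the counts can be checked without access to hosted.eduroam.org. The CN layout "user.<fed>..." of the sample rows is an assumption for the example; MySQL's ucase/substr/locate expression is replaced by a Python function registered in SQLite, NOW() by an explicit timestamp, and a fourth "valid" bucket is added so that issued = revoked + expired + valid can be verified per federation.

```python
import sqlite3

# Constructed sample rows (not real data): (cn, expiry, revocation_status)
# Assumed CN layout for this example: "<user>.<fed>..." with the federation
# code directly after the first dot, which is what the page's substr/locate
# expression extracts.
SAMPLE_CERTS = [
    ("u1.pl.example", "2019-09-01 00:00:00", "NOT_REVOKED"),  # PL: still valid
    ("u2.pl.example", "2019-01-01 00:00:00", "REVOKED"),      # PL: revoked, also past expiry
    ("u3.pl.example", "2019-02-01 00:00:00", "NOT_REVOKED"),  # PL: expired
    ("u4.lu.example", "2019-12-01 00:00:00", "NOT_REVOKED"),  # LU: still valid
    ("u5.lu.example", "2019-12-01 00:00:00", "REVOKED"),      # LU: revoked before expiry
    ("u6.am.example", "2019-03-01 00:00:00", "NOT_REVOKED"),  # AM: expired (lowercase fed)
]


def fed_from_cn(cn: str) -> str:
    """Python equivalent of ucase(substr(substr(cn, locate('.', cn)+1), 1, 2)).

    MySQL locate() returns 0 when there is no dot, in which case substr(cn, 1)
    is the whole string; mirror that instead of raising.
    """
    dot = cn.find(".")
    rest = cn[dot + 1:] if dot >= 0 else cn
    return rest[:2].upper()


def kpi_counts(rows, now):
    """Run the page's three KPI queries (plus a 'valid' bucket) on SQLite.

    `now` is an ISO timestamp string standing in for MySQL's NOW(), so the
    result is deterministic. Returns {bucket: {fed: count}}.
    """
    conn = sqlite3.connect(":memory:")
    conn.create_function("userfed", 1, fed_from_cn)
    conn.execute(
        "CREATE TABLE silverbullet_certificate "
        "(cn TEXT, expiry TEXT, revocation_status TEXT)"
    )
    conn.executemany("INSERT INTO silverbullet_certificate VALUES (?, ?, ?)", rows)

    base = "SELECT userfed(cn), count(*) FROM silverbullet_certificate {where} GROUP BY userfed(cn)"
    issued = dict(conn.execute(base.format(where="")))
    revoked = dict(conn.execute(base.format(where="WHERE revocation_status = 'REVOKED'")))
    expired = dict(conn.execute(
        base.format(where="WHERE expiry < ? AND revocation_status = 'NOT_REVOKED'"), (now,)))
    valid = dict(conn.execute(
        base.format(where="WHERE expiry >= ? AND revocation_status = 'NOT_REVOKED'"), (now,)))
    conn.close()
    return {"issued": issued, "revoked": revoked, "expired": expired, "valid": valid}


def partition_holds(counts):
    """True if, for every federation, issued == revoked + expired + valid.

    A failure here would mean the three page queries double-count or miss
    certificates (e.g. if 'expired' forgot the NOT_REVOKED condition).
    """
    for fed, total in counts["issued"].items():
        parts = sum(counts[b].get(fed, 0) for b in ("revoked", "expired", "valid"))
        if parts != total:
            return False
    return True


if __name__ == "__main__":
    result = kpi_counts(SAMPLE_CERTS, "2019-03-20 00:00:00")
    for bucket, per_fed in result.items():
        print(bucket, sorted(per_fed.items(), key=lambda kv: -kv[1]))
    print("partition consistent:", partition_holds(result))
```

Running it with the constructed rows gives PL: 3 issued / 1 revoked / 1 expired / 1 valid, LU: 2 / 1 / 0 / 1 and AM: 1 / 0 / 1 / 0; the PL certificate that is both revoked and past its expiry lands only in "revoked", which is the rule the page states for the expired count.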
Interplay of the eduroam Managed IdP system components
eduroam Managed IdP includes multiple components which need to interwork correctly for the service as a whole to work. The following external dependencies between the components exist:
eduroam Managed IdP web frontend → OCSP responder
The web frontend issues OCSP statements for each certificate known to the system via a cron job (see the documentation on GitHub above). Make sure the cron job is running and verify that the updated statements end up in the correct directory on the OCSP responder.
eduroam Managed IdP web frontend → CAT code signing cluster
The web frontend creates installers for Windows, macOS and iOS which must be digitally signed. The actual signing of the files is offloaded to the existing eduroam CAT code signing cluster (machines located on SURFnet premises). Make sure HTTPS traffic from the web frontend to the signing cluster is allowed.
eduroam Managed IdP RADIUS Server → OCSP responder
The RADIUS server queries the OCSP responder during every user authentication. Make sure HTTP communication between the RADIUS server and the OCSP responder is possible.
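The check "verify that updated statements end up in the correct directory on the OCSP responder" can be scripted. The following added example (not part of the original page and not CAT's own tooling) walks the responder's statement directory and reports, for a list of expected certificate serials, which statements are missing and which are older than the cron interval; a stale statement means the RADIUS server will eventually see an outdated revocation status for that certificate. The file naming "<serial>.der" and the serials used are assumptions for this example, not CAT's documented layout.

```python
import os
import tempfile
import time
from pathlib import Path


def check_ocsp_statements(statement_dir, expected_serials, max_age_seconds, now=None, suffix=".der"):
    """Classify each expected serial as 'fresh', 'stale' or 'missing'.

    Assumption for this example: the cron job writes one file per certificate,
    named <serial><suffix>, into statement_dir. A file older than
    max_age_seconds means the cron job has not refreshed it recently enough.
    """
    now = time.time() if now is None else now
    directory = Path(statement_dir)
    report = {"missing": [], "stale": [], "fresh": []}
    for serial in sorted(expected_serials):
        statement = directory / f"{serial}{suffix}"
        if not statement.is_file():
            report["missing"].append(serial)
        elif now - statement.stat().st_mtime > max_age_seconds:
            report["stale"].append(serial)
        else:
            report["fresh"].append(serial)
    return report


def healthy(report):
    """The dependency is satisfied only if every statement exists and is fresh."""
    return not report["missing"] and not report["stale"]


def demo():
    """Build a constructed statement directory and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        # Constructed fixtures: one statement refreshed 10 minutes ago, one
        # last refreshed three days ago, and serial 01A5 has no file at all.
        for serial, age_seconds in (("01A3", 600), ("01A4", 3 * 86400)):
            path = Path(tmp) / f"{serial}.der"
            path.write_bytes(b"placeholder")  # not a real OCSP response
            os.utime(path, (now - age_seconds, now - age_seconds))
        return check_ocsp_statements(
            tmp, ["01A3", "01A4", "01A5"], max_age_seconds=86400, now=now
        )


if __name__ == "__main__":
    result = demo()
    print(result)
    print("OCSP statement directory healthy:", healthy(result))
```

On a real responder the serial list would come from the silverbullet_certificate table queried above and max_age_seconds would be set just above the cron job's interval, so the check flags a stalled job before the statements it produces reach their nextUpdate time.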