High-Level Architectural Overview
The following is a UML Deployment Diagram of the service components.
This page is holding information about requirements for eduroam Managed IdP operations, in terms of required infrastructure and resources.
...
Infrastructure Requirements
Indicate requirements for VMs, grouping the requirements for multiple VMs in one column. Add as many columns as necessary, adding the sensible distinguisher for each group that will make it easier for later reference.
VM requirements | Web Frontend | RADIUS | OCSP Responder | Client Root CA |
---|---|---|---|---|
Description of usage | provides the web frontend functionality including creation of keys, certificates and OCSP statements. | authenticates EAP sessions. | serves OCSP statements on request of RADIUS | end user certificates are issued from an online issuing CA, which is rooted in a root CA which should have minimum risk of compromise. |
Number of VMs with same specification | 1 | 2 (preferably in two different datacenters for disaster resilience) | 1 | 1 (hardware, not VM) |
Hardware requirements (CPU, RAM, disk space) | 2 CPU, 1G RAM, 30 GB disk | 1 CPU, 512 MB RAM, 30 GB disk | 1 CPU, 512 MB RAM, 30 GB disk | Raspberry Pi 3+ (with hardware random number generator) |
Network connection requirements | incoming TCP/443 (from world) | incoming TCP/2083 (from world) | incoming TCP/80 (from world) | none; system is operated offline |
IP addressing requirements (IPv4, IPv6, public routable) | yes, yes, yes | yes, yes, yes | yes, yes, yes | no, no, no |
IP addresses |
|
|
| N/A |
Naming requirements1 | DNS name: "hosted.eduroam.org" (A/AAAA, plus matching PTR) | DNS name: "auth-1/2.hosted.eduroam.org" (A/AAAA, plus matching PTR) NAPTR: *.hosted.eduroam.org (wildcard!) SRV: _radsec._tcp.hosted.eduroam.org. | DNS name: "ocsp.hosted.eduroam.org" (A/AAAA, plus matching PTR) | N/A |
Other resource requirements | SMS Gateway |
---|---|
Indicate which ones together with their specifics | needs an account on www.nexmo.com and sufficient funds to send SMSes account should be created with an email address that is read to receive "low balance" alerts, alternatively enable the feature "Auto reload" the accounts "key" and "secret" go into the product configuration ( CONFIG_CONFASSISTANT['SMSSETTINGS'] ) |
Infrastructure hosting requirements
Hosting requirements | Applying to Web Frontend | Applying to RADIUS | Applying to OCSP Responder |
---|---|---|---|
Availability | 99.9% | 99.999% for the cluster as a whole NAPTR/SRV records make sure that uptime is assured if at least 1 server is up | 99.9% |
Backup (what, frequency, retention period) | What: database contents, product configuration, product logs Frequency: once per day Period: 1 month | server configuration, authentication log Frequency: hourly Period: 6 months (this is recommendation of eduroam Service Definition) | Apache configuration, content of OCSP directory Frequency: hourly Period: 1 month |
Monitoring and alerting1 | IPv4 and IPv6 reachability HTTPS on IPv4 and IPv6 MariaDB server running? memory and disk usage | IPv4 IPv4 and IPv6 reachability RADIUS process (Status-Server via RADIUS/TLS; needs Icinga monitoring script) memory and disk usage | IPv4 and IPv6 reachability HTTP on IPv4 and IPv6 memory and disk usage |
Measuring and Reporting2 | number of institutions enrolled, monthly number of eduroam credentials created, monthly (both figures can be read from UI, cumulative; automated SQL queries can be crafted upon request) | N/A | N/A |
Log retention3 | for each month, 1 of the database backups should be retained "forever" product logs should be retained for 6 months | 6 months (this is recommendation of eduroam Service Definition) | not needed (1 day for debugging) |
Security policy for access and usage4 | The log and database should be accessible only to OT personnel. There thereis next to no PII in the log files or database - limited to ePTID of administrators and local (opaque) identifiers of end users. They can only be traced back to actual humans with out-of-band processes involving the IdP administrator in person. So, no particular restrictions needed? | The authentication logs should be accessible only to OT personnel. They the authentication logscontain pseudonyms of the local (opaque) identifiers of end users. They can only be traced back to actual humans with out-of-band processes involving the IdP administrator in person. So, no particular restrictions needed?the authentication | The authentication logs should be accessible only to OT personnel. They logscontain pseudonyms of the local (opaque) identifiers of end users. They can only be traced back to actual humans with out-of-band processes involving the IdP administrator in person. So, no particular restrictions needed? |
1 At minimum network accessibility (outside of LAN) and hardware resource usage must be monitored. Indicate if some of this resources can be deemed critical so that adequate thresholds for alerting are implemented. Additional, indicate which specific applications uptime and operational health must be monitored and alerting implemented.
2Define what should be measured, how and with what period in order to deliver appropriate reporting relating to KPIs, usage, etc.
4Define the policy for limiting accessing to the infrastructure piece and where it should be implemented (system level, network level etc.)
System and Application maintenance requirements
System and Application Requirements | Applying to Web Frontend | Applying to RADIUS | Applying to OCSP Responder |
---|---|---|---|
Operating system | RHEL / CentOS 7 | RHEL / CentOS 7 | RHEL / CentOS 7 |
Applications1 | Apache 2, PHP7, MariaDB, haveged | FreeRADIUS 3 | Apache 2, PHP7 |
Maintenance hours2 | product is used world-wide - there is never a good time | any time so long as one cluster member remains in service at all times | any time |
Configuration management3 | currently none (Git desirable) | currently none (Git desirable) | currently none (Git desirable) |
1 List the applications installed on a system, and add corresponding licenses where applicable.
2 Define window appropriate for regular maintenance. /give some recommendations
3 Applies for automatized configuration management. Describe system used.
Human resources requirementsrequirements
Indicate requirements both in skills and manpower needed, for personnel needed for devops team (that maintains service specific applications) and for L2 support.
Human resources requirements
add_distinguisher
Description |
---|
Manpower |
Recommended number of persons (considering backups) |
Skills | ||||
Operations FTE, inc CSI | 0.2 FTE | 2 | eduroam OT member | |
---|---|---|---|---|
1st level support (production) | 0.2 FTE max. 50 tickets per month. Estimate 30 mins per ticket, so 25 hours per month = roughly just under 0.2 FTE | 2 | GEANT FLS / eduroam OT member | |
2nd level support (production) | 0.1 FTE. Estimate 10% of L1 tickets escalated, so 5 tickets per month at 2 hours per ticket. | 2 | eduroam OT member / development team member | |
Service mgr for production (the contracts with participating NRENs etc.) | 0.1 FTE | 1 | eduroam SM |