High-Level Architectural Overview


The following is a UML Deployment Diagram of the service components.


Infrastructure Requirements

Indicate requirements for VMs, grouping the requirements for multiple VMs in one column. Add as many columns as necessary, adding a sensible distinguisher for each group that will make it easier for later reference.

VM requirements

Web Frontend
  • Description of usage: provides the web frontend functionality, including creation of keys, certificates and OCSP statements.
  • Number of VMs with same specification: 1
  • Hardware requirements (CPU, RAM, disk space): 2 CPU, 1 GB RAM, 30 GB disk
  • Network connection requirements: incoming TCP/443 (from world); outgoing TCP/25 (to world); SSH to the OCSP Responder VM
  • IP addressing requirements (IPv4, IPv6, public routable): yes, yes, yes
  • IP addresses: 83.97.93.31, 2001:798:3::133
  • Naming requirements (1): DNS name "hosted.eduroam.org" (A/AAAA, plus matching PTR)

RADIUS
  • Description of usage: authenticates EAP sessions.
  • Number of VMs with same specification: 2 (preferably in two different datacenters for disaster resilience)
  • Hardware requirements (CPU, RAM, disk space): 1 CPU, 512 MB RAM, 30 GB disk
  • Network connection requirements: incoming TCP/2083 (from world); TCP/80 to the OCSP Responder
  • IP addressing requirements (IPv4, IPv6, public routable): yes, yes, yes
  • IP addresses (one IPv4/IPv6 pair per server): 83.97.93.56, 2001:798:3::14c; 83.97.93.57, 2001:798:3::14d
  • Naming requirements (1):
      DNS names "auth-1.hosted.eduroam.org" and "auth-2.hosted.eduroam.org" (A/AAAA, plus matching PTR)
      NAPTR for *.hosted.eduroam.org (wildcard!):
        100 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.hosted.eduroam.org.
      SRV for _radsec._tcp.hosted.eduroam.org.:
        0 0 2083 auth-1.hosted.eduroam.org.
        10 0 2083 auth-2.hosted.eduroam.org.

OCSP Responder
  • Description of usage: serves OCSP statements on request of the RADIUS servers.
  • Number of VMs with same specification: 1
  • Hardware requirements (CPU, RAM, disk space): 1 CPU, 512 MB RAM, 30 GB disk
  • Network connection requirements: incoming TCP/80 (from world); SSH from the Web Frontend
  • IP addressing requirements (IPv4, IPv6, public routable): yes, yes, yes
  • IP addresses: 83.97.93.32, 2001:798:3::134
  • Naming requirements (1): DNS name "ocsp.hosted.eduroam.org" (A/AAAA, plus matching PTR)

Client Root CA
  • Description of usage: holds the root of the client-certificate PKI. End-user certificates are issued by an online issuing CA that chains to this root; the root itself is kept on an offline system so that its risk of compromise is as low as possible.
  • Number of systems with same specification: 1 (hardware, not VM)
  • Hardware requirements: Raspberry Pi 3+ (with hardware random number generator)
  • Network connection requirements: none; the system is operated offline
  • IP addressing requirements (IPv4, IPv6, public routable): no, no, no
  • IP addresses: N/A
  • Naming requirements (1): N/A

(1) Applicable if DNS records maintenance is required (naming scheme and type of records).
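The discovery chain that the RADIUS naming requirements describe (wildcard NAPTR, then SRV, then A/AAAA with matching PTR) is easy to get subtly wrong when records are edited by hand, and a broken link in it means no eduroam client can find the servers. The following is an added example, not code from the eduroam product or from the OT's tooling: a Python check that walks the chain the way an RFC 7585 dynamic-discovery client would, over an in-memory copy of the records above, and reports inconsistencies. The zone content is constructed from the table; the pairing of 83.97.93.56 / 2001:798:3::14c with auth-1 and of 83.97.93.57 / 2001:798:3::14d with auth-2, and the realm label "example", are assumptions.

```python
"""Offline consistency check of the RadSec discovery chain
(NAPTR -> SRV -> A/AAAA -> PTR) for realms under hosted.eduroam.org.

Added example for this page, not part of the eduroam product. The zone is
constructed from the records in the table above and answered from a dict,
so no network access is needed. Assumption: the .56/::14c pair belongs to
auth-1 and the .57/::14d pair to auth-2 (the table does not say which).
"""
import ipaddress

RADSEC_PORT = 2083
EDUROAM_SERVICE_TAG = "x-eduroam:radius.tls"   # service tag used in the records above


def _rev(addr):
    """Reverse-mapping owner name (in-addr.arpa / ip6.arpa) for an address."""
    return ipaddress.ip_address(addr).reverse_pointer


# Constructed zone: owner name -> record type -> list of rdata.
ZONE = {
    "*.hosted.eduroam.org": {
        # NAPTR rdata: (order, preference, flags, service, regexp, replacement)
        "NAPTR": [(100, 10, "s", EDUROAM_SERVICE_TAG, "",
                   "_radsec._tcp.hosted.eduroam.org")],
    },
    "_radsec._tcp.hosted.eduroam.org": {
        # SRV rdata: (priority, weight, port, target)
        "SRV": [(0, 0, 2083, "auth-1.hosted.eduroam.org"),
                (10, 0, 2083, "auth-2.hosted.eduroam.org")],
    },
    "auth-1.hosted.eduroam.org": {"A": ["83.97.93.56"], "AAAA": ["2001:798:3::14c"]},
    "auth-2.hosted.eduroam.org": {"A": ["83.97.93.57"], "AAAA": ["2001:798:3::14d"]},
    # matching PTR records (assumed auth-1/auth-2 assignment, see module docstring)
    _rev("83.97.93.56"): {"PTR": ["auth-1.hosted.eduroam.org"]},
    _rev("2001:798:3::14c"): {"PTR": ["auth-1.hosted.eduroam.org"]},
    _rev("83.97.93.57"): {"PTR": ["auth-2.hosted.eduroam.org"]},
    _rev("2001:798:3::14d"): {"PTR": ["auth-2.hosted.eduroam.org"]},
}


def lookup(zone, name, rtype):
    """Return the rdata list for name/rtype. If the name does not exist in the
    zone, fall back to the owner with the leftmost label replaced by '*', which
    is how the *.hosted.eduroam.org NAPTR is hit for any realm under it."""
    name = name.rstrip(".").lower()
    rrs = zone.get(name)
    if rrs is None:
        rrs = zone.get("*." + name.split(".", 1)[1], {}) if "." in name else {}
    return rrs.get(rtype, [])


def discover_radsec(zone, realm, service=EDUROAM_SERVICE_TAG):
    """RFC 7585-style discovery: NAPTR for the realm, keep 's' records with the
    wanted service tag, follow the replacement to SRV, resolve the targets.
    Returns servers in (priority, weight) order."""
    servers = []
    for order, pref, flags, svc, regexp, repl in sorted(lookup(zone, realm, "NAPTR")):
        if svc != service or "s" not in flags.lower() or regexp:
            continue  # other service, or not an SRV-terminal record
        for prio, weight, port, target in sorted(lookup(zone, repl, "SRV")):
            servers.append({"host": target.rstrip("."), "port": port,
                            "addrs": lookup(zone, target, "A") + lookup(zone, target, "AAAA")})
    return servers


def check_records(zone, realm):
    """Return a list of problems (empty when the chain is consistent): at least
    one server, the RadSec port, both address families, and PTRs that match."""
    problems = []
    servers = discover_radsec(zone, realm)
    if not servers:
        problems.append(f"{realm}: no RADIUS/TLS server discoverable via NAPTR/SRV")
    for s in servers:
        if s["port"] != RADSEC_PORT:
            problems.append(f"{s['host']}: SRV port {s['port']} is not {RADSEC_PORT}")
        if {ipaddress.ip_address(a).version for a in s["addrs"]} != {4, 6}:
            problems.append(f"{s['host']}: needs both an A and an AAAA record")
        for a in s["addrs"]:
            ptr = [p.rstrip(".") for p in lookup(zone, _rev(a), "PTR")]
            if ptr != [s["host"]]:
                problems.append(f"{a}: PTR {ptr} does not match {s['host']}")
    return problems


def with_override(zone, name, rrs):
    """Copy of the zone with one owner name replaced, for what-if checks."""
    return {**zone, name: rrs}


if __name__ == "__main__":
    realm = "example.hosted.eduroam.org"   # constructed realm under the wildcard
    for server in discover_radsec(ZONE, realm):
        print(server)
    print("problems:", check_records(ZONE, realm) or "none")
```

Run as a script it prints the two discovered servers and "problems: none". To check the live zone, replace lookup() with real DNS queries (for instance via dnspython) and keep the rest; with_override() lets you preview what a planned record change would do to the chain before it is pushed.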

Indicate other specific-to-your-service resource requirements. Add as many columns as necessary, adding a sensible distinguisher for each group that will make it easier for later reference.

Other resource requirements

Indicate which ones, together with their specifics.

SMS Gateway
  • needs an account on www.nexmo.com and sufficient funds to send SMSes
  • the account should be created with an email address that is actually read, so that "low balance" alerts are acted on; alternatively, enable the "Auto reload" feature
  • the account's "key" and "secret" go into the product configuration ( CONFIG_CONFASSISTANT['SMSSETTINGS'] )

Infrastructure hosting requirements

Indicate requirements for infrastructure hosting, scoping by the above indicated infrastructure elements, as necessary.

Hosting requirements

Applying to Web Frontend
  • Availability: 99.9%
  • Backup (what, frequency, retention period): database contents, product configuration, product logs; once per day; retained for 1 month
  • Monitoring and alerting (1): IPv4 and IPv6 reachability; HTTPS on IPv4 and IPv6; MariaDB server running; memory and disk usage
  • Measuring and Reporting (2): number of institutions enrolled, monthly; number of eduroam credentials created, monthly (both figures can be read from the UI as cumulative counts; automated SQL queries can be crafted upon request)
  • Log retention (3): for each month, one of the database backups should be retained "forever"; product logs should be retained for 6 months
  • Security policy for access and usage (4): the logs and the database should be accessible only to OT personnel. There is next to no PII in the log files or database; it is limited to the ePTID of administrators and the local (opaque) identifiers of end users, which can only be traced back to actual humans with out-of-band processes involving the IdP administrator in person.

Applying to RADIUS
  • Availability: 99.999% for the cluster as a whole. Clients discover both servers through the NAPTR/SRV records and fail over between them, so the service stays available as long as at least one server is up.
  • Backup (what, frequency, retention period): server configuration, authentication log; hourly; retained for 6 months (the retention recommended by the eduroam Service Definition)
  • Monitoring and alerting (1): IPv4 and IPv6 reachability; RADIUS process (Status-Server via RADIUS/TLS; needs an Icinga monitoring script); memory and disk usage
  • Measuring and Reporting (2): N/A
  • Log retention (3): 6 months (the retention recommended by the eduroam Service Definition)
  • Security policy for access and usage (4): the authentication logs should be accessible only to OT personnel. They contain pseudonyms of the local (opaque) identifiers of end users, which can only be traced back to actual humans with out-of-band processes involving the IdP administrator in person.

Applying to OCSP Responder
  • Availability: 99.9%
  • Backup (what, frequency, retention period): Apache configuration, content of the OCSP directory; hourly; retained for 1 month
  • Monitoring and alerting (1): IPv4 and IPv6 reachability; HTTP on IPv4 and IPv6; memory and disk usage
  • Measuring and Reporting (2): N/A
  • Log retention (3): not needed (1 day for debugging)
  • Security policy for access and usage (4): same as for RADIUS

(1) At minimum, network accessibility (from outside the LAN) and hardware resource usage must be monitored. Indicate if some of these resources can be deemed critical, so that adequate thresholds for alerting are implemented. Additionally, indicate which specific applications' uptime and operational health must be monitored and alerted on.

(2) Define what should be measured, how and with what period, in order to deliver appropriate reporting relating to KPIs, usage, etc.

(3) Define which logs should be kept in order to have debugging data and data in case of misuse of the service, and how long logs should be retained.

(4) Define the policy for limiting access to the infrastructure piece and where it should be implemented (system level, network level, etc.).
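The RADIUS monitoring row calls for a Status-Server probe over RADIUS/TLS rather than a plain TCP check, because a host whose TLS port accepts connections may still have a hung FreeRADIUS behind it. The packet-level part of such a probe is shown below as an added example (Python; not the OT's Icinga script and not FreeRADIUS code): it builds an RFC 5997 Status-Server request with the mandatory Message-Authenticator, and checks a reply's Response Authenticator and Message-Authenticator before the server is declared healthy. It uses the fixed RADIUS/TLS shared secret "radsec" from RFC 6614 and is exercised offline against a locally built reply; the TLS connection to TCP/2083 with the monitoring host's client certificate is outside what is shown here.

```python
"""RADIUS Status-Server probe packets (RFC 5997) for a RADIUS/TLS health
check, as the monitoring row above requires.

Added example for this page, not the eduroam OT's Icinga script. Only the
packet handling is shown, exercised offline against a locally built reply; a
real probe would send the request over a TLS connection to TCP/2083 and feed
the bytes it reads back into verify_response(). The shared secret "radsec" is
the fixed value RFC 6614 mandates for RADIUS/TLS.
"""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ACCOUNTING_RESPONSE = 5
STATUS_SERVER = 12
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 3579: 16-byte HMAC-MD5, TLV length 18
RADSEC_SECRET = b"radsec"          # RFC 6614
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def _attributes(packet):
    """Yield (type, offset, length) per attribute TLV; refuse truncated or
    overlapping TLVs rather than reading past the buffer."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("attribute length out of range")
        yield atype, pos, alen
        pos += alen


def _message_authenticator(packet, authenticator, secret):
    """Expected Message-Authenticator: HMAC-MD5 over the packet with the header
    authenticator replaced by `authenticator` (the Request Authenticator, also
    for replies) and the attribute's own value zeroed (RFC 3579 section 3.2).
    Returns (expected, claimed), or (None, None) if the attribute is absent."""
    for atype, off, alen in _attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("malformed Message-Authenticator")
            zeroed = (packet[:4] + authenticator + packet[20:off + 2]
                      + bytes(16) + packet[off + 18:])
            return hmac.new(secret, zeroed, hashlib.md5).digest(), packet[off + 2:off + 18]
    return None, None


def build_status_server(identifier, request_authenticator, secret=RADSEC_SECRET):
    """Client side. RFC 5997 requires a Message-Authenticator in every
    Status-Server, so the packet is the 20-byte header plus that one attribute."""
    unsigned = (HEADER.pack(STATUS_SERVER, identifier, 38, request_authenticator)
                + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16))
    return unsigned[:22] + hmac.new(secret, unsigned, hashlib.md5).digest()


def build_response(request, code=ACCESS_ACCEPT, secret=RADSEC_SECRET):
    """Server side, used here only to produce a reply to test against.
    Message-Authenticator first, computed with the Request Authenticator in
    the header; then the Response Authenticator, MD5 over
    Code|ID|Length|RequestAuth|Attributes|Secret (RFC 2865 section 3)."""
    identifier, request_authenticator = request[1], request[4:20]
    unsigned = (HEADER.pack(code, identifier, 38, request_authenticator)
                + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16))
    attrs = unsigned[20:22] + hmac.new(secret, unsigned, hashlib.md5).digest()
    response_authenticator = hashlib.md5(unsigned[:4] + request_authenticator + attrs + secret).digest()
    return HEADER.pack(code, identifier, 38, response_authenticator) + attrs


def verify_response(response, request, secret=RADSEC_SECRET):
    """Client side. True only for a well-formed reply to this request with a
    valid Response Authenticator and, if present, a valid Message-Authenticator.
    Anything else (truncated read, wrong secret, spoofed or replayed reply)
    is False and should be reported as the server being down."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    if code not in (ACCESS_ACCEPT, ACCOUNTING_RESPONSE):
        return False
    request_authenticator = request[4:20]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    try:
        expected_mac, claimed_mac = _message_authenticator(response, request_authenticator, secret)
    except ValueError:
        return False
    return expected_mac is None or hmac.compare_digest(expected_mac, claimed_mac)


if __name__ == "__main__":
    probe = build_status_server(1, os.urandom(16))  # fresh random Request Authenticator
    reply = build_response(probe)                    # stands in for the server's answer
    print("Status-Server:", probe.hex())
    print("Access-Accept:", reply.hex())
    print("healthy:", verify_response(reply, probe))
```

In an Icinga plugin the bytes read from the TLS socket go into verify_response(); any False (timeout, wrong secret, mangled or spoofed reply) maps to CRITICAL, so a server that completes the TCP and TLS handshakes but no longer processes RADIUS is not reported as up. The identifier and the random Request Authenticator tie each reply to its own probe, which is what stops a replayed Access-Accept from counting as a fresh answer.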

System and Application maintenance requirements

Indicate requirements for system and application maintenance, scoping by the indicated infrastructure elements, as necessary.

System and Application Requirements

Applying to Web Frontend
  • Operating system: RHEL / CentOS 7
  • Applications (1): Apache 2, PHP 7, MariaDB, haveged
  • Maintenance hours (2): the product is used world-wide, so there is never a good time
  • Configuration management (3): currently none (Git desirable)

Applying to RADIUS
  • Operating system: RHEL / CentOS 7
  • Applications (1): FreeRADIUS 3
  • Maintenance hours (2): any time, so long as one cluster member remains in service at all times
  • Configuration management (3): currently none (Git desirable)

Applying to OCSP Responder
  • Operating system: RHEL / CentOS 7
  • Applications (1): Apache 2, PHP 7
  • Maintenance hours (2): any time
  • Configuration management (3): currently none (Git desirable)

(1) List the applications installed on a system, and add corresponding licenses where applicable.

(2) Define a window appropriate for regular maintenance, or give some recommendations.

(3) Applies to automated configuration management. Describe the system used.

Human resources requirements

Indicate requirements both in skills and in manpower for the personnel of the devops team (which maintains the service-specific applications) and for L2 support.

Operations FTE, inc. CSI
  • Manpower: 0.2 FTE
  • Recommended number of persons (considering backups): 2
  • Skills: eduroam OT member

1st level support (production)
  • Manpower: 0.2 FTE. Max. 50 tickets per month; estimating 30 minutes per ticket gives 25 hours per month, roughly just under 0.2 FTE.
  • Recommended number of persons (considering backups): 2
  • Skills: GEANT FLS / eduroam OT member

2nd level support (production)
  • Manpower: 0.1 FTE. Estimating that 10% of L1 tickets are escalated gives 5 tickets per month at 2 hours per ticket.
  • Recommended number of persons (considering backups): 2
  • Skills: eduroam OT member / development team member

Service manager for production (the contracts with participating NRENs etc.)
  • Manpower: 0.1 FTE
  • Recommended number of persons (considering backups): 1
  • Skills: eduroam SM

 




