May Plan completion
Success: Critical servers have all been moved to the Netherlands on 1st October. Critical systems team has taken over system admin tasks from Philipp Gühring. Downtime was limited to only one day.
Participants in this action plan are thanked for their cooperation. Sonance/FunkFuer, Mobach Systems, Oophaga Foundation are thanked for their support.
Rootkey Generation: Root Key generation was planned and exercised at low priority. A Root Key and Sub-Root Key generation sub-committee has been set up by the CAcert board to have keys generated at a meeting on 27-28th of November 2008.
15th of October 2008: Reflector CAcert machine turned off. Sonance/Funkfuer are thanked for their support. End of contract Sonance/Funkfuer-CAcert.
May Plan Update planning details
For the May Plan 2008 update email see: Rehosting/MayPlanUpdate.
The CAcert Rehosting days (CR-day) is scheduled to happen in "one" day:
Mon 29th of Sep 19:00 backups in Vienna (some temp down times)
Tue 30th of Sep is planned as travel day to Holland. 7:30 to stop systems.
Wed 1 Oct first day (hopefully successful) full day at BIT. Requires Oophaga presence. The off-BIT location is Mobach Systems in Echteld. 09:00 start installation at BIT, afternoon tests at Mobach.
Thu 2 Oct operational overview, may require visit to BIT. Requires ad hoc Oophaga presence. Location Mobach Systems.
Fri 3 Oct operational overview, may only require short visit to BIT for round up. Oophaga event call presence. Evening party for all eight participants in CR-day near Ede. On success 1-2 Oct, start key generation at location Mobach (or third party), afternoon installation of new root key CAcert. 6 pm closing party in Wambuis.
Sat 4 Oct travel home or extension day Oophaga event call presence
If there are any disasters that occur, we will have to fix them on the spot, there and then in Netherlands/Ede.
If this takes more than 4 days, then ... it will take more than 4 days. During that entire time the services will be down.
Participants on CR-Day are asked to be flexible on how many days they can make available.
Oophaga is asked to inform BIT and schedule Oophaga support presence. Inform BIT of visit(s) (Action by Rudi's). Done by teus 12 Sep. Hans will provide access to location and rack.
Locations
- Hotel accommodation (see below) will be close to Ede (hotel has wifi internet access).
- Fall back on accommodation is Teus home, address: de Bisweide 26, 5971AZ Grubbenvorst (close to Venlo, all highway to BIT/Ede). Grubbenvorst is 1.5 hour away from BIT location.
- BIT address: http://www.bit.nl, Galileilaan 19, 6716 BP Ede, +31 318 648688, support@bit.nl
- Mobach Systemshouse location: den Akker 8, 4054 MD Echteld, phone: 0344 617856, www.mobach.nl
- Mobach has wifi and internet access, and room for remote BIT access. Echteld is near Tiel right on the highway A15/E31 (do not use the highway from BIT to Mobach). 15 min drive from Ede.
Budgets
| topic | | | Euro | allocated | Euro |
|---|---|---|---|---|---|
| accommodation | 3 pers X 100 per 4 nights | => | 1200 | | |
| | | | | hotel Tiel | 1136 |
| food | 6 pers X 30 X 5 meals | => | 1500 | | 180 |
| travel | Austria (car)/Paris (railway)/Ede (cars) | => | 1000 | | |
| | | | | train | 200 |
| | | | | car | 318 |
| Friday party | 8-10 persons | => | 800 | | |
| | | | | 8 pers. Wambuis | 580 |
| unforeseen | | => | 500 | | 102 |
| Total | | | 5000 | | 2516 |
- Costs of 5000 Euro to be covered from audit project funding (3K over 2 funding phases) and CAcert (2K)
Costs are reimbursed from central point via Robert Cruikshank and form.
Guillaume has said he would try and be happy to attend. He has the 3-4 days available.
Preparation actions schedule
- Philipp makes system preparations so servers at BIT are tested and only awaiting final data reception.
- (September action by Philipp).
- Backups are done as per current practice. One sealed backup will remain in Vienna (Sonance/Subik).
- (Philipp).
- Sealed backups made available to team in NL as dual channel.
- (Philipp/NL-team-Mendel)
- Systems are shut down under 4 eyes: Tuesday morning 7:30 am MET.
- (Sonance (2X Matthias), Philipp).
- All Disks are extracted and sealed (4e).
- (Sonance/FF, Philipp)
- Disks are transported from FF to BIT (4e).
- (Philipp/Ian)
- Disks delivered to NL team.
- (Philipp/Mendel-Ian)
- Transport team (both) sign off on report.
- (Philipp/Ian)
- Reflector installation for 2 weeks at FF (Philipp/Marco)
Remarks:
- Data will be copied to BIT servers at CR-Day under surveillance of auditor and Oophaga.
- Sonance/FF: Ian has informed and recruited both Matthiases of Sonance/FF (one will travel with Philipp/Ian, one as backup in Vienna).
- CAcert community to be informed of possible down time (blog 22nd Sep): 30th of Sept and 1st of October (maybe 2 days extension).
Action (4 days ahead) to brief community (action by Teus -> Mendel/Henrik)
- URL/site redirection of web site (Philipp, Maurice, Marco). DNS action (Philipp). Marco overviews actions.
Please acknowledge tasks explained and ack preparations/appointments made.
PR: announcement, blog, Press release: taken up by PR team Maurice Kellenaers & Henrik Heigl.
Complete
What is done so far:
- CR-day allocated and agreed by participants. BIT informed, Mobach informed.
- Wytze has briefed Philipp and Mendel on his work.
- Mendel has got Tunix server access credentials, Mendel has been reviewed (Philipp, Guillaume)
- Decision to be taken by CAcert Board for down time and taking Vienna location down on 30th of Sept. (Action completed)
- firewall review by Marco/Philipp.
- progress metering on blog site (Henrik/Maurice).
- procedure for root key generation (CWI/KUN asked for support), policy group for O/CN/OU info on root cert.
Roots Creation
If and only if there is full success (e.g., good preparation, no hold-ups and completely online in 24 hours) CAcert may move to create new Root key with personnel available at that time. Schedule and plan for this needs to be prepared:
see Roots/NewRootsTaskForce for overall doco
Roots/CreationCeremony is the wip process for creating the new root
SecurityManual should be updated with the experience and wisdom generated.
- debate happening on the policy and sysadm lists (Ian is steering this).
- No action needed to inform community, policy group for O/CN/OU info on root cert.
- documentation (observers, reports, video) is requested (for audit and other purposes).
- decisions pending: Root Key structure, teamleader, hardware/software for key generation and password storage.
Board needs to give the final go for Root Key generation. Decision taken, see board decisions m20080903.2
- procedure for root key generation (CWI/KUN asked for support; no reply). Teus/Ian/Guillaume develop scripts/procedure: random seed generation, openssl on std system.
- Guillaume is asked to lead the procedure that day
Bear in mind: creating a new root is a distant last priority to getting the servers fully up and online. It will be dropped in a heartbeat.
Teams and Persons involved
CAcert Dutch team: Wytze (temporary), Mendel, Marco Hermans (remote standby)
CAcert team leader: Philipp
Audit: Ian Grigg
Sonance/Funkfeuer overview Vienna team (dual control): Matthias G, Matthias Subic.
PR team Maurice Kellenaers, Henrik Heigl.
Oophaga support: Rudi v Drunen, Rudi Engelbertink, Hans Verbeek (management Teus)
- Hans (added to Oophaga team) will be present for Oophaga from 1-3 Oct
- BIT has been informed of visit
CAcert board: Teus, Guillaume
- firewall review Marco/Philipp.
It is unwise and not needed to have all persons at BIT all day (most can be on call). Make decision who really needs to be there: Ian, Philipp, one Rudi (access), one NL-team member (eg Mendel).
Hotel accommodation
Hotel location: Hotel Tiel (vd Valk), Laan van Westroyen 10, 4003 AZ Tiel. Reservations made by Teus for CAcert.
- Philipp arrival 30th Sept, depart Saturday
- Ian arrival 30th Sept, depart Saturday (not before it is finished!)
- Guillaume arrival 1st Oct, depart Saturday (30th Sept night in Venlo).
no other reservations.
- Arrangements: breakfast included, included dinner 1st and 2nd of October, internet wifi access present.
travel arrangements
- Philipp: car from Vienna to Ede.
- Ian: travels with Philipp
- Matthias (Sonance) will accompany on travel
- Guillaume railway Paris-Venlo, car Venlo-Ede, railway Amsterdam-Paris.
- teus: car Ede
- Mendel: car Ede (local)
- Wytze: car Ede (local)
- Hans: car Ede (nearly local)
Completion Event
Friday, 3rd of Oct CR-Day party 5 pm near Ede: Action teus:
- participants: Ian, Philipp, Guillaume, Mendel, Wytze, Hans, Teus, ??
pressrelease
Pressrelease / Presseinformation - CAcert Server moving
----- german version see below -----
2008-09-22, Austria, From 29.September 2008 07.00PM till 4.October 2008, the mission-critical systems of CAcert.org will be moving from the current location in Austria to the new location in the Netherlands.
These servers are moved to meet the requirement of the audit for improvement and inclusion with the mainstream browsers and other vendors. The Netherlands location is planned to host the servers in a full dual control and 4 eyes environment, at both physical and logical levels. As an audit requirement, this is essential for balancing the security of certificates. Furthermore, all non-critical systems like the blog and the wiki are already hosted in the Netherlands. This location in the Netherlands fully complies with the audit criteria for secure hosting.
A failure to move these servers has severe consequences for CAcert. If something goes wrong, the chance to pass the audit and the ability to achieve RootKey inclusion in the mainstream browsers will be lost. Also, the Austrian servers will be shut down at the end of October. If there is enough time, a new Rootkey will be created at the new server location.
The plan is that the mission-critical systems will be up and running again within one day. If any disaster occurs during the move, the team has to solve it there and then. An international team of many experts will be working on this relocation project. As well as our CAcert systems people, we will be supported in the Netherlands by people from BIT (ISP), Tunix (firewalls) and Oophaga (CAcert hosting in NL). In Austria, we will be supported by Funkfeuer (ISP) and Sonance (Verein). If the servers are moved successfully, we're back on track with the audit and CAcert can move on.
The CAcert services can be off line on Friday evening, 26th at 19:00 for a brief period for backups and from Wed 1 Oct. 2008 until Sat 4 Oct. 2008. During that time, an alternative page will show the progress. No account changes can be made, nor can new certificates be issued or Assurer work be done. So please be aware of that down period. CAcert will inform all users via the blog as soon as the services are up and running again.
With the re-hosting of the services to the Netherlands, the user data will be secured, be sealed and overviewed by multiple security experts. The user data will remain within the EU jurisdiction and privacy laws.
For more information you can contact CAcert at the following options
Contact information press related:
Henrik Heigl (Public Relations Officer)– Henrik@CAcert.org
Administrative Contact information:
Teus Hagen (Board Member)– Teus@CAcert.org
----- german version -----
CAcert.org server move
Austria, 24 September 2008: From 29 September 2008, 19:00 in the evening, until 4 October 2008, the system-critical servers of CAcert.org will be relocated from their current position in the data centre in Austria to a new data centre in the Netherlands.
The change of location was necessary to meet the requirements of the audit currently under way, which among other things aims to advance the inclusion of the root certificate in the common standard browsers. The Dutch location was chosen because the servers there can always be supervised by at least 2 persons, i.e. under the four-eyes principle.
Furthermore, all non-critical systems such as the blog and wiki are already hosted in the Netherlands, which made this the logical conclusion.
According to the audit criteria, the new location meets all requirements in terms of security and hosting environment.
If this move were not carried out, it would have severe consequences for CAcert.org. In the event of non-execution, the audit, and with it the goal of general acceptance of CAcert as a fully fledged community-based certification authority, would be called into question. Likewise, the maintenance contracts for the servers in Austria are expiring and the servers will be switched off at the end of October. If the move is carried out quickly and securely as expected, there will also be time to implement the new root key.
The plan provides for the system-critical servers to be functional and ready for use again within one day. Should any irregularity occur during the move, an international administration team of several people is standing by. As well as some CAcert staff, CAcert.org is supported by, among others, the people from BIT (ISP), from Tunix (firewalls) and from Oophaga, which looks after CAcert.org in the Netherlands. In Austria, CAcert.org is supported by Funkfeuer (ISP) and Sonance (association). If the servers are moved successfully, a big step towards completion of the audit has been taken and the audit can continue as planned.
The CAcert services may already be unavailable on Friday evening, 26 September, at around 19:00 for a short backup phase, and then from Wednesday, 1 October 2008 until Saturday, 4 October 2008. During this time we will keep you continuously up to date on the current state of the work on an information page. During this time no account changes are possible, nor can new certificates be issued or assurer activities take place. Please bear this in mind for any activities in this period. CAcert will inform all users via the blog as soon as the services are functional again.
With the re-hosting of the services to the Netherlands, the user data is also moved. It is sealed under the supervision of several security experts, and the transport and the restoration are carried out under the highest security requirements. The user data remains within EU jurisdiction and privacy laws.
For more information please use the following contact information:
Press contact & Public Relations: Henrik Heigl - Henrik@cacert.org
Administrative contact: Teus Hagen - Teus@cacert.org
comments
Any comments are welcomed, but they should be improvements
