infrastructure - rrcat


INFRASTRUCTURE

This indicated that throughput using pooled connections is almost six times faster than with non-pooled connections, and that web applications realize significant performance improvements by using connection pooling instead of no connection pooling.

Using this OCA PKI setup, Digital Certificates have been tested as proof-of-concept for:

Reliable two-factor user authentication - the first factor is proof of possession of the private key and the second factor is validation by OCA that the public key belongs to a specific identity.

SSL communication for web server - the client browser validates the identity of a web server and encrypts the data flow between browser and web server.

The OCA PKI setup will be used for deployment of workflow based applications in the near future.

Figure 1.2.7: Pooled connections throughput

Reported by: Alpana Rajan ([email protected]) and Anil Rawat

1.3: Development in Networking and Communication at RRCAT

A) Email service enhancements:

In our endeavor to improve and secure the email services at RRCAT, the following enhancements were made to the email services setup:

Figure 1.3.1: Email account details view

1) Enhancements to LDAP (Lightweight Directory Access Protocol) setup:

Email accounts at RRCAT are being managed using an LDAP based directory service with "ou=People,o=cat,c=in" as the base Distinguished Name (DN). This setup was upgraded by adding "Account Validity", "Account Status", "Description" and "Internet Access" attributes to each account record. Proper values of these attributes for every account (1800 accounts) were verified and then inserted in the existing database using PHP and shell scripts. Figure 1.3.1 depicts the email account details view showing the newly added attributes.

[Figure 1.3.1 residue: screenshot of an LDAP account entry under o=cat,c=in showing attributes such as gidNumber and the newly added account fields; the remaining values are not recoverable from the scan.]

Figure 1.2.8: Non pooled connections throughput

The Oracle 10g platform provides tightly integrated Oracle Certifying Authority (OCA) and Oracle Single Sign-On. The integration of Single Sign-On with OCA enables a less time consuming setup for SSL communication between client, application server and database server. An Oracle PKI setup needs a combination of robust infrastructure for managing and distributing digital certificates and for enforcing policies related to certificate strength and validity period.

D) Oracle Certifying Authority 10g setup for Digital Certificate based Applications:

Infrastructure for Oracle 10g OCA (Oracle Certifying Authority) has been set up for issuing and managing Digital Certificates. This PKI (Public Key Infrastructure) setup will be used for management of the Digital Certificates that provide the digital identities required to automate Digital Signature based processes.

We have configured the OCA end-user interface so that a certificate which can be imported into the user's internet browser is obtained using Single Sign-On credentials. We have imposed a 1024 bit RSA key length for employees and a 2048 bit RSA key length for servers/PCs. The certificate validity period can also be defined. A unique certificate constraint has also been enabled to prevent OCA from issuing multiple certificates to the same employee.

RRCAT NEWSLETTER Vol. 25 Issue 1, 2012


The email account request form is modified to have these fields for newly created accounts. The addition of these attributes has allowed development of the necessary applications for automatic weeding out of expired accounts, thus enhancing security. The account validity for employee accounts is taken as the superannuation date, while for non-employee accounts it is to be specified by the account holder and approved by the division head with whom the person is working. The above procedure is fully implemented as an automated system, for which the necessary application has been developed and commissioned. Figure 1.3.2 depicts the account validity expiry reminder and deletion alerts generated by the application for weeding out expired accounts. The email alerts are sent to the administrator's inbox.
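The weeding-out procedure above can be illustrated with a small script that reads an LDIF export of the account records, compares each account's validity date with today and produces the two lists that feed the administrator's alert mail. This is an added example written for this page, not RRCAT's application: the page names the attributes only as "Account Validity" and "Account Status", so the LDAP attribute names accountValidity and accountStatus, the 30-day reminder window, the "today" date and the sample entries are all assumptions made here.

```python
"""Expiry reminders and deletion alerts for LDAP e-mail accounts.

Added example, not RRCAT's application. The attribute names
accountValidity/accountStatus, the 30-day reminder window, the fixed
"today" and the LDIF sample below are assumptions made for this example.
"""
from datetime import datetime, timedelta, timezone

# Constructed LDIF export (not real RRCAT data) of entries under the base DN
# named on the page. accountValidity holds an LDAP GeneralizedTime.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,o=cat,c=in
uid: alice
accountStatus: active
accountValidity: 20280131000000Z
description: employee; validity = superannuation date

dn: uid=bob,ou=People,o=cat,c=in
uid: bob
accountStatus: active
accountValidity: 20120115000000Z
description: project trainee; validity approved by division head

dn: uid=carol,ou=People,o=cat,c=in
uid: carol
accountStatus: active
accountValidity: 20111201000000Z
description: former trainee
"""

# Constructed "today" for the run so that the example is reproducible offline.
NOW = datetime(2012, 1, 5, tzinfo=timezone.utc)


def parse_ldif(text):
    """Split a minimal LDIF dump into entries; blank lines separate entries."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """LDAP GeneralizedTime in its common YYYYMMDDHHMMSSZ form -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify_accounts(ldif_text, now, reminder_days=30):
    """Return (reminders, deletions).

    reminders: uids whose validity ends within reminder_days of `now`
    deletions: uids whose validity has already passed (candidates for weeding out)
    """
    reminders, deletions = [], []
    horizon = now + timedelta(days=reminder_days)
    for entry in parse_ldif(ldif_text):
        validity = parse_generalized_time(entry["accountValidity"])
        if validity <= now:
            deletions.append(entry["uid"])
        elif validity <= horizon:
            reminders.append(entry["uid"])
    return reminders, deletions


def admin_alert(reminders, deletions, reminder_days=30):
    """Body of the e-mail alert destined for the administrator's inbox."""
    lines = [
        f"Accounts expiring within {reminder_days} days: {', '.join(reminders) or 'none'}",
        f"Accounts past validity (to be archived and deleted): {', '.join(deletions) or 'none'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(admin_alert(*classify_accounts(SAMPLE_LDIF, NOW)))
```

Run daily from cron against a fresh `ldapsearch -LLL` export, the script reports bob (validity 15 January 2012) as a reminder and carol (validity already passed) as a deletion candidate; an account whose validity is a future superannuation date, like alice, produces nothing.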


For modification and deletion of email accounts, web based interfaces have been developed in-house - using LDAP APIs (Application Programming Interfaces) and the PHP language - and packaged as a software. The software has an administrative and a guest interface. The administrative interface has different modules - a) Email account modification module: It is used to modify account attributes like "Account validity", "Account status", "Description" and "Internet status". Figure 1.3.4 depicts the web based email account modification interface.

Fig. 1.3.4: Email Account modification web interface


b) Email account deletion module: It is used to archive and delete inactive accounts. Figure 1.3.5 depicts the email account deletion web interface.


Fig. 1.3.2: Account validity expiry reminder and deletion alert

Fig. 1.3.5: Email Account deletion web interface

2) Development of Web interfaces for Email account administration:

For creation of email accounts the open-source package PHPLDAP Admin (version 0.9.3) is being used at RRCAT. The package has been enhanced and the account creation plugin has been modified to make it work as per our account creation policy. Figure 1.3.3 depicts the web based email account creation interface, listing all the attributes required to be filled up at the time of account creation.

c) Email account search module: It is used to search for email accounts based on various LDAP attributes, like UID (User Identifier), ccno, group, description and account status. Various reporting options have also been developed to generate lists of email accounts based on the search options. The Guest Interface is available to view various account reports. This development helps in better email administration by providing convenient and user friendly web interfaces for email account administration and management. Figure 1.3.6 depicts the search module interface.

Fig. 1.3.6: Email Account data search web interface

3) Development of unlock overquota email account application:

Fig. 1.3.3: Email Account creation interface

For smooth functioning of the email services, RRCAT has an overquota account locking policy. A fixed disk quota has been assigned to every user account and user email accounts are automatically locked in case of overquota. In the earlier system, users were required to contact the email administrator to unlock such email accounts. A new


[Figure 1.3.9 residue: squint report screenshots with panels "Daily report", "Weekly reports" and "Monthly reports" (columns Date, Minutes, Sites, Pages, Size) and a "Time of day usage pattern (number of minutes per hour that this user browses the internet)" table by hour of day; the individual values are not recoverable from the scan.]

Figure 1.3.9: Users daily, weekly and monthly Internet access reports

B) Commissioning of a new Failover and load balanced proxy server setup:

The new proxy server setup at RRCAT has been implemented to provide a high speed, authenticated and redundant internet proxy service to the users at RRCAT. The main objective of the implemented scheme is to maximize the utilization of two load balanced internet links of 34 Mbps (1:4 shared) capacity each, with uninterrupted operation, without any performance degradation and with minimal administrative intervention. The access log files generated by the SQUID proxy servers are used for generating graphical pages with the squint-0.3.18 package for analysis of internet usage and utilization.

Two servers have been configured with CentOS 6.0 and the latest SQUID proxy software (Version 3.2.0.13). Each server has been configured to run four squid processes to serve proxy requests, so as to achieve the best response time. Each squid process uses its own cache memory and generates an individual log file. The multiple log files generated in the process are sorted and merged together for storing a consolidated access log. The Ultra Monkey based load balancing package of the Linux OS has been used for failover and load balanced operation. Figures 1.3.9 and 1.3.10 depict typical log processing performed on the actual proxy server after the new setup deployment.

4) Development of Password change reminder application:

RRCAT has an email password policy. As per the policy, users are required to change the password of their single sign-on id (used to access email, Internet and RRCATInfonet services) at least once in six months. If a user does not change the password for six months, it expires six months after the last change. Users can change their password by using the option available on the email login page. To help the user remember the requirement to change the password, a first reminder mail is sent one month prior to the date of password expiry. Second and third reminders are sent fifteen days and one day prior to the date of expiry of the password. In case the user still fails to change the password, access to email and other services is blocked, but the user can still change the password by using the change password option. The password policy is available for reference at: http://cati.cat.ernet.in/catintra/nhtml/chpass.html.

The above procedure is fully implemented as an automated system. Figure 1.3.8 depicts a typical password expiry email alert.
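The reminder schedule described in the policy is easy to get subtly wrong (calendar months versus fixed day counts, the day of expiry itself), so here is an added example, written for this page and not RRCAT's application, that computes the expiry date and the three reminder dates for one account and reports what a daily job would do on a given day. Two assumptions are made and marked in the code: "six months" is taken as six calendar months after the last change, and "one month prior" as 30 days; the thresholds of 30, 15 and 1 days and the rule that an expired password blocks services but can still be changed follow the policy above. The change date is constructed.

```python
"""Password-expiry reminders for the six-month single sign-on policy.

Added example, not RRCAT's application. Assumptions: six months means six
calendar months after the last change; "one month prior" means 30 days.
"""
import calendar
from datetime import date, timedelta

PASSWORD_LIFETIME_MONTHS = 6
REMINDER_DAYS = (30, 15, 1)        # first, second and third reminder before expiry

# Constructed last-change date for the worked example.
SAMPLE_LAST_CHANGE = date(2011, 7, 6)


def add_months(d, months):
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def expiry_date(last_change):
    """Date on which the password expires if it is not changed."""
    return add_months(last_change, PASSWORD_LIFETIME_MONTHS)


def reminder_schedule(last_change):
    """Dates on which the three reminder mails are sent for one account."""
    expiry = expiry_date(last_change)
    return [expiry - timedelta(days=d) for d in REMINDER_DAYS]


def password_state(last_change, today):
    """State of one account on `today`, as a daily reminder job would see it.

    reminder_days is 30, 15 or 1 on the day that reminder is due, else None.
    Once expired, e-mail and other services are blocked but the password may
    still be changed, so the change-password option stays available.
    """
    expiry = expiry_date(last_change)
    days_left = (expiry - today).days
    expired = days_left <= 0
    reminder = None if expired else next((d for d in REMINDER_DAYS if d == days_left), None)
    return {
        "expiry": expiry,
        "days_left": days_left,
        "reminder_days": reminder,
        "services_blocked": expired,
        "may_change_password": True,
    }


if __name__ == "__main__":
    print("expires:", expiry_date(SAMPLE_LAST_CHANGE))
    print("reminders on:", [d.isoformat() for d in reminder_schedule(SAMPLE_LAST_CHANGE)])
    print(password_state(SAMPLE_LAST_CHANGE, date(2011, 12, 7)))
```

For a password last changed on 6 July 2011 the expiry date is 6 January 2012 and the reminders go out on 7 December, 22 December and 5 January. Because the job matches `days_left` exactly, it must run once every day; a job that skips a day silently drops that reminder, which is the failure mode to watch for in production.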

Fig. 1.3.7: Unlock email account page

application has been developed which empowers users to unlock their accounts without the email administrator's intervention. The users then have to prune the account till 4:00 AM on the next day and bring the account disk usage within limits. After that the account starts to operate normally. The application uses the concept of allowing a temporary increase in user quota for a defined period. To avoid misuse, necessary checks have been incorporated in the application. The application has been deployed on the mail server and is only accessible after successful authentication. Figure 1.3.7 depicts the webpage of this application.
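The temporary-quota idea behind the unlock application is shown below as an added example written for this page, not RRCAT's code. The page states only that the account is unlocked, must be brought within limits by 4:00 AM the next day and that checks against misuse exist; the 150% temporary headroom, the one-grant-per-lock rule, the refusal when usage exceeds even the temporary quota, and the in-memory account table are assumptions of this example. Usage figures and times are constructed.

```python
"""Self-service unlock of an over-quota mailbox with a temporary quota grant.

Added example, not RRCAT's application. The grace factor, the
one-grant-per-lock rule and the account table are assumptions.
"""
from datetime import datetime, timedelta

RESET_HOUR = 4          # page: prune the mailbox till 4:00 AM on the next day
GRACE_FACTOR = 1.5      # assumption: temporary quota = 150% of the fixed quota
MB = 1024 * 1024

# Constructed clock values for the worked example.
DEMO_NOW = datetime(2012, 1, 5, 15, 0)           # user clicks "unlock" mid-afternoon
DEMO_NEXT_MORNING = datetime(2012, 1, 6, 5, 0)   # nightly enforcement after the deadline


def grace_deadline(now):
    """4:00 AM on the calendar day after `now`."""
    next_day = now.date() + timedelta(days=1)
    return datetime.combine(next_day, datetime.min.time()).replace(hour=RESET_HOUR)


class QuotaUnlocker:
    def __init__(self, quota_bytes):
        self.quota = quota_bytes
        # uid -> {"usage": bytes, "locked": bool, "grace_until": datetime|None, "grace_used": bool}
        self.accounts = {}

    def add_account(self, uid, usage):
        self.accounts[uid] = {"usage": usage, "locked": usage > self.quota,
                              "grace_until": None, "grace_used": False}

    def effective_quota(self, uid, now):
        """Fixed quota, or the temporary quota while a grace period is active."""
        acct = self.accounts[uid]
        if acct["grace_until"] and now < acct["grace_until"]:
            return int(self.quota * GRACE_FACTOR)
        return self.quota

    def unlock(self, authenticated_uid, now):
        """Self-service unlock; the web application authenticates the user first.

        Misuse checks: only a locked account can be unlocked, each lock event
        gets at most one grace period, and the grant is refused when the
        mailbox would still be over the temporary quota.
        """
        acct = self.accounts[authenticated_uid]
        if not acct["locked"]:
            return "not locked"
        if acct["grace_used"]:
            return "refused: temporary quota already granted for this lock"
        if acct["usage"] > int(self.quota * GRACE_FACTOR):
            return "refused: usage exceeds even the temporary quota"
        acct.update(locked=False, grace_until=grace_deadline(now), grace_used=True)
        return "unlocked until " + acct["grace_until"].isoformat(sep=" ")

    def enforce(self, uid, usage, now):
        """Nightly check: after the deadline, re-lock if still over the fixed quota.

        Returns the account's locked state. A re-locked account has spent its
        grace period, so the administrator has to intervene from here on.
        """
        acct = self.accounts[uid]
        acct["usage"] = usage
        if acct["grace_until"] and now >= acct["grace_until"]:
            acct["grace_until"] = None
            if usage > self.quota:
                acct["locked"] = True
            else:
                acct["locked"] = False
                acct["grace_used"] = False   # clean slate for a future overquota event
        return acct["locked"]


if __name__ == "__main__":
    u = QuotaUnlocker(100 * MB)
    u.add_account("dave", 120 * MB)
    print(u.unlock("dave", DEMO_NOW))
    print("still locked after deadline:", u.enforce("dave", 120 * MB, DEMO_NEXT_MORNING))
```

The two checks worth keeping in any real deployment are the ones in `unlock`: without the one-grant-per-lock rule a user could keep re-unlocking indefinitely and the quota would be meaningless, and without the upper bound a mailbox far over quota would be unlocked only to be locked again on the next delivery.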

[Figure 1.3.8 residue: a sample password-expiry e-mail with Subject, From, To and Priority headers, the notice that the account password will expire in a given number of days, a link to the password change page and the note that the password can be changed even after expiration; the exact text is not recoverable from the scan.]

Figure 1.3.8: Password expiry reminder alert

Figure 1.3.10: User's hourly Internet access statistics

In order to monitor the performance of the squid servers, Multi Router Traffic Grapher (MRTG) has been configured. Figure 1.3.11 depicts the daily graph generated for HTTP Hits/Requests being served by the four proxy server processes running on a server. Figure 1.3.12 depicts typical graphs showing server traffic on the four proxy processes after the new setup deployment.



Figure 1.3.11: HTTP Hits/Requests statistics per squid process in a server


Figure 1.3.12: Traffic In/Out statistics per squid process in a server

C) Commissioning of Virtual Private Network (VPN) setup for temporary access of XRD beam line (BL12) setup at Indus-2 over Internet:

VPN connectivity at RRCAT has been implemented for providing remote connectivity to RRCATNet resources over the Internet. The VPN setup was used to provide VPN connectivity to the PC on which a Linux based software "SPEC" from M/s. Certified Scientific Software, Cambridge, MA, is installed. This software is being used on the XRD beam line (BL12) at Indus-2. The VPN connectivity was provided to enable the vendor to upgrade the software remotely over the Internet and to test its working with the new x-ray detector module.

D) Network threat analysis setup enhancements:

The network threat analysis setup is helpful in analyzing network traffic and detecting intrusion attempts, including zero day attacks and virus attacks on a network. The existing network threat analysis setup at RRCAT was upgraded to 64 bit Open Source Security Information Management (OSSIM version 3.1), offered as Open Source Software by AlienVault. All existing servers and other network resources were migrated and new additional network servers and switch resources were added. After the recent additions, the total number of network assets being monitored for their availability is 135, which includes all network servers, switches and routers. Figure 1.3.13 illustrates the network assets availability status page after addition of the assets.

Fig. 1.3.13: Network assets availability status page

E) Commissioning of a new firewall on Anunet and DAEGRID networks:

A new firewall (model: Fortinet FG-3016B) was commissioned to act as a firewall between the RRCAT Intranet, DAEGrid and Anunet networks. The new firewall was used to replace the old firewall (model: Fortinet FG-SODA). The new firewall has provision for more 1 Gbps optical fiber and 1 Gbps Ethernet interfaces, which will be used for future expansion of the Anunet/DAEGrid network. All configurations related to failover operations of DAE Extranet connectivity based on multiple links, including the NKN, DAEgrid and Anunet links, have been completed.

F) Expansion of communication network:

A remote shelf of the Laboratory area telephone exchange was commissioned at SCRF Lab, to provide voice communication facility to new buildings. This has increased the existing capacity of the telephone exchange by 448 more lines, to a new total of 1886 lines. One MDF (Main Distribution Frame) of 800 pair capacity was installed for distribution of the additional telephone lines. The laboratory area telephone exchange and residential area telephone exchanges were upgraded to the new OMNI PCX operating system Release 9.1. One VoIP (Voice over Internet Protocol) card was installed in the laboratory area telephone exchange for providing VoIP services. New telephone connections were provided at various locations, including 5 in SCRF building, 9 in R&DG Block and 5 in Ferrite Lab buildings. 42 telephone connections were provided at other locations as per user requirements. 22 new digital phones were provided and 31 new Digital Reflex Phones with voice mail facility were installed. Figure 1.3.14 shows the view of the remote shelf installed at SCRF building. Figure 1.3.15 shows the view of the MDF commissioned at SCRF building.

Fig. 1.3.14: Remote shelf installed at SCRF building

Fig. 1.3.15: MDF commissioned at SCRF building

G) RRCATNet Planning, Expansion and Upgradation:

Phase-V related Optical Fiber Cable (OFC termination) work was completed. Commissioning of the 80 port SCRF building network, 72 port PG Hostel network and 48 port RTS Hostel building network was completed. The Ferrite Lab building network of 12 points was connected to RRCATNet using OFC. Rack installation and rack end termination work at the Fire Station Extension building was completed. In LFL, 24 newly laid network points have been connected and commissioned. In the MIA building, a 24-port switch was replaced with a 48-port switch and newly laid points were commissioned. 05 new points were commissioned in the Indus-1 building for ISU users. A 10 Mbps connectivity was provided in the new Civil Maintenance building. A total of 105 new network points were added to RRCATNet. To strengthen the power backup setup at the IT building, the 200 KVA UPS setup was interconnected with the 80 KVA UPS setup to provide a redundant main supply feed in case of main supply failures.

Reported by: S. S. Tomar ([email protected]) and Anil Rawat

1.4: Development in Library & Information Resources at RRCAT

A) Institutional Publications Productivity

A quantitative analysis of publications written by Scientists and Engineers of RRCAT and their citations was carried out in September 2011. 'Web of Science', an online citation database, was searched to identify the number of publications of RRCAT. It was found that a total of 1725 papers have been published since 1987 and these papers have been cited 11038 times. The earliest publication from RRCAT was in the year 1987. Publications have grown steadily over the last twenty four years. It was found that the highest number of papers (172) were published in the year 2010.

During the period 1987-2011, the average number of citations per paper as per the database is 6.40. Table 1.4.1 & Figure 1.4.1 show the year-wise number of publications and citations.

[Table 1.4.1 residue: columns Year, Number of Publications, Number of Citations and Average Citations/Pub., one row per year from 1987 to 2011 (2011 till September only) and a Total row; the individual values are not recoverable from the scan.]

Table 1.4.1: Year-wise Distribution of Publications and Citations of RRCAT
