Planning for Issuing eTokens in Northern Virginia
Conference call, 9:30-11:00am August 10, 2009
Attendees:
- Nick Stone, Deputy Director, National Capital Region Operations
- David Trauger, Associate Dean of Graduate Education in the NCR
- Justin Davenport, Director of Information Services, NCR
- Marija Telbis-Forster, Director of Graduate Student Services Office, NCR
- Denise Orden, Associate Director of Operations, NCR
- Frank Galligan, Project Manager, eProvisioning, SETI
- Ismael Alaoui, Computer Security Analyst, eProvisioning, SETI
- Karen Herrington, Director, Identity Management Services
- Pat Rodgers, Director of Business Technologies, CNS
- Mary Dunker, Director, Secure Enterprise Technology Initiatives
Agenda:
- Introductions
- Brief description of Graduate School project + timeline
- Equipment and eToken delivery to NCR
- Token Administration System (TAS) Roles
- TAS setup for laptops
- Training plans
- Other topics as needed
Notes:
- Introductions: The participants introduced themselves and described their roles relative to the distribution of eTokens in the NCR.
- Brief description of Graduate School project + timeline: Mary described her December 2008 meeting with Karen DePauw where Karen shared the Graduate School's plans to create an application (with workflow) that would use personal digital certificates (PDCs) to facilitate online signature/approval for many of the forms now posted on the Graduate School web site. PDCs on eTokens were already available to university employees with the proper affiliations, but they were only being distributed at the Blacksburg campus. The Graduate School application would require that eTokens be issued to employees in Northern Virginia (NCR). Estimated timeline for the Graduate School's application: Fall semester, 2009. Erv Blyth contacted Jim Bohland about providing the PDC/eToken issuing service. Jim designated Nick Stone to work with Mary Dunker to coordinate.
- Equipment and eToken delivery to NCR: Laptops, monitors and scanners have already been ordered and delivered to Falls Church and Alexandria. 200 eTokens will be manually recorded as they are removed from the Blacksburg inventory at Student Network Services. The eTokens will be picked up by David Trauger when he visits Student Network Services to obtain his PDC and eToken on August 17. Carol Cornish will call David to set up an appointment for his eToken to be issued and for him to review the issuance process from the perspective of the TAS Registration Authority Administrator (RAA) and Certification Authority Administrator (CAA). The issuance process is documented in the TAS Administrator's manual.
- Token Administration System (TAS) Roles: The TAS system requires that individuals be authorized to perform RAA and CAA roles. The authorization is done by IMS, with Karen Herrington as contact. Mary will send an e-mail to the NCR people with information that needs to be sent to Karen in order to authorize the RAA and CAA. David and Nick will serve as the initial "bootstrap" RAA and CAA. They, in turn, will issue PDCs on eTokens to the other RAAs and CAAs. At least 2 individuals are required at each location, with additional backup personnel preferred.
- TAS setup for laptops: The Windows system administrator -- one of Justin Davenport's staff -- will need to install an Oracle client, the eToken client software and the Token Administration System (TAS). Installation documentation is provided on this wiki. Mary will ensure that everyone on today's call has access to the wiki. Other people who need access to the documentation can be authorized, or the documentation can be downloaded/printed as needed.
- Training plans: Once David has his eToken, we will set a date for training. Discussion of the need for face-to-face training ensued. We will try to train remotely, via conference call, using the TAS Administrator documentation.
- Other topics as needed: The group reviewed the list of tasks from the Project Initiation Form. User support can be obtained from 4Help at www.4Help.vt.edu, but many in the NCR are accustomed to contacting their local user support. Either procedure is fine, as an incident can always be opened with 4Help if the NCR support personnel need assistance. 4Help routes eToken questions they cannot answer to the eProvisioning team. Relative to coordinating eToken issuance with the Hokie Passport office operations on September 14-15, Hokie Passport staff will be in the Falls Church location, not Alexandria. Nick and David will work out how/when to issue the eTokens in Alexandria. We will still use September 14 as the target date for the NCR to be fully operational with issuing the PDCs on eTokens. TAS will be revised to improve usability with recording the 2 forms of photo ID, but this will not be ready by September 14. The current version will work, but the RAA will need to record one of the IDs in the "comment" field if a person does not have a Hokie Passport.
Concern was expressed that some adjunct faculty members may not have one of the appropriate affiliations (vt-employee-state, vt-employee-wage, vt-student-wage) to receive a PDC on an eToken. By examining the list of people who need to use the Graduate School's new application, IMS can check their affiliations and determine whether or not this will be an issue. Options for resolving the eligibility issue include:
- Department can hire the person in a way that will result in an eligible affiliation
- The Virginia Tech PKI Policy Management Authority could agree to change the policy regarding VT PDC eligibility
- Graduate School's application can accommodate the ineligible people using a method that does not require a VT PDC
Question: What kinds of problems might be anticipated?
Answer: People can forget their passwords, and may lose their eTokens or forget to bring them when needed. For password resets, the only option currently is to physically bring the eToken to the RAA or CAA to reset the password. Future plans for remote password reset procedures have been discussed and will be pursued as resources are available to work on another project. If an eToken is lost, the subscriber can obtain another, following the same procedure as for the original issuance. The PDC on the old one will be revoked when the PDC on the new eToken is issued.
Question: Does the eToken software work with Windows 7?
Answer: Windows 7 is not yet supported by the vendor, but chances are it will work. More testing needs to be done for Windows 7.
Question: Who should sign the project initiation form?
Answer: David and Nick will be requestors. Mary will find out who should be the approver(s).
Action items:
- David will send the list of people who need eTokens.
- Mary will request wiki access for the people who participated in today's call.
- Mary will send e-mail to David and Nick describing how to request Oracle and TAS authorization from IMS (Karen Herrington's office).