DAIS - Digital Archive of the Serbian Academy of Sciences and Arts: Security: Difference between revisions

From TRAP-RCUB

Line 36: Line 36:
Two external applications ([[Ellena/en-gb|Ellena]] and [[NomadLite]]) for repository managers require authentication and authorization. In order to be able to use these applications, users must be registered in the repository. Passwords and permissions are assigned by the DAIS Administrator & RCUB user support coordinator in the Ellena Dashboard. Passwords are encrypted using the SHA-512 hashing algorithm. The same credentials are used to log in to Ellena and NomadLite. Authentication in these applications is independent from that in the repository.
Two external applications ([[Ellena/en-gb|Ellena]] and [[NomadLite]]) for repository managers require authentication and authorization. In order to be able to use these applications, users must be registered in the repository. Passwords and permissions are assigned by the DAIS Administrator & RCUB user support coordinator in the Ellena Dashboard. Passwords are encrypted using the SHA-512 hashing algorithm. The same credentials are used to log in to Ellena and NomadLite. Authentication in these applications is independent from that in the repository.


Password handling is guided by the Terms of use and standard institutional policies applying to credentials for services (e.g. institutional e-mail, intranet, subscribed services, etc.). The credentials for the service backend, project management system and documentation, Git server and back-up facilities are managed in line with the internal document "Guidelines for Employees" (UP 101), adopted by RCUB. Passwords, authorization procedures, access to services, and related security measures are addressed in Article 3.10 of this document.
Password handling is guided by the [[DAIS - Digital Archive of the Serbian Academy of Sciences and Arts: Terms of Service|Terms of use]] and standard institutional policies applying to credentials for services (e.g. institutional e-mail, intranet, subscribed services, etc.). The credentials for the service backend, project management system and documentation, Git server and back-up facilities are managed in line with the internal document "Guidelines for Employees" (UP 101), adopted by RCUB. Passwords, authorization procedures, access to services, and related security measures are defined in Article 3.10 of this document.
== Hardware security ==
== Hardware security ==
Hardware security is ensured based on a SLA between SASA and RCUB. The computer hardware that runs the repository is the property of RCUB. A dedicated team at RCUB takes care of the configuration, maintenance, security, software updates and development. RCUB has a dedicated team responsible for infrastructure security. RCUB security officers are responsible for general network security, server security, and service maintenance and they collaborate closely with the repository development team. Servers and network devices are kept in a dedicated area with physical access strictly limited to authorized staff. Access to the backup facilities is strictly limited access. The premises are equipped with fire alarms and a fire retardant system. Uninterrupted power supply is ensured by means of an automatic stand-by electric power generator.
Hardware security is ensured based on a SLA between SASA and RCUB. The computer hardware that runs the repository is the property of RCUB. A dedicated team at RCUB takes care of the configuration, maintenance, security, software updates and development. RCUB has a dedicated team responsible for infrastructure security. RCUB security officers are responsible for general network security, server security, and service maintenance and they collaborate closely with the repository development team. Servers and network devices are kept in a dedicated area with physical access strictly limited to authorized staff. Access to the backup facilities is strictly limited access. The premises are equipped with fire alarms and a fire retardant system. Uninterrupted power supply is ensured by means of an automatic stand-by electric power generator.
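
Review bot: the new wording "defined in Article 3.10 of this document" at the end of the password-handling paragraph makes the internal "Guidelines for Employees" (UP 101) the authoritative source for password and authorization rules, but unlike the Terms of use, which this edit links, the page offers no link to it or summary of it. Consider adding one sentence on what Article 3.10 requires, or stating how the document can be obtained. The unchanged context in this hunk still reads "Passwords are encrypted using the SHA-512 hashing algorithm", which mixes up hashing and encryption, and "Access to the backup facilities is strictly limited access", which repeats a word; both could be tidied in the same revision.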

Revision as of 11:14, 12 June 2022

This public wiki is about the DAIS – Digital Archive of the Serbian Academy of Sciences and Arts

Operational continuity and disaster recovery

DAIS is hosted by the University of Belgrade Computer Centre (RCUB) on a virtual machine in a Proxmox environment, running the CentOS operating system. Hardware resources are incrementally adjusted to the database size and the number of visitors. The repository database is stored on a PostgreSQL 9.5 server inside the production-level virtual machine. Database export is enabled.

The software platform of DAIS is based on DSpace 5.10. To facilitate DSpace upgrades, the core DSpace code and Java code have not been modified. Major modifications have been made to the configuration, localization files and the XMLUI configuration. The system has been enriched with additional applications (displaying citation counts from the Web of Science, Scopus, Dimensions and Altmetric Attention Scores; displaying recommended citation; full ORCID integration; displaying human-readable funding information in the selected interface language). The source code of the customized version of DSpace and all additional applications is stored on a local Git server accessible only to the repository development team. Detailed documentation about software, installation, configuration, maintenance, and troubleshooting is available on Confluence. This enables easy replication of procedures and ensures continuity in case of staff changes.

Backups are regularly performed at the virtual machine level. Both live instances and their passive backups reside on hardware-enabled and redundant RAID setups. The monitoring and alerting service MONIT, maintained by the RCUB team, constantly monitors the operation of the repository and sends alerts to system administrators in case of unexpected events.

Local firewall tools, such as iptables and Fail2ban, are used to protect and restrict access to the DAIS instance.

Only authorized and authenticated users have access to the submission module.

The repository follows a regular upgrade cycle and, where possible, existing and widely accepted best practices.

In case of major software configuration changes or updates, the virtual machine is cloned and all changes are tested on the clone. Before any intervention on the production machine, a snapshot is created in the virtualization system, to enable roll-back and prevent data loss. End-users are duly informed about planned changes and upgrades.

Authentication and authorization

DAIS uses the Authentication by Password method, that is, the e-mail address and password log-in supported by DSpace. Users can register themselves without needing approval from the administrators, and can set their own passwords upon registration. DSpace supports multiple authentication methods. If a need arises, the authentication method in DAIS could be changed to ensure greater security.

Plain-text passwords are hashed using the SHA-512 algorithm. Passwords must be at least six characters long, and users are encouraged to use strong passwords. A password change may be prompted by the repository manager. When resetting a password, the user is sent an e-mail containing a special link they can follow to choose a new password. Users can also launch the password change procedure themselves from the login page.

Users are not members of any special user groups upon registration, which means that they can access only publicly available features even when logged in. In order to authorize users to deposit content in a particular collection and access restricted content, the repository manager must first create appropriate user groups and then assign users to particular user groups. The repository managers will check the eligibility of registered users (institutional affiliation) and will remove (delete) from the system those who are not eligible.

Two external applications (Ellena and NomadLite) for repository managers require authentication and authorization. In order to be able to use these applications, users must be registered in the repository. Passwords and permissions are assigned by the DAIS Administrator & RCUB user support coordinator in the Ellena Dashboard. Passwords are hashed using the SHA-512 algorithm. The same credentials are used to log in to Ellena and NomadLite. Authentication in these applications is independent from that in the repository.

Password handling is guided by the Terms of use and standard institutional policies applying to credentials for services (e.g. institutional e-mail, intranet, subscribed services, etc.). The credentials for the service backend, project management system and documentation, Git server and back-up facilities are managed in line with the internal document "Guidelines for Employees" (UP 101), adopted by RCUB. Passwords, authorization procedures, access to services, and related security measures are defined in Article 3.10 of this document.

Hardware security

Hardware security is ensured based on an SLA between SASA and RCUB. The computer hardware that runs the repository is the property of RCUB. A dedicated team at RCUB takes care of the configuration, maintenance, security, software updates and development. RCUB has a dedicated team responsible for infrastructure security. RCUB security officers are responsible for general network security, server security, and service maintenance, and they collaborate closely with the repository development team. Servers and network devices are kept in a dedicated area with physical access strictly limited to authorized staff. Access to the backup facilities is strictly limited. The premises are equipped with fire alarms and a fire-retardant system. Uninterrupted power supply is ensured by means of an automatic stand-by electric power generator.

Dedicated staff members are physically present on the premises 24/7. Remote security services are also provided.