DAIS - Digital Archive of the Serbian Academy of Sciences and Arts: Security: Difference between revisions

This public wiki is about the DAIS – Digital Archive of the Serbian Academy of Sciences and Arts

See also:

• Mission
• General information
• Organization scheme
• Workflows
• Metadata
• Item lifecycle
• Preservation plan
• Terms of Service
• Helpdesk

Technology

DAIS is hosted by the University of Belgrade Computer Centre (RCUB) on a virtual machine in a Proxmox environment under a CentOS operating system. The repository database is stored on a PostgreSQL 9.5 server inside the production-level virtual machine. Database export is enabled.

The software platform of DAIS is based on the open-source software DSpace 5.10. The core DSpace code and Java code have not been modified, to facilitate the implementation of DSpace patches, updates, and upgrades. Major modifications have been made to the configuration, localization files and the XMLUI configuration. The system has been enriched with additional applications (displaying citation counts from the Web of Science, Scopus, Dimensions and Altmetric Attention Scores; displaying recommended citation; full ORCID integration; displaying human-readable funding information in the selected interface language). The customized version of DSpace and a set of additional applications are part of the software and workflow package developed by RCUB for setting up institutional repositories. Thirty institutional repositories have been developed using this package. The implementation is guided by the Policy for Transparent Access to Research Infrastructures at the Computer Centre of the University of Belgrade: TRAP-RCUB IT solution and organizational model for the implementation of institutional or thematic repositories.

The source code of the customized version of DSpace and all additional applications is not open source. It is stored on a local Git server accessible only to the repository development team. Detailed documentation about software, installation, configuration, maintenance, and troubleshooting available on Confluence and Jira is accessible only to the development team. This documentation enables easy replication of procedures and ensures continuity in case of staff changes.

The following main procedures are covered in the documentation:

• setting up the vitural machine
• setting up DSpace using the customized installation package stored on the internal Git server
• customizing the iterface design
• setting up the e-mail for the feedback form and registration alerts
• setting up APIs enabling integration with ORCID, Scopus, Web of Science, Dimensions and Altmetric
• installing additionall applications (APP, Ellena, NomadLite, RM)
• ingesting metadata and data (only in case curated metadata and data are available for import or harvesting)
• PID assignment
• migration to the production environment
• setting up service monitoring procedures
• testing according to a checklist
• preparing and uploading a stadardized repository policy
• defining a standard set od collections and user groups in DSpace
• unblocking robot.txt to enable indexing by search engines
• registering the repository with OpenDOAR, ROAR, BASE, CORE, and OpenAIRE
• setting up and launching the initial harvesting by WorldCat; defining the harvesting interval.

Backup and monitoring

Backups are regularly performed at the virtual machine level. Both live instances and their passive backups reside on hardware-enabled and redundant RAID setups. The monitoring and alerting service MONIT, maintained by the RCUB team, constantly monitors the operation of the repository and sends alerts to system administrators in case of unexpected events. RCUB also performs regular traffic monitoring.

The repository follows a regular upgrade cycle and, where possible, existing and widely accepted best practices.

In case of major software configuration changes or updates, the virtual machine is cloned and all changes are tested on the clone. Before any intervention on the production machine, a snapshot is created in the virtualization system, to enable roll-back and prevent data loss. End-users are duly informed about planned changes and upgrades.

Software Security

Local firewall appliances, such as Iptables and Fail2ban, are used to protect and restrict access to the DAIS instance.

Only authorized and authenticated users have access to the submission module.

Authentication and authorization

DAIS uses the Authentication by Password method, using the e-mail address/password-based log-in supported by DSpace. Users can register themselves without needing approval from the administrators, and can set their own passwords upon registration. DSpace supports multiple authentication methods. If a need arises, the authentication method in DAIS could be changed to ensure greater security.

Plain-text passwords are encrypted using the SHA-512 hashing algorithm. Passwords must be at least six characters long, and users are encouraged to use strong passwords. Password change may be prompted by the repository manager. When resetting a password the user will be sent an email containing a special link they can follow to choose a new password. The password change procedure can be launched by users, from the login page.

Users are not members of any special user groups upon registration, which means that they can access only publicly available features even when logged in. In order to authorize users to deposit content in a particular collection and access restricted content, the repository manager must first create appropriate user groups and then assign users to particular user groups. The repository managers will check the eligibility of registered users (institutional affiliation) and will remove (delete) from the system those who are not eligible.

Two external applications (Ellena and NomadLite) for repository managers require authentication and authorization. In order to be able to use these applications, users must be registered in the repository. Passwords and permissions are assigned by the DAIS Administrator & RCUB user support coordinator in the Ellena Dashboard. Passwords are encrypted using the SHA-512 hashing algorithm. The same credentials are used to log in to Ellena and NomadLite. Authentication in these applications is independent from that in the repository.

Password handling is guided by the Terms of Service and standard institutional policies applying to credentials for services (e.g. institutional e-mail, intranet, subscribed services, etc.). The credentials for the service backend, project management system and documentation, Git server and back-up facilities are managed in line with the internal document "Guidelines for Employees" (UP 101), adopted by RCUB. Passwords, authorization procedures, access to services, and related security measures are defined in Article 3.10 of this document.

Hardware ahd hardware security

Hardware resources are incrementally adjusted to the database size and the number of visitors. This is possible thanks to the fact that RCUB relies on the public infrastructure and services provided by the Academic Network of the Republic of Serbia (AMRES). Furthermore, according to the Policy for Transparent Access to Research Infrastructures at the Computer Centre of the University of Belgrade: TRAP-RCUB IT solution and organizational model for the implementation of institutional or thematic repositories (which also applies in the case of DAIS), 15% of the service fee paid by institutions are allocated for equipment purchase.

Hardware security is ensured based on a SLA between SASA and RCUB. The computer hardware that runs the repository is the property of RCUB. A dedicated team at RCUB takes care of the configuration, maintenance, security, software updates and development. RCUB has a dedicated team responsible for infrastructure security. RCUB security officers are responsible for general network security, server security, and service maintenance and they collaborate closely with the repository development team. Servers and network devices are kept in a dedicated area with physical access strictly limited to authorized staff. Access to the backup facilities is strictly limited access. The premises are equipped with fire alarms and a fire retardant system. Uninterrupted power supply is ensured by means of an automatic stand-by electric power generator.

Dedicated staff members are physically present on the premises 24/7. Remote security services are also provided.