Digital Certificate Service SLA 2017/19

1. General Overview

This is a Service Level Agreement (SLA) between the campus community and the Information Technology Services Division (ITS) to document:

  • The ITS Digital Certificate Service
  • The general levels of response, availability, and maintenance associated with this service
  • The responsibilities of ITS as a provider of this service
  • The responsibilities of the clients receiving this service
  • Deviations from the standard processes documented in the ITS and Campus SLA.

This Agreement is valid from July 2017. Review is every two years, or as otherwise needed.

2. Service Description

ITS documents services provided in the ITS service catalog (http://its.ucsc.edu/services/).
The direct link for the ITS Digital Certificate Service is http://its.ucsc.edu/certificates/.

2.1 Service Scope

ITS currently provides two types of digital certificates through the Digital Certificate Service: X.509 certificates for SSL servers and code-signing.

SSL/X.509 certificates are commonly used to encrypt web traffic. They are used to confirm identity, secure communications between parties, and ensure integrity of transmissions.

Code-signing certificates are used to identify the publisher of software (in this case, UC Santa Cruz) and to confirm the integrity of software by verifying that it has not been modified since it was signed.

Additional information about both types of certificates is available on the Digital Certificate Service pages at http://its.ucsc.edu/certificates/.

ITS Digital Certificate Service features include:

  • Order, revoke, renew, replace digital certificates at no charge to the requesting unit.

In addition, ITS provides infrastructure, people, and processes including:

  • Escalated support services
  • Web access to the InCommon Certificate Manager (CM)
  • Department Registration Authority Officers (DRAO) handle division/departmental certificate needs
  • Registration Authority Officers (RAO) handle campus certificate needs overall, and in particular those divisions/departments who do not have an assigned DRAO
  • Service Manager facilitates the ITS Certificate Service and planned service expansion/improvement, as well as the InCommon Certificate Subscription
  • Digital Certificate Policy (http://policy.ucsc.edu/policies/its/it0006.html)
  • Business Continuity if an outage occurs with InCommon and/or contracted Certificate Authorities (CA)

2.1.1 User Requirements

  • Adherence to the Digital Certificate Policy (http://policy.ucsc.edu/policies/its/it0006.html)
  • Only specifically identified, authorized and trained DRAOs and RAOs may order certificates through this service.
    • DRAOs are nominated by any campus employee, concurred by nominee’s Supervisor, approved by Service Manager
    • RAOs are nominated by Service Manager, concurred by nominee’s supervisor, approved by Service Steward
    • All DRAOs and RAOs receive training prior to obtaining access to the Certificate Manager

2.1.2 Boundaries of Service Features and Functions

  • Digital certificates through this service are available to members of the UCSC community for UCSC-related business, education and research purposes
    • Verification of university business purposes is required
    • Code-signing certificates are only available to UCSC faculty and administrative staff
  • Host names in the ucsc.edu domain must be approved by University Relations Communications and Marketing and granted via ITS Domain Name System (DNS) service request before digital certificates are requested. Host names in divisional sub-domains (example: host.xyz.ucsc.edu) are issued by divisional IT staff.

2.2 Service Level Performance

2.2.1 General Service Levels

  • Support response time for this service falls under the ITS and Campus SLA.  

2.2.2 Specific Service Levels

  • SSL/X.509 certificates and domains are available within three to five business days from submission of a request
  • Code-signing certificates may take up to 10 business days.
  • A new DRAO request may take up to two business weeks to complete.

3. Roles and Responsibilities

3.1 Parties

The following Service Owner(s) will be used as the basis of the Agreement and represent the primary stakeholders associated with this SLA:

Stakeholder

Title/Role

Contact Information

Lisa Gardner Service Manager gardnerl@ucsc.edu

Hilary Hamm
George Holbert
Scott Hovey

Campus Registration Authority Officers (RAO)
(see http://www.incommon.org/roles.html)
its-certificate-group@ucsc.edu
Various Department Registration Authority Officers (DRAO) see http://its.ucsc.edu/certificates/request-service.html#drao
Various ITS Divisional Liaisons http://its.ucsc.edu/get-help/dls.html
Byron Walker Service Sponsor, InCommon Executive btwalker@ucsc.edu

3.2 ITS Responsibilities

ITS will provide the infrastructure, technology, people, processes and monitoring tools necessary for the Digital Certificate Service and:

  • Clearly document services provided in the ITS Service Catalog and other documentation
  • Meet response times associated with the priority assigned to incidents and service requests
  • Generate and publish reports on service performance (see Sec 8.1)
  • Manage the service, including prioritizing and implementing service changes and improvements
  • The VC IT is responsible for UCSC’s subscription to InCommon

3.3 RAO and DRAO Responsibilities

RAO and DRAO responsibilities and/or requirements in support of this Agreement include (in addition to the Campus SLA):

  • Adhere to the Digital Certificate Policy and review certificate requests for appropriateness and compliance with the Policy (http://policy.ucsc.edu/policies/its/it0006.html)
  • Meet response times associated with the priority assigned to incidents and service requests.
  • Subscribe to the InCommon mailing list, cert-users@incommon.org, for service-related notifications and knowledge sharing
  • Utilize the Support Center/IT Request for Incidents, including requests for additions or changes to the service: itrequest.ucsc.edu
  • Utilize the Support Center/IT Request for Service Requests (required for code-signing certificates; recommended, not required for SSL/X.509 certificates)
  • Attend required training events
  • Specific RAO Responsibilities:
    • Manage the InCommon Certificate Manager configuration
    • Create accounts and reset passwords for DRAOs
    • Approve new top-level domains
    • Provide technical assistance related to the InCommon certificate service
    • Annual audit and validation of RAO and DRAO accounts
    • Annual review of certificate names

3.4 Customer Responsibilities

Customer responsibilities and/or requirements in support of this Agreement include (in addition to the Campus SLA):

4. Requesting Service

See the ITS and Campus SLA for standard methods of contacting ITS for service.

5. Hours of Coverage, Response Times and Escalation

For all requests, the ITS goal is to have a staff member assigned and acknowledge requests within 4 business hours of receipt. Campus priorities may require exceptions to this goal during certain times of the Academic year.

5.1 Hours of Coverage

Digital Certificate Service is provided 8AM - 5PM, Monday - Friday except for holidays, campus closure, and periods of planned maintenance.

5.2 Incident Response, Prioritization, Service Request, Escalation, Information

See the ITS and Campus SLA.

5.3 Other Requests

Requests for service features and functions not yet implemented can be submitted though IT request or directly to its-certificate-group@ucsc.edu

6. Maintenance and Service Changes

Maintenance windows for the Digital Certificate Service are determined by InCommon (the underlying service provider) and/or the issuing Certificate Authority. Announcements are made via the InCommon certificate email list, to which RAOs and DRAOs are required to subscribe. Current vendor-defined maintenance windows are Wednesdays from 11-11:30 PM and Saturdays from 3:59-4:30 PM and are included on the ITS Maintenance Calendar. Please contact the its-certificate-group@ucsc.edu for additional information or if you would like to subscribe to the InCommon certificate email list.

7. Pricing

Digital certificates ordered through this service are at no charge to the requester. The service is sponsored and funded through the office of the Vice Chancellor, Information Technology (VC IT).

Certificates ordered outside of this service require special approval and are subject to the fees of the issuing Certificate Authority. Please see the Digital Certificate Policy for additional information (http://policy.ucsc.edu/policies/its/it0006.html).

8. Review and Reporting

8.1 Service Performance and Availability Reporting

Service performance and availability reports will be published for review.

  • Quarterly metrics by division/department for quantities of certificates ordered, issued, renewed, revoked
  • Support response time will be tracked and reported separately as part of the ITS and Campus SLA.

8.2 SLA Reviews

The Designated Review Owner (“Document Owner”), below, is responsible for facilitating regular reviews of this document. Contents of this document may be amended as required, provided mutual agreement is obtained from the primary stakeholders and communicated to all affected parties. The Document Owner will incorporate all subsequent revisions and obtain mutual agreements / approvals as required.

Designated Review Owner: Lisa Gardner, ITS Applications and Project Management
Initial Review Date: July 2017
Next Review Date: July 2019

This Agreement will be posted to the following location and will be made accessible to all stakeholders:

Document Location: http://its.ucsc.edu/sla/

9. Approvals

The Divisional Liaisons and ITS Senior Managers approve this document. This document is then published on the ITS Service Catalog web site along with other service level agreements. Service level information is integrated into the service page in the ITS Service Catalog.

10. Revision History

7/2013 - Lisa Gardner, Julie Goldstein - Initial Draft

7/30/13 - Julie Goldstein - Revisions based on Service Team input

9/3/13 - Julie Goldstein - Final revisions based on Service Team and Service Sponsor input. SLA ready to move into campus approval process.

12/2013 - Julie Goldstein - Added vendor-defined maintenance windows to Sec 6; Minor tweak to Sec 7 to keep SLA in sync with draft policy (removed reference to policy exceptions).

6/2015 - RAO and Service Team review. Added information about code-signing certificates, expanded identified RAO responsibilities, clarified approver/issuer of host names, removed “annual number of approved domains” from list of metrics, added Wikipedia links, additional minor clarifications.

3/2016 - Julie Goldstein - Updated Service Manager, RAOs, and Designated Review Owner

-----