technical.tex

\section{Requesting an IPA account}
\label{sec:IPA}

  To request an IPA account, it is required for the user to create a Service Request ticket inside the IT User Support Dashboard.
  Please check the example below.

  Head over to https://rubinobs.atlassian.net/ and log in with your domain account credentials.

\vspace{5 mm}

\begin{figure}
  \includegraphics[width=12cm]{Images/example1.png}
\end{figure}

\vspace{5 mm}

Once logged in the user will be prompted with the following windows if not similar. Before creating the ticket,  it is required for the user to check that he is in the proper dashboard for this particular case the IT Support Dashboard

\vspace{5 mm}

\begin{figure}
  \includegraphics[width=12cm]{Images/example2.png}
\end{figure}

\vspace{40 mm}

On the ticket creation window fill out the template using the information provided below:

\begin{itemize}
  \item Project: IT Helpdesk Support (IHS)
  \item Issue Type: Service Request
  \item Summary: IPA Account Creation / VPN Access - "Insert your name here"
  \item Component: AAA
  \item Description: Please use the template provided below.
\end{itemize}

\vspace{10 mm}

\begin{figure}
  \includegraphics[width=15cm]{Images/example4.png}
\end{figure}

\newpage

Once all the information is filled out, select the Create option located at the bottom to create the ticket inside IHS IT Support Dashboard.

\vspace{10 mm}

\begin{figure}
  \includegraphics[width=13cm]{Images/example3.png}
\end{figure}

\vspace{10 mm}
IT User support will receive the request and will proceed with the account creation process. Once the account has been created and the services have been provisioned IT Support will be in contact with you via email to provide you with the account credentials and services you've been granted access too along with the website where you can change your temporary password.

If you have any questions or concerns regarding the services provisioned please contact IT User Support at rubinobs-it-las@lsst.org


\subsection{Rubin Server Authentication}
\label{sec:SSH}

All  Rubin  Observatory’s  servers  are  set  to  authenticate  through  FreeIPA  and  Asymmetric Cryptography through  Secure  Shell  (ssh),  and all other  mechanisms  are  blocked.  This  means,  all  local accountsand password authentication are not allowed, so once the servers are admitted to IT’s network and infrastructure, all previous local accounts, passwords, permissions, users and groups IDs (uid and gid).

When  a  new user  arrives,  or  a  user  that  does  not  yet  have  credentials, it  is  requested  to  create  a  RIC (Request for IPA Credentials) following the instructions above.

Then,  comes  an important part of the process: setting and creation of the Asymmetric Cryptography, also known as public-key cryptography.

\begin{figure}
  \includegraphics[width=13cm]{Images/example5.png}
\end{figure}

(1) The user presents its private ssh-key, (2) If the primary IPA Server is reachable (ipa1.ls.lsst.org), the
Rubin’s Server (Server A) presents the user’s private key to ipa1, (3) The IPA Server checks against the
common database(among all replicas) if the users exists and matches the private against the stored public
key; if the user exists, it also checks if the group who it belongs has sufficient privileges to access, (4) The
Server fetches the Database information, (5) The IPA Server either grants or denied access to the User’s
Laptop to Server A, (10) The permission granted/denied is send to the User’s Laptop.
If the Primary IPA Server isn’t reachable after timeout, it does the same operation over the failover (red)
Server, following path 6 -> 7 -> 8 -> 9 instead of 2 -> 3 -> 4 -> 5.

\subsubsection{SSH Keys Creation}
\label{sec:SSH:}

Depending on your OS, is the instructions you will need to follow:

\subsubsection{Linux and MacOS}
\label{sec:SSH}

First, log into your local machine, then search and open a terminal window. Once there:

\begin{figure}
  \includegraphics[width=16cm]{Images/example6.png}
\end{figure}

If the John, already has a pair of private/public keys – and for personal reasons don’t want to reuse them –
you can set a new pair by changing the name of the keys and adding a config file, so that the local ssh agent
includes that key as well:

\begin{figure}
  \includegraphics[width=16cm]{Images/example7.png}
\end{figure}

The id rsa file contains your private key, which by no reason must be shared or known by another person, this will not only compromise the integrity of the server but also related user's data, account access etc. On the other hand, the id rsa pub contains the public key, whis is intended to be shared and publicly known.

\newpage
\subsubsection{Windows OS}
\label{sec:SSH}

Windows does not natively have a native ssh mechanism. There are several third-party applications,
designed to satisfy such need, but we are going to use PuTTY9, which is an Open-Source software SSH and
Telnet client \href{https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.74-installer.msi}{Putty Client}.


Once PuTTY is installed, we will use a complementary tool (already installed along with putty) called
PuTTYgen (you can open it by typing it into Windows Search box):

\vspace{5 mm}

\begin{figure}
  \includegraphics[width=13cm]{Images/example8.png}
  \centering
\end{figure}

\newpage

Click on generate:

\begin{figure}
  \includegraphics[width=13cm]{Images/example9.png}
  \centering
\end{figure}

In order to create a random key, you must move the mouse over the surface, so the progress bar moves.
\newpage

Once concluded, you should see something like:

\begin{figure}
  \includegraphics[width=13cm]{Images/example10.png}
  \centering
\end{figure}

\vspace{5 mm}
Now, save both keys into a well-known location. It is recommended (but not needed) to create a folder
named “ssh” in the user’s home directory, so when asked, you can easily find your keys in
“/Users/<username>/ssh/”.
\newpage

The next images will show you how to load the ssh private key in the Pageant app.

\begin{figure}
  \includegraphics[width=10cm]{Images/example17.png}
  \centering
\end{figure}
\vspace{5 mm}

\begin{figure}
  \includegraphics[width=10cm]{Images/example18.png}
  \centering
\end{figure}
\vspace{5 mm}

\begin{figure}
  \includegraphics[width=10cm]{Images/example19.png}
  \centering
\end{figure}
\vspace{5 mm}

\begin{figure}
  \includegraphics[width=10cm]{Images/example20.png}
  \centering
\end{figure}
\vspace{5 mm}

Once you have your private key loaded in the Pageant app, you need to upload your public ssh key to the jira ticket in order for the IT Team to format the ssh keys.

\newpage

\subsubsection{Add Public Key Into IPA}

The IPA infrastructure is composed of a master server and several replicas, meaning that it does
not matter in which one you modified your personal data, it will be propagated over the rest of the nodes.

\vspace{5 mm}

The IPA Topology (Image below) is designed in such way, that in the worst-case scenario, at least one source
of authentication will remain.

\begin{figure}
  \includegraphics[width=13cm]{Images/example11.png}
\end{figure}

The orange arrows represent the DL (Domain Link), meanwhile the blue arrows the CA (Certificate
Authority). The DL keeps the authenticity of the defined domain – i.e. server.local – and the CA is the
responsible of emitting and signing the hosts certificates, to validate their authenticity.

\vspace{5 mm}
\newpage

In order to add your public key into IPA, you must access through any of the http frontends, from either
the replicas or master. Bear in mind that you must be either inside the network or connected through VPN.
Let’s use the BDC (Base Data Center) replica: open a web-browser and navigate to \href{https://ipa1.cp.lsst.org}{IPA Website}.
You should see a welcoming screen:

\begin{figure}
  \includegraphics[width=15cm]{Images/example12.png}
\end{figure}


If it’s the first time you log in, the system will force you to change your password (also if it has expired).
Once successfully logged in the platform, (1) in the upper right corner click your username, (2) profile, and
then (3) Add:


\begin{figure}
  \includegraphics[width=15cm]{Images/example13.png}
\end{figure}

\newpage

A pop-up window will appear, in which you must paste your public key:

\begin{figure}
  \includegraphics[width=15cm]{Images/example14.png}
\end{figure}

If you are importing a key generated with PuTTY, must use only the selected section:

\begin{figure}
  \includegraphics[width=15cm]{Images/example15.png}
\end{figure}

\newpage

If everything was set correctly, click Set, and you will find yourself in the previous window:

\begin{figure}
  \includegraphics[width=16cm]{Images/example16.png}
\end{figure}

(1) A “New:key set” should now appear and in order for the changes to take place, (2) click on Save.

\newpage

\section{Requesting Domain Credentials}
\label{sec:Domain}

To request Domain Account Credentials, it is required that an Onboarding form is filled out by the manager or supervisor in charge at \href{https://project.lsst.org/onboarding/form}{Onboarding Form}. Once the onboarding form is filled out and submitted with the information requested, IT North will process the credentials and will contact the person requesting the access.

\newpage 

\section{Accesing the Rubin Observatory WIFI network}
  \label{sec:WIFI}
  Once the onboarding form is complete and the AUP form is submitted, IT will contact you to hand out your Domain account credentials concluding the onboarding process. These credentials depending on the level of access requested by the manager will give you access to services such as Jira, Confluence, Docushare, Exchange and most importantly the Rubin Observatory WIFI network named "LSST-WAP", this WIFI SSID can be found both at Cerro Pachon and La Serena Base facility.
  \vspace{180 mm}
  \subsection{Android Mobile Device}
  To connect your mobile device to the LSST-WAP wifi network please follow the instructions on the images below. 
  \begin{figure}
    \centering
    \begin{subfigure}{0.4\textwidth}
      \includegraphics[width=\textwidth]{Images/Android1.png}
      \centering
      1.) Select the LSST-WAP WIFI Network from the list.
    \end{subfigure}
      \hfill
    \begin{subfigure}{0.25\textwidth}
      \includegraphics[width=\textwidth]{Images/Android2.png}
      \centering
      2.) Fill out the fields highlighted in red as show on the image.
    \end{subfigure}
  \end{figure}
  \begin{figure}
    \centering
    \begin{subfigure}{0.40\textwidth}
      \includegraphics[width=\textwidth]{Images/Android3.png}
    \end{subfigure}
      \hfill
    \begin{subfigure}{0.40\textwidth}
      \includegraphics[width=\textwidth]{Images/Android4.png}
    \end{subfigure}
  \end{figure}

\newpage
  \subsection{Apple Mobile Device}
  \vspace{20 mm}
  \begin{figure}
    \centering
    \begin{subfigure}{0.30\textwidth}
      \includegraphics[width=\textwidth]{Images/ios1.png}
      \centering
      1.) Select the LSST-WAP WIFI Network from the list.
    \end{subfigure}
      \hfill
    \begin{subfigure}{0.30\textwidth}
      \includegraphics[width=\textwidth]{Images/ios2.png}
      \centering
      2.) Log in with your domain account credentials as shown on the images.
    \end{subfigure}
        \hfill
    \begin{subfigure}{0.30\textwidth}
      \includegraphics[width=\textwidth]{Images/ios3.png}
      \centering
      3.) Accept the certificate and hit on the trust button to connect. 
    \end{subfigure}
  \end{figure} 


\newpage
  
  \subsection{MacOS}
  \vspace{20 mm}
  \begin{figure}
    \centering
    \begin{subfigure}{0.40\textwidth}
      \includegraphics[width=\textwidth]{Images/Mac1.png}
      \centering
      1.) Select the LSST-WAP WIFI Network from the list.
    \end{subfigure}
      \hfill
    \begin{subfigure}{0.40\textwidth}
      \includegraphics[width=\textwidth]{Images/Mac3.png}
      \centering
      2.) Log in with your domain account credentials as shown on the images.
    \end{subfigure}
      \hfill
      \vspace{7mm}
    \begin{subfigure}{0.50\textwidth}
      \includegraphics[width=\textwidth]{Images/Mac4.png}
      \centering
      3.) Accept the certificate and hit continue to connect.
    \end{subfigure}
  \end{figure}

\newpage
  
  \vspace{20mm}
  \subsection{Linux}
  \begin{figure}
    \includegraphics[width=150mm]{Images/Linux2.png}
    \centering 
  \end{figure}

  Use the following network configurations settings to setup the LSST-WAP WIFI Network on Linux laptop computers. 

  \newpage
  \vspace{20mm}
  \subsection{Windows}
  \begin{figure}
    \centering
    \begin{subfigure}{0.35\textwidth}
      \includegraphics[width=\textwidth]{Images/Windows1.png}
      \centering
      1.) Select the LSST WAP WIFI Network from the list if at La Serena Base or Cerro Pachon.
    \end{subfigure}
      \hfill
    \begin{subfigure}{0.35\textwidth}
      \includegraphics[width=\textwidth]{Images/Windows2.png}
      \centering
      2.) Select connect, log in with your domain account credentials both username and password. 
    \end{subfigure}
  \end{figure}
 
  




\newpage
\section{Access to Nublado, EFD/Chronograph and other SQuaRE services}
\label{sec:Nublado}

To access your services you must first have a VPN account created and use your IPA account to create and generate VPN access. 

Please follow the following confluence page: \href{https://confluence.lsstcorp.org/display/IT/Rubin+VPN+user%27s+guide}{VPN Confluence Guide}.

Once you have the VPN account created you must request the necessary permissions on the same ticket as your VPN to access your services, these are the following:

\begin{itemize}
  \item RSP fo Cerro Pachon
  \item BTS for La Serena
  \item DEV for Dev
  \item TTS for Tucson
\end{itemize}

For security reasons, 2FA must be used to access each individual service, independent from each other. For example, if you need to access RSP you must create a 2FA entry for RSP and to access BTS you will also need to create a separate 2FA that is independent of the RSP entry. This 2FA works with the service called Keycloak. When you log in for the first time to one of these services you will be able to configure the Keycloak 2FA.

\newpage
\section{Software Deployment - Access and Prerequisites}

1. Follow instructions in \href{https://ittn-045.lsst.io}{ITTN-045}, file an IHS ticket (1 of 3) to request access to IPA, the VPN and the Resources and Bare-Metal Machines for

\begin{itemize}
	\item[a)] \href{https://obs-controls.lsst.io/System-Testing-Deployments-and-Upgrades/Control-System-Upgrade/Deployment-Activities/tucson-teststand/index.html}{TTS}.
	\begin{itemize}
		\item Include access to the ArgoCD Admin and Tucson Teststand (TTS) 1Password vaults in the request.
	\end{itemize}
	\item[b)] \href{https://obs-controls.lsst.io/System-Testing-Deployments-and-Upgrades/Control-System-Upgrade/Deployment-Activities/base-teststand/index.html#deployment-activities-bts-resources}{BTS}.
	\begin{itemize}
		\item Include access to the ArgoCD Admin and Base Teststand (TTS) 1Password vaults in the request.
	\end{itemize}
	\item[c)] \href{https://obs-controls.lsst.io/System-Testing-Deployments-and-Upgrades/Control-System-Upgrade/Deployment-Activities/summit/index.html}{Summit}.
	\begin{itemize}
		\item Include access to the ArgoCD Admin and Summit 1Password vaults in the request.
	\end{itemize}
\end{itemize}

2. Request for increased privileges.

\begin{itemize}
	\item[a)] For deployments and system administration, sudo privileges are required.
	\begin{itemize}
		\item File an IHS ticket (2 of 3).
	\end{itemize}
\end{itemize}

3.) Request access to the following Github Organizations.

\begin{itemize}
	\item[a)] \href{https://github.com/lsst-it}{lsst-it} (docker-compose-ops-repo, explicitly).
	\begin{itemize}
		\item File and IHS ticket (3 of 3).
	\end{itemize}
	\item[b)] \href{https://github.com/lsst-ts}{lsst-ts} (argocd-csc scripts).
	\begin{itemize}
		\item Submit and Email or Slack request to Rob Bovill (rbovill@lsst.org).
	\end{itemize}
\end{itemize}

\newpage

4.) Access to kubectl and argocd CLI tool.

\begin{itemize}
	\item[a)] Install to local machine.
	\begin{itemize}
		\item \href{https://kubernetes.io/docs/tasks/tools/#kubectl}{kubectl}
		\begin{itemize}
			\item \href{https://obs-controls.lsst.io/System-Testing-Deployments-and-Upgrades/Control-System-Upgrade/Deployment-Activities/tucson-teststand/index.html#resources}{TTS Configuration}
			\item \href{https://obs-controls.lsst.io/System-Testing-Deployments-and-Upgrades/Control-System-Upgrade/Deployment-Activities/base-teststand/index.html#deployment-activities-bts-resources}{BTS Configuration}
			\item \href{https://obs-controls.lsst.io/System-Testing-Deployments-and-Upgrades/Control-System-Upgrade/Deployment-Activities/summit/index.html#resources}{Summit Configuration}
		\end{itemize}
		\item \href{https://argo-cd.readthedocs.io/en/stable/cli\_installation/}{argocd}
		\begin{itemize}
			\item Checkout the \href{https://github.com/lsst-ts/argocd-csc}{argo-csc} repo, it contains scripts used during the deployment.
			\item Create the \$HOME/.argocd\_auth file 
		\end{itemize}
	\end{itemize}
\end{itemize}