VIEWS: 21 PAGES: 11 POSTED ON: 3/8/2010
University Information Technology Services Consolidated Hosting Environment Service Agreement September 8, 2008 Overview The Consolidated Hosting Environment enables clients to use desired technologies not available in any other hosting environment provided by University Information Technology Services, for as low a cost as possible, while maintaining an acceptable level of performance, reliability, and security. Applications requiring other levels of performance, reliability, or security must be hosted elsewhere. The unique features of this hosting environment are a Microsoft IIS web server with the ability to serve dynamic web pages written using Adobe ColdFusion, Microsoft ASP, and Microsoft .Net programming languages; and a Microsoft Windows Share with the ability to serve executables and files. The web pages, shared files, and executables hosted in this environment may access data in a Microsoft SQL Server that is part of this environment or may use other data stores as desired by the client and acceptable to the provider. The Consolidated Hosting Environment is available to departments on all campuses of Indiana University. The clients develop and maintain the applications, and University Information Technology Services provides the hardware, software, and system administration. This environment is provided by the combined efforts of the Enterprise Web Technical Services, Enterprise Server Administration, Enterprise Infrastructure, Enterprise Infrastructure Database Administration, Computer Operations, and Support Center groups of University Information Technology Services. The remainder of this document describes the environment, and the relationship between the service provider and the service clients. Definitions “Client” refers to the consumer of the services provided by this environment. A client is the organizational unit and all associated individuals served. “Provider” refers to the University Information Technology Services groups and personnel responsible for providing some aspect of this environment. “Workspace” refers to the total scope of a client’s use of this environment. A workspace is comprised of all file and database space provided to a client. “Project” refers to a sub-grouping of resources within a workspace. So a “Workspace” can have one or more “Projects”. File and database space are associated with a “Project”. The primary reason for multiple “Projects” would be security – to compartment access to files and data to different groups of people. Service Agreement The service provider agrees to: Provide the Consolidated Hosting Environment 24 hours a day, 7 days a week, except for maintenance and emergencies. See the Guidelines section for further information about scheduled and emergency maintenance. Provide a full range of support resources. The service provider responsibilities are divided between the Enterprise Web Technical Services (WebTech), Enterprise Server Administration (ESA), Enterprise Database Administration (EDBA), Storage and Virtualization (SAV), Computer Operations (OPS), and Support Center (SC) groups within University Information Technology Services (UITS). The WebTech group is the service owner and primary contact for all clients. The WebTech group will introduce new clients to the environment, and provide general information and consulting services to existing clients. The ESA group is the system administrator for the environment. The ESA group will install, configure, and maintain the development, test, and production hardware and operating system software. The EDBA group is the database administrator for the environment. The EDBA group will install, configure, and maintain the development, test, and production database software. The SAV group will provide virtual servers, allocate additional virtual resources as needed, and perform file and database backups. The OPS group also monitors server activity and will report problems as necessary to the system administrator. The Support Center will provide first tier support for the environment. The client agrees to: Secure their workspace and data. Assure your “Contacts”, “Permissions”, and “Access Control Lists” are up to date. “Contacts”, “Permissions”, and “Access Control Lists” are described in the Guidelines and Access Control sections of this agreement. Assure you are not storing the following personal information anywhere in your workspace without approval of University Counsel, Internal Audit, and the University Information Technology Security and Policy Office. o Social Security Numbers o Credit card numbers o Financial account numbers o Debit card numbers o Security codes, access codes and passwords o Drivers license numbers o State identification card numbers o HIPAA Please review the Knowledge Base article What is sensitive data, and how is it protected by law? (http://kb.iu.edu/data/augs.html). If you have any questions about whether your data can legally be hosted on CHE, please inform the service provider. Some sensitive data (like FERPA data) can be hosted with restrictions. Maintain their workspace in accordance with the terms of this agreement. The Consolidated Hosting Environment is shared by many clients. In order to provide a maintainable and acceptable level of performance, reliability, and security; the configuration of all applications is standardized. The client may request deviations to the standard but the provider reserves the right to deny any request for customization. Maintain their workspace to not adversely affect other client applications. All client applications must not adversely affect other client applications. If a client application does adversely affect other client applications, the provider may remove the offending client application from service. Maintain their workspace to be compatible with environment upgrades. Every software component employed in the environment will be patched, updated, or upgraded promptly. The client is responsible for making any changes necessary to their application to get it to function in the patched, updated, or upgraded environment. Use the following procedures to make changes. The Consolidated Hosting Environment is composed of development, test, and production areas. The client must develop only in the “development” area, and adequately test in the “test” area before moving changes to the production area, and only make tested changes to the production area. The first time files are moved into “production”, clients must submit a change request to firstname.lastname@example.org at least two weeks in advance. The actual date and time will be determined by the client and provider at least one week in advance. The first time database objects are moved into “production”, clients must submit a change request to email@example.com at least two weeks in advance. The actual date and time will be determined by the client and provider at least one week in advance. Routine file changes can be made to the “production” environment by using the web based self-administration tool or by submitting a change request to che- firstname.lastname@example.org. Requests must clearly specify the source and destination for all files. Routine database object changes can be made to the “production” environment by using the web based self-administration tool or by submitting a change request to email@example.com. Requests must clearly specify the source and destination for all database objects. Other changes can be made by submitting a change request to firstname.lastname@example.org. Requests must clearly specify the changes desired. The actual completion date and time will be determined upon review of each individual request. Any new component, software, or device that is needed by the new or modified scripts must be made available to the provider in advance for evaluation. If the provider approves the new component, software, or device for use and a license is necessary, three licenses must be provided for the development, test/staging, and production environments. Once installed, the client will be responsible for obtaining updates as necessary. The client must notify the provider of any anticipated “significant” changes in usage, such as a dramatic user base increase or the need for a dramatic increase in disk space, in order to ensure the environment has the resources to accommodate the changes. Designate at least one contact that can answer or find answers to any administrative or technical question related to the client workspace. Guidelines Intended Clients o IU Departments on all campuses o IU faculty and staff o IU students only when sponsored by IU faculty or staff o Vendors only when sponsored by IU faculty or staff Contacts and client access to the environment o The client must designate at least one individual as a contact for all matters related to their use of this service. The provider will only act on requests made by or approved by a designated contact. o The client is completely responsible for controlling access to their workspace. o The client is responsible for developing and maintaining their content for the entire application life-cycle. The client is also responsible for adapting their application to changes to the environment such as software and hardware updates and upgrades. Initiating Service o Express interest to WebTech (email@example.com). o Include a proposed name for the project and the network id and email address for the primary contact. o Development workspaces are available within a week. Ending Service o The client may end their use of the service at any time. WebTech reserves the right to end service to any application which violates any IU Policy, this Service Agreement, or adversely affects the performance of other users. o When a client ends their use of the service, the provider will archive all files on the file share and a complete backup of the database, and a copy of the archive will be made available to the client. The provider will keep a copy of the archived Project for one year. Consulting and Troubleshooting Services o Consulting and troubleshooting services are available upon request to WebTech. o Response time will vary based on personnel resources and volume of requests pending. o In general, all clients will have the same priority for services. o The service provider reserves the right to reprioritize pending requests for services as circumstances may require. o There is no additional fee for routine consulting and troubleshooting services. Extensive consulting and troubleshooting services may result in additional fees. Emergency communications o In case of an emergency, the client must first consult their developer to resolve the problem. o If the problem cannot be resolved by the client's developer, then the client may contact firstname.lastname@example.org for assistance. If the report is made during normal business hours, then the problem will be investigated. If the problem is reported outside of normal business hours, then the problem will be investigated the next business day. o If the problem is identified outside of business hours, then clients or users may contact the Support Center. If the Support Center is closed, then clients or users may report the problem to Operations. The Support Center or Operations will report the problem to the System Administrator. The System Administrator will only be able to perform high level functions such as restarting a problematic server. o When clients or users report a problem to email@example.com, Operations, or the Support Center, the following information is needed: That the application is part of the Consolidated Hosting Environment. The name of the application. The name, email address, and phone number of who to contact during troubleshooting. A description of the problem, including details such as: o The complete URL to the problem page. o The UNC path to the share containing the file with the problem. o The server and database name if the problem is a database connection. o A description of the aberrant behaviors. o You may refer your users to the KB article http://kb.iu.edu/data/arrv.html for instructions for user problem reporting for the Consolidated Hosting Environment. Virus Protection o Clients are responsible for assuring their files do not contain viruses. o The service provider may periodically scan files for viruses. Data Backup and Restoration o Trivoli Storage Manager (TSM) is now used for backups and restores. o Files on file shares are backed up as follows: First, TSM copies all your files and keeps that copy of each file until you modify or delete it. The previous 14 versions of your files are each kept for 14 days. When you delete a file the most recent 3 versions are kept for 14 days and the last version is kept for 60 days. Backups are first written to disk and then written to 2 tape pools. One tape pool is stored in Indianapolis and one is kept in Bloomington. Databases are backed up as follows: o A SQL Server full backup of each database is performed daily and written to a file server. o A SQL Server transaction log database backup of each database is performed daily for production databases only and written to a file server. o The backup files are kept for 5 days on the file server. Plus, the file server is backed up by TSM. So in addition to immediate access to 5 days of backups from the file server we have the TSM backups of the file server (as described above). o Send requests to restore files and databases to firstname.lastname@example.org. o Restorations may result in additional fees. Scheduled Jobs o To avoid conflicts with backups and scheduled maintenance, Operating system, ColdFusion, SQL Server, and any other jobs targeting the production servers in this environment must be scheduled to not conflict with the production server backup and scheduled maintenance. Backups and scheduled maintenance on production servers occurs from midnight to 6am (8am on Sundays). Therefore, scheduled jobs will not be allowed during these times. o To avoid conflicts with backups and scheduled maintenance, Operating system, ColdFusion, SQL Server, and any other jobs targeting the development and test servers in this environment must be scheduled to not conflict with the development and test server backup and scheduled maintenance. Backups on the development servers occur daily from 6 pm to 9 pm and database backups on the test servers occur daily from 9pm to Midnight. Scheduled maintenance occurs Tuesdays from Noon to 5 pm. Therefore, scheduled jobs will not be allowed during these times. o When job execution periods overlap and server performance is affected, then we may reschedule the jobs involved to spread the load. If this is necessary, then we will work with the affected job owners to reschedule the jobs. o Sql Server Integration Services (SSIS) packages should be completed before 9am each weekday. Any SSIS package running after 9am on a weekday that is having a negative impact on the CHE environment may be terminated at the service provider’s discretion. The service provider will make every effort to contact the affected client before, or immediately after, the SSIS package has been terminated. Scheduled Maintenance o If necessary, security updates to development and test servers will occur on the Wednesday following the second Tuesday of every month between Noon and 5 pm. If necessary, security updates to production severs will occur between 12am and 8am the following Sunday. The servers or affected services will be down for only the amount of time necessary for the updates – usually for only a few minutes. o If necessary, other maintenance to development and test servers will occur on Tuesdays between Noon and 5 pm. If necessary, other maintenance to production severs will occur on the second Sunday of the month between 12am and 8am. o All other scheduled maintenance will be announced at least three days in advance. Any maintenance likely to affect the availability of the servers will be performed on a weekday between 5am and 8am if possible. Emergency Maintenance o Emergency maintenance will occur as needed. The first priority will be to prevent service loss or to restore service. Consequently, emergency maintenance may be performed without advance notice to clients. Clients will be notified of the emergency maintenance as soon as possible, before or after, as the situation allows. o A System Administrator is on call 24 hours a day, 7 days a week. During an emergency the system administrator will give their best effort to restore service. However, there is no guaranteed response or recovery time during an emergency. Data Encryption o The production web servers have certificates to support SSL. o Encryption of direct communications with the database servers provided or encryption of communications with any client share must be requested explicitly and may require additional fees. Virtual Host Names o Sub-Domain names are available, for example, ProjectName.indiana.edu. o Designer Domain names are available for a fee, for example, ProjectName.org. o Certificates for virtual host names are also available for a fee. Central Authentication Service o The Consolidated Hosting Environment supports the use of the Central Authentication Server for limiting access to web pages. Security Scanning o Web applications hosted in the Consolidated Hosting Environment are subject to security scanning by the University Information Policy Office. The client is responsible for fixing vulnerabilities revealed by a security scan. Fees Note: The fee schedule will change for FY2010. Basic service fees o Web, Database, and Application: Departments (all campuses): $100 per month Auxiliaries (all campuses): $150 per month o Web only: Departments (all campuses): $40 per month Auxiliaries (all campuses): $60 per month o Database only: Departments (all campuses): $80 per month Auxiliaries (all campuses): $120 per month o Application Serving only: Departments (all campuses): $80 per month Auxiliaries (all campuses): $120 per month o Billing begins when the application goes into production and at the beginning of any subsequent fiscal year. o The annual billing rate is 10 times the monthly rate. o The minimum fee is the monthly rate. o An additional fee equal to the monthly rate is incurred each time the service is restored for intermittent use. Virtual web site hosting o No additional fee Secure Socket Layers (SSL) hosting o Cost of certificate Additional disk space fees o All workspaces include 1 GB of disk space. The space includes: Script, image, and data files on file share Database data, log, and backup files Development, test, and production o The cost for additional disk space is: $4 per year for each additional 1 GB of space o Charges for additional file spaces are based on average monthly usage during the previous fiscal year. o There is no monthly fee for additional disk space. Training and Experience o Developers must have the proper training and experience to use the environment effectively. o Classes covering the web design, database design, ASP/.Net and ColdFusion fundamentals are available from IT Training and Education. Access Control Access is controlled by Active Directory (ADS) domain groups. There is a group for the following roles: “Developers, Users, and Readers”. The groups have the following permissions. In addition, there are two database server logins available for use. Web Server File Permissions Development Test Production ADS\IU-CHE-ProjectName-Developers Change Read none ADS\IU-CHE-ProjectName-Users none none none ADS\IU-CHE-ProjectName-Readers none none none Database Server Permissions Development Test and Production ADS\IU-CHE-ProjectName-Developers database owner datareader ADS\IU-CHE-ProjectName-Users datareader and datawriter datareader and datawriter ADS\IU-CHE-ProjectName-Readers datareader datareader SQL Server\ProjectName-Owner database owner datareader and datawriter SQL Server\ProjectName-User datareader and datawriter datareader and datawriter Application Server File Permissions Development Test Production ADS\IU-CHE-ProjectName-Developers Change Change Change ADS\IU-CHE-ProjectName-Users Change Change Change ADS\IU-CHE-ProjectName-Readers Read Read Read Change – members of a group with this access can create, modify, delete, and read files. Read – members of a group with this access can only read files. Database Owner - members of a group with this access can create, alter, and drop database objects in addition to reading and writing all data in the database. Datareader - members of a group with this access can read data in all tables in the database. Datawriter - members of a group with this access can write (insert, update, and delete) data in all tables in the database. Web Site and Virtual Directory Settings Web accessibility is controlled by web site or virtual directory settings. These settings determine the type of file that can be served from a folder and the users that can access the folder. The use of .htm or .html files requires read access to the folder containing them. Any folder that allows read access to .htm and .html files also allows read access to many other file types. The use of .cfm, .asp, or .aspx files requires "Scripts Only" execute permission on the folder containing them. Also, a folder may be set to "Require Secure Socket Layers" to ensure the use of SSL is mandatory and not optional. In addition, access to each web accessible folder can be controlled by user account. By default the anonymous web user account (iusr_servername) has access to all web accessible folders. However, you may want to remove access by the anonymous web user in order to control access by Windows Integrated Security. This would require a user to have an ads domain account in order to log on. You would have to request these configuration changes to use Windows Integrated Security to protect your web accessible folders. You also have the ability to use the Central Authentication Service (CAS) to control access to web accessible folders. Placing a file named CasIsapiSecurity.txt (the file can be empty) in any folder would force any user to have a CAS ticket to access the folder. If the user doesn’t have a CAS ticket they are redirected to the CAS server to log on using their network id. You do not have to request configuration changes to use CAS to protect your web accessible folders. The default web site and virtual directory configuration settings are: Web server application configuration defaults: Enable session state: on Session timeout: 20 minutes Enable buffering: on Enable parent paths: on Asp Script Timeout: 90 seconds Documents Defaults: none Directory Security Defaults: Anonymous web access (iusr_servername): read access to all folders Integrated Windows Authentication: on Folder permissions: read and scripts execute access to all folders .Net Framework Defaults: All .Net applications will be configured to use the Framework version 1.1 by default. This can be changed to other versions upon request. ColdFusion Defaults: Debugging IP addresses on development and test server: none Data sources: Projects for clients using ColdFusion have a data source name configured for use. The data source name is the same as the Project name or has the form LocalProjectNameMssql. Additional data source names are available upon request. Approval An email response from a client contact accepting this agreement is all that is required. A signed copy of this agreement can be provided upon request.
Pages to are hidden for
"University Information Technology Services"Please download to view full document