Get documents about "University Information Technology Services
Document Sample
University Information Technology Services
Consolidated Hosting Environment
Service Agreement
September 8, 2008
Overview
The Consolidated Hosting Environment enables clients to use desired technologies not
available in any other hosting environment provided by University Information
Technology Services, for as low a cost as possible, while maintaining an acceptable level
of performance, reliability, and security. Applications requiring other levels of
performance, reliability, or security must be hosted elsewhere.
The unique features of this hosting environment are a Microsoft IIS web server with the
ability to serve dynamic web pages written using Adobe ColdFusion, Microsoft ASP, and
Microsoft .Net programming languages; and a Microsoft Windows Share with the ability
to serve executables and files. The web pages, shared files, and executables hosted in this
environment may access data in a Microsoft SQL Server that is part of this environment
or may use other data stores as desired by the client and acceptable to the provider.
The Consolidated Hosting Environment is available to departments on all campuses of
Indiana University. The clients develop and maintain the applications, and University
Information Technology Services provides the hardware, software, and system
administration.
This environment is provided by the combined efforts of the Enterprise Web Technical
Services, Enterprise Server Administration, Enterprise Infrastructure, Enterprise
Infrastructure Database Administration, Computer Operations, and Support Center
groups of University Information Technology Services. The remainder of this document
describes the environment, and the relationship between the service provider and the
service clients.
Definitions
“Client” refers to the consumer of the services provided by this environment. A client is
the organizational unit and all associated individuals served.
“Provider” refers to the University Information Technology Services groups and
personnel responsible for providing some aspect of this environment.
“Workspace” refers to the total scope of a client’s use of this environment. A workspace
is comprised of all file and database space provided to a client.
“Project” refers to a sub-grouping of resources within a workspace. So a “Workspace”
can have one or more “Projects”. File and database space are associated with a “Project”.
The primary reason for multiple “Projects” would be security – to compartment access to
files and data to different groups of people.
Service Agreement
The service provider agrees to:
Provide the Consolidated Hosting Environment 24 hours a day, 7 days a week, except
for maintenance and emergencies. See the Guidelines section for further information
about scheduled and emergency maintenance.
Provide a full range of support resources. The service provider responsibilities are
divided between the Enterprise Web Technical Services (WebTech), Enterprise
Server Administration (ESA), Enterprise Database Administration (EDBA), Storage
and Virtualization (SAV), Computer Operations (OPS), and Support Center (SC)
groups within University Information Technology Services (UITS).
The WebTech group is the service owner and primary contact for all clients. The
WebTech group will introduce new clients to the environment, and provide
general information and consulting services to existing clients.
The ESA group is the system administrator for the environment. The ESA group
will install, configure, and maintain the development, test, and production
hardware and operating system software.
The EDBA group is the database administrator for the environment. The EDBA
group will install, configure, and maintain the development, test, and production
database software.
The SAV group will provide virtual servers, allocate additional virtual resources
as needed, and perform file and database backups.
The OPS group also monitors server activity and will report problems as
necessary to the system administrator.
The Support Center will provide first tier support for the environment.
The client agrees to:
Secure their workspace and data.
Assure your “Contacts”, “Permissions”, and “Access Control Lists” are up to
date. “Contacts”, “Permissions”, and “Access Control Lists” are described in the
Guidelines and Access Control sections of this agreement.
Assure you are not storing the following personal information anywhere in your
workspace without approval of University Counsel, Internal Audit, and the
University Information Technology Security and Policy Office.
o Social Security Numbers
o Credit card numbers
o Financial account numbers
o Debit card numbers
o Security codes, access codes and passwords
o Drivers license numbers
o State identification card numbers
o HIPAA
Please review the Knowledge Base article What is sensitive data, and how is it
protected by law? (http://kb.iu.edu/data/augs.html). If you have any questions
about whether your data can legally be hosted on CHE, please inform the service
provider. Some sensitive data (like FERPA data) can be hosted with restrictions.
Maintain their workspace in accordance with the terms of this agreement.
The Consolidated Hosting Environment is shared by many clients. In order to
provide a maintainable and acceptable level of performance, reliability, and
security; the configuration of all applications is standardized. The client may
request deviations to the standard but the provider reserves the right to deny any
request for customization.
Maintain their workspace to not adversely affect other client applications.
All client applications must not adversely affect other client applications. If a
client application does adversely affect other client applications, the provider may
remove the offending client application from service.
Maintain their workspace to be compatible with environment upgrades.
Every software component employed in the environment will be patched,
updated, or upgraded promptly. The client is responsible for making any changes
necessary to their application to get it to function in the patched, updated, or
upgraded environment.
Use the following procedures to make changes.
The Consolidated Hosting Environment is composed of development, test, and
production areas. The client must develop only in the “development” area, and
adequately test in the “test” area before moving changes to the production area,
and only make tested changes to the production area.
The first time files are moved into “production”, clients must submit a change
request to che-l@indiana.edu at least two weeks in advance. The actual date and
time will be determined by the client and provider at least one week in advance.
The first time database objects are moved into “production”, clients must submit a
change request to che-l@indiana.edu at least two weeks in advance. The actual
date and time will be determined by the client and provider at least one week in
advance.
Routine file changes can be made to the “production” environment by using the
web based self-administration tool or by submitting a change request to che-
l@indiana.edu. Requests must clearly specify the source and destination for all
files.
Routine database object changes can be made to the “production” environment by
using the web based self-administration tool or by submitting a change request to
che-l@indiana.edu. Requests must clearly specify the source and destination for
all database objects.
Other changes can be made by submitting a change request to che-l@indiana.edu.
Requests must clearly specify the changes desired. The actual completion date
and time will be determined upon review of each individual request.
Any new component, software, or device that is needed by the new or modified
scripts must be made available to the provider in advance for evaluation. If the
provider approves the new component, software, or device for use and a license is
necessary, three licenses must be provided for the development, test/staging, and
production environments. Once installed, the client will be responsible for obtaining
updates as necessary.
The client must notify the provider of any anticipated “significant” changes in usage,
such as a dramatic user base increase or the need for a dramatic increase in disk
space, in order to ensure the environment has the resources to accommodate the
changes.
Designate at least one contact that can answer or find answers to any administrative
or technical question related to the client workspace.
Guidelines
Intended Clients
o IU Departments on all campuses
o IU faculty and staff
o IU students only when sponsored by IU faculty or staff
o Vendors only when sponsored by IU faculty or staff
Contacts and client access to the environment
o The client must designate at least one individual as a contact for all matters
related to their use of this service. The provider will only act on requests made
by or approved by a designated contact.
o The client is completely responsible for controlling access to their workspace.
o The client is responsible for developing and maintaining their content for the
entire application life-cycle. The client is also responsible for adapting their
application to changes to the environment such as software and hardware
updates and upgrades.
Initiating Service
o Express interest to WebTech (che-l@indiana.edu).
o Include a proposed name for the project and the network id and email address
for the primary contact.
o Development workspaces are available within a week.
Ending Service
o The client may end their use of the service at any time. WebTech reserves the
right to end service to any application which violates any IU Policy, this
Service Agreement, or adversely affects the performance of other users.
o When a client ends their use of the service, the provider will archive all files
on the file share and a complete backup of the database, and a copy of the
archive will be made available to the client. The provider will keep a copy of
the archived Project for one year.
Consulting and Troubleshooting Services
o Consulting and troubleshooting services are available upon request to
WebTech.
o Response time will vary based on personnel resources and volume of requests
pending.
o In general, all clients will have the same priority for services.
o The service provider reserves the right to reprioritize pending requests for
services as circumstances may require.
o There is no additional fee for routine consulting and troubleshooting services.
Extensive consulting and troubleshooting services may result in additional
fees.
Emergency communications
o In case of an emergency, the client must first consult their developer to
resolve the problem.
o If the problem cannot be resolved by the client's developer, then the client
may contact che-l@indiana.edu for assistance. If the report is made during
normal business hours, then the problem will be investigated. If the problem is
reported outside of normal business hours, then the problem will be
investigated the next business day.
o If the problem is identified outside of business hours, then clients or users may
contact the Support Center. If the Support Center is closed, then clients or
users may report the problem to Operations. The Support Center or Operations
will report the problem to the System Administrator. The System
Administrator will only be able to perform high level functions such as
restarting a problematic server.
o When clients or users report a problem to che-l@indiana.edu, Operations, or
the Support Center, the following information is needed:
That the application is part of the Consolidated Hosting Environment.
The name of the application.
The name, email address, and phone number of who to contact during
troubleshooting.
A description of the problem, including details such as:
o The complete URL to the problem page.
o The UNC path to the share containing the file with the problem.
o The server and database name if the problem is a database
connection.
o A description of the aberrant behaviors.
o You may refer your users to the KB article http://kb.iu.edu/data/arrv.html for
instructions for user problem reporting for the Consolidated Hosting
Environment.
Virus Protection
o Clients are responsible for assuring their files do not contain viruses.
o The service provider may periodically scan files for viruses.
Data Backup and Restoration
o Trivoli Storage Manager (TSM) is now used for backups and restores.
o Files on file shares are backed up as follows:
First, TSM copies all your files and keeps that copy of each file until
you modify or delete it.
The previous 14 versions of your files are each kept for 14 days.
When you delete a file the most recent 3 versions are kept for 14 days
and the last version is kept for 60 days.
Backups are first written to disk and then written to 2 tape pools. One
tape pool is stored in Indianapolis and one is kept in Bloomington.
Databases are backed up as follows:
o A SQL Server full backup of each database is performed daily and written to a
file server.
o A SQL Server transaction log database backup of each database is performed
daily for production databases only and written to a file server.
o The backup files are kept for 5 days on the file server. Plus, the file server is
backed up by TSM. So in addition to immediate access to 5 days of backups
from the file server we have the TSM backups of the file server (as described
above).
o Send requests to restore files and databases to che-l@indiana.edu.
o Restorations may result in additional fees.
Scheduled Jobs
o To avoid conflicts with backups and scheduled maintenance, Operating
system, ColdFusion, SQL Server, and any other jobs targeting the production
servers in this environment must be scheduled to not conflict with the
production server backup and scheduled maintenance.
Backups and scheduled maintenance on production servers occurs
from midnight to 6am (8am on Sundays). Therefore, scheduled jobs
will not be allowed during these times.
o To avoid conflicts with backups and scheduled maintenance, Operating
system, ColdFusion, SQL Server, and any other jobs targeting the
development and test servers in this environment must be scheduled to not
conflict with the development and test server backup and scheduled
maintenance.
Backups on the development servers occur daily from 6 pm to 9 pm
and database backups on the test servers occur daily from 9pm to
Midnight. Scheduled maintenance occurs Tuesdays from Noon to 5
pm. Therefore, scheduled jobs will not be allowed during these times.
o When job execution periods overlap and server performance is affected, then
we may reschedule the jobs involved to spread the load. If this is necessary,
then we will work with the affected job owners to reschedule the jobs.
o Sql Server Integration Services (SSIS) packages should be completed before
9am each weekday. Any SSIS package running after 9am on a weekday that is
having a negative impact on the CHE environment may be terminated at the
service provider’s discretion. The service provider will make every effort to
contact the affected client before, or immediately after, the SSIS package has
been terminated.
Scheduled Maintenance
o If necessary, security updates to development and test servers will occur on
the Wednesday following the second Tuesday of every month between Noon
and 5 pm. If necessary, security updates to production severs will occur
between 12am and 8am the following Sunday. The servers or affected services
will be down for only the amount of time necessary for the updates – usually
for only a few minutes.
o If necessary, other maintenance to development and test servers will occur on
Tuesdays between Noon and 5 pm. If necessary, other maintenance to
production severs will occur on the second Sunday of the month between
12am and 8am.
o All other scheduled maintenance will be announced at least three days in
advance. Any maintenance likely to affect the availability of the servers will
be performed on a weekday between 5am and 8am if possible.
Emergency Maintenance
o Emergency maintenance will occur as needed. The first priority will be to
prevent service loss or to restore service. Consequently, emergency
maintenance may be performed without advance notice to clients. Clients will
be notified of the emergency maintenance as soon as possible, before or after,
as the situation allows.
o A System Administrator is on call 24 hours a day, 7 days a week. During an
emergency the system administrator will give their best effort to restore
service. However, there is no guaranteed response or recovery time during an
emergency.
Data Encryption
o The production web servers have certificates to support SSL.
o Encryption of direct communications with the database servers provided or
encryption of communications with any client share must be requested
explicitly and may require additional fees.
Virtual Host Names
o Sub-Domain names are available, for example, ProjectName.indiana.edu.
o Designer Domain names are available for a fee, for example,
ProjectName.org.
o Certificates for virtual host names are also available for a fee.
Central Authentication Service
o The Consolidated Hosting Environment supports the use of the Central
Authentication Server for limiting access to web pages.
Security Scanning
o Web applications hosted in the Consolidated Hosting Environment are subject
to security scanning by the University Information Policy Office. The client is
responsible for fixing vulnerabilities revealed by a security scan.
Fees
Note: The fee schedule will change for FY2010.
Basic service fees
o Web, Database, and Application:
Departments (all campuses): $100 per month
Auxiliaries (all campuses): $150 per month
o Web only:
Departments (all campuses): $40 per month
Auxiliaries (all campuses): $60 per month
o Database only:
Departments (all campuses): $80 per month
Auxiliaries (all campuses): $120 per month
o Application Serving only:
Departments (all campuses): $80 per month
Auxiliaries (all campuses): $120 per month
o Billing begins when the application goes into production and at the beginning
of any subsequent fiscal year.
o The annual billing rate is 10 times the monthly rate.
o The minimum fee is the monthly rate.
o An additional fee equal to the monthly rate is incurred each time the service is
restored for intermittent use.
Virtual web site hosting
o No additional fee
Secure Socket Layers (SSL) hosting
o Cost of certificate
Additional disk space fees
o All workspaces include 1 GB of disk space. The space includes:
Script, image, and data files on file share
Database data, log, and backup files
Development, test, and production
o The cost for additional disk space is:
$4 per year for each additional 1 GB of space
o Charges for additional file spaces are based on average monthly usage during
the previous fiscal year.
o There is no monthly fee for additional disk space.
Training and Experience
o Developers must have the proper training and experience to use the
environment effectively.
o Classes covering the web design, database design, ASP/.Net and ColdFusion
fundamentals are available from IT Training and Education.
Access Control
Access is controlled by Active Directory (ADS) domain groups. There is a group for the
following roles: “Developers, Users, and Readers”. The groups have the following
permissions. In addition, there are two database server logins available for use.
Web Server File Permissions Development Test Production
ADS\IU-CHE-ProjectName-Developers Change Read none
ADS\IU-CHE-ProjectName-Users none none none
ADS\IU-CHE-ProjectName-Readers none none none
Database Server Permissions Development Test and Production
ADS\IU-CHE-ProjectName-Developers database owner datareader
ADS\IU-CHE-ProjectName-Users datareader and datawriter datareader and datawriter
ADS\IU-CHE-ProjectName-Readers datareader datareader
SQL Server\ProjectName-Owner database owner datareader and datawriter
SQL Server\ProjectName-User datareader and datawriter datareader and datawriter
Application Server File Permissions Development Test Production
ADS\IU-CHE-ProjectName-Developers Change Change Change
ADS\IU-CHE-ProjectName-Users Change Change Change
ADS\IU-CHE-ProjectName-Readers Read Read Read
Change – members of a group with this access can create, modify, delete, and read files.
Read – members of a group with this access can only read files.
Database Owner - members of a group with this access can create, alter, and drop
database objects in addition to reading and writing all data in the database.
Datareader - members of a group with this access can read data in all tables in the
database.
Datawriter - members of a group with this access can write (insert, update, and delete)
data in all tables in the database.
Web Site and Virtual Directory Settings
Web accessibility is controlled by web site or virtual directory settings. These settings
determine the type of file that can be served from a folder and the users that can access
the folder. The use of .htm or .html files requires read access to the folder containing
them. Any folder that allows read access to .htm and .html files also allows read access to
many other file types. The use of .cfm, .asp, or .aspx files requires "Scripts Only" execute
permission on the folder containing them. Also, a folder may be set to "Require Secure
Socket Layers" to ensure the use of SSL is mandatory and not optional.
In addition, access to each web accessible folder can be controlled by user account. By
default the anonymous web user account (iusr_servername) has access to all web
accessible folders. However, you may want to remove access by the anonymous web user
in order to control access by Windows Integrated Security. This would require a user to
have an ads domain account in order to log on. You would have to request these
configuration changes to use Windows Integrated Security to protect your web accessible
folders.
You also have the ability to use the Central Authentication Service (CAS) to control
access to web accessible folders. Placing a file named CasIsapiSecurity.txt (the file can
be empty) in any folder would force any user to have a CAS ticket to access the folder. If
the user doesn’t have a CAS ticket they are redirected to the CAS server to log on using
their network id. You do not have to request configuration changes to use CAS to protect
your web accessible folders.
The default web site and virtual directory configuration settings are:
Web server application configuration defaults:
Enable session state: on
Session timeout: 20 minutes
Enable buffering: on
Enable parent paths: on
Asp Script Timeout: 90 seconds
Documents Defaults: none
Directory Security Defaults:
Anonymous web access (iusr_servername): read access to all folders
Integrated Windows Authentication: on
Folder permissions: read and scripts execute access to all folders
.Net Framework Defaults:
All .Net applications will be configured to use the Framework version 1.1 by default.
This can be changed to other versions upon request.
ColdFusion Defaults:
Debugging IP addresses on development and test server: none
Data sources: Projects for clients using ColdFusion have a data source name configured
for use. The data source name is the same as the Project name or has the form
LocalProjectNameMssql. Additional data source names are available upon request.
Approval
An email response from a client contact accepting this agreement is all that is required. A
signed copy of this agreement can be provided upon request.
