CSI Services for ERP
Auth services for Systems and SFTP
IPA for Systems level access
IPA is based on the FreeIPA open-source software, professionally repackaged and distributed by Red Hat, and includes 389-directory-server, kerberos-server, pki-server, and apache-server, among others. For ERP system access at NCSU, the various sysadmins, developers, and SFTP users require an auth system separate from main campus; providing it is currently the main purpose of NCSU’s IPA.
The NCSU IPA server infrastructure is a clustered set of servers spread across multiple datacenters and protected within a special auth-oriented firewall. If one IPA server becomes unavailable, the other nodes within the cluster pick up the slack without disruption. For any ERP server or client requiring SSH, SFTP, FTP, or console-TTY access, IPA provides a secure and manageable authn/authz solution.
IPA for ERP at NCSU is often referred to as ‘RENVIPA’, signifying adherence to NCSU’s Regulatory environment requirements.
Currently there are 450+ users in IPA spread across ~39 groups. Over 600 servers at this juncture auth to IPA.
Related CSI internal docs for IPA are here.
MTA email relays
SMTP servers configured for relaying
System services and various business functions residing on servers for NCSU ERP frequently need to send email. CSI provides MTA relays for this purpose. MTA mail relays for ERP are defined in DNS as domain ‘oit.ncsu.edu’ with MX records. Comprising a redundant set of mail relays on Red Hat Linux using postfix software, these CSI-built servers relay mail from 700+ servers to various campus and non-campus users. External DNS MX is configured to handle inbound oit.ncsu.edu mail through Google services first before forwarding on to the ERP MTA relays. Google is employed first for sanitizing, mainly anti-virus and spam filtering.
The relays are considered closed, meaning they accept traffic only from a restricted list of campus IP addresses.
The relays are in the process of moving from Solaris to Linux.
SFTP Secure File Transfer
SFTP and FTP protocols
For moving data in and out of ERP, two servers are provided in a cluster behind a load-balanced VIP. The services use both the SFTP and FTP protocols and are known as:
Hostname              Protocol
esftp.oit.ncsu.edu    SFTP
eftp.oit.ncsu.edu     FTP
FTP users are in the process of being decommissioned. Users who need conversion to SFTP, or who just need a new SFTP account, should send an email request to email@example.com stating the desired account userid and business purpose.
Server Build Infrastructure
Linux Build Environments
System builds performed by the AIS group for ERP applications utilize, in part, the Linux build infrastructure provided by CSI. It’s worth mentioning the partnership between AIS and CSI here. Information on using CSI’s build system can be found on this site at Linux Build Services.
End-of-Support Services in process of decommission
Sparc/Solaris equipment purchased from Oracle/Sun prior to year 2010 has entered the end-of-support phase because of the age of the equipment and software. NCSU has no plans to upgrade or purchase any replacement Sparc/Solaris hardware. Therefore the CSI unit has been busy decommissioning Sparc/Solaris, moving the services on it to the new and current certified x86/RedHat platform. The only exception holding up completion of this move to a better supported platform is the service known as ‘System Access Request’ (SAR), which still resides on Sparc/Solaris. Plans to move the SAR components continue to lose priority.
Because the CSI group historically provided the build and support of the underlying O/S on Sparc/Solaris, we want to mention some of the limitations of what we can continue to feasibly support, noting also that there is no longer a vendor support contract with Oracle/Sun. If for some reason hardware or software for SAR were to fail, CSI can only make a best-effort attempt to fix it, using spare units on hand to resurrect failed components. However, our replacement supplies are very limited and any repair may require many hours or several days. Management across the affected departments has agreed there is no longer any guarantee of up-time for SAR. The emphasis here is the need to move remaining systems such as SAR to any of the current affirmed and well-supported x86 platforms (RedHat-Linux, MS-Windows, or possibly an off-site cloud service) as soon as possible.