Operational Test and Evaluation Environment (OT&E)
OT&E is an environment that contains data that is similar to the data that exists in ARIN’s production environment. The OT&E environment allows developers to experiment with ARIN interactions without affecting production data. OT&E allows for experimentation with the following main ARIN services:
- Whois RESTful Web Service (Whois-RWS)
- Registration RESTful Web Service (Reg-RWS)
- Resource Public Key Infrastructure (RPKI)
- Registration Data Access Protocol (RDAP)
Note: OT&E exists solely for experimental usage and research, and is not linked to ARIN’s production system. User data (including API keys) is copied from the production database to OT&E monthly. Note that email interactions are not supported in OT&E.
Benefits of using OT&E:
- RPKI is restricted to those organizations that have signed a Registration Services Agreement (RSA) with ARIN. However, OT&E can be used by those organizations without signing an RSA to experiment with these new services.
- When using RPKI, test Route Authorization Requests (ROAs) can be created and validated without impacting production RPKI data.
Drawbacks of using OT&E:
- Data is refreshed each month, so any data created in OT&E (e.g., resource certifications and ROAs) is deleted after the refresh and must be recreated.
- The Ask ARIN feature is not monitored in OT&E; questions or requests must be submitted in the production environment. (For example, you must log in to ARIN Online and create a ticket using Ask ARIN there.)
Before using OT&E, you need the following:
- ARIN Online user account: This account must have been created before the first of the month in which you are using OT&E. (User accounts [including API keys] are copied from ARIN Online’s production environment to the OT&E environment on the first Monday of every month.)
- Authority over resources in ARIN Online: Your user account in ARIN Online must be linked to a POC that has been associated with an Org with resources.
- API key: You must have an API key for your user account. Note: If you want to use a different API key for OT&E than the API key you use in the production system, you can change your API key in OT&E by choosing Settings - Profile and Security Information from the “Welcome, yourname” drop-down menu in OT&E. Under Security Info, choose Actions > Manage API Keys. Because user data (including account and API key information) is copied from the production database to OT&E at the beginning of each month, you will have to change your API key again after each monthly database refresh.
ARIN encourages all OT&E users to subscribe to and participate in the ARIN Technical Discussions mailing list for information sharing and outage information.
Every month, you will need to reconfigure any changes that you made to your resources in OT&E, because OT&E data is replaced with new data during the refresh that occurs on the first Monday of the month.
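The refresh schedule described above can be checked in test tooling before a run. The following is an added example, not ARIN code. It assumes the refresh takes effect at the start of the first Monday, so a change made on that day counts as lost, and it applies the stricter "before the first of the month" rule for account creation.

```python
from datetime import date, timedelta


def first_monday(year: int, month: int) -> date:
    """First Monday of the month, the refresh day stated on this page."""
    first = date(year, month, 1)
    return first + timedelta(days=(7 - first.weekday()) % 7)  # Monday == 0


def last_refresh(today: date) -> date:
    """Most recent OT&E refresh on or before `today`."""
    this_month = first_monday(today.year, today.month)
    if this_month <= today:
        return this_month
    # Before this month's first Monday: the last refresh was last month's.
    prev = today.replace(day=1) - timedelta(days=1)
    return first_monday(prev.year, prev.month)


def wiped_by_refresh(changed_on: date, today: date) -> bool:
    """True if an OT&E-only change (API key, ROA, certificate) is gone.

    Assumption: the page gives no time of day for the refresh, so a change
    made on the refresh day itself is treated as overwritten.
    """
    return changed_on <= last_refresh(today)


def account_copied(created_on: date, today: date) -> bool:
    """True if a production account should already exist in OT&E.

    Uses the page's prerequisite: created before the first of the month
    in which the most recent refresh happened.
    """
    return created_on < last_refresh(today).replace(day=1)
```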
The following URLs should be used when interacting with ARIN’s OT&E services in place of their production counterparts.
- whois.ote.arin.net: Whois-RWS functionality within OT&E is a mirror of production. Remember to use http://whois.ote.arin.net in place of http://whois.arin.net. For more information on Whois-RWS usage, visit Whois (ARIN Whois-RWS).
- www.ote.arin.net: An OT&E ARIN Online service
- reg.ote.arin.net: Reg-RWS functionality within OT&E is a mirror of production. Remember to use https://reg.ote.arin.net as RESTful calls to https://reg.arin.net will affect production data. For more information on Reg-RWS usage, visit Automating Record Management with Reg-RWS.
- rpki.ote.arin.net: An OT&E RPKI service
- updown.ote.arin.net: An OT&E Up/Down RPKI service
- rdap.ote.arin.net: An OT&E RDAP service
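Because a call to the production Reg-RWS host changes production data, test tooling can pin every request to the OT&E hosts listed above. The following is an added example, not ARIN code. The class and function names are hypothetical, and the production names for the RPKI, Up/Down and RDAP hosts are assumed to follow the same pattern as the whois and reg hosts shown above.

```python
from urllib.parse import urlsplit, urlunsplit

# OT&E hosts exactly as listed on this page.
OTE_HOSTS = frozenset({
    "whois.ote.arin.net", "www.ote.arin.net", "reg.ote.arin.net",
    "rpki.ote.arin.net", "updown.ote.arin.net", "rdap.ote.arin.net",
})


class NotOteEndpoint(ValueError):
    """The URL cannot be pinned to one of the OT&E hosts."""


def _host(url: str) -> str:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise NotOteEndpoint(f"unsupported URL: {url!r}")
    # "reg.ote.arin.net@other.example" parses with the OT&E name as userinfo.
    if parts.username is not None or parts.password is not None:
        raise NotOteEndpoint(f"userinfo not allowed: {url!r}")
    return parts.hostname.rstrip(".")  # urlsplit already lower-cases the host


def require_ote(url: str) -> str:
    """Return url unchanged if it targets an OT&E host, otherwise raise."""
    if _host(url) not in OTE_HOSTS:
        raise NotOteEndpoint(f"not an OT&E endpoint: {url!r}")
    return url


def to_ote(url: str) -> str:
    """Rewrite <name>.arin.net to <name>.ote.arin.net, keeping the rest of the URL."""
    host = _host(url)
    if host in OTE_HOSTS:
        return url
    label, _, rest = host.partition(".")
    candidate = f"{label}.ote.{rest}"
    # Assumption: production names follow the whois/reg pattern shown on the page.
    if rest != "arin.net" or candidate not in OTE_HOSTS:
        raise NotOteEndpoint(f"no OT&E counterpart for {host!r}")
    parts = urlsplit(url)
    netloc = candidate if parts.port is None else f"{candidate}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```

Calling `require_ote` immediately before each request is sent makes a stray production URL in a test script fail instead of modifying production records.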
Using RPKI in ARIN’s OT&E Environment
OT&E allows you to test RPKI in a non-production environment.
Signing up for RPKI in OT&E
To use RPKI in OT&E:
If you don’t have any resources covered under RPKI in production, you’ll first need to request access to RPKI. To request access to RPKI:
- Log in to ARIN Online in the OT&E environment and follow the steps to configure RPKI.
- When you submit your resource certificate request, a ticket will be created for you in the OT&E environment. Record this ticket number.
- Contact ARIN staff by submitting an Ask ARIN ticket as described in the next section.
Note: Specifically for customers who are already enrolled in Delegated (not Hosted) RPKI but would like to perform some testing in OT&E, our Registration Services Department will need to perform some additional steps to remove and re-add you before you can test in OT&E. Contact ARIN staff by submitting an Ask ARIN ticket as described in the next section.
Working with ARIN Staff for OT&E
The OT&E environment is not actively monitored by ARIN Staff. When you’ve requested a certificate, need resources re-enrolled in the OT&E environment, or are already signed up for delegated RPKI and need your account deleted/re-added to use OT&E, you will need to submit an Ask ARIN ticket in the production environment for ARIN Staff to process your request in OT&E. Follow these steps to complete your resource certificate request:
- Log in to ARIN Online in the production environment (www.arin.net).
- Use Ask ARIN to create a ticket. Be sure to use the following:
  - Topic: Other
  - Subject: OT&E approval requested
  - Question: Provide the OT&E ticket number or function that ARIN staff needs to process for you.
After you receive notification that your resources have been certified, you can create ROAs in the OT&E environment.
Note: We do a refresh of the production database within OT&E on a monthly basis. All changes that were made prior to the OT&E environment refresh will be lost. Therefore, unless you have resources covered under RPKI in production, you will have to repeat the steps described in this section (starting with the request for access to RPKI). If you are already signed up for delegated RPKI, you will need to submit an Ask ARIN ticket each month after the refresh to request that your account be deleted and re-added before you can test in OT&E.
RPKI Repository Updates
In OT&E, the RPKI repository is updated every few minutes.
ROA Request Generation Key Pairs
OT&E ROA Requests should be signed using a ROA Request Generation Key Pair that is separate from the one you use in production. ARIN provides the following keys for testing purposes. The benefit of using these default keys is that they persist after the monthly data refresh. Therefore, if you use these default keys, you don’t have to recreate your RPKI certificate each month.
Note: You can use your own RPKI key, but you’ll then need to recreate your RPKI certificate after each monthly refresh of the OT&E database.
Public Key for Testing Purposes
Private Key for Testing Purposes
Trust Anchor Locator (TAL)
In order to validate your ROAs using ARIN’s OT&E data, you must use one of the following TALs. Note that these TALs differ from the ARIN production TAL.
RFC 7730 format:
certificate.location = rsync://rpki.ote.arin.net/repository/arin-rpki-ta.cer
public.key.info = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA65jF7qjQzl77O5uaKPdisQu7apf9mhAtxH2fbckYL7CFEzrw/Z1XaSd2gmofJbtYBcpa3iqBGquKH0X+ab0sGolHedL+wipqgkH4zstk3AWc+lBd8e7sn0jSqnFL0xQaL2uoHtJetqus39ud0LsWi0OB+COyMXz2jA76j6WsNbE7VUwLLx1pNg7uGGcfFKrzqPvGMzWDynTC4fZfOe2UCtw2YgSsJdjEMdw1PT5RjDI5jtKemguPGeGp0YKmZguq1qgrl5rj2qEuF7hLkWxQsl/J5skfAVm8XjoNMhg069ojxeiQPToOFNlV2VliFenG8Zb3FRIRbbil1Q5l7qs1FQIDAQAB
The OT&E TAL is used with an RPKI validator to allow for the fetching and validation of ARIN OT&E repository objects. If you are using the RIPE NCC RPKI Validator, use the RIPE format TAL given in the previous section. If you are using another validator, use the RFC 7730 format. ARIN recommends the following validators: