Operational Test and Evaluation Environment (OT&E)

OT&E is an environment that contains data that is similar to the data that exists in ARIN’s production environment. The OT&E environment allows developers to experiment with ARIN interactions without affecting production data. OT&E allows for experimentation with the following main ARIN services:

Note: OT&E exists solely for experimental usage and research, and is not linked to ARIN’s production system. User data (including API keys) is copied from the production database to OT&E monthly. Note that email interactions are not supported in OT&E.

Benefits of using OT&E:

  • RPKI is restricted to those organizations that have signed a Registration Services Agreement (RSA) with ARIN. However, OT&E can be used by those organizations without signing an RSA to experiment with these new services.
  • When using RPKI, test Route Authorization Requests (ROAs) can be created and validated without impacting production RPKI data.

Drawbacks of using OT&E:

  • Data is refreshed each month, so any data created in OT&E (e.g., resource certifications and ROAs) is deleted after the refresh and must be recreated.
  • The Ask ARIN feature is not monitored in OT&E; questions or requests must be submitted in the production environment. (For example, you must log in to ARIN Online and create a ticket using Ask ARIN there.)


Before using OT&E, you need the following:

  • ARIN Online user account: This account must have been created before the first of the month in which you are using OT&E. (User accounts [including API keys] are copied from ARIN Online’s production environment to the OT&E environment on the first Monday of every month.)
  • Authority over resources in ARIN Online: Your user account in ARIN Online must be linked to a POC that has been associated with an Org with resources.
  • API key: You must have an API key for your user account. Note: If you want to use a different API key for OT&E than the API key you use in the production system, you can change your API key in OT&E by choosing Settings - Profile and Security Information from the “Welcome, yourname” drop-down menu in OT&E. Under Security Info, choose Actions > Manage API Keys. Because user data (including account and API key information) is copied from the production database to OT&E at the beginning of each month, you will have to change your API key again after each monthly database refresh.

Mailing List

ARIN encourages all OT&E users to subscribe and participate on the ARIN Technical Discussions mailing list for information sharing and outage information.

Data Refresh

Every month, you will need to reconfigure any changes that you made to your resources in OT&E, because OT&E data is replaced with new data during the refresh that occurs on the first Monday of the month.

OT&E Hosts

The following URLs should be used when interacting with ARIN’s OT&E services in place of their production counterparts.

  • whois.ote.arin.net: Whois-RWS functionality within OT&E is a mirror of production. Remember to use http://whois.ote.arin.net in place of http://whois.arin.net. For more information on Whois-RWS usage, visit Whois (ARIN Whois-RWS).
  • www.ote.arin.net: An OT&E ARIN Online service
  • reg.ote.arin.net: Reg-RWS functionality within OT&E is a mirror of production. Remember to use https://www.ote.arin.net or https://reg.ote.arin.net as RESTful calls to https://www.arin.net or https://reg.arin.net will affect production data. For more information on Reg-RWS usage, visit Automating Record Management with Reg-RWS.
  • rpki.ote.arin.net: An OT&E RPKI service
  • updown.ote.arin.net: An OT&E Up/Down RPKI service
  • rdap.ote.arin.net: An OT&E RDAP service

Using RPKI in ARIN’s OT&E Environment

To use RPKI in OT&E, if you don’t have any resources covered under RPKI in production, you’ll first need to request access to RPKI. To request access to RPKI:

  1. Log in to ARIN Online in the OT&E environment and follow the steps to configure RPKI.
  2. When you submit your resource certificate request, a ticket will be created for you in the OT&E environment. Record this ticket number.

The OT&E environment is not actively monitored by ARIN Staff. When you’ve requested a certificate or need resources re-enrolled in the OT&E environment, you will need to submit an Ask ARIN ticket in the production environment for ARIN Staff to process your request in OT&E. Follow these steps to complete your resource certificate request:

  1. Log in to ARIN Online in the production environment (www.arin.net).
  2. Use Ask ARIN to create a ticket. Be sure to use the following:
  • Topic: Other
  • Subject: OT&E approval requested
  • Question: Provide the OT&E ticket number or function that ARIN staff needs to process for you.

After you receive notification that your resources have been certified, you can create ROAs in the OT&E environment.

Note: We do a refresh of the production database within OT&E on a monthly basis. All changes that were made prior to the OT&E environment refresh will be lost. Therefore, unless you have resources covered under RPKI in production, you will have to repeat the steps described in this section (starting with the request for access to RPKI).

RPKI Repository Updates

In OT&E, the RPKI repository is updated every few minutes.

ROA Request Generation Key Pairs

OT&E ROA Requests should be signed using a separate ROA Request Generation Key Pair than the one you use in production. ARIN provides the following keys for testing purposes. The benefit to using these default keys is that they persist after the monthly data refresh. Therefore, if you use these default keys, you don’t have to recreate your RPKI certificate each month.

Note: You can use your own RPKI key, but you’ll then need to recreate your RPKI certificate after each monthly refresh of the OT&E database.

Public Key for Testing Purposes

Download the test public key file.

-----END PUBLIC KEY-----

Private Key for Testing Purposes

Download the test private key file.


Trust Anchor Locator (TAL)

In order to validate your ROAs using ARIN’s OT&E data, you must use one of the following TALs. Note that these TALs differ from the ARIN production TAL.

RFC 7730 format:

rsync://rpki.ote.arin.net/repository/arin-rpki-ta.cer https://rrdp.ote.arin.net/arin-rpki-ta.cer


RIPE format:

ca.name = ARIN OTE
certificate.location = rsync://rpki.ote.arin.net/repository/arin-rpki-ta.cer
public.key.info = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA65jF7qjQzl77O5uaKPdisQu7apf9mhAtxH2fbckYL7CFEzrw/Z1XaSd2gmofJbtYBcpa3iqBGquKH0X+ab0sGolHedL+wipqgkH4zstk3AWc+lBd8e7sn0jSqnFL0xQaL2uoHtJetqus39ud0LsWi0OB+COyMXz2jA76j6WsNbE7VUwLLx1pNg7uGGcfFKrzqPvGMzWDynTC4fZfOe2UCtw2YgSsJdjEMdw1PT5RjDI5jtKemguPGeGp0YKmZguq1qgrl5rj2qEuF7hLkWxQsl/J5skfAVm8XjoNMhg069ojxeiQPToOFNlV2VliFenG8Zb3FRIRbbil1Q5l7qs1FQIDAQAB


The OT&E TAL is used with an RPKI validator to allow for the fetching and validation of ARIN OT&E repository objects. If you are using the RIPE NCC RPKI Validator, use the RIPE format TAL given in the previous section. If you are using another validator, use the RFC 7730 format. ARIN recommends the following validators: