From 8d141a6f41e1a7977e0dc437bdad559f80c6c455 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Tue, 25 Jun 2024 02:34:16 -0400 Subject: [PATCH 01/24] EIT reorg --- .../security/enable-encryption-in-transit.md | 704 ------------------ .../enable-encryption-in-transit/_index.md | 309 ++++++++ .../add-certificate-ca.md | 77 ++ .../add-certificate-hashicorp.md | 180 +++++ .../add-certificate-kubernetes.md | 64 ++ .../add-certificate-self.md | 96 +++ .../trust-store.md | 54 ++ 7 files changed, 780 insertions(+), 704 deletions(-) delete mode 100644 docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit.md create mode 100644 docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md create mode 100644 docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md create mode 100644 docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md create mode 100644 docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md create mode 100644 docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md create mode 100644 docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit.md deleted file mode 100644 index fe140665b8f7..000000000000 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit.md +++ /dev/null 
@@ -1,704 +0,0 @@ ---- -title: Enable encryption in transit -headerTitle: Enable encryption in transit -linkTitle: Enable encryption in transit -description: Use YugabyteDB Anywhere to enable encryption in transit (TLS) on a YugabyteDB universe and connect to clients. -menu: - preview_yugabyte-platform: - parent: security - identifier: enable-encryption-in-transit - weight: 40 -rightNav: - hideH4: true -type: docs ---- - -YugabyteDB Anywhere allows you to protect data in transit by using the following: - -- Server-to-server encryption for intra-node communication between YB-Master and YB-TServer nodes. -- Client-to-server encryption for communication between clients and nodes when using CLIs, tools, and APIs for YSQL and YCQL. -- Encryption for communication between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. - -{{< note title="Note" >}} - -Before you can enable client-to-server encryption, you first must enable server-to-server encryption. - -{{< /note >}} - -YugabyteDB Anywhere lets you create a new self-signed certificate, use an existing self-signed certificate, or upload a third-party certificate from external providers, such as Venafi or DigiCert (which is only available for an on-premises cloud provider). - -You can enable encryption in transit (TLS) during universe creation and change these settings for an existing universe. - -## Self-signed certificates generated by YugabyteDB Anywhere - -YugabyteDB Anywhere can create self-signed certificates for each universe. These certificates may be shared between universes in a single instance of YugabyteDB Anywhere. The certificate name has the following format: - -`yb-environment-universe_name`, where *environment* is the environment type (either `dev`, `stg`, `demo`, or `prod`) that was used during the tenant registration (admin user creation), and *universe-name* is the provided universe name. 
YugabyteDB Anywhere generates the root certificate, root private key, and node-level certificates (assuming node-to-node encryption is enabled), and then provisions those artifacts to the database nodes any time nodes are created or added to the cluster. The following three files are copied to each node: - -1. The root certificate (`ca.cert`). -1. The node certificate (`node.ip_address.crt`). -1. The node private key (`node.ip_address.key`). - -YugabyteDB Anywhere retains the root certificate and the root private key for all interactions with the cluster. - -### Customize the organization name in self-signed certificates - -YugabyteDB Anywhere automatically creates self-signed certificates when you run some workflows, such as create universe. The organization name in certificates is set to `example.com` by default. - -If you are using YugabyteDB Anywhere version 2.18.2 or later to manage universes with YugabyteDB version 2.18.2 or later, you can set a custom organization name using the global [runtime configuration](../../administer-yugabyte-platform/manage-runtime-config/) flag, `yb.tlsCertificate.organizationName`. - -Note that, for the change to take effect, you need to set the flag _before_ you run a workflow that generates a self-signed certificate. - -Customize the organization name as follows: - -1. In YugabyteDB Anywhere, navigate to **Admin** > **Advanced** and select the **Global Configuration** tab. -1. In the **Search** bar, enter `yb.tlsCertificate.organizationName` to view the flag, as per the following illustration: - - ![Custom Organization name](/images/yp/encryption-in-transit/custom-org-name.png) - -1. Click **Actions** > **Edit Configuration**, enter a new Config Value, and click **Save**. 
- -#### Validate custom organization name - -You can verify the organization name by running the following `openssl x509` command: - -```sh -openssl x509 -in ca.crt -text -``` - -```output {hl_lines=[6]} -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1683277970271 (0x187eb2f7b5f) - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=yb-dev-sb-ybdemo-univ1~2, O=example.com - Validity - Not Before: May 5 09:12:50 2023 GMT - Not After : May 5 09:12:50 2027 GMT -``` - -Notice that default value is `O=example.com`. - -After setting the runtime configuration to a value of your choice, (`org-foo` in this example), you should see output similar to the following: - -```sh -openssl x509 -in ca.crt -text -noout -``` - -```output -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1689376612248 (0x18956b15f98) - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo - Validity - Not Before: Jul 14 23:16:52 2023 GMT - Not After : Jul 14 23:16:52 2027 GMT - Subject: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: -``` - -### Use YugabyteDB Anywhere-generated certificates to enable TLS - -When you create a universe, you can enable TLS using certificates generated by YugabyteDB Anywhere, as follows: - -1. Create a new universe via **Universes > Create Universe** and then configure it. -1. Based on your requirements, select **Enable Node-to-Node TLS** or **Enable Client-to-Node TLS** or both. -1. Choose an existing certificate from the **Root Certificate** list or create a new certificate by accepting the default option **Create new certificate**. - -To view the certificate, navigate to **Configs > Security > Encryption in Transit > Self Signed**. - -You can also modify TLS settings for an existing universe, as follows: - -1. Navigate to either **Dashboard** or **Universes** and open a specific universe. - -1. 
Click **Actions > Edit Security > Encryption in-Transit** to open the **TLS Configuration** dialog and then proceed as follows: - - - If encryption in transit is currently disabled for the universe, enable it via the **Encryption in Transit for this Universe** field, as per the following illustration: - - ![TLS Configuration](/images/yp/encryption-in-transit/tls-config1.png) - - Use the expanded **TLS Configuration** dialog shown in the following illustration to change the settings to meet your requirements: - - ![TLS Configuration Expanded](/images/yp/encryption-in-transit/tls-config2.png) - - - If encryption in transit is currently enabled for the universe, you can either disable or modify it, as follows: - - - To disable encryption in transit, disable the **Encryption in Transit for this Universe** field and then click **OK**. - - - To modify encryption in-transit settings, leave the **Encryption in Transit for this Universe** field enabled and make the necessary changes to other fields. - - If you are changing certificates, you need to be aware that this requires restart of the YB-Master and YB-TServer processes and can result in downtime. To avoid downtime, you should accept the default value (enabled) for the **Rolling Upgrade** field to trigger a sequential node-by-node change with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node which occurs when the **Rolling Upgrade** field is disabled). If you select the **Create new certificate** option when changing certificates, the corresponding certificates will be rotated, that is, replaced with new certificates. - -## Self-signed self-provided certificates - -Instead of using YugabyteDB Anywhere-provided certificates, you can use your own self-signed certificates that you upload to YugabyteDB Anywhere by following the procedure described in [Use self-signed self-provided certificates to enable TLS](#use-self-signed-self-provided-certificates-to-enable-tls). 
- -The certificates must meet the following criteria: - -- Be in the `.crt` format and the private key must be in the `.pem` format, with both of these artifacts available for upload. -- Contain IP addresses of the target database nodes or DNS names as the Subject Alternative Names (wildcards are acceptable). - -YugabyteDB Anywhere produces the node (leaf) certificates from the uploaded certificates and copies the certificate chain, leaf certificate, and private key to the nodes in the cluster. - -### Use self-signed self-provided certificates to enable TLS - -When you create a universe, you can enable TLS using your own certificates, as follows: - -1. Navigate to **Configs > Security > Encryption in Transit**. -1. Click **Add Certificate** to open the **Add Certificate** dialog. -1. Select **Self Signed**. -1. Click **Upload Root Certificate**, then browse to the root certificate file (`.crt`) and upload it. -1. Click **Upload Key**, then browse to the root certificate file (`.key`) and upload it. -1. In the **Certificate Name** field, enter a meaningful name for your certificate. -1. In the **Expiration Date** field, specify the expiration date of the root certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. -1. Click **Add** to make the certificate available. -1. Go to **Universes > Create Universe** to open the **Create Universe** dialog. -1. Configure the universe. -1. Based on your requirements, select **Enable Node-to-Node TLS** and **Enable Client-to-Node TLS**. -1. Select an existing certificate from the **Root Certificate** list and then select the certificate that you have uploaded. -1. Create the universe. 
- -You can also modify TLS settings for an existing universe by navigating to **Universes**, opening a specific universe, clicking **Actions > Edit Security > Encryption in-Transit** to open the **TLS Configuration** dialog, and then following the procedure described in [Use YugabyteDB Anywhere-generated certificates to enable TLS](#use-yugabytedb-anywhere-generated-certificates-to-enable-tls) for an existing universe. - -## Custom CA-signed self-provided certificates - -For universes created with an on-premise cloud provider, instead of using self-signed certificates, you can use third-party certificates from external CAs. The third-party CA root certificate must be configured in YugabyteDB Anywhere. You have to copy the custom CA root certificate, node certificate, and node key to the appropriate database nodes using the procedure described in [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls). - -The certificates must adhere to the following criteria: - -- Be stored in a `.crt` file, with both the certificate and the private key being in the PEM format. - - If your certificates and keys are stored in the PKCS12 format, you can [convert them to the PEM format](#convert-certificates-and-keys-from-pkcs12-to-pem-format). - -- Contain IP addresses of the database nodes or DNS names as the Subject Alternative Names (wildcards are acceptable). - -### Use custom CA-signed certificates to enable TLS - -The following procedure describes how to install certificates on the database nodes. You have to repeat these steps for every database node that is to be used in the creation of a universe. - -**Step 1:** Obtain the keys and the custom CA-signed certificates for each of the on-premise nodes for which you are configuring node-to-node TLS. In addition, obtain the keys and the custom signed certificates for client access for configuring client-to-node TLS. 
- -**Step 2**: For each on-premise node, copy the custom CA root certificate, node certificate, and node key to that node's file system. - -If you are enabling client-to-node TLS, make sure to copy the client certificate and client key to each of the nodes. - -In addition, ensure the following: - -- The file names and file paths of different certificates and keys are identical across all the database nodes. For example, if you name your CA root certificate as `ca.crt` on one node, then you must name it `ca.crt` on all the nodes. Similarly, if you copy `ca.crt` to `/opt/yugabyte/keys` on one node, then you must copy `ca.crt` to the same path on other nodes. -- The yugabyte system user has read permissions to all the certificates and keys. - -**Step 3**: Create a CA-signed certificate in YugabyteDB Anywhere, as follows: - -1. Navigate to **Configs > Security > Encryption in Transit**. - -1. Click **Add Certificate** to open the **Add Certificate** dialog. - -1. Select **CA Signed**, as per the following illustration: - - ![add-cert](/images/yp/encryption-in-transit/add-cert.png) - -1. Upload the custom CA root certificate as the root certificate. - - If you use an intermediate CA/issuer, but do not have the complete chain of certificates, then you need to create a bundle by executing the `cat intermediate-ca.crt root-ca.crt > bundle.crt` command, and then use this bundle as the root certificate. You might also want to [verify the certificate chain](#verify-certificate-chain). - -1. Enter the file paths for each of the certificates on the nodes. These are the paths from the previous step. - -1. In the **Certificate Name** field, enter a meaningful name for your certificate. - -1. Use the **Expiration Date** field to specify the expiration date of the certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. - -1. Click **Add** to make the certificate available. - -1. 
Go to **Universes > Create Universe** to open the **Create Universe** dialog. - -1. Configure the universe. - -1. Based on your requirements, select **Enable Node-to-Node TLS** and **Enable Client-to-Node TLS**. - -1. Select an existing certificate from the **Root Certificate** list and then select the certificate that you have uploaded. - -1. Create the universe. - -You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. - -#### Convert certificates and keys from PKCS12 to PEM format - -If your certificates and keys are stored in the PKCS12 format, you can convert them to the PEM format using OpenSSL. - -You start by extracting the certificate via the following command: - -```sh -openssl pkcs12 -in cert-archive.pfx -out cert.pem -clcerts -nokeys -``` - -To extract the key and write it to the PEM file unencrypted, execute the following command: - -```sh -openssl pkcs12 -in cert-archive.pfx -out key.pem -nocerts -nodes -``` - -If the key is protected by a passphrase in the PKCS12 archive, you are prompted for the passphrase. - -#### Verify certificate chain - -Perform the following steps to verify your certificates: - -1. Execute the following verify command which checks the database node certificate (node.crt) against the root CA certificate (ca.crt): - - ```sh - openssl verify ca.crt node.crt - ``` - -1. Verify that the node certificate (`node.crt`) and the node private key (`node.key`) match. See [How do I verify that a private key matches a certificate?](https://www.ssl247.com/knowledge-base/detail/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl-1527076112539/ka03l0000015hscaay/) - -1. 
Verify that the node certificate and Root CA certificate expiration is at least 3 months by checking the validity field in the output of the following commands: - - ```sh - openssl x509 -in node.crt -text -noout - ``` - - ```sh - openssl x509 -in ca.crt -text -noout - ``` - -1. Verify that the node certificate Common Name (CN) or Subject Alternate Name (SAN) contains the IP address or DNS name of each on-prem node on which the nodes are deployed. - - {{< note >}} -Each entry you provide for the CN or SAN must match the on-prem node as entered in the provider configuration. For example, if the node address is entered as a DNS address in the on-prem provider configuration, you must use the same DNS entry in the CN or SAN, not the resolved IP address. - {{< /note >}} - - If you face any issue with the above verification, you can customize the level of certificate validation while creating a universe that uses these certificates. Refer to [Customizing the verification of RPC server certificate by the client](https://www.yugabyte.com/blog/yugabytedb-server-to-server-encryption/#customizing-the-verification-of-rpc-server-certificate-by-the-client). - -{{< note >}} -The client certificates and keys are required only if you intend to use [PostgreSQL certificate-based authentication](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html#:~:text=independent%20authentication%20option-,clientcert,-%2C%20which%20can%20be). -{{< /note >}} - -### Rotate custom CA-signed certificates - -You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. 
- -You rotate the existing custom certificates and replace them with new database node certificates issued by the same custom CA that issued the original certificates as follows: - -**Step 1**: Follow Step 1 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to obtain a new set of certificates for each of the nodes. - -**Step 2**: Follow Step 2 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to copy the certificates to the respective nodes. - -**Step 3**: Follow Step 3 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to create a new CA-signed certificate in YugabyteDB Anywhere. - -**Step 4**: Edit the universe to use the new certificates, as follows: - -- Navigate to the universe for which you are rotating the keys. - -- Select **Actions > Edit Security**, as shown in the following illustration: - - ![edit-security](/images/yp/encryption-in-transit/edit-security.png) - -- Select **Encryption in-Transit** to open the **TLS Configuration** dialog. - -- Complete the **TLS Configuration** dialog shown in the following illustration: - - ![Configure TLS](/images/yp/encryption-in-transit/edit-tls-new.png) - - - Select the new certificate which you created in Step 3. - - - Modifying certificates requires restart of YB-Master and YB-TServer processes, which can result in downtime. To avoid downtime, you should accept the default value (enabled) for the **Rolling Upgrade** field to trigger a sequential node-by-node change with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node which occurs when the **Rolling Upgrade** field is disabled). - - - Click **OK**. - - Typically, this process takes time, as it needs to wait for the specified delay interval after each node is upgraded. 
- -### Expand the universe - -You can expand universes configured with custom CA-signed certificates. - -Before adding new nodes to expand an existing universe, you need to prepare those nodes by repeating Step 2 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) for each of the new nodes you plan to add to the universe. You need to ensure that the certificates are signed by the same external CA and have the same root certificate. In addition, ensure that you copy the certificates to the same locations that you originally used when creating the universe. - -When the universe is ready for expansion, complete the **Edit Universe** dialog to add new nodes. - -## Custom HashiCorp Vault-provided certificates - -YugabyteDB Anywhere allows you to add an encryption in transit configuration using HashiCorp Vault with a public key infrastructure (PKI) secret engine. This configuration can be used to enable TLS for different clusters and YugabyteDB instances. You can apply this configuration to node-to-node encryption, client-to-node encryption, or both. - -For the correct configuration, the following criteria must be met: - -- HashiCorp Vault is unsealed. - -- HashiCorp Vault with the PKI secret engine is configured and enabled. -- HashiCorp Vault URL is accessible by YugabyteDB Anywhere. -- Because HashiCorp Vault is accessed via an authentication token mechanism, a token must be created beforehand while creating a key provider with appropriate permissions. -- HashiCorp Vault needs to be running and always accessible to YugabyteDB Anywhere. -- HashiCorp PKI certificate revocation list (CRL) or CA URLs must be accessible from each node server. -- Appropriate certificates and roles have been created for YugabyteDB Anywhere usage. -- Node servers are able to validate certificates. -- Required permissions have been provided to perform various key management operations. 
- -### Configure HashiCorp Vault - -Before you can start configuring HashiCorp Vault, install it on a virtual machine, as per instructions provided in [Install Vault](https://www.vaultproject.io/docs/install). The vault can be set up as a multi-node cluster. Ensure that your vault installation meets the following requirements: - -- Has transit secret engine enabled. -- Its seal and unseal mechanism is secure and repeatable. -- Its token creation mechanism is repeatable. - -You need to configure HashiCorp Vault in order to use it with YugabyteDB Anywhere, as follows: - -1. Create a vault configuration file that references your nodes and specifies the address, as follows: - - ```properties - storage "raft" { - path = "./vault/data/" - node_id = "node1" - } - - listener "tcp" { - address = "127.0.0.1:8200" - tls_disable = "true" - } - - api_addr = "http://127.0.0.1:8200" - cluster_addr = "https://127.0.0.1:8201" - ui = true - disable_mlock = true - default_lease_ttl = "768h" - max_lease_ttl = "8760h" - ``` - - Replace `127.0.0.1` with the vault web address. - - For additional configuration options, see [Parameters](https://www.vaultproject.io/docs/configuration#parameters). - -1. Initialize the vault server by following instructions provided in [Operator init](https://www.vaultproject.io/docs/commands/operator/init). - -1. Allow access to the vault by following instructions provided in [Unsealing](https://www.vaultproject.io/docs/concepts/seal#unsealing). - -1. Enable the secret engine by executing the following command: - - ```shell - vault secrets enable pki - ``` - -1. Configure the secret engine, as follows: - - - Create a root CA or configure the top-level CA. - - - Optionally, create an intermediate CA chain and sign them. 
- - - Create an intermediate CA for YugabyteDB, as per the following example: - - ```sh - export pki=pki - export pki_int="pki_int" - export role_i=RoleName - export ip="s.test.com" - - vault secrets enable -path=$pki_int pki - vault secrets tune -max-lease-ttl=43800h $pki_int - vault write $pki_int/intermediate/generate/internal common_name="test.com Intermediate Authority" ttl=43800h -format=json | jq -r '.data.csr' > pki_int.csr - - \# *** dump the output of the preceding command in pki_int.csr - - vault write $pki/root/sign-intermediate csr=@pki_int.csr format=pem_bundle ttl=43800h -format=json | jq -r .data.certificate > i_signed.pem - - \# *** dump the output in i_signed.pem - - vault write $pki_int/intermediate/set-signed certificate=@i_signed.pem - vault write $pki_int/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki_int/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki_int/crl" - ``` - -1. Create the vault policy, as per the following example: - - ```properties - # Enable secrets engine - path "sys/mounts/*" { - capabilities = ["create", "read", "update", "delete", "list"] - } - - # List enabled secrets engine - path "sys/mounts" { - capabilities = ["read", "list"] - } - - # Work with pki secrets engine - path "pki*" { - capabilities = ["create", "read", "update", "delete", "list", "sudo"] - } - ``` - -1. Generate a token with appropriate permissions (as per the referenced policy) by executing the following command: - - ```shell - vault token create -no-default-policy -policy=pki_policy - ``` - - You may also specify the following for your token: - - - `ttl` — Time to live (TTL). If not specified, the default TTL of 32 days is used, which means that the generated token will expire after 32 days. - - `period` — If specified, the token can be infinitely renewed. 
- - YugabyteDB Anywhere automatically tries to renew the token every 12 hours after it has passed 70% of its expiry window; as a result, you should set the TTL or period to be greater than 12 hours. - - For more information, refer to [Tokens](https://developer.hashicorp.com/vault/tutorials/tokens/tokens) in the Hashicorp documentation. - -1. Create a role that maps a name in the vault to a procedure for generating a certificate, as follows: - - ```sh - vault write /roles/ allow_any_name=true allow_subdomains=true max_ttl="8640h" - ``` - - Credentials are generated against this role. - -1. Issue certificates for nodes or a YugabyteDB client: - - - For a node, execute the following: - - ```sh - vault write /issue/ common_name="" ip_sans="" ttl="860h" - ``` - - - For YugabyteDB client, execute the following: - - ```sh - vault write /issue/ common_name="" - ``` - -### Use HashiCorp Vault-provided certificates to enable TLS - -When you create a universe, you can enable TLS using certificates provided by HashiCorp Vault, as follows: - -1. Navigate to **Configs > Security > Encryption in Transit**. -1. Click **Add Certificate** to open the **Add Certificate** dialog. -1. Select **Hashicorp**. -1. In the **Config Name** field, enter a meaningful name for your configuration. -1. In the **Vault Address** field, specify a valid URL that includes the port number. The format is `http://0.0.0.0:0000`, which corresponds to `VAULT_HOSTNAME:0000` -1. In the **Secret Token** field, specify the secret token for the vault. -1. In the **Role** field, specify the role used for creating certificates. -1. Optionally, provide the secret engine path on which the PKI is mounted. If you do not supply this information, `pki/` will be used. -1. Click **Add** to make the certificate available. -1. Go to **Universes > Create Universe** to open the **Create Universe** dialog. -1. Configure the universe. -1. 
Based on your requirements, select **Enable Node-to-Node TLS** and **Enable Client-to-Node TLS**. -1. Select an existing certificate from the **Root Certificate** list and then select the certificate that you have uploaded. -1. Create the universe. - -You can also edit TLS settings for an existing universe by navigating to **Universes**, opening a specific universe, clicking **Actions > Edit Security > Encryption in-Transit** to open the **TLS Configuration** dialog, and then modifying the required settings. - -## Kubernetes cert-manager - -For a universe created on Kubernetes, YugabyteDB Anywhere allows you to configure an existing running instance of the [cert-manager](https://cert-manager.io/) as a TLS certificate provider for a cluster, assuming that the following criteria are met: - -- The cert-manager is running in the Kubernetes cluster. -- A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same root certificate file must be prepared for upload to YugabyteDB Anywhere. -- An Issuer or ClusterIssuer Kind is configured on the cert-manager and is ready to issue certificates using the previously-mentioned root or intermediate certificate. - -During the universe creation, you can enable TLS certificates issued by the cert-manager, as follows: - -1. Upload the root certificate to YugabyteDB Anywhere: - - - Prepare the root certificate in a file (for example, `root.crt`). - - Navigate to **Configs > Security > Encryption in Transit** and click **Add Certificate**. - - On the **Add Certificate** dialog shown in the following illustration, select **K8S cert-manager**: - - ![Add Certificate](/images/yp/security/kubernetes-cert-manager.png) - - - In the **Certificate Name** field, enter a meaningful name for your certificate configuration. - - Click **Upload Root Certificate** and select the root certificate file that you prepared. - - Click **Add** to make the certificate available. - -1. 
Configure the Kubernetes-based cloud provider by following instructions provided in [Configure region and zones](../../configure-yugabyte-platform/kubernetes/#configure-region-and-zones). In the **Add new region** dialog shown in the following illustration, you would be able to specify the Issuer name or the ClusterIssuer name for each zone. Because an Issuer Kind is a Kubernetes namespace-scoped resource, the zone definition should also set the **Namespace** field value if an Issuer Kind is selected: - - ![Add new region](/images/yp/security/kubernetes-cert-manager-add-region.png) - -1. Create the universe: - - - Navigate to **Universes** and click **Create Universe**. - - In the **Provider** field, select the cloud provider that you have configured in step 2. - - Complete the fields based on your requirements, and select **Enable Node-to-Node TLS** or **Enable Client-to-Node TLS**. - - Select the root certificate that you have uploaded in step 1. - - Click **Create**. - -### Troubleshoot - -If you encounter problems, you should verify the name of Issuer or ClusterIssuer in the Kubernetes cluster, as well as ensure that the Kubernetes cluster is in Ready state. You can use the following commands: - -```sh -kubectl get ClusterIssuer -``` - -```sh -kubectl -n Issuer -``` - -## Connect to clusters - -Using TLS, you can connect to the YSQL and YCQL endpoints. - -### Connect to a YSQL endpoint with TLS - -If you created your universe with the Client-to-Node TLS option enabled, then you must download client certificates to your client computer to establish connection to your database, as follows: - -- Navigate to the **Certificates** page and then to your universe's certificate. - -- Click **Actions** and select **Download YSQL Cert**, as shown in the following illustration. This triggers the download of the `yugabytedb.crt` and `yugabytedb.key` files. 
- - ![download-ysql-cert](/images/yp/encryption-in-transit/download-ysql-cert.png) - -- Optionally, when connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. - -- For testing with a `ysqlsh` client, paste the `yugabytedb.crt` and `yugabytedb.key` files into the `/.yugabytedb` directory and change the permissions to `0600`, as follows: - - ```sh - mkdir ~/.yugabytedb; cd ~/.yugabytedb - cp /yugabytedb.crt . - cp /yugabytedb.key . - chmod 600 yugabytedb.* - ``` - -- Run `ysqlsh` using the `sslmode=require` option, as follows: - - ```sh - cd - bin/ysqlsh -h 172.152.43.78 -p 5433 sslmode=require - ``` - - ```output - ysqlsh (11.2-YB-2.3.3.0-b0) - SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) - Type "help" for help. - - yugabyte=# - ``` - -To use TLS from a different client, consult the client-specific documentation. For example, if you are using a PostgreSQL JDBC driver to connect to YugabyteDB, see [Configuring the client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for more details. - -If you are using PostgreSQL/YugabyteDB JDBC driver with SSL, you need to convert the certificates to DER format. To do this, you need to perform only steps 6 and 7 from [Set up SSL certificates for Java applications](../../../reference/drivers/java/postgres-jdbc-reference/#set-up-ssl-certificates-for-java-applications) section after downloading the certificates. - -### Connect to a YCQL endpoint with TLS - -If you created your universe with the Client-to-Node TLS option enabled, then you must download client certificates to your client computer to establish connection to your database, as follows: - -- Navigate to the **Certificates** page and then to your universe's certificate. 
- -- Click **Actions** and select **Download Root Cert**, as shown in the following illustration. This triggers the download of the `root.crt` file. - - ![download-root-cert](/images/yp/encryption-in-transit/download-root-cert.png) - -- Optionally, when connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. - -- Set `SSL_CERTFILE` environment variable to point to the location of the downloaded root certificate. - -- Run `ycqlsh` using the `-ssl` option, as follows: - - ```sh - cp /root.crt ~/.yugabytedb/root.crt - export SSL_CERTFILE=~/.yugabytedb/root.crt - bin/ycqlsh 172.152.43.78 --ssl - ``` - - ```output - Connected to local cluster at 172.152.43.78:9042. - [ycqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4] - Use HELP for help. - ycqlsh> - ``` - -To use TLS from a different client, consult the client-specific documentation. For example, if you are using a Cassandra driver to connect to YugabyteDB, see [SSL](https://docs.datastax.com/en/developer/python-driver/3.19/security/#ssl). - -## Validate certificates - -When configuring and using certificates, SSL issues may occasionally arise. You can validate your certificates and keys as follows: - -1. Verify that the CA CRT and CA private key match by executing the following commands: - - ```shell - openssl rsa -noout -modulus -in ca.key | openssl md5 - openssl x509 -noout -modulus -in ca.crt | openssl md5 - - \# outputs should match - ``` - -2. Verify that the CA CRT is actually a certificate authority by executing the following command: - - ```shell - openssl x509 -text -noout -in ca.crt - - \# Look for fields - - X509v3 Basic Constraints: - - CA:TRUE - ``` - -3. Verify that certificates and keys are in PEM format (as opposed to the DER or other format). 
If these artifacts are not in the PEM format and you require assistance with converting them or identifying the format, consult [Converting certificates](https://support.globalsign.com/ssl/ssl-certificates-installation/converting-certificates-openssl). - -4. Ensure that the private key does not have a passphrase associated with it. For information on how to identify this condition, see [Decrypt an encrypted SSL RSA private key](https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/). - -## Enforcing TLS versions - -As TLS 1.0 and 1.1 are no longer accepted by PCI compliance, and considering significant vulnerabilities around these versions of the protocol, it is recommended that you migrate to TLS 1.2 or later versions. - -You can set the TLS version for node-to-node and client-node communication. To enforce TLS 1.2, add the following flag for YB-TServer: - -```shell -ssl_protocols = tls12 -``` - -To enforce the minimum TLS version of 1.2, you need to specify all available subsequent versions for YB-TServer, as follows: - -```shell -ssl_protocols = tls12,tls13 -``` - -In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it is recommended that you specify the minimum TLS version (`ssl_min_protocol_version`) for PostgreSQL by setting the following YB-TServer flag: - -```shell ---ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" -``` - -## Use self-signed and custom CA certificates - -YugabyteDB Anywhere uses TLS to protect data in transit when connecting to other services, including: - -- LDAP -- OIDC -- Webhook -- [S3 backup storage](../../back-up-restore-universes/configure-backup-storage/) -- Hashicorp Vault -- [YugabyteDB Anywhere high availability](../../administer-yugabyte-platform/high-availability/) - -If you are using self-signed or custom CA certificates, YugabyteDB cannot verify your TLS connections unless you add the certificates to the YugabyteDB Anywhere Trust Store. 
- -### Add certificates to your trust store - -To add a certificate to the YugabyteDB Anywhere Trust Store, do the following: - -1. Navigate to **Admin > CA Certificates**. - -1. Click **Upload Trusted CA Certificate**. - -1. Enter a name for the certificate. - -1. Click **Upload**, select your certificate (in .crt format) and click **Save CA Certificate**. - -### Rotate a certificate in your trust store - -To rotate a certificate in your YugabyteDB Anywhere Trust Store, do the following: - -1. Navigate to **Admin > CA Certificates**. - -1. Click the **...** button for the certificate and choose **Update Certificate**. - -1. Click **Upload**, select your certificate (in .crt format) and click **Save CA Certificate**. - -### Delete a certificate in your trust store - -To delete a certificate in your YugabyteDB Anywhere Trust Store, do the following: - -1. Navigate to **Admin > CA Certificates**. - -1. Click the **...** button for the certificate and choose **Delete**, then click **Delete CA Certificate**. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md new file mode 100644 index 000000000000..c76930f8e44d --- /dev/null +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md 
@@ -0,0 +1,309 @@ +--- +title: Enable encryption in transit +headerTitle: Enable encryption in transit +linkTitle: Enable encryption in transit +description: Use YugabyteDB Anywhere to enable encryption in transit (TLS) on a YugabyteDB universe and connect to clients. +menu: + preview_yugabyte-platform: + parent: security + identifier: enable-encryption-in-transit + weight: 40 +rightNav: + hideH4: true +type: indexpage +--- + +YugabyteDB Anywhere allows you to protect data in transit by using the following: + +- Server-to-server encryption for intra-node communication between YB-Master and YB-TServer nodes. +- Client-to-server encryption for communication between clients and nodes when using CLIs, tools, and APIs for YSQL and YCQL. +- Encryption for communication between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. + +{{< note title="Note" >}} + +Before you can enable client-to-server encryption, you first must enable server-to-server encryption. + +{{< /note >}} + +YugabyteDB Anywhere can create and manage new self-signed certificates for encrypting data in transit. Alternatively, you can use your own self-signed certificate or upload a third-party certificate from external providers, such as Venafi or DigiCert. (CA-signed certificates can only be used with on-premises provider configurations.) + +You can enable encryption in transit (TLS) during universe creation and change these settings for an existing universe. + +Enabling encryption-in-transit requires the following steps: + +1. If you are using a certificate that you provide, add your self- or CA-signed certificate to YugabyteDB Anywhere. +1. Enable encryption in transit on your universe. You can do this when creating the universe and on an existing universe. + +## Self-signed certificates generated by YugabyteDB Anywhere + +YugabyteDB Anywhere can create self-signed certificates for each universe. 
These certificates may be shared between universes in a single instance of YugabyteDB Anywhere. The certificate name has the following format: + +`yb-environment-universe_name`, where *environment* is the environment type (either `dev`, `stg`, `demo`, or `prod`) that was used during the tenant registration (admin user creation), and *universe-name* is the provided universe name. YugabyteDB Anywhere generates the root certificate, root private key, and node-level certificates (assuming node-to-node encryption is enabled), and then provisions those artifacts to the database nodes any time nodes are created or added to the cluster. The following three files are copied to each node: + +1. The root certificate (`ca.cert`). +1. The node certificate (`node.ip_address.crt`). +1. The node private key (`node.ip_address.key`). + +YugabyteDB Anywhere retains the root certificate and the root private key for all interactions with the cluster. + +### Customize the organization name in self-signed certificates + +YugabyteDB Anywhere automatically creates self-signed certificates when you run some workflows, such as create universe. The organization name in certificates is set to `example.com` by default. + +If you are using YugabyteDB Anywhere version 2.18.2 or later to manage universes with YugabyteDB version 2.18.2 or later, you can set a custom organization name using the global [runtime configuration](../../administer-yugabyte-platform/manage-runtime-config/) flag, `yb.tlsCertificate.organizationName`. + +Note that, for the change to take effect, you need to set the flag _before_ you run a workflow that generates a self-signed certificate. + +Customize the organization name as follows: + +1. In YugabyteDB Anywhere, navigate to **Admin** > **Advanced** and select the **Global Configuration** tab. +1. 
In the **Search** bar, enter `yb.tlsCertificate.organizationName` to view the flag, as per the following illustration: + + ![Custom Organization name](/images/yp/encryption-in-transit/custom-org-name.png) + +1. Click **Actions** > **Edit Configuration**, enter a new Config Value, and click **Save**. + +#### Validate custom organization name + +You can verify the organization name by running the following `openssl x509` command: + +```sh +openssl x509 -in ca.crt -text +``` + +```output {hl_lines=[6]} +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1683277970271 (0x187eb2f7b5f) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=yb-dev-sb-ybdemo-univ1~2, O=example.com + Validity + Not Before: May 5 09:12:50 2023 GMT + Not After : May 5 09:12:50 2027 GMT +``` + +Notice that default value is `O=example.com`. + +After setting the runtime configuration to a value of your choice, (`org-foo` in this example), you should see output similar to the following: + +```sh +openssl x509 -in ca.crt -text -noout +``` + +```output +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1689376612248 (0x18956b15f98) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo + Validity + Not Before: Jul 14 23:16:52 2023 GMT + Not After : Jul 14 23:16:52 2027 GMT + Subject: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: +``` + +### Use YugabyteDB Anywhere-generated certificates to enable TLS + +When you create a universe, you can enable TLS using certificates generated by YugabyteDB Anywhere, as follows: + +1. Create a new universe via **Universes > Create Universe** and then configure it. +1. Based on your requirements, select **Enable Node-to-Node TLS** or **Enable Client-to-Node TLS** or both. +1. 
Choose an existing certificate from the **Root Certificate** list or create a new certificate by accepting the default option **Create new certificate**. + +To view the certificate, navigate to **Configs > Security > Encryption in Transit > Self Signed**. + +You can also modify TLS settings for an existing universe, as follows: + +1. Navigate to either **Dashboard** or **Universes** and open a specific universe. + +1. Click **Actions > Edit Security > Encryption in-Transit** to open the **TLS Configuration** dialog and then proceed as follows: + + - If encryption in transit is currently disabled for the universe, enable it via the **Encryption in Transit for this Universe** field, as per the following illustration: + + ![TLS Configuration](/images/yp/encryption-in-transit/tls-config1.png) + + Use the expanded **TLS Configuration** dialog shown in the following illustration to change the settings to meet your requirements: + + ![TLS Configuration Expanded](/images/yp/encryption-in-transit/tls-config2.png) + + - If encryption in transit is currently enabled for the universe, you can either disable or modify it, as follows: + + - To disable encryption in transit, disable the **Encryption in Transit for this Universe** field and then click **OK**. + + - To modify encryption in-transit settings, leave the **Encryption in Transit for this Universe** field enabled and make the necessary changes to other fields. + + If you are changing certificates, you need to be aware that this requires restart of the YB-Master and YB-TServer processes and can result in downtime. To avoid downtime, you should accept the default value (enabled) for the **Rolling Upgrade** field to trigger a sequential node-by-node change with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node which occurs when the **Rolling Upgrade** field is disabled). 
If you select the **Create new certificate** option when changing certificates, the corresponding certificates will be rotated, that is, replaced with new certificates. + +### Rotate custom CA-signed certificates + +You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. + +You rotate the existing custom certificates and replace them with new database node certificates issued by the same custom CA that issued the original certificates as follows: + +**Step 1**: Follow Step 1 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to obtain a new set of certificates for each of the nodes. + +**Step 2**: Follow Step 2 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to copy the certificates to the respective nodes. + +**Step 3**: Follow Step 3 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to create a new CA-signed certificate in YugabyteDB Anywhere. + +**Step 4**: Edit the universe to use the new certificates, as follows: + +- Navigate to the universe for which you are rotating the keys. + +- Select **Actions > Edit Security**, as shown in the following illustration: + + ![edit-security](/images/yp/encryption-in-transit/edit-security.png) + +- Select **Encryption in-Transit** to open the **TLS Configuration** dialog. + +- Complete the **TLS Configuration** dialog shown in the following illustration: + + ![Configure TLS](/images/yp/encryption-in-transit/edit-tls-new.png) + + - Select the new certificate which you created in Step 3. + + - Modifying certificates requires restart of YB-Master and YB-TServer processes, which can result in downtime. 
To avoid downtime, you should accept the default value (enabled) for the **Rolling Upgrade** field to trigger a sequential node-by-node change with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node which occurs when the **Rolling Upgrade** field is disabled). + + - Click **OK**. + + Typically, this process takes time, as it needs to wait for the specified delay interval after each node is upgraded. + +### Expand the universe + +You can expand universes configured with custom CA-signed certificates. + +Before adding new nodes to expand an existing universe, you need to prepare those nodes by repeating Step 2 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) for each of the new nodes you plan to add to the universe. You need to ensure that the certificates are signed by the same external CA and have the same root certificate. In addition, ensure that you copy the certificates to the same locations that you originally used when creating the universe. + +When the universe is ready for expansion, complete the **Edit Universe** dialog to add new nodes. + +## Connect to clusters + +Using TLS, you can connect to the YSQL and YCQL endpoints. + +### Connect to a YSQL endpoint with TLS + +If you created your universe with the Client-to-Node TLS option enabled, then you must download client certificates to your client computer to establish connection to your database, as follows: + +- Navigate to the **Certificates** page and then to your universe's certificate. + +- Click **Actions** and select **Download YSQL Cert**, as shown in the following illustration. This triggers the download of the `yugabytedb.crt` and `yugabytedb.key` files. 
+ + ![download-ysql-cert](/images/yp/encryption-in-transit/download-ysql-cert.png) + +- Optionally, when connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. + +- For testing with a `ysqlsh` client, paste the `yugabytedb.crt` and `yugabytedb.key` files into the `/.yugabytedb` directory and change the permissions to `0600`, as follows: + + ```sh + mkdir ~/.yugabytedb; cd ~/.yugabytedb + cp /yugabytedb.crt . + cp /yugabytedb.key . + chmod 600 yugabytedb.* + ``` + +- Run `ysqlsh` using the `sslmode=require` option, as follows: + + ```sh + cd + bin/ysqlsh -h 172.152.43.78 -p 5433 sslmode=require + ``` + + ```output + ysqlsh (11.2-YB-2.3.3.0-b0) + SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) + Type "help" for help. + + yugabyte=# + ``` + +To use TLS from a different client, consult the client-specific documentation. For example, if you are using a PostgreSQL JDBC driver to connect to YugabyteDB, see [Configuring the client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for more details. + +If you are using PostgreSQL/YugabyteDB JDBC driver with SSL, you need to convert the certificates to DER format. To do this, you need to perform only steps 6 and 7 from [Set up SSL certificates for Java applications](../../../reference/drivers/java/postgres-jdbc-reference/#set-up-ssl-certificates-for-java-applications) section after downloading the certificates. + +### Connect to a YCQL endpoint with TLS + +If you created your universe with the Client-to-Node TLS option enabled, then you must download client certificates to your client computer to establish connection to your database, as follows: + +- Navigate to the **Certificates** page and then to your universe's certificate. 
+ +- Click **Actions** and select **Download Root Cert**, as shown in the following illustration. This triggers the download of the `root.crt` file. + + ![download-root-cert](/images/yp/encryption-in-transit/download-root-cert.png) + +- Optionally, when connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. + +- Set `SSL_CERTFILE` environment variable to point to the location of the downloaded root certificate. + +- Run `ycqlsh` using the `-ssl` option, as follows: + + ```sh + cp /root.crt ~/.yugabytedb/root.crt + export SSL_CERTFILE=~/.yugabytedb/root.crt + bin/ycqlsh 172.152.43.78 --ssl + ``` + + ```output + Connected to local cluster at 172.152.43.78:9042. + [ycqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4] + Use HELP for help. + ycqlsh> + ``` + +To use TLS from a different client, consult the client-specific documentation. For example, if you are using a Cassandra driver to connect to YugabyteDB, see [SSL](https://docs.datastax.com/en/developer/python-driver/3.19/security/#ssl). + +## Validate certificates + +When configuring and using certificates, SSL issues may occasionally arise. You can validate your certificates and keys as follows: + +1. Verify that the CA CRT and CA private key match by executing the following commands: + + ```shell + openssl rsa -noout -modulus -in ca.key | openssl md5 + openssl x509 -noout -modulus -in ca.crt | openssl md5 + + \# outputs should match + ``` + +2. Verify that the CA CRT is actually a certificate authority by executing the following command: + + ```shell + openssl x509 -text -noout -in ca.crt + + \# Look for fields + + X509v3 Basic Constraints: + + CA:TRUE + ``` + +3. Verify that certificates and keys are in PEM format (as opposed to the DER or other format). 
If these artifacts are not in the PEM format and you require assistance with converting them or identifying the format, consult [Converting certificates](https://support.globalsign.com/ssl/ssl-certificates-installation/converting-certificates-openssl). + +4. Ensure that the private key does not have a passphrase associated with it. For information on how to identify this condition, see [Decrypt an encrypted SSL RSA private key](https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/). + +## Enforcing TLS versions + +As TLS 1.0 and 1.1 are no longer accepted by PCI compliance, and considering significant vulnerabilities around these versions of the protocol, it is recommended that you migrate to TLS 1.2 or later versions. + +You can set the TLS version for node-to-node and client-node communication. To enforce TLS 1.2, add the following flag for YB-TServer: + +```shell +ssl_protocols = tls12 +``` + +To enforce the minimum TLS version of 1.2, you need to specify all available subsequent versions for YB-TServer, as follows: + +```shell +ssl_protocols = tls12,tls13 +``` + +In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it is recommended that you specify the minimum TLS version (`ssl_min_protocol_version`) for PostgreSQL by setting the following YB-TServer flag: + +```shell +--ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" +``` diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md new file mode 100644 index 000000000000..a29fab83b4b7 --- /dev/null +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md 
@@ -0,0 +1,77 @@ +--- +title: Add CA-signed certificates to YugabyteDB Anywhere +headerTitle: Add certificates +linkTitle: Add certificates +description: Add CA-signed certificates to YugabyteDB Anywhere. +headcontent: Add CA-signed certificates to YugabyteDB Anywhere +menu: + preview_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: add-certificate-2-ca + weight: 20 +type: docs +--- + +{{}} +{{}} +{{}} +{{}} +{{}} +{{}} + +For universes created with an on-premises provider, instead of using self-signed certificates, you can use third-party certificates from external certificate authorities (CA). The third-party CA root certificate must be configured in YugabyteDB Anywhere. You also have to copy the custom CA root certificate, node certificate, and node key to the appropriate on-premises provider nodes. + +## Prerequisites + +The certificates must adhere to the following criteria: + +- Be stored in a `.crt` file, with both the certificate and the private key being in the PEM format. + + If your certificates and keys are stored in the PKCS12 format, you can [convert them to the PEM format](#convert-certificates-and-keys-from-pkcs12-to-pem-format). + +- Contain IP addresses of the database nodes or DNS names as the Subject Alternative Names (wildcards are acceptable). + +## Add CA-signed certificates + +The following procedure describes how to install certificates on the database nodes. You have to repeat these steps for every database node that is to be used in the creation of a universe. + +### Obtain certificates and keys + +Obtain the keys and the custom CA-signed certificates for each of the on-premise nodes for which you are configuring node-to-node TLS. In addition, obtain the keys and the custom signed certificates for client access for configuring client-to-node TLS. 
+ +### Copy the certificates to each node + +For each on-premises provider node, copy the custom CA root certificate, node certificate, and node key to that node's file system. + +If you are enabling client-to-node TLS, make sure to copy the client certificate and client key to each of the nodes. + +In addition, ensure the following: + +- The file names and file paths of different certificates and keys are identical across all the database nodes. For example, if you name your CA root certificate as `ca.crt` on one node, then you must name it `ca.crt` on all the nodes. Similarly, if you copy `ca.crt` to `/opt/yugabyte/keys` on one node, then you must copy `ca.crt` to the same path on other nodes. +- The yugabyte system user has read permissions to all the certificates and keys. + +### Add the CA certificate to YugabyteDB Anywhere + +Add a CA-signed certificate in YugabyteDB Anywhere, as follows: + +1. Navigate to **Configs > Security > Encryption in Transit**. + +1. Click **Add Certificate** to open the **Add Certificate** dialog. + +1. Select **CA Signed**, as per the following illustration: + + ![add-cert](/images/yp/encryption-in-transit/add-cert.png) + +1. Upload the custom CA root certificate as the root certificate. + + If you use an intermediate CA/issuer, but do not have the complete chain of certificates, then you need to create a bundle by executing the `cat intermediate-ca.crt root-ca.crt > bundle.crt` command, and then use this bundle as the root certificate. You might also want to [verify the certificate chain](#verify-certificate-chain). + +1. Enter the file paths for each of the certificates on the nodes. These are the paths from the previous step. + +1. In the **Certificate Name** field, enter a meaningful name for your certificate. + +1. Use the **Expiration Date** field to specify the expiration date of the certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. + +1. 
Click **Add** to make the certificate available. + +You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md new file mode 100644 index 000000000000..6cab4dfd00f3 --- /dev/null +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md 
@@ -0,0 +1,180 @@ +--- +title: Add Hashicorp Vault certificates to YugabyteDB Anywhere +headerTitle: Add certificates +linkTitle: Add certificates +description: Add Hashicorp Vault certificates to YugabyteDB Anywhere. +headcontent: Add Hashicorp Vault certificates to YugabyteDB Anywhere +menu: + preview_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: add-certificate-3-hashicorp + weight: 20 +type: docs +--- + +{{}} +{{}} +{{}} +{{}} +{{}} +{{}} + +YugabyteDB Anywhere allows you to add an encryption in transit configuration using HashiCorp Vault with a public key infrastructure (PKI) secret engine. This configuration can be used to enable TLS for different clusters and YugabyteDB instances. You can apply this configuration to node-to-node encryption, client-to-node encryption, or both. + +## Prerequisites + +For the correct configuration, the following criteria must be met: + +- HashiCorp Vault is unsealed. + +- HashiCorp Vault with the PKI secret engine is configured and enabled. +- HashiCorp Vault URL is accessible by YugabyteDB Anywhere. +- Because HashiCorp Vault is accessed via an authentication token mechanism, a token must be created beforehand while creating a key provider with appropriate permissions. +- HashiCorp Vault needs to be running and always accessible to YugabyteDB Anywhere. +- HashiCorp PKI certificate revocation list (CRL) or CA URLs must be accessible from each node server. +- Appropriate certificates and roles have been created for YugabyteDB Anywhere usage. +- Node servers are able to validate certificates. +- Required permissions have been provided to perform various key management operations. + +## Configure HashiCorp Vault + +Before you can start configuring HashiCorp Vault, install it on a virtual machine, as per instructions provided in [Install Vault](https://www.vaultproject.io/docs/install). The vault can be set up as a multi-node cluster. 
Ensure that your vault installation meets the following requirements: + +- Has transit secret engine enabled. +- Its seal and unseal mechanism is secure and repeatable. +- Its token creation mechanism is repeatable. + +You need to configure HashiCorp Vault in order to use it with YugabyteDB Anywhere, as follows: + +1. Create a vault configuration file that references your nodes and specifies the address, as follows: + + ```properties + storage "raft" { + path = "./vault/data/" + node_id = "node1" + } + + listener "tcp" { + address = "127.0.0.1:8200" + tls_disable = "true" + } + + api_addr = "http://127.0.0.1:8200" + cluster_addr = "https://127.0.0.1:8201" + ui = true + disable_mlock = true + default_lease_ttl = "768h" + max_lease_ttl = "8760h" + ``` + + Replace `127.0.0.1` with the vault web address. + + For additional configuration options, see [Parameters](https://www.vaultproject.io/docs/configuration#parameters). + +1. Initialize the vault server by following instructions provided in [Operator init](https://www.vaultproject.io/docs/commands/operator/init). + +1. Allow access to the vault by following instructions provided in [Unsealing](https://www.vaultproject.io/docs/concepts/seal#unsealing). + +1. Enable the secret engine by executing the following command: + + ```shell + vault secrets enable pki + ``` + +1. Configure the secret engine, as follows: + + - Create a root CA or configure the top-level CA. + + - Optionally, create an intermediate CA chain and sign them. 
+ + - Create an intermediate CA for YugabyteDB, as per the following example: + + ```sh + export pki=pki + export pki_int="pki_int" + export role_i=RoleName + export ip="s.test.com" + + vault secrets enable -path=$pki_int pki + vault secrets tune -max-lease-ttl=43800h $pki_int + vault write $pki_int/intermediate/generate/internal common_name="test.com Intermediate Authority" ttl=43800h -format=json | jq -r '.data.csr' > pki_int.csr + + \# *** dump the output of the preceding command in pki_int.csr + + vault write $pki/root/sign-intermediate csr=@pki_int.csr format=pem_bundle ttl=43800h -format=json | jq -r .data.certificate > i_signed.pem + + \# *** dump the output in i_signed.pem + + vault write $pki_int/intermediate/set-signed certificate=@i_signed.pem + vault write $pki_int/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki_int/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki_int/crl" + ``` + +1. Create the vault policy, as per the following example: + + ```properties + # Enable secrets engine + path "sys/mounts/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + + # List enabled secrets engine + path "sys/mounts" { + capabilities = ["read", "list"] + } + + # Work with pki secrets engine + path "pki*" { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + ``` + +1. Generate a token with appropriate permissions (as per the referenced policy) by executing the following command: + + ```shell + vault token create -no-default-policy -policy=pki_policy + ``` + + You may also specify the following for your token: + + - `ttl` — Time to live (TTL). If not specified, the default TTL of 32 days is used, which means that the generated token will expire after 32 days. + - `period` — If specified, the token can be infinitely renewed. 
+ + YugabyteDB Anywhere automatically tries to renew the token every 12 hours after it has passed 70% of its expiry window; as a result, you should set the TTL or period to be greater than 12 hours. + + For more information, refer to [Tokens](https://developer.hashicorp.com/vault/tutorials/tokens/tokens) in the Hashicorp documentation. + +1. Create a role that maps a name in the vault to a procedure for generating a certificate, as follows: + + ```sh + vault write /roles/ allow_any_name=true allow_subdomains=true max_ttl="8640h" + ``` + + Credentials are generated against this role. + +1. Issue certificates for nodes or a YugabyteDB client: + + - For a node, execute the following: + + ```sh + vault write /issue/ common_name="" ip_sans="" ttl="860h" + ``` + + - For YugabyteDB client, execute the following: + + ```sh + vault write /issue/ common_name="" + ``` + +## Add HashiCorp Vault-provided certificates + +When you create a universe, you can enable TLS using certificates provided by HashiCorp Vault, as follows: + +1. Navigate to **Configs > Security > Encryption in Transit**. +1. Click **Add Certificate** to open the **Add Certificate** dialog. +1. Select **Hashicorp**. +1. In the **Config Name** field, enter a meaningful name for your configuration. +1. In the **Vault Address** field, specify a valid URL that includes the port number. The format is `http://0.0.0.0:0000`, which corresponds to `VAULT_HOSTNAME:0000` +1. In the **Secret Token** field, specify the secret token for the vault. +1. In the **Role** field, specify the role used for creating certificates. +1. Optionally, provide the secret engine path on which the PKI is mounted. If you do not supply this information, `pki/` will be used. +1. Click **Add** to make the certificate available. 
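Review bot: In the new `enable-encryption-in-transit/_index.md`, the "Rotate custom CA-signed certificates" and "Expand the universe" sections still link to `#use-custom-ca-signed-certificates-to-enable-tls` and cite its "Step 1", "Step 2" and "Step 3", but this file has no heading with that anchor, and the procedure added in `add-certificate-ca.md` uses named subsections instead of numbered steps. Point these links at the new page and its headings, or move both sections next to the procedure they depend on. Smaller points in the same hunk: the list of files copied to each node names the root certificate `ca.cert` while every command uses `ca.crt`; the YCQL text says to run `ycqlsh` with the `-ssl` option while the command shows `--ssl`; the YCQL bullet on custom CA-signed certificates says "client YSQL certificate"; and the `ysqlsh` example uses `sslmode=require`, which encrypts the session without validating the server certificate against the root CA, so consider documenting `verify-ca` or `verify-full` with the root certificate for clients outside of testing.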
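Review bot: In `add-certificate-ca.md`, the links `#convert-certificates-and-keys-from-pkcs12-to-pem-format` (under Prerequisites) and `#verify-certificate-chain` (in the upload step) have no matching heading anywhere in the 77 lines added, so both are dead in-page anchors; either bring those sections into this file or link to the page that now holds them. In "Add the CA certificate to YugabyteDB Anywhere", "These are the paths from the previous step" now points at the upload step rather than at "Copy the certificates to each node", so name that section explicitly. The closing paragraph about rotating certificates introduces a procedure that is not on this page and has no link. It would also help to say in the copy step that node and client private keys should be readable only by the yugabyte system user, since the text currently requires read access without limiting it.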
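Review bot: In `add-certificate-hashicorp.md`, the requirement "Has transit secret engine enabled" under "Configure HashiCorp Vault" contradicts the rest of the page, which sets up the PKI secret engine (`vault secrets enable pki`); it reads like a carry-over from a key-management page and should say PKI. The sample listener sets `tls_disable = "true"` with `api_addr = "http://127.0.0.1:8200"`, so the secret token and any issued private keys would cross the network in clear text once `127.0.0.1` is replaced as instructed; mark the sample as local testing only or show a TLS listener. The token step uses `-policy=pki_policy`, but no step registers the policy under that name, so add the command that writes it. The policy itself grants `sudo` on `pki*` plus create and delete on `sys/mounts/*`, which is broader than issuing certificates from one mount needs; consider scoping it to the mount and role that YugabyteDB Anywhere uses. In the intermediate CA example, `role_i` and `ip` are exported but never used.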
diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md new file mode 100644 index 000000000000..cc0b77f58cfb --- /dev/null +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md 
@@ -0,0 +1,64 @@ +--- +title: Add cert-manager certificates to YugabyteDB Anywhere +headerTitle: Add certificates +linkTitle: Add certificates +description: Add cert-manager certificates to YugabyteDB Anywhere. +headcontent: Add cert-manager certificates to YugabyteDB Anywhere +menu: + preview_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: add-certificate-4-kubernetes + weight: 20 +type: docs +--- + +{{}} +{{}} +{{}} +{{}} +{{}} +{{}} + +For a universe created on Kubernetes, YugabyteDB Anywhere allows you to configure an existing running instance of the [cert-manager](https://cert-manager.io/) as a TLS certificate provider for a cluster. + +## Prerequisites + +The following criteria must be met: + +- The cert-manager is running in the Kubernetes cluster. +- A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same root certificate file must be prepared for upload to YugabyteDB Anywhere. +- An Issuer or ClusterIssuer Kind is configured on the cert-manager and is ready to issue certificates using the previously-mentioned root or intermediate certificate. + +## Add certificates using cert-manager + +Add TLS certificates issued by the cert-manager as follows: + +1. Upload the root certificate to YugabyteDB Anywhere: + + - Prepare the root certificate in a file (for example, `root.crt`). + - Navigate to **Configs > Security > Encryption in Transit** and click **Add Certificate**. + - On the **Add Certificate** dialog shown in the following illustration, select **K8S cert-manager**: + + ![Add Certificate](/images/yp/security/kubernetes-cert-manager.png) + + - In the **Certificate Name** field, enter a meaningful name for your certificate configuration. + - Click **Upload Root Certificate** and select the root certificate file that you prepared. + - Click **Add** to make the certificate available. + +1. 
Configure the Kubernetes-based cloud provider by following instructions provided in [Configure region and zones](../../configure-yugabyte-platform/kubernetes/#configure-region-and-zones). + + In the **Add new region** dialog shown in the following illustration, you would be able to specify the Issuer name or the ClusterIssuer name for each zone. Because an Issuer Kind is a Kubernetes namespace-scoped resource, the zone definition should also set the **Namespace** field value if an Issuer Kind is selected: + + ![Add new region](/images/yp/security/kubernetes-cert-manager-add-region.png) + +## Troubleshoot + +If you encounter problems, you should verify the name of Issuer or ClusterIssuer in the Kubernetes cluster, as well as ensure that the Kubernetes cluster is in Ready state. You can use the following commands: + +```sh +kubectl get ClusterIssuer +``` + +```sh +kubectl -n Issuer +``` diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md new file mode 100644 index 000000000000..119e339c20a7 --- /dev/null +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md 
@@ -0,0 +1,96 @@ +--- +title: Add self-signed certificates to YugabyteDB Anywhere +headerTitle: Add certificates +linkTitle: Add certificates +description: Add self-signed certificates to YugabyteDB Anywhere. +headcontent: Add self-signed certificates to YugabyteDB Anywhere +menu: + preview_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: add-certificate-1-self + weight: 20 +type: docs +--- + +{{}} +{{}} +{{}} +{{}} +{{}} +{{}} + +Instead of using YugabyteDB Anywhere-provided certificates, you can use your own self-signed certificates that you upload to YugabyteDB Anywhere. + +## Prerequisites + +The certificates must meet the following criteria: + +- Be in the `.crt` format and the private key must be in the `.pem` format, with both of these artifacts available for upload. +- Contain IP addresses of the target database nodes or DNS names as the Subject Alternative Names (wildcards are acceptable). + +YugabyteDB Anywhere produces the node (leaf) certificates from the uploaded certificates and copies the certificate chain, leaf certificate, and private key to the nodes in the cluster. + +### Convert certificates and keys from PKCS12 to PEM format + +If your certificates and keys are stored in the PKCS12 format, you can convert them to the PEM format using OpenSSL. + +Start by extracting the certificate via the following command: + +```sh +openssl pkcs12 -in cert-archive.pfx -out cert.pem -clcerts -nokeys +``` + +To extract the key and write it to the PEM file unencrypted, execute the following command: + +```sh +openssl pkcs12 -in cert-archive.pfx -out key.pem -nocerts -nodes +``` + +If the key is protected by a passphrase in the PKCS12 archive, you are prompted for the passphrase. + +### Verify certificate chain + +Perform the following steps to verify your certificates: + +1. 
Execute the following verify command which checks the database node certificate (node.crt) against the root CA certificate (ca.crt): + + ```sh + openssl verify ca.crt node.crt + ``` + +1. Verify that the node certificate (`node.crt`) and the node private key (`node.key`) match. See [How do I verify that a private key matches a certificate?](https://www.ssl247.com/knowledge-base/detail/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl-1527076112539/ka03l0000015hscaay/) + +1. Verify that the node certificate and Root CA certificate expiration is at least 3 months by checking the validity field in the output of the following commands: + + ```sh + openssl x509 -in node.crt -text -noout + ``` + + ```sh + openssl x509 -in ca.crt -text -noout + ``` + +1. Verify that the node certificate Common Name (CN) or Subject Alternate Name (SAN) contains the IP address or DNS name of each on-prem node on which the nodes are deployed. + + {{< note >}} +Each entry you provide for the CN or SAN must match the on-prem node as entered in the provider configuration. For example, if the node address is entered as a DNS address in the on-prem provider configuration, you must use the same DNS entry in the CN or SAN, not the resolved IP address. + {{< /note >}} + + If you face any issue with the above verification, you can customize the level of certificate validation while creating a universe that uses these certificates. Refer to [Customizing the verification of RPC server certificate by the client](https://www.yugabyte.com/blog/yugabytedb-server-to-server-encryption/#customizing-the-verification-of-rpc-server-certificate-by-the-client). + +{{< note >}} +The client certificates and keys are required only if you intend to use [PostgreSQL certificate-based authentication](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html#:~:text=independent%20authentication%20option-,clientcert,-%2C%20which%20can%20be). 
+{{< /note >}} + +## Add self-signed certificates + +To add self-signed certificates to YugabyteDB Anywhere: + +1. Navigate to **Configs > Security > Encryption in Transit**. +1. Click **Add Certificate** to open the **Add Certificate** dialog. +1. Select **Self Signed**. +1. Click **Upload Root Certificate**, then browse to the root certificate file (`.crt`) and upload it. +1. Click **Upload Key**, then browse to the root certificate file (`.key`) and upload it. +1. In the **Certificate Name** field, enter a meaningful name for your certificate. +1. In the **Expiration Date** field, specify the expiration date of the root certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. +1. Click **Add** to make the certificate available. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md new file mode 100644 index 000000000000..a126d9423e89 --- /dev/null +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md 
@@ -0,0 +1,54 @@ +--- +title: Add CA-signed certificates to YugabyteDB Anywhere +headerTitle: Add certificates to your trust store +linkTitle: Trust store +description: Add certificates to the YugabyteDB Anywhere trust store. +headcontent: Add certificates for third-party services +menu: + preview_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: trust-store + weight: 40 +type: docs +--- + +YugabyteDB Anywhere uses TLS to protect data in transit when connecting to other services, including: + +- LDAP +- OIDC +- Webhook +- [S3 backup storage](../../../back-up-restore-universes/configure-backup-storage/) +- Hashicorp Vault +- [YugabyteDB Anywhere high availability](../../../administer-yugabyte-platform/high-availability/) + +If you are using self-signed or custom CA certificates, YugabyteDB cannot verify your TLS connections unless you add the certificates to the YugabyteDB Anywhere Trust Store. + +## Add certificates to your trust store + +To add a certificate to the YugabyteDB Anywhere Trust Store, do the following: + +1. Navigate to **Admin > CA Certificates**. + +1. Click **Upload Trusted CA Certificate**. + +1. Enter a name for the certificate. + +1. Click **Upload**, select your certificate (in .crt format) and click **Save CA Certificate**. + +## Rotate a certificate in your trust store + +To rotate a certificate in your YugabyteDB Anywhere Trust Store, do the following: + +1. Navigate to **Admin > CA Certificates**. + +1. Click the **...** button for the certificate and choose **Update Certificate**. + +1. Click **Upload**, select your certificate (in .crt format) and click **Save CA Certificate**. + +## Delete a certificate in your trust store + +To delete a certificate in your YugabyteDB Anywhere Trust Store, do the following: + +1. Navigate to **Admin > CA Certificates**. + +1. Click the **...** button for the certificate and choose **Delete**, then click **Delete CA Certificate**. 
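Review bot: In add-certificate-kubernetes.md, the second Troubleshoot command, `kubectl -n Issuer`, has no verb and no namespace value as shown, so it cannot run as written; it should read along the lines of `kubectl get Issuer -n <namespace>` to match the `kubectl get ClusterIssuer` command above it. The sentence introducing the commands also asks the reader to ensure that "the Kubernetes cluster is in Ready state", while both commands list issuers; if the intent is that the Issuer or ClusterIssuer reports Ready, say that.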
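Review bot: In add-certificate-self.md, step 1 of "Verify certificate chain" uses `openssl verify ca.crt node.crt`, which treats both files as certificates to be checked against the default trust store and never uses `ca.crt` as the issuer. To check the node certificate against the root CA as the sentence describes, the command needs `-CAfile`: `openssl verify -CAfile ca.crt node.crt`. Also in this file, the **Upload Key** step says to browse to "the root certificate file (`.key`)", which should be the root private key, and the prerequisites ask for the key in `.pem` format, so the two should agree on the extension.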
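Review bot: The front matter of trust-store.md sets `title: Add CA-signed certificates to YugabyteDB Anywhere`, which matches the title of add-certificate-ca.md and does not fit the `headerTitle` or the page content; a title such as "Add certificates to the YugabyteDB Anywhere trust store" would keep search results and browser tabs from showing two pages with the same name. In the paragraph before "Add certificates to your trust store", "YugabyteDB cannot verify your TLS connections" should say YugabyteDB Anywhere, since the trust store and the listed services belong to the platform rather than the database.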
From 4cb5eec079d7e99a041c047409b83932d4f8e2aa Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Wed, 26 Jun 2024 13:29:30 -0400 Subject: [PATCH 02/24] Encryption in transit section update --- .../create-deployments/connect-to-universe.md | 31 +- .../create-universe-multi-zone.md | 21 +- .../enable-encryption-in-transit/_index.md | 286 +----------------- .../add-certificate-ca.md | 8 +- .../add-certificate-hashicorp.md | 12 +- .../add-certificate-kubernetes.md | 29 +- .../add-certificate-self.md | 13 +- .../auto-certificate.md | 146 +++++++++ .../rotate-certificates.md | 41 +++ .../yp/encryption-in-transit/add-cert.png | Bin 53355 -> 185808 bytes .../add-hashicorp-cert.png | Bin 0 -> 106654 bytes .../yp/encryption-in-transit/add-k8s-cert.png | Bin 0 -> 82889 bytes .../encryption-in-transit/add-self-cert.png | Bin 0 -> 106030 bytes .../yp/encryption-in-transit/rotate-cert.png | Bin 0 -> 156284 bytes 14 files changed, 285 insertions(+), 302 deletions(-) create mode 100644 docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md create mode 100644 docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md create mode 100644 docs/static/images/yp/encryption-in-transit/add-hashicorp-cert.png create mode 100644 docs/static/images/yp/encryption-in-transit/add-k8s-cert.png create mode 100644 docs/static/images/yp/encryption-in-transit/add-self-cert.png create mode 100644 docs/static/images/yp/encryption-in-transit/rotate-cert.png diff --git a/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md b/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md index 2cbebd1cee32..2184a2a90823 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md 
@@ -21,13 +21,36 @@ You can connect to the database on a universe in the following ways: ## Download the universe certificate -If the universe uses encryption in transit, to connect you need to first download the universe TLS root certificate. Do the following: +If the universe uses Client-to-Node encryption in transit, to connect you need to first download the universe TLS certificate. Do the following: 1. Navigate to **Configs > Security > Encryption in Transit**. -1. Find the certificate for your universe in the list and click **Actions** and download the certificate. +1. Find your universe in the list. -For more information on connecting to TLS-enabled universes, refer to [Connect to clusters](../../security/enable-encryption-in-transit/#connect-to-clusters). +1. Download the certificate. + + - If you are connecting using a YSQL client (such as ysqlsh), click **Actions**, and choose **Download YSQL Cert**. + + This downloads the `yugabytedb.crt` and `yugabytedb.key` files. + + - If you are connecting using a YCQL client (such as ycqlsh), click **Actions**, and choose **Download Root Cert**. + + This downloads the `root.crt` file. + + - If you are connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. + +1. For connecting using a `ysqlsh` client, paste the `yugabytedb.crt` and `yugabytedb.key` files into the `/.yugabytedb` directory and change the permissions to `0600`, as follows: + + ```sh + mkdir ~/.yugabytedb; cd ~/.yugabytedb + cp /yugabytedb.crt . + cp /yugabytedb.key . + chmod 600 yugabytedb.* + ``` + +To use TLS from a different client, consult the client-specific documentation. For example, if you are using a PostgreSQL JDBC driver to connect to YugabyteDB, see [Configuring the client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for more details. 
+ +If you are using PostgreSQL/YugabyteDB JDBC driver with SSL, you need to convert the certificates to DER format. To do this, you need to perform only steps 6 and 7 from [Set up SSL certificates for Java applications](../../../reference/drivers/java/postgres-jdbc-reference/#set-up-ssl-certificates-for-java-applications) section after downloading the certificates. ## Connect to a universe node @@ -132,7 +155,7 @@ curl --location --request PUT 'http:///api/v1/customers//runt docker run -it yugabytedb/yugabyte-client ysqlsh -h -p ``` -- If your universe has TLS/SSL (encryption in-transit) enabled, you need to [download the certificate](#download-the-universe-certificate) to your computer. +- If your universe has Client-to-Node encryption in-transit enabled, you need to [download the certificate](#download-the-universe-certificate) to your computer. - The host address of an endpoint on your universe. diff --git a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md index edc814f8f993..c835c2bc2447 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md 
@@ -84,13 +84,32 @@ Specify the instance to use for the universe nodes: ### Security Configurations +#### IP Settings + To enable public access to the universe, select the **Assign Public IP** option. +#### Authentication Settings + Enable the YSQL and YCQL endpoints and database authentication. You can also enable and disable authentication after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. Enter the password to use for the default database admin superuser (yugabyte for YSQL, and cassandra for YCQL). For more information, refer to [Database authorization](../../security/authorization-platform/). -Enable encryption in transit to encrypt universe traffic. Refer to [Enable encryption in transit](../../security/enable-encryption-in-transit/). +#### Encryption Settings + +Enable encryption in transit to encrypt universe traffic. You can enable the following: + +- **Node-to-Node TLS** to encrypt traffic between universe nodes. +- **Client-to-Node TLS** to encrypt traffic between universe nodes and external clients. + + Note that if you want to enable Client-to-Node encryption, you first must enable Node-to-Node encryption. + +Encryption requires a certificate. YugabyteDB Anywhere can generate a self-signed certificate automatically, or you can use your own certificate. + +To use your own, you must first add it to YugabyteDB Anywhere; refer to [Add certificates](../../security/enable-encryption-in-transit/add-certificate-self/). + +To have YugabyteDB Anywhere generate a certificate for the universe, use the default **Root Certificate** setting of **Create New Certificate**. To use a certificate you added or a previously generated certificate, select it from the **Root Certificate** menu. + +For more information on using and managing certificates, refer to [Encryption in transit](../../security/enable-encryption-in-transit/). Enable encryption at rest to encrypt the universe data. 
Refer to [Enable encryption at rest](../../security/enable-encryption-at-rest/). diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index c76930f8e44d..15ae7e509568 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md @@ -1,8 +1,8 @@ --- title: Enable encryption in transit -headerTitle: Enable encryption in transit -linkTitle: Enable encryption in transit -description: Use YugabyteDB Anywhere to enable encryption in transit (TLS) on a YugabyteDB universe and connect to clients. +headerTitle: Encryption in transit +linkTitle: Encryption in transit +description: Use encryption in transit (TLS) to secure data traffic. menu: preview_yugabyte-platform: parent: security 
@@ -15,17 +15,11 @@ type: indexpage YugabyteDB Anywhere allows you to protect data in transit by using the following: -- Server-to-server encryption for intra-node communication between YB-Master and YB-TServer nodes. -- Client-to-server encryption for communication between clients and nodes when using CLIs, tools, and APIs for YSQL and YCQL. -- Encryption for communication between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. +- Node-to-Node TLS to encrypt intra-node communication between YB-Master and YB-TServer nodes. +- Client-to-Node TLS to encrypt communication between a universe and clients. This includes applications, shells (ysqlsh, ycqlsh, psql, and so on), and other tools, using the YSQL and YCQL APIs. +- Certificates added to the YugabyteDB Anywhere trust store to encrypt communication between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. -{{< note title="Note" >}} - -Before you can enable client-to-server encryption, you first must enable server-to-server encryption. - -{{< /note >}} - -YugabyteDB Anywhere can create and manage new self-signed certificates for encrypting data in transit. Alternatively, you can use your own self-signed certificate or upload a third-party certificate from external providers, such as Venafi or DigiCert. (CA-signed certificates can only be used with on-premises provider configurations.) +YugabyteDB Anywhere can create and manage new self-signed certificates for encrypting data in transit. Alternatively, you can use your own self-signed certificates. You can also upload a third-party CA-signed certificate from external providers, such as Venafi or DigiCert. (CA-signed certificates can only be used with on-premises provider configurations.) You can enable encryption in transit (TLS) during universe creation and change these settings for an existing universe. 
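Review bot: The third bullet now reads "Certificates added to the YugabyteDB Anywhere trust store to encrypt communication between YugabyteDB Anywhere and other services", but trust store entries are what let YugabyteDB Anywhere verify the other side's certificate; TLS does the encrypting. Suggest wording such as "TLS for communication between YugabyteDB Anywhere and other services, verified using certificates you add to the trust store". In the first bullet, "intra-node communication between YB-Master and YB-TServer nodes" describes traffic between nodes, so "inter-node" (or simply "communication between nodes") is the accurate term. This hunk also drops the note that server-to-server encryption must be enabled before client-to-server encryption; the ordering is restated in create-universe-multi-zone.md, but a reader landing on this index page no longer sees it.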
@@ -34,147 +28,8 @@ Enabling encryption-in-transit requires the following steps: 1. If you are using a certificate that you provide, add your self- or CA-signed certificate to YugabyteDB Anywhere. 1. Enable encryption in transit on your universe. You can do this when creating the universe and on an existing universe. -## Self-signed certificates generated by YugabyteDB Anywhere - -YugabyteDB Anywhere can create self-signed certificates for each universe. These certificates may be shared between universes in a single instance of YugabyteDB Anywhere. The certificate name has the following format: - -`yb-environment-universe_name`, where *environment* is the environment type (either `dev`, `stg`, `demo`, or `prod`) that was used during the tenant registration (admin user creation), and *universe-name* is the provided universe name. YugabyteDB Anywhere generates the root certificate, root private key, and node-level certificates (assuming node-to-node encryption is enabled), and then provisions those artifacts to the database nodes any time nodes are created or added to the cluster. The following three files are copied to each node: - -1. The root certificate (`ca.cert`). -1. The node certificate (`node.ip_address.crt`). -1. The node private key (`node.ip_address.key`). - -YugabyteDB Anywhere retains the root certificate and the root private key for all interactions with the cluster. - -### Customize the organization name in self-signed certificates - -YugabyteDB Anywhere automatically creates self-signed certificates when you run some workflows, such as create universe. The organization name in certificates is set to `example.com` by default. - -If you are using YugabyteDB Anywhere version 2.18.2 or later to manage universes with YugabyteDB version 2.18.2 or later, you can set a custom organization name using the global [runtime configuration](../../administer-yugabyte-platform/manage-runtime-config/) flag, `yb.tlsCertificate.organizationName`. 
- -Note that, for the change to take effect, you need to set the flag _before_ you run a workflow that generates a self-signed certificate. - -Customize the organization name as follows: - -1. In YugabyteDB Anywhere, navigate to **Admin** > **Advanced** and select the **Global Configuration** tab. -1. In the **Search** bar, enter `yb.tlsCertificate.organizationName` to view the flag, as per the following illustration: - - ![Custom Organization name](/images/yp/encryption-in-transit/custom-org-name.png) - -1. Click **Actions** > **Edit Configuration**, enter a new Config Value, and click **Save**. - -#### Validate custom organization name - -You can verify the organization name by running the following `openssl x509` command: - -```sh -openssl x509 -in ca.crt -text -``` - -```output {hl_lines=[6]} -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1683277970271 (0x187eb2f7b5f) - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=yb-dev-sb-ybdemo-univ1~2, O=example.com - Validity - Not Before: May 5 09:12:50 2023 GMT - Not After : May 5 09:12:50 2027 GMT -``` - -Notice that default value is `O=example.com`. - -After setting the runtime configuration to a value of your choice, (`org-foo` in this example), you should see output similar to the following: - -```sh -openssl x509 -in ca.crt -text -noout -``` - -```output -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1689376612248 (0x18956b15f98) - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo - Validity - Not Before: Jul 14 23:16:52 2023 GMT - Not After : Jul 14 23:16:52 2027 GMT - Subject: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: -``` - -### Use YugabyteDB Anywhere-generated certificates to enable TLS - -When you create a universe, you can enable TLS using certificates generated by YugabyteDB Anywhere, as follows: - -1. 
Create a new universe via **Universes > Create Universe** and then configure it. -1. Based on your requirements, select **Enable Node-to-Node TLS** or **Enable Client-to-Node TLS** or both. -1. Choose an existing certificate from the **Root Certificate** list or create a new certificate by accepting the default option **Create new certificate**. - -To view the certificate, navigate to **Configs > Security > Encryption in Transit > Self Signed**. - -You can also modify TLS settings for an existing universe, as follows: - -1. Navigate to either **Dashboard** or **Universes** and open a specific universe. - -1. Click **Actions > Edit Security > Encryption in-Transit** to open the **TLS Configuration** dialog and then proceed as follows: - - - If encryption in transit is currently disabled for the universe, enable it via the **Encryption in Transit for this Universe** field, as per the following illustration: - - ![TLS Configuration](/images/yp/encryption-in-transit/tls-config1.png) - - Use the expanded **TLS Configuration** dialog shown in the following illustration to change the settings to meet your requirements: - - ![TLS Configuration Expanded](/images/yp/encryption-in-transit/tls-config2.png) - - - If encryption in transit is currently enabled for the universe, you can either disable or modify it, as follows: - - - To disable encryption in transit, disable the **Encryption in Transit for this Universe** field and then click **OK**. - - - To modify encryption in-transit settings, leave the **Encryption in Transit for this Universe** field enabled and make the necessary changes to other fields. - - If you are changing certificates, you need to be aware that this requires restart of the YB-Master and YB-TServer processes and can result in downtime. 
To avoid downtime, you should accept the default value (enabled) for the **Rolling Upgrade** field to trigger a sequential node-by-node change with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node which occurs when the **Rolling Upgrade** field is disabled). If you select the **Create new certificate** option when changing certificates, the corresponding certificates will be rotated, that is, replaced with new certificates. - -### Rotate custom CA-signed certificates - -You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. - -You rotate the existing custom certificates and replace them with new database node certificates issued by the same custom CA that issued the original certificates as follows: - -**Step 1**: Follow Step 1 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to obtain a new set of certificates for each of the nodes. - -**Step 2**: Follow Step 2 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to copy the certificates to the respective nodes. - -**Step 3**: Follow Step 3 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to create a new CA-signed certificate in YugabyteDB Anywhere. - -**Step 4**: Edit the universe to use the new certificates, as follows: - -- Navigate to the universe for which you are rotating the keys. - -- Select **Actions > Edit Security**, as shown in the following illustration: - - ![edit-security](/images/yp/encryption-in-transit/edit-security.png) - -- Select **Encryption in-Transit** to open the **TLS Configuration** dialog. 
- -- Complete the **TLS Configuration** dialog shown in the following illustration: - - ![Configure TLS](/images/yp/encryption-in-transit/edit-tls-new.png) - - Select the new certificate which you created in Step 3. - - - Modifying certificates requires restart of YB-Master and YB-TServer processes, which can result in downtime. To avoid downtime, you should accept the default value (enabled) for the **Rolling Upgrade** field to trigger a sequential node-by-node change with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node which occurs when the **Rolling Upgrade** field is disabled). - - - Click **OK**. - - Typically, this process takes time, as it needs to wait for the specified delay interval after each node is upgraded. - -### Expand the universe +### Expand a universe You can expand universes configured with custom CA-signed certificates. 
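Review bot: After the `## Self-signed certificates generated by YugabyteDB Anywhere` heading is removed, the renamed `### Expand a universe` heading follows the numbered steps directly with no `##` parent in the lines shown, so it should be promoted to `##` or moved under a section. The removed "Rotate custom CA-signed certificates" steps linked to `#use-custom-ca-signed-certificates-to-enable-tls`; worth checking that no remaining page still points at the headings deleted in this hunk.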
@@ -182,128 +37,3 @@ Before adding new nodes to expand an existing universe, you need to prepare thos When the universe is ready for expansion, complete the **Edit Universe** dialog to add new nodes. -## Connect to clusters - -Using TLS, you can connect to the YSQL and YCQL endpoints. - -### Connect to a YSQL endpoint with TLS - -If you created your universe with the Client-to-Node TLS option enabled, then you must download client certificates to your client computer to establish connection to your database, as follows: - -- Navigate to the **Certificates** page and then to your universe's certificate. - -- Click **Actions** and select **Download YSQL Cert**, as shown in the following illustration. This triggers the download of the `yugabytedb.crt` and `yugabytedb.key` files. - - ![download-ysql-cert](/images/yp/encryption-in-transit/download-ysql-cert.png) - -- Optionally, when connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. - -- For testing with a `ysqlsh` client, paste the `yugabytedb.crt` and `yugabytedb.key` files into the `/.yugabytedb` directory and change the permissions to `0600`, as follows: - - ```sh - mkdir ~/.yugabytedb; cd ~/.yugabytedb - cp /yugabytedb.crt . - cp /yugabytedb.key . - chmod 600 yugabytedb.* - ``` - -- Run `ysqlsh` using the `sslmode=require` option, as follows: - - ```sh - cd - bin/ysqlsh -h 172.152.43.78 -p 5433 sslmode=require - ``` - - ```output - ysqlsh (11.2-YB-2.3.3.0-b0) - SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) - Type "help" for help. - - yugabyte=# - ``` - -To use TLS from a different client, consult the client-specific documentation. 
For example, if you are using a PostgreSQL JDBC driver to connect to YugabyteDB, see [Configuring the client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for more details. - -If you are using PostgreSQL/YugabyteDB JDBC driver with SSL, you need to convert the certificates to DER format. To do this, you need to perform only steps 6 and 7 from [Set up SSL certificates for Java applications](../../../reference/drivers/java/postgres-jdbc-reference/#set-up-ssl-certificates-for-java-applications) section after downloading the certificates. - -### Connect to a YCQL endpoint with TLS - -If you created your universe with the Client-to-Node TLS option enabled, then you must download client certificates to your client computer to establish connection to your database, as follows: - -- Navigate to the **Certificates** page and then to your universe's certificate. - -- Click **Actions** and select **Download Root Cert**, as shown in the following illustration. This triggers the download of the `root.crt` file. - - ![download-root-cert](/images/yp/encryption-in-transit/download-root-cert.png) - -- Optionally, when connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. - -- Set `SSL_CERTFILE` environment variable to point to the location of the downloaded root certificate. - -- Run `ycqlsh` using the `-ssl` option, as follows: - - ```sh - cp /root.crt ~/.yugabytedb/root.crt - export SSL_CERTFILE=~/.yugabytedb/root.crt - bin/ycqlsh 172.152.43.78 --ssl - ``` - - ```output - Connected to local cluster at 172.152.43.78:9042. - [ycqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4] - Use HELP for help. - ycqlsh> - ``` - -To use TLS from a different client, consult the client-specific documentation. 
For example, if you are using a Cassandra driver to connect to YugabyteDB, see [SSL](https://docs.datastax.com/en/developer/python-driver/3.19/security/#ssl). - -## Validate certificates - -When configuring and using certificates, SSL issues may occasionally arise. You can validate your certificates and keys as follows: - -1. Verify that the CA CRT and CA private key match by executing the following commands: - - ```shell - openssl rsa -noout -modulus -in ca.key | openssl md5 - openssl x509 -noout -modulus -in ca.crt | openssl md5 - - \# outputs should match - ``` - -2. Verify that the CA CRT is actually a certificate authority by executing the following command: - - ```shell - openssl x509 -text -noout -in ca.crt - - \# Look for fields - - X509v3 Basic Constraints: - - CA:TRUE - ``` - -3. Verify that certificates and keys are in PEM format (as opposed to the DER or other format). If these artifacts are not in the PEM format and you require assistance with converting them or identifying the format, consult [Converting certificates](https://support.globalsign.com/ssl/ssl-certificates-installation/converting-certificates-openssl). - -4. Ensure that the private key does not have a passphrase associated with it. For information on how to identify this condition, see [Decrypt an encrypted SSL RSA private key](https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/). - -## Enforcing TLS versions - -As TLS 1.0 and 1.1 are no longer accepted by PCI compliance, and considering significant vulnerabilities around these versions of the protocol, it is recommended that you migrate to TLS 1.2 or later versions. - -You can set the TLS version for node-to-node and client-node communication. 
To enforce TLS 1.2, add the following flag for YB-TServer: - -```shell -ssl_protocols = tls12 -``` - -To enforce the minimum TLS version of 1.2, you need to specify all available subsequent versions for YB-TServer, as follows: - -```shell -ssl_protocols = tls12,tls13 -``` - -In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it is recommended that you specify the minimum TLS version (`ssl_min_protocol_version`) for PostgreSQL by setting the following YB-TServer flag: - -```shell ---ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" -``` diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md index a29fab83b4b7..abed124d0c46 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md @@ -3,7 +3,7 @@ title: Add CA-signed certificates to YugabyteDB Anywhere headerTitle: Add certificates linkTitle: Add certificates description: Add CA-signed certificates to YugabyteDB Anywhere. -headcontent: Add CA-signed certificates to YugabyteDB Anywhere +headcontent: Use your own certificates for encryption in transit menu: preview_yugabyte-platform: parent: enable-encryption-in-transit @@ -60,7 +60,9 @@ Add a CA-signed certificate in YugabyteDB Anywhere, as follows: 1. Select **CA Signed**, as per the following illustration: - ![add-cert](/images/yp/encryption-in-transit/add-cert.png) + ![Add CA certificate](/images/yp/encryption-in-transit/add-cert.png) + +1. In the **Certificate Name** field, enter a meaningful name for your certificate. 1. Upload the custom CA root certificate as the root certificate. 
@@ -68,8 +70,6 @@ Add a CA-signed certificate in YugabyteDB Anywhere, as follows: 1. Enter the file paths for each of the certificates on the nodes. These are the paths from the previous step. -1. In the **Certificate Name** field, enter a meaningful name for your certificate. - 1. Use the **Expiration Date** field to specify the expiration date of the certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. 1. Click **Add** to make the certificate available. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md index 6cab4dfd00f3..c3cd40b8859b 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md @@ -3,7 +3,7 @@ title: Add Hashicorp Vault certificates to YugabyteDB Anywhere headerTitle: Add certificates linkTitle: Add certificates description: Add Hashicorp Vault certificates to YugabyteDB Anywhere. -headcontent: Add Hashicorp Vault certificates to YugabyteDB Anywhere +headcontent: Use your own certificates for encryption in transit menu: preview_yugabyte-platform: parent: enable-encryption-in-transit 
@@ -170,11 +170,21 @@ You need to configure HashiCorp Vault in order to use it with YugabyteDB Anywher When you create a universe, you can enable TLS using certificates provided by HashiCorp Vault, as follows: 1. Navigate to **Configs > Security > Encryption in Transit**. + 1. Click **Add Certificate** to open the **Add Certificate** dialog. + 1. Select **Hashicorp**. + + ![Add Hashicorp certificate](/images/yp/encryption-in-transit/add-hashicorp-cert.png) + 1. In the **Config Name** field, enter a meaningful name for your configuration. + 1. In the **Vault Address** field, specify a valid URL that includes the port number. The format is `http://0.0.0.0:0000`, which corresponds to `VAULT_HOSTNAME:0000` + 1. In the **Secret Token** field, specify the secret token for the vault. + 1. In the **Role** field, specify the role used for creating certificates. + 1. Optionally, provide the secret engine path on which the PKI is mounted. If you do not supply this information, `pki/` will be used. + 1. Click **Add** to make the certificate available. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md index cc0b77f58cfb..887df52663be 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md @@ -3,7 +3,7 @@ title: Add cert-manager certificates to YugabyteDB Anywhere headerTitle: Add certificates linkTitle: Add certificates description: Add cert-manager certificates to YugabyteDB Anywhere. -headcontent: Add cert-manager certificates to YugabyteDB Anywhere +headcontent: Use your own certificates for encryption in transit menu: preview_yugabyte-platform: parent: enable-encryption-in-transit 
@@ -28,28 +28,33 @@ The following criteria must be met: - The cert-manager is running in the Kubernetes cluster. - A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same root certificate file must be prepared for upload to YugabyteDB Anywhere. - An Issuer or ClusterIssuer Kind is configured on the cert-manager and is ready to issue certificates using the previously-mentioned root or intermediate certificate. +- Prepare the root certificate in a file (for example, `root.crt`). ## Add certificates using cert-manager Add TLS certificates issued by the cert-manager as follows: -1. Upload the root certificate to YugabyteDB Anywhere: +1. Navigate to **Configs > Security > Encryption in Transit**. - - Prepare the root certificate in a file (for example, `root.crt`). - - Navigate to **Configs > Security > Encryption in Transit** and click **Add Certificate**. - - On the **Add Certificate** dialog shown in the following illustration, select **K8S cert-manager**: +1. Click **Add Certificate** to open the **Add Certificate** dialog. - ![Add Certificate](/images/yp/security/kubernetes-cert-manager.png) +1. Select **K8S cert-manager**. - - In the **Certificate Name** field, enter a meaningful name for your certificate configuration. - - Click **Upload Root Certificate** and select the root certificate file that you prepared. - - Click **Add** to make the certificate available. + ![Add Kubernetes Certificate](/images/yp/encryption-in-transit/add-k8s-cert.png) -1. Configure the Kubernetes-based cloud provider by following instructions provided in [Configure region and zones](../../configure-yugabyte-platform/kubernetes/#configure-region-and-zones). +1. In the **Certificate Name** field, enter a meaningful name for your certificate. - In the **Add new region** dialog shown in the following illustration, you would be able to specify the Issuer name or the ClusterIssuer name for each zone. 
Because an Issuer Kind is a Kubernetes namespace-scoped resource, the zone definition should also set the **Namespace** field value if an Issuer Kind is selected: +1. Click **Upload Root Certificate** and select the root certificate file that you prepared. - ![Add new region](/images/yp/security/kubernetes-cert-manager-add-region.png) +1. Click **Add** to make the certificate available. + +## Configure the provider + +After the certificate is added to YugabyteDB Anywhere, configure the Kubernetes provider configuration by following instructions provided in [Configure region and zones](../../../configure-yugabyte-platform/kubernetes/#configure-region-and-zones). + +In the **Add new region** dialog shown in the following illustration, you would be able to specify the Issuer name or the ClusterIssuer name for each zone. Because an Issuer Kind is a Kubernetes namespace-scoped resource, the zone definition should also set the **Namespace** field value if an Issuer Kind is selected. + +![Add new region](/images/yp/security/kubernetes-cert-manager-add-region.png) ## Troubleshoot diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md index 119e339c20a7..94dd6b04a7d6 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md @@ -3,7 +3,7 @@ title: Add self-signed certificates to YugabyteDB Anywhere headerTitle: Add certificates linkTitle: Add certificates description: Add self-signed certificates to YugabyteDB Anywhere. -headcontent: Add self-signed certificates to YugabyteDB Anywhere +headcontent: Use your own certificates for encryption in transit menu: preview_yugabyte-platform: parent: enable-encryption-in-transit 
@@ -87,10 +87,19 @@ The client certificates and keys are required only if you intend to use [Postgre To add self-signed certificates to YugabyteDB Anywhere: 1. Navigate to **Configs > Security > Encryption in Transit**. + 1. Click **Add Certificate** to open the **Add Certificate** dialog. + 1. Select **Self Signed**. + + ![Add Self Signed certificate](/images/yp/encryption-in-transit/add-self-cert.png) + +1. In the **Certificate Name** field, enter a meaningful name for your certificate. + 1. Click **Upload Root Certificate**, then browse to the root certificate file (`.crt`) and upload it. + 1. Click **Upload Key**, then browse to the root certificate file (`.key`) and upload it. -1. In the **Certificate Name** field, enter a meaningful name for your certificate. + 1. In the **Expiration Date** field, specify the expiration date of the root certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. + 1. Click **Add** to make the certificate available. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md new file mode 100644 index 000000000000..74f5731d00a5 --- /dev/null +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md 
@@ -0,0 +1,146 @@ +--- +title: Automatically generated certificates on YugabyteDB Anywhere +headerTitle: Auto-generated certificates +linkTitle: Auto-generated certificates +description: YugabyteDB Anywhere-generated self-signed certificates. +headcontent: Let YugabyteDB Anywhere manage certificates for your universe +menu: + preview_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: auto-certificate + weight: 10 +type: docs +--- + +YugabyteDB Anywhere can automatically create and manage self-signed certificates for universes when you create them. These certificates may be shared between universes in a single instance of YugabyteDB Anywhere. + +Automatically generated certificates are named using the following convention: + +```sh +yb-environment-universe_name +``` + +where *environment* is the environment type (either `dev`, `stg`, `demo`, or `prod`) that was used during the tenant registration (admin user creation), and *universe_name* is the provided universe name. + +YugabyteDB Anywhere generates the root certificate, root private key, and node-level certificates (assuming node-to-node encryption is enabled), and then provisions those artifacts to the database nodes any time nodes are created or added to the cluster. The following three files are copied to each node: + +1. The root certificate (`ca.cert`). +1. The node certificate (`node.ip_address.crt`). +1. The node private key (`node.ip_address.key`). + +YugabyteDB Anywhere retains the root certificate and the root private key for all interactions with the cluster. + +To view the certificate details, navigate to **Configs > Security > Encryption in Transit** and click **Show details**. + +### Customize the organization name in self-signed certificates + +YugabyteDB Anywhere automatically creates self-signed certificates when you run some workflows, such as create universe. The organization name in certificates is set to `example.com` by default. 
+ +If you are using YugabyteDB Anywhere version 2.18.2 or later to manage universes with YugabyteDB version 2.18.2 or later, you can set a custom organization name using the global [runtime configuration](../../administer-yugabyte-platform/manage-runtime-config/) flag, `yb.tlsCertificate.organizationName`. + +Note that, for the change to take effect, you need to set the flag _before_ you run a workflow that generates a self-signed certificate. + +Customize the organization name as follows: + +1. In YugabyteDB Anywhere, navigate to **Admin** > **Advanced** and select the **Global Configuration** tab. +1. In the **Search** bar, enter `yb.tlsCertificate.organizationName` to view the flag, as per the following illustration: + + ![Custom Organization name](/images/yp/encryption-in-transit/custom-org-name.png) + +1. Click **Actions** > **Edit Configuration**, enter a new Config Value, and click **Save**. + +### Validate custom organization name + +You can verify the organization name by running the following `openssl x509` command: + +```sh +openssl x509 -in ca.crt -text +``` + +```output {hl_lines=[6]} +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1683277970271 (0x187eb2f7b5f) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=yb-dev-sb-ybdemo-univ1~2, O=example.com + Validity + Not Before: May 5 09:12:50 2023 GMT + Not After : May 5 09:12:50 2027 GMT +``` + +Notice that default value is `O=example.com`. 
+ +After setting the runtime configuration to a value of your choice, (`org-foo` in this example), you should see output similar to the following: + +```sh +openssl x509 -in ca.crt -text -noout +``` + +```output +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1689376612248 (0x18956b15f98) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo + Validity + Not Before: Jul 14 23:16:52 2023 GMT + Not After : Jul 14 23:16:52 2027 GMT + Subject: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: +``` + +## Validate certificates + +When configuring and using certificates, SSL issues may occasionally arise. You can validate your certificates and keys as follows: + +- Verify that the CA CRT and CA private key match by executing the following commands: + + ```shell + openssl rsa -noout -modulus -in ca.key | openssl md5 + openssl x509 -noout -modulus -in ca.crt | openssl md5 + + \# outputs should match + ``` + +- Verify that the CA CRT is actually a certificate authority by executing the following command: + + ```shell + openssl x509 -text -noout -in ca.crt + + \# Look for fields + + X509v3 Basic Constraints: + + CA:TRUE + ``` + +- Verify that certificates and keys are in PEM format (as opposed to the DER or other format). If these artifacts are not in the PEM format and you require assistance with converting them or identifying the format, consult [Converting certificates](https://support.globalsign.com/ssl/ssl-certificates-installation/converting-certificates-openssl). + +- Ensure that the private key does not have a passphrase associated with it. For information on how to identify this condition, see [Decrypt an encrypted SSL RSA private key](https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/). 
+ +## Enforce TLS versions + +As TLS 1.0 and 1.1 are no longer accepted by PCI compliance, and considering significant vulnerabilities around these versions of the protocol, it is recommended that you migrate to TLS 1.2 or later versions. + +You can set the TLS version for node-to-node and client-node communication. To enforce TLS 1.2, add the following flag for YB-TServer: + +```shell +ssl_protocols = tls12 +``` + +To enforce the minimum TLS version of 1.2, you need to specify all available subsequent versions for YB-TServer, as follows: + +```shell +ssl_protocols = tls12,tls13 +``` + +In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it is recommended that you specify the minimum TLS version (`ssl_min_protocol_version`) for PostgreSQL by setting the following YB-TServer flag: + +```shell +--ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" +``` diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md new file mode 100644 index 000000000000..8f759e0c4707 --- /dev/null +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md 
@@ -0,0 +1,41 @@ +--- +title: Rotate certificates on YugabyteDB Anywhere +headerTitle: Rotate certificates +linkTitle: Rotate certificates +description: Rotate certificates on YugabyteDB Anywhere. +headcontent: Rotate certificates used by a universe +menu: + preview_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: rotate-certificates + weight: 30 +type: docs +--- + +You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. + +Before rotating certificates, ensure that you have added the certificates to YugabyteDB Anywhere. Refer to [Add certificates](../add-certificate-self/). + +Rotating certificates requires restart of the YB-Master and YB-TServer processes and can result in downtime. To avoid downtime, you can opt to perform a rolling upgrade, which stops, updates, and restarts each node in the universe with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node is updated at the same time). + +## Rotate certificates + +To modify encryption in transit settings and rotate certificates for a universe, do the following: + +1. Navigate to your universe. + +1. Click **Actions > Edit Security > Encryption in-Transit** to open the **Manage encryption in transit** dialog. + + ![Rotate certificates](/images/yp/encryption-in-transit/rotate-cert.png) + +1. Enable or disable encryption in transit. + +1. To rotate the root certificate, on the **Certificate Authority** tab, select the new root certificate(s). + + Delete the root certificate to create a new [self-signed certificate](../auto-certificate/). + +1. To rotate the server certificates, on the **Server Certificate** tab, select the **Rotate Node-to-Node Server Certificate** and **Rotate Client-to-Node Server Certificate** options as appropriate. + +1. 
Select the **Use rolling upgrade to apply this change** option to perform the upgrade in a rolling update (recommended) and enter the number of seconds to wait between node upgrades. + +1. Click **Apply**. 
diff --git a/docs/static/images/yp/encryption-in-transit/add-cert.png b/docs/static/images/yp/encryption-in-transit/add-cert.png index 25dbaf2e456f91f7c666f62ee980b59307388ea7..68690f671a60051db48c77e52ea2dc5d5954020c 100644 GIT binary patch literal 185808
z{aNDAH;}A;`xbJ%uHi6dOEDAu;H*VkS!mx|bAo6hHAdKNdy)V^U(I)Ov_bCAXBCxF zdA@%t)xb&9N}7G_z=hsZmZmUvIS@lKryAW-mwPTg3%MtF>gqpQDSJik!gTJZz>z{Kjxm66redcWz|ZA_Y8TI<3{ z;w&3nTH8BYD)eKEaAetf&5hf9rBCvQs2%o%#-o8!R={fP^ zgUHdqg<*E4rBmZ?St)qrm#$JKb0nytM}B-;G|gW$l3dR>MfSbjh`8+pgpo{yt~7i3 zHO|(cRoax9HnOYh9#FxY-nJ*}a)W)QRGOC_8?_ZMRU6iNBe{K;%Fg^HHf#m2#Rn`W8!&d1BX~ev3lB24~kt|Xd>gmT^y}i`8_C)fQ8>lPUw+z2wCc2eyVkyC7#Fo za32fC1lw$|o#^me?TMeh7=I5vzKM0_C-P z?jOufoUBdA^}_b}3Gfg=L?kJ4zO+!UvRcDr!-eYsJ2ZUZpVF%H7fvN{CYFJ0KXE)0DYD zljExd+(2@B)v2?2A|!-1(QCKoE!Io>`wtksw1+zk zgjYppMF~I(-n^+3-tg%Oq5aLdsUg z9Nr|81{CRt<#e!`LL zody|Q9#an4i6-@X%%HS)(?mW&@Exeqe-JPSZ2dmlbpVfMCs zV;Lk{JAuNgHA`~R@Helr?L$YJdO58P=6#d()FJzMa&Z5x3i)+y%9a65acEx$JKTGl zco`J8OXBOQ+>nSlo?=Y)SBl8NyeeZl1*B*6-)#r~ckMC}LA2+Pv-fqY zi=T(X*nN!uJEjhQ`ZFwREnNV}<8W|jG$t23=543<;jYBUK^+m-pMj9-*p_TLl;?uC11`xImF$ zV&riVEs%CAb9$M$dku)`&^vs^9UlMcExFjVnfK-K+3~j=1Ae2)lu_klMA4Uf>QH-* z)+P54uU=L00&Ln-zl7bi)ysD#OO9zEPEfdi_G%0`(K=l^_mY$8ytvf;DU%zULv%Hy zbxitT-gl20&+l}W zUAgBnKc2NSL8`b}oj};Tu|U%u^-YP(zg!t?RLX zxdZ-Am;9DG>QIzp@O}%Md<-i*KO>6p^=2&&%nG@Ln!!<^5$iiWqIy!`Z~bgaxNO@0 zN}^fpfr44>y-shgU(OD%Jhachw{}@j-dK`mT~qDIvz?w-H73AKeSWr4NDYSXi-EuoS8e0Z^{`dQHT>?jeRK_zZZG>7*34wWZ{X9AK}ZWZ z_XyKhf$ zP0}FvGpm4_IrYCGFezj`ZruchPM?SfKd6`P! znxam908zqlw&BA{15hezo{vjMlt&v-2X` z87McHXLt5L%%u@0n_%C!Lk`I@NoRaaC!vEJq(guZfhJwOSqA3*i?Ml)0Q~@}zCH%? 
zA7T=;LAl{*-U8PgEV^-gABwf{_tRI5v*PdvQkpLU05 zmX&yp@~MQ;e6G6|M@cKTMk-=)rcfIVvKQ)TPy5;xLNhQ&N(O}T%53crEMhbDrj-V> zplP5s z2oxJ{ZUVe+r%`$@^JfcSR+KI50#(Y7UT)5@!Sw=}wM!NgRb-1{={a@8+bT?~WQ%#D z)&o_~fNWh3R|y4=jh>OYeSAR!u_op!6Bj%l9;VYCGaI5I1@@BTh*W9Fx&iguh%wO^#jt%(k>mu-jpPhpke$y8VeiVmk9YoP*X6KfVhY4!s^!HmB@ zg)fc3ZTljvZ*x@9VA^OZ=UjUL*yqjjbgiUjbFR8<-wDD&a4{(t$6A0<29aYjP{3Z% zgWlBvhzfKy(C;6H$1bLu0`L`8Oo-W)&S8#{*__!baPLVQyBM}FVx-Q%b*sxzr~&r; zbIhJ!{T6AS4kWuaCbSdPanqN3(_c|c{NcItG>Kd45 zxYffyvK)Sv2=NtJdLSN{=W3k%j<-t=01$>F3yYXG`lmOvrHSVY7^v^6itVZT}?a#C`O5!5y@qXs|I>E zTJA!%n0{rwb>1RS0(=i(Wm$2ORpPG#()UJ*(_J>L?6|*?I5^L*hE=xE01+%Fr^L46 z{I*K^pp2;~??hIRkhXyQio z)1RaYk}BebMG@7nT$S8`Ad{n!)AJlbH3b^jb(!qG+s=ENl=XGxgYR$NbxkO!JefT_ zeB}DWyjQJkG~`8a`Zt@&Y8D%oID8~+q*G}9T;?DXM>LF9O+-Dl+w>jKLY&bbz&2M=KtHU{gN8s~D#YR) zoH40RB8ON*i-w?^{O)A5DzvZ6^VP^t%NpwgMdY9|Fx<>-M%vLN=yS7c z*NKU)k9?2XeWc&yDT^muSMS|$OFGVJ_@uV}L3?o(LVJ9mD=4cZyF-R~Oz9}mgoZL~ z{BFf>GmLW!q_>wRb)spo?b=;y{o$TJv)>A5lrCoDQ4}-BXw6;qI#!Yvp7uxy-Z0s4 z8V_Iw<~4OAyYU*V`jxIt6|en|Grb{nL%_Rye>d*U9q9@4R57Gb<}|?Fvc@K4Bo%lt zhAq}3-1|-_Pg1R`p-jVr2ZzrYEpt)R?^Yga15SLP7?4&In%+w)kMI-HTS`il)TimD zVM?@E!zrl94d*HBEyV!6Alt=iZoqbRT*8}(QBFRQPK#m9X*`gVR=<9FvQc5$DL2!H zp#E^QE=b4tA+H87ZZvNbWKSS?DAY`q*vhfNu)5SGUAqNcv@LP0k3`w*5B<_d;mD>R z7S1G2bv%=f9QF?(O3E6L}oKm0pc<@!8Sjd~l2^-x?=!QOY&M z{_fCBQDK~)Mz+g+9Fw8ko#c_}Jk}@?RbTh%P?XtyZ=H}=v+lEZ@8E8VDC3cGT&KHP zfI(PE`2n6hTgA#gMjeb-EQC+JIDZ_NJiyC!m+{TKwFfvb;FbouOEL%MA#+#Qv)hEq6z3=F-0>G>Go2w~&UAR>D9Ir*j z%S%(lR1%t&eY4+OV|La{BGwddNb){3A7_OU^$jd|BhDU`mDoL%a0=kVK738IN3R9t z&rZcF78&4w{gRjzR5t7_-N>m}7XehCo8^A9i&1{Tr1y1B0$SBd&`0oNaQFj}20#X%aLwQT76Gv8k66iR@c zHsLSzDva6$*_dbpZ!G>B?C8%eOuHCGo8{M*Bs^swShEv7W_*v(wxilqRffeX;JR^o zE0MDQo|;tJSfeY{Sb2%raq>|a4uFiy&Efp$&MCpEsWis~+AaJRhVy($irVz8(~%Rf z%A@YZS!VCL`otpP@87H5n0>c-IPnt$>)gpQsS!YzezvKAuhgyrRCw1h$%N<*>Gl*& zubyaE<;iHuFR%GgPCdRmJVyAW352H8;lzE?q`Q%+9QL{RRzb0$VSpXze2Xe0l^ifg00_wzN~N)2@~x!}f2^3;t9YiL|jgh46_6*LFT~ 
zJ~h%~xFqsNdW`*b=!zM!DkHIn^#Pl`_(e~eoDoN|;G#q5@y$2+BOBVEnt4DpvMsrVYzGjhn#S`v9wt?!T@WAzDo)=Z`2yWzHzsQ;cHlHmz$o>|8*0`9({LUz4hO{`oS5w$-<+EklC#;OXY8 zJ1y)pD|toSWT9F3F0Sw&0k5^3e^azZsj#j`i-7mNppPNXv3_fA&cVOu_afo*Y9dTS z91Jaa)F?up!*rEG<}1@i^{PURV%oR0lsQXVIh5P$3o?4u_Ehd`2Dt!rmQ_=?eO=etFr7plw>ACQ4V0eicrxyW*IN+8m zD4nmponS5ZY%{;7U*l|D5T;SfQAItSYpx;7svyV=4w-wU%Q}rPVAdUbK8_O+c?O_D z@W{uO@oBPpe8)fNia|LJ^0g5AUxYj2YFuQ&KfVBKENrjlBQ3=lWbmw@Y$zy`lM2Bh zs~|u*KKL)n;>I1jj3&&G9%5sL6mr(|`hu_ht)8VI%fhPrTfG8Fg$&e7Ky7X(gIri6 zY#hYRg2gjQ#o!~xTTk+?U9?xrUmg%X{&C48I^lw4=3C=vZ9aSV$-38(uXPmuwZ{_N z7z^465%awO?M>FXvK?1O8#yc8i9`wWZZQmy{3gqlCmG6iW7PTSvPuX$zTmiU=H(a5 z1UKHo@J4ml6a&d^#V*=MvfyNN3mpyYT5gA;yhEb{ldzZO8r^`tGCR}G)fr$2_Tdnb_YEW`{yDqAoQ{94`OEb(5GqQ zDGrz$3_DKuw!RJNMRmZY1f)=nokw<$t`SN6BIS|3i~&tBM6fVCFX9$#*wAh8Suzi5 zqpQDokQg#*#zM>%AX+;9-lKe~p&}_cznOrU?$7i{FJgFr)S71)3hUV&hgU3be{&D5 zpSo7Tuc-m9Du&B9*xb-at%U!ZiHfg}=@3GUVJ)gtKY(Z(Vi=`sz6gq6EK>}JFgnhl z3vgijuKyx;F3a&=^v$IG#j}iGd1D6$1gFv|KfMzS=l0CBgQEQ5zt$(<+q^T4lKStV zs#6h?`iqGECJ>6cz5(4u)Lvkyv%dKVqYw;h@xxUy=U*J&UwmB)Z?K8+p^U#~DU)OV z+T}RFL<9%XCYQ0v2~0tcJC6MhhAMfQ{K#eG%fINEB!MyG0V3+ZhpO%+r+4Eb)~#Rk zOssG8pficm1q|a6t5^)lh2exYQC=JM#ZWJQ(JXTg<~_mNB>tME*se%Ae6#z%moz8o z_He*Im<4V5?}Gk!LH|#mP@r|^v^Mg{K^G)d+Ve{Q0az^=9CTstV@Uic=SdJiBc4%FvLg%2cW7Pe29_XzbJav^mN?9@adC20X>T~ zn4mke>HtXe^CY}Ns1b1k@^Kn?-atlsQFMKP-gBTYz#V7%NUz1M0Wgs<^n480{1;Om zqfY_&mcr_x8gU|eukFWm%55g88Om%X$AV;1-L8X|yU9zF12PA6mZ+*bd61XsJe_Z}wrJXj|lc9WV4XFJy73df}4y?qalN%8D>|4rsuL5Q_%|*bD2UM!Dmziv0KmE%&_}s@@hiAB|B#eKJ^FNf&|w1 z8is`ft9y;om4N0>`7g-)?O}k%4r=awENXK1q0pdUX!VPi5VxafNtNbM981!_x7JFL zx-J*LTU!RT7%qJ3sw)s5@ER6^4TI4lSqEm!Jh;VF68Ogd`mih4!KMI=+M#dGDkS8D z5u4aBb6VtXJFWSy70`%V`nyJ4nbapzBoLuVley0XFUk&t(kj{6H`hiUJhoKP! 
z)&H|#e~2)JeHzH=?*L*orbb}mU^FmJnXyGAj2M~lWRBKid1K29LIXL7{JYpunY4&l zpXXK?haD9R_C>i*Xj1vJ7?O>4Sz=n6Kn(f%ubsn0&;-xLRFGk)%I8GW&Mr~+AdQlA zlDm86lT>3vRSt|Xl(K&vsxKMjp>f*)rWCI=S5%YFxE?H#>c;A)+vIXEZUa6Xh?r~n z@K@!(GMI>%ilLS%QudG<|V}E z_ea+mz8~2Kmh+~zB+l5@II)0S4N%>2?$rj~*k6`%fZDe;A`5cUdaIGv2VQ|Fp?D+a z#)3TlY6F+`F(VgK!9C?``D-_`AJ?GJ%~$2T;Vmr0g9eHdp%SS8aZxbVz7JlM~I*K$Y&e_=W3M$N#J-0qmr3=&gvM zNg)>U!17LR4%27hbDxU;z9=$aQT)SD<(W>aL%d&Pi{gE2EQ0XkwM~2=H|8nE7G9?BtBCbs#7)B>%*eYMe|=~Q_jM@L;z#&E7qH@EChT>ZI5rfX_)Q2Qb2Y9=rX#sH#ZMIMaGbp4?R#H0RGmW)Ui9DgzsYgwwX%+ka% zWPQ?-)%Y8!prxS`K)h%j-36-nY1x3vHm9VX5lL` z7=SV;KzdV*1xl*0922!%`rB@5QKSa9`yH|`3xOZ1GR8Ml9FNdF+>H2D{-@=-!<)lS zhX1-AtU+3t>+f^r{4Xomn{RDR`!k!S2vi4x%x5LPBgBT_hvPafX<&)|2VFX)W=tTn|IOa=FHj#Ve5SG79 zp_2JUO!2}$@cn^o&CmAJk6qN<#K_^C zE&y$b99|)=O`vl0mv09B7gY#F7LorkDBm;F4WXI*?5?vgVdk3m+f%`5)c1D%wBFN3 zkJP~4lBK_SbLFIQU(*oA43p!GlSr2ed1S#EJ@Sl{_?F}vE>`$d-up;n7vD31tKG)V z>l34+lQkX->z)fce*E(t9kF{=?UP6I9d|C{-;=oDhZ3{m0t!GEuTj7F$AXk?Xift~g4j07~7qbJcwgMtj z(qT09TEHI`IG>b8i#qX>4IrGETCSlQm)SsYj zjoTub?7MguTL6V51`E^qstsWC8Gw?6zR5Ufn#KY|GLjlbg-cYiO>%Q{jey^`ATwTS zPUm&Fo%1ud?BjZtYQ6Uf3aDRmt&5+3B}Z(02=S8|%al#fU`v%j?j63)5zxU_^*(4f zXan?(JJo`)2VB(E0Q|_IPA2UA@p|JLHk?w>y%gT@@pMJAo;_7n{>aoB+A7zx3IwMk zL3v+F|KyhR-KQ6MSx_5!fcPs^EI@v4Hv1lkAk;*x>+NQx2&<1lH=|(nRpFCm#o}r2 zqsIH=_yHRES~SA@pYb|U`5l+2&p^w+VudY$sBQ%`eaj)BC=LfH@ns88SKcj2ZUqRZ zh*8^Vue~T-a_$!67&t?%`wlX0w|i~mH3!)b(5s}L!&G4A#ico5+bl{;>JJv;?Ln6s zldg(>1^!mhuuQv?v*hRa9Y0jcwf1wXTXp#w(!Le)`~<*&SU{6M>9RO;rAJ0B_`L}8 z&AHZ1kXF_82xG*v<=a;65ubcQ!UQ&iHt|+0O2D=y=fOQm0x#s_y1i zW%k^N5my3a+jwfs^wW2XG~VALEyZQ6+kfWJ1dv+>Ku|wZir?cQw2#mL(8TPU?wHQy zUlLVOAmcu_@h*e0U8IJ=!86$A0r}oL(>;;T3F)z3)%^BNr1o+rQ23E$tv|N!-Q+W` z0z%M2#nM4cBmej`UPq=W)J;FRNbjw_;?0s(_t$G+hj|Jha*@iY~(jA8Y;l z{s(&pxM|R!Pq03QS~$!jeq+7Q>S!)1#$POA|Z5fq5af4IxJLh*K365Lwtz@U8fKuYZZL-aL-3kR( z&=!m1`4&gF0G;JnhJw4c>E->g2+N)nQ578>vU{~|${vzAM?h`J z_~-Y=zG^2+2iZjT-StTi2T|K~p!C3A@y&en42W`=#NTxG0!)QiH^FJp#z5bi3f?no 
zv5#`<-^w`yB^_!^t0^L4V&kYVom)e6uy(xL4@I^G)BTIDW<3@~mbYSB*sWx50pIV@ z4*yb$zu5GHQ|DfX4L}1jF+fM{f*yVGzTaNql54PBgI7LJ^#nZ(~AJwAIou?HhaGn%DHH`?4lt?GrXZp$x%+=%C?Em;? z4?d{zpwM7!C&zTmpUJ9EH`V)imde!Y&Tv+S7vMvikk)o8G~X}wjVc@%A8@on0af}( zYwt}G10V2}hb!=%hKKs2A_AG+I{-IA*86lTIo_%2)E#7Ws!(lQ@&+a^{0i(qAHS-0U!D)<*PCu6jq9b0w9$|{0Z6~5I))f4U-wu z%dd>R`bV(Av6uosn$r!;n*7Wi=9Ei5)1a?S9}r}kVc44L6`e=#VBzRFbaD;4mts|v zoHO@I9^e`ni|0C|bhjJ>aQ;}{qChO=TC>t8+S;)l3B3Jl>9tCwiy?`Q<9I&%;vB5u zaMIn}3;y1B_7qR4VIKI)Xwy@eKLkymRvTq6A94q>tlIwN;tik4(wK0e6M2sdqsyQ@ zYQ*%}>7MhW#Z{O3Bltl*Xz*5Y0(MJGyrEXdOp4~Z77)k~t zMvmtgg1cS6Eu$*FMny)xbMu*b;sIG^anT{g&9PD>#q~J$4Xm|hvhs0wvQhMNwz++& zHyxdJ*K50%p|od;g{%_n$Fr8pcinNK^z#(P(q;S~j`vGmJr)9>8%dAmC6*Uq0-LYR zDh;zR3ORaVH(d*d3o3M$sTcV|Za)&Usr+^YSc9C=@zQOLPk>G_oj+X9`J-3g#JwhA zDl?ePB@fku$a!JpP_vMlNlO~nvowFmv=0T#+zqJ z1}~^{P6KhhFQao(YwtT^dw(lLx1Q9huI+PvHZ&`W1CWvjC1Yo$oIVI5Zf*q=M%yN1 z1d65wFxr!Ix`35^0CsB&^Y|Tf8A=f0*q0=Y9W8?Vvh0kjB%lK^LQGL9wS5~5c4X~OgBYGX?DXr`T-Q1zs@J|jL)&Q zelbiK+BYS#dt$kVSI1Kt6NwvC`gV7{??*S;>WH>;$|lAa=qG2o{e5)Sa(^eC>ZFDF ziihkd`$yVyFRBk-bk`)Lt{EtAF=HOaTQt=~Xu6i97d0>*u{}hSi18O3WOcMgG41L~ zbed0>$I9}wcdx=u+4f?;)Wts0>Uk%KJgz7kTo`(2u+y0@ghqo3Hv(X`#{`_@Y_0nd z4Z?7rlO20N(lpT+B!V2QX7VqOz@GNcwMKAMRG5dQ0RdM?zE+tNSYZ~FVEdYu1lf}l zKsMn*lQBZ$9vKFjd2OqIrNCWTD{v{lc!=Wj+Dujerf}NSy(ZSDPxND1MSSA%(+qf4 zg=y$F zJxr#8U%AbmppMM$sr9RkQ@0va#D!W{G~?o@`$4??;-|z+ZTI@ew;TnSDVp1E#!-F@ zQ1~j0n_{(Zwo14g2Ud5gIQwXb3yQt#hn*+=99}q1>p!n0b?yXfgY`0@Tckf0)GK9o zf1oB`@nrc$gFAnO0^h^3E4TQT3G>&`Vtfk<^3Ag+&Up@g?m-vm@Zz|U9}gGo z4B+<&V8N+@YdT3wp=5$k5#g%nn zGzJUHa&u)ce)Cp~>tssB7xV51^<_4Dcw+_g+*Tt`nwEjL8p0}d1;+QHLddv7*bC5$ zVkw_hPf>l^Z(p|7JKW|*pG2&-x}I+GQ87aMR)>l&AVtHqC-s3c&PT^40VYd z1WJ=8QCDDO_`r3Iogcdl)6qnKcm@K2{vrcmOiXg|YOM*yHJvQI*$D}>&wP|-8@N|( zcQs#um8czy7%y#(279-;LQ(Muh|t{!&S0{(4{*ZTG2z()+JNsz)y)?+Sx>?sK8XVx zAZG0<4WC>D!50!V`;L{Y6_mBD-Fzj9L(0lY6JosqTyC9EzLk459$mx0ZC)2J?Yg_A zRyyN*EQ%C9dm&EdMj?-1kG$gBq)O=BKcRe)|fk zH3g@xcrb?6H1<#bn8SR6L)V8_`GdD%)%~%iNwIF#F+=JeSj!`VWGYK@cyK>K%@uM8 
z3%q*ZrHS(~m0-Po-W6^#_WfkqtZ!q$&yi2uzWxlvU3Ia;^`(nLAS9s&S258fiD#tO zLnyY8wwyeKv=O6oB3-?PmJZekj+{Uh6T#fw6qx4RK0 ze7GQi(HFcCxNo zYmcqAPOD~e3nI54pZ*M7v*Tj^@KjFx3d~)owib4^t6b2-isHEFaJv}TXI74(&`?;0 z;cYA`+l^^c(0(g+JkL)Q8NC(8X0+Gu+f_yymT1x$XZ$5LyV_hE_tNZ*`vu09gb?eA z%HGTDd|ik{u=Zo-ub1!`t$Do$_ulO$6z^bOth>M(RU7)nrn?{QjD025S+M9_yzWE@ zax3xi{k5f8L0354gQHFeY#$hTOq$_^lv|IF4Qdzhb%jmQqI|5nNp+$AlxUdagk3WX z273dy*2nl*R%1YLC)XNJw`b}BpH%pnfML_yZ~#_)$Jm|-B5M;KT-jrP5zB)(8|!|? z{`s-#A<5>qeRgTbzHe;$$0u(JZY%Y-w@p!+?e(UJ+4A)3^Pj?OFAZ!hb1hej@&#bQ z#w?{gwgnEC(qp-?J%YwS9NKC9@>I8B?EuL9(T{}!39I5f3(o?11nO$PzV2ApuGjXb zOL(sXjhy?kQ0Dhcu9^++jPb+9WjwHQ0!_qB#Q&X}AO7pVe1Oa~Qz zl5zs}a;1!WeAE?eKJ(Y8=A6z)-xH+U&AOvOiVHX(mSv17jg$3t^PH|dl$>PG%w7)w zOc@zojxS=jqxT8SpW0_5pUhwFnNEIa^- zj|x8LbYoH(n`|P8NFUYE*MCMt7+;JN2COQ>XuclNpKb}}FA+ZAcgOMe5`Rt_#w@46 zKn9Jg)nq>Hk6hs|i|u<1&eZ&LB;7e@50k`^R{?ej#{GcwKa+#k=787Bbe4Jd)}MAC zU@XWtHcObxjMIu1z(gNApCV9?0Vuo@+N)2tRXOfoq z)5XEeR~!liDiKy1tl0lKlom`7b1KhE`=9gG0|CnuXH;UZ{FkBp|Fv{I`If`c?O;o0 zeDqArH>jUF9<8)9B&=j-y>M>uzK7R2Er;adcx+i48yowIjd7S*SfW4|y}^wXrm1-9 zoEPLi^KI-PNl47_`2I|L%F6lI0Ax>P3a<{^ zKAbM%0gg)7c&!HyI9X2q!>LROV8^}CvFnU0%Vb1qRF#%yEC--2Ae~$Lm0$)tVe+~- zOMTh*{~RO0jxnTMKn6-3N;i`XX~MInONI;b9xkGL)Ain^u(Y-Lv4--eVwaIJ& zhV7Wsg834kiOO_c?T4V>>B=?+FTU}044?|-2-XbcRT;!U_C%R*EJFssJv`d8T}i+0WQ77r`gcjtm(a33 zBfRqmGXI75;*_I@ZonRAg;VjfMj4LX=Vzy0%au>VFM{Oi1q6yEI;sFkFB=`lSmLxk z(JFvMBtc=8^eg^xv=S(K}&N*ojTZjHvddqto!0dWdl$S+-CLN25GxBTqF2kr-9o5o7$bz8RFSLep!da+!yFOJL7Xtdb2<2^gbvon9hF@H%$2;sVD z@1^iGd1xqIn#VymUMM5v`nhul?C*mVL;9$gnD#VDSriI2;^D5Fe4Lc>=57cz(>GjR zuR}T2uK_4DX;KxXAL@q*Jrvso)}iBvYT(2o7X8yyntcJ5_a|8lHB(YViOOYI*Anle zKhKd!5XjVj=i(Ms5nwdUxQ0yVb$E8}c|_m_ZnU)WL%Aw+$=rhQrY|;}djlo{kbNH> z0gp;Zh@yqsOLf0FcmJtCL=Z$pAFd<6^YT8BM9jTSBBc8>(SU-2yG7rS5Yp&iuMtGu zdPk7)Txbgo2iELk69Y78aW0=o6v^SPa4v6(pasX?HAEgk)ZMDh9~QX|@Y>ULLY`b{~M}-JuPCeC~b( z0g?JAD#)_S21~`-v>IEP{;(uMjjb+l+HH5ON=03r9(WpvXck=p2$uk_>AA8rH1)+5 z*!=ve(PzJaOgia$Z!eW>r7e0w$e`6+X~Rc19HYr 
z$Hb!Tz#q#1p7C&Mx~XdIfIFO2RHb&G%zH6IHm0>L%DAr(t_zyEaEPjWjc~Yf{szZ3 z1GR@%0AEIlzuN7qa>ydOKj7JV8OBA<%c88W&$_k97KubY1Kl}dK<16N0FP1nPe%e^ zxv&9kRulk|&(J^E1?7tXjw^Aemcb8oh|T@w)M23`0{FRrcU@CzGnspT^Z!JEg#{3;>mVTMM&TVS}tiL9k+I@Mslkso3bqLkb(VF^oT`y%0E5+pXV*i*+ z@Ey>a7gr?tIOV{3E43Q^GSS&z?UYwqGH`Hs9l0Xc9Qq#%_d=u^IH-MtQ+h0aI1%0f8X9fwY+j7cMjo?P6NlJ9TWkQz-L)>%Mn1*vW2w`Sdsa% z;U<%4w4Awl&Rxfz3(m?KMfxm;&7tk!!ysSNdf_Ul&>Iit4sJG)kIs*kn?E>0*V|@J z0872O5I@V&?wko9FK2&N-#HHuWlXcp^~OA=`uwG~Y)5M~E+%dVo3?Z43PvOFh~}FV zMjKwc#lgi^qxP{6za@4QCoWIql-!uMde&PZC(LNW)+dcBCM{WqOQi8eohsmKHte=j0tZX!itJ!Orrk*(L(V@g z30k8ic^=z2SAmGP6~I~|nRq;Q?;Ze}1Ln^ZlZA=_IBi5SmdmmnbV6HpTx!zg0QF14TtKhZoaGD`*kd>CfBU=p= z!i%!xG1L9o|7t5BTC?soqS%ZN-`;U{Sa51Vd@df;xWwLW;L6Z17(as==6mufI(E<^ zf9SLMQV-fFnB~w^!)LQKi`}$q0(>(Vd}`mX8q?IJL;Y(CKnlu#8we?u90CB!?v(Bp zSTPeI0v!pir*X-R+T(C$t@qU6C4uma>GEJ+7Cdrq`b>m`RWA~}WX*bY@b=p1S5|jn z@s0NHjlq~tyKI=I*X(gT%X&jN9R-prV~riFlpbpglhxL&JWsz!Y?yj!o75!U5%PTJ z2r#0o?q?<+=>Tl68@%I_s-Lsd(ZmllMml4My*~Qr^0}ThjVyzbJTmHmCio`H_Ywz59-y}mS8ZFsHN5t0VdurkUc`{K zj%jrBTQ~Sn!2`^L{BH_~$mm9mNdiHAuA+%*Fg3jUDVH*g&1GxuvDI=)<>ubUyv$sS zKjtE>S&H&#e4rTx-Z}l|9i~S5MrUQv1BiaZ!ByO3wCk?((mf^%eIwFZd$zdl)s7%r z)0@I;O6D2^9n8z7)zLT#)jK~PC(nQPil(wNGjS=X*Oz{N-)7xQipm{o;?&i>DN+>_ zSR|CKrq(Vc$e_Cin6Rx9hql&(rb5wC`w7<(5X>byWgCw$`bLKEWI5)}Y%p zbt~*%+C`7G*3s>@-euFQn)&q;1q%KaeUFVOUj0J*M1H4Dq4vFw$o8E(lV!4|cghzR zx{vkdtDVp*UeOy#yi;NuCC4ZKi@mpu%Bt=6*@AVhQ7vXVO#w0j+w5inyr-DB z3=`LscWhuJ3v9Myuay_q4M3;N?b-uE^c4!%h-*#kP$aJ;Ig-+23r*Fiw6rec1waWrod$ zN2M#97Mld4P=MIQJMA}{Peucj9ojnEx=~Uv$DBH&itRg-LrzP&%fNLt<`CFaGoz~u zgBDzI%&Oa|KjC=0Yb}TG=UKI(rbWQC4Q#%iGhnUT+_sHfv$I^)UA~-kUkP0l9yL1H zWUM={+bwNUwvunZBn7`x|G4Ha9l_i4U~ui_d3d0LnY`3VYlhvpKTK9JaQkf8ynvm= z=J8phEAyMuUQMR+L*@B{70#Bn+biz|b(d92f^7zzDo(a08imy_8fJL~9$yxS zQ(YH`Lz6ER`@7o*;?$KbE~d%eRer-=9&vWk!7_J2;Ks~y_L{Q#*+pdm1OK(NYNeBG zDisA&^JoCltW34m&ea-{gXu8!G%#LmnUsHqhZ>T`KIWwrM$(e2BM3~@2J5qUSLU15x} zQ=@2xN%0*8K$&yg}rS>yyKaXp!WO1vI{}t1Q*!-aiuFwi(KM|Spzok 
z19xIc!d*r|=}vAhuHSkaOqz=6v>raUU9W>9R*4p<*s%>&G8XUr0fToO#gaxp!<625 zm9+D&ElAymomtvv`SZj1pr#qLtZRk6L17}b>f_pt(Kh^C-DjA+@b?^BVf?&RtWkrc z0Y!tPfy46SXn~>KJExiMpWzE9eV};ag}@8txq+ASHQ#6@vb{*RM%k2n{8#G6`_z4M z`8I>vzdFN2u#lk)Ejq4mU1So)+gc0(u*%LN_Z-1|Q2SddhK0JM=WCkC{F?4p#A7?9 zwC~<;)}XnDRp)tjDU}rU`R8ccX48pnJ_2b>F)bGq(N;a3XzxwpEv63ENA;{)|5`f z^Qu2kargMmTtX~XVwb0bmRTQf9y@>S{p;Cetqr1!pAET@i0n)H1nO33V^hx`!4r4` zYF&#gm`^g_pgmxC<4FlsX!R|KqE~o1$^8tBZ@I*WdJ@T9H_>n7;`xVwypqQD#-$c& ztw)9aLvdUYaVJqEqN>tioNB$f#&WYK-(bmFq`o{j*I2ATR#ldHJDDl+YkFx0GJ?|P z3FHc1R5d5vbbwf{^|FDukwPhxx~53 zi<}OzDL)?Py(um(P9vUVbxK(FL!aZ$7S`1#-|Sj}q>QM=t$?KC#-AQD{iDNW7xd=( zi>^NEo@-50YWh$fjGf9aEPJGKZ2IkLem=QXzwpNDtY6kg)AN6Q8y6P<@~Y4paFU>q zUvy(-gxC6MH4_o)Sqe&T0GwrQfVG3m&x@qcTnuh29N2C`JrxWxE@OWHGK2{7EO5%@ zgUgyP7TXDSFKw!TJoZ6%jvd$EpE&93RYM0)OtHL+hW+HYzUR8aat>x?qal3$b^eG; z{Ntcc>9nHal5%%W{yBJOVqD3Ps~z`8n`3UsKF-UlxVZ;qo}w73D${P{vj6$^Ha{yg zZ~t=yRGt`3{A(^nGg@BUS3QH!BODMT5&fS3UQTAaNq+dnh2v(bCmRpog`W!Hff&V- zg-|i{RbHj zoj=ER$Qj9i+~R^9Nv`)&24qpfp5p!X0_1&=y-3Rc_apeEOjj)?`V(@NiVwaE6b#KB zS=sPFiHr^lB2i zm)G!ryB1Uo#W1E=hj0^GQPV+8`GdQSWMNv6JPizqQP_9sV)P$d0z=tLDH%i3Nsn?| z^{8(+*I|<1!!oc#kPebDdiAeINLlVZoN6wT&>gpkIruKz_*>EO@z=>}VVrnmn*yN5AlSs+ifgAMEcU*^>I(ooirsQN$biqO+5|2~(UPeul>TATs1 z{+~`mXz|`GH1{WJV-WU#yB5N-<}jvPo7aZKeZH3-J-E4hdA?XONPPXzL?yEK^uMHu z<^J0*?J;ISjg8aS4~iY3=qn*Hu_r1ld5T?PKJtv2Rjl`wl{gke1r2a#a`;;U2^&JXzq#V0*L5eyF!)!{y70zeEOpRCC50(iA#HUcs!Vw5dO8V zj~S7(zq2p>SG)87v$*Zz(Xp|z$W?;Gz&7*r?$RJ7GyZ}3=^an#{}lo^#-#=wO>X(}G7MT*@TCPIWC${g|-^=}i)`#(CHt(s6 z%171rZ!S?pIh${SiaEG>9C+=-G(ATMe|t6)dA9E#o_&Myo8Nstuzdw6wIK`;N==z>S8ft3?Eb;tXbA36TZ201#_s!skwAQ!wB$+A% zgO>JlO?vQ%3gm;0pN2}y_{jSa_U+F{&)#|CxoCcso0y`@FEF1k9c=I5MYuayUMfrY z_y;FO)9jyvGtTzUL<9XU*N888?5|ul==2YLu2c;Dv{wv|`VzGf%VX{<%kS;D6(i>n0|A@>dm;o;}16_00ZSK+z(h8*4Z57Ktum-TH;Uj(&pdciCS$kLojq zCpnF>!EfL91gICWk@R1>kAdVd35~Mx?@vN8BJu3sT9SeIF}&0C_b2Jz%k{-(?0-HZ zJ>66t=hrnS6pHCfM5Ao>`@@WI0reNsG5O@2MA4SU;QA5`3dx^9);L=1D2n-JcHwVZ 
zcTNVxvp@8&?TCJfkK(wQJ@fmcBFLj~8z0!Y=%e^Z?f?i24O5bnMVA!}g4y+&J7cr{ z6{l~$jBs>t;85_Gi+&7`e(x;~=m+eFZ)e@O2>0zOJt7Ri_p~U--&^JUzSL$(d$Ls<>q!DRkGapz_U7rEYAL9F5qU-rD?DKEmv!KS z;hdeVa8;|S-leb=nr@3$dy(VEX37)o9mKtQTMy%Z_}a_&kfs6KY&070hdqm zX?vVV!Oc!@@qJsWSst-jRDJ)}47eo8>FNHg72!n1%yZ)8*Gh78*^Qsn{xZRYF5rUH zU-$G6MGzu9m|v!(9s!+3<`i0By@jKzce z3Jj@5Yss`fo_|4=qIsYD7t(5l1mLP!RGa%a4WCCK3k$2%f2-i=P*6!6$4~E@9eSpS zg(xNdw>B5zfHxSNXWF-%njc~&N`@F@YELv%OO1st+E4>Tu>H|ftt;J@N1{zd_Z9de z6~H2KZXVxvtAsH2<`(x4+V9{Rz!Hb~{L>P{&91FUyTAKbh$IfU{k8i~g_2=P^!SYX z`i$Nh20n2S^|yg|9oF-@^1XdWNT?D(mAAO4|5hx7m*6|KAH?_Pgr~k|D*k#dAV8sU z`rlS7l`2S3pBu;isb;5j_VxXiXwGd@a@r-n^e$(;Gg#$S0de~oh&yN)*9Km;;4gI# zrQ3KWl>cCwr-J#aFru-KHgvwYr;FqNK^My-0OhJmsG&#pNb0smt$)gx%Jbvotq(I9 zqDZg%_{%h4Upwt;#C7PB`~GpGIsw~lBlMkcf5fOedvnA4Z>#~Bh)4fYmxrA1z?|-! zR{S-?1$cXll;~f&64wpyQGelGfz3y<6ZwUVKnDGSn3T&~HQaQ698}G?$X|Z>hpm-% zhLl?!fbL9qcXMU>0y(c`?kj>t6-dYd2TJYqyAq4(OZ>Lx zCkQeYZE21_-+$w&Q;0M_Q1Xwe18MfwawUI8l~Sq4eHqzJp;ILHO08c)%=+@Yl9H?} zjVsOxgJvO}TK_EVf#Su|t}@jEmR5i@mQn^C*mJ9Q~^46P@5mZ%*APi(t$T! 
zk)k_w#(nvokKWzdEgfP>T#4kj^FmUkPQ|5-CIth8`h(%lWlJ8lm3zt|G#A9mdI`MP z1O5#0Qz4smmG!AKeF7CZ@}XpOMR_d0|Kb%W^Q;NyUb<;wX!u1R46IwOm;V*7d2t%K z`x!2qPxwr@Fbp6U#&g}@E(}rs_ef5;H+PaiosJw;Vm2;4CIdtUh7KiRt3s*C_vj$G zd0EEc74ID@2bOfFT}No$ySZ`R#o?Dx_H6G)(fRuzP&rpYtPs`9o03ewdGt}GX>qCM z$J;6C>Bst@FAfN(e~{~*&Sa-X^hVWRdczrm=rIY31mmQzEOjoC#hxIEx*&EP<6oLh z=r96*H)e8)@8^895AJ&pTI+k)mq#iW#o+7Xxi5qdk3vjA zH$&?gE(A=5un-_8)jn*~hu%4n2mwT@@>onge8gqkPY;o6K<;PXnLd0Z-yg~$f{hTm z3jH=6ahvtt^lVHqWmNjU14sn`b%t>Fe>#_;*L~WHEf{-jr!!LZ4ZY)Q{3=rOrAc`# zXXv*#R#NiI!B2n$RZcID8X(JQG_m$I-5Xe>uY7+iL@cUiVwZTpt=64ZT~15PDDy=W zPM$?^bD5nIKpjN#Rz^ohAzy`7Qcc4DeTedi>eSf=^>V!+$$=J`|KVf#5ewL{wtH*y zl1LA9BqYI)QSga^%W^fJQ8C>gmKCyLkW*wl%bsjIpYZur&=(ghe4{t@jKZ?dU49`G zXpl<~bwUeuYpD?N^~wp75AVtNS6udIRAPA+(X)`Z69d!ZAz;NrxJ=3?eu`+yxgRGl zRTmpbC@d_pUuqB!5p*ioJCQhi(}$Q?^X$G^^BB(SW73j93Nb~R7(fCaH9C{JR|ViB zitHB$CX2A_jbu|vdDuAoACJfORoi z3v-h7nq(N(ug&f$b>ZF@0m3f~aIQ^Tg9-M>s;H>Qopt0_G$Gmt(>!{z$ZWiBakLIU zrI$dl3y|0nP!yTUkCj;|UFH1Cr@4-JJW>+|i&hL^sN_8Ixo{H2fy;=q=MafHgZ|=S zU`0>!&px_=m&v(F^vWYtEKM;Z9&9+f3x@l)k05B_4DV z0Xm=IASeWaUVE04DOgSng}uFK8o*vOoU=HA-DfOsEWLjn?A-~-KR%|1!DZiuh{l1{ z-gl|?w(`Ff-umAU=`b>;g?Bk0jI>eta3WSwu9|83G=PUbf6pWo_T{x}{FlrA%K-3E zheNiIPxrUI`tMlOe=Cr)X9HaV;qi4z%h;xch}~fN-8GH3v$sdb9{&2)zRM3WD^kRX zHaYayo$;T@)!sM%R{}N2)$@OjX)d(q|Lc*w?Ce?_@`Ev>Lm2vqQ6b$&TV1T~5`Rx} z4(}wYC}+I>z`Q5HQ@}H^`yU@`VENI@H2w6VOz!u%@v;1Yy&d1UhJBoLuK7nsVzbyr(s!_BaN3H@hH^-m*s zYUvUm&R)|EKG18+=+pmsV(%vebA)GN^8c^;e;L>R|J16tQ{4feCFBfGZd)0GHIfY! 
zQ%gzD2fFtZSF;-ypfWCQB!P1hi~a&6m=_Wfn8OxG%=B@=3c*A~gGCEOBkaTI_w92~ zV<;UubmVHcr6WK0IVhk}(tv9A><70(NU1U|ve&XQiy#@6(DbL+65y3Uk!Ww2PfCqC zJtdtpn0wk4H5|p`*-A%TrBqATmbv|87iu1G~Q`e z^-ClqVdc0;&=#z~2`rIY&Oi#er%Qd9qhneZM~6g}doJa?)2<6_%`+t3S)vZ}0MB?B zDHJ&u`RC~0(?wTov8v>DZ#9`h!R+!x%fM@!uZ$m<_J!*mrnzJp6u{YNO)G?|rw^1^ zv1PrpOeBQgHa|sdioyeS%n;rL^P>&?isxb(ss({S7randXXWMV01GWh}8$F^cPNOXR% zY~tnjV&Q9u^WXdlGgr5@zi6q!$QX%nfl$=2a(`61F z1w_Pn^&ns;oeq~J7(o^@w&MHRbeD+7t97A_ic2DUcNH$)#62;<^s?a(#Qoh+S^D-hCwc|74>#f(N$`fx4*&(y<>Gv%CjjC zITXh+b4h2?mCYnsy9FFJtjqk)%e%)q_SvQtXk? z?Y82dR+lVuw6_*yo)#k8JLLdx8)AUZLb10{PcUoixeBrFVS1}XnT!XJCt#nvK;@lWk9Aq6XBi;2e! z4KpW$DoQ1R@9%7zC{Q*9IPEOW-9F*hK6}EcPz=BV-xI@(Uu-|O+4@2EaHjhSpiD)% z7r$J1Fi%<#-6=M``U?GewH!q{c4!JnV-nKU%Tyef!qVd9lDwX<4)~XR_pM7PE#)(( zBzMX*`LnLWxE|+sHKu*WY=qfHiJ;JdSiK*JG z^3Y4b&t!D<;TMhdo+d{k6)EyNE8~I{$-Vhx#y>N{AAfkFGXN+AT43L+naQfwG&m1? zQT1eu373kHV9J`AAza#_E=)qG>E4p5KkeFLZN zIu5@#lH#xOwCljR{Ut%mqp<3vnxy6=OKtjVW^sFT}$r~PUB<8#oc zuLR4=^VwnVR9s zK6%EmUFF&SqMY+)^>>l74buAyY?J*(et@JKz_;XjRxEPl{~B2mEOz+RGF8rOhKrD<8_%2AyhFx^^4S z$4P~CnszGd0+EfKcvq&HWK;YJ!L56MtHcU{_!`4f8d_~EU|qPZF~mEf+RNcaqrhf$ zHZ)tYJ3O-;MQzIwc=~ z23oTcZ@ek;cRkK?X9wtfUhJe}CUF>ceu2Jw)PMsi?OC2iqiKPjPQUVjXYp3Ap;lS` zhS)=&c#_oQp6JkcUQc1&diu{2I0k zugNz(*i8oe(eZc3mrlmte_VMhu|T2Kmh7{0ef3H;w|Cmrf9XIZ*|59`+UB>+yl9?~ zuWNiSq*1BKE=U@@pqd28l0VRIHE(`%deL=6i;K+?0j9Gc-KZz5xe+|n_G(|(vG$1R zI*0HpzRQyeJQHg{Xz5jq=g)M)qmA;aA{1t&M8$A!tf@&b2YKqM)$%m7LDR|)WZ@gi>l@Sh*{0edUDyr{PY0?g>|PhmHAmPp!Z~K#;Le)m zG3e3o zU--NTI?>(-+9N!aWk9R&Rx=Enq6}c`-`^iuJ24TOPCM(&ynw_(iYgxwfWR|dgOsYvs$piKC(Sii%6EJnWn8JMoB^rpyR7I+VR5d^ou z_Oh7`aM((2gZhZCzrtEFL&N};E_Jqb-voD_MA^&(^OSC|MemJCZ>Q3ldcnmnaXR;t zp=Gq{vO}idVCPR)O8cRDARk(9(n@sig=Vlb9Y$&Ow!4yVnJw%y)GT{yO2^Ie5(X;r z1=;e79PN%f49HjOmag@Qgsk;N3m<8qn!4d`e9o>OJ-EUr>^psWcndck$qN;4@8?U% zx#pPV+`oQw=gz{1FqZT3Q53gmwpLhsg2M8T!BcczTrvu2bvqohZG^(D99{QKY+df# z&1RLoGc2x!&PbFhp5&I@!W8xkQ96gdX*h?v#3x1CR+W^E`wkn2j811&C`xl{%gIF4 
zix0hCl`oo13^P04on9aftw5v9iYt~|85i54)Q5S$jrE+ouo?gXzPmsHC#NSH1)vvW zqa0nnwf?ADIGkfx%t0OmR5P3o+YKg}b+41YqqCOIMe_d~-oA*5Z=6%dL(%qgR~}Qq^3Mz_evL0PSks&aGbC>4F*7K@Y%bGzqs8FwNHe{9)2z``Btzoo_1n!suAo zZm@+{=%9!a+99EcnZ-ISWL7h-47ithJ{{Yc6)Yq-nc0|jVgDPBdRr&W7w!){q}&XwyvC&Z;B zw$F@%!RK+;g9fqhKjOkpwGI+1sjV0;xh3?fZ|C_FJD6T(0=3Blw zAXio__~?TNKI{2eeg`A29texVsBg}9##e-BT(20OzQyhGfa^Y2$#}x8ZVc< zUoMN6`B}WwDCO zKHm1uq&Q1uDoJj3ie-JwlQVPA?7xS&>SxigjqgPb_aLYMhA=LN5G zg{YoIQiwo>73+dBdIiQ|Wj{so5lc#ocB}d)V9BNCjmEfpU8Ob{iyo9zbJ8&|+qM;$ zt+cGaLKn(oTr?V(sMH;4cbx4=eZ`Neu))n`eK}@=1!y>)b(S}$^(z`v?D!9E4h-Cf znC7qf6OmN<@97v>I-l=U4Cz$*4p zD&^AXps{M6K|q(BmQ&6y*omyb7H!yhkCzkG>;T0&g}v`TL;m5i7EwbazlixR+yng6 zb?LiT=4@ZXc?6KuB$lT8q<$&k>`;es&63l4#b{tyy^&txaDkJ8qN1&E?V99?(`BNRRM#`Nb`k&qjXD;@DnCc8!78VxteZN6U_bBI3Nm*r@opQmQ=IsqD8*OoZUUdh?{ zOd6G8nHIduAItw@u54}ojb;`z<&5xmLH$gsn!tBjsO=x#T-MHa^K%00NKpEO2}bKs z0rdi#{oI$y*_S($zy}`qigm|HrvnaRfQ^cVgOkqk(VV+&9^EUV`|rBd=SZ@E?BuN%1@HQ59FgWeAvTI8RB$(l7@r$1Q8;dj%HX&XqL z)1JqbJz0J=%a9cAzoOlHns4F#jru}?O2T?U#U{qAQhIP;^GY77=ixMbb*D74RhX!K zj^}HBEIMlI`XuRIu&B#HUj-K43!?OKxwm@eH=y6(Kjo2+&ZS zwC1hY=m<#siO-t6-npa3wzRr>#i-h9C}J4Pgf_&8M{bBp|AX7h!C7tH;2%$c8gA5} zI&<2EU^92E0ljN$R@LCdN6_2IwK?h2n2eKezB9g!yXU2c1VY zNs;9QQD06~l&SGoms^SI z5hdo*54V$nBa7V##H%>Z1PI{HF#&CLNesF*FCS9LgR@e+!5$Sm8;q?5CQd?lk##(*t zBO(RcV|_oK?+ophblZh*_T*c4PJcWhNTYQBT}pwx1F(6TgJM74c;0DygCP6y*XwM0 zt7U6DZJ0vESFQ!;?ygpZMvmzm;V)~D`N+-du)C=n(pM5o!Ih<5S65f2`hk-`nxd0s zg}~Q*VHKaHuzA`jFRg2ON?5gwr($DzbKYrap5RNFU87dd@EsE@J7^$ub@b6?qWe({ zgu(Ad)v&~LBP_f~^~xtbl~%Rbuw|odLq0<;(b`qDY0-8m@1?_Z%m8;+(`#dIv+aB@ zQZ@G8{_FbQWcD3*4BL}0)K75@p1DwFw|4xr{<5}9{B62%H;B5OYTkX^q7VL{gJB2~ zSU^&Q;1I?T+{hyoeF-M)z`0^-*Z6Dbt(DG8Wdmc4yt@~1DD5@IXgP_M* zuXj{InJ?mSuN?Kgeqv5FrGP=rVTD9FrgwX7w-3K8lY_rN-TLd@GYWQ;ms4EUgTL+6PZWWZxKldS zG&|zGTg`X(vJ$yPcpjK{AN@U-aw4X$t>2dcz>Jg^WKi=+ki^h~KVpnRsc?#?I=2YU zq9PnO)+E22RLB9Fsp{Arhp*2BgMikORgRrWG~3zb_@i{0>@@xCf~03y)El%vdvwu0 z@3e*%u-SG#^;ey?VCCnYYnzJ1g76WEP(ja=OT-`{J7(Mj-N?_6nJkr 
zxW@09_U7x>Y-1hOlojaNZVTlzf;&dsBd;ktZIv9FChcVC$X-uS4Lpey(5)N4AX>|D zI-s)-J7ULqY}<%iryf81^XZm?uai$cB!U&yJ<@Kzy)*dSGU{3u&+sa>`|H$0p1#_nriJ36lR&>5C$^z||P{H%I}!NDW)c;O?uvRnGi z(at*Oqams?^-T3dSfnh_1>^J%8Wnui2?{k1YI_n2#u=SlzJRc7w_NSAzMeb92D#ZI zhtz(n3cJ*@*Y#-*GaJz7V${>qOiah2`!zP^4fnZ6oIOt^qZT+GbtkIg7#1rI{AhA2 z?;tar;52!ZdTP|Fq9ngpADB7UT{EFevzqPd%-z|ad1`OxFAT`^@z2H2bKAX&C%BDA zExK4R`st;Kjpn_i!k};lrLL&6c88_|7)6)5?tUzW$Z@yY1+>#z$#k~u$gR0%A+n>s z=Wqi*LP(Seao2&E;Wy+wxa*i=7KV;x0n@{-T%L!Qp;?x^-3R6NlP7p*=tFocQr!k> zAG*c^EA%J3n``LU<679S97hALm~O9h*=n7O2xcHVjasMd+8GUs(&0B^&dK45JAyM` zx->VoO1fLfzw=ZCyh!ysV2>(w1{sonQkfn-;k*3vT;@d3Ab5e@ygP}}U!2r==bc*b zmAj(&s{@pFZd2G!Xtqh{ZvEuS#wMs3@hYhw854Qk-DMZst(LD6lZD7*=D$;0)^?U}Qs_k* zpFU4Y%Ou*$DKPw0s^DEau`MuxHIaRs(2x^xQnpj|>y*mq%QMui#oWza!BZcy8Q;FI z?zpao&wPk?{hD;#zHK z1vDBL=iXkP4`uE>H7hiqV$ajTPFTc1yco21Ok1b=R)6ri-B+AQMV3$)SwgY8Zk|r| zo!~&J-kU!Dxu;_UaQBE6ihlv5|G|T$6}8=*JvylMfprbrIFhm#7fgjXK4@YoEk7rvYT5^vU=4)FxE*+U<#Qx9nJyMI`n9# z>h9PxyrOE8)_k%n-=a0#?H5#p+#!0|H8ld8Pfr{_|GtV-mrSd1>@ugW zR_vFHXCxbisoV~|d3MOzG*D5W#4?Wvy(^KLm|viqZ)Is^YdMxOWKtk!@hmAdDQRb^ zQ`NnfQE=zS=-3B*wyfZBV=IghFFHxZTj z<-}QT#Oa2<7sU5U2hfay zGr08$d>Nc#4#I_VYxVR5)r_j!10FBjDQra-!UvN39=Lv5gUa`Z#LikK24jA>VhzWF zze97|bj(Yq6}qRlH=H*4sip~NEl*OXyeG472o1$xrT*-C2-71(C6@xl znj$m(! 
z-#IM<9j-%r95;<-Jv5N!Jf;gs*w}?Zt*ehuo8w8JkrRHziA}60*L@Qe^tnx>f=U)^ zqukP7f&YpfTRort+3OnwMYSx_?_E7AmK|NRwHSr1cxpG_b+ON6SA+GwK;^ON2%)=Qzeds9&$PGsnmBHbm_q)X1*7ROw2 zft{bH7|-|z6%>?1m1U6|Dj_4=qu_&C6Tdd+fcdGCEGN_BI|K8P4;=8tzOR3z%p}MN z{B+kPD90WdWGFnxSlTsJ!#mr8SdYsrc59y+7osQ_f3Tt>`XR);zR#TcDxY__1Mj`m#n zrg~WXltY^omz&Yd;u{U?&m@BQn{Svj?1zN2pZczZAz5i9^NRa|9&5TLEp~ z<#)dO$*@DZ`SIs>ePhJF{*^~gY_aLptvrZxqfzGIp1#3P8id~Q^T|lOG1Vil=b?L1 zY&#%mXoy`(Hj2D4^bR96vMkOotTSSu4OoON=mw?_m9m;x)IqN4m)SGY0P8y^ zpOJCO_u+bU<&Tp2azmU1yP0?HEr)iXqt?;3x`#GCVxqFQRkUYbvo+?WrA}IJ&K4A4 z)IeqsBZ`Z1!avW=SL>@6dDn^Ovo!>}(BsCb9&};G=xe4}lq`f`syUxy;=Lpaog<+` z)m&My8FvsoZ(cVgzLT-F1qq(8259wVJlzw1-S^%X<&FL#Gp(dPsVISu=PlabQJdtc zK{-i%7h2{WhTo<0x(&I90|tJUqRtqVuaD&ughyYf{0ae`RN4pYYiY0D$yXyD2k?Ck zYUZ?@F+9sWw6(dtJvGIlc8DWi_7v&aq&KPeK@DiqZ`H1^Mhm;v zLx&^71QIUK?3nAmwIecC?eA`KDSrkw2uq&ardsataLQ{>Og2)CI9-RMR2yWfQ?n9# z#k*JfWF4$Nz2NU>wwzu&9HBSC7H2n=R`HF#FyMS%Ryhp?;HXbT$wW|c7zi>F-u`?| zP2vI-DnU4c57aU}^yj00vr>&K_TxU@*i32Bl996Q>Xh2?7p!E;4LmI%nzaDCbIRZ-NO3$0MF zQ+x7RrUAUa(~(|`hSu*QBcP!W9iisji-_Boz6yW4*Pr`QFFU)p7-AxQxv^a+!rH7h zVVsP$pi#8d@nqWi0kbCZorKq$L{uHR_9vH=DvEjDYN%G=smZ>IN5Y_a$6nRZ`+1{C zm9+1urXEvqXg+b_2&I0-)@V}$fRwk|zB+0}g=|dCU-j)yX9$`yArjq=ZiJMT4&%0q2nAN)T@aa5K)3srdilr?H#DXiVGRlqpTM{!4NVsH z$*cic(y93~Rbe`Upzh5QtbmP#YM$MO-r_A`r!X$a^WzZ+6FC z-S2Vqh5`4QdYNqxrygXPzR`R!kXSPmSMAH!K0NJAkeS6)Hr5nHDVbtmxFi#9^ZZ5j zozPR)M6%NFpY%`hoa`$wkxrvX-CjPMZEus%0LTbWm)s4vw$!T+quTWO@qtpIz(EHH zg1z3leI z3OAqj@1kOa7=(I<4l5ef9ml6;;Eig}qCq7LViF(1pp}Zg1MQF-^TT3eLR)(*<@~E< zE=Y?mX62kfTD1m4BTN!GLs?SXTs}~GJ$=Xi>CX!W&*?fie-V%6z7D0V8EiAK;aX;> zA(TE1isR^QBIy0Cf(t@X7po9d!KMdR+spq`yeQH`vJ3ghgu`=~mL9OF^FYnJW*hr?g`ZAu8Y`=<;w*Xv-nu zspteuOIj}a*6ydJE9sA7!i#i})}hDlh!H_^cFE`mEgK5gHdp4uen!fAynvIIQKlm$ zkarz&_NVo~893ut=t|w|IeTm}4>1eLY^7Pk` zU=ZGu5t2}Lf~F{yL^G~o+BL@4ZtV9xj>TLa1V6agVIDX(sBA;DkPe|X7oPeMd!M6b zh?J-dza@GJ%2ufe>BTV2#v9o1hJaIzvjn;1^qIeGnfbBx%ql;lX4;2P=_pNtPu-4s2>!T{(%PT2`9X_%V z1{U>$ES428U|}&ZsNULI1VBb3Q@<-S0uHOpVgDC2Ftmi*8vTVo@@o+xG*FO{N4v$} 
znm#4QoO|Ck_Wb?{!(q9#k@Vn}5pmb|!)vG)_tDdBzt5T-$MLfDR#PzWr#SLpZG2xwm#OmasFgv5xoPhf8&WgF>&$-ngmdPSBH2FHdxo)YOIA4ilP3 z`+$9s(Q)RETumuH_5NbUF4Hqk;HQm+^X`JJWoOD?gksOxrT10 z#3u>_1I3b=mgeW`jzUBJq>dQCX48N!r!jrwV_Hc3;I!^!^wY{E3N*zcw5C?SiMx_UZ^+vR%EC7h`9Kwz&_#83psegbR>-8g zq-4N~p@-ufdn`Ho_%yzq%f;%i@b=3`P(H0ZUW*jKggr7-}jDb zd)ZvsU~FDv3}Vjlx{C$w`nczs)wQoU5D2ipYFa3~wi?x1z_&VCD^~;-rkeaeT!0Fb z=*HpcUCCH|nO`sG_Rn9-@$1)S-jr@Osx(~N@4@Gbi*gvcuOPS0>^010Bl$>F*obcv za!rNjKbg~$_ktA}6IS1yNs6p>-jpFfe6SUdq5!ifFWJi17+5Jh!4)Ojqj-b8RfcrK zbh2bJE_xj}hAU|3+K6K!#yM)OTDGif0iF$u4I-E2(SA;r@L!Wf#W(%K z)ucDq0b6!xUSj|wOYPE9=obg>ku->nvATGX?}QJFu$7_#iD};XXRhCBkY7K>!v6Cy zfm2R~gNXAb3jo^mLG9`3BICbMrxJeP0#w|qF7>R{{Ao5$_?tH{ugkR3Z+fT?P_%Nc zSpGG3|NEl<_c2-q2B1cC>sn3q*)2TupgAnKlE0hf<^g)jcg zpipiC2d^v;?XJDsWYfXZmu4?a@-732*+*UxVHeRlxLI$BooTH~hoa5BZ{x~|`s4l$ z^u8Qhd`1Lx!3zHG?kD#w?(r<(66y!5uOyTMEhSIxhYWCuM;^H6FsX%jG7dcCN1UlD z?IynRHvN0k{XxU0?g9Zz2kF&}f$Y^=VV6h1#(Ak@Uc4Gf~lPKpVUkm7lIMpvRJ->D0nXH~b zvBeDn-F_oGdLwKKYV$p?VJwfyRkAzPQs2?}Y$!4l$6*oOHJPa^sYUkBL5$r-d@)E$ z-M>9gA5e8Sra~)*j*@eZ!$g^k8k5=oYCX((B||*0Oq2e8PYT;!G5O_W_$|)%%vN|^ zxd%9Zdd*^~`QQRYYgO^V=3V@5f~YdKj0!_fjvD%%oFyBdxcTIZ}dCXxodx1mzgqEKT2MbG{*NZA!yfpo< zjM+4(S)t^3V)(x@W{1J6(N1IkEoS<2G{HOsG~%JDvP)N!-|rZjsU?u?>24CiKet?H zQGIy|^*rRAmzDnceV5DbJtruw3@>(HO1XYL-CwIwA`tLrpYE0C{oQWy$9Lp`Gon<& z?3a!8e|(UVMH@VeL~gy+9|V)Xf8r@b%je`}|F5I)4ftenXrEbG{I`b@wgAJB_bpE8 zujBaFJN)%9L68T)w`FUcKf0y<{t0a;iV5xw`r`?H|Ix4n98JOM9uwOCTmjHme+3xc z|Gm=xz0#l4%=3S%6de7Y{~xSUzD7id&|Tu57R+_`@l7thf39gH;G4jKQcDJ}1$y58 zU~X7!G=o++h+|?PeNG7wzh?5-EesB?LQOE`FlP%J_Xe-)<{)@qOg{rA)Um*EJ~RW8 zFfBp8s@f$_mEecyae zB+D+`;~Z|jzdB~Td;x&<8GzV%Aq|MF&$FhuCoGF!9xr8O`QF0Y?-p7xa=+YEf5$TK zKpBhU_S-M$9*0dYJL$60q3@0=^#HV-cQBwm1Z}kA=1DtH=>#A!VX8z^K!|wjohLdZ zfdzWcM>J>BG)a-}8wc(MJ5HH34fJpb>dL!TGSKf0;u3{oK&7pI2~uBKU^JfJQ!-6z zekdq>0ZA9v2WKG*bHL$u<4wVQ2boJ#w#t^=<{Bl{d(m)x3DWV6oU(>){Cl6p0IW=j zxoO~RZgt#DBlr#o;zj}9u0HDwC_3f(dCAQ8mWKeH3D``5UmLIs@I@X``k=o!w1e*x 
zIwXl37^&MYO?C8n2PG-h)F3DMT}XKb!FmODgrE**D91R!663k|?BF){WLOCQcDsU( zAo!PzHt^n(`ZVvH4N}0l2FKj5)6UQ$L^DZ3i}m?S%5Wy*%HndoAvePzaFn z&nQQ}%w7gDl#g`esS<_hFSn=v}*y z3R2`(8yi6?CJ9o6LvmQ=o+Q5V27EkT4Sm>nqC2;%P)k^|VRn{g)fW8z8 zy`Qp1sgZKTD}z^KCQFddBGhr)53p^!th%#~W1uZC zppYHRHCFSgd6I}1SVA@1Q3Y}%1|Duovk-~T$W_s33zzCY&Ug?9>48(q-jh8_0h--X z1x`H{ylUjVx3_{Y_)=%Ayty%#So}+~_d>x_>-XDKxyt(ZJoZ&~zM^xR@!Z@N_+Nv%U zrhgr#X$l~Si4S@W=)*!XkYJmybZsHq^PuOOBuUabV4;u;G@>NSYI2h;0ZfJ*!$srf z;F$ADUf{vjNE5n{Zu2nc?RO7H*_V%po^=Tl2xq|2mTt_-zp(IfsRx2cDd34A1tlu0 zW&`N4Jo8C*V%yRouW@4p4;AV{H;iV8jR0WMXCFVd)}5>;95!gW<9hqzA=A4njX=OT zy9Hln*T>F%F0hDB7!S|Ytt?3Ik4v)E3rXa+vsnv(?}FLP)mL4Ndl59I=)N71RM^#DTT>EzumkTSi71%bdO%(LCuHR31b=T0Vjwq)gi})YG8*bJ=A=wU9 zcBcSJY;nf8|r5QW-MoL3qbhOgDny zLV&NG4(EsSY(3f{-U=~^a(es47Gd-hOjr#dHYXn9X~FNCHG>;EdVeh$QrEE$DIo|= z>aM$N*8RN&t3yHcL9h%lg?W`+iPygj2DHOD2v} z3!kI4?MiW9!s-C^H3)+#F{+FgCR-L+#f;$(H7 zGAc$T-|mAX+G&fyX-n+;Dft~TYBEhW!9sV?+c3BF?*0k+KbJov6mTPQ$Bm6<2Y=7~ z{9HCKelR;YOcf@P%!{!bPi577$4HWM_UK8M7fMQ6SY%%@V&J_QuE`foFF{E*2-76> z0B6K>32TJ<6=o||Jp_k!gsyN@?o|XM?Xojccq_w<2H$yV+%b%bej;*a?v;U~HxoiD z->_z_vH5IkAWr7LgJQ8N+GhK}E5q(KVs7RdQ*jTmG|$BeKzr}bGke6P_NSaLrQib6 zL|+jff6VfB#2b@9M=ld|GBJ`_IdFC<_>SD=Yc8ZjPrC>D9`$J+xa|5h@&y)pIS}p{ z`A-U+HVNSz9p3S60v$GY+HPbfw@9>}gZ>C@BAP?KE=**C&=%j*f9;Nc-AA~c2rlLg z&Z*o0)}8sLE6~*@p0975=iAR%`J_XQO-m5WHh>KiNi(_Z#Y`is{o$&a(8LX8d4A$( z#>XawUKth)Q33l=1+EzsOr$c8^h-p%6sCYR;?i|yM-jMfWR&sxOSJthq<3>rxyY9E zS<970q9G}J_hnY$Y0OL-i5_{e@Z_qz$uKzEJ=Hk3_mg*Z@pX-cj{3q=Q$ zf^$DBc+1N;djf)HEAUB!d+G_E*C=$Z?E+$Rg{Hpb=WXaDEFASYj5ZcmTWcJlAKfRN zvyl@&{rgt)>&SD18iWYPewg{m*2FXQyA` zEp5yV0qm2qVF{@K*(eBhq22KM`&f}1SbVgzWKk_4Rfh^t??!Jt#4=fS{Yhr zo7ln%2Lb8u*nDVbl+9hJ#go-(kmwvOl$9tfJcDQ)#j)4nKfj_jJ_LCj0_VC$^gYd z8ax%pt1TJNldx~YFmBznj(2Cc>7gWLbintjW5u)yD?Al`XRoX4Yt;~EvJQ}96v~n| zw7O^!l9`8Xjphm_U-k?9-tyMLmRGeChh=u-QFnO0B}4Z3lL+~3a5_-QMyJ!~SEN2@ zQ_ip909%I`Lt;%Z-`l>7(B8H~WEqoP>${=`g>gJqlJ9hp zta!nR%LhL{@VMZ{oInB3T6j$dS3c*J-dq)Qzkt-GGnGx-)s}ONlxk~0KAPjg$UG#9 
z2-#Jznc@{C;)TWouK=#ANz_Bi#jb1vv=w04rsx_8vmL6ee*fyDZ%fDbrv+cF*Kl8b}0Kt*%VfwHGymJSf>d?Y9XD%NvsJpS)4&SKv2%chq zLdJ7Xwg|;b06Z1B4k6hRT3O*C8WC>>5v8~>0Tfy5(yamU-ypdc|Sex81IMsi^DOfwdR`VoJahR-(RN& z)8nV)3eg~3=0c}YCK`(?EJst*jG!Wy%$H3m;6w0-EjD<7srq9t$?29YHW=r5pY)xch8$V%$VnvDP*zQQ%^CXUWlNDK92AU!qqeuk|} z0r|}jel#YsAZrn0+L7`+rt%Hza=&Zz&$Q?*DX1>Jo(YHvovrNA&#lzB9eG#SD#^Hu zv^;3R_fRHmX+%aYtK8m&FcSh^=YhD3nli}%WB|eZ%9F?lvnE7DTK@EKjgIAT>}&8g znG+6CQwa1c;g4Dq_J@Lw{l1GUG9sd%vAfUT#+B$y6L1s^1RmuBeu4Me$YhR#C=GnA zy#Q8qJMplW8dBE5Ygz#ymPgpzf_cG6G@m=M2R1{ve&!13(nBUQxp3iTuY=0WbS#dF zL}m7J>g5f{@-<;}>CHC*OocD^K!4$^e3>~5#FzUeoLSn2d3+#W^*4?asW%Zcxmg~^ z>_*z*h!UY9gDFgAJsOshTOHek+1$jAdCxuJ1y26Dh))UA?aUHWUYCbn1PTv!QLqKS zC7(niPnYP%$8r);zAq-X?Lyj~mO6YkB8yzIKGFTxJp<|Y$x9idAG{#EMgiGnuLTjo z8Rl8{P9|DJZL5Z4)zJuuho)HhtliP0Wt2cGpB zBg%rp7uzo-HE15a=INY-%mJi0Y#YOSI{Du*HA|aR}dynR+c=LL+T-pB^biU z%+Ryp{N~o&WR9@^)2_}_Wb?a`VE*(r0UL{FkP=U{3=3TXd=?n3NOK0s#fc0psSzra z;IqRF;KJp&Un$H>^r{PW0s?f}h8d??9jZLTat#pD5*+gn^lhs(^*~!eEb&>~YvJkH z_n*|Lq?kJ=LFvG#3R|mb9jYo&ZQ^B7dv`$&F8e(d1IK{IK;Yi3pXinJ-;Uc)cc3y# zyU^Dke@{ezFW-8jpn@@srYYi|M;Nq^ljgyNVgbK7E&SgqyBsj^)y~kIiGQXIzYcot zG*JG&vt^u0|DSXJFBOJPs5lOf-V^*!75Oi>gmC}}1XAWnZFc|i6aV?|Cpc7+XODr& z{&QbK-_rLIJZ{{LzP1_v?F|vKgRd?~53l|6DTT`G-b7Gt9^hQo|6dwOkFG61?T1D= zSJMBw7VRLt=-<9qoRRa)tO98%?eyi;Y;(NhJ00?1{s2{*8;&4&KYSjtt{QUS-7hyTmC$YZ8|Z;(gMP+v(o z)viGv<@+V)Ar#oAjm62=KOd7^Ihfv(`=DLQwu*RbRA%g%BIIn>vtSgN!#HB7CH2oG z43ML^EzL6XRI~{i_FnGm%O+ses~cChn!~c@ZwdkI5!iV=a1(8XATsxT$tHwnP+;iz zK<}!R*0N>F!|v68_gU!Dt^jh6Zsm`86VG$dB_&t_qvlyv^8v()a8e72tGDDw-V>0! 
zzjT=omWp2<%+!WcQc}#v1inWwi|N{?%P3VA{(I>#sNcNtdxpR)_jg$$++B}n*1o@F z2fC}B%Fn+57u&lOO8zt-w2B{x60kGg5M)|8SsP@%=D+mjsqP~+sgzqy=A{4JAjXB* zpXcO)k0_*%e)YRR9?&-tI<$)?tAL5bG3-5*w~M?Dp5<`=;s036SAnFIUpX zTvH=}XT&By#ft&o6UeF^VlB{=s) zKwl9g^ahPwb=Wa@QF)Kqbus_>)FdgR?Qqqy(1G^qx&QmB4*c6Aoy0GA(o?t!oIw9k zW9FP7K+SbTsTOaIZ!#t7tK3>?i|2fBPSB{BisQc@U#_b^W?J;;YMyV{*)flRyMfgN zbE|IQ0D|}A0x1SgRKWr2;xsWAqDFm9w%zULW3HhY#kDHjkJt z@bSUVxwdH2p)A&68Dd+0!&IJk`(W2RY4kNB!N%YWzA~L^Q(-?JE@f={7f9WorN?X*FL>c2V_5cRq$l4C8G*dHr1SzG2NqElZ zc%vf^l?6eds|_BQfvMT)8scx)EIy9`2Tiyv%9eD2(DU zZ)gko=LYz62WsLLIo|&zvtj~Do_DqXl6nwQg44fW5X^ZJ<-f}XGLHwYU@Z9W_k=e# zl$;b*{_ijP|K}P#sEGpS4`y!VfZ&H`mmuLu069Y9yK=%oAIs+-J7b3!U~8)%N|k}h zS?Msy0)`<1ysDIODlyJBQ3V@Aa#1e`Sh_ub%z!4 zziY7qSZO#5L_r=AasXNRa?8l26l^?*^bUCmXgipBthF;-q%S{RU9j)Aatw!zpMZI@ zFpy%1HElYTrthWv+*1((2WLPXCEx;c0ZjYJpwAknBqtv!tW01YB3`Kgrnos~<+e{uH z2~z}@7+LHl@abAe8q_4GTTR|AQ1K`{viww}TM3Fv>7$G%yP22nClKY*9rmJWf0%e~ zJ7A!`V8?=R;q{jql`cWdDT`g`GfV0QQE19O7+m`$X}6(V0co+kyDH?7IRbnZR^Qpb zXFdYA(PPNpBxD5grW}Ss|ArjX2$lWU;RWk7UP-qk)Jod3$@bsB8da55y5*e-h)XM3 zp=?Y&P;&r$vKu^%OM0L8XgGdyn`QauJe`sBSnJE{DLC%(g*O$V zVSZBlb&NUxe)<$Xy(Nz+y!}Ys9f?6~II9k}q7qz?U zawotbF^#Q$F(zvR?8UEfcLpYZy`BeCZ}jzFUZ@E_ml%dR$5pQTt5w}}sbHlAERqb3 zC)LwF!G$HWusE?5rguDqbxqdc9LY?xb5e3W?giY$s^9OP0-L%lc)&~WLV3X2*@2Q; zYEMGF@^~F7CO&vg3qy9LkkHIH4|ozjAFupl!*lrOKrCsi?igC>>EOyojs8p@fhpez z)E9aMQpNk18#E>T`1&@{2LRe+q6Uk%Tp7+yHB|$w=+yd`%?Kz84?kp_^gjl*DD7FkNKaBv6*NBV351_#*dxMwR@Pu zo3-COr3Dc3N1!#N)#wEkXLzTcWg|U~2^4N`f;u%-#s~zL+F3zze_S;HV~^5j^ix63 zcfvAGM)T=R#Lu?_#T3CWaVuXeW1~0#9l=znYKO3HzTxBwfLciqGidC<@QuxsDak8X;FR^GUOD5iEQVSud>v7^V0ykK<%MUsDCcKLn3sevx=D7 z(D3C~{u`45w>X0;i1gvN_P9DXmq7=aO4oo&K+X+aD*{{0U(gmj+R{RyzPUza{o*e{ z3pSs?dq6=xByxuQ7-lMP_mJo#J7;wNLX6*W29wcmDt^$nV8C+n#pWevUxS60%9N$v zK7uj^BvyIh0kBAfH^9laNH<$SbK5MPhvYK}VK3w&I4(b8(U>sZ*VJ0+{i$n@af2x` z+5JUp+Nlre2|k-a5*g@X(wLY&EHAW_6Cf{gA$vlw>D(O0LFbZZf60R#bFxtidWAyO z^?@g>`7>Igd`~4B;H7G8gD#u)M~5NyiOCnBI&pVAbNS%SLnb1WxqdUA0 z=^1_!WY~svL7jL1#DUB6Z 
za$hp2s#)NLWp8@4EELZ~G+6dXjn|j3{!Xs(?gp}r(Xh%tPBTTy7050HWuC&W24+ha z1@9bXor5ls0Ls5`;7FnyQD>uw1{Lp-9GBhwM!dZ%M}3P2;2T^_Vp3RdIQ4fSt!pnW zw5mgE+}BOXnd#gN0)wT~ub@C%vNWkLHi8|A7->yL|6)zQQ7A_eqcA_^GS%fQCF+ePI9(LSYSc?5(pm(Uf-dTqEw@N{<^X*6e4+CgA6bL9SXFig)Cmj~Fek9Fjd( zSJq5*<+R#4L;{wcGUY36Lvr!o%4_Y;c36afpYN?`wjYs)6hiSR0ms1=cnQZn6vL{; z`kRDIXW?b6g9S026YLnI2zjPJ`5E0p{OmkDL-qr14Dwvs zxWqC&TNZG;b^j*W@mR5;BF8aKIHl;ex;aEA#Jw!&4S{};@t`${|Pl}_f(0oOG8@C}50+svSt^sTOm?R1mMgI-`DW&=$s^1W-beuZr z+n)sJh;;Wp$J)OZ>G3vp6e*BAhhe<>;__@XHLTQvIv|qWRG>+H)Np$WpPb2Tzk`{)7plcWD=eFB0IMjFa<3} z+-T-PkGF7b=U?zS^|kgoo+1NooJUN%huf9fcIn&5lCUpzpTAYMOj}{xUI6ZZ_p+#STV4rfg7u&2`2-!P(pdn{cA!QT6qE>zm5}Nx z?4AoFc~_5w+RXK!T@Go4X`4T%cpEp3%1mLSY(EeQ zJlhOCoo06;?}S|%XxnCn%XKf}W`~3P+!`f%+2h3E7Pq+D*x77$hpSV^Gkyb-T+P30 zv!p{)tf}~tG_p7mt0G#T^p;YXB0-8cN5mdydYqcEGvgf$y^_W1T|c1@lZ1K|0}ZMR z3&kC(s2HZ}DdSNg%`S98%pPb1hkbhRq2XpF{bS|9op{Kn>DUx?0xsq&Sa0#`1X_Uy)P$`Qn471_V6iffoQw-wS5z0aK5`l@`99(cE}_(2peI> zGyN89y)y2rOA4>?Z#xhPe>Kj$ya9rT7#seK~Ly;uio#CXdi1p7b8E9XeOI{rj0x1UWSf z6L%DnaZtZStbL*1Q*u%4IBgP^kIZ1$Gbh7j@$QX<(Y04yWj1pA0-YIgM)dd2e6EM9%o>C$)}7wU+2}hUi+8s|j^7Te8D4l);0(dj!YjutO}X&TNvBk#PA&ZTVA> zRuxiTLkZ~Pg(8o_6@u!zh+151mKqyn%DG%WBHW^0IU#wME0n6DM%R*Y6YX{libELj zFHx$^rBmqgzH`(ln4js`Hx)m2sSWqY_(Z1I((XE1!}Pm?zuyuj$G+nNu-?O8WknA6 zYiH@m(>2yw7B;5J-GN9l&)huYyP(ixoR46-3jjbyjR3vD5Yp)tag50&Lt%5Fu4fJc z1Ko>Kt1}a#mLf{DMj%lrO(S_Z%ikL0bA1_HV6N4nYtn;Z6;BYy!jnHdTz2^0NBQMr z*{he?eO#1&nl0?jz;$?ZKN;H~DM?{yC($Ir=|k6;w$Uuc`bYJk`~G~o5ndX!c+!-i zmsQ;5%=#sgAX<{HE%XHX4yS^hI7&mj)Iz#?)PwUH`iOd7ux(hlf;VeY4e-Plq=YMf z?mwU(4C+!v2!muusJ9}*h&VRXKCt8RtTKo7<{e7`BGfYuWPtq(V?fqXpt_+UHg4P4 zxs1NFWNx#xX2}_GA-RaG?m_Cj*XtxWtz4ZXZ2I0~Z*1a%{tTUbvS%>Hy>Z&Q_JYc& z)b0Ir^+G*tY0m`b5{C8UBO9R*6}?AzE3X?#2gMwVZ8$8jJOiO)TK^DVIX!Gj-7jE7g1NkQs_d_YI6H-?DD;FTbr^X0#)*@uXT*l#FUH^O&cOOTOAeJrbAJ( zp3;#benuDFc(z~cg?_?AH+~){5)BG=Ss(wd>j;2a$hzbpt6$)$(rCwuK_ZHuOFS^e zq>y+uy~2ljN0iPRhk=AMtckl?2{p}CnOW}2@l^# z#kG8P?Eg80-3#V>F(V!HM7hOH1+FR}gMuAEWctbksevJI94d?(QgKtKQFNjm_bPKJ 
z38yFi)t3vK67~gz3h#S_j$Sqy1PW3zMlhdnv0qZZn0$XbwxU7aEQ4n}ec9D^8hX}% zex;~*Ae*T+aVcOOD_|^qD=op5Qm+Cn+LLDPrUHItxfyq-LGU%}Fqed;M>-eYpZ$~k zI~qJeU-Bn98mEqZbQw}xY~i7(Y!)1gomiw$M_CmUTM(sG4sVR4S!zK|JQx>dNeND403MD}!Mzww6^#JUJpUCn}1$S78rXZe2l< z72(GAF8#2)*7XrXV#ysv1oHD{&oOTLh>3<}qxzYhWl#Sc9gAt`uGLg9b|lTNy`PGS zpsmTV;by z6<(x1c-oO}^|dK{NlWLfLZ;}}>$QT)pF>Yz2{`neO@2ABjh?0DZq7_ynbt%XmWB)M z4K^O=;|kMKVhg$DXC%O;q^U=zyhmrHA?4V6j+G>S| zv+TVrN~OTt-4=~>nwwY(JyiO&>V?bP6PxDe0LRk@n}}Fm5E)*C(Y(NGq?eF;@T&2l zt?c5LJy@vAA37oRM5r*=3_xYjkYoTQ4YqIK<&$v?4Ao}^q0}+n9p*Zy7B^I{UhO5! zA)P;%oxNif+?it~2FpLMw;|FogcA~pDWu|jTOB+b{c`v*mK!t^*3|G#x3x@$(-J?& z?^c9iso*w>mK6p+zEGRVA#;h*zOTTnT)3lFP`CazbvtqG2|Y~*r;eRz?I6p$KJPC1 zz?-*liNlWM(W#uq^F);B%T>`rGTiJj6xp|0KG(3&P?F7KJh9w+c<5eJ=gvyr+bc*U z8Foqdk&fLvY+u?>ioXwLt^1~DV!`Rx4dW!C=I)88aBC{ntC?OS!s#+6+jUw((CV90 zS_z+gm=KX_>da2_OnS9jRkRQ{t?Jyo3O}13+an8`NS324n1Hr2uY$OhEVz$ZxE+4( zi_TFiZAzE$4N0gq-kc7r&D#jF*&!@Gb-O=u^7|>1_ba9F0B|^{w4+oLCG|_15yd(1n$|!w`r(l_)5&g)>Sb8z!KeRhj(S%RHJW2sKXXLBz%q&z zdM(kVXtm`t$qOc$CH8dt3dsu=jZqi7s2icU*#<4&(uq!K(@j~ZC#`JHs2Y9H)55>E z-_y)IommcH0g7uTdxpez>pix@Deq+X&P0hi%zK& zmcE_UVUDkflvkY26DcokaG{aDN_R`16CY1OaG_#Ahi^`HFbZCZoz227Kus#~z=z2D zi|%UdZ#}Y4vqPlK{OPYEC%{024jj(;RMObog~Y>G^(LCarV&fc2mZ1H?KBOCqHoZZ z?<9fKd$?1xxhKxI)n&jABO2lKREV{dBS~yZu*Z%|&8-4DxXuqPuCtO0s>&^jg|F+G zue>^rmv%(!t4lRbWa%JWp7eg$baP>!4lvLTRmVK=6Yt<+hP0HQ>$QLe_zd*gbit4PaLTxYF0i+`UiFkS_%@aN;Qf0Vh*Zp#n(zGv%{#ZwHD_p4L4v`;-G ze8cCdOZ}cnVR1FAI33`ofWF7m3KV;p=XO8*`he0yOFVGt$JQJ7AeJ{J-BTxAL|w7- z%)|Ge_W*^(?=9e}bSvTgykrgs^d_>qdl(;ZgB%2!nv=S^Ybk|&xsUwT-*pN#%7h>40Z$T<{|3_gzL-@NyVp!Qf&VXXvZAuI~ zo%q0kx6nX$>PUL-HJ{5sAkRag>PS2T5%!wA>@xA`P(7SPQfGjf?3o3#cX04^PB zOS*I^Ia$R$+%zXVuv-H+##O`-31azg)QNUmr}tw_l5Mx5=?p})W0)7y$ne26n@8yhbB8?Kq%v!eA5oHezG zObs*mqIT@-jy-g3bREJB-O)tBSEnXkW18BuuWj3qF?GmK)Gb-d^15;%LZVK%ceB20 zl&D-t=!=rAVTo9~V#v=TwWU$n1NwC1@w8zG+csAv21lV)L?T0(MzBtO6WU||b8q4H zr{IOS*@%j=`=%a?jhdylQ?VjUbubqz(k>)T#2}DB;wWASU#y{Z^26$706^~TI*?1| 
ze;o?p8A1-cA}I|qmn6jshIf3xz{X&{O=omEHGwmo>NvRUIuX7+GiVFAH4&p2@}ryw z`lOP>t=RLS-?t~#Ll<&xDlM0bcV zj>J}pw8VT36jgcFCG~mm7BGa82g;cr;YJtIEzuF_^I6ODAUzO6Y927<+G%peq=-6Z z)#|yEA$UjFOdRHkZfPTr&DXT$sJ^{Dlp{Hv-R#JdP@Apmw=Hr5moc~?SXw5U@c(j@ zHMi`XpMlY2g7{gNWm%Q;$C&Q|Zpll&nNx|51tcr>wk5;59;X468b7QWErPw?J$Xri zt#gM-Shk{r-I`OgZh(Q-U1vi>&ldU-{TeiTvb%zOcw;J({st+y=!b209weeW zd_xsIUD4y2io9uFvvbc;DTA^stj$O>j5r}-c-duL4c6%OpA!$4u8RGl={?RQ(d7)i zE!1PCdtvQMT+7TTO$+;#a2RsWfRR-YRgG;f22Nt$B+QV4xtdeCwA#`VWZ9DJ4@^rL1c?hV`Lhy zBlFF$F`|QtTeJD(&MFd0BN^Iah?>`_;aG7zM!r0nxabkGt%2;L?(?0$`OA}xt9%T( z6L}V5G`fodK6sPamr)n1q^g?;<8PS^_!&XOc5tX|4kaehESCkAVsH7MWHb3^CXZ zfUBYgxGI$AHVYL#9vP=%oT&(=z+x0qu)e6yy}U71Us>JLb|iyee8F{3$i4>1t`op) z->~jnTrbmYd6LKsa`zuFpPTznXP$;t3Lj)eX&msHDB>iBotmML9V<}%Z&l4;G1^Fz zOg=3{A^FJQVSwoj$*{31!|`nNw{x;rAajxfOswIr4>H`YNJdHGSsau0ZA&5PL+h53 zjLty|N9U1l&<>oRGK@mYUi6S?x%{(bBNU?WJQFzQn16B2 zGZ@V6V^E<20xyy-{?ATWB@#fA2IpH=iFfLcyhiM#j0)r({;t7Qw1ryyC$hiSG*UqQ zJcPOACkyNMmee4wS(eVJ0);NK#3R{tJbYG9T}hqKs6dmHqvnBZZywIK&I7pg)aNzK zM$~pL1LaD5vpl2#dwl$A$vR9(E&j@2GN{}XCCO zw!Tz+*T%Oosc+n(rP<%@o6nGSm&9AKfLyt6MfN4pee*(p60|s(GQ$qttP^=;AgiHU z;H_n^{m|21y#cqLiZI|URazw(IsGH#ZiQW3lnMnLC%Nq(;ER~y)adrVW@h+t!jLvq4eRwx|%+mp3l5{ASKc4W`|;r1JzY|gHEyRdoYF1+jx2wz^7}>Sr)7Lg~7_e zMsPo`uqH;LWnrF6L~TC{!!{uUB%nFx%DTP6)s`+Nmw7mFWs4xfU7yl`S#4) zjP5bpzune)`&MfrJBIm!0Ae@59=Euk8!h9^OeNJ_L<*-91^JC;k&%?{Tp^CUcAg z;-`21<9J!gX06%8hs{-$GXaeTzQGP+GM-X|bk^=eoj0ts(+D*-1jmZ)6t5Y#SEC%WH>ZjLYPagR`BigHJkDYPX2$?}6~vJ)N#} zc6ElP#p;(l(D(@L=(Oz{%-7a=>$ZQ+rh9k81{F+yJq8{1gt$>0FtHj2g9`tEQ^ zonm+$7g}@1v-Z&7%SQ|68uUKjNfBK1cQ~mw$GM00tsT$nJotJ^@_k-L`_^$2Nm8tL z1q_iP2|4XIf7rLjbdm(6Us+*EAHG4)@tNCfdpQ5ceY0V&mODFrD=j?#(eQnNoEf+s z{>*SN@h+eUAAa#`R;i;mpwq1l%<*D~X#8rpsW%*&+i9Iv3Pg}UH3C~Q*kz7OHQFXfWk+tRIk;}3EKOsB6RM5|5)c&~WSb&WyF~2T|rZ=c+uC`WZ zQw{@!7iTz<1L1D_jrvEreJ4?TYwyBCJ}}VOW@^R6f*ZPz^q8p;%%pzA>is-FTgm?b z@x5Y}5Sl@jespMO^+zY^Po=5`NJI;NsEHOvY0zYX~OF6<%Y;FnD zRphm%1VfG|;^h?3%ip}ECiKkXM!%Tml%!1&blsxI^%J%lhrRz?A->l@3P9yKxo@V 
z{J!mgScbl&Np%eS_??-(?2Xgf1`} zEY{kXt>|hTzwm-j=kZINoo^1k$X_DL;+iQg+p<<4d4?gX|7__02x7CPzqj5@%m=gi zrp440W3m|jQ~+>L$8#^*^XGxQs-X}Q6K*`IQ2ZD z9BAUIl}SR!1?_D(7N+=NcYy$xJqFi3eLWswZ1KeUpQ{0eIl?f#X%#l*dK1}I)=I_r z=0Cj~gH9n!?%aVQASDD!51aD9B`F>VkZ)xr<1SyuSpZaTUSXqlf+74 zO?1UN6wCam+BtrBhzd*mv<*4x~+` zh=3XO6)>;HI>4?|MzK-WelNYs=nP3P0!j7vj=ID|n|9N;6oF)UH7(WZ1+ei=_B`%2 z!e0jlyWetvf#}fn7A4+Evnd`Y07zXq-}3Sj1mh0FtvAWjF3tuog&{(y;yF369^Qin z^;dv;dSmYtc=aYgZVgp{0g`dtWnhCQdIr?B%3v(7#D?+kb|0Ad^X=I^CjlOw%p)!5 z(=GRPFV+VyST+D}=-e#R-irFLOZW$8^Da*CpUiiPp730ewg4}HKS)m5)uqpZJ*MViodM6#gD$)lbH-{-;#eAEcN2(2W zEJQ?q+^_%bWV~%8!bEKE9cC`ngj9R}61=kf-!O&C>~$donpnV#g)nQ}W?;$p7{cO& zvOuh8h%+^!a$v9G1}gis2v!?lf~y1uPFCv@Rh?V84h1PO%I{tkAvR$j{O#`}c1Z?c zQDS@D-VS5o>*V3x#k?gj%AKqHz6 z00z_De0_ZACXiq~l&S0v`im&fjSROd(S;3zkgy_p{x<9Mv%bu!Xr9K2v&+H}CwIRFM&I&)SMycFBy&$fY&Hln7Br;`MOI5jEZ1hQ;4Z{wL&7%b8(=PK5s8{6R0{AkfrO5oahtmcS=X zh`PKM-~}D(CTdi*-jNWgg0N0@i;qH7OnaSmd9C9`9vwJ)9XhMeS(m9l{Tq0|_y$Ny zQ|QujTlKp`C6)d`o;^YVbdH_M!AU8Q6;&MiR8yyspw2is|sfnbnhp@ zkPRPA!j?H3N!MQ(XK6*o0xW|?;?w6UmwPJGZqM$(L?;(=M(P+(ED8Zf!{>$qa2PbP zqUhvmg$$4ZZo{=>dF8|!bR(cP(+K(b5V_Nr3cPIqKKK-e-5_*-H~g=;wu~QmzW< zOjdsLJat0SgOLpt=2hLqOl#@v7A)nzL(eqJZ5&`e-nbem&AkeAsB769U>reTdEBLg zID+#OP-QB(U+Xp`Cf1-lA*#t<7us7bmG{fapBgJnWs4 z4xdWypx4E2@TU=-W6__1LJCtlybWNudk=a%JNA#_{fYg45;XmkPG2~_YwB|vLopfl zFhOI7gyM``4c|vKK4^yta-$n)n_&m;q@PVNBg~aJ zlV0#qVz8&Pd`$zUMpj_u2-Q2mfs%3Y9rNNXZzq<5dr%WDeT*VM7^JZzn0TrN4I~LS zfssG5N?`^9wR>sA3!fKxQ2T$<*T^w7n=d0Tk0SlH14K6MBbkv!ao2;BqSH5$(k$C| zLxVl57BDHz}o4lWSwq%8~6lQGRv&y^Q(ZDHvsUrD_@DZPA9nG?Dcr+dbd zzsxN$qNQ&;CNO3p{F+OxE75qlN;Ey^oR z->(b8XrqfPbg&zM1GIpscl=71{Wdg<4K#?IGRv zSCbW8^$!aXk3#uVy2za7VP=fa2gAuu^!$-^y7TEtfu3ZILpW)1yS(sWqh#j-}9Rb(1xDMvESt`I#)Gr2H$LU`f za2*{?p7Foklr8r$f24?Pxc)IBOG#ZkH|v4vJ=Oem>|J1f%ZVE4-EMAG_^o{{_zGe& zsg4gLqHptMvXDzQ{Ef3ziF)%U97A4p@$*DPDHwfkv_Lxaz{8I&*e{Umop48<{=g(Z zp0-sSV&^KEpNa~*5w##ykPFDdq4(N7=@5# z#GCN@kN}>MVCdKYKc=MVU`k?Uh335rZbx+rO?tcL45|m|5}SEnSO|)7^f0AN5ZEMQ zUFoX^je7yPpVq%7iKJj@V1MJdhFZ9^ 
z1vN(vP;*vyQ0^7x;(kD=(X))=`h@$Yn?&JB76WcmejP9FGuzW%kK0=$ zue`wgp8uDaF0@`FY}ilo1Ys&W$_fip0UZ|sT~Pv~-kI*eF4#c?4Qnr{uArV}H2p&K z8EB%al%s{e*$GmtpA+^1e7cLAI*mPElSzXEgTAF1FqG+^sB_U5Bawi7{?{TCp*e^i zM&2I&BHnR&w+5xQ*-6_Lhez!J;B7uPN`lbXWvb2pc9+IHnAo$SmwTunr&Hq>-*L-? zuUvy^O1pU{KBDduP1H`-U7S}9!q_=QB#!h6Lwh1rUEq&u)5wl8xviJ6Yyw2YmZF|6 z#J20`W+V9dkZ}Vdrm@g0)gX+gx8PkuIO0XwPQB#4GFa`Q)UK_RS!HR=Dg%FD?Ff-w z5MNTto%mV{t{D9Tq<+MG&Fb4mrN+|$wxkoeb6W9M^}Y=;XV{WEy457rA#{8I(x5e0 z-ZooX))T~X#h19XAS?lN=M(J6GMjp@9ZT2(j;cusXR}F}>oA25j`iISyW5P)0Y>JV z5D?DNJ*p^?;7R?aYFb~%+1aw#7MvIrb_`5Ebi*rHkcm=%3iRo~>S= z8@-h~{0RLJxJp<*%TAP-YwdQu6?xYya{$}A^@58fq{3YW0S#jIO=qe6Or;wSb<=%P zfD?mE3WDjByZdzgBDTG2$aMjuLcKG+%k>jjg^ncecU*+2Q2cE{wg)dR4_++MbS&4A zMC+Kd+(u*_X?ix#dwllrpN}SJ>Im_@_$y!I6FQj0NV$<7aT5(C&Ox`QL?5ZC1jaf# zXt|-u&0^zE5$coZatgvZ6<<{ezG1NY*#I%sW)ekT6Iy&)>1s8L8Yd;~_t(T9kC36a z*+bJ3Nq-iur&yP)u)Huuf&uAJ^YB)Jaje3 zAnZNEO4SMJVAFG#srr0FGJ#ThjTR!!nF=fcbw#*?tCaLAne$I;5K$QF$}zbOmD_N1 z{S2{Ly_Q}(Kc^ta6p7KeS(p%Cahqh}IyKo);`oiSO>?EXg|WaRb=sMVcB%|7LZFCZ zw6@=lHiF`6dNy4=*@74N+!%$Cvbb8Fug|`L$xFeEq)3A)g1_ECVR)bsWA$a0h52Og z@@z0G4?#j1Ag2$ONLs}&Z^_~p6tI*}RRV`IAt*lPE;~h|_ms|_`?D0WTVAsW-@>)K z3UVPC+M^$OgmMd;j|r#0a@W&;g|kDmGhAdJ$MS>UihBy1>39Y#E8#`+PgF&^<(f{? 
zWHATS-bICGIg>gC*%!$1p&tSPkBj0H7<+cal6j$~OJQ9lOT?pnPBJ3z@`Yvh;-Bvl zBKKXxuMYPPzHbzwfF&6an_5cv3H?29kpngw55lfp!>i0;){h8{5z}tMAv^?16$WJh z@M2ebPECV-oBqW@gykd6D@X^@?KVn$RhJm8gOu)LI)J7+84C6N{z*~IjVSggS0NF< zH63Fo)cHD0%ceVmQ+`0fw81d+&7wrEP%4U~ zNFbA{`Hpx9>PEXz@K$<9pUXBZj?}z_3P**)rgFcQgE{~cm0QMQ zg7xwQ3Km065vw7Ce&Y3qI5F@HtV~v7g-ur?&g!78@!p=91qWG^Vo08mu0Zi5K_p`C zbnfuAPmg0JZ?Lxv5n`_=;8R+c8GdqB5`jpP1KHomTE9G;^27%dJCY!nDN9Y~rq(`# zgj8t~kS$1{m#YAUwn43H+!~Djv0_dXo+-X<&7_5Y{+-^<)uP6#prnUrVV&H8kA?_2 zy^(0On|dfXJBlK2$z#2}@avPNuUyCdA7}T8ZG<-ObPl`#KsCvF*Z9m*fM?(oZweOh zy{WpWlvc#T0f>n=h$7?TJr|92zdWP*no#=tws3iHO^tW8%_DPxyMtmghbYbs*pd;d zstPl8arW-p?CSj>OH@kJ4+zcVHI>814K7@mM*wRPD z`yLY}^B>=5&S4XKf4!WNf!t;ETW6m9JT{aPR}C zYnJw-u@Y+oXQ+4sv5|$HkqO_L5chUWl>BoF(}z8s{ZGCvnF|CxB0v5t+qo{0;J7e} z$~bJy$2B0a+ivgSRM$DF*dNzlE=t$#F+JoJ)E@JObAA~zSPewBFTSrhjOqt8a9WmPc#&FgjO9)NV zD!IkK#jart(8)230^l226M-AkC6oC8jYFThAg zYdy$mKw$Y5n=Wj4rwe4~!Ec)g$sSxrHVIvg%`Q9?^`wjKHdFa5LGcJZgxJSe%Iv-> z*7ayE{#v&4ZDoy)0q zy4RrB^TLJ?iOHMECmGA~4IfuW4+>T@N{liEa}yqlvZRQ4d5%(bok0p^e=uNAQ@B-2 zJ=f}>L3xl_nprg)Z?lFGb7nhOt#@k1PM;uFFk%0eA}2e$y-=EU zdRzi3mX?FPVl&Ms3}C;~Mxf!v51+a$7c(z&yj8PspCTtlb$ z^-q-cRi7O3s^#-pf17G2iF{G_(HI%}uLq$Goog|7&KSqc=%nz27E!~Zbfj*GAeGjmr-?Tvc~*Djy#r6) zsPZFwp~}`dw=#9iNkfMF8hiB> z0GTR%s>K?u@k;S0j)K3I)+@$jwo`Xdu*{CAK6jJDzwodfL6BEAoF>?$1a6k(eJm?;N)<3#{F+NQi($h3_Bf0&zAyEm!a_S$(yIeubBKvd5gv7_dIf* zHU4;~uv*mqB2^~wEh(tT9#kN+^;q8f`(ZW>)2Xdpzb@0P={q)-%PUx4gO9~4eDNM@ z@Q^w7p;_6n#?6>G)#&|G)G zhkX^^f6wvhW?+0mwiU7~J0Lf{$XjM=??HwWxn*(wxYw=zqNC}NX%4rdMb&OYpz5%% zX1}F&W=Q3v_#TtWn)Aon$+D>8L3?b5rIWUZ$32}VADl+guijTHeE%>{k0^mz&~rfa zbRE_eU0O;Z?;R8Wyrw;G9{Va9)}t%G{_%dt_6V469F{5Pyc%`}uIGms+@mp%iv35` zjMu-Gd(P>$6HL+dtLrP=|%9UW!MYK*!_DpDRUt;;?8&@81KhvVP+1HuR=YyMq`FD z?^t1LZC|KHXNZcaA;KkWT^ zIMnU?2M*tfk|kt~Y-Qgo6lKje_I(*4+4mCJ2_a-@WQpu!H})ZWQAze)h>$S$Wh{g7 zTvPY`y{o%_p5u7_cz(z4^N(X?p67Kguk&>-TptI3<{y_bu^nqN2jkSQ07togPG9h)MQ$0cJB{+Z|GmKkAE;~ z9+p!g+qjDBDjU2O8xSxBIEET`%2!c&7P4!Zo?5**JtvyeXWVB>i|z-kzd4<~o6vR1 
zzdcXjhMo$$gOL?_JO9q!s6`BE9EaLwu#ZGyI-VFWs@T*oRqLPS#jSCM;v<%Vw!4~= zI=vYk6}oN?u17jkaz{pP?NI_7xFID~bRkM7%Ww0mCXRrqR@dw|;5V)fRU%Nv@|>MS zDsGF*=^bo?+y*?__zYrik)Cr57noHnJ=n|FF_s_1cg3ochV|9?#E>s!hqFP8e&Z7(e}21gC^sOxDh0wiV@%Nh88V<_jRb@+Z=ZD{ z+$*w#;Ss$b%<6|);Aq&_+-qK4fR(lXZS-)KkBx|&jlDvM{QH;5@Nk}V)eDqGJH}s| z`2l@Nf5|3oL z_EqJCdx8sNGqLm$cdF}0?&;Sj$vSgRGerISeQ6qCg87sOWpMIO=Zc4V>H`o3=3wAm zU+QA@n0=9IswX=9et-wiXR5G_9(yjlg#6ed^M`F3?{13iv_mDNW1pWWpe`&n zt`Pv{Nl?5u9u`g4N8wIo%@}I*NbboXkx!)iZ*puaa>5}BP7X17w~#K&ZnBzN6yPQ) z;fG1++kaSu@Zm*}$!PPgL|s|h?7aFQEBLk_t5JXw>i#73A_YtQ8w;x6H7y0d*c~Pd zM=y;i&X0kTZPaRLiDX>$q_?=f6;RHPU#dQGeNJ`i%X+6p3_nBpUOq_{vn1U$qb|MM-(?`)<1@HAT~JJNG|d< zN!(qT?#9E;JD=hHCN4p6|2ag!H=<`$90kEE8?$Zlh-ZW4q6Giw$^Tu6{!&KAgj*bM zYCtJ~MBTF+eOTjyj{MEr+UAN7zT|}vlF{_8W{KwA7GyxbBCc2{~DN3AJ7H&fvw+tzXq% z`cCheg-y}VZ`2GDnC^I^@aUpVERe(?Y=+4&~1V_}Qbz3>PU%$fr>%;$rH;3=$ zl@bIOdyp1c2tu9exx)E}7i6>}*Sv$k+sgdsZDYyH{9$Q+51p$d@FDH>@hse*a;!qn zu^~H4?#TZpJ)vcP$!J%ns>D9;DzHNm!jctwf_~FcS2mzBPBxTmRuAl<{6X;CzREkl zs$AfOGvsVmGN3s;yZS&Fnx{)l3c;K%OMP;-_^KyqSD%sOZ5G(w;L?51g ze-yR6Q4`}!d$%ji!7=Te)QZ9P$`Qw>f zxpA^k^FtPJw-PUC0%LBoR;Iv&rcfZvx-~@Xt^O%0KPKEkjpMwtvdMWp1F#J`Nq}Cv)SENi*R^y6B8XYKIuB?u zBm7Bh9UO>pgn}xOfGQ?{5i}s4Yjk#TAp@0MAC+0?9Hg-g5!8Sy(Dr>(eQ|~T!u_`t zhzh&n(>VL`nuP-RY}MI>unI8|gnnf(9ETggSh;j2U7iL(fK&3Vu^`-FfqP(9p?tOn znDKfpAhEA$f5p{4h%x@Abs*0$LDqrkhv;$cmr(H1>9^| zmJTb{U>)2ZW6#2pH<$`X;Cj)IRRn6;iVe#zLQ`D>dqMC+gX1p+KG0{Ip$;{h_=BaZ zocu}v&4i`K&C{^mCTTOjdtcv=t#GsjK@FDz_yhap2B=7VBPuyzU{fFf#dLe_G zrrQdb=q@-N08YWpb#Rp?yR&x0CG1M{B;)bbjVCWpG<~>MDGx)mN}qy&!G_E&l|7OS z6ibQTM|U-3SRfe`>8!W-mFyowVD48#tw6R0J0KoSFTzvDH#~ezC3es(UCd4fHmt^< zzr1nK8?tynOQTJk3%J2xNs@lvnw35Tx4`-TltU{(5tq6h1$%_)oO!0mbf&IYx;e-= zoeURzx$1eL1`Et_Ehtx0Pq8^AVhYRD-=PV>Uk+r8PG>&V8w#PL+V6|XDm22e5v^fBB?cZu#iD7=>vp@>nS@^S`@m?NwEDulST zOl#`NIuUSuBoiY_h8W;A-H0dyO$&Le8V46$WcqM4P#6V`*xB_d z`=ond;FqcW(4~Ntu&TS`8U9LuJ$FQI+!LTn6owFMbmtxF^>hUh4-5lHP~BQY!Bvio z#`fHr1q-8%%M~42_Skdn-qnh!@kRN^REPlpRibdR5f<7>cSKN5;K&=b6z9u%`cxXF 
zmK$?B?6xHbJ}0_ebZE=r8S~+hBull#vAD~a7M31yGb6?Y>X*+|_4sME&4R@KF$1Z# znI52FD`IAp*j;06JPqbn9!t6lzrNtc*F4AXvZ#}nFe}p3?XL3WcE>3k0@iznpclcmcBSH?XaCM39I6Z2Tcuy!YY2I0-&lv;hsMqx@ODHe~0vSekBs5Zkf;v)0b%9UezlDw`A!8_@gN?!Kskyq4up zmD$Y}W7k~!=ZoI&YcJhjnm6x3PVu0h!Fwd!l}eb;>VolOiRkj;;S7oZUPlH`Ih;>n zTLL@@(Ey-^>S{$poh%Tu_uDzDoHjT(9rMYkgU@S?jv@m8Z~^$!ZnFy^7Kn4ypU%p2 z;sF+B3t_|NuVaZ_o)V42?FjMCK}aF>R6!BxR?M7#m+F{+QwIfmN=HV?4 zX7zdN>DX=ny(_1}+o7*r3`s!fUxRo=Y|6lzwjF%pBGgF+wY!3thH60%Lr{}uk!OnS zqXP}rCk==X#)3l2}z!dXij;ynqkGNDKVZs%h>^m z8txF3T3LO9n@CE<#NiY+nLTEJDwUU)$ycZH>uayXJgSJ}lGimigj*|+{m4tADTnInR{*zg9?%1v-e+OhNSDC{IYYI?- zl3Kl~!T|*IL_P!2W_}5c8&NJ#WyPf$1ISS7R^Cpl`WorHV+QtGx+M!|ZFju#dc+70 zu%{F3f#9U=ri=OS8%2YBj(Ylh6Py5oJ%a7jh;>|vo4n*diMcNy=se~TyqB|yyinus zbM&COIZk|h*k31=4tM>Y_aO2aw zY}$PgPi+LcwUvnP7n9hFF`h*OT3(us$Q_&R1RdQ_4NX4?CJGWPtoLr#R$ z30t{XcmlDwQGcR2?`B`=x9U{-k`eKC4I&s0S1IX1uC2oMY0ktr27N$@skUc?7Z2j>QpL%eB=HjbuYZ z7n914GA-W7KKG1;I}M0pvMiJkyl$QQufOAOhltj}G$ggf$GvL~DT%Tg^$)T_*&96$ zAqh~){o$bRGV_+XRQ&9AlNO6DKg>osBjrziZ{^ch6$S|@0YgL zK*d0>bT@iftu5#H_P~6+pZfb?ICR$lxt0k{%wE~ffrX>qPZjNWA$F6*@=Xu-dW9I% zub_bl8ypKa3K9{Bf+5HKEXPdSZBKX>+Rl&;V22MDHai4kaw~h78#UMM<^cX!z>n#Z z(6J#1Ja%4KY^jKwqSHn;P&G!;brhk;nK{EO+;%UFrY>O{Z3EJ)_%Y)M_p0s=r-MUM z(n1MmCniXYe?VI>8>0=;Ge?u{Yns;{^kR$(hB79bsjGdNz6Vpuf;hLC8MrDSghE&Y zA$==|eRrGAJ}@JJkOy<_;Rn{RZTmn>g|h)B8g(72 zNI$mtaRC!lR>xJ{ep#Ahb{(^c7%A*teiOFnno@r|4D+olRypy_!Z|SlejcJTgCE}r z%ng)z#(rJHgKu2Xdy+>fK%L4`VD%*R6+4otoP|3%V?ABqRaK5iQROK|%_vO8@;(~N7%SxcF(1&=FK~<=VN;?d|P%w|tj)e_CxxgQi zgiR{i^^6LLUV!T*b{R!pF+O8*4$jgN?PD^z4}jh!gBLXt&vTPkQo1n$lJ&Rh>)mMxdQ~vRC1+PNJ0W{c?}`?&GGiML(fL7`R${hME$~NL z0aA^&anMIE_4D|A)G3URPFtcZA#oDAwm@a1I9}_pa=iJph+vmlV*VnX60Z?PNjbSX znWbRDCOZ07qs_ACkWD_G>D9jZSJ78}G}>Bgph0l&sY@HXS&|NDk6Y=}Jed02Uc-P} zdcvk{ehs?f&a>#*(j)AS42%z5(<3X($mxANHl@&&XBzB{)qh(PJn}tk>7oQ~yS2uT z7&)1mZPDNc0gbqk#3DS-+o`$9(Zq8)B*%Os_JczHyKrb){z9T|>IdWSfJI$m0>AUo zv;kQKlz&Y@<=jCL;-gdIHxKOod}7nfB4l)vBW9)s;)lOzIjGzy1CufzIg{UHX>53> 
zqxW>m@=D@9P6hkf~nK%jSRE$EA{V~;i4l)_q&De+x({;y(HIt7gfyYameS< z{Qm6b=b8sso%MTm;HiVpX_^)xwJh!FFIPbX*f%G_t6Muy^+%pZ<8Ku|29wji$c95(f?AOxvp!~604tI2Z8u&0-e_@+rJ&y?y4lS*y$IqL zvCk|yvsUzD`>~B&ZSdxFq9!W)aUVYaf{NS@*NH+?=*Gc#5SxROH7l$sX5soKE9{#= zsfD?prb7D^f;-5VzX;_I>if^d|>%&wW-k(x{mZ$hW|_aRHMAciBu00Y(p=rkrpA zyMc%K3$9ntirHEIt=p5DULc=w&TY|DBxhm+C8bz(v;HZ+WB~DO)iIUp;^l%p3)aOe zlFd?ak_>*luRNuM{Jq38_14YVu|{`WJ0udu&5}#{eex$7j$SEu6j;t2o95qIsp=l3 zcC|Mv`Y;T=u&>_WZdc^uzA&QWSG?%zKs_bfR%$lfqte_3F%L5<32<(E5gMP;&1?fn z7sDJ5&POZPTHH!R^9&j+83yP?K!ezfccHlRg3e`#&gnz$v2UaVK{JuNZ^7;>^nr1D ztvBJs=Mrmac2`7WDyvoSR!;|V{mICX zLu$sNE1uso{d6uc-b(--9!K?cl-4U%^R4lt{e1_2`|yl&WMaO@MyS6=rc6FuJ04-z z-MF!5>;HXUrAn#ycK-l?}HWQIK$oz`^ zMb}%OSykCr_Nwckf*}cY_*w^Ae$N+R^1OAH1G}{|C-tZ1Um)@N*sX|asjLh3+#6Tx zmXuEft`%P|Oj_VJZl#nv0yJj@9n{1q~JAd-55)|VCC@clK?>u6Fi5d1!LpI zElu+nL7Wfi-Q2vg7IY-7BOqu0IB>W%;MCw|O^*w4&ySP-5;*C*QvVMAFDYp^%hkP< zW?x*jY6{WpFD+o|NM~7Eb*h_Ceg~A&jJnQP1G>RaKa-fV7nh_gqn)!-F*n{`Zn~7H z;`hQ}qiZs5RX`WFkr{F70$J4ej*XgyA?|2-=z+$OF1K_=2jRrmoIDWthnz$`uD%U1 zwwV%teJs8r_y7X+Fiz;Ywj%eDIapLJL6N`$D>rCno%rxf_&4LFoxQkZD3ooVT<@rE zVR*ytUGoS`mc0JyG8n$fhi;7*Ed`Fl!KunGBjZN*Ecp|C2^}~`>Mn3EmbiR(;@DOM zbnD*LV`z%1*^pd?+vjJDsX36<>q}pZtwG5ey)4L|*YERTIA?NB_sYiF(B6HkCC$}7 z%sCzdPRVYwpciO~g?V$Cn9z9Q$A`k+&TVyRd1~`h*M4jR#&@`ZH{L#&t+`WqYiIVz zhpod$YXI}Qz8UTV$kRbx9CKW5E|Bm>cvOxUS7e;EUSl*oG zw>x@5m()zsQA4+GCf;%6U9i6=XuY9QUU&w^cGYHgW(QDLWRb#JMP%`C!QqE^$yO4}Y=Q-X`~liliOTyO zw?7gD{7{lpv*U)VNP*1lqr3S85$cY*g8?wSXI0uAJC+jRXx3Pl+IhjifJ^ zQc{N%yb>C9jy3%@PoxA^k~EB?n=N^n*hKCI=y{XbHPV;Av{(IztWteYv7*F~ESd?rfiz!q@Em4oSATlg9-Uhwm~O{^ zO;_<b=x);R$^ZF)Y3Zh_#%=>yX_N^uUl9lj*D@9O@}P0>`U$5Qb-%LS+b43HQ|_Sf zLny@GBiQYRcQew>0!~4&e$Tfhw-QN;q_~cv5Y@U2Y$7ufu(`(kmG!m#K-*_+Hwhky=$jxT;Dc&MJWd&na=GP5vkSn7#GDa15LFt2q5b zr%Aul4Oo>talIjSS3CKdhx*NuJh;)rqaYm1p2r9}#6GvGSH8-BbAxjT)9(d19q>aS zJa(Kl{46-ry|`(6_x15NSlXedZSM~&zZEp=IT9=d)@ewu=p4dE zdt(Q}8ZO1!@9AEMP)XPA$Gd2(o)dQ`;0nyzX^Uq!|B*cB;6^>shttf~ 
zZsPIYYk8Td)%6_MpkQKpjER1(xgG-;Ic9ek?3giV?Q=SU*N3-slsl!{>iln_}+IWE;Vdmq7m}gL^FcKQ8yLh#Yxpbq)V@-S23n>FLvqpT^ z97JV6%(e#*Illnz0)MtXAN3}Edh;TVa+Kc8!xW zQSDlsfv5|UP&60DH3`eQNA}-(e<%QFjPd-IQ``sC-?Adg$v4^~u&hu?EXFLxu*385l56PJ zzzFCfrAXzXLNfr6Yboh=9L5o<*sLibtPYwoBJ8KX^y*o^?cOIbT*Fk94i zqO;MQ=c^*=FQD_WGAf$MPw~KCt`XHpYF&dBiUp5sO(qEGIJOMZ9XWbec@&nDne@Bruron|q}L&W;P)&*RF zJHrcC)?PmIy^1yr3QA3D7mnp`+RdUvR5@?$yfe!T%k6_CW9T)HxoIwPv-Kn1_&Jat z=L~!+)s#!@%nu32BXd`_-_lHlQxcNy2F5gLE)my2GZxs?bCOpgI7YYAkF%UxW5m8C zN%B)WzHEApsvrmm%18HxKWZqJqAFr0g9+b$lca9lrPs=LyV6Wsq*M8((k3EGSp5`H zdv`tsnToDOX-B&i=O(l<$?e_TH$)xm0Ug_Q08z$Va z&^$U?cq`p3TqOTg{rQnMZeUuUucH`t^WEO(iDLD`@`RNQPR``?oqEhCz}qCBbj`(d zag)PX|E5y^y{XMxrD#)F*sx+-YDDza8#}(SR4z_%3+*G=qTdyd)rs|m>==cmb6u8z z?2R8L{L$&OmDh&f||gUD8zj~wR7+sDrkK{~vr{}~2FI)r! z12AV$rU;|SPJ+sve7dD70!=d>mASC;Jh^CoY>VmwRyXhLp6y!S{%j2kh-^Uzz8YK zNVp2-t9ZCweBpMk#Ez%7&?*tb*cYDYJCq(p9im6Hx6Lk!u&sUAuO|R9g=u(P^{vMJ zhq{W1?3h>~)1KY9ocl)p)4K@v!^0Uw+_%mbl%OXQYR10db(mW{teFhpWyV18Z^0sDM48{$UV zln;<4PiRff=EU7Kfzb$V2&Q7(jRK`_{-w2$iFF&im~&f;nCmEFxp{9qhX4uu;3dFa z!4)E~5#5APKh%+~gA2^6Rvt`3uNDs`^yK7TFF>81rbt!6Szh-ps;b-<$D;mEA(Ks(?q zaand(T_{o8=vW5nG7F)}8I>*lCz<5hGEst9*ayB7kJGCYRjxWMUA7% z1W{3`5H|5>zkywo3o$sB0j zn>sUOprXH0zemPm6chrVTXablh#KavOe6C4vNv(KiIT7<2=u=gjVa`nxzsN$l+nH@YHi-wdP~lT_&^RM58>SeBMQ& zMoLT!_Rd`|7};*%A|kPjwe+KWdtm&bLU23B_)SRDTkdU5m3TM}sc2~xkeL3G4kuy6 zw@k`8`-ofv!t6K^KQY|`oBG3WnSPVJkBAg?Jj<-Oez*`~qALEqkzyUtJ+&gi);h*| z0hvB4Rie<3CJE*P02cXH&1@CzKh)sXuU|q9OAlLH%ht~Sl2jepI4*Xze- zB0CC(?#Z7FgjAhV8w?`((jUK;tgl?`NG+}iQT8(Bbgw1cC0^Gk5!GqAsIDO z9$}jnTm(~{5_c~t@vIGOm!G6&E0~KEch!f~SL$54+#dv25V*Bf2-elg9%Z1wXtwL2 z#mjMohZxqdV|@ZWy?BL_I)no2EOFH6kL;Y9YBEj~tCqcI-mI`>sd~a(B|{$n!d0Tf)H! 
zH>gfD8mfX!QBr;kPp`^K!&8?8sLFK)F_|o9B1a+HYAm*X@_(8mx%9w5E;*n01TKIr z+4l`l>Yk3$r(~vykty5<+MgHM+RdROGfxvP#Usc6d30bRk1M~cH!Q> z8W;%CC{Pf)KHMz}kD^x0)Hi$A?PP?4I4b}rM2W0XzxeRdz|p0CjwrXO`SBmJ_H4qONy>kw zGF95CorX5<;YI&FFxi(2maZr6I;Ch{NT6~qrM*j(DBhFiDwz3WcN-LC8?cz?*&s{^ z9>dvQbJOhN6Q`8gK6nM75Nz1KTIuG5loVM3@UF|Wx7U1K5HUjR6Zg~jC0yjLW^BR3ZK`H6o2g@+tyu;{qcI1@x=MLd@1BQ z=Znh5FO{Njvf^c9;SaQm}O2UE$0(Wnl@ z4i#+4i@0n0EGpO)nBkW7wXu6^t?Vk33N_D{s=JFvHeZq@T!prrMaYO?U0E7m+1933 zxX178LO%ED5${rg%g9&4+!ZSrcXMbt$$yC~9wF7g{tPDMUqa9oJBnj!z_-QGbQ9|o!iRhS-rB&&g+xwXL zEWsbvlp<^+clP^ZF_@KfBqlTL>}6%z2G#bnQG~ZMDZO)Jbgi<|s>?7eYQt6M1DJgu zAD=k~H+&Ps*-Gtku@wSwi@*FE;zaR36DJTq#^8Q{QTE?T4(@+FY&&K@T=w&35R7_Q zTZMcY1hIA+lP`iXTnn#L?Luk2s-`Ddy7)SE((Adv`~@(~<=Q~A0h;4jm~?4LQ(Cq_ z0gFCQs=tz zJJdwwCG(G#vp{-qRxUQTV&i!lm}d~jkt_11K263SLG4n;A;cD5@oK1GzyN&*;@qr> z_XZ3~z(Tr@TNEn+W(Ly2>vX4Gdszx(M+)eNb2>hb)DIuWvLyn0tc0dODzT?;S5tT;Xefe>A8fp{L? zzfK-ozu3{O^z4Mj(@I@;^45lHl#GZ}&hSW1|7K23(+!s#z__%qaI;DAlJ!s-N~ySbVNU0xo0~ZA;;awV`da6S)F3v?r;T~+3nmxtUxx|CF)VT!Yh}y} zt_}mtJEY6vDm(S*2z5onPi{{V13{}Nc(r98n_fWwuf&O~Sccdj>517`+(iDGQ1?bk zMVO1w&1Y+-mfXIo@_&~INi|Z11um+ zU5{j;F%TJN1=67qr$(iOt%T_)SBAR{h3Gg8hw7BP%!ba=ToHnCw>-Ui&5dnNopmFY zhv2@O-UT2;&?cpvwnb2{7loL==(?`UsomE`gPE&Y>_Or>Lb)y!F zn&ry0VO|%0FK+7p^29y+l(JH_--Oc!*{J3ox-y|C8lf#Gb&u>iE~U%)rsKrC%?0~Y zoJBSQXzbr86mHpnrBEWiuHBk&*90ZjYB+x{NnH7|ZALePXJX#(^>-Fpe>wiy#UK!h z(MuxI(W~m?)WeLt4Ta`!U0SKhcYSv!f9Tw=A-_6W|hDth~64&J%s59zOlDl&$dE{=$e6dE{| zvSgj=)BW%~B06h&j`AiI`l6hd|JS>&y+y5RZiG4HdL)V`v+MCR1an+Qp>JEIFs)Ue?KW#8JgZP+`EC)?Y-F}9;h zIN!HfxyIxydGWbm-*#R(hxrinrfyLT)yz}7lMR6`a+V0QWLEWIBcFo!IqgLnQ$VbD zznk*@dc zWC)NW6Y58O8-cJ?F_8W)bPwReC*^b#Qy#r;RmbsFGxO!sF!KomOfPZl@s-x!9%9Kz z0wg0;Ap_CzY{ziVw{QA`CC3wGuKr<7m^tMM2>yF%6-LAu{;SHhp z3h_+>s!%Uv`o`jKU8Xrvc6=Ss1rkdJK8>kvQywdD2#eMw3#VpNs zlKwya4UiR{j z>v~_@K&{Bi&8jG+t1#B_Gu+`waBM}qvwBD$DZF-uLWV8^)g5V19mRCVn%hLZYO^Z( za9){LysLGSMY5%3&=cs)Yiv3_w6^Ps+Gk)8eb^C)&EUjMe^x-WsOF|+&1 
zJW#o5i^gUQ+NnC`bl=NqzsQr0>`Q}|wD#4Uw0e+{)o-kUxZ!{>TwE^mH5*3-B;jJK%f8{Gxki%8MaN9Z4< zy{2;_4&JqT!4zSwYHgjQy-3eY5l-PRd``#ZhX-%k6d`Q|ax%-{%Y(mPx=}aD^vk^i zFBJPK{)-x}Gu~by8!cwqdq#)?)H7Eo{XDbrFH3LLXW7t8Cf++BQdDRvnYH*O^sWfH z`8KHE*?}FEesAaC@cS$xYd*NX?@2QWeeOdm^AOA|BKvNBwVcae9gWhz;Y=APc`mDo zLF30K%8<3-NGamQPW+j$r3wAL&L`%Fn@P6f`j zA0>f!R8UO3$2K=>vCAnwinDewbS#KTiKhA@ks-$S=QftVrD)q8+>>-Hi-Wg~Xh|VF z#{Fsj@ucjD3zMAv@C;?H06v)b1JgpQkq1q3j|K)}%TNA&Ra6AMaICXzoI+3a9i0TU zVzu58MpD2G^(kKQ+*tPYdu(%bM@I%p_~Fp;>t5Btd#=Muhf0G)2kQJT^woNCrAu|E z0jyUyfx^%cI-q~+2>;D2gqxRH5IYnF(dR~(#IBYe{ak);B(OOYI(|i=43RvyCuV@b zOY@kYttyUeYd5*iRYCVW;te<<==gIRLrlGkB@XAToWBjXoXrh_p9>*DJ+k2=rTQ*uYdJR?t#gr1JvvTCDUI%9)OchPK ziRg|l8?qxTtABeXx+9}GlvN86`Z=tuO7npdk@BeDTIq|7ULGC0o^`NQ5n+46oW2K4 zfDjf2YM6AwXxsiR@K{Bx#iN;0+JSZ8F0tQIQ=uPG2jZKj%WTdgWj@kqn18{8!>;s` z3@`@RX26fmj*gKY@T|~`%p0Il`ubQp(z~M3GMhp$Fk16@ySRcmtYG|TVMVxy`}tpN2eir*GVyHoEissgeGE(nIrMktW>sJvQhX7#!c* zI1XL<&jZ{5@Tm2jG9Am-0B!y_R@UfD?T)4U0&3e8xPM9?Y^PuAKY`VKALbnFoXz5c zO?L5{obC}FGVlo4%|MJl44@j9c@VH7=18fD3$Tb&m{e1wmVvr%%&>QHLZ)NVRTCjG$}c#1ZgFYgNr3y;=? 
z4a?uMv|8+6m^8z0*1LenjtIm^mAmauEPgEjb*|xR(Oa55WLCj=$5q&EByx_u#;{^6Ov#C zAR^7<{X&`Khbz~hE8~c$r&Wj7Y<@`vDUSwgm!~i&{B}SDjB7etEbrzUd^<{-8ce8u z>N4tt7gbgSQ?05Z2sl4Soq227AA$unjv4Ux6ekQwEas(y?YG4}#*q%Y{O|?2fp!|{ zV2LT&oTpQaA5|3UAa7zP3D0f3D65+sf9k>eR(~Zp<-y8@$&sqh2XiH6RE$(BF?-pf zZ-hX-RJRozhnx7wDs=|D70k~%Ws;ZG2T0oNT97vdQMw=m2t^Le7Lju|i;Y-UJ}ix?Pg{b`buv!n{LL;JJv|ZY;Wslv4Gn6M z(Nj$%mO&mXOWla=$kS7YpF}lyEiqpQ53s&lFDWMXX5KcwYfrLd3y*$jtMl09z?VbP zZ8kC%BYTD)&NAr|(g@zFb_f^`!jZbHZjwqAGFSj-q1Z_}na@E(J+hnpM&)O#af=Ct z=eh%a)D_ZdTmlB0O1BkkH;S~sFq-Go6!^A?m$~|49>;lYpF+hD5er?-QP7KZVC;I# zmyar`mV>XB2!U3w+c$Oi!)v$0{S_qV-Ll?L#^ku_2X41(Z@;G~&!b4-gm-1gu_wu% zCFwI@W4U4U_Kwp|egJN+a&6-L9w`y6C8jPY7|o38UGLKfh+M_*W~`Fd)QBZ%@g^&f zre?Eov5z2epFa}gXTKet(D$j`FxIQ}46n^1S5bTTl}Mt81i)6 zphPaNu$$rT%z?1*i`D5^;)1NOE`vWeC3z@v(AU4Te9*J10q zE|aI9Q(+N9&qNm1N`0`2>Jn@u1H!P>+f{BiW{f{rm4UJ09M7*RSQ`(axbOMSD)dI& z<_3kVkTRU@u+{Kzxnh&P%oXW{cb8^>IeEverQLBDyX$KzEy#VB7|a-Fk)m>58QFC5 z;OD>pgMyxmY8m_ebb2osgX=A=Q;Yw>e)t~Ur&iq75<$=2@>szqJ-FOua_X|@GPi4n zyY#s0#(eJ%n-F$%T$X105*!TVo%7rfw73|dcT2L$TUIuue$Rc}F`|Qpu5~;G*)9xQ zo9tN{B&Lb}oKgHk7{=|R=W^Rq0eUy}LSL`C&!w6TVoKh3h%B!52bEOuu9;tGU9H4) z?L@T(Q^l}S4~u)uKY2rGs606Vq(n5$*kXwx@y*D%ZJYQ(l35_Z^jRu2lz5k z3<{*aR6KVUJ{6oUJ-xf`j2XNo$of4XCR9Ri`k}2%TfqD$DdJwLbBV^P2{-(Uw?^7* z_3^Ogab?%077gNxAU!8yn+OUC+S_rH}f{> z-gQg&e}6SH!KirR^f42vgTWnnyLWzmCW+(21)jA}V+LgcJ_&{yIS%#q2M}Hs7Ixr< z*&Q#_OK7||=PP-`vHUMXrh8_gd~gtjr3VtXxv5QBI0HuImqvju(?OLkGTJiHC6tdT zRKGTE$>c+nWm&JX*WGB%iuUqa#0HC~a|~39gksE1w(?Z%rzLI5EP^I;2}b2rhK`Dg z-dg`*Su3lr&Gv9k4)5~}j3?Pg@t7)? 
z8G?f%%IN3TVqSTXDYUV{vN6W8Uot{DYSf0MQx&QvEUm;Tzt}jRe7fN-+V8Id=hx-e zbtGoB0Hq5!$i3xn0v{nSH#81l#kkJGm1vNYVuT5FYh%WHXkZu(B~g9RA~5U1nWoIMWD z!VMMHu0%XiX$P zyReMGiQsm`xo2x!SU9RV{<)ZR0p#-yq|C;9)Il+R$)TvJdR6M~pW2WdswZCENh!K> zz{z^}xSzbU2YLy6!Q>t1Cw0N|lIH(i?}K8s5)`XL1t-OdJPjsRP^(-{M}gsGf9k_u zrDRavNMI9*2DD1bLR40^(t=}ToB3)gIDA+r>xRN z)aYNCXNJUSp}fD=7z=mtrB;E zRVq1_zHVqi1>1ZCTQkNJR4T_RKydP2;`i4dS57)Y)_I$~;cg^D-}ijEgS!P@d!KZW zw14l*Lhlf7;%=?y*FHb!PijZa?IIV57LF~DERfc4i6DV>zoiWX%P|d4u;+pS^cU}e zew*A8*ENN0c!_S9^XO4Dwcx3UlV52iOdom@fM04#+KR6g%pd+Y DB84a! 
diff --git a/docs/static/images/yp/encryption-in-transit/add-hashicorp-cert.png b/docs/static/images/yp/encryption-in-transit/add-hashicorp-cert.png new file mode 100644 index 0000000000000000000000000000000000000000..2b5294620c534aa117f2238b5985b44b01b8860e GIT binary patch literal 106654
zEm)9qTq87Q;V;ZA4yxM~H9r`!kzPDVVCD7n3e~2JQNCE1tFhh%BDvN{0LGK|eVkfC z(?_`Lq%pVDfns`TyJKpF`rS3OW$(H4rtwGVxj~5BW#6bM@(YL0v$OHb;sZ37sc#lR zgGTN51|))JR$}op-2E$e`0e+5T(aelE~YybamnxxUVnQl?(19Q3hlKV_HtcJOu!^` z2#@A^xil-gJf1E`i+`%J7(25KOGgUs7wVRBd?r;1z6Df>l}S#8eM}ra=_UkDV{oTb z3Uur2Q?YpMx9ueU9v#dm=xt~|hcwsX%M&jQ11<-;_n%Ouyuj~E;7O%7w(xt*6Ifr_ zvBavjZwQ$FTp364nOqUHnoZiAQtBDv!oJL|CP3x6t7_rqm#=|9thQ~Kp`K3K(jTf> z?2gRa2jOrK*qgR05n(_#U+ikGsbeD}x;EG7=8iFZtglvcQ-%(anu0A z7UQXeDNo9Ib&nzn}sf6fW3 z7evEVf=@HzccP}CxuI^oyJBxn+uk-!_NESgYFpV;M@m#>{Albw(wy<%`0%xKJm<69 zg4=X%7A|!#Y@@?rF(jf%w@OF^5O?Kf&V{~&(qH*?Lsdu~ya%155qN@KJWdXo&5 zwSR!s!DnB&ho^76zsH<_x4g*$iwXmmUGKX#R=VSgb38sTK|fynk#7Dj&QFaHZVee5 ztEMv}{C64-w(7ZA;w{bVabJjsr?2R`dK~HafOFG)Eb;y=>%~Vkgk<)d7cxb0wtl7T zdn4(TdiTwq2sj(v`FlygbVc&(v(}InNxJBZI=WrYJig6g=19Z!0dI(VjHJ)q zK4*<8pZAVe_Jr{2hDuI(AM8)~qArq=4v8$eE^Q7EtEIDjFp=s7 z&PXwp{t?>;nd3hOT_x7KESi47pZ`Kow>VZY?^FXj^T&&?r|27Vbo}4k{{9}5aufH< z>|izHl!UBA>{+?9NHwlKpclPM<;yur0cr*)|D3Vj$-UdC$fd%Df6~U{-Wl}@y4hbr zo6Ba%byFuJmvyK}_ie`Fd$#j$5;HI4X)`r&{X2~PIU%X)jrFx?4 zv(4L#g8H#cbv!s+9nXlzCp5_z9NDhnE^}ki+af!~QN4(4Hbkj|iX_E0fb1}a)@J*6 zPzdA_E+vQHqyA*vf)I z%G15ws$kCryJ?|9yg`!xNr!)_A3^yrf2tvWsv&=>A%BYE{wjPxnSuWm;!&38na10; zop^Kk;yJa=)an0GoNE9X9<8Bu!1r6m!A-WAQ%=3wJnZ6RKdUucRin(6w z?gFxSH!X%?u*D3P4P@?WAlTF)b(KcC&dZNLLWWv<>x|3MOJuS!$_H1V?OLrtdsq}? 
zhzA>v7{7W7UTMXO>8C&pH-}gq5+J7Q>OW&W$9sFeSu+8#Y8DR)&rSe*Cs*c1x3A>f z>p6s3lK{!qRsH2kO(8o$mMz`smVC#s?F)8w4OA@|`jLo^x7*b`fBGY1BZ7xO&*k%#SHON7<^WE@ zsiF?={VQ-6*7zsJwGxX8-vyrJfbua5ij#^5mM5G_!a$S4*T2a3?wb$LtG_6c0M2ab z_g;)ESm^ltF0w>$lMeJJ&h8npbUrA#WUxsGsoW%+$<*;f!9X#eSLfZSB0zxEu7S{s zF01fY<7bCkSN(bR1e5Z!xzgXUBCN)8UrKsDXEk(>W~B3!@L|nf)_9ZU7&HB$F5W@q zDbHKrJl$(wx_x)QYT??rwGx8BtcZ6ZVdJJ|qg{$%mXu37v@*G|KDo(o5HxS;e_tQy zF=p7P=QiG~y~sQXqR;_D!yvULmv(rucK%UkC36M@bFBgMw#+~XWjEWi26~*!h-TI( z1;uQHI*Ch=7&nzTaO6|l`e?~IR~K*&hAX);6mq*9wcA0K+NdnY6jUn=wFQLXSU9^V z?MZKvnPt=Wajv6hT?i33u24@YzB!keVroIC>#jYwU$@$BU~_9>>< zH}Z&r*8i0FfvK|8Ui{?ST1k%*f9nL?&|>d zNv=&moP0=pZs7n=k=_}K;?3frMj8@v+9(vV5B4F{3;s!FZrWV}C$EONi;C_+Q7JO% zu5>PxJ6^0aT#Qm{QZhSmB)MB9RR#Yo(S+c`uF<>-Wq)%@dL*8$sy0^jNGBXlmTQ`UFS2Ft(qiN2`=6!O$C;9B8Vr5EZ1Sl(p($gM~%j=U= z^lWB9IQCm0S2}fyWi-*FaN6JcONRDxf>|bptGHJbl)Uoawr9>W;=XS;4u zEi9Z6Pr`&1Ny6GlXT7+@yxnNkir7*Cw9)hmV{*=ocMUYkXMbLmnkwC~Y-)gN|1-}% z;8|;J+?1u*%$SIruT4-7R;}~LGc%)980Og*75%N%8yC<0NaVqcgHTAp74WU0`f}dm zpz@e>8BnwcVz|WR^SJE_9hXIDM{od74UqHVu=TS*Z#yftG36^|QJnp;7UaK+v$Uno zCp1nH_r{sXWMbx{q6gLJ<^0mD2yyATv>h~j`9GppmG!sZaHmgs8huiez>s`alb>b! 
zULL)dbs80kHTDutR{J%M^vtl`w2vJn+JGX3?YJv|^l;MKP{oo1Gp5VPa(ETb-5@Jf;g|);Dj}&P9xE=5GsMPX-0uphqIlY!VO7LevtdQ6hm}tGg-R<&iAJ2I zppIJl%+u>?!Pdm?1aQVIr zo2e5*3gR5T0#<}EB{+HmB$VwlrZb~hep=%D7_a5aHevSeKm1>8%p}KDSIZqei5-z| zTp=cw`VV?7eQ-;&QR{3$y7b678Y#Mt^p-U3R_yPyPXpb5gK@Af zvv{RvCAn2~;9K?1Bif=l^dDesBV8zB7u|dSwe#1lG_un-FoJ=i>cmkHe({t5Ndl{m zBD#2_lFXp;0iS)Ce$_a zKvj?T*EN`=9KdSU^XMifKqtphm5aWK8>-^>)7o+zJ{|XsMGm-b@M;wFxjog8$ex&GDdf<0J-6swPn$8KIHz^s# zqWWSvkAf;_BXb*|xdLJ3fcSiOX4v@4i>I0=iODgxD=oRjLEwg(wW@*X4|w0XsgDQ1 zbk}73GbKq81PIY>L^{Hg3NM~`>E&2l?=!Vg?%){1vrP>g=-R*thO@rFr}-(LEizFb z1bMW{GC41&8m9KGr#GhTQd#k?Vno#sy-C*8$Ht-2$z`PphD?O!zM#9YgKU08jr_B6 z_oV8hpDetMm`^QC{=J5=>kf5 zd!`-;_kZIhu{d?wxTs@o#s<@mtRZw_0*LX8EB2;uUh8uY^8NE4*Gh6}PFCj_A?bjw zNaFnSclX;CFlARQ)ct7Acw{Hu$0(iT(x4AoDf+gP?^8;sYYH1?EtpR~Vv`Zeqd(Bc zdiD{|4T5e)B8!^4C&KYjdE&Cwrf+8Tz8#!|7qvV)lmO~}4%DGx@oIrInxO;+6PByu zPv{_U#>uooKpM;o=PpH`5-bk}5q)Opam~u9k|QZXYE73#SEoKO4sqiN6(YT%${2A^ zIy|n2m}ltFWUeq}H2R8uPIXG8B=)l4jE~6f-?z>7Tln)N>57ONBuCJ9rT(g|70m!|xI3_|xxx(0v4R8K2yYDFV`TcY4VPYG> zk1eZ11vxaFWWJ98(%y1HBPUAcU5JV6QA6Vw{VN1)0Buc)z zrCYl8qBKG(AQA=0StG%WY8v6+la@9Nh$@x|wWVabIB31Ze`6O~DDP*&>7A^ADZ0x~t=yUfl3Yy(?iV}#P7W`seKSe%v zOQZH(e4*wJggX8Wk0QtqxQ8D(6QA(ta4zGVc~0M+o$?=?H8eByo@sItc^-tMq03ayLR+>(6W z86;7tFcqXi?*R`s^VCMK93Gj!>NuyeOKVVGIUgrl6TwfW2`kN^W!K=6NyNk%^>Uq$ zZ)2t_xZ68946uu#lHA;R?5Mj(nM$~ELL>n}J(fcx%{XZ0pGQY~5L7NlH64ryBzuN; zN-t1AU`iFl?EKApHFp7C|7>GR%wR)jo*j1n1We=I3F$1v#vX*`&}3JP5a;j;)L)*Kru5*ae24r^d*(acZQzb z8%F}qKW@K*?0dL^?p@ijXirK0(AX(^ttU1*4&|_{Z$U-)Nh3f7BD8iD+@Gl0CkBL);G7=M z-rITik2570m|n`uUB$s!=pANffm7QJ6}>df{roM+aRkQ1Y3qm!aILTFWsj^+q}_hj zkY%d6YpCDSkruUt*E#>H6C1CZFwv%)<>r%r<%7lgFCk>B+z8*bR4uI{R|lvSxjO?6kb&j4Q>^VNcYH?`3_;CAr)8@yOSk@Fz?uS3 z>EiVen(oVOvMFSM-3uM6gSGlkD)_J?9t=C>iwc?+bOFGY@R5A_MxnG}^GVg80Jf-~ zD7t@))y*fd5n1Fm{%8dMep{h;*>@H5Wa2)vzKsp_c+OlOS>Dq-?hcO~wj|xp6n}Z# z&x837Puu-(7iJp{7Jhy8=zaLU^hT?;xuJh`wNTt;#?6H^7r33X)8i(wp-VRDDGIVcD=zRa>%{>StwT~VyIwM;U>OnxY}%+Bx#+relRm9N5j!^{Z)tpqv>My z7V_Gslh?d*B_$#bFzzyI{A;UVGt 
z4cVCNiQ_$1r++_K?@IR8Zu3#h<7C&?T!acZo_&rjcr6fqwO~(OAR# zF!o@rOVbrcYHDgKL-_PJ%(0B3p)q8mZ<}}A9vBmjwS4KdryTkFT3^t}mkiDyi#PAn z%9w^RoqjW!B@oMaU7zgBr44>iWS>nA{NsqftdY29(^__IOUq#0b=OFJLQ`1HKC&Pb zy|fRs*SPnKc_omglF+-Hga4S1pFO`RxA@EXr8ILVM*c%h&+y+qstEq0Xt?liNsCh! z@a{8bom{tml(hABqKdUB-&RmP)i2u81c9;D@V_(N;6MI%-v;(3VUBOxwrv|5_I0m| z{^{iLZ$HD>w`|$7bbtN{+43O$KlX_+eH*Qbl#&ABiOIOlJ9UUnS)?x2#t3H^KyZA)F)&uQa|50s-0`4OM+tY3rG;XLS`@m7Hyf^mvvak zk9Fe!D>HlFE_Y|@kC4LO0u|ap`qGG;WPk~pR~B9_dQOhXLCwl(>ASCW{g3edyzP`? zq|?|<#mYjbUG2$t=DJ%}j2)mbV{o2*AZ62C=rW8{8^txI3E{!rq?X(T*J|XeHw@ql z2fa^XvOM!y#CgwYKmAy65%_Y z0r^KRy8`}J9<}U;m@h8GdzLp0?vnq$=~24rj%WMnIESP#t$N99jhHGu6b5(#x!r*5 z*V9okv_{R`4U#Gll8{vOF1e4j5r*?>J*@QjxZ=;Xc*&;5(P*z3%T2ul57mLS>9lSM z*&La)NdRz+vG^5E0^ege>h6InOiWDKcCN0}i?&cOj01;7f!r=Y?b?>~I(;NhH;+R- z*6e*KACjs;&Amzj)Kch4(Do2fIZltxCE&>rf`f&gHo6kn8fXB5sR?sYnLa8p*HGC7 zR5IOtEg{0yj8p=)Z{kL2@0NB$XSx0AbOoJt^it>X)6%@OdoaSBAOYZ8cx{6e*NQj`39)@Ma)TU%u01BRgKCP0U=Nki8f{l zNcQH!d9yHSV=PnZ+npV@VM`kCD)OkM=LKX=$(DpeAzB2R8ot!zNA^HoW4$!vpR~wxn4899Zy3Fxp#6`! 
z&V=Y&1U=2Oj`}~=0AMu!=Gy8ea7t{tpl2<8L9EW?)AfQId}K-LC{xH3Dyk-@Go>Ar z>b*qCPF;!Fm~yf#`d&c4Usd6?-?bl+>%)-^_x2pN{Qv@@SR@v7(I0zQ&(Gfggotvr zSB&3fDKXQS9Ndj5Dp}UHM-BlvKaT6DHfdu93^u0vR{CsJg#k_m!G_#-A6s+`lO#JI z6~6-fhDaS}{0rj4Wasnx)cvdAEqMhbNCELKeosz~86xN0*-vrUqvAP$Ug@vnkj2w< zz+AG?;~ry*>BQ~Tu~4oBuiz6({(g&yc;Q;MPwx=l>;fVp2HwOA6Erj_J&Cvh{`?W7 zgR$(tE}nEM-I{D^_Fe!ZGeMhhBt5hT<1CBYyQ$kQM$JNv_^cwN*zfic`cxxHY9vJW zyAV!w8pjhg(XlC7MRJ+R0EZ{|+xrhWjAX|+tgVy42P&bik-L#3&yS;sKqfNAvCz63tSr|btw;ila)tx>aq0E2 zcbDfYP#=>0fr+Uoh7HDQ>SivLE$-$uY6VLx5Y~P37w&#{uE=mL0U;Xml#q;OHhOZo znq)0gjWg?)q0?1ckzfy~Xv!BZ{J!6XQkU{^QQCld*5Z~aAcr=Au8-JGB?lYoF+Ps^dVr)H4(@oU+qsB?FP z&PvGg%6vPd{n(1*d=hJ{^L&bac#Xtj=l&W$CTbN6)1Kbd;$MP$T^T!A%U9qrW6f1q zxDh%|p@P}XVjMfoN?R&9_`-0egT9*PxPis|5aOQJ?sFL0(N!#Sdls;PwJwt|4yX?x z;Z|4rQhx^(Yo8N){MiVEpEO=OKdq_fViY0S+W2|;=KI?ZOQ%4Yc3nwvjQq{hf^sbT zk}@L8u7fjJ0&=!e0JemZx%pK2I5A(8TDn|njliQvA}BunSk|j<-FJ{a_h^B3B^LP^O*PM4H_u-1>?e_ z>G#`#hwhMAs{ZH?aQgZZ^FnB-MQY}0V5~6M3qy=fll@en$p6#VHU~d|fI$R5>A@&q z8EZ`>!k&z0`%LWZHOeI!B<0F9yX^}`Al1U#j_w-V_^!rFnP+LY<5IgYXm%FmRb;#F z4ellJtC-s5kcK_N>>_f=PMdY^5SAwrWb zsW!@!<)>_dK)L4TCUA{e_QMVBy}g@ET+lDO-bCRugNW_T4D(a-&VPiHzsI@F2Y2H! 
zEnfKof$4VXb`IJ{6Q=EIsc$ij&ApfP5p^biFx1@4iE(tJJn==F>)r%hr8elCj)LGR zQknbY8c@#S7n(AWXD5-Odwz7gjP$Qcv|->dfUoGN!1c;(R8q?O&+$yK`Mg0cb<1zP zU_Egd);`+Pl#>nat*s!Q?QU-(B0!eNMNSf9IzJCj#5SzO8rXUcUGxVgPj}(c%6{R_ zC+Miq+c#T#e;-{u_OS<`>s$ykOS%NI3b3>rIA?`s*6`zhlpj|5V*b0#V&6YyOv|P^ zNbAqcqsH=^!$A%lr>@S4_mOS5zv&*I;W2K`5&wlq>)i`Z^?LTT_6TvVsEuKN za4$ok_{^mP{jSMXa2yJ~P)_B9V|-}9A(`O$T&Hl-)bG&POch^-V(wUyzX$o)(?Vk} zeF(*h$QD){7b|)3kv5*ggnF!8ARe(ri@J?c@7p)4Yc|W$Hw%k{erPr^p8io&Bdux_ zTD}k)ub}EXRSb?N;zc@LjMhjlJUs!KslzdGS49S%lP)k8TE$wU(=1m=2(_ht$=qWyTU5O%3A z@|ZEIQW;*nRv7T~CUpSu{3w4Vx2zAbMLV-;?QPXNI@Rs~k--(op zvgrx5N(_%3f-T5zT@r4cHqjx~7g5Z`8-Azl?1tzb1!zK}HRwntw?{^rW}kb7>lLF5 zK1*NdjSjayJY;4k<)+F63wl)upAvsQm(NR}qg#!{g!VeGF=&PrymQv?{04rGZ%kLa zWggO(aKS0U!^X7r-$fTBF**rmgo4-0>~phs;_%;*4`~)0DF-tmCKdo_DZeqpxADip zF2JpOF!#^Ty<8xhTid)NAl8&fYLheI+EcEj$luHzA3|&#$8*@#hof$lgf8OyVFEFF z1frj{TT=79kzG<%;9ZS*A>rmoTATEWM5gHRV4;x!O&x-KUnD(9_I^gz@o|IXZ%PW@)Vhs>`rpz} zRVZ^+TyFKZtY_WNKl!hHVwvStAx`lFRUrvAH8dzCxoqB*@4)kSb4-hfQixs~o*ciR zA}1%uAnA@p%3FX#^$+S^91Vr-S+;(a51IHOHy+TjmM}W~CBcnOl)GdNroNS#!lC=K zKDGGQN_feY+Uhv~$4hB|(7F*)Kjt1|Kj{C!J#WZ&FrTf>Hg9bSaM@CRX;(jXK9(wQ z*M5e=2!m@OWk)Xf9#A}daxByHx5g>Qfv;mL;0h#kJ^Lyaq%M$xa1jy5OFb^T+ZTwN zSM~Z$rNvBL-kSV~cZEXfz$a|3ruMHOY zhE>5lwI_n22c8_i+qyxWnzZu@zrKJ<8|$O4x#ldgg#Zjok008u@@4E%1~%*+)pH!C zF;q~gX6dU<#iJHI&gs!(SWa&>;z`t+5Ga0HY-5J*waUHAM2ed-Q8%qjXi^fC$finW z_D*~~7&#IfPEXTh>^{i+$A`EjFW1WFpH15`Uuzen1g*Q5sl-(^x(zXVI%|M8<~5EM zWqk8kUkZKFZ`Ve;YN*L4*)=LmObD(YH5JWJ#h<$i-j>gB)p20|fKgl$RF>YCUQjg((@M=HBx>Sx;h({Gh zB}1?1WQH!N!5e?+{}C|XDosof?zPpHwe(n> zFa`fkURfSEpDuy-^B9T4rjIn(%i{>D_-8bK+G1wjU~-}6j|mD*y^~LFOBqDRF3ThH zF3YSrQ~*~#1%kua%0)MGdyrfSHZd-J={3C#$CR|Rw5HO5S68-_`sR)uGUp+d27nQ0 z21{E#VSV_vs+);Xh(Xe4&)v7aIG;mFxoX0 z%2Y%WDzl*JAs!=2o(bjQM!x`Nmp^~uzt?jx%QY|s-TN?@!(T>@5{Lt6G!k`!Y;CG* zhi%+;o`yTfE?FVv*1q80gVU%176nqM?W*CmFSAy=E$l7BkI&S68v1w{TFdkRC#W+# zE4U?rt<4D|fsGBzIi&Vdqnef*WrV|RD>=SSzN~e>B?=+P6>UlAQW-`j_i1a$^+j*B 
zm#($jZObk}0`q6Js~VYVHA$z_+BvXzsa}8%3&TZlL2LEt5@zsnH!^#@ViIlVWyQbavoU2Kf_>HCR6e`<5)6N?fHlgOU9Guy$(PePU)YvkCBu)Z zk=Fj3nQAP1QFD`Nh_2&hlt2rlg_Yo{afHh)l)nz?n{WMLIz2%Z#0!0EsK492dv3UK z_Sv@w`x%3Kyr50)N}wdkghABag!G=SxNe}mo2-1c&3hen_&oc^^GkyUujsFSbbK`j z2rc#fpPw}X;eXa7o`P+m0@nc+(|nF`{yXK-7D%V>Zi7!KA<~wq-%|y7@d~B%o9+%`SMaz zl4>LBwro;O#O$Y(fB9LMY{#QFfRQG0`_DDBU8_tbm4F#NKA%H;j?MvmECC7Ss7z3u zF?u%+rBpfAPfbF%l{@$OWCVV1y~e??C-`)bHTe~nqAULPk1K|J0*dE-rHjs`VhOAW zeZ71;HDnH2R>Vuv4+iH)GL8x|LGO5%lamVwaNmC?_k{oD2@J=hS$_^k%QS=G$@PiJ zndjNv$9fM=^gmOo@nusCeU7RUtFDG+Dgw?!Vm&WWeXlbo!P+M-LTyWea(#11(Ee*k zpdR{gw~4$W(Q=Az1S6iAM!or)t4>D2Zh7CMwwDmi6yXnMr_1i{9=czWpzyMxFMFrF z#G5v91FJQ(C++6`b0yN|!s55F({?cnSzrTcow^(}^8x)nOMufXAHrlWJ9uPf!2x&( z#;|u4Uy1nIqSuC#)!|WL852S1HdrlQ4>L&8`(RG~%Gl8>GyV4~+g7+-ZG9E2kfwIg zPFK+GbCQCkZW+5amqRibMhl=NQ#`C3_6uK)6HvOXy zTFaTh^N(k92D|s(i(eP>TZ?$%^lv3XpAU}(njX5fXE!@itMnG$w6DNSuTS*ct6L~F z-=x|I%lDY`OW`t=`FT0A zTZ+1mZVCTi_6s|hxOH!r?S$tEMP+-aHfw%7NB)g>q`lBaH~i;DhqkexJkzb0y<>C2 z@ctjW?EeE#=6}Rj92B3rhS#5fY)d?n2$|GHRn94HeSaxbEpaGQ znG^~Fw~P~S8zCrZ`1JHcBP9MFW0P+N+2hILkWgLt1k{s-QVit}znjkVU#|9)UuyvP zM@i;FkIYc5mpG4Bma|8qfW5~%f%BP7UQOu=WJe-P?n7k_Z;Zl6<#^JrK%!a^;>Q)C zmLF>^(B#pfHggHo3a)eYBBr07l#M2Q@V|0*_rdg=QV!%-LM8CF6uGsMu1ueiQV@z88se%N>Rw-Hgyx&j)WsdG zx@8Te*B8IC5&0H6^8yFzQB%=%DW>#V-tqHf`>1r(_)Z)HNO0t5RKJ2gP35 zf$BvuzIVk>Ssv1freEkwzR~c7Opqn!qz~`mzW#<=>ZwGFaD-^HNt}Ps)yypZ@VzYB zdA3G)wsIM~sQXf8;S;C(1u5oRzLtYBm~Zln(p|py?vCtCs=5^+Q0`` zw3HyotJW2;O{xrPAP*-@c6t9UADqsTly%a{p@NAmJ(5EB&5`^f^%Zt(d-AHkm-9V& zLbu9e9lU^G1g5o~KX!Uw!4|oV$zgA7qS$&#z($&3*jbzN>l^usRwb`HFx-OWn*PsF z3zZx%j5<*#cAvQ87asHnjY4MQIo)!)tkOJrUn-S_hc{${;^Ak2Exm#&PS8B!Xq=@*c-%caoXhqT=Ce8fs|-`C^Kx4PekrPpw=r+sacRBI^eqpmPo%~*-Fa(} zv|T)b%oqR-|8^vrs%dtbB!4B4B;Exf=KgOYL1dEzmiW3F7>thT#co@U<&;zc$3Ta& ztv2azALWSX7k2YqVq}{rMCDQ2VV~LIe3dLSfPN|KEo`viDU;pgcLvw8A1XTxrFNWu z`>1f(Z^m^z7RlS$;aW_j;TE?=sQ&Gv#$hio8yYDf_m+SRne-00#a&Z>%Xb_yF^20E z)9fiCXJ)~*FdzZKouNNjYk$coN{d1Musx47K@Pw|&+!i2;?Gy|muCfU_vb75&u5AD 
zY}1i5w_;(Fn{T@hjkj^reHDw&seF#<*WaFm^M}W>ifX*VWl*sV`&H$WbIxG6-GniH zk_%hkg)}6?knP~?wwkg7ainRF$D$%~Hbtxnp|jne0$!dmjt2qW{PM4n$ZrrF>gqlX zydqB=!gNQ~?#uh2I-Rthv&o4AE7X=rvmf)odU+Law)dg?{xX#d&##i9y|z;*LhHL( z!wjS+A73GX4XJK{Uvr9P0+br#;aJ3moMAW3f7=jI1YzdlThgD>`NYZ2ZM_67BzTF< zhR#eVm!Cp95{YgZN(Fuuj`wkJ@?}G2QxZ8Ho#8%l)ijM;6y;g*=<-LkPGa%e$g<1K zy8%)t!H`ABDPyV)6XrvNiA&V<$a51kL>vf2b_L}$8org?6*kcq!jgcD7TkM=#bd4> z5+F}E5A?`w2^5MRcg@?km*dHw-bgMkBf#c-O6M{X#(6HD4X zBn`-F_~nmrbt6YEglOyhw#P1PZ!k`@8;+dMtcsThdsTEji^nak<)M0vLwj_{+Ljc@ zc8Y2!lbNNvHoI!Wm(@5GKdX`2Sat746?9f^&Kzy4yx)oMyNN=8SIPphM8C2uv6w0v zyu|n%_IL}?aO=7b#|^_3aPdCfv_J;cXe^@OWD7zGOh9aYEdTy?YFD=BV1N05lIbNm}#MU}4%L4-QRj zIHm-7-n>{L9xFIsdpvP~U_arY$BzplYWPtIGJf-b^7>_J6QUznmnEz%_DGd1Y~d3f zGLeLZdbXK+(OI>u!Dr{b8G)Qh&&7hgwG_Si% zDV|y?DV-M58>*OnmUP;w)|fISN?{_cWiez)T4}5GvP_hb7u4)`jLAoVRmc5D)SKr|pV>e=Q-9tlcE zT}D@-k~q-?vtweVpajV*8<2mscvsq4S|xL_O>q{m`NWXGk>`Nr)LVM*Ii&Gb^7Y#V zkh6bDl`^RJ*&k$)biX@F3_u={%UpUJ$mkdrnnxi*Tfg@+`d*F9=mMEc0h``(#2%z6 zn5{*cwrrUm+`e4Ym)tTTbG_%8Tzn>6~QERham z<%xs})gm(5Tfc}E)-yZ?XIG$1DNo2;0P;x7z#Nr1jxgSaK$7-=0(2BvM{Fv-5hgLi zD_Y{&X}RO@HWdhUi%1)to;MiUnVJi$mz_T31>(-#-8Jv{wS64{PN0iFZ=rkN*6(zI zo2yn$;g#sZW@h1tc>8i{xu%xuq+G9+TsUHjHP?6nHKpOH9P`VbNbrZuHnqv#rBs9k zskLQz?1cj&zj=T&XSEy{GWQPKQDcaX2uH)@)XD!J3}HnW!p~Y9U=DOPAYsfLtQn_! zx{xNpetmhUbwYr4DS%iI!lNB5$3=Yh)s;aPb0P>=u3|yB+K5~N^%rTm(dtFiQXn9w zyy46b2dY4D=Ev58z@4pvFYhSeu2CM>Uu(QC`*$l&ssBXox5t^kW zCeWNktfg53O34ZNBrScTdc=AO*_L+Gj0&N(vSb1jqj&k|c_q(8EIEGIFB}Uw7v4x! 
zckOq#Z{XR!5FHA3>&Y-~NmOt19z;=;T)5DWfq0*|v#-}VED>4@Pt5kSobDwKGfg_n zp)_>2!}~pKv2-O%M3J?08I#8Z33{*_b{MDJNM%2cT+bX|xG`&Ql zNi8kEm{zss0BpYY(?q&freV?y@{xC4>F9}Ynt;V}7@6@E2t2%BxG@~L&HW8O#9o3iBNc?WQPLi{543rah`5VH5%gn1o#h$(TViG1?xY*?Ru=(gp^UNOcFA$gowKvS(?9FeVDsjkMEs z@(^TK7#+qJ`PZqS1Lf(115Ba#lHDhQIkhF3$ZIj%G3-7uFWL@oC^kxX5R_fUut8XvtGj=cc(s0 ztX<-4XggV~uDj*b>~Zptx5~Xs(=_IXD{9;5HjFc{gwtL%0b*CP7F71wl&S2AASUUixyP8gXR!Fxlj?u=K`dsoc9l$Wm|z=1yZD&hgr+ zl!Q@b|LVp<%Y=E5lzyh#z=%bxHOi)KG*oC^A-Y~6M0@Z9{3eT9+;_|CRHY#P0Qijt z=&Ltc^@`nPJlkDU^8_s0F&d1>rkgS$*|&GtdUi-ELXO?CV7zVhjOW)A*k9Szv&~54 zy}|0V?D0gJ?+x$o``LZ^m;Pdcq%j_5V45;xz3wab2dVDDnc3A^XACYi4K*Z*t6WaZ zT8^mMvQpfaUaej0w|^Hj8cCbW%A@m+{ht~P_9yvk7;c9hNu&;Fn#F6jnbLqghd(C3CL>(M^NWepPWc^`T}!@D z?fb66-BwgBWH@UQhfVAt*A76-tiQB^pP%n7;zkc7FLkA8Hf`v1dUOhj>8x0@H$ESq zePb2uy5T$C%GWN@kbgx{Lu!j4Vq_mC22>5&!OULn=ky-jg8XCiuO3_=#c+Ue4#%jt*B8WEq?oMCdOW55bQD1qasL&6Us-1# zhw90+4I*}#);lp<5-Fu0DRH7Yl=5$HNrZ-t=a2F-ns?_^pdio{2~ZTA$d>Xbj-7ai;9E8B zzb%4X!|n*wvon<0bwyf?(HJ&PkLCg#L`27$!W9*yK1 z-myAPiup2?)kz5tQcaqzxrZx@Pn_hy*oL3P>Qri$>--3u-2zOProMw&0unQBQRKYk&L zEVJ;^l=2YVD1sxj5=6K9Ql*9}Wc67T1R`xUSeQJ6KI>NoNgJO%$jfb6ui-G2jmCHEFV-KZA`r$ zD4BhPQ)~2&+eI(Wuv|{jNV_67ah4wrz_!~Y>*dJLtl%$!&9QI^ zJ!3pU@@Bd)yCbW8bfT&!ZS$O=#jBgoT^+uH)f2ZEY2tuduFGj1BYX_GMxt(xf?tbc zmqRLa6|Y4F>>1td@YsyxHj=@3hVZ{aU2Gx*7c~D{%UtcqN1ST5w|t1JJ#6CsehJe4N%8X z9wJLA=s=+Pq_5Ri;RI)gKKW5dHIqx}M-aX3j^#_6I_?vvk=U!cmv;PSPb0Gbr)GhhptO99DIl^;=fAk1MjGuv$ zx})*e-W57-OaAb~WFaf6@Q*Fa$eLtBAaZe$z}l+J)PFNB*-Qa zj6(xIcxl=SLl?=yT~u~-L$$(!^@*)Hxnr3`NOtnX+p%u_tf(SX_0;_j$irhw!V*`@QzK>rKf|l+%BszrtZ0ky)u0S_(MtB;qP|O+_O1|&6 zzJ&VNCe~gWN4!J@j0UF}NcEp4iVzo8dNzukzqUxh0vrPMD^1HL1L%moiaK*$tIhSE zAs&u@&UoP6Oad+|8Z4fzR7cc{)kj9c{MBX0X!%Mhqf`jrrq-VxM2WLSmEpCjB=>9O}y(1&}!7! 
z6O6FPbL)#GQa!C8Ni6(&f&k6FJKO)C_TDops%&c)?p917CX#@FN(%x-Qi2jqfKnhC zij1HlS(F?b5mBOnBw3)yIZG52P!N!uv*etLSkyPS-KROgx$hX?8265Qe;j|+u&BNF zT6=}L=6piDTy$ew2`)#3G_ZQ9wA2*~(jo*j0&8B#&KuMk8s)A!^RDj7kXL6a+1)GW z5F!24VqYpm*QN0QmB#BzZ`!s8rTjaV)gK7*ohik{F`Yc`F>pe$07bWcXH7Ox0Tq`H ztY#8;CV)(d$xmffU%QupMg?^P$$J{cVPRocjbAlrA=vbV8N~O(9SzY1OEB+JmK0&* zGUk^C3FE2M<#6>mTF z0j+JUei`Gz>xak(S+r?dFWayoG79VcheR=gI3MdGM#O+Cu{h1S!O=ni&z-hoRgKI+ zYHn)vGf*k2tmW?ujc9M_Vy}n~K?+V43MCVHy?>Qskpk}3YY6`lp-6!Iv>H-_Y+9Wk zn&gzTryKZ+ln(l;qUwa%t%RYxXEB+QH^Rq#BQ~g9#d&7FiXnoEnE>s7I|K9O7jJcX z>Hw$Bbq}$m$vhji4g~36G*geLSU6m4y@p5yEl#=~6S%lixD^_%6-XMO>-_;Kc!K-X z&kLM)KwRY8!9bEpZK!G3(j}*RCOj>i%0%Z*iYOUBUGH=JA}{1W?YuSW{NyZo+pGGQ zECx_gX*=lH+3s`NEhj_g66KKy9s~K3TipZ*!}zQ|l3UuWH${{*@EzN+yIfm@jWsy? z1-Rcd^?B%w0nb^+k&PVFhItkzL-4i`&*n7 zKBChlPRjupsxq9QJXJ8;+wa(+!*W*$@T*OT+|ZfRc;KJTJW0v-Jx$%J&=)-*0gtm( z$zPITRX4I!+Iz7)GJXw2#*Nxowa%D-Ir*!IHO^vi(vL!h7?s-awcbWeW4^HUtK}|S zL-JA)FZ6&)lX z9q*ZSvZgvim#hbK zzgVB=^uP3{7P{c_X5)x$6-3u}*AZ=t6|u+4LKP^la9nmAMI3JZ>CLAVn$b4lYJGRw&E?;_4$JM!wS6ECq?ZV zr0Z?(D{Z~@cJR!3t6Liro{Ly%jeD@A#(T4R@^Qaqk0n&hYMQBgDQ*DtznfDgWpeuR z^p2p%#RURy(jwak2VKYXB`Bl|ioHCc?x-V2xPEfqtxu=all?D)m>rmDPz|pv-@Env z;Jjk`X)!YO=YMb)FztKWj@U0+w5sY4|6uOb2C#`igd^@%pl#A|5uhmy>Nb=H0-{1j z%Lc!K04|)ZrrM#N*`xxlU7Z;=au2@wxUrx-LY%XhaS(U$9kV!=V0tt8Jt5DyU@;g0ujzP+3#d12ZkBK|?MpUXQya z{ZSJh`eIQu?(l?NXL;$WaDr%W*I>`GN$&mMm)93}S?x{0+(^`prnkpH711vT!PLtX zdw?zwY0?Jeq^q6FmGa}m4%xdPc_-X-L93y4h@nrW{$2Fg2BP+D?`n_8Nw6#42*fmDRnd~QuW zCSn3i`(`pZd;P$AgjGZ8)y|~&wMnQx2509kmo*}4R+}$Z5QCk*S`gc5e~>W&xY3xy zhjrOnOV+?rr$sNFoKZ!W2yM*m58@~VjK-^N&iJg}Bx;knuKQ=R=c zCasSGCH0r}A|gVeuvtf;F6EDkrK8*^Ab8Cs*-~L|5YH# zZ8Un9{fw7$WhF7?j!;~IF4P%I%fbx_l zumAZ!S#vKj2H2_h7w5m&vC*FWvH2?oxVLf=ZBC1j!szA5qIGnyk7KS~%|%pja@^7x zi4fpS0;XTE_27g_PuLYv%0{2ujEd&Mpl4L-j&lvS)0?|KatpAATTynk9u7GF)#Hs6 zH$Ej!76G2w8tPp6GU;vN4Kg^?6*mTuop@{P5_HgmB3!2te``w-W(72I5NRyCZ)mN| zhDm{)v3cz;gxmTuIjRSOiX2{R53#UGs;66Dm_^NQ&Qy5l~&Kupr z@4r}l#84$}ja$wu7Oo;2da#J2T>)Wh!)Wrd(glo1Tvvs{3}3FvHxRFCVw>sMS++_+ 
z5CDyxIC4}4Sq}o(6Y5E{F;qiEo?*1tC0CFNV{Kg;2PDVb_(+IZ9qaN38S7XK^Tk#Y z4|c6tm=r)Ly4}!K-T)jy({%^|Bf8q0#r>aQn`A_V5!lE_-v^~F?k3#w%&}9J3@wVH z>=~>uH_9M{EoK$tYHgyNG_D9%n6;@AG<4T%#w2GTv3qC9I@QTois+$<6?^F&@Oni1 z!LZQ|dES)Gn$k^l!Bl3=f+m6(97pzaCpv{_#DH<6Z6105PK19{c&zTu>w;pyIAF}Q zJ;b6I<2~eV0VBWG-K==I^;h&->cjgI7)ud@*`4)4l6=-P-J2rfsz@2Tbf!j!CDyuv zY?4nuNn6hV4GwBwHvpOUoq>8lV?~zb82NSWqFzjTvpS*Xw8@NO{unyBjN*gJ%JiT6 zkKINflm)X8+cF=*k#pFd*YN(j16P!tjT}a5x`5e4_*o^oks&swki4iMnt0Kt<#2AM6JWolz!^q_|#>ogjm8El(qdsz? zV$ubN&=1!8w9DjCT=WA&3&S;@Gb0g*D5H@K$R_qD@Xu%G!<is_U!MjKIR`|yRIxOvstw+ld4sR> z=8!FW61}JnzAm3|`aQY&iVh3TB$0rpMlCO`WjtB~3g*y{gX+&;LZ&x$dUkB=tIPf8 z(mR2AkB%b`+qx!gW~YE4ssy%HhnkRWl5}PeQG4WGX5ANwDJsP5Pk3a5;I~LP^3Rs0 zL=dZ-@ol(_M8Zx-9ld@_?9;tBp&%oildEHm<4SxSY!1=*1q}LI=1%TXGp9*7=L; z?Gse9J{1*=L9eC}RZrh&FJ0#hWks)aY9LpeYCCv3A=b0?(TN@n*XNfC5X-lcr&7)dhlAd7ckx>-W3n?P>iHYB~Qsq z^3`LO@`P{im`BGSJV;}ZIin7EO@w{ip|BpKNyNh)%=9c2bE^<@wn&CUYw-L@u8OZQ z80U*3&Yjr?EaFRkJ-JqdSs>eyNkdk{RAf~-MYqF;2+4;0_b2~P_gJ=Su|`SJWkm57soDT5?wj^xYf4wL(W9N5 zGa@xP9pKdhrR?0V$`OMI3OuOKL*XNn!p!p8%$;a7z(4xVOMoZYOCHFmDQ*g%&QR=F z7~iR+e>C#i$ukvS!dIOOva&8y5H42{8vdnu^ZS(CQ)fS&gpZSf0UVkE5L0PwF~0oZ z!0lj$km2@YujiyOm5TN3IG_Qph2z9M`T3lOwVj)UWrP$rD)p=SAe>k)nnl5R5o0)* z$f2GqmXqqz&4|VygV!Iq|LQwSXLE%Mo0VA0adUYYn5khRq&vg_Ix9`59{53 z_12Cchba8iMR88CctjFlvlIu$UJFgFdcQ<((mP*5hMw_?k}$c9bBHKmUg!qs6jhBx z%-7JDy}g!@sMNGmU?x8E8aI3D;Xq0bjnJF1^F!9Rf%}*6q%F^|4@waJ&WoZ#e@Whq zI#))Y&@;gTxNP{1DBJ15FzfJ#XTfi5I!-5n z_I67jhgQ)awITeXqH88l*jr>g;jNfx*Rr%z+C5n8Y&jNVhNx9e>XQh+Ibj{tb zkWAKY>6>GM#-&aTGjCdz3^UiqcRGG4YDb>VL4>=PR)MQRYE#3rtX3v=Y_BP#`KGYKf!*xbsJV!l=)h*$A3*!Fd;9DxFp|JtQB47MV~89H5!#={&1YxIodj|P)f6iK{e%D4 z`k|Bkm%@h~!am40Xlew~C!d--P{ptaZvA7emi@FpQq1tqwce#xx5V^|-8%^iN-Dn9 zrAC!H!YyVU>%WWmmI|*lQ>gfLiY|RP z?u{^Eu#45Mh#aXokT4!pa5@Z-=vDi%_)CZGEOWX9LwcQ;+f65dFD}-gMY2r(1_3bm zH0rs=uYk*b1%UsME2mZ(9Ykxd%jaG)gu|M7HA|eLN!%`auoq}1(A`HkC8K%nlEo12@sm=18&eBgg&t|M78m{0aknl6K{LyP9l{zi(TlqjVn9SABSHlXK21L{2VirONTvLV)S 
zKPKLyIbJQXs;|eW^!kWyt==BO%9K>e+mUh{5N{DNaGkSA0o9Q&h<1lzt>1rql^sQe ze6b@2yjo@Q#C8i5Vs{u#qI!CI!rZP73owU1z5&FCG({ebbiYdUhsIdxkW8Gxvcg1! zyJSLofDRH1&4cQwAngzc;dp;OCWsQm9opHrcokr4hlEo6^@>1x>B*mn2ut|fb7ns+ zUUXU|{wK5Os}%LThte=u$e6<{ok!W#{vmRPhi{BB^;oW(p{L4qwO-}6scLU^M*$P8WZCzjvHW`poTcO$>*@E z4+|hT%xO3hVEEK9Sb2yVg=Bg<5~DwGIl(cm3ZZN%A;&*+V1qua@-J(=96s-5jFl&T z*2r8eAE@OV0_P|zt+lG#W%6sQ2uJ3O{Zxkk%`3Yizi6mp07LJusp74Y&eLcZ3GxhI z5b@fpSkj`VMC=mFai_-0&had(>CP$p7+Drx8Wv2!a;y3fBIVB43)x3{@PWW*>N)S4 zM4A9yZ;568=i-VVt>rJ=UboES1g{BI^G?q3tM#^btu*LSO1L{4yuzTTl#HUc5Rp$u zv}h|3`crcKB51t?fof>v*4_W{Ef5Ec)P>OkS#vP`7?sB3>&g-3VdM)j^&o?kC_4C( zaS*IM%mmIXT$WE?@=tTP&~?QDj*;_laCH94O};B;Xn?G?AsHE}Wu%!WrIHOp!;;U^ z_sJfdG&)M|97(x^DFFQ>I)h}$PJg(sR?=aeFcHhUOHt70*!k+IJ7J z77Fg_a!Z7r0rE8ey0+wR<5X>pTIidOrbY9W`Rfx&S&0kM*)^`%g-_!MSG60azUl@K z;xE#Dj(?7x1G5epi!*H+Po?=P8zdO$z={2nY+kI_PW+aa8cYvbkV{4uRNnA1M0)>s5C9)jJtB#1tUbAoz6hL zw!?gl;qw7>A7N`{2$GUD!KF}JL{{d7RG%Gn(m${DAhTm^dv?IWHiV?}WB!caT!hiC z`yPmzGe_YNc=tF$1PX{6q>SW>UCHouKav`Qx~$!s$70fZ`h~P{G91G`wvxtEys^d ziy!ppVYYyUgGeG|2)MuoPBe(CN{nOBf=rGMV)i_bSiKkp%#8lBv9I9Yx!$xtfOL+@ zb7)*>aBPds0kna047+-+pOz*q@%`~e?0j~du!(HTW4Ol)7L4TY3R`#5zF<{`8spT` zmtcZ$07thVSz1jj2NHYttG0HrExdu2*Ajd2pV{K4OiKrI7SgUN_u2fbuQ&FJAGi6m z|6qz@^`y~}0QoM2zMH*}ut_zR2rs5Ue{mMJH=B+ctpM%1U61|c!V3!j)OE6ljs1yIbTNI4ghJ2d^Ku`(e}fc5=sB_UR80LT=&v@K?Y2>##&^s*E8uc%($$ z^xcAk^-vt2W3P74^@pm&}&*ZJW zS-9(O(nFB-*@fh<_4ye#_B}EGP9e*80NPUQ`bqrXzxZpM|L^Y){yqnzn9^=2_M!v? 
z1*1Ve)nKO9d)FTH?Yt~K3QL$ShH}l_012b9r$D2uzKU}NF95oRt}a?oL--^1ZWt?u z#{P-QjwuPI5U_h%TgxN^B~HCPqh7>5C$jvjFA77`5uc!j(k{7VXJ@B7Kj_B&bOa<# z6>5D#c8%rpub*Mzd|9Pwo$?BpJ(QF-s4$do>yJ@j;QBqCI;5WU&;+CTU#*MDOQXnvUt>Uc&NjZ8tS3UlRaj7dKT9eScRMJ();#S zSQlh13I{wmcBv|;p>=8kQZfu%!ra{GG&_zz%4uzC+scMnk`f#{JW{JZSSP5WAL0(U zk<9YM3#CWfc-{@|nu+BkF)fk?auP6|@5xmSmPh$elWo1PocNsxt#?7Na%dzepiz5f zDX`mp=Q4ldk=Lhcf9pyhLc+lz^)`usLn2a4@8Yqn%{A#dkH4YODfOL6S6W!fbf?!P z(`x`QTUV_w(`GW%NZQlJJ^mI~01HNebW_{US^HSpFeu~YK1oQaH8PhLHQ%K$9(?yK zd-rX7R+FC2u$~Y{Z=;a&zgCehRyVXkDR$|2Bp}E^LSFIk`&iy-d;#}Ppy?0eedEsR zeU@#(#xht7Gg!#4Jgm!3lV@K98Dz19Z(Xpv3Zs?m?d`J!!@#0`K>tMC0|Ic%?uR(2 ze{25vZVb0`CCfV;<3>I1EV_cjiCJ4)=iW$&i(@XdQc=;*)zO=1PADAKV)`sbgnoCA za@O{RH!XirnVXGW<|Ez)s}J8uHHqa0Wx zQ-lfOdyuxW2yWF>fNp2t0Pj5osp(Fytt{=_cp$@$#KV?N<2y^h@K=vaU{f}#FWu{} z*$mf847n?@^SuB7*a(J?n*EmW9?Wp0DO{_^LSSbw2+dMMK(n2TvwJN$E#X=du}ypN zzlacSYq+z_PNV=la6DW~kw465PYYWi6wkqJ+V6GoL;|XUaf`k1-(2X%oYB6f9s4aZ zeI}5w{=cteM<4&vCjRd$*_j4E{NGvf--YYnH=6&>lK+c)3D1M{Y?Ce=CjYTh&vERY z4fW4Y?Ig*nPpv_xm;%t&ARltl#H7L~x96$sv|wpgkw{qH^hJjSkIc`>7e&*yz)Y}> zs<^oL9HyGWanBYJtfG^52>t538(Q#?6qtZbcCvztJw03@+#A^vooZQqrIL`XLZhhvWFu zbPObMG#WW70|(tCa^N_2WbwzN_@N@xe!-~HQbM@OKyC#%(?%yHWwAtd6YUNu{`{ol zGToI|Rp}j)slzgz;YWFR_@f*>6Lxm<%5thzXbZ)Ss74R0qO6lZvpH)`jY2&+3eNno zG7*%J?m&ND-4R>=3N(4%e}d35y09=VTQ}hnrut^greKd#&QNmdiBr>0(*4S@em2;8 zKnQ1=?aFT<562VuslakFD>5E(8R{uK01mIlF6bnrrSaR-aj;_-cAN)(wdN7MOK)#) zxzS@<5_>jF%G^t=2hj$+@@q+t*Cvo#J0iCZr$8s@5&Jc&#R*{~`P;e*g}YV_>dqtu zynVCl2n=DCDiNP?`)d<@V0lsO-(aI~#R>@}Zr)u94^*PpA1$OoVXrSZ2FT|(_w`X_ zJ?!`*_;GJH1YbX^ozmRf`^HUjysf{{=<)bFWz_J1+^}^<$&dbU87*xA1`dp*ccVv) zVc&}4gEDz~4y+E#@_RvR)A88M-#2%i7+@r&cO8(wo8{zaZia=I@If9jt9P%#+3P=hm304N$^{EJ=2o5()>O?bxmnSjF{yYiy5MlI}pG_@_(@M+@6|j=xTH z9Nj;%j9t`(6zW-n7I|X-MrTJygB*EhN-pdL<#F*8jp~HGV%@lO}2I&;2!N^4bi0Z_`P1kaB4WIp`7J zYs@tciPC-P=YFSxLNWoRo#H26zdx#h2yGj&P}nuB!$KNRjukSNye>b066Bous3>%I z8IP}coN!u%)Nj;radv?g<)f{^qNF+#x~F?o54<3L(wH?eJYKk2svGI|ET(LDEfIU8 
z-gsDEM4Z@vVdz6iO%1DWlkK_}^pm)4zXDz`hcy>%;xX;fx8{M>wat*`cA#<4ICHOG zZSAAk-nK+tqh}qaukgQJ@%*A_oyxi4>k1k5{pl>r3@n($BIRLQKJjyN9R^orAIPoQ zI%#Z$`O0c3zkHebCyRC%G}@r0vENF}qbS)%xj4C~mwWdrqmxN;lzQxEg6zP+;`&mU zG8*FZMw8U4)9$s0k#7i%^bn{^;>{hi)f0&zB~zh7Y+!CSU|) zRh(vmcE67whWq?~m)Y7(5K602VHh6W@6y!&>0(-aSD>%I&!GuVJnQ7*;--CbnfwHX znu9cy%AM{?{r>1dYprm1sfr8_#|6!**!)SqRvm2-?tW*#Ng`Bk9D7q23X3@C z;$(VbZTRN&Z$88FXwV<_Pt&NbSx`c|b`5_}n18t7RFPF={5WJmplZ*QS3Yr?wVCC( z-`nfGOau-;zen<_THz}-_3kr*Tv{TxZ8wTglj?_^6Jz=Pm4-*x=Ii<@2H0w5S!zob z3M}NEG>qR>FEIA)zU=S&?wmdDR?SD^u?QBFc? zfi4Sg;!($H^Y_qUv zokVSY%_MP3qrtdBZ>%EbO1!dGZ{^}ZAD!L2h^74nA4)H8k&z80bG=;0y1m4u@~3tcqbOq|O*;l0SP({!o+p?^&`{%k@~ za(iZxGkaBnify6GBI$=(D4ic7IwL6xslmc@2PsPfuxyrI@TW%4xHmxx$JIYm>A)wk?4oSynmFFyGX zgT(a!t81j9I=d`uD=Cqfzav{cTUXqoVMMSimgke~fXsuAvHGMQwTz-CMFZ+dd-Rm0 z=v_YCh**eYJN{1I_Q6I&_;FtGwPjXc2?`Xp?&bku{|Ag=Dzwa{A3rGb{KtpCC`*0b zpH}hU?S#}!wemL@k4Tl&<3xo`{P?PKddWFhEzN53DbzIDC3X5s#aHQRSJ*G z%?a@L6>K)wgl0eDIoBX-;?7DtanQ(wUs3zP?up^@3OejJp611)Evc=UJiYM81$Q5) zB3%}*Hg>slVW2Xx=-%j_pD9zF<~W?F%-^}7=4B1V4yt&{^V5==IkXHjYAx#*ca^+| z4om&vV)*-y$Mswq5q6U=3bnNIYLLf^`J^ASu2%WgtbNa9iflRXg2eMl$eT_t#R%Wa z-PW*{Z0;*$yp}jjvxZ;YC3pMl4w|I)hU41k5Vcww8q_dV3h!n@j;2WJf7n3E_T?ND z%gLn`TA$O`JB1n!?Dp?}q_RHJwz6lk1RdR1c#3#hvhU4QB@d>WljD!-3%iQ7uzy(j ze!?7-TqBzb&|xXXtW#d{H@dRt5qa+FSUfK@{_x_%s)R}1jI!2r$)cs`ws{a zTubNC8F;z(3v$S7$-#kOS4!f`JA4#G&JUu_>_BJzdPpyDx#uB9N$*)*h!DB<{ggg?C!jb~t!NGe z#P02BMCJT<5{bQEM8gw%??Wr>4R3yjM*iu>xc3V=cw%uEEX&^B|L<%0KlfS+(UJOH zxUrdD%Hm>tLth_*pw+E`(sBk7qF}|y6!xf;ISEMPTUg~*ffvq zKo6DAL~V~2E6Uqt4VBV8Zr2i+N#0tSet7=r3t14ip5ga!-r{l7BIlaQ_BmIQ=+RDw zTgH8@7AvDK4tuHTRA&dR$1{HkWfm6g)c;Ozxnd^>iE96*ZII}-{ReVQdz26R=LRTW zfEpD$aOlHR*2l)iUM^{?kq+LBR6QWi)!Eh-hz~4pfI9d6a|Q){OV<2uXs}kMUg_#< zC=})+EU9M^{7|jow|Q>5hux(4xtA@+R&i2AboLleU)hUJ_8{*`~5+@J#D5$ zpdv+=VTvDVFDYK_tc4>#AZ={j&L#lI@;Ted(~K_UJixasXwT1>GgKY8jGZ&=?!J1N zB(26<=5|4}Jvtfxy(?;k!I>tSnGfYMa&k;y^&B_BP5)L`HnpCe!ZR%QFz=Or=84P1 zK7-j9UL*bo_7^QFa5b3B`@Uln!KdvT6`fgmVf(yYHlCN(mVdbVeNyf2$$W_`>^w<=iBx@uU% 
z^_s$wY<7)Pp1qGvv+Kk8nN}`fXvmaZx0kMXj@P)Tj~g@68O3>N>7(D5$|bQCIGMyc z?88$>VoEoxdp`=01Qrws=x!CM>TOv&OZ4F|PjQn`v#rij=kNI5(6QJzz0oU38D?db zZOP+Qf1#{#Y~;qj=@As7(ruqw8?$Z#h6u2CH#R=QCfFrM5U{-=r)vJ)uT+snQ2fZ^(}9{G!cGB)~ImuwD%`J zgN(87oMKg>YtiGpy6R<(FK^Lo?{{#9df~0EJK1W&tzS0(#4m$RTLNzgH{VaVB@&@@axnzDpjQ~J(iJ*;KjBhV+b+TnRK21sVZ;(2C5J_Q~5ZaYuSjlV9zV+{VTpD&VbZ;v`Q zE}OjhVxE+gTKM<84thC6YS(mzD!t923rI?Ru3Q-T9^UYS84_0H`cHHFl1NGq20Br2Os7G9>gwOm zwt?%-$KwQvH@tK7OOLgEmC$k=`PNWsYQpHwL+Nto+z%16>nNv{Hd-7=V(z)(j7A`D zyEDO&wnT1zPDL3VdG$bJWe)-ez|EdB>F@bkpV;K%JvM3b^L6EUuB$}Ev^JbqH>zI< zdx9Ra-@)w|fve~mJ&Nw}C#TQ+is(o;B9My+m@){Q;!gV@Q#_F)V?1U94SY`&5W1mF zYJX-=ufsk)Ct|3s0M)_Z#hHXE03`C1Y^83SqeOB*MN!jOK>7*%=^qg~zHNRG4#b91 z@^9w?bZq{6ng8Q`;{pg?P!uMk(%!6H1^opEAPcxW}beYlknu4(AqZ{k7!>f zjqky{Pi^ukQ+hHVpuvPsA4#nZer9lT&d$k^mON4>|Mc!;(U2Bp7K6F*_y`|iJTL=? zX1EwOJ5g4oUwrN_YDUhxNdQOHbEx0-xX*Y~Tm=v(^)`W%>`OU?a$JgL@C7A{%kL*AwN`>{T9UNrK?X?hYTuKZl=+1~g8C--%-2tpEQS%h zK*Xm%tTV^ZMaQ7+p;o$LY2VwXdQa+=o~vU$xq}hrRn+wf&i$F;&#;%g%&(B6y!RKN zx3|}JB^Twx0b8q8qE$^1P8#CNzyBw%9M$P>?*ADeF0a3W1>ru}4I(TI6NsU^DDHE{h%fF$|Q6F4GJSy64D zUDA#ArJO(&&wCTz6c1XBeQ>XAD|H%p&F0Takyf%EZ1W9$x7GvDibi^6&kp!Y1Gjn^ zFwxqS@Lzp{pdC=B6#=%ejzcUmSDC;sq)aeJ=74&hskg7=RH(686lhm8WpO(#hD;6u zB~*G7#BF>ayvm!i>vbFgMUaOB6vdgv_g|c0Cr+EgU*IU+ECdaY&8#`%z7YT#9(#53 z*hl9xPOFT1Gu?k~&iZ!e{DBPsKr}?Uz6|;AxZ}zT;q(3H9Rf5Pt-?b?$;emP<#tM;m0k>pps( z?-bPSq9eQ{6)on;-JD>SGfMZv$*DaaoYbw>IwW58y`v$|_NH<1e4hDA#ptb#DO((d z#&q9{1TqwMn8DriQ6-^*(}@H4_H)6p=S`LzzjMpfYrV1u`x81q zf^SATQE9EVtd2?4*WvVN6wT|u=`q+VIxM^!y``cuANXN`Z@BC`P*~rAYq3wglRrmV zeQ6WDEZ7y-rKb&mmP@J1lgN^K3G-E= zf^|ZRDS~e5!z*TsGa6Yq(14g$9%c_LUMvqPs3+8TSS>AA*2akl;5NSaMmw%2CnvAW zw3v5|%dpR8HknsNUC3Aw-$KPwCr@RtDSo5~&-_P)xZqylw5V3QH{aFa5;Z5rNQk-Z``kl4UU;sif z4?F`Q^&bDuSZ>kfgvF?o6!uw~;T28{YeusJpnTpZHm93RWVaLEsfZ15>MG}A(=R=0 zao=L6ELrsmdb+A0Ic4n}7cr9D5y6j# zIm;PlU(N!QU%Amk-*3w6o0Fv?OpQTdVXiBVAHn))=mDp_7~fLF)>5hKvkwb8Om3Qi z+FL2@W~KOpJ(WN=U?5?8A0Fl(X4z^#_=U`~$~GDlX(B2U;z}+F;y)d#V@(!foni2A 
zBG&qNK#bg^xbY@--ya9Y#l*xEJ4Z(ZKsN|+=K)@-(;X!5+tz?4N>M)Maw5`sZ@q2d zx`4*8frtMd@=om{W*<3qlXIu*>zW_aIi0<^zOm?v?)_{Y3yhK>?qwKn<)T&mtX~Us z*y3&?VL4$CfVXbsG#aQ@z3a+<;F<-jz;-N=Ugh@6+|j$&;ezSef4UHZiWk+|b-6!D z^vrYJ)94ri95pnIWK?IuA3RgAI^j4n6xFMJW3bwxl?K;14O|(?69tRH>t*xmBWtro z9m5OX%pfVr@`k${5RI|zR&_#Yc)aI0^wf5g_l}p3X!%}Fqv~HV(eX_NS|7j6U0+ad zp87svTdJz9of6@}CmU#CuSM`4dWOnr!oCW;Q>Ux60zQOz z^Aq?E!W&lx3wk`fn&2Pxl!Ru!TrT!Ea~WG^i01flE=j?amM6r6!vm&)Ov2#5S$=|4V zcu25BR=}~~#0S=%$bf!(@v9SF`=qXP*bb&S5lP6$7RHrCeyGMdEqvG)5B#UC5-!SX zB|u}=3>>Hl8>`(nYZ8E(RLXg|Dt752`^Xv)jmD0SghaagQpe@wT<>;KO9B%~u5uAS zxe<{QW9~e9d_}2#68A2U2#Fz4a?B5XWw`Hb$5}nMl9%X|6AmG6I0yf>l(vnO*Phi%~I)5?E-XlKu{T!u*Tfm^PII@CRoP zvQ~_nKBcwAr~%MapzqbgX6Ql}(s1>&`WX_X6r4fL+?^2^$pUc)wN&V(M`O(+U0yk-OL#cxhCh4}8kJvb9MYwl&l z{-g(4g;s`oN9J2MWB0gSv+;U?m+t0*J~{6m%+_RK=3;qm$5b+)?O@P>f=1_xx@dAH zhjxGK0~=kAlcQLj_~DyFjS*c+z@2JwbY3<6!Td3xaTSWbTepD%WS4RUr@~A+$FQDL z7Tz|a`IT+H{WRr#@t#eE4|fYQwUZM)&kx&T@~;3M)<%dx~g7>Q>apn+^)hfJXP+ixhXJ+Wa6IPaH&LAjHK zu5prFIZc@P3KlwfFy_Yf$Z^`niA`FLWrC~){Q)6OSN73TWc%cMN1yC=b+!Fr!$=!0 zNq3#$#$V)}H??>dyEn-*=3CSgfvQw|adAF5_=0J$i*E1v42wHfKQc4n6kUZjcB3QX zSq2Hp+Rn|GO)~9EY!=nfWelyTq!jFs<3G*qnuE``En3KEtl=?CoeSw+Ymw@<>t2uP zj&oiNi|(`Gde}L!^`x>W=sM6=ACu;!71pf z($O7clH47Bt$dnC_?@=7Iir?29GI8GCeEK8*>~%8jpsQAqvG?7-DVjmwm|{gxQy|p zcz}vC%XC%+@!W!Z|1)p5DtF)U)oAvNQ$9oy=X$TtQfDTQb$=6nOpI{>brTYB3b9;3;Q;kJW#~OZ!Dur#Q!) 
zlvtI2_r^kSI;~(8r=sgpiH#vX!u|)_{J430Qr_fAa#_paYiwfy z7ahw#)NN!wSQ$33?y-EGcIA;KOD|k=2A&%M`BnOASJR<0XyYTD4I5jn6=Q+vQtp@x zP(i)c-NGWWIntv5aK7;UiIBJ5Ws4u8(DX9P;qYS_Xj&dLQg%32A5W6+%z4szZm@~3 zb&a|IL|B10SJB$%0bBk}&U=|HUWV6RUtXSjtK; ztjLv_-$2>LAT7tmQ8UbcI@(W0AyCuS6N&KQaUDR?f!89U-sLVv)|B$@VylSLqdfAV zp<2?@=ntZ|2CMpjm0pmunqxoYlLLh708+AE)?U3JLGFj~&@ zeE2hrU1zR&M99kueM=vC6~K%@dviF&xPJ{ zqmAD(QD6MZYX!OaFJW5H4X4L}VCt67HbjIEF^;q@#(oGeA z@#4EOuRf9+n$ADwE>#y7FXnTYImN8vI2fiXp~V0VZ!g{?AssQnGP;L$db2#~UK{vU z9;2LctdU37Rx8saC-|ayxEXFv#Ad#^i1&%I*0 zS_W$T6%L3!s1&4rBCFdaKPZ4s$KAK7Y*572BgYgCN^E5)s@g&~RYgwoq-~oXRSffi z1eV+tLBE>$s^#eG9p^rW-mA<8*63g*T_~Ok9DW9*rrPx>jjkcO;;$Azi)cl>=OxRV z22zTPKdg)hDa44y=$!tF2S*{ES%&Kr+A>Xzm73u7!TbDZ(u7B_fp|jp4I8^|=cnzC zlS1oWWEZr*pekrqBA;%=uVux53GD0j+4T4(8m?!Hw41J}xul6@)P{D(%e^&$OTa#? zy6D$9-QRf<75<3n%5$f0u08HWA>7NhcwlO?u6ntrdIK7oyFpX#<8muMQgz(Nc#T^^ z#A#2YsD3D)Q%%49kwszwXs|_MoZ{z&H#EI(eL)#cbUFx72x`bgm82Ij;S&b;?@lgQ z$QoEU|Ka-pLcb?~=5J2F_qyZj#>Qe^O_GW2aYI_Gc0+B%?tbFZ&}qA}@X1j={4#T7 z!^Ogbu9iqkN}TDBDs{*~>Z{lci#D8^Vh@cdAEG9+|+X z`!-q=M;-$=fK+$Of}1KR3m-=O)dA<1VqR}M%vR;^4H;)GX0gtMpV!3dWu-c^t`A&P z9`0dnR?U<=%qmXLWV5_7n!-+E#Q4UqgQlS5A^C>7=KYW4HE)5PnswUxqlT+NpIeYd zQPzuwinZ~qO@7=V->etPn)75fpGZDCa7T8;0B6a|a4H5jH*kb19)1sEM9^e8XJ1GH*>lB z$zoa0U%WUPa5i?x#q=(l;YWnA`OPDSB&$BMiNi(qa+QHbdEenyGg?`neyY<|=oJ27 z#DdRyh$2r?mxI#?s;OpU{2z00C}0_#37uy{y2T$6LN%M%TalB)S;i603l}*b$y}Z$ zoCo?(j$6W$kLI3QgDn|+yG&cTfv(QSW$w<0JIp-w#o)3Lo7)a$weE%k3tshDYKpD6AglT7J=rsAuGdK zB(;4nV_Hvq?8(McHQA-PSdu(vJ0gjO?#8mipI5QIt=4DvF==1v4dwbU2(Y&BWHLdnG8(u1&h85W1)aHe_aI zj&y|Eo+ol$_!iqV^fij|@Ih);hgH9v@l27#++1g>j#U<|M%q)Z(_XQ`P)Bz`bAFO; zt-q-#B1~ktud({@X!qvEF=t2he4rcsY?%ueE}^2g>8m$(=GCl z*PQtRoNwJ+7HgTAwi(vLa*a6)rdjLFgjdoUx`)#jGmC4(H|{}!@xcK5ZOahb^JZcIwCZA^MUky$o6)27~4v_39_w^%%B z=%c?!H0S!*C`xrDHSw?A9!8vo@oJ z!biJ(@7c*L3NnoH=D4Vr11(}*r<$S9D4k?B=-JnIp~I8xEry%kbLMh$z!vq^&*~~6 z#T4-uIxW4p#E?GK%4kTxrcrwPI8=sgPdPpv;6L@Vsek0=XcFj&?yPLpH=`*R2zcE&?Dy!x~ zM_g?(({QQb-Tag&)el_~hPR+hE-$IId@o}|Q5~>6PT-mDx0`iqy89+o9XHFCsgNh0 
zJ*T%K$S_#hx6;3;=wiM(?Nb!OLJ`9rHCK{3n(P>C%Dar0u?uzLVnJ8NGJn3h%iRRY z!DS!$Gg8P1fsI_H@yCB*pn5}r%Jz}}*i4nHkwDr;*J5E};cS>W(}n${7?bz(wDeVe zlLE)bOpUL&KXW?j()apv6Zq39fxkN{i8cFkB`c`-Kk;NDoas|Lk;(?7NHIPMpJSnn4cJWr0n@v96q>n*Dq%DMCk0 zP^ZHj3}(^=@|*#tZ|$roo@3H8JpQUnJrKecG377GiiBjnsm@#X+m)Y;{V=+iDV)Bl z#}nY4LoPJ;O6mgV&;=+L>F@7>$fqYn!7fq!$HnS`HVp@SxO0c(@ZaY}2kWi?uRPUQ3=WX*LWv9XbvZA3-VLlZi}G^`wQbWe_+SbEn0on|zF|Ye z_v6pJ{CGlATi~144P6tuR+oVwgP}qzE-4Q3;8)n&pB`yepE-`Hp!&Gb&h8?qW6*j= zP|FU#KbQNh$WURTj6%^`zrT2F1s{55uNHUy)VpKnbnP3aKZK>GFnp685o)}mWwp>E ze*6{YDz-1F>L_o_FxupHOkikRa$*th!mbu}P3!82zLpCxfQY5$NV6Cg$fkjoUzFA!Caunu~O zCD~0S2v(#Nma(p9R9>m$AG|!j)GJH4_eIWL3Cp!>2l%hngb6Blm)ivi0P(Bdts4)W zzPLb$qnc9zf+UI`>Wo8HTYb+~ba4Bs27M?0wY-iKIr8H<1}nl*9$X@=-ADOj<|PiZ zI#jXJrbt%h%N--eNW^EdvJ>>PAo;)8ov~fk4Ak&I$fim7edcxdHXSd{Of*DnM4F4; z_l&*u@F}3B-W)R!xy2H(_E@Ga$Fg4{W3g*BXnf7xizD6L*NJUxEM8-E-0qdbvEZU^ z45-PGrQ$ukSy|RJE}Rcjg6PF0`E#CZ% zp^B+=sn)KR_bI0+w$C)fs>@+;L?*E)%$j6jdZgjp1A{D2At=JnjT#`6H)H#-Hz=QL zEEDktUF6yh`&Ih-poX6u--s(I=niQyBp0?XdS2!m!5C=$sfO3m>&KOS(ic)vs<<~( z1;*34gZLVF#_89oMUD!LzV9@lo+{bP2(cjXY14IkS^_Ti`?r#dcrDSR{#Hm3Aw%cL8uwx&y0JDG zq5u(>A)PV56uqdy@Q}BwOX4n-zWXtH&TYK|57o-Q2=fpUNu+gVDv*%g(kq}fE0|AN zX-Q11=9H!!QczHMqX->A3UYxK+a~)}p({&#UT$ukS=UBZF2mFk6;AIX-Nt>t+=1Xx zYyJZ*StIz{nItQxQrulPX0`7so+4o4e?QJ59;59v&ClnwbT;UGNt%9@O;w_O?00Bm zktea(#le|VIQ`P93CdZcewk&}Cr=;zOX8m8XWFb7XSHs1^MWLA5#f`f!s~NXMq_Q~ zJnwvYv>yZUqZ2k=4j)rSqiG2czJnC?2HLwV8us6bM#ergis;l$m_6hPa$TPfR4j5? 
zA4@15jr-tsoj}=P9QZ+aQ&Xhc+!#AhZ118Tblhy?${TyDUX1s%77hXm?b&94$Hl0J zYvR0x7G~K-^{=4mV3jsxY?T7xU+tJ&=`k#<;Z{I2s!ZG0zaYr)`Ms7-t9b<0zD>t( ze)5}5ntBiYDW^Mk?zEr1bU&7Wn-P8H?AfOfZ$rDU_|M;6pE^hzvFEDYvo?U?QpQgO z1hi1Hv6VqS(~|l=6Ix((%shm9P^a9Iz3r%h)AjMx&t~G<4a)CSBEyj|1H@Qlpqb7i z+N;nILu4+h-HsT~+~_|Om^A6K==5P32$^GDroAF!3c{*8Hl=da+s6Wx`FkFb2*#~W z7O~)Dsh8g(iXf2-D|eqf9d3dwe?B6QQ?=ik~!6OT|qb>XAf1Ek3^fX z=83BhbVK0EPU*G1An+ydW?VFkwWwJG9 zl-3ieH}e_HRHteMc{A>;T`09a<()5sIC9di3ab->;&_+Uq^{F%hDTG1ZtcUi8YlKz zXU} zxo+;@A#NV~ql>3<&L(7abcCa6ep2}h7=%|xEKMLdtNZvS4LDYSUtT|V zkX3%SG64?!SWOW&;~O9SCks~(ICp#tcM$YhZ{XgCp+RdyBbO#`L7B6%6rj}P8xGD{ z)k!yJJy* zJYEXzUs594ZG(aic|~~(oc`J_Y37{2^n)&Bm!jDzOb5-leErx4Po|ECRJX-v?YU9g zlxTt1{Xu_GPKDaET(mKMXYVxxUzDqhh#YnGVDr1oCM6K$y7c{K6WGnB2iRJnmc5m6 zq%HiWM+x0p&yUhkF||_rRT^KKTMfr*GI{dmTSSH_cs6oh-_bkH>JX96999Ru4NJUM z!Gmu<-dLR4!^Hm)CK)@*b5cO!He*t#iLvN%L3WP^9kWUQ1@UD(<`i8KWJQWXtAJy) zgQb7-Ku0b*Jah?Kw~wBk4or*R5E4-jyR6BLvzhsl}-XCB#om z)KakKs9(hV1zBETao4H>gJnF|Ms9{-AgjYn5W=}+QfKw*=#zN*Y*PS0&~{z?&T&?8 zN#bSSHK42y=8lD+N|rD8OiKQY#1H#nwbRjLm_E@Ng|tSQ)nEtGkm||oUTRQeVk52Xd%V+8^&)TPAA)T9S~dfZS1_ zY=x+hk90lb;S)`{hP?hq9SRsPwF8h-nzrrsO^>H=D{Mrct;#FHOiz`F1llKrn{c~# zq#M@ZOi2du-GcbePTi{qkI%K)$Z<`|uj=JIx}dBv-J6~jD3MdRknw?P_j~IGu<-7I z@8}zShX}6~WQt|%pYGbrHcMG3&YnYSxAvksxZ59CdL-=@!Z+2ss!8U^SLZ~60!RJT z?=$txx8U+^S!6mpCUncYTHQFlEZE&x7#>^EKYnz~k4|4ri~UEct?9KNi}C?<_C33q zS?8WwrX>sRCBRLf2SbVJdmz<1<5fDijVsEvuHcc6x$Wx$L`%cTnL6PnNV&nYJ{@lf};SZiqSPgP0LVdQT|9R6rOgYjc zbB#qNg{2$g=8MdxA0Tp;08MIEa}RwzC0;dN?a30Z`zg{|761xQBMv?7rd-6vx4a65RITRiw8}fhMMTw(&xaTjvs~Q;WM_qFIy8U{N$^$A&MrLK=D9cNZR_K2zkPEZ`N#zOmH9# zKQ!iYSEWfWNN@KIP@ZWLn55TkDT4k?aS#eNj{NAIj?Np;6l{vvm>U#LWOoeRbD&K- zVl_WnN!K>aj$?lQA)Q7vw3W#z{eewmRDvS0d+Dt-qX_-bl|MHNDwPS&z4AHSJO~jAeR;X?=0AI{(M>Dr>LICHYYv z(@1N)O%X3=nTHG}nVcyv33Fvcu99AseeQrwE_p^3caef=PXDFJAEnk{iG^tv3B7() zYsnsy-^Iu}e_+P7KC5Vb|Li83jzzNH4s~JpqK&0#vU8ig}uvrAJH}#gbXj zXI>i(vYBsHT)FdrvtMam#-*OwY0Xinb1h$9cX-NSZs=Cz$A_Hm7tv{9ELDLO{8qvW 
z0N#;$yAu>LWB9D%fjT87rAFYE(mW;~f`!uZbtpuqgu)x%%)hRz366 z0p|51;_URpR1$^H_RW`3WxAeg6?da=W%qHXyKMhH{^3cX2YMQWhGk5vRY_*e&F4&o z&Ww)w2WVFXa5iSCDTd4%IL(|tF5!hM%cYu!iVK^dgr@g8CAo7L(Rh(%k?2UBF#g6b zuhoa{?3eB|^BHYeLo_gX&DaOqNp8mTbM9>5pSAVmTvpxov+U=rj=lL;k) ztSiHONGlCuJC|8~7LS0su@h=Ua47r$vGA8Swd5qmAmsh_VSg6Oh{_fFqlR&TF(HLl zqnkxfJprbyM#BZ0*7Zz^r*&25NH8;>zCfW6K%T)tiGItyou}3UJkFnJ6|mJ~0r&P3PyQH`z?uAW1^_sjgNWL& zsowr=r#x0B>~1BG#Sg7oj3-o+p{!vdo$;glPAD7l@g@B$i6VVzi8SXO@|lGr1x1VKe`PiE^^DC ztcLRO{7L9>*-#YhfS^$B!8?3x`V)Qnno=cAFW$)1R1vcDa?Qi{MJr@I9mUI0Sx$V88%h);``JxeL%tLR)AiuVg?o6?oP4JSV~M zpe%K$!e<7qa-#PVzGZ)J)NIrY6-IkU(RtcM?L$}Z127Bbcb!V*!`-BW6m8tf!g$o) zzmA~OXDv^|V8u}Xc#-|!Wx!DX2E~1bDSonF8j2tN0aJLxG?gfeRy1KIM+I4#5JDPG zwYL|{I^)1@H0g59jXx4fvzzcV2O=cPJB8$x_buEVv!geBPR36%_*`#r_u4A`V)aG= zt>j7{)oLMc!X=h|q>YOk^zx|K_alS}J>#A&09kjV8Z;N-TL!dtky?^=cihU{u(USK z*Ld4xYS_3T8i2_KjxL7IuL#BZ9J}-(Ggz}xR#skyhtzM~iZuUlG7>5)$XsM(V7-V5k)p+TYYqnV$ou;bj1YX2 z6M}ED=4XSZ6PT=GC|gpvRw6K4O6%|=#Hq~yMb5HF@QVuo0Ro}`ZaA&}?l5~!e^O>< z$_R9PEId$Sf$Z-)A_U3j{KV%-zr|- z23OUs@4*9kcP~ek0;o>9+bPWyP6rYRHVkSydSVn-=-w6tc`zX{L?PWOpurPSZJ7`? 
z^;DoP6Q%bc7;WK805D{*dQaaB^wh0Ry3fZaRHGf7n3ywo*@K&m3px5?l&{p=8BxBj z($dFkl1zcB@a}Pk=ONaG_*mJ=Xy-SGI?7c?P~)wjcz=_oT|nmEpk`PToUuao=>e1W zu_Ig9Gm0T8R5*2etSlWZ^L*6ocax>RTi# zSuFaciR4%!g4W|X{Ax;UL%dt8!BWwK(XgTtk;d$;!zK9V;o3Ubzka|r16t+(yii~# zVh>Rgzn%p)+nFsKbUWanE9WV#a=8d_p-a!RtN;f+EmIz}{knhGF@P2!F4eu9acKw# z?;8E1hX*OAe|&le0v`kY-Q?~c`tOQWwhBj*p>PC2O7Fnc{XRbsUb8I`2vh(RdM6hr zcPkX89WMVw_b4|1P}iGZ_2GYi=QdKR=1+X`zZ+bCYmp%#^ZPaT&zit*|4$eB58j8r zSNMsb#L~m>bD)+p63z3 zqaX9!1tHyC)Q1lrWX(}w$B^uJW+!A4JdB|k-G5od@<&w>I2HOaQV;i%TPB)L)}6C78}xt#oGK6fRebsPJF!E-%RAAj|88*BJ23mH%KuP_ z`}e|Zm4^J!D=ZLe>Sr0#|NYa@EVd0}&dz>@swh*7l=?%E;Dm9(QPC**Q^o%AnJr=S z_*HI%WG(fNLDterKWdxR;+RT$G310S7qW=O?eA zua6U08DgmFPn&r_3rs)#9GxG-?RB5Gzt?#vFofNskfK#UYIoXuN5zjDl$Nz5smF!` z#pmq0<4oT}hU9}zU@jn2@IO2Qn!Y(&oT?dc;Gyhva6RmhS`ESxFy!YV&)@Iah2Yox ztMvQl1ptp*sha(;V0oYeN}U}>cq4+aP@XNHO=Y3?$4P?6o#uLf|NB*@?hZy5Dpx&Nqy8hZs*H|%RDJHx+MwTTcYgqi@h7LDwUZ4-IvN>huve>)R( zMm}`d>aShbOUk9g#mj3eAoT?Y8E(YkZ9AA2A6gRrdwHi;MmOap12`0+NVk6frG;C~ z&F6cF9mN46K71+H41jn73c)dYm!TPEMirOfSGkI>xo=f=2&WmDSXFeZwrfe}NDE-* zk*$sgr!HIb-ad(&*gh1KHI5jmedW$SE4>)slmLmy*o7`f?up4UQpVN4b?o+2Mb&y- zHyy7*>1ydCF&mrJ1f=SuouSbSa;*xLAIC44nJDqz%{P*`0Pe|wfLA+jEc%{Ix6XBd zyyO|RYT6BaS5{R3QUe+lE;FNuHKkjTbB*0Um^2Da9vi8&V!^1s?Q+z}=z*nVsF(lE zotGpj7kyTG#hzrua7K`lO7B$S0rQwuy4aVHAfc$Lsybzf=^!D-RL0%tuP_g}kdb(l zyC@+bMdh`ne#3J^0496(a~I5|E$d5gv|UcED=la)zOskPD|T3GLODg%?@bof>WEC` z3i*(^K@F$<%(Ls8@4E~A6cEBLuUO$tj|2HFOatSk8x862Gh1pCAn}oK?D%o2S=%3O z>!S*EvQ(u85e_m*t)6MFm!{m-70sPD6KTU;R#ev`#QegfUx+x?yC=jbOY6E+Vq)iA z&)0Z52wHqO6(ODLvrxej8wVO9PvD#|Kwal;Q%lz%jjnGdEd_Hu2Y9SpzpRnc9|&?1 zuxTtX4V|a7!Am|e0qcuJKHn6@d!dW>WkcbJjtbXe;9k~inAVR`6Vbn)#uY(ZdQD^P znvIQ=bhy)fT?;6e0q|!m%=_)lcTWZS>g(E7<+bI^HzEz{j@e9o+{a8)rA;0FHD%9c zePT?Yz|e<%j5JlF;#$fZkx=YCQoKhn(=S%wa*B5BMx=Q}q0#1^1xb#8+G%b3?`5U= zVR1?0i6bKdnSSaD+D;b1nqfy4C%d)B^CpEomlYG05(Bk@!(pxW%uNPaliqu}vZ83T zG8Z^*qRUa#-PQ6O_?w$#A3HIncFFv8^75BXX5+y?C?wHxVCriB%H=l=Tnx>C`3+Y| zH~D5c4`EAWPu}ZXn?G*(*|y+LyC!?7e<05NFTigQ4^oY5#l+ffrygo0p|6l}&xLECpL)dsd= 
z)pcQlb!)gYskdiKfqkL*5eaRFGgM{F13T-=MR|2oJ{dp+EO_?Qxh$nVfEMj zWQ`Ia=5OhC$(Y3YF!_{Zl;nNrlBcT+Gd7^=9nYdmNztz=&0m|BF2)>LIBnhyoxw0$xu_dHQXDS5 zFE2KOO9xZcRmOMs&@c#QIt+P^Xn%I1m=a>H?_EA->Le2bX;zVUlGbZwf$F{H!C;&H$HA^ZH#?b5qjV};%Hsz zxcs4Rbi8GiJa%oeAF0UbjuLd`b{(mRRkV`aJJ~Ngv^dl9S69`%oj%Qhew1*S(H2KEj46u}~pA;%93VJ@gICCv;N(A0M0^KwN?4M?X*#{iPj zjEGp&FoJ-TbSnZQjna)Y458B9APn&~Uhfs}^}WyU!(YD~&di*%_u6Z(wf2hN+FHeo zc*uIM$^**VSLA?hrLP=C4m^w3%?eB#QRoG=k>)PjDPPXW_PkZWUh(+~tliH0kHmWh z&*>WN!)HX0YN=|_f>^Jp@PnZV|2P81)d>R#5(Gu=oT3pCxDTCyKo0_Y3TUM^E*iU^ zE%aZXIR{cmFPbm8T8Teet5q(sIm)a=`yKo#xH0 zo6r`DjK?s1MDoDl zyK%Ti%9Oa^wgW3I*IxCRz&WzSm#a6q#Y`z!QufF*#ao&Jb%jlL=y?zcw6MU%q>AT1hXCA)s5xO*-XJ_Oo zum|N(N=U|uW8Es{pDuI~O5?jE6sRyGJFAe^-^4tx21jzRTzP|^Qtn)7<0^+4?x4Tb z9p|}V%+IY-MttJg<2ebdEky`)j~qGdI?8*$tX7EXyAeQ?Ad9=;1Ac}PB14PmyoHy8 zH0P&dSQ6i59^bgrX!BGb?F}N>+GLv+w?%7yp!|zHAiTl=CbMBjU>SVfSl_@ z)(3RPkzVkk>XxYY;EUa4kr}j7E(yui!r+6~j~rbe%;jJ=|N6gLDcR)d94)>>&H}1H=AdI+j-#}Jo#nD1&FT=l)~gTw zRy*zsvvJn0Y7{*`IPVPY_W!%nBd~v;yaq><@yyqxf1xG)W)eFBXp5%Skn(?_7y!!> zlw5-5ZMjXwcmHjo0hiSOUiQx^@`n-rKQjJ)&iWsN{OfG?KL+^^gQP)H4gpXfELRQX zKKX+H0zn+Mw~iBRJxQ{P8UWrD_!Kl$&xjk;PCj)u(PJq!oV> zniLTGW-R6U*D?0Tp90JvPI)(GkbO!kQdoZQE z(-q;FE|JnJAbW<^-QN9uPT0IQEFR3FIW+(^PbY~gu*wG&mzjlywa(Msd9*p`nkWD9 z{1K2lNZ(x;EKJ3|nVo$#J1x#i!!pp(ARdvAHQTr19_^8kcP-jukx%a)8A;vQOmVWi zZ~XgseoRE4{B2G++qEpkS4=8y;n-o*&wGNg|S2U!Dt%fJMCe3ATHb-Qgm5jn>I#D4t`p)7%-I1#r||mVHh` z8p?Ailvp+F#?x(puB|2kvR*zgt#QdIK;w4JGcNz3Usu5S(8pq(T=K`QmQC!PveMHP z3*c<91SY~z(`NCJvWD#EL@>uWJrTwHoCqfU*@5>m8#7&4eLq2B@qbCcAAhd0(Op(F z8S?-Ykl~GYndDGk$4{&Bf&<02oUH?6>ntC|akn;y+HwLnesZSFrOlBb}9a$<7O>v5?mDAC7{C8@Uqoosg111JPlNC>{?-Te%;*0{Ris|#G3nWG>95ZKjJty4s?N=1F!W`3*YkttFxNlu6 zd-HrFW?bz4ZU$aY4O4H$ae(zEFU3%$j=@)~N?U@V>iPbsqUXKpD_rHx$8r}V2R;w{ z0Q&n~vNps^zy-n^Kkwn>@0t=F6*RP#{Cy6>u(bCwo(=CeE(eJgljAU zVLB!JFm*hkAs2)741so0&yC@>`>^i9Z31u<^=_hCz1OY-^%@_`vycTxN{-r)^P~0q z1=xP~pK!*%i_ZIal;5?8TFvHAZeJk8)67r`_{ORl! 
zprtKEYOs;E$4VTy<9YMqCvCz&)zu#3!7}BvF_85%b!d@*NFar9+DrQ~p~E z0&${G+&oKL=Ci8f(d%`U4Pa^S)UQ}6e&Yb#04yC-cEnX<}}p}r%f9F~KRVIzBG*lmC4fb!#U#JA?}e?c$*{zRQB+D&I| z0z$bFvlaGooCO!Vr#og&z^Gn*P(q$>g-B#%yDimUDkZ@rl{8Z5S^v!mQHy%D)c?vV zWas(m>t*s4`N36k5uRI0aluP3%d$;IotyXSU(iA~EHr^eSUlyz6|*Ri;pPdF)r+`n zP!>^#@JIi88pG9&GsoOHhbfOYIxdxAXj8{0sOw>vp}6YO5stNxTlmm{5AVqvO2zh^ zSFOsi1H6*W^Fn{%LkTqDLn)erd{Csnq9`gOyL@gk)+K?7Xf05D#C@s2S8oa7Pz2v! zSaAHqkB>nbA^XSVdQ(YJ-{yoM3!GTiULtHz9a2fRwg`lSd9@8-|_ zgi`-y$ABxz(FP)QJL^3(XM)tnAEQ`r`gq=xz6AOdc11pQ<8pf z$~A}n;?9L?$Nvs80Zq_JC~n+GUZkSc7ZBT?JLd?NX8QUxD6MC%e@kfg??4uy=xqbK z>rDB4v52k#56{bVyUABK{jijDncQcYQ;AsAr}=BuRg>aLVEjLqYpXa2UfmaIWTBp%RU8 zXorTsdjtHo7|$5t4Rno$l9J$Y6qnC(xbwdHgW6iX3V%V~s5khA5H=D%XeGt`4+{TL zx-}>!^nX=_XO!^5Pq4wYBF-qfNC$cUHig6WOn3$1AduWH8OaAxx`2;|i7)?IW}%De z+8-Rgrnd2$kRE--KVSU@5>d)1{`Av)igZhTO!NhqPT0FY7*an#5G?z|wf-Q!OxXd> z74K!?-*v^0ZSxCo=szDy9KsRngugq)+xl&PfV`|j#D)L8>=#}BN5L5KkTfL{}FcmOub|7i+b0_mfn`%AI z%+$VkRfNK1)@B{A^_?-H6yI$W|Gm?Akp%Z{YJ4uu%bf30(FnSfW$h{~w=rlnYR5{C zRKvV=QaiHKg$S5#fZ%Dee{vAB#H@DpIY`R2j#4)j4J;0(Dkg=CKR{OQ7#+IqCL zm20jSK!D38^yp5H3un&q3G|iL*vxJ9*veg$Na)rO+&rSg>Bu0Id^~eEtZuzIuco9F zGz;?ZttM1KkDKxMg8jP^RT_9Cx3PnRE#f57eR)RqpHx}%%3Pu90HZ?|bJ6#X&2ww7 z&3Nm*vs>vPJ*=c$1mJaek*asEtCf@CP_s@|_cPxJMJ!dPQ31rGfJcPCc%S&3VM4ig zxNdo>YGFZ*eI7Vv|A>g=shNFMX}e6$^45<)@h|AYoeNx`-VRf>vD7C!dZADB>vU@B zM&|w`ZALGd#rf||f+CP%PI9cV8}Bl}27VSjLdXta&m`Ri1&+v|49LOgNUWc%>bN)6 z!PRga!&MSDxT}k*=0yWe)AJWaB($Un(FQtj!E@5&E0A;JaDw7<;Xe%#FA815=4^K3MH_sN+Q27UE~8QK7t}1AMs*aUcXDroRNZHWo_IMFQDv8Ccrx& zhgYr%3I-OYIHc?>d7v(^Wt=KgsYy#^F*@B|e8<{}EcQv>m@xS=8!{nTU7iLb@z7*! 
zxRVoLpuX*7IYO!+!fr!u+2C{XW*UV>X^P2w+^hk6VOO|SzXd{O-3~eusYKOJoGO%) z@_K>w-LlEL26bD!lrd7;MJDaeM4*3`c=5ZiJdLo{!|Rhv8K8u6@DiN#mrg^DU0~th z2xnLjFKo#{U<=OjDU5v(R>miOMVDaCW@b*)9a)(XRMMmOWoVmq*C7R+t@pJpF9AW| zB}JDx+DhR$aJLHwOE48;J$0B;{F9?Pv?Yu-ojyoZc2s!liK<)cKc^tr)k}EuM(Q+G zL#O%Gr%YFCi`mt4SX&}rv+_SzN8|WeR0933L5$C!M79av)j&U}VJCzLU>tW;|ANK- zF=Au{>A7FYgUBz-44?m zOjRZDQl;B16Ql6$dT^&yIl+|eYS57sKQPcyaptM?3Jb-+(+f5C-tpw#CV}8Fzzq!8 zahufS8(VK&VAr~~)G}GwBVH5Pk!NI_CRe37i+7RWIz5VOjF%+%g==EIjRrAV-|5YT zzvmAq!G3{-GY`F+R7-L8Y*Kj-dq(Yo10!UgAz@@kQ(gV~O3oXo$k0&hLj{a2`r%aC zHtG3xq@NY!el;^}JW5o_CPbo<2X^I1N>SB2KSZ&fqa&)Q=4#!2DC`U|9rDvBDM2p* z6;G`3tD0JwsGafaZrm@!>vrX;=FRL0U_R^3ACrFR{Re3hc7}L|2qJ!Bwob%S(fhFWRVuYZMK?U|n&Y5J*RZm!K)U)t`v zA#Lqx#q2P7r zqi&aaa4*<^<&-V3D643E<3_l_jkx<$dPhZM7?}I>{tu1qVC1`Ae(oZ9pa;onlX2qD z_B=n{DFA5gI4@;&_pmR==J&PrIMCo`^@Z^05%6e<=OAlXx28_X2c#p8PvN(Wxu<~9 zX`LpG{cXEQ&>e>r7Z>MyY|O0!tdhoDgHk3=P8BsZ-Ddf#E)f8PPk(29JFBMVw(xP% zv0?a98b-M5AyZZ^Z$E!qZSZ$*ES{ht-`^#QZhwlH{%n zBXo19c>|P*_@G`(lTkT^e^kBM>DuW?lK*ISi$E*0T%0G1WbYtsw6fB)%iS=q+U6ov62r-OMHlgY-@XIQA?eKrjusg3aQyxhK9 zStwxdtMF1ZxNqNN)je=cT8%gdcF674GEZW3%ll;Lk=;4OLC%8gd@ZGl6`q`r62RE~yCw?R`18QnfS$T_jXNP?c2oUC- z9n8hgo;{n0KPb~EvK?U9!x>$BZ{BK|??Y$61Q)9K%nY~AFbYlP98OC_uf$}S{yEI&eXU@)uw2jjxny5 zDV~V<>ao&iWRI$;sd=oyBz};-J7;7w4r=nkhD*8E%^YKeT+r9@=C2Kx9%QI`Yru7N z*;K>?jYd7ED{ysl2(PtPa{%>ZKMtyOQNh&0*3HZNbbv}ZMd#Y>@-7ADJS|eUFU>Z< z<<1WkE9hlvUH9EJ;h*VUaGv=*=4I8B`7*pTyEc>4rnf8!p7$%|gYT#deSI%8!S{;$OF znHE1~F(qr{%e|FmJ3Wtns4^Og$`d=Ig%2%MQTtYPlcG2Gx%L~Al#&k;Ft=Tm;Oscg zkMCCI6T7>Q@!SWk21uwlj!Gp2WS@p5qa#@lvnYgHooJT_Wfb~XAcaV`(F(0Oh0#={ z7&iao!|laqK;%%h*O}@+vS~j;raod^-RhtLHWv5z{E5mP2`Owce<`cmw=eHHXHm#g_I>R(%?eQ5HY$rw=l)`b&Cgyym`o-Y~NmOH4M89VB=mazK-qZTeIrpzwTt#8R-uZqI}YV}Z^=wMySku^jJFnxEwVQ!3l=G; zsF;krH-bRo)ck+nKNL*U@g6U}=G19i*t5n*aqaZz{$>Mqno&t+;G{e*XCTcCkJSr;L)!*4pP6 zVQ_fpg66v=aU|;Fw^h7Dj*_WOSSFVD^(eQjeBz<=lC1$M#Ll#)r;y3;+g7 z*>NbkZ|9pZIL&h~N^x%R`x44q^t|RkM310Hv)-qKn-rr{GB~{})P0&-)`;%CC2+oA zWJn_C>Oft+0JVM5QK?A#kArg1vNuMj)U*@ 
zHxN-+%wT@m;_A2O?Yz+e>zh~`v)%8wbx#^!ugCgs!-aKwn|oK`T-y3#Kn+GUrC-{@ z_`*7SdMi~jZ`kZ>vtoAw(#&T?*ZaJ4v*0`bUx;~Fv!lvb46hJxc4Z%?85qN zk1W6<&uiUu&l>T$y@_l=vxb{3->rX7&8!stW?`#9m(=%ob2XU?59rTTE4)+|x5Fjq zl4o80c?zJ2O4(Jozw)u_NS1kTx^$~g!NoOIRl1aAA+?gt*orzRKeNnsz-_6g&VBVs z28Cx^N}c=4*1^kLPW6|kX6fEw-8&~2-8Y(S@wCgOl&OGiCTN;S{>v1^TROMACDB;a z-ZA|d(>&~^7nu?JB{ES|at?L!b49X(gZSjoU+zW-DUG?=}kJNP}VjAm$ z;+y;5nT!Vu&zgH*GFrwWPqcEB7v%Y*ZhBZ_i*kHy0eMm$TerraW#P3qHL6CvVxW$H zP|w0PQX+r4wX$A7g-S#j+ivN1KTdE>ll5T3b4;JQX1zpHZQm~Tep;JTp9mwNO=MQJ zM|{Wno#egbi$VF1k*K{mCF{K87s9wFmI~undONNFqFF;T`_fv3X)X-Y;B%hs$qn!S<(?=3<$>xx=eTey4qm0M%@Wqs#j z7M=qN(faf=eEs^hNMXarZg4%|o_C z5djpChzkAo&m*u+M0ynb5QBQ7B(Hq)*-EbvZvQOH!1H2P#f0(b@Epx=p(LHNoGuDN z+_bbD6XN!T1`#sIaDSa!@)%1`b^|!3uQTplq`cBc)udB6d|XGmaYFZYG3N^%<&;X> zF#iz2)25WiwFzLGpOk0;aTltOww*779Znb&2wGE`sDy*25!MQ$ldsJ4AjvLsVxgxf z#liu`$80l}ig!dkpgng z;6qZ(pQisNL5YC`T?e*dgMnL6&(=xZ%6-N=U-<2Yn8L4$t8w0jDJXPBM!3v4=D+sY zvC4Oxu=XCad5@nm(?uIT(QIV<`9)S)nTX)jYnl?td-v{@w|V%g71>9Zru+zb7JqwNj`aP3l-W19s>P z@R$^Tfy})KaGC3EU`^9LcsJcd+!B9)J~Wton+K#XZgktL+Qa7tH%{(-0A=)CAW1!E zZw-3$bIHxOIm2O$vNj5xVrRfKYoA9py%uyT3@UC9k2JC?BYUxcqu$HT%tYN$Sx7Zf z`x-s?3a2ej0IO%ytORW|yhBpk)E2$;@3lG8>-LgrgmOPtXTPa4r;w*6NzG*E}K^<*WXiJA5KH9p~s*FVZMt{E54W=@9c+fnomfcxux`0CF3Y*BfT`la`-3wpp~GWRx$lye?RL`K6S z3irS*6mt3OdQ(tSryxqobv$pmhgL7SX?CXf9{m>mz^LBWC{QW}5i4y=NN}SUBy*LXCODH&mgmrduxvw_X2Vn{Z zMm*dG%p#k*RN66>DI@O&(WM_gd{DhBlb{|l^GXG%O2+3RbDStw-1Q{KkEw1v#CRWG)c`MvPtV|nq@+53_|aSPr!ygvgg`1mJ*!pw5})k{ z+oA8pV($;}<@!eA%ngcq9R#}bK}&)7oTWR-x$N3Ew01VjhtiAehH<)ZZsqvlB=c>a z-E_Li#6X$|aBR3$Y3iDge1)2KmSYEwPCKZi!&+vss>o9v4ZN_r>w8(tNMN4niELf{Mmii!L7s=}Nh zYjxmgCOaqPwT~Zrp*LnLUcat(+~4lqLoZhPK0JBJA-1MgXH-fy8JWkZ zh&T<})|cgDvk{?!Hi^RpT1?rk@^urUCY<5X50iG>#|JJd45rt=u-QRwx}}t`7(JAd zf(me@?(;5W8z&^QIltNqe#DgAou#K|$i{01z4w`Kv1ntU0)j-9%XEQyN+q1b504gi z=#q_QUj%n zoN)2h$GhIQb8tUXPrs9~(3g+E@|9;BRaOkDy;s|A_w9|T2t+L?Y|Rfa`r`C_5jwh0 z4U_q1l;xg8#`_HB5-DXagC-7WfCULNHBDaN8=IORa4L+FRoHMca{%y@FiFY8m6Nld 
zYA+fkx2i?!E%^Wzdwa-Yt?z5sD-6}_sO;5S4jvRz>F~A-xVd%=dCOxI(H}^2on1@Q zFUw94xx#LziBG#^I+8V2ko0wD(V_+o^~5mwc9p3fS~*t(jJ)aIP4%`~w?w;P(1`bs zyH97{F$I{2rhy;nkGR7|ILPIYs4LH(J%b^Rw-e<%&u|TZ7TZZ*0pd;wXaY%&SW13> z#o#@scCq8jmS|oqv9oPow{5(9I8FB!r<%Pxz*3)AZ8L$>csmJuBZv0q|j9k$9(<=m)M7h4_WW-xDP93zz3Fm`sN4xwvFU zOqTDivbBCKmNAajg{7JEo}%$edh}SApT1}~4{}{=$3AN*OWbW~B*{&*(4{OR1jL&} zEU>bM=;hOCm(Fj!n7hU+yY|8kFN^@^!Fcr#s>_9WmLopr?<+UJ3av~&C zE7zRS%(}S`6{w6#&z+j?qauXOO1U+MHgMDt!W%i>! z+Z%ncotYZ1lhfQfw|E`Z+hfhFqXt2HuZ=v*(Teh3BE(G4bJ{`+b#wCwDnZBF-S=Uz zXGJI926ZJg*P44*TtTAR$&ACv$OpeNk<2+~R;Vkr(tz!4lV6ea9C+y{Tvx3qP(zwc zz5@&|aj}&FZJ+nhyukHnZ7W4`WVsEmkvAYweWy=QuYCX>#`-|N(*y~?jd|>}P{^;e zhA*YS+gTy(x<2F$E*9UXm=U}NUSYxT#6!4_zq0~3551kABoh^A4xO^!$vcq84tp?H zNlu0RI`DgG0SVw%9~@VD2rJ@URPe%&8<5a~3wq`K5jiCUGbK@AeprM5bk^6xQ zJb`JEA6=k+L}C1vzyW1@vH!Ev78px$dql(;2WH?dReXFjoumv7UPDS0z~O%A8XUVN zK?DJJSdS6K%Kpl(Faduv=wPgkZY3J{k2a?>vwkS|Mt*Kksu zD;d8JE<(ugsEH+jWBC}BGtChfsvB@4d%4X|7vm10c`Ou~i3LD)i6iqZ!J`WZ`nQe; z_)A5K9J-2E=o9eq4m-N~`L{9tBIx&AFodOGYEid%aDlV6x{PN5=-Fn<@>jp{AF{BD z6uhs@0X~hY2Nxn@1kQBFzy-vi!~ICn_9#G-S{;6uG_`m*mUwn{#xIJ1uu&)f0<`&y z5DyZ;Yc8HXVX*rDW~xBPU>E|C12zFVA%Skxo7^MVPaZP6bW5hraBu0>99omP&>F$) zX)7K!%XSBwe3M{Ts)~Xk!>KQ7lSQ&tdb=>SQ0CSz;se}axi1cONOi3~IS}k(Vq!}E z>~eyfmru^tWdRHT~kDa*O4z1A-{aTEgx0VR3Q6@5J{+8 zvK&ZlPDWsPNXW?C^q;B`K;(YLlVFyXPnei%UhRwr#(yx#+*;r%RJwAjik9FywQ|I` z=S46~0$8eQC;5>T3nn~qLLsG~Kp(i{p&T5&KLcG!vZPF$OHXb~KUT1{P0mn>J7}_H zJy>P@Yub{3NBFvE0{#%5a(7P|r)7_L@`Tu`i@E3L6I)vR58W~(E1!YK-+DGY(r$o- zuw8}w=MZ&+9;h=Y3)lZ~(g}QYnv_miDy6Q70$+(h!CW~IU7~}lsi?w-HlSsY{iQsU_-$1fp6 zpzP=8(H!G}joG=OFhk(CcHWQ`ZfHm!6{X`biV7dAp`eEZBth}D$nmlKeZ;RO5ZsHGocPD=zMF36v4^g<_winzq(b_geKPHmQ&8fXJkzf9?;!CPZHa{x zbfgxG#-MFVdb*sv5@O*4LkjWtD8Gu3e)_`h9CazF>!?@cCOaeYry8xBVN6?%!YMmn z_8&(I$kN>fY*ZrG`RXc^<@(UN1v8v07Jd8(MIAU2A}S`RS<%tax}xeZd3p0xloLnp zccfo*l=F0lF)KTJk58XJ6YI^*M|*8rQxlenot7Ew4O{r~G*Sl*vsIg3|$k@(rOh#Joea&jnYn#o)RP(&{Tb$Cf*sVv`h+lCYMyO?j#}$l?!$uxhrb~a*la61$(YR^K 
zD=iDPZ}e9y-_p`MBYtLC4;jjlrts-)<6uj&rk%G8NHAFKJerH4M2e2kluInq!3>(n zcr!3Ctfx4fIrCNbgX!nZ7~@H`u7~;?1%5lj8hEIkJP;`!y_%8TB18#JOLF&27@=GY zEnUOsGIGMcagIcObBk0!s3uO~Zjq7S(4k`yl6jN2n|9l%Lxrhf?_i1miE6}`b2=iE zsIvTah>B0VY$|YQymF1&hO}F@3P+$^6Emc{+HL)Q@!^)1T$BgCzL~T_^cNa}G6lNp zQVbsY^!K%fu1lU#y_yZe+*e;ja~_HOCAcG3pRpmW|QPCevW6HaChr1=d z)R0<+hpzJ%5fTy2Dey5eRzpQv_|1D?+6^dpOGdP-PU`Pwy;%0gqL@| z13-{P$$k8sQ-kVNWhmJ~HHdF6%ej%DMLxAf9?5z5+imiXjyuAOe;WZIhr!z4qeXw` z7yhIAe<`Ma4!SglK~Q30qa#7kzcuea%Ik=(`umY00L5wijBCXq^4Q-a_<8k@PCuf; z|9<2H(6OtLao!7{lKnG+pI85wI!7&=zaI%&JECO!w~uB@{d{fJ-^%)^ZvOj`XAYJ8 z+qIPcyv*;H4fCJzOH?r)+CIip3V)#TKU(+?kCX-0!vA&QmJd$TQ=apFbGPCc_$M!| Ld^=a_?!*5BBzJBI literal 0 HcmV?d00001 
diff --git a/docs/static/images/yp/encryption-in-transit/add-self-cert.png b/docs/static/images/yp/encryption-in-transit/add-self-cert.png new file mode 100644 index 0000000000000000000000000000000000000000..d27bccf47f7427fca6ddf56505a0f086c2074521 GIT binary patch literal 106030
z@#ctjiYI%qE=3sCMLgLP=EMD_$Q3>qFNV$Hx>U!=&tL+gnkx%=PYdrz*rUq0BHywN zY$r!a!;v;&b&LDw^J`{nfmJu1ZvN{k4VSI#J$v+PWv-8FXFJ~}#xZ5$m`Dnnc`kvs zkXO>qEzYVsZ3bEc&Ol)wRt!AHmHk?FJn(<KRZB8XR>R9~k(?<$iTiF+t_wc8W9) zxdx>RtLix$$X#hN_ywQvO0aY1M@9KWCp`WV@!!H%Vk;GUfp=+gse$C-4xFt9j!`?a|RSg^jn^ld{F7t${7q zZ+d@>{9a*t_pmn${5HVfzXed$ZJG!a*EdO(=sDYT5Z$^)Se%l1sz~!&cVt_O+@5T# zkor5_y)RdexUm|C2VU2N#&xR^5G46^bzy}|HgQmjWEY2W8?E3PPqaob?r(DB4M*9B z`ihw}$_>Th^{2cR7KzqY;eeG^fI0~ScQl*e3=q9PJ1o!m4Zz!N2l)xq2sKQPl{*zPq7&b!Fn-eO_{v-!X9FOP zBfq1+U|ysNd%anb!H7Mw9T=gQ>TZ}oa(54-i2Cxg5KNv-7%^4Hss@bg=R5rIU%(xbpI9(;Eh7boeHo3db z%6_?Px4*f->h~d-c<_6Qdig|8J!tn^Jc~{cbn5I4=0TaB$c)g zpIH5`Y#@6Ik8DJG|X5I3eS|)K*Cb<}>*Lp5mJlZlgkJ1-2cM7CF z1z^6oYW^V@nS#c!`5<7Rh|jI8gOJf+I?QGD`bshW5jq!pp+tQOz${NzQ_{SPWk`H9 zar4MW?0Cnocxmdx(eR!O8;-lV&8N7RtjJx6^u-u@sXA#9N0Dhk9b24=Cf8j5KFY&&?Z0tY z@@cj=oVyJxC70I&#g0&RPt^wC0lAnUjSH{2SH7|q3X;Sw(4X2bfrBwc1i2%v5j?rE znhwwqpHHain7M8^761$C(7_4CZ1(}ux*YEcKlYJp68`*n6C9JoAE;ym=Zv`Zogd>L zp5QN!DeiO(9)N=qEwx9BJS(^nY~t#{g@y4MCiYDg13a`(31BfQMMJAvZtQj&A-wyg z*X)Q2j61_j4!deQFQl(=VlwPZt<+U)x8tbtM97%4Ukb0Rja$q4H=WeUI-X>gL>>2( zv?!};K5P0=SJ|UTXvBT2D#62WL5QcV7V(k1fXIhD{B4`rSe-qv1%cN*d2HJn-&P9K zVpZ;X6LyHV4Mb&!GuuqYw37cH_TDnA>h4(|S0n@lln@1JklKLKAtj)6*QQZArDanB z0-_RbVAI{*Eg&e3bazUF)RyMIw$F3Ub@c0b`G560yx_Xv)3avHnl&@`J+O7Ak!CTQ zcl&`U3b8xc>cXX5;)#^THm~+NJiq99F|bcTzp#KT2x^~=4)bP=PsAcs&|qBMDAC_G z#(3zkl>M;wEA8<$_>WYQ2lbzi#4aRG4%SQtpC()pd@nVOea@36hIipCjCn~;A}p8JDB~(ZD?^mk;m%~H!j+6F00>YpEvMKtg`cu_v*54MKm(?A{Ej_g}AhOgq*sf!3Psi|n~B{goJ z*)<$bT31-Q0!WRrBA*6XYNdqDbP&Tx1%pgcr8Z^FaDX{t(!3h%9?(dLLdT{{1so`I zD`=|{?(2tULEbIBm!&>=#J=Tr_} z9V@Tzd$#%mOyvyDHG%K0dkYIA6Ak6$wclwVkuZ_8W|fo!n46Mds+X^@X}tUP+lN74 zwSy{gp53=kKeV`0F@#O)&a&+<{bb{_kKZTS#sUxsq&gia;E}Kiy0MMH#SG!^mqHML zC>!PJ6Pnxd?A|!AEr>z%(r`m-(pKW)Slq*@0A{cG!{96Z^*oz*Hwvc& z5bTML6Zs^0g9?JQY-cW)d{F9yh^eTSm}BnJHDL5cY>1j z4u{r;7HYO;ItzLlE&Lk_EEF`3D!qQX;NIevlE^ zG*w%5v5%L`ep62uxXD)7cu>&0q}l_8GAlgVN-vX%N_&Ov(-M%rZ+SOe7nAYGGuynO 
zfxcpP<;Olbx202luhjA~Bp1Mq8u1-Q8bA^IGsQ{sNtBIddB|YP1#)NTIfLMxnPVXN4R32VatvC`%C_c*c#x=U84+k};h0VoQ~FuZ|XN z=M@MX+KvbWsYokC)8p}HEnM6ZkJQX8BeO0RGrvtNR8%=#a~rX+Iy53&FVQg}Np0|~ zC?XGTaK$r5^*pHI2NPxEi?AiD?1=pw`2o!uU|zVh8;jnE)vg-lVHI9g|s2rY~3=iAn{1Ym0eDH#ILg}NMo;vCaZ?6nxxMhIwhwQi@W#Z zOQ=)-4Ys!6(=5*>O^HiM-dH8^q2*+#*ca$Q*4z!**!nJ9)e5Y7@4~5x@V z^;*rAPlnG1N19ycPI-)bd6GkCKnot=D|FOVjjAOXc?2tQ2D zbCm8SbM<01Nr13Wd1?*qw;pp0JQ{YzCST7YAsiT?opsRgE!j~W7Ae}k%xlVjk8{B} z0f5-`$idpfC(ZD^sA0#38X%R82lk%3P~K@k!{COAIY|FvO7H&4)hv5 z@np%KjUhT9i)!DQ-Fdz(uHqFrlLYD(oNC%d+(FuWZ;B9G7G&UL`Qqj9MUP3toI~{= zo{#tJ852^#E%E{^nbdT&aBkerZ-2KA@FCYJ9&7q1T!pe)jPR2H?1=mq50DoaV-yd# zS(0EzGHZ}aJ*r6q+=vd6@w0Mm*M$&vh{g5zfaXX7=-Y`tO5i%yRGHv=)ZJ^~)|K_a_i`^Pq9{qjKzf?1uc4Su zmI*2sNid}(AWs5_C=|!j_ZpKof^QIHur*Zo$PDZ(wX_secmh}8njmb^Q_-!!S=5_Ptv26TKw2?_r{h(YMMQ)3(S5gzLkedGBu{*G>}XON5=;vtsfG z&yp{8{YerjwMP?NXE0KngDKf9^cIFdj^wV_+x}wf*(@!UTCfeRq80B5@0s7(0r_LW zGmTT-^S4$n&bYMM=^z%X6Cln^ERQHF7}uG8S@%3~$HJe!9>4t(esZNpn>@@tE}*o*DO zGnR3`nZ|;u8G*Y3`y}q3q#@ZGQx6t~Cg0m?av${6zZSgBO3JV?Y2bNS!1{cpXV*X* z-Z@KTAdyg0LNPLnMjPTR_ASQ$zjJ0_&9c0GEwd=%eI~wz zSijEQa-!>M;_M}eiA!qEOU4Y5Rufo>H$ooI?L`qsNWA!Foe6!rbWI{vbwD;L{}Al> zj}4!;@j93)t9Zehwr9OX^LN6)*EXz{fock!wv%mb9M+vr`#U4+QoD3VQhXc)nE;yO_jb@$>3*fH@5;bk=y}EE3*!h$EM?7V% z8++#=RR=nb&3aq~jjSRjJp;MXr*l~a-(jFEEY@U6cbuxv+Mk{u?#PL~)|B0&pc1wQ z3Li#==ui<@K44^T_LmWHL&E{#x*To5q{{&aOptS2|}^RQe9r1k#@9sGLEz zpJ|tOz;w;I0nBAcZt&2T&7teA{n6${Qgpk%W= zTmz8ATyS^N9D(|Uk}q9TYSaDm7A+n@t~4$s;`8xu^=0DH97I6j&39A?UB9`5;b)cj z(b?_lx19W0NuBC-e^3+4X;xxm*UY!+*K9OHZ;GNR; z*bt^a=5}g0AX=Gn48)?uj_R|lpA)fDXXh3~_)d|pE@t?ixh?NoASLE@lvY$%XD^A$ z0MXL;p~ody><*O`1#)^A%!QjEYg6*dS_5Gc@*c^_C;9j`%Di_-spsy$jFQ!|YN$fe$~UW-=eCr3*JE zkCNhaURSfa>a-l$7~By;h#;E9=CYY6$3Dx{B|G(9H?>ne0~*rV1tnbG4^J=3ZXyf5%ez5LK{H@uc7LeVn9}aCZDE;Kyq#7`f~^krE~(q8o}QMf zPEaJpSqWgH!@ftVl0x$I*ggnoy+@R@FImWXPcDf~{hJMXh7-6lwo%9NgMs645AvMZ z6et7n(kQ9`X@sB)`|0rnd5|JO3X#WE=HTLVixKX4HqwJL3ci=GO*C>v?|fs)o2<}J z3V%btJ5rHA!Iz+^r~LNh%8>AEsdUeH+Lt+^XHDJ|$2N^ST+p)6HCH&1M_y#Qz-{@s 
zN(v@Qy}FZ`79N`oYAoT6Eq_gvh+}_SmK`Jy}i@>4c;u@ZXVUmp7*rfE!ukGBR#8#=g^VF^*f=LzaMnF@F^B~~#GxVox316#= z!?gwMI=CM6_wUP7c(B$?YNJ)yOpf&MJ!llei6lbMIS5@GEg~Na?tF55sM?(3B6MOm zRc-%tH0@S`1*^0cyf+7n;??KOkDqB%I(C#qK>f!Eeq`{iGnTAkCqT4>QD!V;RYt*O zu2fI`biI8;-$LLOwp&(`7tFlmu*mzI<&|cYRZFX+amz{);| zs!Vm*fx(NH0)leGMV?C}NQNY-2saoHr_Z&0qc6yH( zKgwC?%~-slANHqrF-tS?_Kz{J=44@X0B zAA}xPeG^nTP=Ow7UaY3=B0U$=!(oAx39`2l9`BcJr)$ZM)vctYfV#S6-bM^P&7D?% zTXuKUeGFtCuqdlQwL>R8g!|yrmw*Ifyp)3iPIak@G)pt?ly^70lEe=uk8g!bCYT<4 zs5LyI`tik0*$^YoMT@hsLq;P7tbjexEfcT;PAo5Z1S=+wmGZQ2S>?7$kZE?r@E7rQgkR71&2LiC=b?M3URpWQvGlc{1Z|Ve4J{2qq&}+0Q z=??iEfzm(-Z;8_iTNX%VDq=&mnHhJ$ZhHVy@|8eC4j%pBJI;wOgj(7}S*ZpK(3%zL zO%k+JVxO@V0MqM&z=0a9C04&KUXmKRP%(%yo)NZR`1<2H*ZZ`FryVk4hmv1-xjkAi zW)JjF&q8Ddoa)#L5Cje<2RUT}%I->=2X(ecp5>I;LV*vYS?pq)lXeUk&YLgNjBEzM}@c7Hr0h~=lp3GLu?Bg*gaMhxe zD=k-gi^n8G3t^%x8EWIhCL;C9gTlG23VbK(IImp_+57qgD}A}NtVb15Ia!^B@~^wD zFHan{9Bjf(LeK6pOC119qqkMeW1|@Tu<2yXq4(Ok0+(@5MwDbNL@nWNidnV(#i5{z zx7ymQ+e*RbtNWatJptK#bI3MUGL=v+_g$zNZplKy9w<5^|6nRQ!krzGBme6BaCFmx zz7UVnOaGN##&ucdw6fHpeYG#>la+dqyQY=e3kOL1(RJkV25&VVn4lTXHVNx{Gwwf& zg)Ma|t%Y0&xMQykmkAi`bVsQl8>2-AV~lnCC$d83^j>RL(Ub>$JHvUJe8RILna(i} zx~$djC|;LU7O1E%h)M->4047RyJNXsBh_wr313=XhGhc^ zH969NZJV$#|2T4suq;V0KZ*5Hn0xE7@YU`t-(iHF>u|%>p+1GLWvDkTRQSOWX^75ZV>r?HgRX;`*t=l*^XYb`<8x_EZc0Dt#qdxSi3u{*b3B|I6u{Dp~gL zQMw!g2W>z4= z!ext~fiQgoR^u7N(dzo$^#8d%%(wXIrbR`~r9aJHlj4-;;!mS7Q@e^dJ4Ceh`4MaXq6yRoTrC7=f(6E|g~NKC`&)EkbBW2kAHb=hPqVyQ3fZ1Z`L$ zzWtd0a?Z$I7P7y6q?6IJ4a%?HxgE{hAHE@TCOVL`1jP$IYnwIk#xcnxvYyW2;&!9A zU$z0pTbD2l_!Fk@>$y6;LOK6l(r<}kLzY1eOyiN(csEnJO#zXSP2)s zen`8-k7++3IldX1S37kerhz4IaH7Dis0%Z4jE$Dh_yp;7 zF4N7c^rGwu_F}??t-c9wdZZsf*0dZ zcDO3}V4X;toyUQ63j&+66SwD1-vl-8&+D-O##qY)Q>g5Hynj$!AEMBZyfStEbJonet4E+?nVu!{a71TT z7(eyPTiyG^P<};3OG??CbK8Ngme(=y=KkZY{CrSuwmv&+-)3_-K^Uoc5rv${d$yX{ z6j`HG@3K3kq9MDdNlz)ceX@Tn<+!$hXgMGY5iHCS3KgMEPZ|aB9lIjlo+mmx*kJK? 
zJkoi&wzOgc0GQVqFjmJoUGGf)6Pi&7OLj~bDq>0UdI1JJpIjrSAzD}%R6ul!8Dv=X zd7lj6nW;`yheB&bPCVDe6DD9Ht2L?8n#T9m1D|jEQ8vbIfRME%;-jO9pJ*8g;%qYc z9c`pGz63Vm`qJuEb?Y$tP>L{)G_@?1gudsQ_gQ%^%XibOK?ry>6R%J|`H)60CmE|0 zQci@Na_oKipvECd(IC1-$2XbO!}%#(UnXs3M2G;N`vRu4>ct%iz)nXBxrGWb9Q?)l zaYliK>tabQ$+cV-163m;AH8N{6RRS4a)zvG=L0sj!iX~V{WDbdnTQO86CNlgJ{Qd0 znyk9eSjoy1Z77LI9m+SCN#qA$8fZCa z7%<13@mAanXwCjWF32|1H)t#@bXar23U5CE^-h!5N=X$7!q>C7koQt&bG*(?0KRIlp^>q37tI74Srg1?8gHy+qcyd0_eQ$@0T?8-0`{p@% zPgwYE-Y6CDQqBu`fRPr!_5iiUA&vE-(t&qw9h7mQ=B2&uABzpznG_J*X zyYH94wnCrH^>B^4YRzoUt7C%~iWD8~v!G*6@H(+TzK@YeLlyrQ>*{iULW7=9!!}sw zf5c>8+j>aDqW%w-Q0-8s1$!TbHS`nr?AfQCzlF{rDhitRRWRkHp8pj2?6g+uro~)8 zX@0Z}CcMSZ4%eBtw^vAP#z{@pUZB$Dq;+!dbTC0G#^m)_d}&xm!I^N!S4}b8q5xdW z_M|hCniydxYfwFmPr7_wA(Kr55HQTmg(<2XN&fpu>Ca^i;Ueg`HzLB-88EFblf|;4 zocY9XjXHIee{G03Tv_6reL$$sR^+e-s(FpA0rUE&bEHmF_Ing75<^13HlVTZRM1{J zl^b|gOP81V(C-xj)~p;nj0Tfbn2mhq=8&_xhp9kx#qZo3p7 zyWs=5{R$PG?a(a5G0T6CkS8QHM_3%!TjNpN)D7Psdl_5sUYc!e7euW}f zr=4N6DVHd$(TvJ@VAt!=}`Ym248 zFsgwp41%bSHvx-xWZBInbu#cemW#s5GS`U!2r$Q7P2!E{_kWR>7b7a4O{D5&k6c^>JudDe1j3Q|SKNi3!Dxffc z4hWx5mVV$|n<)kvY@bwAR66+G+gt6A|G@xu&uZh0-NXhM#d-M^IJMFu3P`~1HBKag z0rY~XPYTTkf&$6zO{ZAjVhsKVZD(O=PzVj4@a1$4N7r?PbHYB zl~8!iROQ>Z(PI8l?1*C>*{gBX0ItdTX-$^{-7+2pl5J&=TgajU$V4FL68L0Tn1C0}6P_-zBPFAqK{WXPYqNjc7l({@qhaiR;FR|A^wd9V>=)019~d zBh#_tR<=D#=%kI-?~;6h&~eP^d_)mI<|fD6N<7yip8kXUK@CNCTybf)Bw=x9(Bnsm8N ze4I*&^dC(c;3FhM8wPO6LQIpMs{o%BjvC*16RM&KFurPJKZ8`BB%6clCDUkV&^i7E zY42Ad(0Ihb_?o^NtTDbm#D@}kumMktA`m(g1{YkEstd@x)WemL3|)ryA2>6q*>mw^ zQXur<GVya`poxA*z?asBZ@9H6{N1qE~iWD-)g^dl>y?s zIaZiH0J@N@@Oag^WMr_c(MbS0G8vkOpmhqFH`w+vGLawF(CPj!fOlpLpX`Url@-?g zsS3K5fO&&BM#Y#ij;^AZ%lpD(|8O+iIx|6#oj8tP5Rh}M6TWO#IYqulI63G`{KKQ* zkD81CoLvWp7^zKec=&ZN>qUGl2EDjAP0x&Pd35z6?*BpfKE&ZOUS_5Pu9sb|MgS^^!OU|* z0Vl&TIeuGoH`M&fR7g;mhA=4Y`TkDX(}#W?EH`q4wa$5cmO1yMBDA$)dF>Jb_eLS; zZBU5f^5{~&g8~}=(INsx>ymxT2V`Jc0DlR`U4l_S2Dr>8-_Z>BU}2Kd8khxO=HP%Y zxBqe-xLc{LsIBT9-C}3H`wH|n*+m(kDw~0M?Q73-kYk^$%;3k?fc*zu=r1Z6(ZlO! 
zM~gREAOI{zO2bCX3OP=Nv)wbwf$=7Civ7#O_CINhd;$nSiAIE-wtWtx5fd}>+8YAI zlDzI6zyiXWsrSFot$iSf7Cy(aDjBMEo_<+v{%G*6EQWsupRzPVq2rVgmJt(-WbCip zcK7J!-ehPLXhX4P>?I-Ux}7Y5K~!df{e1?%<1NI3E!yed1R^?e9RNb#-(e*PY>cE~ zi-bVI!3WG>HKexy8=i@9y+g=$EUn(c(qhi zm)g4J*fv%AYfzXcfNxkJ}yeKYrFY zdo$i|hSRnX{K>0}lCyF6YeK}?zt3ZNJGl~K0aem+cmk)Xb7n=ot)NSv(f^`nPq95N z&xgkTxp;#kb+TX9Dy*2x9cj&JHDc{oOw`iJ^S4>ie&;I45-RaAkk(|#Y!tQGJS$>+ zrsZ%)nhoB#H8MT$v*blv*CXYsd zSoeTb@BmX??C<2OJTRaaB)DBUO<>gV(eSTI8~e~F7hASRKpHY#+c@;t!MUfdM9Z?d zk(UkkKULM|fy8GL#JZ`!ECo(h7qTGY%$ZU;zXeYCk*L4mR2J0S?r$q3-1)h0{2%<$ zzw8Os3-kwy7d-+yAX`!)rqwz2ErsuIa}f9~q-z?XvQeJ8S50C*kOMe?wavxB5 z^Ng$e8?LjXY*izh$#yYcRc|ZyR~ig&1HLnP!Rbe=-a5Rd+fy~D5yLcM!XhX8>l4G# z!G;#_J{f9MBYdLOG`pX_p>H{mWN`HvX@e7fm{RZ-)KtnPOimZ4hVX0uZ)&nch){zW z7&=T|s8d6ZxwQVO%irDt_ms1CT$lN86BGE(xi@5OrF75f#pgTSUUb~}&v5{(O0lAk zz?N|?;8RToi>A|LE3O1B21y&+w96g=_{h6||Hwt)4sv+;F;e{P!R^eztIeOe*NO2r z-!A-h@yZ8OF`erPDY}1^?SDM>vUeuobBFTKIpw8ES@^WEtK+OI6}8VT zTk$Jj?ln_ay?#Z*JoD}`jkg2_#_nwlNlIcOV&z*HYN9oEXpbDk@!G|?XUXMw~@VFr~dD=|9KSnvk>PN zq-KI+=*FLqLcjG=_qAciE@mq1-xvEI7r)L!LzgYAym@G;ZU|@sRP^*%BO@bKw6!NJ z-EjW<-v4!-s0(=Q(v6tW`T}U#Qv|Ed13>W~Sz5|*PsHofhx`1c$xosVH%7bgy?$JS z790BL0xn?(fUK^1m>}d{dA1kT7y&vU@z-yIh8g7^^EV8__$IS>nSB|8gM&+7?LK$R zBqk>2upTSc=+*Apa1jW;`{+q6pch`}A^Jmvj0#tMGtkTHFd-;v2;-4_Xo{KR(R^SR zZ^JI`Jt3IWDlF=brJ)l*!DZwffF4EBVcl$f$AHuPYfmO+<6(ha%&pvttwA!Pj_~AB zfaGWR5{MuA_*7LOti&7Ni6yvHG-Jt#(}OkI#?$GY?r51c z|C#XRuBa|R1jD4Q&%pWE?e;#D9iR^bHs~^pLK+gS`h^!OybU-=;0%t#DRdf!7;}L)aU-W@Oy!rO0JCLG%RFzM@R!MWd z04Ui6U1-=$DM?R;hKDLC`feOwt_&{-@B{ z)padnHf~s7b-ls7pJu$+$PbV{e9`sIN)!*o^DIjKX+7WU|GiX*6;O$scjXT@mGy%5 zZTq^Rt^gX#J^9qksgd-l#q`0ebrFjJI#7-f0e;FEDJ!V*+u#UFPSX#oR!_0q@D=QR z>21P6J#5dAauNVO^$zWTo*Vd{1xJ&Tp`HNJ5Mxs@Ix$t__)T;_oI%m{&WA#sDg}V} z=XL`*+Hb{f#%kv&2`r;4XzO-L(O$D{<-j-&-b;0mO*tHNeI@k|Ei>zdz6A%0vYRmlyjN2KmvZw8OC@z4uaj?bNo`D2oRtq)3af%js^ zTxvbeQ5K9;=}+W$8E{TI8OrLee(C}pOT)xFS)LL(_M_i2N{`ArX23<1lLR46JGquQ zvg(c>1f_$3--SiwY#x8hy0tCTV~KW8 
z98Znn0Cy4zIAJVDyo^jXIlPOx0G8?)ShggJ9qF#K@4Ss4#qs#R-r)^Z2BI=ke7q}B zwr9lIq;G#=DE*~Q?rP??>@{}p-txH%?sA-3HmzdOp@s@+Z@Zqy``sh&N+^C`(5N!O zG?rtGdWRzAe{j?%ux26&=q(iM^0NH&HVk`QsBET_@VE-1K6CT%ywh*a6neEubo1s} z6CBaMRbdv6JnEO7MNYdKIIh7dp0Uf9Mt!n?ZUv=>>kCK8WOO@vUomnA%_LyjB)A3E zig$6n&#ng6cQb*R`C_LH(0fsVo^3%1k*G#7Z|+WsmZC zb#Gq1vXBJU1xfebReC>EBNX$o7g=E7XTN(mU2zt&tLKu%k{`7I3|0B0_pmFv2 zvh3ujHPRZffsgyToFrCXAB6KQin!_}l(QR(;0qt!v1Oht7cab8k1)`*Hnwxy4{NXil;C%_Ksgy)M877+5pdjNG47mIO@M zYNMW?Khh}A+uvM;8P?}Z`S~Ih1QbHHjM9Vxxpez?9nQipOVfd>sCWTPRF>u`(7B-0 zC@GV5A>vPOdIO+q32usKSKr_wHer`@)1;5hr~OoikOGw-XKWO*iuKu>uJ%*9Z$4TB zFhA?b%5NV|(_fsM^JNM}9UQp~T#>&eWde?jpRjYJ>aLfjFe~8 zL;7afw5i5ana5~1%aYFXS49NBB?{@V)vnSATIpYcB|Iu-RCaMlmjM^O!qeK&><&!i zfIyHOUycEng!}FDC%-#-tJOeP+i)Elu(mo<>e-xdysp|=nVi*YZXWS8d72l+fi`Y5 z^<&<=Jl@4bJe3MC+8t?OKYCor9zf#d@J=lzJzrOs0xHQ97%n-ol)G;rn zovhwf0o^k>OnhJHSKNWD&8-Lshbxe3t<5br8A^;EyXUU)sa+&Xjt0sb0o8X0gidi7 zycdb)KwXN@Pos`|#iLH$F;Rwq)!3lX<#f(U++BHmPO8g%haLA?K}krx36`+P?pMOW z`bgiD#OcNWqom_*vu^8R-bmIjw12FvlfW^Yutof2^*R|$>I6mq7V9Zd=U?xgGN@)8 zIy|T!lF9;nVMDsjcQlZ8-lsaSk`VHtMsIJ<9el)@0dmmaQ_*)`jLjW#%n&783yQB&hx z*A5+o$rWYWno9kOvDj+{A1YmAB6~V<@cCF-<*YTsjoL=NQ-~-)j zH>o*<*XP!e1BD;_KM`N-kH9P$SCf2QRR_E7IiJzG7lIX_SJ55!n4zF(MqL5RYSv8Q z>0PY<;sQwW?0!Az;>qSq@2R(OSJ`FnC#GmpJVsheZQBZ=m{#zge?_`$hCAByzNME8Jy1UC4fT)?V$X&d%s!)C!-A>AdVvc z<7cg>jlt_Ka7}y9c@8}HTe$C?N?keQ9=kb|UH!yuJ@{HNs}fUo;)c`?TGk-oON(lF z{0*`?7dqlgKV7enw?Y{`OZxPr%}?NDHEqzfw@b2^Xmc(7 znv1A?=hzJKw_xptMMUJYPu(Y1mnh9v#3@h0 zJQm4j%}YY{>Rf_mc4gZ#v1c;tm3--im@ZAcVNCPN&&Y>2b;-!cmQj3_RoSD&u(fz( z_nyuM?2>9uyD%rGXKa1rYdYk}Hy77)}xMcLH{1V4^H6t~Lpd$l3jT8R~e`9x9V zyd359tT~Y4t%*)mR)ye6Y&9O9pa`q_>r9Us$Qh5T8qW)$>A;=91SH3%4XjP@5q0$RmGWkd?19ZwF2Lr%T@2jb~_N)wfH&mD~CO=)~&GG zN6wd+wf3swkc@+m+BcKuwefL#4%lEwl@{Ppq>ahIIzDGPC-4Tu zj9hu|y-E`K>{Hhy(^5X-McXjoz9=G$IS}w9xQXy}WgFDzoWLYS zo6uJ!^1yz-40X+7wnXkaaeXZbxMi63 zzqWjq1%8z=iEX7OT}z->le~e7MOCkQae7lfs3bLonT@|dQ9J$GN_^e~-I=X;#;WVn 
z;#s@?T!~ImE0NvGS45M}uvuN#U`}!@b9U}4&H5Z1HHGJI$mwg2`HneZ0F?*W|V+|0do>i$$*QD#FH-DHMC9+sFr)AX)?Z+!KpnpSUeur97rL z0s4*`vk4v;sF;QV<{qbhm;0b?o!-#;3msq}W030uE|o=TVBamy#Z?wQ<1a7HAvjmZ zHaa6ap)p}4#mYrB*g*-Y7-4Gy8f>@;_Fm(m=P4;+_3`rT-)$ZN$2bBxlVMdxI?QR}vS`$j!~waLu{;5joYLEbT|_ zy;GpUi^MT6q7up!$g_EvU3S{nwPL+PSuhIdUeW<()Wvy*^6-p=UEg}W5df1buKVmk zn`&zX2({ODo2;w3y$Sey97(vCSK|ASSaBLVtv{P>zfwwP>*#(YJ2tzZ@F}-a=;sle@(4 z{w>O-c=zPBVGd(#O!!}pm9m4O@KicomHg~QGA>wU>nFD?w zvM}+hWcSzng-$$cL4a`6)%2V~$WTON2z5S6a`VbPu*deWO&g5i;?M*fF-_~c`oC#O@xF9u734wa+U zes0#*!W`qp{4hC?DmU$YGww>U-N`8`iW<%vjU{Qw%$}~z=>Gh|KR??y;jrL z5qq7pNIxrht;ey9<9XH$j&hsE`ba_CT8>2akc(pF?^^_rZ@^h~-4=@aGVJd9J}(@w zD8`h$e-?6I;Thh0qE~cUIIpXPb@b}>cx?j>?NWhqDW-N#Bf0uu<5;~Xe zz%F8aef?9Oe`RzC`8CXgsLsxJ03j1U0ve=eO_7U42gs1Jt-YQWa@UBNkr7bhCH(!v zP?q7DDEs@tIMcPCJ6n^kucDgOr7tf$%gXlOZ224Jd?r=fLC?yuX!P>@Bvx0)S*YSu zK{+h>yUluO@ENH+QRA3pJ#$ugFTk`ttZ7^GF+Mk)R_8U?GdznOOkVT8D~|W#XD~wk z7;|u=QkLWwtivNCohOH6^pVVm+jzW?IxMO7nd=CgeCj9&)YS5^)2iW)e*%Z!TjDV$ zCA~jqZ9GX|*ZcvVJ#0B_24Z!v`mtw}pOP3nJrIT!V&R7xa)*1mSogq*wVS`^y*=)Z{OH>SJ%pRdpsB5#XSWGnY0bO>Ut%r?X z%c0UD`|cm7`T{ez!2O^}= z|2K*L&$j%NT)l$!|GdeyTpL(UW#0ztw~U2Fj?>yeOH8fuAFIw)bU4i%KH{M6=W0J~ zxPv8B2;Vm&-@)agM?v$Hb?@Vs-fv#GQka-FmP%z&$)b7@U9cm`TeRZD|p z@+UkBzu#U01c4xvmFlvJRt1$Dm3snCZ$WmMPhEuB?{`PxwI~5PsCF2uXtB82B z--+Z0J5wDltW%vDhYBt(uJ&ZHYZ=c%xB2;K0{`?&ldI8Pw(~!NEs8t2pvrel?G|U` zZZE=+sUeb+-gR?~X=Bvxp&uY#;ThVf_?j>uZ*l)mZ$;?`+Jug@pfiXvbZrbh`n)mJ zpElQFlRvt`DDZjF_r@P_I`$(}#r%wSB$Z)?@L)DH~}Nmbc0_2ZGt#efBoW0J2v zv!OvBcyX0Yj1Lwb$_(tLkgb+4fHV4Jt$lB?!qW{wO6+XpXl-~Q#8$XZmVFS4$&i-PhU zlh3a&^xM_8tvz%8aPdHW5caC;2B;#4c@$Z03wpbRy~Al$e>bRrE^8lgpIy~p)=*`* zwe_j$;NBj`4$s@=?*t>Z3M0I_6`eAhL`LQ+4TgLz1;kLyLK0*m zWAVsLOicK5WC`$|6i2+#INRX|hd^%tok46XUxi@RKRiOw98JX^*7J-0AIRZ@>~}43JN%>!)GXz384>u_ufF*K~L0=mRu&Yyj-obvoM)6*ps zgxzWrA_D?2-OhFy2KSNDV8+A-rl+EI*}tSrz5gk1gypFCC6p-ifwUPV(Q1(Qpl-fCiatxaFZy;FHdghQy& zq^oXk$Gcaicaovr{SZzYD$v~1`Td&?D4M%W2QS#*dD0m{`(P3}UTzT%$~M?hZ*5ou 
zjAtikDQ2yiMTvDlNwpK_VGi@!nsDA*&nrTmA$AR`JteS0-}Xnc80cAqHTli>aD901 zWWz2K9BuN$>Y@(3Z)|2VoIAYNO2*oSOD-S*=r}(+)ey62bZ(A20zq_u1i{khYe2Hl z1`q%47*1XxyQB|yAL%}jpP23G9LVT0p7~UTILm8G~?yi-x}2 zvO2WN))V#5r7%B}A9G?ZBd6prNgnI5FrX`V`(C`5{~vd69aZHP#fuuCA`%j!D54-D zt)QfYA|S1VfTU6?DJd-&DALGAI;2~=HX$P2-BQw^G;B7!`GMyg51#k#d*j|a#vSkc z!SE>i+uvGiu9?62o3Sz3I6l8M{Ir&($t!ittUD-9cKCWMrW7IoixN${!4k|3G zTWNh^8Ybaq9G33N0g;1#{dWF_lZh#B4@NMf1yj-@1D)p~Gky83fT;B1|Ndz5ZZj?a z_NZUuZFTjX^=##7#}wJ+hx$WtwTDS50Nz}NdyAWai7hj8p-Wp9-8DCsx`eZAGr zqA`)tX1ncU3#L|qbxk8|lD|N9Uc>B*k683-K!Vz!fCD_EymgEnEw(z}sdSNgYrxJi z*6iTM>gqr(k>tDy^2HKWcKKU^G25Emk7t9j7p4r-db^jjfAHISz(3v(SzYiSuv-si z8LWLV-^`?x?8~L!C_~*SfQM2ouCrqc?_EG&UptF7oHPsMGYRXLhJ!M$CYeWXrlhYf z+#Rr6DxRDj_&H!bZZ}_2CO$~NjBSy5cfw|V4F5jrG@ljQJldXGweEd$M%m-Oyif2| zT}#8cgJEp%DA>f|ny?JiqRpGk@np(Y7xK-=t3h5~ROpmoFIGVtcWdo+(V-443uybC)%?^kJI5dV1s~_f%2p>livvpL9b9eZo3XQx zZNk$umjv{4?Y+Wg{HN!c0)C?VF#WUBSi;`N-|L)e3+Hp}y#yZC47J3Wz)NBTe1_l` zN@4<5o!mq9>YiyNCaD&Sm2Ah;#^|So<$PFmpf9(}Uv<)qS#^pC4YT>KGS6S|6_G?9 z+e8J0d(q?Jj#DZL2}UY&-0&}j^ZXkL^x-}|-m42*`SfRjS^|B{j;&xbA-V&qhV$c4~Z%&YNTInr)D;~W`a|O#T9hdJBBLa za-;42`QWO2dRwC%Eng88wPyMF(y4KPegC zc!zu`>(YVvSLgS?cO-6iva;>PN1dp|Lk$GYJDfCHkG!__K%tzIpx;IQ9nnXPQuOr; z-v}K~wqG`_a63sYie_U?Dq_1_me5Zvs%azLk*Z437fSJjlgM4eLuD?8LK8)Bnk%PE z^GErkSgnK#*JdZXvKADI`hFaafI9+Sp%&G*g|{KVM;(B5;YyYfedGvR6v%pwE9p%1 zk@CCi&R+!zWE~RJnW8>@HU5Z9nHdbIdQZVzv37Y1d*#-k>v2dbepJ|}yA*J9`{5_8vZy83AuX@NEFTk?|43C= zFyE1vH?S?~9r(7PuCkq%gx)eti+#BAxHg}ZIa{Q*Im5O(7@`Pcd-a0%&jQ{a;|eHx z?~m?G8Ej6JXW8rRE?kUI`ts;70lMV|n>w|C{fAR7!mch4+@RD6+1743-VT>7nxY?@ z%n4H}W9s4js5!faoD<~2|4zS}-W6hN?R-G@)sss5>+7~F&UgXC*K;+TbzSKUg?6$HNRB*<1*)So&tTbQ4lA0T%W*w3*PhTEUC{+j#4_A841d#i*>jhuPR zzgI(DUw3KZuGu$dzrIw%vj$@6@5MG(&fGsd>9{sjS#+bIu;ytc6$>Dn4H}KR4*h$- z;E^;qOHU&8!$Z$YOG}$ARMSf^`nz3HFG@o4_OqSIDokv}YZ=E*bGm=YD(&%{+OrNa z)N_q1&_>D_czylyDRv#x2Z{n>*>uV^$1QRQwb@?qeS0p>ZoigpIE%vW4QZYW32Ch_ zkRw1~lYR3~*&pHzmL0sV2SKt_#gHzaRa@2f`d}z=OE5Cpa;wQF?kVa$7kYpXUa@L{ 
z#pJ`SNudEL76@|h2XUjLBO{w9H}3N66;a|2+C}_zIjjb zp7;(#T0c7Xm&xV5%ap`}dLrc?^+X|OT>KM(nL*r7Zysn&9f`Y@-uARSWbVON_rUMZ zB5#Lr^`q3op^`TW@v98ta=aMSFzDvx#w|$JJ+t_V(a^B@Ozy8FNKo0Ql zBRb~{L1D9pL^|2*NZ)-Iy78cwNB1<>>{KKQpxhAU5TYuXKC0$-=ls7Hzmo)x4lw# z=lK;>)M@`+X#h=j)iQ`(H{(C0LHc>&XOY}XyW*G66!M?K1(u>83S!8yKoKxieD4Z( z$~u3GAC&L@_Z?gxIqP5dsnB@VRz9v6yTPl(wfD|E7m~x3OK6D>yYJfYPAfs!K7TMT zGV;pm;juS+F9caW6c*R;p>)_+(H#RX&q=V?`0YsDGmyGhh1`YjwW_;gBOmTQMu+Ut zlPA7YQ?mmb{c?(mfGDIpRhx0(*OB#+Xt~Estbpl9Zte?fzQ1MB`L^@M#vzpgi$Li6 z2{Z%5fKFTdT{#Vn6Zuq3zpyu@1UvVE@IN;G6z)}p`x!b3ZJnK5O!D{dGeS-GqS}+# z&%d&^#?a6wl8gVRQW1(5ioH{P;-Xpx$@N{~`<4UCx4^*f@4Zo3#E)1MGENh-s^I;C z3YjXwE)^IZ`BR+*;e8?SpAmg2dC%n+7N!qcbKHz6{=A0HSwgD9bcN@KeEq-uLg}pH z4j74i-n)P4Nn(@db3dF5MtX=@EBvF*>|U+)<8YxC&9y4MKrcNzh?^vq zPDb`%x7)*c6W`*hLWaIjo(|o!U0_iuKVmpIq0PF?x#f}DbQ#hv@={rXI z+jgK}JD%Br=G$}BBA2{p?^KhJ{IeTC%ISjpPKpj1yS%q+xRnpO&>cQamnd;;fGVb( zcUM!I(Ko3?`tl$AOvhCA3tO~K{w>wCdFzi;6*_*@!YW=z94{al=NF=DR2KHTCv5i~ z|8}h|u{*21l0f;JR!jWYRog<2P==4{|HIHY(~wkI#_K%({h=DjL!l22F%`c*l*HK{ z9vbl5Lyf_1N1^}Yp~O|z@j7pRf2a(iM^s67r0Cx#=*#>~B3{Si_g}sTCa8XPKmO<= z97)`kJ2^o(|HuumW@+}F>aZ*Sh=+3@9vlZed+(9pk(ypp$f)~G=*(zARn1BLp&KvU zjz~xlKf!7*HZ?sRD!@b#@YSPNb;;*1kOr@qR+)>4UL`5L%tXjRvNa6^7P0?SQDG^i z`>ta}7F}9kIjxJ`Ai%x53jD)0fYv!0m8!6dC3C(>h8${&=pQEK!X2&UscRXJTfe(- zX99c@vQg#uzkd$7CD;DACE#1MxA*E!w&>zM)uR@C$?X3gF&k{ZIas zp_{k>sJRf#W#R+SLHfpYC>UJ4LwWVlbHC+}a=R+)f(UYn>Hav?{W$JI!on|r;>(5b z@q|#{*w`3V&*9U*oa~+U-6;P5`qaKM5;mM&arb3F{E*&XmWP1AqoMunUv~cakus9B z1HXQc1#$Q=IK4JjfKPr|+o^{mx$ZljxBG^-!0`~lq@UQ)qRuw~KX}yS#vdjzq6(zb zZ4OVZb%kc3c;$83WHqy;zQTQLe&`D_Z);RL( zxaD^&Jk##mgRd8wMEbW^bsT;V_t)>KB7WftUe4kSfS~aL(&_>7Mc4Rr*BHG)Krt&1 zSa#L#D^?J{0hd2uK|3xZ`8xjdRx!j^zFmaqQqn&!t_XZyVU%s33^j7Z=RO_4Kf%mC z&iQos<(DvRF&THQ1X^30E>v0J;`4^{zg_@AvK@R&v-`4S5&NuPy)(Z0$GzFNA2h%h z{QbM4qqAcMe=YrY-}?XU!68x1_qxE&^BxYXq32>^)cLZAIDdtE&NIlFP|fFW!ixI-0MV8!CIuwcf(z%V(H+V#r} zMv)*Ysa|?VCH1_1Ejm7R>sQ=hs;&i!ENVOBcvF`-)s=@Imgf3<8?0)yEiJPlxV@f) zIeR&xJxXb;Kk>pPUp5bvJO1th-6{WEy@7V&)LP7vQ} 
zO7e=rLb#r;?kglsJ{=J77_F47%m6BFk(xEBakbaP#bUNbXh=mwSAXXf-hz-GHPQG( zQwFg$(74Fo>@CzJGqMqtV$~Nq~g>4IZPL-ahS@Y&}2~HyQYeYN-%&q&q^#W zTS5Z#p1D$f-a#kp(JzoJIFGhno~dH(`lZyOh<6SLEY+S6gqztrNsHlj1Uf)M;{L!8 zi?YmkaFCUxu&{7fqKrBytAwJNGds8D2BJwk#Q*CFX`%|l6|@#R7h##4-sz5Aihj=~>%9oDIUG7tSkBHGeFeL9c4mTVz+ZY_8)6v$O_+Wv+d5 zygY~{Ep>nun)wZKr1T-(vFCyRC6pI%B>C-D-ovQatF7%Ck}!51`RpOW8MYUP2%h8= z0U{b)mbh;A(DTYqZhZb_J8$BiU{=;a$%b&Bw{ZBxc0rjjU1{G7YYOETcXt4z&PB+Z zGP1Dv{~W0lhyQxaraO!>?AP6pa-YV4`d1Hwfx^e-uRSuXW_eXFU~i|tkNt+Xd!9ZA zAi(lP1mB_EG1=C*zQoK4sf2y}78AsifcrJ=3Bqr8r;&QX^zCJDu z;uqcd!!LSXegKka?ACLtgq@e26oW56pcapjTTj|2wyVrR^TO3Q?e>RLY^o+yd9sD* zy3{-#=txyj_me9F2f}{E+d`rcpauARO-5|vQ)44x;g9B)Q8#zBd>-`VE2Z7f7R@p2 z9yYsXelHiizZxLE4(ius)jvGGt2K|1r3*1C-Y?CbFG?h3whS|hn+eoPkXP+bpjjAUZycnb5k#Y<8RL?E0*K?WOZDve_nff86MQ(t|sQ z=l@ZT28lSnCnLdQY3B4A!*OQIzRPiTT0iDO%*-$E`AQlJ#9SbGq5thkEl{!lYqOF6 zjsg%g&5pzDZQ-ntcy%(aD|L}p`3Z&U7AK8zO*sFr3;Fk6UeW-4{3D0{e^#{h>TR1t z+S?MuF8-L|b(DZKGgsZ@*^@6L44k9i*swqAD!E z$l;H0YR7fk_1_Q_{QoHV>#UNgaaI4C<&@9=4^>Jqml3Bv*P|b$IN`b&Sr4rQtd&i7 z2BaC;D#s#ziTQ4D2vSd$i75KIxbUBScqsOkynGj}>UyildwYJbddG*={Qs<6goGl% zU9g(#W7yd4fYvV^00e&5j5wLO^L&vDNV`|F6SRGkV_iBvioJRt5J2v;FV1b>fmfF< z8+5#j?U9c=tMaCOeu)?C5bskfqS9~u-OD;A(CDS^92x7-c>CQZyrJ-#+3d@mn_(aK-6FOb+g79--+2 zl`3#kf9CS0#-YigpMwjDRGL|O7mfVuTVynx7m=Q!N%3zZy8)+{O89OLnqs0L(d z{fAQ`9-pgs{F*FDp~_K+NYGrInlC2Dcul|UTkJ{={d64EoVN%P=1KiaXFErcH%ShF zZh0-qZ@c8}d=RtPITqz`&2$*fNyrK(iz0ce3}!h}k}^(GGcS?wAf?fB;fSlh@o%q2 zgeii0b9#EZo?Bw0EPOYSdEU6h8H*HtvLNP~8Z^1v5LQQ+L{0Bds^1=hM&#jgQ zoxx95#%k5hU!}0Tb?)f_J67qg#m*5QT37h_CHpcxQfbShi$LoHuxUQFttLFpSvQRy zy@!p5@P^E_G+Bi$h%}UUxoVhuh%=0?Ozw2qf_ey~CHfDXp>`fV5ucFYBR%l#70})R zcDiKv>$jPmY=s#O$fGENyX%z935OQQFh6ZGV&nzc;CgIQvV=n&|LRj)yfWX`df_oh zl$4@a=4}JYX1$^3?uz%5Vbx$##1rl#j!#WJfo+k4zzC#zL^LKI7v9VtagWV+ldXRh z!N~ld4{YT}Mh+B`_GtkOoGHu^aMGIbkw^yDrYI~{8AW(YjO7?LNyRoS2u_|-|~Nv#njO^1~0+ne}iFb}%w z#$hUDGNTG;eHOytcBH7XrIl>GX1>4Vsi3G>eWg;$AL6?lCs)Jn2k=dVq!|Zsh^t)S z0J&*)%ch+v>Lybixtf~#)3>22aW4PBs}szR4?B#(wB0TmkBNNjYk<*${Lphx# 
zrrFE*J>WvQ2A(<0P*e?Wtq>uAPj-imtH2T_uWdq+8_^*?y|SF9IqdM5wQhfR$$I@f za*Iao1`83@NVVD~oe#5~ zr{GA^8ya4^epIVpfs z)f&4j=nX86hM6-cRbziZg9Xl73QFZeuC&I3L+r*rXVV?8fGJjnpS?)Phm8&*SPIDJ zF{K~+Sa9TmRD?IMQpM{8(@+n!0No8sTzK)gVu~o$c zIA*sm7_pds52U`T={;XCExQ0%#*U8q&`W|=GsUrIIrOfNy*eY@qd;G1WN_MpitnCr z3D%nZk$2%iE8~Hp?m~kO_B78I86+?H0i0{LKBn|6vcKVWnCA9|lG$gxN)c3bd(Fm% zEyCQ55a!{CJ*Y&_WH5~uW9GP$fMv-M_$$NpDmF`!955^XF!&uZ6{p9TG}nEXW_!g> zuxSkAqU~-D0Cisleu86*A;!Mp3(vNFN7~2Ai^@~+=X&8Xh#~c_th0MB6PZN%dj^FJ z5C3V?>TO+rt?HbcR%ea4+kCVp-I!QSPF#NEovv3;**w7Fw9y(G8wGWO0Kx5b*@l&- z<^g>;cat$+$>QNx=QL-C=Ztc(cY$fmsa^m;8&x6{4sx+lJZc-O^ZK@|=#`$+$XM|z zH*zNFKof`QV2waoi-`~2U2EO?;eN7C8|G%f0%+qr6MoY=fj_-?B|Gii>sP@0;st&L z7nAjLN{QceTFH$=L}!@+*_rnq#Yr8V4J?oiywleM1)YjJ@nOPr1CKsuuRu7*(+0ut z<>`q}U^y78R=_G8M+_zZ9z#iT>7`Zzl!7>wSTL5>O?hwg=wq@(e#gwG6gs4b{|Cn=C2I@t$?-+f{OM7GBvTN5~i}pFfhxkf_xAK z43u5T8*|oazFrP9AoN;U+)hZO&K z)o2s SBRz2Nr)wub20vP?s>Ba2JbL-1@~a^^jyhWg*1!p%$h;W{@U!$EupQoNVoqY%rS6z3AuH;HZ&VAZeBJ6xhJ(eVdokTp4ly6m4DEa^uUOqg^ot zcQVJwvDwT7g7LTGZ5lmoNr!2tY@%YV-Gd~^!xh8FkXoUr#0-B>XVS zv_8@)We9V zK^+)PgTiO!Zahsi!xG429&7Dd87QZu6kgmn>mzp7Pf5c@QLizK2@seW3ERLc7cel+ zRbrD5?M@$T&|iM8mX!1tSqUyD;McRymMx7?4?YSTbXeurQ%iu^IC4vtseT%V*5At7 z*InKCoZTo4dPOYgOrnZl;sn>rZS?HkZq~Bw}zCDvFXd^1-u%cD$BTn6cPkV{c)ie$prl9ru`c$)TC!f|zc$8qlk=xNJ&q z2rkUMs0BF85E8Rq_Vpl2NgKDMXtw6j)t3pS?aKh#dR z1jKfqt8N`=Mwu=Z zWN|ywXp^JtN^pY!#-8m<&@92kmL1PjJnFo*fsxJ6ig3<=ZrnsXd?lg6ZM z-Z1Nde6w~%B?*Y-W-r<}L8HGN=^gNE?rSZ^)_>nTOklMtdUoCLoJ)-TRPIO@WLjps z+@ui)dFDvo8Ro|(?~+nCQuANPt2SDJ5G^0lEAB7!w^dZ-@=z@1co74%oCnh8oURO2 zbQW8^wYJU`j)5{cFfLM{B?BFGU5;Wur)iJjl;nxwN`k<;bxP{UvJntG7uaaVmtrHD zwJ}@mUk$2#wKU4%kiX)3lhRl^*sAEv(=S68Z?&AIr{tcDUWTzwN%iL2M6)So(82OS zq{nU)H1f;*-oUfl4Se(L{1!{8YF6&y4TLCxAI_QVgk3X4*VqasZnjEFX-e82{-n8W z+n6%BOsKs&xSiWnR>Ec6_vp~e4#_5qJCkeb?Uw9`K1P(0JWCu zLTv+gdxU2_`R07#I#ivO+A!pSvB&Pg9S=Ug{Q2F+Krk^W34QjO-PR*=`bP#vPFCoZ zV&3gdest{Bi68-oAiORp{Lybv23|8jF;Jf9>edo}!Go5PB>)TCNEtlWUn?!k-~SBi 
zXb4O)t+U0zteimb%Ii)I%z%M}-BNd_qjGvQ=GkI>w+350@4V$YN9(k>mwDY4c}xHN zrKiw*@?m^~mQlGShkL}GD5w_Ca^H_u+3n}uvW)&uI#BeXSNmTkPKMgb_F(v0Q4p{^ zCdvi(qOjY~5c(^cl7WaiJ zC$yh106E-mwVZQ553nAVe6U81op^Oo3oo^Bu|cqA$hCwmFR%4GABS>=fARKKiR6z3 za%_e@+?ik++wsgs`|mWWeb)hIy(GDDNmzk2$J&2&eKp43O^=W#Q3noi-$ zT{D|5F)Et-2x1A8$TnqN)wUV5R z1QcNCcM>jDQM+3E&5>~5PEDu&LXQ4t^BLtOS$Xn-uO-7VePMj)e$(>hu==pl`Z-~0 zKH!&I(c&3<-&)T~!5Y%}xz{N!bcYqA(~*1MJ!z3w%?et^j|!OGyQn>WXss? zpG4=Kg}BQdUfdKpe&d$V)iY*qa_*&Ax8F}%j$hTZdz4~rU^LrktCW;|_R?}<$9-?f z<7HKJW^bSOiG4o)()8tp(rrxW8Wm?|rXOAKNMUB0&2=sP?|hZkVT00otD%AOZ9K}H zw?`xNc>F$Timc2Jvc<&2WSD4v$}$Y3%I6&!!~+ZV5DD_zf=YqlB*ejbx+A7z%9NY0 zc+|IcY_U;aB!%5-rk36G+uOT~Nd{k)G+7XLxw3oHja;(=9b7n9AO_<$g;Ptmc=MM# zf@@N&x3MJwK>FSuxY|27a9&C6r=QuF-f*CPm|w}}*xl-yCouB0(Fe@K2O6H~WOJk( z3r%Ecz(l@cJw9kV%{GQz-DUy~qyS)JBY4~t;jF4B>h|v4*ybXeRfphm+t32A{|3{H zTaMKzE;Ng^j()~(3=s9msPPYcJ5(-K4UnHP;4${mKznj#j(KnmpkQ`-ZNlPcHMK<2 zJ(hlU4moAzOL5^_!qv64=6cfM0*XD^2KsIzwzC6h!|?fH4C;)XA={wk(W5!wxec6K z{9f+|*}0l8Z>ewJzaNyDywzvcA}$;q5g`Q1Pz^ZWsh9e{LX)-vCY%MxoR6ERVy87t z5^PG$JAyCY2&SGaBxoHdpwe$_@V8xNuVGmQ`y`TGwrI9k&sF2WwH2kNa-B3kKXbH2 zk}W_clsC~Tn5>bJoYfpNTjB#`!m=`aMp@T?e)*WHI_d^!#f8>zjj_!T4TojLg(S`X z?H|;8!2Z3vK*?iHhFto~NvQekd}Ii`G+39@|?La)cW093GbeCNuDto+vF|`TAgdI3`lf*0 zvI$->)1f45x@StTYiXvtH({-kS{7Bsrt4VN0#)A_>v_k91#pFmMn^+t+%Z@#>$&UX zXVizu>O+H>q=Pq{#Ftf-8Ve_)YD3t%yac!6L!N#;Y5fT^XLm=#MmKqLqcb;2Ye>Sn z*!q^MF|U2AFilwtNE?e7wZr?ubu5PHwxeUQ{bIcY_yn8EFfkO;912!?Q! z_qAl`90R2xy$PbZTlHZ8*q;8yCpj+tp? 
zfB408_1vZln2Zt>_2xH2{Xm%3sBk~)(GcrARkPB!rAc!a4vYtvhJ55Ll^;Xu4N~*H zxw4!_HGbC&I;xUY%tyQRx97;P%V|z`G0Yf}B>fLeH#MFOsUQ>tD*RK|*t^6pD7*Ef z>x(K`#xif&H_wu1gYrigLQke@YDuXn?`d|pnIE1R-oVJ6%C7XAs2y)L@%0Iw$iMe2) zi~P8p_)e$_Qs0c75$&g#)vdbeWG0R)WZKQ;YdTzUQa8>YyO<9XYx_j7E_9@qb@cU< ze(1k0G)z8j&KInCIjV%r=|>q3bYhYsb34p?g9oi>fEL-HtywI*Jt~V0eDPqG~=lS_zN1GyUKy1r)FOMbDUJ*yq>-s`^h=bK;?q`vlvG)w5 z(E!~b@8~pfuGy^nFsop(>7zs&WI1f(@I81m!C?RE@>IKA{Cm#ez1L~=VP9m70%V!bjAY07*xsUQmdDuYBobIwmkImJS{rRc=g#~ zY#2wbLQuqoQ!X)8IU&~!Vvkk^RoYd}nfYS_ubjTD@yR8-ig)TqDgYq#+Dkhj{c?Hg z3A&U#F#+iKg0#As4;=YI2U(N4TflLwtquTfOQgl+HUp%EYOduLFB^P$lOgc(tC!Ot zp3-o4%ZDraHIS*YH*sJO_aUK|c5Th{GuV?st5G(C8? zMY7qUI?}dM>q6U@8d^P8s}xUI)M)WFiC4MhG`4?!PM#{*%RF^B@XCl^yiCK0jS}s9_$c)`qsPSdR6SQ^f~wa;>ZE~D=;dancI0m6dL(sK zxuq8joP`S7HoE{lZ=65s`))Zo?-2HZ-RGBY8&VXNG}h(yL-PlhOJam$svP}7K67t# z+z@BSk@PW|oINHORxZ7yFFIfTtl}t&W;&klQK!-rT`MqyNTrCVA3qWfiDuJal09O2 zuG=LBl1BqJG(mH0Uyf~5KY*BqucgR_gCnU&la`O&@kbd(!L^Y>A+Hh4KmvVd=rHp* zfyR;)&=a${lJi$gzn6c_Co8+Sk~B=gJjr>MGkGQ_!0l!_bp9s_c#Cpdx~p~c9g3Nb zO*zeFJi|PKZEUNxvj>CZClz#6{H)^|k=b0nu59aKYEqo#ho|KPTzn$!$C*VmDn?eb zvaJWPUVV<3w2=Y_KwAwcg_>_OK2gyoZp3_M#*`jhO{9OPuIw4j=n@0n;i6j`ot2?U z?E?<0($!U$wny{L_%@Ai4i<3RuRR*aS~l{R_|>v9;nQ`dsHT1QGD9WCYnzwMPT5?% zB>q}Uyt6Y)Hu^;vb))x0qx*pCPd9SrNnI%_rl}GsHiKTFbRE@qcc^jXB%vIhhsHy> zI3zQL3OK~d#{vJN@@{Tqh$5X%d1EG1ZCQDNPf@HX*uL2^E^Fi~nsTk;SxYp-6e{hs zeP^eapCESW%2db4k~Nf)UTnUulxF|J=Ax51pNVHS%VIRMx`0s+S^MET7_)alK%0Hc zRti1n&#ouzSmw*hp_IDzia}2uy8#XO3b{J`GksIhFQ^vdyGpi}@oXTQp;$#+xJ}=0 z#lsWF8@zZ(5;AvO?M}_wiDzlsSnOp*=Q8^89Epk+8%jcLV5=tyf*s#4t+}6Sjg}7X zux&d9{4!CgUl^y=HrtgneU-=c9CSOcb*iz+$2ndY54BF+{OLs$B%QZEl2BH|asAZ? 
diff --git a/docs/static/images/yp/encryption-in-transit/rotate-cert.png b/docs/static/images/yp/encryption-in-transit/rotate-cert.png new file mode 100644 index 0000000000000000000000000000000000000000..fa75b6ccfefef897908100ccc5b8e15a4b60f167 GIT binary patch literal 156284
zSq=TGc^ruChO1|5e5d56+G`j#zlf)ZFNk-09&OBwP!Em{6Aw^q?T$bTB?=YCkz=Z( z(;vLmT{Lq)AwKesz&`|=Ug65de0^Rh*mWEH)*PEIOa}Yo!{moeUrX}S&6CVq%%KZp z%n3J#?|0f}YDEuLd~VryT%u^JX(Ls8eeZE1c_Q6Cr+W;Kdmmdo9#0p}AW5@Jd(q?8 zYu`(s`LqYxLzStQ39tELz{fqrnRr}my5wy-9Ft%rL($pf)#?sHm|L< z``2sl8C8|JmpOp_9oL2L3ZDwc2t%yz^uNt*u(F=+aj8|W-KafxVwn6mg*&-2Ei?`N zTvxp|sW$=l%o9D4DD$#)^VzXox$io&WIq0QL6_`m z=icMJnJsptz}}*tjz0(~e6Z@zu(xYtQ1Qe-Q6CcE7|0@393WLOJHa_g6>t-d0cV1H zN$bGw!`xuSml2npmo=BInCh6_*gQDTvBR+IaJ<|-#3a>;ZA3d*ZLKsN_{2n+>LpJM zUR%9pDfAVVl(0P-n~Yma>$%x$cO5rBYXF?D@vY|@Wh7dhN<_rb`Nz!Kg4Y7)w`r!5 zo6$@pip_C{Q8VPH_q!xj?u_07lY^ui@14oMb$P7(mdnd}yK92xh2e{D^&fl!0z584 zPvU)pkhT3=nTQ84*PwB%DqK}6W22H9zQBb^d6nq;XmyrnWY2GrumvncxRo|AM`e9C ziE5P;cELxm!ZTqp()agnBoUk?N+zfz;3a?(>h6(#@F`0AaQ)ikH@AhYkuM`%Bcyiu zcKE|>0E=!35>Q{GE|&lF{(+Xm2h-J|9+J<=^_pBp+qFLDi{{D|%QBQnHH@X~nGwPY zB1Nl1422-E95D(phEzFTvCrC8A8j{!tx~$jc(?jd{b*k?YcUt!Zo)7M2i?OmOK_PX zE?C8Qv~tSU^Xq0yb4atSgObD0*hPvzTSz-oH+8plr+e}^Ao%dIHaA^*oOVE5 zGhlw};o!r`{5@H)5RZ^hq$i2Xr*Ma&nlQyxhK9hAW80_Mo+dgVXv@iM(R-ky#ne}3 zjj{L)E@EFLwY-Oxm&>1yJe4QbY^{t~XiHKscxwE#eIsv}yLY#@IH=|nHBTKTNMSSD z=Pa%$uIK8!9k6>EPqauROO?obRLf=W>%o3BG&|M+-boGPHG?h&uRNhC-MP?-E43+a zFp&t%_J!_8AY&pj)kQSWtB2Dcz1EH*jCkrYoSWvHchg2+ln<987wO;ELgPX%LU665W^)RI*O)Ymsw`pVX7Y8V_qn*aj`^9}|s(82`XQkXQq+6tKW zF|hw}9SZ{^(hdXXU(cum-#=gPfcMWn|NO>Ih`_)He%%7zK6zOGej4X65BuM3+!Wv* z#>1zw%0CzJ)WXfm%Gur4#X~ND?j>;HnyZq5I|c?N>(4i)@)MRlVEhR?ZG8`Ywa4NX zE>1k=mM+h&czm2(e~yD8=_3v_ovb{}8GW1_o!!NKKurI5LL6xSyv)nQ_>V_C96(I^ zYMP9)E^bzg!aRIDd`wb=jEszuZkE>KPvjK-)gAZ+VzTw{a24m}_4fAW@fPH9akJs& z7ZVfXz0M39pr1&2Q z@=5-q!{2WGHRW$z^?&OsAT0WO*WYgacUK*ED>qpeCty+!slPVtU!8xy`LB+Wygy<8 z4Hy4J^gpfwn3f`xcq_vaN&<4H%GW+?$>IOdU|MMGYV=9RGQW?l& zV8~!7%RSWg!Q7s`mPd@by4tS`yf&Fi2~H@|pV*{O^y)m{=elod3T1k0%q9LS%TO)G2l3|K9C} zOo&XJ!=J8WgtFXX98i6qD6ez#5A)q%99X*Zr|U9|Q8>Ut*DbYl{|AF@>y!>zX{=Y_?p?kPT2x&%xO3RciG4}|V7M?zG z;tICK^6~VvrkSoEBbum7lXbh}Q-o5Fo zpwtwnsm=okjGuJ1Z_~Tub$(c(?I2TUuq!+5*DrTli@f2NtA_G~R4JEeKh;)$gt9p& 
zCG!og3U7pz??tD&02=Jw6TZ@&lB~rXsa*7i;-#K7$?uZqy9wjH(7BMWt(NVvbUFC$ z-r%O?O%6Rj9wH%RB5rP1bDZ?Pagk>JqoLEzc2Fum879u95mwFCSSoHV525J#v@=wG zF8xyBOY_?!^9{Z3mD)|AFp{mrhN_h=P9D;XTqVI46rVBUKMC70| zSC2x&B4gg=K+kb$?Q_sgf1F7TlKMz{~!Q(y~S2TBdk@I`rwbjOwI`j)#b z;I4Job;Ayg+aBZGI6)9x9BjF`{TLnhr{6QnyzCi>g9|$hb~&r9;P{+<c0<7WQ7!J#1*a=(PDl540*6IGWs7Y6bf^L&w2*RrvKSU{zS9+A(UHuV`ZjpQ zN^GZk1`~;D&8P|PDoVwz!x(GV2sT1xTlQuM*=D{KDDa#nIhabC*L}?!bDM*7W?VF% zG*O0kU%mg7Dmf8W>q7b|Z5)nJf)zgu7r_2Y%7hZ&dNrR{Zl?>eyK)wUn=Y(^SP(j+ zSZl?5%B{^{Y=%S&{3G15bYud@ljfZ-uZU4YtOE|yACeCd!-5zbBls{H9S0gLkm^f4 z9Dx)WXvA^nj4v{bWOEIn*I{6jP5t2NWPiy`BkZ049OZNQF0@}2X-$d?&W*SB0lAev zT>XTADW9Z7;rK;)vy#wBJ;~V_Wy^c+X+NION!EtfGfWyEq!C8=4DUB$zDeK{;X8J8 zGr}*(JV(cvDbjD_*1DavWbnm7!Eztn%(u2jRi@tCGwf@o`fX?Hrz&}Co!=hgB$zS^ zJq(R?mIzqBZ%}*TAm;q`#IT@^ZfN@}zJSM;m>6PE^WjGxK0f0+9|cAf(`lC)t_yi_OW(K-hH&JtO{&pkLxX0@k=` z9^uCx?yLJE>dt17YF_buNVDXVJ3{s22m676c8B^KQ{X0qn~6*wRYGJq0Sg%8;lrVv z#@8GzcEi@E7u`iI(*di)1>&}nkwaOi-*^O2g^LEm1nqamR526Ym z{57*nC^oG89T@xDHnT*yChrVi|0m^3e?#TaJ8Iy#Yx^0_p>tNr99{1r(UK{v_S5QaD2c-lXtG;OtrGG%OnRb(Xz)n$0#sXI8B=+h-lD@70A6{*DbTv=dL87m%I;1GSZTq^E6cb7#RL6H}VOU=?#xL zY(k}l)?L^YB~-oEarT~=`|`W@^3iGP>^1tRMm$fwzLw>Y`8s%TY8XC=%C**q*f9l) zad;+8joIg-o;mJAJ0x`Cj^)KjL28=yD*>B6uE{DJ5k1sFcZN{(GGA=BnB6nv)>V** z;c=F8HLb*SeGXdjx*Po(niO>F@T4rIX*;^VaCy=uv&oeqa@;cuCSvSyfvyjbo^ zA3h({%u;A(kmjXld+U@b;OOw6KL;ugCC%c<2*_VB}!E+65@B~383D}NDP%|Vh`0}*< z0yJ0uqKZ~LVB#WM4Ea`2&Zx8afp1`4m1U=+bjyxp%1D65(<$lh-&9CfB1gJeH4-kf z`JA1rNw$&b2R*}dmh8rlRa*91u3Co7l^b#W{K}%K`cmIe@Ss53;n9?;U~yDHsu9r> z!b4s3MfCpdDNcb?6#LjcOvumki%@FkC4XTyfZ9J#nDnN?|_i=r6 z8>Kjy!>_U&cxQevdn`TCeHb$*D&#z&=?6OZ&==8~zMSG&VtbtMdC3&D{qADMU8Re4 zrCYTsGNX%I$7RT*P?Y=RP>|YO^5seA%W%vsL(i?@swQg96>fd5XAMD`nY^hu&TGaS z6)zG+k*#6^*4sV?XQKjZOy_~KO%AGw3dGAt)6SpQicm39Z_sVk)CXM?FLFX5^wZeK zLh+j!*zo2^rH~WBD1b00|F3g z3GW>NMMgSgm*^=vZq&3?X{X6vC9#dT(6441lzMIwX3_pOLE^2hib)g5L6S*?``I+O zjQ|9{9i}o;U#k8k0G+3>rFXST6VSr%)F?UC=rrKvM|`=rdAwe9E(_-O%5ZENDSZQ(nEVqAxXQB#=^!S@f;4oyU%AU)&MH(X-+6Uib3+ 
z597<;vG36m3pI#K-s=f#rnhfb+wN|YE@yD)O(M}_MzB?pK@8*y|56W}=s1L6ioqb@lKaVo1I7NC^VS=qF$n+F&98_oA4=;Uk01^7n7Pz%M@Bx*Wrnc+QE%=|`{a46 za!p<#^Bl?y^vg;&>pH!#ZjE-ajXUdh_k|qyFyO7h^ZBa>yXOoiJav>OxPDVF^GqVu zbC{(KryI=_Nf@5T5`5&2&q{>HOuV&&L?0OmSxykFZ9YT@;rK4qL@C_X$*L9+(5qN^8C_Sbx^X}ec0|oFU<9=WKd=pe zA=C<*_=t}pNa^mMYDmvQ@4xTQy1PMfqJfQF8%mCpIJ zh3#o*oD`q2=B_eqW3hj06A&Hzn9&F|);nmw#J2o z!oB@xH_dv-GJ@7vO7ao~2@WqT)8c+v-#5y?#Dll2mIPzuV)3NY$t&L`=9|{uTJwpu zrg582BqFNY=JbW^A$Hla1l~i{8}a=7_@+3%bIuPk{@{FefVD?>_@KvO?0t<5{V_d>L6?9G^P-?%bF zExvt9dLfHq?7WSbrXx-3Ykn!P_?^33MMYZaJ%ww{K}HhCuV&`C_>fw3`0E%?qVX;->)sTDM1^(r_Yg1H>>mrkiAIsxk_eAFZS42`}^|xv$GK2_yC{pJ|6ZZgDTx( z+-UoT{SNJU;tY4+dIS^;{dBX!JZnSI&+kp{iwL9G#S-j>b#MrN`b zD`q^kdNC2Xl)^4YkC89r0})hn>jIF@$pf|o8AK#QaDsz#$)=8_KJt)%?iijnh%KYW)=H{nv(8xs z8Eo8O+{dp#Q~O~gAQJ494KW>$yd>WD{|-3G;pZ_9!K6Og6No0YyfwCtfM2>~sL!=R z@ex&dTr#1aVc967yyAQ#v4WN1b3q&28=Dst-7N&`n#M-sCfc=+1}tRN?g%}o&7~f} z`bxLHQSc$v%oA)=O6U~zf%|5cv9V!FAUb9cf7+)XRsQjb{A!;Rs@_~w6+El?M9q6`nTC49VFu3ZOXc=7US1EjeiZPckNIJ|q(TwAH z9GHR?c0z*k%TR|p4A+K(rVegnD{%?a4-%s8r|ad7qc&_}q^`A#MpwhPmeO>CP0mhI z;RPLi80~YS-)VMQH#4?M{c1C+&W?r#xx5jVM%K5{il?AYPN*x(oi4h1{ViVVAff=M5z%2t9GC#YoOy(?7Jo|Lk9cryQb&o{ZC4sJ)9lMIRi;+<}mPeTslHGhLHxo%_cNk1uoJ?V}y5V zXP?m)lW+;x>`L~dw;HFeCN9JTdwZ+co3}84tjmgfhc!IovD#$##gkjsnVNW8 zU9mx^`pqetKt*{jiQEiO3eHe;2oc3DI&tFA-JX zy;ie;PGqC^6>|#Qr2t^Y6@Po*y*Iz4a)^vQ?&8f&R=2cb=NH6>c+kD98579Efzu4Z zEl|U5M(NHeLti>4ai-+6;MzG`0`0n>);t!q>;2tNMs0>QD>aKZwHc^7b4yC^ne=yHkRh>$FSFce;W`&jLk}*?E`E5ivf> zIUBy4{OS(a$4j4sM8J(L5kkH6eqTs3ZF(=2?#y~~G=J_I(eoZy(K9m{pKVmYr)+>K zaQ6>%oKBdQIB0f{j;Zw0H^WK1P=1}MA`p|SIdo2HXqZOL$*_}0#^I*^(#=UjHmR%& zNKkMy{gNl%+eZ8Qup_5wB?SHK4kr20_9SNvB3P4>+w@ii?^Y{By8QYbibm7cb4i%u z6g>0%g&sHCj7&eGaYVqB8lCXqQ?NZBJ#>{udauGJZI@(SHoKtuLfsbnB;!3mCNcup zIa>~KS!MY#M~NFkL-i3uh{wUqMfUPmzGYY-bbHK#EMAvWop#L?&-(rLDdO+9EuOuP z&CVtKboJCkT)B>i4trHvOaa-_%+uJX{ian)3%Ny1e8 znxT(okn*1nlyllS6NvdhZ`Ei*Kj(!TzMtW{+Ao7L7HfSbl@{&l1x3B;AGPxz$;f=z zvUB)?CEq_%_i*^AcZ(%*a8bQjQ{*`uqJM8K+h6_5(bVx!xE0T}G@C%zNG9=M#9W{? 
zT}{gwY!R?qx$p4S3V$}+8gt=7N?(2lxI7(oIc*)yi>Cc#Rv~m{#2QXSQ7K$yhIXEt z37tC^lukO&kaBdffl{A53bvb^IZtjr(!aGr~EyjDdD*(bgsh)Eq zAUm9}Gy9=ei92}=JSvY+!nzPRqqdfYdAWx89?R;l6}AWO&10^Wy+fcfhEgop)jk7O zU=Vb~+tMAJco{g+;83@pSr#nomChaF(zLRg2j_-iNGGJs*)>RATz-DoKlsREo+i*! z{mdv2ZMiCVY0d_@dA25WiOH^4ZrrC6(CYVJ+CyQL4AB>^%C1keTG8ccd98>z}$ zAfM(xq{Sai$;}j8X39*#srQ06P> z&RozM=+w1OF}A39PMpC4)uc6klc9!z8}iY5$6wNjIq+;>(e2bKxmoyHMlm={__in7 z0%d>dG5EYcl-Q$ybS_ZUxn*BYIv^~Es3PeAu!Zsm-9@VS7lG=d&yi%wb?wrKbUU9$3U#PU81U zhr!?yoyxGC;_#D&<5xDu(Teu@*msO1qTuu5Q*fg{-jplVKi4rjMD3u;&<61D z90N!R={|&(jQm^DpaN%@sN-wN6B#mhPnbLT7W~?*uOT*wj=0ex@@Vyi=vBd2jjzvb z#B3%J$GbE3uyGMzB1)o@tRZ~JSib4>ccuZ=ZsyiAQiWi2jmb|Z4&F+ELfn49+fllg z?VD$N4$002n=%@s&M+MwXkqi@tXyA~7+Agq@>5F$nF&z-r6m?7$~=&TT3$mYiSLHy zn5m}DfpP%%9D|^2On$2(o(W#?<$m<3zExppj+B(pT7hq+fZ)bb? ztt%Gj*g~bRa;n<@(LI>d53%k5nCm6&$AD9-hsYYCj&>r-t~Ij&cIk_Hl@<|ty0Mn{ zZ|PYN<+_D;thz?*9%e!h4wURh=I8QG#VuMRVyqb)cEfjNARDdR-{_$uCMoAtwev$M z#tV;4*Faf2&0~{Q7SZV2pWtd+SGs{N)d|;0*bWCV^gYD&>)9j1 zo(Z$@akTHhBkB0+@PQ$9Bb$w?A}kc+@&v`kZdmC0*2R2o|;?&UG>Ev*}x13#UtI0`;mTKD>)-a>tPzNaMnLfE1r8ndgxIMoJLC4 zL83@WbO&KEe1*8b$tf>qb(xG?KG{Sy*dAvZ;;3;g>mAkFKPK< z&)1jMciBxtP3`;R%<_tv7h6OfD||&iiYYGO2|M#1+hBp}I->d)8td!ET3AZqp56n@ zo4cq-fw4Au#i#*<%Q*=hsELh0M`I`Qu$Mg%yHRHECn<&}SW^FT2+8>e(7?fT&bJ&H~&;PnIOm7JN`E|xCDfRlm;)&(*Gw1GgiOy7v|IN{*$>)Ig2funru z2YiMRNxVk)MmUZHASu%J1z~z};+{JrgY-WH6EbyYHAF*m%GW%zHv??8WYDyoNf{L# zr5A%1?W)B*vo9$(mOcRT6h#YmUz&o)kQ^fMoR-$8>?<%~QfIdo;*DTSBiP48b4^~m z_cgqCET;-rX{`!n5HWVcy_iuidB}6A$M3*ecQM18bz|fi{Mc)N<4W|$r`$_n-SU9+ zBwjQ1t~eGMERs8qCGem$NikIV6s^<}fV`E)34iIpTsLghO-G zzSI0=U*g@G*dAxl6 z(C^sa6pw^{(^P)9EGY7E<}F&h%{NP?*(`M8UL;d(bnB-vb7#GJx!v+bJlChB3I-KP#b5)4}YqsC}-Z+#F!>_Yl&4?t=* z`r(jwRej=uC2w678)6PG)?+Wu;yhyeGBezh;<2E4WVec__el;PkawGX_y3Z^lb!S6 zoC!LAf!r>bu5*D=FHQ@pw&-aN1A_>5+_aMa=} zv$`EHk5y9%SE?i%qckiyvt=W40gQDfBEnkY+LA?eBkKi)o!_t;5-9l!kr}4w6{VNP0VV7bvpay>8VXBGsWAbPP2Pt~zGC)hFZ9p96JUZI}bE zRO@8cejied6?$w`b)-=M`%3u`Tv9n@w4{IGt?Wt?C`Rs~Z?UQ*CdsPz#s=Z0g;& 
z_X4EtMi)njQSr=*a_9FB{kEHe;d4W^sDefVZM+|RL;{yfRPXe=!Fnh|NB4+dj*7jZO+|<=xdP03Y=~p!C zfwjx-4OP0cc{`qMCwdC1Xuo2-oqAQJuE2W`;wl$Cez%l@pk90 zn{@>vIBC*X2c^coy~GdYy>?GtNe+Wm2QKj6ZY=@PCV~tGhzz1J(;0PvzAdnhYj?R9 zhKU;D;Uy#|cAovjDFz&wh+22L(s>}xKIYZT^jG%RJHya4AP^j$z&N5hF5@zHp|PBU z7sFkir?>X(_ShpxMIXAuspd}2N_3GbSZ!MmdRht?uH@WL^s9BIO86~`Quhf;;pA~L zhz86s&^gyIU)2)XPOq-g)SJC9gQ}HIb(0@1-%Wutuzk3B#X_Lhr zL{HkQ)@^cvR6Ih$9VaWh#yMM($BQ4Mng>1L>wc80X&(#rQh4+Rktd!Z(WaorOm5QS z?O9IosU=PY=@+KDXZ6O%#p)nK+D^4nUBFGC;gW&kH-|7j?H)|=yCbmHm8^R2an|zm z{v|1#M}#4K*y#xw<%XB(aGy!jGEi4>WJu1}FZR;m%gaQDi;FVPnksarbMse6{s-p; z4LM*LPZQYI!pB{ZAJ|kFhcuBmrg)`T%hPo|gGN*D;A0D4e zs@T0z%o713i9;us_)kBnyy>0|ofBTt8YWDJ5N?UeQtVQ!Z>Vis>6s*csFVe@ZRq9V z<_6uX*_zv`6D>Q1U0sBcbLx(miu^q7?*oV*H#r-1E5J2U3(Wk~2~v`?{}!Stq5d(v z%z0~kEmx;JH@8M|Mh~)QT8AQX%UThaKpqo4Z!TY|&dKfO&`FAu&aiqlKDoUK9Q8NX zCj(ksF3Q97YX*kjoS>>~bp*0t%=?6g)kUbHR1-TLZXL*ON-JP&K>)qyLX>myB1e1; zN&icw#|Txz86sb`5^lT@_j-^p8^z-K55#bg+?ITNcIeMTFao+AQS(SNbWWo*D4t_{ z*48Ouu@oL-Ac+Mcri8#wb>WnTyItp_qkzxYD<0<=-IVk_*~mB#1dnZ!kwbWrp`PKE zFLX1;1U3iSj*o_p?Psou%tyk{`c9wT(|Bhn{z`0xl*9_#|^qP9UR;L5UMM-RM4I@678Lj$)9&OKz`9b1VNdo4k z?`Q2zP-n;i!(7VNI96`1p*{&CV*tYCds&{E;VzfA#!4&N&&&75DsQc>|4T;r<#MyI zXRp2~gZQ_-0`PQ1`MdrnbbNM;C;XUkV}P>?8brg4&NH8HG>+2(LNG=u0|tWoEievV~kIsTE19#@WJ-JoAT#bq%SA>IVc zpyI7?fA@kwCabO_Wz*ZD`XWSWi-1dxL=On38+$r+VOox6IwvW{w2a?*&?23ebM}>U zVE7bvahBex#dwPI(6gBlsmJ`&0`?yo*KhZ;M*a?{?n-%cSU!z zKHvD3W16&92rco$8nXwGP&%dtyU_!5xgP8*k4Gl83yhOg#O0$)YX;!Z|51V{$qWTsyH90 z+Jr#ZaWnfoQBWxkkkwG>Lo|A$awLlx3zSR*It_RDeEqOm0X*%+XBgFTv(c?>s16>` zdb=SoZIHv;;7jBF^+S(#h~k}m7FGr&UBj` z^YWCsXZ#MH=R(?f#he>?R8zTga!U#a?K-8~J2NiTI;N$H4DnU{;@!~uI=QHug3!)f z(T$oshh7fN{ujlubjwl&(vRpC#vDEw!9K5{7QBZuGGsK4o1D>p=@)0(zMkJ$;Afk? z!Ncd7N(FewezBLC84d$mY1v46-|CoVu_f*`u5)OR8Ooo=p3rkR7i8qMF;|c}2}?V_ z=}pWnA$gfLV}8hbyRQ(8J_CsixRaX_JEjJIp13Z97QfKg5I2RHhrIx)CB9fo=58QNk0-f3!Q@rL4^2c6^8Ap`! 
zXhdi^KXq>&`^+F6WL$0ZiXM9A6EW;(Vt18Y2ltA$aWM1Fql(+Im^Pb^dFE32B1bV| zn=)U0$MF4C+SBqfZ?lZ}OW{uj_3)?Nsd~Rm6ighZn-h|Y*TfEIsp1`(`T!-2PblAX zH2`-xE8o40>DHpqy-?FfwCM%6?uesL*Tlu1z13}SK}d-$y}h-%{;978LR(tAWkgqI zF?&W_38YpH#-0;VaNMUd^$E?&;Wc}_Rb$ny%dT@Ylox2bC*XZ_{tyYZw!Por+f6xH z>6vLMq%gp(nHQ2}^(tIGnsWboNpsh0j~qNvn(Lh4D|!p^(SkPQo=vvz2kIx34~}we z6LrjLrW~%%??Yb1dcLD17S9em|4}-3mWHZQ&|k>$I2=RhaS_?qESd6Z=jky92f2F^ z%Rd;HskVz=?ua*0Ns%-nq~ciS;VA1rQv&<8)HzcSU+;g=(k(9FyxNoAIwe(NdNLzl@W>fGWlP|s5CYKf_^1GFf zFCX9D`d9eX&*@t;3)O_ftLbD&OCK_Rqd0ey$wUGazj!l(Y`sXIfb%a$;y+vO5<)Iz z&nI@>=1b>``DQaC2$5x;t;DFx^*{0l zO`A+r+nZM>b(!;w>xNWW2eTYg2QK)k1%)O0fV-Q&Q~8(=XinNyPXQz%xa?Wr!bcng z{h$L6CL3EC#PKur>yiCSPW^1Xjtbc)A07ML|LQvG+cjiaV-fjgy18k4Dr>jh=Ro_R zPZ}%`9KU#5*1<-=ppAb4Q9msEd?cp(@ewYPU!LyW5@csOaQqzpi9v4MMkOe;HIh_y z;TG#t$s0S67ZdZC?B&IrH`c>{d{_DHkot**!CM43H|1}w8jS7}p>B!w3^$Uk8`$uL zLG5#`L}uM0UG%B?7B)L7P+OzdY;?wyu|k3LE`O4e#j-{cmV?vx8j^~xp5-=Bwt*^^ z-?gZJ0F@bXbJHnv#O#PS$MborL6!35RGbo!r1(@P91RcVnQliVS)3ndOt0Pdj3RfC z5WQ=(YJjhlXQOQSMQ=wMGL>B;d9Fm{Sx=SPqGU=ZVaUU7#xr8ir793wt|83{q;a;@ zjZNKh|Jp3}Wc4|sy#^}GGJt$yPXEgX^p7BYu(ZnZG0dn zrBdy4R@Su!t0gV;gPkxLUbTQI*yp2SkrzW-2aBq_k)wtXr%c_0$8|gjoOOWd5LRzC3fGj zwnQBH`q08+&o8=VS0ASr0lA0D`-?wVR8zQarWVm~8C}LWPSo?;PG<=1&KnXwG5;D`g@48ABN|05ohUJ=-{c1ZN!pN4`D&$-m+IkB44I1DG&Qo4oc%aQ?Tk|F*#Y zx3T|b(EoAlzcKOu;#dKv>C@x=b#nPXb1mZy2SAkQ6FvPs(ey9=)*=T)3DZ6KyZ;em4^96fxEuc?iGQ8$|09Y2 zk;Ly(_<-1o|L)WM>Mx7t zSL+=nj(}AcOL2CJ>cJ{V?J!Uw_fjx)4u~fA@M*|`vMa5+?LX9=*%viZqb=P7{)=FN zpE3$J2H3b!QQbh*mfj)zLbc z+0bj99(2FwHy7x?wV)eH^q9maN4ubB5&ni-v|^R2Utbp6OpN(aiw{Wn9hNx4Te=@R z)=-#+VijkC_Y>CK3P1dPO&C}Ugtnznlcvkss=ROEM7IqzQ(Q$fGEf4JdBxnwTBm9A z92qq$4QUW0zUyAEZ~pr~jq&luz}(p7r9XsLD&V{0gif_>{`K)EysdbCQvw)40=BW7(WX@)yDXlc|M9L!PUf7;hl+4QiaaY*g~sP% zlz%ti7_VbGeXO%+k1C(=$h%JW^lrgpYMucAhxLxLXQ}JToKFfd!ptm_IFpzDNd~{r z_wy$c`G6GakX@Y)U9123n}T{0|CvR%YiN#ev83yK-f~~|Q(&jLzYX_n{t0SoV*jbz?BO=5O$ff{!l(8t}(24@9%5I2)!x~k?L&-JXc5B^$GUf z&$!D7^z#O2d9nfN(wWQ|xn4E+=RcviKp#sD&Xhd+I?QU*N2^SlkdFnOZ92XkH%%|l 
zDoKn=`xAa|3^Xg@YxV+FiNG$1Y&--eJ03TaSji2(Ovb`Jh$2z$`4hp1e2Hhi>L@qy zXECZRYh(O`n@GzHcM9t(IiPJwD$F6Cf1QH(zUSxp3RrPkzUi@JC!D`CYZ zHUFp$qel^hhr&)%*7lT~y7vQhCMEu$D$9H$pcPSgGF$6ZEEZxPbxZ!%2h)#W0wA?$ zWrE~SoNb3w>pW{dCdB;KLp3k;K`I@^Z?V5$8?FQfOm6#?=go9+Gi|ql(97QlB9w&! z_`8h(GR3^qJhlk?KUe@8Trzp7eQaM`j)7tgfj_b3 zm*8;d6z60oN2XsR;`Hy7^(EK{@GCs*mku?3nREM7_%8|cOX?R^0icNIV!&pB((_I} zhQA}_#D(a_I_vr=+fR68YyM6Zp&o!aqPj*lU+0enlBQn$gH>|n1lS}vpsSzoJTIaA z`%b;<17O_lH=_!9hZes3z*s+|UV1zrQoh%Ei8 zx0?7>?>)YEd=3L=pTsJ`ab>od0-T|GoypBYO$6J! z=F-VDc%=7jofI76*ZlX`sBBBTdropk-FVHw)(NoHR(7Y9>h7NmI&$;RG{y4nODr|B z<<*5q@11n+(OV_X8(I{_4|D8e3gZwnXd2!mmU%K*5<>3^1U?PWpVK@s$j($?2rne{ZzD#)Q!TN&b$@7n#|PM9j^)dBAzZDqqxWn@O3Gpbu;I zC3gn%m>%`=VXOC|fU5lW8nN%PiZ~(+K^rMQ!DatRKYtJj|A)Od|7UyK{>KlBwyHX* zqUeO8s48mKky6#xJVk3PF|=keglem*XwCCHPcg@oM60UiS&ERVSxAsXNJPFb=iGDO z=W}m=`2GR+m;HlBBzv#D)^o4D_j*3JmO}^>?iM2%n9@}h%KjlG%_%aWZ}c#jlI$^` z5FjV`ao3O#|3FcX1Du-6zSWhXhfPqe5zSOtsFYVe?#WlWq88zkdD%1~jd%L({mRq( z;dbfw;RZm@50ZuKj!&<&Jy^ao&t)*?X;<3aO-um%R2jXp?mXBcCd`SkIha-iC^9v z-YH8?s)2C=rMwJ=Ttlk32m=Oh%$E3I` ze)S{8hWdR<60^G;_GgYTm9D4XXg^NCZH#32h5ZYPLCowy+ZOexALAx*Du@NUu21^! 
z)wW*EN%_a4&)-#X!zyst0ZJn7yX)DN^>q_hPs<1*dJUY@%vzQMA$3~y%+wl z+M$2?T`iTeEGDddD*Abl;a<{>~5x57uSVDVe_pB4dFqz2H9H+>+h}78k%lHHW zvN5(mb%RXlH?V$zHo)jUBF;!(*3Vz*RbcDYd&`S0+cvrvrS!~u3%GO3sQZmg?VMW5XZ00G#fHs z<8BFfZ7pcqJ2@?I%yi3P+V(++6_l2_I#D;N(m?E2HhzCv@`PuW7fvC8l|#L5u|HE* zXP+}oR~*FV`Otw&&8PK8^$YiltL768wLPnoMhRFbBmRr9Hd`Djkf_v|B3G*FMqH5G zTvVE6ypt_>#mey=s5q@nyt`?S-;K_{Im@o1Fiu(|0QKIk{dUWW9y@4>xuwCA0vC)M zYFp;I;w6fd^b3$;E)!l?7p*L)7fhSxhO@k$q+t zAWkx_&TaDEzBI!7$=A)dZlG-%?5h600?V^}imh&}_OKx2Ez3z09sTm|z&BzL+lr3r zzR@S5oJ}QCX$pxpG=0}#+qxkM(sLojwapU2d|~vJ{dlwj?n2aMfJT81i!-VJGXKqH zJ+-$j(DCad$DyK|1KB7#o;Fl=SHc6yHf|M&{C?(vn9cwsTj_LWGNBdFZn#b%uZMDd2c%-ySB=eI>MD)@YIxbkc5S6So2k2v{u2}J zI*hLxdoo`lG5_;(sJmYJ#LVfFaPnBWm2@J=dqpPlPi>tW>f2V3T%brF?Q>y}Syi>M z5BC)Z`7p`a8uhO%Mx*|SvzX={B~+%eT&CJ3hm!6hWbeR71=usI~0_+^J}wRQ6YP+WWvu?pf&7Z1#Elgq*%gNwoP3h4*_D!Im3#UFVF1~dJAj6rl)6+MF%*LQbs{O7e>lVW`?rf3?3$l z8#g|zWvHa%-G)p+XXP(Hw+g?0F(V{H&<7GAdO~JEKjINOSIXgEsZYocjrCkpG=ubxNi zk>2btpl?qo4scM8XWhva9?+?kjZq;VQW((5xTxKda$@PO_ro0SrFe0V;@!Hy=0*?H zSmCG9EA`+G<$;K`LEprTqL2(9mt;V|>d(ApEn(F4Et0=i$-;wdxR7fPqF=i^6qYge zav`i{o`N+_?Fbya%hP3O407D!G^*8_`PjkJ_hlqbeYgE_wb!J4&9*(4T)fAJPgjfs zXz6}Ok=vURoi3!i`HNZjsk$#KvEX*N#C)i!P}j;R*sf6KsaB)=eBP7%!%xPS7(Jzo zI~1=hfl)U=6=$K3ac6;-F?@|m#*4*E!!8A8@}Fbu5~EGglaUW++?r;T^b*pWy*snc zxAiV8OmzHkfg8o+DjFwNiGzN{P&<$7LCgGI5U&*=Llcw+j6$wcCOw=lAV0k-CJuV9R%d3{PQRSLA(_;L@ewLFv`32x3ADfRc! 
zuyX4Q^hKaM_{e5sSY|{ zA1M?HvJh6M*LJn^c`@>(#f2mJ#&}>@mc^YhoUWx81gOH;nY@v~`|VlXLRtw9Oxk8^v;>1glKRJRjrZVyEl)p~hF88(57=n6~G$$Glo(E!hxH#|wG z>$HcsTqzyo_K*r(eQ!Hi6JYGw+_>{V>*_H&)JK2lNFVG*#LpLl>1lZ}d` z!hh=9{8382r?UtM)g__&jX{r1rAkd6KUD5*R__?u6)B_c@DM2)s91>P(vD&3zBC8i z03p`ik@$p2LHED;*S_-3g-V;1bK|J>sl0=v!}5N&9>UDjW7>3xO;G71DdoZ=_p{SZ zMo%p?l0jl7jEz%cx~uK`7!!2OENk)Tms)7qiX5R{i0q!hwx$k#C6kl;_8Q)C_M7g| z>fqQyFUmieYzj}6x2vA(^hlBG4)9`!z*=@=M#`}R9+h0>ZTm_qw8sjRm%g0uv(Jy* zj;^iMEILy3wUf(I*(WYaVB+qn0F(K=`~U}VnkfM#c~S%^;)bGS7<#tif){D5tQW@) z&x~YSWrBtZ>^#6HiKA=qx#8&frc`Fl7im=LrDE3)Lrbf3mZ5Kb3Q)%%B>*Hk5HFMIKzcR}j<%XrU>6 zE^!m+C-NIpMEat6Xvwos_M~nJqlyb)h6PV$ z1u>MZPpEfu@1Z$Pa&MQT5r>D2Y4)T23B?y}G*PzF9E-}>mBEFK+^}X;L^hJLb=1;r z8nUSB_jP-XOAbNV@>K5e&QRwR6ODr2bw$iR?8o}kJHo zpgA=yl+O~Q~9Od?3oMyLj>Azm6eK&Y00 zRiXK>|7;9im(IuDqx z``NEp(`$MuGXY#fn-taOVLg8xB(w@YC1*N#W;xVf^N@U)6rJoo7w2)WC-#A9O-J2B zs@7)anp@&*7}pM-^7S@6`I0|xt`OpA=Tx*{NCv_2A(oX_b)dOGn|sH4IehFMXo#=K z(P0t5(>fk-M6m=6`PntzT6*0#mubLr)*h=Uo+mp{^931q4^MaBxFzQC($Sv_&#w=N z3zW+VLaS@0Oc99ej#PlwAn!_|LauCN#*b~LE2vE{cSvKZohqMBJ2%Uv$m!t*DsGGV zxxDvjwJ$G(;nf;3K}r*q%4wC%h{Su*@r9Yo&v+;uFm=fEQ#t3&tbpro8I2j!Nw}ph zrA7*O--eQq;t|mS|9wToha$R6sGfIw;4f=XwNPEyf)ZOUsqH1ShFLpA9Y`% zNn3gd2J5yC^pRRPdf*}ZF+fz% znpl+wXmut>Pn$~gBvG4o-W8D*^U<{lgqDrLz~x9+)HI?;lZ%3%lE}5<JH42ND_$uim5#}T`A zM?w%5=x92@r)~b!Sxyj@s_cerQL!(p;~1XBNhc=J(EQ$kck~MROQv1fHTmL3RmW3G zA7#IaQKf}Ly$*X3p-Thji_ux(JI^!fYW6ivl);#1YOcl6KaqgQw#Lt&$e?tE5hLF8 zjMb<0_9J8J`{E-kY^?Iq6tJX?3n5@1mal>N1HTeK*>h=sW@hbq+JGDGKTsP)eGX_e zQ5Fw_y|BirVeF9|1o9xI&oWaUJq-R;!zy}fVpXx4{XiogY@*-`XudQybs2tZ{Qm5K z0_!{=8TUZPrPp4U@4Kg*nZfi6x>wB9naa7_v;Nbidg{%6a$ti*v}h#UNI@_&X!u|i zb7-+vwBOSDr=e0eX!8TaTes_5uxQHi#fE;;k{$aks(Jn*CM9igl6T3425vqpC#V}x zZ!APSZeVGJBU@lW3k80gbDvuLZd3H#x7VM|R$(m{sKyo^2$zB84%r+@qGwmKMBx7}CPW*>%& zS`HK^Ah(teNq0muDSb)Zb2W)Y?+ioW*UUJ1B+S0nP#Oa&{#L* z288(7DewXEc83(x;xbyun9cLkF}&L=&~4!ljJBzi5e=a=n8C&qqT6uovaD^=Af!J9 zbKc*Kv1c~F`Im5whS>pm&oZ%&tuqWCOnBkF;U@+U;JVQrF6AuR8 BA)tg;cjtN* 
zZ>x`6$0rv7wYi5N_P|z4{~G7)EnPjn@`SYL%0{;(Qh}yWb62u#p=A&D9#(1o!yg?^ za)peJtvj=W=3vOnku#>-%NK}@b+qPTO~jd`ZCoV&uAN>a+cL7)6A0ZiV`pavuRA~k zsnY8Z4;i<;jxpEvaqZr~vwZ;Nu=8+Y=HX*$(Kcpp9JLGzLARAhBJzawuXp)ix0h^+ zj576&1aNXK{Y$aVAv=#*P@LdB2gw+@dzo+ID;g&D$`srnf@#sQF4(Hu*R`tp06hnn z{IKJFD|1`JsdMcdi|hyFy=T7h*A0DqBq}Z8Q<^S>vUDY#_bzBe`dcaK!x}f|nPHZQ zit8p-BAjy9vpgTp9C<%;X}UkN?hkdhmO}NV<179eT4_B@^!2pkx^3HXz+xVc(l&o zin1exe7_&8=}tO72QXsBCBOa|G^VUytsfon$;zj>tBV(-=l$JKV#%@&^(7bh;w+#< z7w;Rz9P$%KKh`m`C-NMX51dR@M{H5q zqZcG6&jhZ}#V0zfa^F(A$Y_vFg-|34wH4(T`sZ$4gYUptUCYh6ACGfie|<>O_VmB& z4tlXNt-=|0cB3F{ZyO{}ahpL+b!te*4xahB`biY;Pd9$JD*R_ce?oOYC%jyf;yRQ~ zx7l*S^DCi(zSPP^)H@B{XMyMIsL5fK8My)uVDJ%#ceau~Tg?kWc>ujDQb4uqd89kM zu9#jD>KrF!HMmz+o<+K6E=qX`2*o*EokQ-_aL7(S$3;$-WI8>|2}yo?NKAL|GS+W4 zH&B_A_Y5X_U^klQJ0cQaQ%a;stN&n;YhcOEL|Hxa(Q zq9$6!Avj;s3OIjV{&9N=UJP78RXn3)M4eT%hUa-orONssuQ$PpRdIN$hx_}kVNlC`D8nW^MFJTUy7VW970r_fHbE{pn zTp{*v=~icV7Z*z1GR&Ei$P6<}TkqaKsy<~$(&!&w>GeAdO1)+{p|+Q&s3X)l6y&`t z;=-My@LoxKMakw)i!{=N?-&wIJ?NA9P_f&P@Z4l`Cp_nW9wka@XpsNJ-*H1hCgwX)+P z2(up3$!$av9SJa*6^9D3RD5t3?}6uFPQ*r?h);wZ1=(U2WHQ+#ls`d7i-14vq>O3w z`-S3dd+X41o)w~qf$xk(L27eg*##k&sfW{P z8wopurQGFp8ECK*GXhY;x<5?g_vcP3HM4F{9Yqq!?>0>74uU=%q(P)Wz87DIi~JeGcs0ghMElsamn z_?5lThJi%rpRF^AaNn~rDoS|UMF zbuny{h-pn)J`(Q4tKc6i`a#Zk)F@a9QY2SSn?(oTG{Ddfb6)^X)bp^fWk zR-Uef1g{raN?uO)W8ae3PV0;*iKP=B(dxPmE{-lQlfRb}l{242d^hvL*EOGf@m2{> z$iWhzH^`i1+8jm=1NN>QRCp?s8?BLk;Sh;5F_ZxBLt@itXjkEtDScx+c%&82*4n5t z;_vXCdrd>S4(+au&K))n#i*p~jg4n4x>%Xowoq>lx zQom3*Lo%dwZ%J>f`%{?C$qmZC*v$@o|LUA>`*iE8_XwXy8dVp)AD=pP>am!0+xyFR zkKOsq=3Vvl?(yTNjc7~j*m&P{atgmT9|cAB`{;|rcDhxYZencT z27`_p={*y?iusjC)ks{*4q7O4%XcK!{8EdXL>sxND=!}agm{Wc+?|JJ-K~UlJq2Ak z4pA_%y{L_e?i_(&(bQ|7pyFI=;ett1*Dw=}v7XK49@WOFCEWdS-kBI@~0 zk4M|o6bq5MQmx$OUcdq<(+Zg6cUY>@6Cy&Gci~x-B%ZhG0={;#rh$bvYYCspAGilR zP()W~lB=Ni-e&0pHFTvRFzYQUBL93=;bIxnwkB0ggoT~+;dV3W3$g#ey+`$+4Yeu% zR!h|;|4`&t9Wc6?MgNjh_TqHvDsoG9P%eHIGNQ)fGvVTv8vlbSGvgZc49g2(E1h#L3TU*7Ur)als)? 
zid`rmYqg2k2eNWqb8WZ}@?Ewg41_a7Ql9SQ`0a(hF*iy_EyYOe4!Y{8%=q%|ba8-U z?kv9C+TqzLm-C!Mrz*{n&!6eTTDm%SS$+P{l(-s1kk@^$qFyz0XK?Pa+pj&MpE`N06h4d(5~qwBG+zrS8ze-=+~(@!mqQl}_n*I= zxut0`Y6mBWNfn;B6v0Cp0{cu(C_k5kV3uz_+s0*7GfhUC&uf~NF+{7tDl;|s46m%fB!mei4I^wZ8LkQ};sqShhbMdNz z(m8@!@`~zb$PYb%@t|tn{2hs5SozV0e2SHiduV9#HrVB*r%$j)!cadviEY)+J@;2XQQXhL) zm|}#*xc(@rT6O@3z;W$7bumnI!HtEJs!7wn#PT3;mMs?&WY4;r`Cu-yD^xEhIHTT| zZ>z@x)G7BzHr=?LFYOKuS;M7iSZYM3#cIzbzH1YRB&8)dBpZ*LQR&B4yf*1Q#d|no z`ONhy!4_1Zg+JNQ+vDdj=bc7$x^A5I$18)kYoe%N^H-MkAY%e$sZAc&y7*dJJ|$rljMmCw8a$@67Af_V%`UJrF)NgHK%!&fvEgFgCaH_wz-f%|vxGF6gGD zFY~lk`nw0EfgelH+;6EOU-}rs8dWCa=2=X>$yF~|5n*)2;N8SF|J}A z7mI&BI76^@s#wR-#o4uzV zd`m%hnP>Qipu{nm&qXTcZPB@c7y-{)EK61aTj8tFfoDODo*yLyR=d(MG{YQq?*`iI z#VPO)&M$9;0^O$r?p~T_VKdE=Jn90w!5DHo_54j z4Y!eILbq_@BCCzH*9rnc<{J-MY%wzLWQMqA^&yUA__@Bu_YJtmHMB@i`S6!i zL76VtAWA42q9ueO&)hR#ikG&Umb}%o^S29td<`DKS(DA5D^#u={rT~G|CG9lx(ijo z{fn3`eU$HNUC2j%qZ$PE4cxE*14xjvYe^p%t=ZV_;DVbgw0WxCn_yo0MjICixke|L^ z)>r_h`gD8NnebOi%LkG%!5JCNNHYPjHW2W1%$PMoutl$;apir$_#5`yowgco%hh(* zg1+!<4zFg~Rq)m>PW$6Oy3|iAJ!0eBbgD!@#22M@u1wZ>Te;Qw}Vjd{|)K50k_tXZqBgJ!(+>gyW-T?RfE! 
z>rLxh%7o4l$6?#dz^zYoKKYMqw7DsDz{lu_qYgPtyQbJcQFX>{#M!52+m^ndX(2sl zGk82|D|CA_@6dF?gWbIeoAvO&cC$*%9C*|d`Q5Etp*U?(SPllhxu>Z$73If}ztUy% zhM2+7QZ}VbjjTICO&RG%-wu$(SF7P8Yf2+lRwo<|F5RsiJGjKk0-0g|QYD0tW|voL zg(2j?W8d?QK^KLhcfMNj9PN2+zU27jg}UO*Y2}m!bS5%(Wwd0uOrZq-IZR-_7sqJe zDlmJ?a#RiDmR!JfwJqc9mF8q)+G<`PTl#Zm{rb8DHYt0ky1uw^g>&pzde7gh&hj5z z>_S1cSjgjUMps0e?&4l!`Bf5k$&7T%B>~qioO!>%feRMV6;_y&47X4kUrMU{G)v&N zNt0f;thq1jkU2qpFG-rm!n2t2(Si7ZOs$wa-=vmz6uKZ*Y*Ljo)lPdr8c@Ma66Tg> z^|pq=nU1hjbORV&F<(Axydb!y(27HMiX4u9o7%-vhc|!10-5~=m2${PSN`K&hGt9O zoPOh5FDT{nE=i=Y^WEZG)_awn<|iE?>DPD%IN;(@+ygH)$z!vOs~#yM#rozBu}F7Z zR9{KCHtGx`99=R#+4u)zcHb)%E1caeqeO!UwDm2aA5HnJRYq^|o^ zox}Q1Vbj0lngdF<#xQ>tx@NMnFjcK-`7r;$qys8+*B=p-*%7oGl!be}?xQv>q>icn zv11b0?KrU2CpcxBnC`O~khAJlbFo<-|G@BUGn0~Ky?#qp6LJfJ zxnDSLn?ui5b7o#Qce5O|qKu;T=jTLvcjsSl_)_>Do*M8lUvsjjzHeqbzLp1TS5Tbo zNrFW>{Gy-*!}R{jWQUHMkW55P6+GPMSRi)dh6(A^$UdqTT#>)`ARL|kRB2>7E?5!n zWi!tb6=$|)gHnutx~S!HA&aMY<-5d#I2MRs{sR?-m0t8*Qm#9#P@5dm=aPRih&;$? zu=I&6M2>v$NKX?fK1y91iq7)|4!> zLLvR;ojx!=mO9G)q_p)cPZvsw5{IvE6ll^^MJO1W#?u<*r}v+RnjRGDc17b>F6)C- z`-_JQCP$|iJ4Mqk!w}b1Dj)JdRELc5&`RT{2*GA>qWRp1f<~^~PQjGAi(B$8ldPKq z#y8_4iX=FM@DWnP2*J zZ8(~$X&wM1ttle0Osc*8oCk2#AlVKfXqm#(FhOX&qnK^s3tXiwSs+Mtask>UCfbz_ z_o*2dp?j*@u#&Eanqd9NBkCmqYA>JsL>4o}aA5-{xr}go001iOf8ko9ZX#J3(JOD> zU8DdaQlE@^bt0ov?iGGHK=MSC%~Yu{%@6i56}1*PjKSV8Vs5@(yO`wYSyJTm7ng}y=i9EI8`!kSM3r3 z_S6ke-$%F=?b{mt^o|!LT%P#b4STsDP5!!Jez(ZOBsUxMq@FGeHu%E`0%Xz?uWSj3 zt(Zm4xuf3Ch%eOpW$Cq?d;`+Q4DQdXSl4ZO5bKD>prB&(iStH6p7Oe7{hph8^Pfdc zHT1gkxHcSWZzvmW?0Qk13hJk8U{lL)4R&{r+>)I^pY-x*c$43(vu!ffgh`RUyjXxn zXJUQH!s_RKy3(+EHNCf;hBXFs;c!$%ImV|y9W-Phm?8xICARGCziPa=x^cZSH?-2Z zs{OQgJSF)`tIf&g5JC*8t2{v+gv-c;rU}c{PmL+J8&o{gEy{JRcM5D|9IkHfFS*$cndO;t4xZU4 z3*Z*VlH;ZUUYYM4uY$d2mSHuXe^07_f50C+((FDSZwwv_xvv?kis&q!ZZZH|r?Qes z)up^FR5Vh6Vw!bihEb+Ejf#X`<}^_6pw1vZeQvnN|IY{1e6uTvr02Z7OEm_ttCE zf6;!EP!fMA+QF)^eAMfm!F2w!FSU=cS{l+ha;NHoGiY232Avq=g)dy5>U}90Fz%2A z92=kr7N)$C>xv#c@77SIj~qKhh2UB{s9m@MZUdp=7@fj(30G;vW{SlmG8C>GDndvx 
zQs+{ikX}#8bscH_DVgpTBX4Yx;C2dQ&_CNPX4Rb=DAY~if%Y=8SorUU;U+tid;1Tz zFc(ceNk5#5GLPN>F>$by>~&KwD6duqB6A!c5k9HW>7N2!n90gB+p~F#ma3bhFH3^t zVe1YJ?ZXt=f^SD!mxE?(9FN^Jzdt>&u@JzN;Ee`dgku778BSi?4NYZIXrHA^naN`c z-b!0bxpQj@AoA&{Fnbq-Ee%xdxK>zyZy8+iSedWL62`R$xOp;WWP_SC|AIvYe=x@z zN?T?F&JEJnwtO?gyE31rre^XV8(^Q%6bc%cN*iinQ>BsCgo<)0_YgCvvGguEXRf@P zunIVKnQP7(jVnYBVfLE9wu@69G{0dlJUOn|W6ao){ixst7IxL_u!9dE(aLSL*YU1q z5Rt<_zm>YVi~@C(=zGZH2j!(xD5VA^aTDrk7~Fhv_U#^tR6m$J+hOqO>q&#ndg_d5 z5xlp6Mpg~4shp99*skRVABGQ6M;?Z4dzkLVv3nXbT^`|y6r%`cI?)^HqmDW@aJlEz zDkIPzHEsD;45kpAVRr@PrpqA=5ieLhd(vc42dE zqIPxv@}By*s^Sa^N1}?Sq1Rz*1+?I10s?D~W92i?7{^#eDdbYV-CStSfz7-X4UFH0 z44WZ0KC{13U}f_Tr!+6%^U8&2T)rw+S1pF0moB?nx*bQH{-yhdPLE6!!u`d(xco8L z(NZ4X))`adTF!goV#lsk<>V*k`S>?qNBb1|@e&mgai#iy?jfahI?xH~gW8ktP*E|CS;LJ=jMU{oxrdC~7n8xaX#zk|*W1;n6`YfBtFl>FSKMhy zvnvycNn2tLw8|@GAxCfIz%KVGEEwwk^yC^oA*G^m_Zjh_mpZ4^%EqF!$vN&W<8@{$ z!&2Ay75t&$Wx4B%l*Z{+adHnu`s~>U4Iby^oe)bJLZwD9d00~lswE|ObnIcK!<+Bb z1InkOq)q`+q9XLDMJ{E=uG`obMWap%xqezK z;Of_$p(t30B>Xwe@?0V9q0QeXfUhyu%ncahyHPqxK2%&g3%YC8Q>We^_XgqiF^vq4 zJu6BvoEMMO`?yxosBnK`$xS4SXHW^qsRrL?o3x7@6I_-z#ns$lLRc#wI{M*Xb*X=$ zV&3`neu`CBjG97xFo@)?SG_7f*|jy5nXoD6&JNX?9kIbT1r1u5z94XK5>gCh;Oxc= zY^3_;MwG!g?&r^f6AgC&c#OXXG~BnVs>QQzHjV@Jm;Cb1ag&6GZlUcvRt~8$UeyY% zH(QvG4@8KzLH^0)xZKIi;a?X|u5pNeX9QWX$ew=q1UC6d%v@O3t>{P7WUc#~-9e)J zc&+m%%lMzN3Q5K@QJ(56+96_fJbouNLon<&(^ic1xC*QF$@H4GBxc0NL&*7Yr-R0@|-IAS}L6@@N z;}+s+m;b>xNlkD4qB+q?6+(4JF5LBZ{-81C{L=Phu^*oEiEHW?vLtF5W>@Vz_lK$K z3|#{m&f{*rXgEQ6R6Lcf_bX5Mxy1fi&*}ZswC#JUvFpW-4!R&aF3__IXnR zdE?8v)=@dUrH>}YcXZR6w^P~Fr}avbkM1V_Ka8}H7^%vaokG=>i*}oY320C899x-o zmtuUeiD|u~cesJ_@+~oazwWsA2*+OS9sgB{O|)`<;nnRovH6adb8^R>I6f<>X2=EZ za8I3!>U&&sO-DmoqK8%eAQR$MY8CrG#{8#WrAD+)WEOP)(o}l4+uWJv-g$V%&&!~q z#lZDNrL*66u_rHSmiZW?(foi>C(s|R!(HljvnAZsLDT)!kgksEtw}LPy2E)VxU*t$ z;N-dDTAj9At7oSy_Y*eP{l@z8f05;mA2(5)ku=?~kcM3s&R0jQ4$LPVbKoUHFN{j# zE*M5TWu&*+Z(Ke=s(xqr@%HfniFcR-w1y{T|UN`hm(i`m!1$??B-d3t1F 
z<3^}e`C`adUQaz_@7fNto^i2sK#!b17Szklcl@kN*nkvvO@Nk#xchFWN5CMU$)Z8B+|Wxf$w=c zP|jb=AK<+`h8Wx*#e*d^21Ri2h@Pm;{Kc$9nXVpt06c0k=HC7@OacFCT@a~!w%1?1 zQYy3AkG8R!eTCH-T~36VTa{c_dt9%yedpx&$#R2qb8*qz8q(bP)>^kUU}pvtFa2j< z^9`Q1{qn1}UokO7{p1<1wGMYSLz?W-J(B0jtoWB@rSz++*}+ zP0t)!YL9)U`ky^Kc&^fq;~3yk^pn4Lt795jNvsE#xII|EDyuLde6N-LhN&*^#>5Oc zUJl)F&bT)=7}z2^Ilg3J8>;V3*;Os*&@UZ`_&kpONU!V^FIX14xdPW_}2b?A&Fs0H&i z;?Bxgx#6$=mJf>OPclmg4Cma{u^TRc=G*r=J*lv09D4aAjrG4BFIdBjIaS^zCSQkf zeIuv(Nwarv?dJP0efi>9aNADz@ychp1~6ouL7B<0c`=j|q4;9?u`ZHNBpt$zbXo^)0@u{ItQ$u|nnO5QI! znDi*dl>}#avo}2bd?MN)Rd2=r_dNepSa1})(sTJRR~85nqkisfhF0<6rR76_R4I0$ zZn6$kTW3}mgMIy^Km5?|hW>(i;_f8yY_l%K*)Xs6>w9fW4ZYk7rHS%~wL=n^H+`W0 z9L`Ay)t;rOoLjIDfN>JE=Lyu1jTzPEQGFZegT zSYTZ(tyl7O>P?wUC}Fe8zm`>)*otE8Nks5SQ`EdjCj?@W5+KP8_m3C<+i8voGr1%K z(gx7fAfmi4OMxrgl9O2CvJ45V8DS%lZgmCfDZw4{qkPQ~RQV49{P}KY?0zE|c}(6pn^h0LHXLk1jO>t&>`#VQWv%V zpLFi8k)6s6Miv94B0ke*?{wpL@3|$kBKedmZY?_{JG{{e)acJxS{Y>|y|=UjeU@93 z>dhnQ0ncG|(nj7%GO0Q)l+>kTs^T1;6`zH<0k=2sDh*ZlW+ego@h(}!x<8}#PVAsR*M3b@E<$- zy9xUvq!w81@^!V?errTqJ-`xMWr`<$+b2h00n$nRc;vT6{NKd>JsJO-*uTB!e-Zn4 zl>IMa{~aCwgW`X!5&whYe@Dmv*4V#ukN>T)e@DmvlBd6u%KtxEvD8b=6jho6FJ=6a zBK}949c9WV%6t!o%s7t?Ag1rGw>cMEG{&sfp)1_IyJc;Gt#0>FzQi1Y((zr;p3%mo zZqgMec2Yq|{@kMxW<^ECYmP(c&Dh5J{u}g5#gB6#kA-4(k85O|VciyxxEF9V^6!1^ zxkq{Xx#%2yF|%%St7vd@CM>f{8nr9s5yZG%Vo-cZdG(RrQT5exj$^B~ilmSC90i4G z&HZURp=q97ta~Bq0<@ItKODHArVjGXKQ3D~O-uK4K~*b3JoXHNNAaWVmg_$#2TT!= zNH{&4y}6S+adAG`P1I4NVcc(I*m zeTObRb-Fkw|LS>m!G_FL6a%PKIps83VoG8i{}5g2+j-4zqg}ynGjX_w@Z&52UgkPw zR^2T{o_{?X9e27{Z(~7+?>Ndvxcu8?>Ay3fV2zu=HiG+(MBLUWdis;OTXR2`$s2iE z1mD*czkbOlRo1Lf%a?t?&5@CPAT8AR_2K#MRQAO{BKKkylb%k$KaGlWBTPS5!o0{w zmC5q;@LpX{ZdJ0pL0!6SI|tSaug56UKj`ePQJ-#a>V)pjU+#In{uFp~-tX?X-=aYN zn73Tcqbt0!_ARwefq_|9=v0hkxmh~5iLn6(2al9YNRxWYD!d#d>B`Z|MiV5|eHnS( zuQH|i&<$e!m|N`P4(P><*R`!->D`uTs9VF?)dT1CcU-rXWn=4u_hj;VN8y)x9J(dp zA9*y7teb6%Jox^NnZp^=@EG6Bkm23lmc36|qb*sw58joGE$B9SWq^O2+D%Ae`=a17 zF*itn6Q&oU-^bS&a-L=X_jVC*Ho#=eR#ubE6l72i7f12KFhTd=BY`W&i!J?|4Sd9^ 
zJzqs}QrdZ3^ZJ(H)hMNfE3mq-0zd14(4lHO{q)El&(@H_@2^-R5St{Ne{^lrdXHAz z+61nt>$}1ZVJ1v1iLQqXsLibcH`w8s(VNtS8r=I?+0m>wYU{cT`-JOC zPp!u7Q%gc}oN({x{OPMO{u@8l6#LVlzC&pD!UxHC#4F%%1F^nfZ53s$K_H-vJMsR4 z+`|hvF`*=InQM%Np4ROLL_acTD@nzdB>5KUqG|F)JXkPFQ$Ew9vPf zH0~K&`emmD3=KZ1vF9{x@h$$4xt@O{=+}-$N=={Bh1+cEr%a5`auiSJYSRd3m=M1j zs5eCZj<{o-!1kK8EDSgRk_ZzJJYs>^{-U9{{56+2pGU_{4OD6V%r5SBS<4^RMbGJ^ z_Hrj5G<&W&t0|a{PASi;Km5*GL(gj76&grMO8hFI>KcQav=a0%7cnlNR$823frO`B z+nCadQ=fEal|t5reh^gcGaoSek{PgDGEy9iB3C1|e~?HKf%TU$>hv#hKY2Ol95wnM zDvx48Aiw$Wq|Z-WK4Ui1N_P{+n)=P%j*!isP0}NP>G3znsg8e(m0^a2J0< zcM%)wD6*C*u^02cpe9JbWcK4X_U~%6RjGMhsL#xOa~KKY`*B|~ce+5C&~SgD-|C7` z;BIn&^PYMAt{#kmY&)v@h~#xUP-85r-^I_fupT|9dKKKNWiI)Kh-lO|chh*=8C%$; zOo;k4FJi^1GJfBxyS9A0PaZZp5wueqjkp_;;M>`!*j#+wsTMXRyuQ;R#DUn|qoAy8 zD;!npy8Fnwf}FaA+njUfhC8fs24B{3|12!9y1vG*%l>>D2SeG>AYOL;sy?4Q`W;1P z5<&pUT)4{S(#h$K%rh~@iBz*%@2{}os*bZFg=y|(3WPnqXDi>Q)Z=%EeQr1uo6lxv zN0LYJ#R+kPLRAXJP$XdM9>)3CsJSmY;wT9+aGynNZPF6oTN*)aQQNdcc@@`ZI1TO^ zxHZ>nAQo1}rd#&(Ze;nC$k6P+QKq%3Pm1csSKD=Iv&gpIj2(`OFsB6B+uKt~rq@=| zqwS*n=KVi8o;QHIx{L?H(|e0Lb!WF`dDIr~U_%JKT0PP&A900f@M0>Ad^B^#$7WiH z!}dpI;_d|;cwq+D?V2X%fobP5$Pu4bST|amlTupX`d#w(9tM%oGDzJ#ND>w6!@Ly`k z)D)V0LIRb>Zau!SL4@0|8Mv@Ppla(shgWmZeCFnM9Vv%BqOW}SX*fqIdV$Pe_IaS0 zfL7PIV$yJ9U9;`9qBG9j0o?iagYMMmE*}`tGy+G=tsI4vX=4g)B z04wFCL-cMUE1%`Uo?f+x%EyJShy0Bpp0TBTe1tmokP)g|@5h*DVrBk}Qh6Vu< z1eETQ?i^|uV5FO&JA|Q!7#N8ezKc7adY_-)@&0+Ae{*=@6>IOk@?7T%q}h8Qx{gPY zASAXxMvVsWGRum{G^b#+&+mwYvS(I)`(KKLPg?UdJao*Y^`U2_$ymihB-eLoqE*8D z^VrM>r07|2uZw?8P)YVnW;x1gzVKS=YQzdY3PV4jm4@gj{r-Xh%6_&3K;yOteijJ` zd>z=@T69~8wkq|oNE5F2r?it=_vKwb8OTST*Vtk=GwvI8`YaJKU|(PKJ8#>^I-|xJ zo2IqLGq%Ta+lM?+zIU7&OPkgTHyZE%-ZqzhI{r=4WhA4UeBrCn>$!_hvs>&Gfvb-j zL)HyA0LkQ8Tb*K@SukM1?Q(p8sEreSrcu4&bB^PgGAE?9--0%Jh}9W&Hlcnf7NswN zFE%>&{XrdfT{Mf-7dkkUnom&87jh9G#xkxpqFt0_KtI)*Je8h`Y}`WW)a$gSD7kEpsn z5&Y8z%3cSy&r3e@-r6+|P7LP${<+Z$ZHE(LT=KBGomt;G(5Pt#hc*#;HNMggT{kb^ z5Afhm^$FIuAqAD27kv|gAtRJ5F>JCg?RHb1>J2fb*r|wJhaPOQ*5iU_Y*bc!EQjP| 
z25L&K@GZsX+BKW@bA>fVHfCDIZ>{FilpU+(+!=C0Y$rT| znwT-lDNg~xfilb<14ZSBad%|a*4dHgn_bVv7obovkgrtAgB?}n#*`sBqVL0Tk-ISi zVwDdUmW=VlF!c8ZAiUTJ;Nv~d`VIYuGZFQ;*@nM5f-b$chtxnwaN{kx@MeC5xMkjg zPa3*rmqFo|LosZ2tbn^bQ^u`HXKYCs6fkwQIdIFd=?@ zW9xm9TFHyD*8_ZIcaSv-V6)MxcfOso>O-~j4TY#>La#OsH2U5Y31^=bK^}4*QQb1_ zi4rsJxOpf%Y=t^0o3=Qi-*suk-1s(NW!1f+DF6CwI-#@?>M1ikE`Fpa4scz?$ei80 zZSyrNdM3*_+QOy^s6X0aLs`<1Gh0@^X0=`3B?{UH`5{Uh%DZnxn~#WzNmqZ2CTBojPm zS;S#nR8m_#bxp5+EOxWFRoZ5!+IB}6b+0RPfUVH>R=;UhD*-9@WH;IKY`puV)0^gv z(JabU$vKf07Gn)ZQ#i-pDK3&tC_kDOhu(KlDCxS33N98Hn+U2pP@g`PSbqiuJ@ab5 zB5M%RZ!Mv3VdJ85)}m?ETR2XYYSZvsPzwlq9!yf&EmiGD|C&8KxZ2c7=UG>6f#}g- zc*v#zAs7@rv&;zlL?)oKF~?%!n_%t=&ET9gvccNAWH|V z7*E?jK@Ok;_e(L6GO%BBzI-U_xUn?(;=yE*1tuWyo16KufKag$qhQnYAJ6gpcgy12 zd(_P5i+g3UjOMZM4eO1$jdEL1Gj5nj@BbUs50obSuM;PXzfgF3LsWcyDrLtKg~CFV z;VbWE*&MhJ!Exz%7D2H_(u;i%`0xE_EHBs#agmz77O%f{t=59RH?Cw4(wX$aHwS|W zb)#SMLJp9|^`cc*k(nl6KG=%YuG#e~z^r{76w-Z#wA31R0Q0k&KxFURIAES+%E5Vv zNO9C+^KINfav%X;xqsLtsgs1OdBd)X2j#mL3ME^B0${-XYQs3Stg4l7gABTiPiB3AFJSN~yRI&g*-|v~Dq#D)QUdu?Dt*Q@O$371fx7Ib}ZZvVuc^XSJ z!)xtpZP=1sV5b-Le~j*m1EcEUtky!}~{z2{;|p_D4j6E#rMyC=kQ zN>+!L(gxtK6>P6$%OS>V6Xx>>Kh2_C(wmhDYpbGI_VyF@g{b$O%l!A62zP*1!Xya7 z*J;V><3I}NAZPd<^)1&eIB788#nDgPq`bvL-Z(-!8HB&I#<$htKu@z*J;#wJ*t5wX z%A37f+mX9!XKvL>#p7^!cqZeX-@t>io?mL~-k(Qib0@F=Ax2;VAJDR!QDdxssI`c_ zI1>BST&nKJepSx*e4k2atu7ANfEPJurS~lqTR1h8$#qtiu4nH<;!*6YYzNz8lS+^D zRXv_Gq5=(S@CbA3H6G73DV|y`yH$zz$FrxDd4K3;P61L
  • +SJ6T?0tN2q6oej9k z)KE-M3E9gG{M(ZjOXn6R!Wxj7ci7Qk&Hlj5KK*i8AFNBMm$`Juxnqw2Zddr(iU+{2 z9`7Pelrc2X?z}mHp|>zO-3Q{+(QnE6O&;E)?l63%1N{q^t;t;@E#6RKvMH&Pqj zRmub5(s6m@%gE@LKit#!UI&+XinJZ%_ec22X@##7Fqk#oJsP-Mq3 z0R}jg!Cfz8kerR)1$16RJ_k5YIIxQnbzMc;P{|5slA}IkE;rJhvQU0!UrdTo_Rkhb z#nwI%>-S6{*N(gMdlAjJA%<2pB0_tj7okUQN_XKgYz97LQ1v30ABJ>y+kF_|;*scP zNzQsfw{p6<7SE&DR-Bi6u4Jdkxz`-3-cxLSYZ-{nl$ z`pMR;xFWoaw*k|)%vz-1HPknStbH+ox@%VgF0>L>W#0Wpa6&dynd=yN1GzOGx~59) z)44XF`;drXp}SCyRw;c4Iox!Qtx3l@7z;X5|x-uDbgO_y`{W^9=7ar z+~XZ$*ipw@p*A#EAp+1{$rprEicftTm`0f!>Dv-FYrGa)^G;e@8+W%K@09k^B_L}# zF};YvUlEkvzrKB4?f)i;oeRq@#*UA3=l$0e))80VOw?$>btk4#+Z%rjZHvvoMtsvkb}-G?CtBjhr^&*F8a zU(|62J=qb(rK${iJS91NcsIyzKGjX^Q7-BQigxx;ZV8Qj+%4Tj8tJM9Ao`d$ySVHF z9ze2BuXSHdRuVtC?_v1cuchIASx7#>k|6O?*tPCWgWJ|EK?b+X{;|~lmTL?iMYDL4 z@5IdJUT9uniA4o-AiOb{cpt1&AV0r76&ZSCy#&Y)nz$`hUAa2#X!nzZDF@N-Q6kCJ zke`G0MsspeVd&raSwmI6yHp#ee%B?hIPlJ&SUKp*uJ?Ug5qNjwp_u2kOZY;-s0~5B z$6a+zqu7i2v(r$IF~G!^+;NG~7P<1a7~MT?viyht&!K!5XbXl?PM|cN;fX;~#<^mZ z=~QNY)ZfV|Q~%TB-~J|s&RLaS0Hk~HT4&P=|%YP`Dw*Caj z+?FNa+CZ$EUK@{qApHKhOaj#%q)ufQB77_hQTxyr9l zw9C+AnyuL#VV;(tgowkPEX>reYKkAB7Gt%M7WKc2F3fX^GGChvt<{_YZj+N@^Eo<7@$(J~Ns^5(4 z-#W6=F5VRTwPCnlMu*97MAcS}=BvzU1B4Lvn5skJ%38fJ*VD~jjLCe{i9cm62rJmy zcrnS_{z1*t3&SINrwq5dzP{MaOlLB4^XBT4qIWr!UO;Tlbt@tCPotdz813(?+JLTk zN4##bd|I{Z_2}<{*7eu24~6GWV#B|$vwp6XbineG@5zyrG7&eNO}3IbU%BFj1=8*; z{cI@@XA|9>iK29$#r~} zo@qRTshhC9>owgfn}&H%gy~jX)lQABV}mmkwC20U$RFjpULJq7exv1zt)8&3ZE-i9 znBZ(ZELS-P?xBc`02*CC7SC+|$R2Mn;r9MIrRYCwU_|=PkYaN^$Ch3=KP2_W0i8XO z#AlZ#K=#LVrv-s4la7f#j840CRS=k$%Z&EikG>0*43~@r&9n3fjZ|}P@A%VPOB)vG zd@D19JE|8l+Xsfa)!~Jee7;LFPu$P)s-hGb@8tkH*B}W8yK*b7E*Q9d) zX|m}BVm;qidLiga#BRWh3T}S+7P>XqaQJ7d^kv=U79E~+J%@p=7x(dDi{y`pmOA(D z%DVdS`!Beoa1E}y_!f$6Jid*DxMfA}e%Zt|zA{>bg;&G|@4Rx{wtu_wdS9IciFbYk z-xFZ>6J-LEd(Mz0GGDhc}nrJ3AS!maW5UGNZ2!DhoozG$y42FisabUU zi!(l$!Ap?;tsb`dXA;1->F=D2dJWS2?X^r0;u7-b*2ekwhZ8y#LkNX*B8Rg9Ic+hV^~B$++SW)B7~6bs)pqUP1ufmuF_4}-lVeUrc&;&ZRlz=16=_=yO_=VY1>p%1|0aIMFXZQ 
zz$;|Of6h;@=~DFaaFm8%hQQVg1IM?EL_qq3;s26(@4C!7y#DZs!M1ueK>U8G7PO;R zk-^XB_Y#uUTh@^wz*&4YYtZ}o=+0VAt`}Y^OFHfCu1@bON`Up;LRSaHXqU=G=dA(r zk`|m9KB4`lzqfOQXw^m6YB)oZZ*yS#mx%W7vEdFN8{xH+PTDc%;uTlHX1t9*LDEIz zJ5E5hm!V6BYNRCF>wz#^949Fue@&2jr5rv*Y1nv>2%q>53xhLxF4$^~-U!k0{tAmH zNA@fhXs1;$L;28C7Y|*rF775ZzMC7AR@+1}fvC3N!Ad4dTzBMsxf}-p{8OB3s+?;{ zLnwUWYoj6(DD%{v^`*mD-|}lK3H;v9H52b_q#Wzi+Q^&7sFi5ZEuP@cri3m-f`@Z~ z!4}%N&mSrHX7oCl#|T%m#W$+#fg6&o<4TNQK3pcGh%G48A_vjblnSap|=| z*2Mlcl;I^w37jVx8zekNN8*EFf>o=r{>}~QibjX>m_H1JnCUZ2zVS&MkQv9$*G**9 znvb2Cy1&7kk{~;||LM)_lMIFEG3xn_H=_qEJxrQ!-{)i7>9yDxxp(3?Hqe>wof}E( z*|+3xvv%heMgDhW2yC}(LPg&t=Ji}ImJWN+i^B2uBWDtg6!kr0p)TF0*ALvBO{)iM z0rT6Z$&@=-fBG&@iNn{p!}uh31`|c^b+pMhvRuq&yw=BXUb$W`z>OtQO6O-wM~P&o z#Y&P}{K_H4(EQlVO9MA;HzCMA1{7q`)mY(n?-r3mFOvxrkL{yF&?KNkCTtFByno2!wF{YdOm%KP(E^o_@n@xG}E~*_735fajxU>`V>tNz(i*psZB-NxoO^(rIK^ zj+Okp_6r{)HYX?Z1UHF3s?+Va@otA*=sn3bF(|HAtFx-G0W^l+R`F+ID?PPE9!*JZm!x*3ooEVq8Mx60)1GT;-+`* zAL0Kbz2G0}P#!23Mnsh|<;=)!*=>~+B`q8puDN-O*tuNB|H*%K^(@(4E`Ddsm5#}}5#&>}p)T5S@2Fi_ZzKfOr zCYIz8+jZBdjy~K&!`)VlXKad|^b1gszXET!hsA&Ku;IN`O&l*5pH6*HUTyARX`tHV zR37U5YdDC6vNvVnVo$9dz-D`_@55VRRx^5!fB<94^a+q4OqUB!1oDTmTzOtAHp71H z=z{DVg+%Tb?+DfF&n%+0db?4lXNhXTj#|-S2L!Ke$bhQZ=M;z2?vHv-$Co#?p#QtX zv%BWKiI2@Q(m$Lq0h*5!H(FlwC+V*tX{@BnE|kT6gcdOQ4;TF3UlrUhWjmX@9^c=T zyER8Ld$bYZx3l&^3weag9xqS;_lxuWfVkP+$P>_|?|NWr&v+(AZU^ZVezeoeMfQDj z3{p|_ozNZo>4oXMk7srDiCsBU;|Uxiynihu{{{-y5}c1Gx-Q zLqj$(&&U5v78-hP17+Us0}c+DQ7(g8eWBt!Dwc0#v4*f>2cSwfJ6xprN3HiEFqa)Y zl22k2dl`3lY!<}-L=(huv5*ewT$WaM8+xxY(XYvyt0mykHr>9KPJQ|+Ln>6U2#?tY zTY)`x*?xxNId9>%>PUFGmGg3Ws4a>`Ms~qRnJ_|Nvm|e|98T6lHAI56I^Fr!5yF4u zGCTPKdr36o+rCuB z--&L%AIk;O{kGnCd%hJt%-p!+5CaodY4&+!DvDRq*o+P73FB%`RDKP+Aflgq8^KeO zGy{R@^u%+ebA8p_2g-TvXvou3=ym03tpYfydiRs~6gKT(>D$Uj;OoeO-lg%Bf^koW z7(TU=9pS_2M)Q}l_{FwX7LB?n@{)eZ4?+ZhQ)yRNy4Q0O!Lz?AiJ}1y6e2mXpu%;U2Os%0+v20h?G*)P%8>P#W9>WVNp#;uAfh5}EEji-}KlogVh>@3K{1MW7!%aa!x+8IS#; z2i0=GzuvAQQxF4EqbAMWz@H^_(!F;q%#D4~jdDWv!jkzPOibgp<|`uNLtSz~uM^Em 
z1ILQgd&g(2IYf5fPI!{?P_pHaE6#fs- z?dGEGI-|L(3!oZKpjgY=+b{MSMK?21WQ1!`kp$)o#e)qiW4OPV)R<`1TGwOdfD5uK zwdM-3%rlrS>xJw)LU%E!gbmffSrFA1T-?lrjZy5xxQpEH(x1;jTmOW1zrMciaPLya z7S})N)1{t{5mg2fzvBK+6#U!wz`_0UCe8~02aVoPz&R#)DEgFm@Oj%Vjv)as%(uL> zZC%U3WD3cDWzVq1r_qTq0U<71VBm+je&j+{dD*m4xk6oXD z|DeG79q8b+=D!LwU#pXeG-);;dOQ5QBDC?t=%B>x|7aabylf}1P&tqU;1V1ef#Ekj zPoLP`3VHV7S#O%>_9G5${v*Qjr(-Mw-T(1fucd(2lcmH+ni$5enIW*ujy#M54xh%e;>$z)CIR?;N6ql=pJU$sHsP|8z@eaa-@YVR ze=P<4es3Az`0pn~iVJ`&t$!7|3b^ZUe_iU0lmz^L|C4{+#xIvH@n7>1V*jQJ{J%2; zclj}PfAwD{FKY#S0 zCc9ysj)7Ns101{9?_YlL{!{y1`jL09z4`Fc4tL)EG=*F4-!A=iCw_H*@R4QgZ&j8I z_2r@{iocMn|N5L;vL66Z6u$fMAL{RKkZbt$m_kbMgWHT0|Mmrc>&iz!Q!ZCqtmN>2 zd;G2IKtB#iSoy#6B>W}Mm!AOPN!2;BQvV}1`o}H@^pPQ;h7522$=>jv_x@ZCEbw)8 zGO7Ri&JQnNiM{QgA=kg&_V#5D>rzjq`F~Y3m#-8grSZ=~&c6ukVH>a?9_a|(CH*(? z{Vk`RaCbD*ek>YJ0@~ zU;2H49L%KzZe-7r?(*nE##HzpTOkRPi5H@Be}-_WyhXplQ@&Rz7({HfaZ%0&f*M$e*mn0A$So zX=Prz&v%a6$yX7=2iJwNH!So{@A=}M0t~oNTAy{scgh20I$$I9>O zKWYlCwIn%it$NDW6yE!eijw|fmPW&91foN(?rAK@+#$TWZ3r|gqypr$`gRpAMI^sQ zRh24}-?Zn=H;K%SYT|I7IkeuRw;hi@sKqftOc0ix!NKb5w);(zMJ}M8)f!p zXS(JpOR+`6f&)ZU++Ehd8-Y-YR@d`V!eJ2BLchzin{0^aCS^Omo;;6=2om+D()Um- zt*`Z-zrmA-S0z;C8wIq|6OL11+JIras{qUI_o5k{r@FQqj{$0e+oZGfo^4M7^2fZM zK+N0@fn7YOHZ#Nps>^RX`ed%#HW?D5|0p>Owy2 z2^lR?7clA!dnJ8}N}#cAnqqqs&7Ak9=x~tZZN)pN@6R6e49X`885|h}%(3Yv2jK?g z9oHGZ<~Xbb{>s27k6|JQy$85yX|2>zqnxD? 
zV3p2o`i%Ab7J`50o?_QWuw-1Vq&sD?9YhSj2wG;`y0F-$?UAt6pDU4H)A6()akXHX z4?euciw1mc`Kv#Y8`0@cjhb~*UiAd9SokRD)@R!U2B0+j#5keLmL4l55U7~X$pWNO zw?9b^h(ZYqvKsn7Z+J_ z?Sxs zkzz6-Mgx`_ed#vX=om;|5L5pULoNU_>5cDo*|9^HvA89Rl=%u$?{AkUz?uKCvizmWEavQ;d^z59C%_vLUxtT!P@h&RVO>w8!A ztG!-ZJ&tfqcEtB?WkjuRNP>k%=u3WrZMV^Di$?Uvz=ZC8i{S%NRKpxZWrg;TyvJ)} z+qHk||4A3w_0L|OpND_<}xjnUag^L`@_1fl*X;jI<@h)Nz2AcJw9~_K6hZQqKKG@pfKj?>GUAUUg3)9E?>|lozMJ}myZrz%7_TOM) z^L<8eJxL6SjjR;Ch;V1O`N_`>T_Lp{4p3I`U$)+zg&vRV!+|j_?txrcdS< zVUzJid{;#3x`)EjiGMwo*E626+Zu;+$rPVy2ot%&8gs|K#g93`_4gvpw7%s;dq2jE z`A$rEB6r;8bu+jrf8h*y(y)hILZ>vwkrt>YV7g6Tus*Tf8ML&Q*U$&a<+<(z+o1a^ z1Ze9G-YeOyIU3RZl7X)K%%r;(e$T!{bNF%xW^tYoQ0Z=77-1noPG3&#EmrM%r}Ouh ze8lNQ=9Vw;$4Swj7^X+H14XIXm3VIt^^S%1z}*Bh@{aO-yWa5Ikl~4WM(ko*n4xNw82k!SR8?|^&k}4%5xc?3=aN(7JYf3WyIYxx{plW@4kY+j!S!EMJbnWd+z9aK zsUq)`L42+Y{`1h|r(bNO#$MSCXSL%bUGuaXz)}KbyldN)GWd4hTk>V>Ul31^MM-Fe z*w(R<%GF3L`AJ6zgNs)Lsr}Da8W3CE2<%FLp3~BJAi%X>aS-0qpfE?m9jn~HdCvcn za&!?*oX2}q>Vb*8#(%362HR!m|A=gxUcSrv^dgN-i77(&fS_mn>9zS*6UOuwMykke zNa=I72;29PyUnGUIv0z)C%B1NA4=6=svSRywWYeQ(;e3;5tPt*cs;-F9?`SU6jZF*cz6Pw?_UPjP2Tw2hCM{f zqOguOFrTg6#zvN&8vSJE4KAA`QIBW^o@i@d!?lzokZ*HhnJG`}nX!93MVYkPhd^CHTgD)e@;q^c0?yB`Gb(Ei|O^4^WO+%J@*9V8@r!eJ5MMKAVRe@ z45cTsRLPR$hsFxrP7PkahacO$Iw^rnzd2s8W3cc&caUQtA3TQEVbX|^1qgAz!`bi{ z%_>upHL7CuveNCQL#6q1E0LYLK$=+0Sx|g%Qmj~>Je-j9n$v+_f89Ps-}18+s7JgO z{rIcB!BTOv;%4KXYURE!8PO(Li7{UA=^AL0C}x|-1fiIPwC>{*`E_)ir{E%g*k~0g z1pnw7v0Tke7WGher-(7fEwS;(bws_I?fyH*mmfVw0ht zdIz3$4TH3_GewFmom4r!F^uSq7D-vB1K{w5$iXv1+@x25&F^_8vGXl18<81tulp{)vBIs)%|iPndSfP-%&q_%`{PzGc&D?Yu=_ za**4-Qr9`c`P#!ADiTV(a;3rO>ay<0g0<9|-9w9LfS{|k7DQ3&fEF(lSjGwRmolW(?y_0Lp)+g!JG16o?x91Zj2q1#o5 zNJi9j4Qi3D@oYfk$KeyI`YD<%x58DLt1eq{B8ew)dEN(!UcAJsJ;ntp&<3D)R<&%` zuU3OQ1Uz7%x^S`Eh%(MB2(&g_d*AVq|936lT#kLjOS)hhUyV6R61I=~Om%Q_k@pdz zSvh3Ph6~M+ABswmW8EeCkn`8G`S=FkvZr!OgN{wBOg)J=P4X8k&0ec*%pY@eE(b3b2Og)1Fp(S*@)m3!tc`epcJn@`ZiM90=uR>ZFLA*IF7y+G7@YBS%>nHCVVPC ziqxr;6itwnBPXxisMJn@>#!Pf&Y>-O@kO;ms;y&NhO~yhJ`iABs#A=g3rKh6*EewZ 
zsGCp|L5iEI35v zYS){JL6a#`jhHQ%c{?SF(g>$ycw+}vyoEF27Cxu8JM%p2cTgI%Bv9k?@2e}b^@leM z>P-&&=frWpG6DoC!QCUbVF`0J+CQJRE{?P|47RbR7FYH(WLIJoU} zT+bP8=SOyymsoYfz{BKZgQJ;Ax=HS{aBAg4Mn4zO2r)~%$qg83>kgR+3zBbQ;g?x< zYBYt(+sch+=V2+S&OHLxG8Z27xzK+gf5T52h>KW9&hM^>wR+~JMt}-!&#>VP=WaJ# z!dUZW^0Pa_51|dKc{SCw8whQPxZmj~afa%$Ez<^t>(A_>@{OAezS5#a%}o>663IhE z9xvX?2-3T$BA`kF#dj@YBiDh&Ga#(8k=?q=-lz-CFiJ2>>a>b_~)I4k~29Sf2(xfD25cnEkDc9`_!@X#mQ!OMpT95m_^Ry$Rp(ei(z4; z*3V1&0Cm4qQu)z=6GYdI59&vOZGu-|F>@1Jc!4l1W@fOeuj2f6i<&n7w}NP9fMt)b zX>U7Sr;5i3D?39W{8&`Ays$vOta)Sj{O6$4k25G_p4HSNR_?TV)!(PN#j2{~YtBh4 z5jf6my?xtb0!n|USoQ|d#rQ!U(9=R(1mKzc8HzPXiHcx(gkoDeL_sQZ=t=Q&1JK|* z1rSDJ(3!c&HQCj9I9#nj7yC`?^EzzCp(K11Ug?Yi**RBw(DaFo`^cP~S25{`%a zGvdkmis`%B<4eCu21yUt8_U!CTET~>G$iVdbOMF}z6_nU;?pqnn(f3HwA|E|#lmg* zDef=`x&G3K<3oQjt+2@^@5RY0y{`;nm6OjRp=ZbO^tnV2lt4`7Nm6OLGe^%XCXO{g zyVl$0Y&SLNkGFk_s%VqRcPsI*C!&k>LxhB(b zwF`bBKR=t{?6zB;IRS|ppTt6s+=d>TS1ocr_xE20H;MKg265W}83$QMDYOMP)mgoM zY}F|0$ewxO3LXEvQPtZoW_+IyJjZ%sKMKFVe#+Ll7%z^q=4e*sAUXF-NqrCRc1dir zlQbkGs1bSIu;SZK{^qys(t{}{%v_G^j+W8@^F^ZVNpRGWNMPkP!`4iNe4A;l2A_zP zZ0RPWO@sdO)H29Agt!E;tv zcrxzf{ZyqK1+9|({Rb88<09^zx8}p`n)hbBYR`X)XjDlnUNkzk;LbvCZ{L{~xV{+6 z$R*3hLw$v8;VRQz@R`I>J%AdKhc!d7w_pFEMEX9mI%;)RLHG8EY}$9e5(xG<^lt@k zmF~+7Y78c6GJBZ9SK_W+B^JEO;7fR`>*uR7L@MIWD=(K(odxc};N(R{B9JpmhF`5d zs3vk}=jC8nDE`0nBb(~kN&sAytvAHs-WDT;qOhcP7ZF)cCINOY;Ti; zeTFE?=+vqzF`*@m!g{5sClmwgVi1c?FRhN(VuoqtVs<10jY>$owhA`SR)*b~>koW> z3oaBMIS_Od&yo|yc}{chredUjBdzb(dyx$l<(GIHv}UQR{(L4`-yUGio_)bn zi>bndn)P{e*`S2Z{h|jjEwcDzTD@u$uSUQGGPFE6o3QAtfT67EMW=)bw>>sgkYmF$_&Vn zkN4<2Vn`(iyvwPsPI+Pd4PTZ#?Ln&#i3n03$kMNuCE4uYWB;iUqO2>5LS0clGH`#}uu7u16`wfSb?8R+Tew;5H zlUnPM_(=Q04&vqm;{qU0z<-j zW5d_P;Kb*WE4zUzMmL_b-+|A!@OMo~-=RK};M6=-(X8@`a&u*^prNF09%p#{>Ah~{ zjSQdKZxI=99w$uNN5zR_$Yo`NOJBY+@0P|FVhr$Okod~)j(EiS$yMMY>zbIDoX=#H z6&Op=Q^)P*9k1$0*z(X`iU7BvSwy(XR4`^-(FoIZ(moH&c> z=S$K0yXc2^naE;RrtD8e9sm#N5O^66?aI!mR44yN_H1G~hQQ%|J8|CQp1VFY+*WQs zyRCkAS9>8)H(v`l|EwdEzEev|04kMCos4T;7bS6QP|E1NOXpkJz#)8SEox{IoW|L< 
zlQOo-vUy$N$ek8}S&3t+6VN6n`DlpJjVIoP$cLcfhL6GO=)hq=mn6*wK$$JaU2D7k zc8G*2JHm<)RZh}L>2=Vb6<{Px)$gA-ID@VGsHb@sjTU`Y9`L4Jvxwd6`Vc<-n)4HN z3|Y|0M5pRK^w2|cCv*2{@;mIx)xAeh<2KDa9&6tg$;jWBwE?F*&<|7Aj|R8mNCdA5 zX=rPK%oEJxtz6B|C+l>3QWpr|z6W6Y|k-AMxuuGOnBS z^yR*=v|>}MQ}3VAiw^hqVKK0H(E8gsZTbt9OB;afwAqGXs8OCXzx)F6QYu|6O;=^5X}} zHFLM)V7vQ&Xq3s=ra8eqn$)6WJ+#|{aj#>+H6n5+R^PW=(pU`=8)2NFi?+?%EVx8d zLh@`b0h6dsUazvoL6DG5ceq{3mh}TVwe&z=UFP)z(}CG~AL_BR|gA}vSy zM!I=u#37GwN%;ln-A#2t7Ryd7pT8hjxX=*{H<`C%yAjdgtW&X6wdbjaDX3sSw61&c zJ?a~kZiXe>kNlS}9P&8KbxAm`iyqU~=5J?kGpHHX?6}-edZsLD-s^c$y z=f|kePk!{N?MdqZ|9SRE8A=^x#^im9AK}InQC0j#eyI18<`6a$c{eV_s8gBsrIDh* z8~d{IpDw!GgkV;oYgy$7_?;y$Z<~^?ca-?D6kX9$lPybhd#kTyt$#K~>Z9v_vnq>& zQX`lsi`u5Vyb{H`E3ZrlYy!jIQTRweNRw)Q22w=$eyj zi?3JlSNR0i{;@T%-fkr^M^UqY1Fz05tm{Ll`Dl~Gdg>b6$B8FJgRL-5it3C!k2yqR z8I5zBopYa7ZGMqPUSdwP89%M9+`}(d2%xOOTLYR)B`5XSB+ZGMygnC50^fVI!%tO4 z0}~)0$9#SA4dK={36pEnCfY-i;G>X1N`uKP3^DX>LUyam^c_k4Xlqa*WZ^45>{5e7 z-&;eAx@rxv6?n>pR6(iG>qa@sUVYo0oZ&7B8C37T)hx|Chf^PD4Q+vS1w0c4t_iZ! zsdTD(kQHkrD#4j(Jc>Yzwvz2cOWTv4TpSWy6sE^&d(ABeh=Ceo)Kl~1h>X0DyM#dx zT-kf5Cv$b}qCZ^WV2g3d5}8wQKB&lS<#C7gef+^Gd9ZxNci>7MLLDcGr|X%Alonqa(lgLObYZ7T!LgB3zX?AD?c`FpB$uCkRi&(3BEUxctr@hsr`v)l z#kK9m8?a+fvobkA6~M~5B@P|)bSsx;ICAMLt&i>!J0u3JCX%LW-}(ILr3BZPfd(fn zufW(e$|KVOZ9PAuJ*ROF)pwMKZ?uLG&?6N{L};x|>)r8ezf4mw4u5OGc33i#W(2Hs zXNzTkQcSU+?)xqDn@v6Yg#yP8KJ!oO9tAoB>-#mi7lKHi$(<11!ev{~NWl#-aIoj? zxO)l99d-Ffs4)1YE43D!91?>a>0~^!M8%HVJcjT}ZQ4$!tii2zdv>BNP`E!mr6smw zs_h2zz4+p*<|{Wnk6m=8v#zy;{=KBeU-^F)5Of`KHH^wjCuHO;+=F1mSh3?HujARk z;Gq1a{p-r)5JW(lQb>QY;LLj%hXeHj|GYxl*N3jB8r%}(hnV$)1u|uF3N$aw`S5n! 
zs0-zZL$Dqe6#<073ZpvD^~q1)nkL84#-~x}kAoVX{!wxRpm9ve(`mc9GIyN*7WbI< z&V}qSk4vX3rqZKiO$HDxUGR6JmhzCDeD4Vdc#N;pEQ1u|gZje#Rn$f5C<%7&$DvW* zoux59sDEx#?~n~gbqT!Aob=6>RY*Bf7y|SPXY8~PAx@7Vz{_Q5)8ZLMTEpjap!(JY z6_b;02(|{|W*hY5R(8?rX>#rfDW2}q4si9+s^ftV-Kc40aM&7Lz$3;c?I_Uv2nLo!X+QI4 zP$8dsj$WzniY4niUlbczlC<73p>@VCw4voUtefj@XckR z0m4VU)mzMc)fSQMW2zRDTJs5Y%sMS3yYvdSBhE5>ghuV8E%!Zrh{&(IZzcux4ZUD{ z!~Ln8yE;Q3-F+Q*xDm4~tf|l~9?$KA_ZC6iWR_JIEQj1ww#_U_;4*;USobkTmOJ7? z26TWIqM=oj+?y(;{cZ%}8V49`qOfYSM^aYw!HgN3FK~lZ(v#L7FAI*UU#L$>YPi7c zIS!3t2l4q3TL+c*jZQeP8uLe`RV&&}K6ZS0xlkM^fDCjELfCMh)0iMo#o^YeHc}>F@pcX9*6)K(xUu z>*FS&TQr2*J2(dmg&;Jqk)fJR0qowsF_B4jn*Yw38~CA~FRS%Cir|MF8eBX1$(Jz#{)~LcnQBc@n`dB_O>B*G?rx%D-ypV>CF0s0 zu z&0)ZQQ?5eScCEH;+T6Ixqe)|8xJ*tbZ)z9sQNKD(Qr*g}{CxImCAcB}{X-7N`n1~d zp*|g;9`g8NMJTjF6TOl?;3*+|nGq$e>8mRVvonZl7YzYTYrhpSoqgxon17k~mHOz$qzy3P!p(SKgH`I*_$z`(dKboTs`sMLNu* zSTU-mEV{$LsO^9uY;Z=jfEaQtb1=w_|Hb71a?h?=(%Qx=@E%LJ(76#kx4QnpADlP8 ztcZ^vhvYR5wM9C0n0@d9#0NP1g}J{0iMqqVW;WC)ss`-|FxMiIPX{nHq)oD0v{nN+ zgb=7T)L&eJ;B+!63mcWaFS9evsqp6q zBH^`Z<5gScB&T8NikzkW!#*N3tA~y%b#<&Po79!YATd$59cwO0o*_1R&3sRFewqx; zF{~;sw5b(2_7{KVdEycVbv;?Tkb52i_E>o>rid?1b0`^^#C{CUW?Je5e`-IibSX86 zG)0`oMdEzjt06}B&$6o}xQFq0IC!s?stUW3=vM8-^psffo&NBVmeoMiFgBHXhp`2d zfes5icyDN1A=YF#;anF{hg#x{PID<>JEO$9(An|gjBV_8!;c4}DZYmxb631(T=FK; z5LqZ0jY)B(*M~)n=cM#Q|ExWn0P379sm&t(q=mCy{ct(gqI!vG^`tH91J4*aua$c# zhF+OiEM>=FvS*;+ymLI?g`W=!LVv_GE}fFbmMVVX5!ww{euSGVQt(?;Lu6+}iOh8^pgH0G8Vx9aN%PzhRYy-Y|Z=wR2PdhGSgrG+$xUXQSg z_dLugOPzu^+W@LZ?_3^be3n4xLJb|t{71Qcch=@;;bgG7k2k7^ZZj$BH?rw=$&&h? z;d|-`u-?Pq6XrZLt}K1>&I>)2A3cR)<%>~E$zj@khr8R%#HD0sx@lkHqa53+;W}LP zwf)J9{Ez6t@Pj+IC&fmvr*0f`Th2^yHLi0%k=;D)I zHtq+!9nnmszg_rFv{VTsvC;Cw*S#(Jx+0g$7io0&pi1H9F)CXc3}vAG71y5@ST00G z4|dF}?{MV2bb5_x%?Y-yK?JZV)pI<77s0t6>*Fm#6ZRLX9B#opx6L972}t9*M@lvi zBJU#PMEr=2bn7^v8Jog4@vUWp$9q=`5XU9f5NCKU`taGE+yr{WtKg!_4-@{#lqvT? 
zb>yPghME7FzN{;CYYkpD_;LH9<;Z*Z)Y7{^7e`;jA3a6<>2WiV?D4dE^9LXxF|TW4 z+mf$XO&4TK-$zjoe#`Lho$NUy-)HakNF#KD;~3*XImyBe=QK9?bwWihIav?~)XeOl z!0xXnoH=*@kE%pa8nF9p>aqAg`rUuI^?rHPN5En{d#gI|=coMf&fh)n^(0`M`X4GY z|G9ieP4j<0&^I4_#|l0ArBBCJ!ndHHL)&&_?Rwmt|}Gme-d0Txo>g_}8tf(^SbK1vflmId=< z2G){y$jOG*1!8%Wr_)dF(m27lorv9Kh>#s4H>*HorYbtAq=$10Xai23Q6w^goGQoo zoRBGpE6!}LYeHkQ1v;ef;E z%HqABc+4p*#f!mW#*4V_RHiPj;a4g|o>rpiQ)AbZB;S+(aMo9myWoxIF zS>_;WsK09xh-#!07oi&}CnlYj-%v@~NS|}6u}W|`%BICkBqd@Y1JCX)^} zbSHnN!@9|WySa=7R~C!v*5)AK{lq7?E=sSI@$o0~bJ4)~7981_FJmObQuXwo^$sF* zc4#4?^8ROlb~b4;C`^rzXl9+DQCZZEK=M46AP6v=FzY!t2uwT$sdIAdUa1$ z6X`YM!R|FRoG@`cfHlVR$jm41BincjFp@(Y#MIX~eN*ah&+^ z)k13oH#VIYr(ppGZ0SpDwJ!LZ!JFw+kmOyxwh(C-aOdGcxb zJ|OhJ(LFGXG?-z$AbwK~N3JsUVi2m9e=&YE$;;4gjIAlh>B9yYX<-z`#Kp28PI#e3 zy(qJM2_se!YtZIK52gpljV#KL)iQCjKJ-Hj$J7;&?uH@coxSAMz~x7SUrc~i%DP<` zXYxHhl{n!HuNhlPlE@gb&&iz369LWq&G%^@2o0r`7+llN?p@M1MFA>uu0>2>SwCU~ z(iHU)Vw+{Vw!07on$&Jg8>NPDV&r&kU#^D_MXSCw37l|(p+qmw;@}i4fWDA9`oKD1 zmPoVz9%^(Wv586Yx(exg6SJfH2j`mQ=Hs&K&BT!jT&*58?oHJ+cmfz7G$vHDINvB` zoLmh6rC7$IJud@s70HA+7sgX7(y%+w1ETn8>`mKs^`yw~B(vbzH^R7mME%Nfw-rO} zQ?6yYp~R4M(kCNNoP$ATxLjuswPJzH9zf){Jlpk&n)331#T(qY$&NB+h}M*ta{uNC zeC20_GImp?bvW1z?83$cF}v8+$;@y=H^Q`2*m{-AHbMegcekBF3J$BTK__+D_DJx| zdv=3x_1G~q#LGa23?oi^aXQyGiiUgSag)*Sv+p}cA>>Gt{uDCvH)LCPK)iIow8DU zMPT@+PE#Huu0R11JYUyU^F8H~Gkld>!eNvS+f`y=jNq1?1g{n@cuu?c5>;<;$>BJ_ zHxP8(;8FkmWi&QS-p^F#3kO{1$+R@K*my7D8 za5`2uOvsFWPj^EP^gI+^4-6qKC2!8v>I22R718ynQb_<1lj5ni*7pr2jcR5!YK!Fh zf7pA^uqL;rZCDWnLTsz_5hA|N15KuRbo(xeJf0tBQ;5do!$w9tDAy@e1# zDT4Igg7g|f3xNR1cj2x3-nyUnc)q{i_wFAm2Qllq*36n&GqcV)7aHBa1;AxD*&i9? 
zPk8U6tK=l~KNVICGTHCjRXPcMyD9%%oS=ATwQb3g)nm4#n6NC>!V1Yq0NN}FF+Cdq z9*|0u-Gk%cU?{}|R@Yl@6I4%V20a42O zE}~TNOxO4QDG}Tz53IV%zg`EMq1XLrXWUFrY^(DiU2u< zG<`0wxasrAN@em=*BEdG0-HBXilM)(CtV3X6Cp8Z$Jj3bY9?E)iU2*Edi_vs<1qco zC6D#vPm--U#4=&lDwE>URvafx-ES=BlaWc1!I%79s~&e-;B9MPC@`BEyMHxbOWfio zFMGMqCkD6kt9>rdcYrG1*>witxYVGl=S^1yrtm(?lguE)dv=&5OES_)A#ESb0}80A zRqDyl9bW+Ms03@g60y_$FfRkWD~%5mn>>w-mFT#g4)W{}X{`4_ffp!-YHe((5LtsE z6FcKAQuySS&$fvD`IK*X%vR^G;+HQsExEVjxzP*0H4C7e)Rh9~K%)2VM#~!~wu9@o z`ZYL1Ee~m9A0y`pDrOSFoLQEJSJEQ&KK1}om9y(ATv!RKq6gEy{t3#W~%zF!p-+ihoz}O6MS`Tu* zuw`XC?4qNBM9ADw>00Pu`vJhEp!4Pjqr5MOulk2031!GsZa_2i4S zpT8u+G03V2r3K%2k@1$9K;4r}nDnU}J#sv%9abw^+Ax~!EU1IP4FOyHw=c800yvq) z;_J`|Oa$ejd2XQRnkV~)fvL%xD0&@OUz^d=N(}(+D4*>)JS!<&YW`_UAbPxv%@%b8 z&h^aiadwDWUNwu5xrpdm7-1XWFU5yv74u{#*DQ}RUm07gTd4oym79n_Ec-_`rYc>c zYohoP6nR~3$=QxX?LTW608gWe584nM5)kN19VxK=_fSGfY4|h*K=^WItxTRfcz;8r zBWtHa)B)eQ>C%bRUg92i8e@5H=PS!%qKY>yHn^wEPXi>R z!xG)AMBWlUOc2_2Ttr0=d+UaNINyfn=TZ9LtvE=wEfuNJ{{64uVr#8=Tr^Z;#mDw& zy)D9fZ&l3Yu5ddL6L<-TRUvKVq-p?amv##YRJkCLf58^5E(5qjHnkRyMZOE}m0=g|a6eFH_WLG1 zX1fM7D}~mbbm6e$8t3v?lXN{Jy0tDRaSVonyDc`QBH!$@M|`I2lxp|+=2BNZIk#5u z$y4j{3TzSp=1P~lgndV7ND&;PD?8HL8Z`r&wSz0F7U3m+jn@65)>`bIB1FriU->=N@!BYlMx^ULpppmm=H^(_x+ z;X2a!r%*1R10fgYm!QXjPF-}ds-Pjo+n*U zzvIE_+PX4T^(kG)=H6aP-E*!Mr|e`La{9U3^2JQ7+#Ie?Lq-8yE}DgQ@*It`lmK_) z*|Yw_l$rpTQh}<0^ANA{^^bF@xK^_W_yle=`znFk*DYfdosxob*Dyq2kOF7O+fClj z#lg|0ZfBFnJYiCe#wDt>dqlR`B)1;U!$u7~V^r6nUDrfZ8mGw?t4Ae&E}^iz@wEN3 z?{}8RN?8Z7jHe{g=Yd*PU&a8vD}cApGvz6`H4y5&z(QQMuO%$gGS3=UEJn898~Spq ze(j?xsqxDY^G1BZfj7SA9dMqTwNukW=^vGKbG>Vfpq#*&i`+V#%=om`YoC>|!gj`+ zYXH=reNhH)-9e}wO>osX1nLTDuGj4y>NX#Cv$<^bG@5Zj$~qDXE!(o|q$5^5A1wN2 zWnP~LN+#=&(wWcf5$Mqho)URB5;>t=?{UGp`XN?0JRkPa5a*H_S)Y|yuM34T+t-4v z{0Z5&fR>!FyIsRAtUi*x55q>jJ7?yce8_Nh;;mp{2T+E~p6Z;w)+-tfS)p%9{!#bLV>#Yp<%XfJo)SPQTsiRrYNOI=+;!l(4_4;%DEQSHAlLycc3D*?Ik^% zyWn4^IPEiq+zCuLK(FVNf_!GAwWR0x=!36mC7OEgac=8uEv;O@k=}oL2=phU3m=5k 
zy)M8(>lAF`u0yfa?-!m)UUJ&)d0$v6Z$8_u*5Z8#d%NbDFykV1AtTnE`Ds&p>suj}Z;rvHca!pF_x=K3mC{lxCC3G$n7X5Y@ajVy`FZeNfh0aWFe# zF_v_DS6X%hZ(C!hL*``|Q>raaU@w1Tx2@7^h`kKqDdx14OOozP|iBKd7%QkF@~w2x}`C+T;;Ca}h81taS84-40|-$H&6pYng`09HD;GX21Ar6qi_{ z+Z1OH1lz%F$vlnCAFoXJ9>DRH%1?T7D2Bf^Np-cd(@EULm0r;^d?|w<`1r{efCwybr*LbcN5LevE9}mRGB>Mop#TU?mr0NOD`ASQ-K_+ z%tCHIo&mpSC$Ppu2vD>1eFO+$YdANicZM7E?Iu z;D14CMnf3UEyE+2G5+`@0yyltzVU*BzS7H2geKixp;-GV7=IBo6z#x#R&qA@oqvUP zUxOWaodCz9=giVNqYLL7KJ94asa8&|yN(hBR2Mfk&{{tFo7k)R`JJdYodX}rGkp0> zC&~}CwDA@RVrpphwgj=pon&P+=lc8`QYVU$WdTS|Iqd6L)iR_Ws!XnOI^K}?iM}1N z1-KpdO{7Q1X&2h;(z~ielqSjx(JM$mtl3rh?E&ZHXn`P~>aDJPj4tR6*#P6D%=NX* zSYs{Pra@R%dD16;@izZ@>L`Nam8l+rcZiQ^TgsK?0L#=`wO^&i6my`ES;0#@4}lXJ zi;l+j#JK08EkX(0V$$cMGL%V6$lb{R!gCwCiv~D9a@fhAzg`u-i}` zs^sW!2T@Nlt1=Hw7P}8nU5^J8zjjB>3%%6Aa8fqPO);C`if{P zyn8{e@f~%{PL0CN;=`x_V)^$KctDVoUxi>UYi6eIy-C}x4;A6@wwj=IaKDzhjlc1N z773IpW=CXhyAXeN-Q~vc`@wjvjT%ycWLKj)6_q+pABS-qhKvI=Gxx-90OyD2IxI^| zHtyTlV>Bs^h)x{C#JNvYVe@a;wRoGh3~^Q}N)l$ZwM=Fv+u!KjOIml)pZn`j^_RNh z-Qkk{_Jkq3sZYH`*(#+F?-x&6sTCO<*1MlfZ8NAn2_Z&l&i1{bq;KCPy!{Q_LZV8b?RaWKrQ|4sa9?27}@+d*nDT*5g4Ib;mw|efP zrK!LaqfT#=O`Q+Jw2W37-eXO`;Un8+)6d1rBbXfo1}WA3E355x%Gk=A+A}Z7X*`V- zRn%hc)=`>lerDRM!-G-C-LHH*J+1U8NyTjD_0142gQ-w~=6eSPnvX~&5JN((wA;}# z4zR4E{ge(quaP`^kOm*-WWKeBw7S>KN0t5YD;I_d%G&;YemL6a1$EP1HqVg&Q+=NH zvP^HC*5Q`IHV`;(Sa%bocC5hlyPH1f!c*Y)c(38|H;XoHOQ1q>UeEs6>{4Ds~kS7X{eN%eAL%l`~uCEY=;ygt$_3y^pvlozB-e^Y049lfGVgQY`2+)Votqyrc_F94QF8Vo zd&@8LYGZmed?Wi&cNyw2cyndu*`bIOlyN^D`A|+{<&*hIs=J6V*Z5pUj>uCdHn!`s zA4}Ss3`$E;4a2JOwUIx8$)N>~&xgFWmPXUFu=w(Vl0PJ=OwgV{o4N z$(Wi5X2$J;pumWz1uLnuhqAnCR_|}a8erH@_dS#%Q!Ja*!G?Q}725hbC0k7SR~A>Rx#k*}Cb4=;^gUt=9SK!q9+`#_4iXi2OiV+6C_ooiSM6Z1Y~*4v z>95?U1Ys=;&r6n88$*>rLndvCCYdYO#xN1pQr5|kF>MxG-r-7Eg)*cSgzOy+#|%wF zeWW3t+dIw3ScdFi@zfhj^{a)9B^ADZb;!gA0mm;}jz#TN0M3{g+#ew(q1#RT$g^;P zZJb;Mb==A9*j7fA8+-J%#Y`$;X0vx93S3ZFoeUoF?t{pjXgj4ArlK#k3%S_aN}tR| z#mhwLU3`J<_N;l~_MCy`N}LZeyp~^L6#_SS%>ZTIqVG-_%eFfy)!s1K<=iiB0`^mr 
zv8j#iE!8Fiyq#p{<}gEq*^pry?Y55TbQivhiG36Y>JsYuWN-BtF;ftfDM^T@_1as= zjq<+9qoK`KfR@$(hkr=wZR_j04oz}eYC4O#oF|_DSZWX8n($kXH|Ny2#=JSq9AS23 z3$y6t-g^`Y$py~XxY7GJpln0~bnEE>zzV=y7U&%l?Yv|ZbGwH-ab>VKccW5Z9sJd~ z9HMpyl5ZRHI2%7Vrf>kE%`N@VQM^~NaMatPBOL}A8eZt_%-{3;Jb0MpPVQ*|#bNO0E#V8U`$lh8%X0bn4;W)nEZy z^H$>Hek~IPFu_{fNOG11u!c~d&M0-1uV#FTCE4>)u!shfq2+Yy3;0a(7GV)5lQko= zX2;rfhnVKR$(d~Dz1nzylE^PP2@|=w=_;(-O~;%Z7|z6Qpy5pd;Ovivr zUlCK~CM!MDD~gdRT<7aqxcLM>v@SQ@UJ;B9N(h_jv-&3A?4e|hFQ*0q2199|QZ62S ziE`%5r03Q{GTW?K&t+T-6?nev;eG@R><+}}Ybv{Svr;Pkz*P^MtJ`}xY`=%+XnjF0 z#2Hm*Fouqg_nwgAVIA>S>>8<0$%TZWXUZfy3X{b3eE8(Fyr$u)Z*q-=_z6Hab4XD= z?@>Ej#&vVk{6P#A2&a2$?vyEx$p)t)hW5PXaHwJ<0k+eWnQrGKATD*eX|Dt@25qee zBcr;09Xish0!KCaP?6-(R|}?A?-n8mO>U1L+%l0N97f2)S5k;Qxt?l!p;bP5sNV-?LuPhkD8gHRjGlV`H>neXXA)K&`K?6QoxVZK7sPLz3j)*I4lByH!o8!fy z#1^u%V1qGhq_T~ON5U%m$Z3yF-fi%^miva?X;@Ug)&^P@loq9tK5iV+hq8pVx3_0c zeq_%)UK_!T>+U;6NiZ>-D8{IXYtU`;DuvK1%b~|9ZLIyE6aBK_5}O2rp4&GL3v398 zHlIQJ#78tSkEi9&tww)vUBZEh)>R712_VfsuYPUWpT7o(KeGK2_kM- zWQRZR5b-$#=p&TX6m42tIXKZ|1#H{gg;xR^3SMrW4FE!23Lz8yZqxRez71Z|7lV(p zE@3349NLxoS|k0EnBq7WLll_YC=3a()i;)ij&kObqNPc1GS>KKcilVGLqe%9ZI%vN zP!f#WJRf$GdB_K!)vY^@Ld7bJ};~SIbfU%Azf>ub^)W zQ$YV-i$hSd$nKW*F1;B4qVg-8wSEaV^rO47WK=c7B&3h}!HmDcN=bUy#Yn$Fzio`h zR;4xsXLk==X`?4n+5Dte;!q?x3zb|UngK~ZkH)2vyQ<_T5>yVM3v=xv(#IXU89wtU%CpyUiNoNaUm5A&K((0lU)_7L8ZeEtLMfp5SxMbA7Nk9 zPF(G_iAv3QJXBS_a_m}Dn5j0~a{Fa;RluRNYN%OXAz(T@+gxCz2lLgPT<@i1V;Q{_ zIKIxXOOu!=GiqEp0~cN>G&QLX#q}`aR@g?qXD{yKM$;#>Bnb$kdr9w7mJAlD?fz;p zGyDMTGVPlVJ5^(BW_Yb@f}I405#|gw@A%RspK5E_LhEPJ!xQ8#0@la!nj+DLJj$%% zwAT(K%3IyF<)J^7Ig-^OSBGdxc2`Mz^~|R~R4u+WI$Dn>esN@1_Ca6Q!M;oXr_ZMn zlqQDQxs`RI#S%5R*1l%@#wVlFZ^sv1?V@FiM)?L^Iwu9Yz2WO$!C_dqfBf zJz9Rz#?Oo}rGC&g(38!`cK!$`mdh}<^9`p82mj&-HbwY*=%k(@t&;9F4-;a!?>*FG zMszGf*)N4fnES9gC0pe4>e(;WBst5ORf5t@Vrt!G%%XK0^Ps+Gs!tQ!hO-l{EiTDP zAUawiFvH>z-A_3FwdK8A7VgzUsp6GI-O(RmLlc{w52pQ2{v_;2?qmqRN^9^4<+@K6 z!+UN3=!k-VZy+~hSg+dy33V{BKz#rC~O>!4>TfDO?&fM1K&Nk&A-IFyVfvhYh1*`#s)v3R+@;ReJe0Bd)JY 
zyy}@9EAa@H?=S-}F3@<`e)a$IA#{x^q=c3h{atZG_;xY&uK6OT42O$7%8wa`1mIoSUQ8J*Iw&ZV~ZBbp?2?sqhakS zhoer)kk%Vd3KCPCDjLIVAI7PazvJqfQet67jE&JSZf{Fd-Lk7`<>=VzjlKic!7sSH zrN#rkXQd%+TSQ9xX}%=w+!P%wDv!*%!9&dh^vsO2VMr($Ds7|5zkl`Jm#sqYtE}AS z+1s1jLOY1cZ{~3PuzRu3ZLP$sJzX-|*2$n7{wfL-$r0u0Z5^>C%c*sdI@G|8jeO&j z_ur%g9Hc7y^L5}dOn(i*kpY&hY&RsWr~Jc1n}kktzA(kQwRTf8%_5kH=?`jb7H`M^ zt?pvn0uZtvjyiQIW20Vsa%9s;SE>w>SnoD1$Ld*cpI28Q8R)&zO8F4UwTgSt%l2V& zP=L69x3bxPxvoO)U=C80$x}d<96?7k;ZIY~vESdun*7x>z<0ERn(tM$j$vaxR#NAD z5;Ivi9Wzg^fTMTnintCHK-SB!>7Afr4SDGExd6$fSr&403Xf9d#*D)aj9oZeQ?=2P zhf8BFbJNz#Wvg4?NXV#C)$Qi^K5*YA{-b=OMm7y7Qt(vGd|hL}oix|yB5u1ELF zZ5F{}GyaNzk5VBohErdo@YtL#X4NN*>}r8`v=0yVw=T&LX8Ur+r>*f_V#Jk7tK#Tu zr|V?g@6)%)#J-GfF_p{!zEfn)i+Q@ZB0ma%jg#?=rZVQS(D#lY<#kL9`PA0CXiMX$ z*0^~F5QW4@a&~gbUb(;fNY-%|Nqqs`rjXF$BR^XcbF+9)IiXX)v+Q1oyZ5Rkm^iw$ zWNlus9Yva>fRl&ZeHn-P^EMzS^zxz93~O2%ute z6TaD9Ml0Gz6_yEv{rw+PxZuKJ+A`x1X|&erGoN1ij5=`S$1LC1YI;{fB+>MBk0Uu3 zzuL(9uVvgCbl&u^=Cz8iAQc0X+)wF$sRDUKU^s}_-~Du1z=r4zmf4jYk!*LR3NN(0 zJIa37Uv;HnrcY}k@|7i-&I04KTM$AQ3pdur|<%2<+1?`!PaR5|1dn0PXwybk`KG~t39l>AIM{(-* z+SWM^V}Pq^LUL>SC2$nbepnEuuOlwnQNH!P#ix~jSf{Zfxd@TqfC2-oG|up)tOS1a z`_dw^X@!sVZRwu4J51)A{{-Z?v$|iZPW>$Hm~^6&lK-ZUm6<_c#=SK`Vk1Az@c0`Z zUX00wbsd$0gIFZNqHf=6*YPm5fv;rv=@Bw|!RL1H#o&kbvpGHd>!=q(-@1GFYQ9YW zI3vqUZEZ-oK1%>l*G0zb$*Yx#v z-znYifEy84>q6PL1T+4hYPH?QH)?^@v;;qMe5GGICqFx+MinHKwc1P z4r7tv_p;a-v83$#=#5`;&epR2B0EgEzw|xA{)r4?@d_o}sl9Am{MAii_A{vwRmu2;YgS`Pp(5_mRrNl%2~>7K zqD9v}Bsg5hiF|Q*O?s79=(ON_&YvKjG64K!<2qYMLo&dj8IZzg8$4Ax@q|n4>1@t= z(0(DYu7~d?@qkm2xIPnMpMZ9AYDoJ&g$?DuJ#>Uk;e4^%y+htQwz!^-uRZFn`F5Zi zi*xoFbH-JY`CXDvp*lzY;hy7=krqFOtU?PqIH~L*%oKcbbsD za)QPxlhn^eVWPLakiPP;zU9(f=WT4pqxincI6gjs;(IU#qhjxzF}v8L3G9$jkEq-` zo1fyMq6Iv5!`+6fB}#; z%WL%u(m3zpy;rAf0U{~*gLMakA5*GnV-dFB=)F%VO!f4;MiuFC17%wR6 zoPMePKiKK1BRfr{r)>SKA)`kArH<{ch9u`uu6A}e9QfRk_N1g&f%2RG?0-kAxuu!l~)T&`Eo=+ixM?=7FJnLd+|B2od3PO;AnzJtQ9cpal-JH9mvOm+obm{rxg3s-ut0v{A@KuxElq>E)WTZ7@_I8*2&!z+{K-2>B 
zZp+hDovYcNi#0nTh>37~ZiicQ{$8PT{RwTp2+5}6A%GTa&>1&9AqYbNtxZa|lj;Un zzp(zt_5alyMDt1(xP)+ z_?$ukana&q!&mKyj$2uCUl{%zEXNMeLxr)lZpl#>@|huqKH)K_)Izfmj5}Jn{1HW~ zHl|$w=@joRF=ks<8)pg4eWcdJ|K}*LWUl~Q<~`m*Tw2y>IIC3iS8Zz)*fY>(p#n7? zDMWsi?&B@qd2~Q7@9qKxhm#L%>I!lLIh4Yid2&V0^Mkn)USS^@ zJ2vbYsKRXhB>!R6d;qrqEVH%hlP8yY;$m~yelyU3GvI=e_N3JR#B&+onkrvGcgYZG zZO;fo$bhe6HC0ZI!6NkuzP2@vNf4y+2oW&N)C!A`fXgo}6k_aMqk>!79FT z)pFnrMEt3aqp2<*YgAz7wk?fMIEKC=#(m|_3CM;WVbFq?j0yYBak3*fh|FJC4g>eAyl*>lN)-AI_s z9Hr%Ov|=7T9j5$iEly!=gH0!eFGx*1A zFZloI;PYgGnViX&CPZI8D604geak2FnyUT zf$$%^MalIR)^?~nh!fu zpCba{x{plZv#vl70)W`A1(;|-v@(RLI_FL&rAr=~2e*-zrVb;f^ai$wS6 zfeO_XA6{lQHUa#KOJ^lEKi&j^wnx4hyMBE=B|HXnEZ`0R3CN$7>HX1bKxoyFd0EyW zZgY)fGsZfi^HFkX=d5O273f96rIJMrvnNjFyoN zvN&n(d0LUexi^bkXOw@Gp7+*2^eiF=i2mA}RPfszo$6tmIGwhvx{*5{t|5K+4UNR0Qprr8W_+L4 zGYxa*DX8`MXp*cZ=3-M+Q!6o7F4VZF?1ut~Xr?}x*0@#Mo4^2GTv+{q*VA4us8cO` zIew+lQyvBRe3adWY*dpU*GP$Uo$CAk4|hgmr4D$Y4rTc3N!<{~%W{}{GFB%a(v|^F z*!+0|_tY=ryeOMJ$5FKR{y_&8x$VPj{DlKkMr>Fkkg=W-@L4B}txZx(Mc!DXy13&D zf)rvKcNd_LEQ!rx{~6`LTW%z5yw>HKW0j(?5GJHIG_Y z2d;qpmmYzt-&sN>x9R!evuU4HF%BX0P;ZM@V^0<)8a)|J-Jue@uMWon4#b2Ti&9&w z&i4CBu2jijk&kOY!GM#lZ_vYAic$aS_JPFDGC|^nh)|k!(!2@&za4`AciVgeP!a0U ze-*!<9pCsmpd7$v4^X+=FYD-oCpsiBl6{(cdkd!HDu|&oh}|QqWU=qL#A+af6y{!> zaBVSO1E^Hb_U&({r`mU}IX{T1M5Y)!SFld(;n^;y6fYDRjz=uhzc{{nIlZ z^F0kjCc5OsP*zx$;|rie1|Fq;hwsaa<*!_|GyCcclha=6;@C580O?X-tSNZoPSpcg z=I5m<#6JIPfe-dsnugz-_EqA6CNm&@fQJ`o(G)1-ML z{L`3ep?@w+azN?|ngvn9d7MU)_++ked(SnNhx!1|&3GR`-68I_CP@|JhJthzmNi_P z!tTBt22MbDNUzz&KQXNYe3UZ){nx+ACkEL%!<@WTsg`1hPP5bI#Qix@O|>KS0@TRX zdh*p5wnv%mXQV-achE;1JOB#X5okPw7Lavp|UUyU9QT0?Ttj1BUH41G*-8$#gVC#a=)y)1US zakL8Z$tj}q-KPNduo5^N|HhkeONsm{?e$vVfdT)+14#hYGLV-IMsYu^zHsMxG{`4i zdM#mN=CdtV$V+I@^p2r-%=!#B(1XN}aVtSGuwbfJSls}(6qH<13H1{l_z2Wi8@Cor z-M`u)CQP%TGFt&4a3;g&tzF_Q#qE_uZLyi%{SD%RI${6C#&xeiSqk4PV+zWRUjNLB zbV7g)J?7Kk(^3TrM%oS0r83>cli6MX^|4R2T@_RuEqY_pZ4&3;_DL@2+C*EO>-PJg znzF8swLO87YqQ|&ZrsQ8@r&8e=-t&<3#V%Bh_%k{n0TIjI6yxnBFM^k`8x&u0Kb>V 
zU(E>reT9K*fPL9DibQ*#YitUjkb(16O*9}5JK;|{i|VIKA3tBQkE;RpJhBPkBs}pV z*V4R}(xv&%JI(;{#{PMI&sdCI^C%G+xMn23q{nUa04h0xE?dA%1Mpzo2E&AqM^}svHd@&1Cr_Mx0g&)Ieym~8(?=ya8clwC zYhSw&7-I5LnOdasMj&(#xclO$dUvUC?1;3enx%5G(`9LV1hKv8GqGfuM8{d^vio7F z;^lT69eKvNoDAcP%&#tg#+I*SMULD`lzmvHafo9oi=8K|!rtHxe!l(vQH{F>`junx zMrxPR+cRP<7X+Pjp4U>3d&Z8rr&B$|IG-T-Aj^qv%=&!ipYEatuptq~B_?+b&c>$o z2$>f=g_RZtHM=|cJwR3;UIVRJYxb$0Q3uvdQvjyfTw2I}d}u90Tf+??s1w{A>^pHp zbs(`6Ff$G`AV=>>id}w8q0`H6E1vl4koUiiIX)Cvv(E2}d~xN9Q+HWCwX+_)065{_ zt#qf#Q)xB_cyM$xjRE2O@qdK#vS47pZJW^@Dmll$T)TU-UImB>bxBl9|KXNIj#MNM z@}%G}>Nkmdtkn)g>*Zb-A0Pj7?$Js>SRrZR!oob2RuoD-lYbA0);Wu>{v-a-J;IKN zlvl*wY*awUP@J!j1j5+%*yHE_j1vES$^T0wsr2^3+)*~{N7;!Pt+3G>0ynsm)62;M z3H9CoEvdfkv3&uzk3j<5J_#)@i`}UyI?AU=u&V#BzPvjZYgz*|F2I30jO$Scs9bL3 z8Pet0PXHnK#Bhn}|5{JD?S0^8-xxq~R621!s_p-L`gZ^+*f_gvS;1$j=$#d<_#9N_GedNUkr#~HN6Fi4YtNJLg}CgX zmEjUI<~AvV*RnT&=6P>tvu3Z0CePA8J{0xx`y=c19X;BG#^$uEU4SZ4;XW`9P=ZXF zNOX1;kc7|%$RcPih^;Y;0gduQg&;ApmP-$+3S*r8W70R;OT@|h<2jtq* zM<*RM^YLXOma%nm>{q(GyT8{H47KfisD|G4&)*~;J;$p4TiOhamZE-C8&Q^Hu$u>Z z!q2JSIRHAx6Yn9`CKhCeuQT0R8lXQ;F=FZ?g*wEqz^3RyYIiL2?9>>}HUGnp9i z$9-_NDv( z4H161<$eyJ*yq7pL1OnI2ogWAV+ zXDhjEb)f*b#7x}K-II+re>*FzqftLDiUBO)GoV`+J8D z(R_T=IR(3M_50E!U<99CHi7aOy#;7x)_N<{exkP0^~~%)a+OiwDp-W5W-GYtx?q>5 zkn*L=vMDHvqY8J2aGwrLJBjX3VILzY^ab`Zo9j*7vvTlPgoCZFhIlh%5UU35KFwa< zvG}W$9PAD1Q1{L21M%;Gqjd_z14_^16n|sl{VDaIg&9(dKeh04y|YsT?}ep7Q!|MBZzs!CBjS~d6O9{)4P{ZEN*6DUKq%ZJ?lKMen? 
z==JgV|Ka^40XyH+ymI!>?f2j5A4&9I?H^So|6Tlll*9kE{iCGe{~Fi#omkgeJkdo7| z%f31WfWdzK&_qtY{YL9y;NO4upATi#Nl88KTqK|P;~PhxYQ6=o$-Ka6{%e%Kh9f1P zy$4)i8Rgqe_1|aw_36J4`&}siit&%N_3r}tcY*xtLH_cW|M}rxNBrB4_3sw*yN{54 z_5Y0plJc~nkrRDqDb)VY802V~cLxCx1vPst#XmosRR$u8?4EAMKj#g^ED#`k!5?#q z`yav=C=kAYnW!L_e-C*6eb~QZ{1LXw{<}bax0?Ui&fEt`3i&#E>YU8WD=HO1AkaNe zLxr8L{GxU$n49mL;8|o_TU$;+-kZzvK?=GqE^DlLb_$Sk!eNM&HzC(5dCRC=Af644 zZBM(h2ip0Hl=Z~E3m&b_DPXzC5G5MAT<8{@3PSiKxf-QZsn>`o{^sj5X{6B8D z(-}T=gVXVc=GKw(tN|;%MK(@s5f|mGND|O~O=W=#& zZi?va&fqukqov#TQ}oV1ilO~`I4yhQW5fn*l5ls0jld6ectMin0a8z?eP2YS?R1x=J2hHJ z@ndlTvM{9I8rR=ls&DD(msDH5nH4iF4j=72GzS%R>rGB)BxKcX_qKn1IL@H;-ZoLN zuE;CZWNfpk$8qERIZDQY*bl6E_kF3ZDWbJv@6ELeDxfrt1bt0jsH>d&`y@UcBY)Oz z8_U&h3j#fLFU@WE5;7AtqC1zQD{?F%_p8hGclDMI4Svrq+R`rTKGNk%HCc+CtmN{6 zVPjbt1XpTYcAv$!<;yljiz%VsGb$)-;vVHi$ij3Ymw($9d?P6fY;E7hgz=P`R{|*6 zTSBneM*p(LmszO9J6ol5Rq{bY&E2#P(IwLaHiZ?$5S6--#zemCKqpztdW2WrkPU1u zLl#q!Qxo)?O||jAUp#kFq zo0@#SL#9w*%Ow1PwVd2H^{f4Owow8vf(3MMsy-Ch;LyJA( z=e!rRA3t@X`-EB%hC~2)pi;Sye)mK~kk_Es_>IQrjs=A=I$TT|w@ZN~NzB+PeMR!^ z)TZOD!--hDbXZL@U7)o-ZoS$fc%TOLqgr?axN3o|G)dAp79;82WE zBcSkPeU)j_%g9;>o$`tu*cCTeED8Fn#I|B0SXJjNTMuS|ZV{WHdGdGTd+z&TKBht}=b|O`?Ech&%^m%{>>#r_tf>!QRjuVa@-tG4 z+ZSrFWcb5!5`;Hh-fv!lRE4j*JneFPLj2RuR4q-d?_DyBOdzDEN!mZ~g~pniTo?dc zlbW5~(YVFqI~6%pMV=}ZtB+E|stNXze18|J2_p%Wa%=D4DD6^buvtF~1dL>Rm@?#Wm*KY31wD-3 z-kxb5&_FIvk|6Zd=1=`i_vAF!t3GWug_d5+QlAhWyO2JP&h=S8ox%L{L9(<^FN@%^ zV#E^Tm(3{G(EAo2@HG1AvZaEG6IE*_GjmS`fQnDd!|>l0(_oyeWl9xr3RzetDkAKD z(!~9V;?BB@S@RC%lRXLv?25M-^;zHAt+f@L|LJYKS`NwYZ&Lw8Z~bY@poCYl4tC;2 zF@~}!de616zuB@ZKM;}CTnLowqwqzgTwFGi%#jsf{G3Af#}Ya2Ym%!lP$hcY7d86Q zi09|f9KZP-BOvZ`5zsSeGBX}OcYgij^?-J>1zeMm{Zt-_aAUqL~>J(x9Pn0xZa&}@HS zhvc(&fuJ|^$pzsgnnkMk)XpYA?7)P@<$inj%=0vhF@`!28#OkrkvK- zua4w=(@OkuH?y#OQYab2(S%?A?oL$r*t>Zua`1!K*tUs3EE4RPh*(p$V5yy9DbZ1@hy1)-!y!ONg^Wd)w_vyoVeyM?*>TMD zV~TB2@x%BWRuTSq3mIlge!}J}IOCWv)mceVMccy${moW%$+o2o?@s0T2fD>MSF4wA zf72PBk?gL%t;e9YIEuGK6B*UAxbZEF0<#kL^na(S->i3LStV`J)!z`(%Ud$WBrYjDih 
zq9pLV-n4eIc#2X@gV)`Zsx>8_W!;E-3Ip$~91Jcp49KUu>`i|JZ}YFzbHGv+d`&cj zfj@MXzv=k#tCO4O7c<*!+)!ZLM==MJ)#{m`nO;?ax68}RBHR^KRV^cyJ{(2xH6c8dmc7NHg?h%Rm-w5igpbT3G(K%dAatw<%?pA(MOgp>8+?9$(22qvACh` zcv%=1@FzP&=r`%!{6qq#+_taZ8@!F}@8dAG@FX50gDL2maW~2xr_zQk640eidZrMC z)#A@&p1|Gk{$fE&0}U9**(omC&il`7jJ5BHyDC%LYQ2pg3=Rk$Uwp0+xw z%#}nF$|w*rN!W4Q_(F#aLlUrY!@xZ%GldQi)m1pA<>~JFl+>uv;TNH<1HQGot%VKX z$^^14?-%N8A_ZQzUjMfHT6gyVi1Eu2T5$f zf^arkwZ7z#*F#Cnx--|ld_+hmAn0Ho+kriXNMWXAqAG9Q#(_wEAFN8&p>?+7>F3X# z-$oO0g_PNy%r+o+E->${LcdS(R<`==~Q6~D@VEc;j4`R_QR=a zYl+&|ggUY`Dd)l?I&A^Zn`voROzQU<^<6P)f@|-zpZ4$L-t5fB2p$Gg7nGovm9?L? zm4mKCUd$E>pOg~aTgGaMco@Ov7$@B1c?n;eq>3_+e;)=IbHL^%yt`8dUspecmS!TQ zPG7V8R`Wf_$^-8P#Mb8*b+h0qrtYSXc4Ee0`YUTyQR?+q0+D+%k?gR`Sw2(pQp=`8 zz$Ud~Xyo~uP>a<`H|ZDoK$X0NEt#sX(EXh;pLo(|4l7l1wbsq7o~tqF=!8?2a7?|8 zZPi4j;EU-m?(=cT761tSjt?{OG?Z_85ajSCK0f|#g7FCi&{o&Hz0@}YTt1+7x8CiZ zxw(QQVb>vQeLbzf%i|Dm55cMOLFd;nlGXF^Y|VETymgjG8t0Z==Cfsqhp#5Te z&WGsP@-`pjaHwpHz>Y~cwATZvW0d38qWgDWQ;V|mxDiXtvqw|=Wi}C#n?B0P4m^@$ z#%>cRv#exU7_+5;&s+SW<9P*q3|+kyU$33B_;TSx=1U(V;931UH<^sx2~%bvI-&t=Ed zA}ipKf8K;z{FUO16jGns_E9JO?t5i_mJ`Jsyf-`RCrUL}o0(w|ZpeM( z*DHWBUQ(?TbRHXO*p5B<)Tbhdygba;d1Q{8G>-%~~kX!56)BW?Nii`+S~m_(jG9 zsHYO`j;^Ke)VG)`7*}=8u>)OcqLlm^_#dc@{gWVX3Om=Cw|UJeHyQ3-ZX?{r z?BS5g2Vw}Z!t^SQ+N-M6>FRy10z2W99))(UH9bi>m=@A5R z>BFV)eV_d?(-r{6cDjkwFwX?`Z+wtnjW)83UwL*2f85A7-yQ3(~2B^p8+j1p4`DP)}~ zON1;X%gD%6QI=7pv9F*R!0{{LcID`_Fq`=lJh? z?&Z4f`@TM(>vP?6cO~#*8Og{*czpY=8}~^C4_Z8?SbWyPSfLW5>0OijhXuL-BR>17 zYQTjcCk{8?PV?>5T5U9eiV4#Fn!sa|i2*?*8;$ddRpT{Y-Fj$;U|W1wfoqyC9qapD zl(ZHCOT^8VgU1>KjXTtGDp!VF_c(IqLm`ba+6yhT)fi)r;>?V`P+~h! 
z#g!Q5g>4`FQlxx2|_pvWqG8Y*;TdSS|$GdN|irr2OoEi^5g%uoe(h= zKXklT!1(>J&$=nUFY z?@Gvpl44B{s|N zu=++AW<$lExB-AdX{-&dt*yOURli5?Z-aTy-5;LEH`#O6p{vfWmPW-=9Z{X3yCu*C5h-zit!C=A;ws{ zYKTy_sX6|}SO&~Yu{k5vC4ckX?A^h{im(Z8y=JI0C_y@5I_ z<_+vP0-OLzfF}_%Q5}N1Y6MNSbt|Z+CYyiLY**(+;OMOnr%-x`WltNQZiIt;(9bi< zkPq57dW>F1yYe%7F5kxZoskRK8=e)#QGl&;O1}jrCOtMNe%tiUIbk^}?(yW;mrHzs zC%QzZ4|ZvD6C}M8#=*pmb^d6_JTVm%hrWqC9CO-`wyM$@2a+_>T9$7?l^P4pTvxC3 zYqKUMv~PQ=TRu$7w=5yg3?0=izYJww7<5EykyAG}oXq7$ z`!eG?Ijo>lD9vJfK~!liP^(eKiH-N9Z3o%4tqR+=%(U6`iq`BvsMImuI_JU58<}#@ zh#T+ceQNC=4SZthw`~wC2>|LJYR3}gW|BCZlTZgX;<(3WgDH%+;|( zT9ijwcGLorc&Iot{_UX*@FA7=>g!znmJTH9eBPTDw#iOZ&j;w)3Ex8>QhRGZi4&u;r`8uCzC9 zz2V-v;i`ef$}QkYE3^_S9!l>iu)ynh5Pgj!4&#i8(29`Gd0*s-(}BN6-2AEhp#^&m zf%&kEa*_R`KKp!qljinLCcsk!ON_0`mL9=_iEmmGzn^y6l*)5hA?$=MF@mm4WlPLr zYayNm$rd|Bwj-!KmfX3G&vRRR$QD7F@cQ*qq)FJ??O+8dMS*MpD<|P|s;V@62Jhu; z@ucE5+EK5rOJbrX3jd-ycO1149DQ-K0H13FVdr`E8mgl;yK2}gVDbw=qt6LdLyQb&sV0290KmV6d+2ltYNJV?&S8~aeCP1pj=IifZKL;5K1T~34!huR=P|ZdtL=!eBUH-Tv ztWGU!@Lp(?l&C|yqJLV&-LD2kqdsD7M}s!V)aX$c(kN9@!M6H5N}IW6QIr9yTT1r$ zKHd^j@+i56UjuwUbom(6YOH56aJ4xHc8cGFN z?Q^`=>>EHYiN9>?e*s8G-4kL2a|NC2if<}(lmfrV7gk>E0Mo&Q5~D;PA6f;x)Akbh z`>l@p8XzSOS-Y>7yAfu>4$F_lJ8^^|EP|~Udl}NvT1yWc{tmpo zd^0W?FWbLvREJ$*IxC0Mr@zrEV&xOJa#S@3CbK5m4o+vOOab>LHfh*rf1#y}@DBNH z?z6MAZ#%xRdeEpJ)d3@3O${P-^Hm*%PNZb;W;R57y@gGFciTvzz0W`lxs)gqokp*` zT95Nak6OD|r4RSOf??_%(VQd8-JK1USXA>&k{7M8yWHC(byW5O#Zq21C)TvmrqF?vmuiw%saeuH{lka@*0oRfI16FKrq@jgJ{Durc z-aUP^6h^AFz^E`k#(+pgmqh6(Iq_wHxtQn8W5Jp`5R{m#U~8s(&9FNw)m`ACW9wM)(`H5u>3VAf$-^q>>*(iJZEf$!=-_WB||SVJ@!hyaELR?R#-`(v(Mxnx@C zMQ}u;rMnDR@pGlD?x?xsm+ln0cT5CuMbsgE9N?tAw~MAy0vgooyv$GLw;6G$sXHZ} zp3!CzP(ROT#qRJeC@5IyyKQ_pEK3m&W3hp>jO@$Dlwg2SLazmRD*~YZHEkx+2unko zn5dlkm&On#0AMB$!AdpG4lk%DhCC{0L+hK3PJcWyP&8h>74$XTD_*^y6ZP~4Cc8+= z)=;`KD@<>mF;f3^)oGh~wZ@VZmMEOr%^XG`HM z2?VX#ub{9DEq`0cgU>!48ct2m1vqj&j+oT-_OI7o#kD_U;$@PT%a;e}?MU{lhp`?Y zu}o#TlW?q2y8R{_a+tEWHqm1)4m4Pxvq<&`Vg)QBYr_$m&|?j=xJ@LXh8JJ{K)?Dn z9oPoq#@g%SGiFUEL!VwmT^K6?rzoi;v 
z&+2C^3i{08*=($awL5DR?$}?u2thaXq{6MeV@1W0_mvIY(N}#Nl96ky5*Bb2Q1+K? zF}?Um-&;*{RkkiLjn(xy-|mHOX3vPC6L>!mgD9+xMlm1#h#|GzoM-~#rLl4VhNBeq z{m<~2bA<(Ep4Cft$6k|u{P~56+qfuf(*=55x@1*BcPJ-Kw#?O;m>k8ZbTTdg1eYG13-KXaFT%tiJ2Z`5>_81I$FvmxRML}D;lM7~vBcYgSa$*_bHdZH9k&d*Ht`!tAgPbqVSm6| zFAdK+fh*+2=FY?+7O;c>o;#W>hj!Lv?kaeNL6<$~1t)_`18y(~^E z*v&v}@_#%IQdZMoWz)vm$v$-KO$jGg($cR%PaHYp0gGm7{?Ps|Z)?;kDM z<^A2o;}aI%RL7RnV#e6&>pRj)bv$^wRIhQaty;4bLGwQHounJl=-fhczfiIc-K*P2%Tp!&;0`6OnEc<*NP+MBRnf%i*FPC}tJ_Cd~p01r5pEA>z zMd@(Kp<(-(KEuq63_Bh~TFci{T`3#MhJdgd4JrL7s+A3o!ft#RJ!NIhGz(3{KMu~F z`N$d=Wh0xzw)3M)S8Ig11z?`wLwov^Y>&-8EC6k3>VVktEx}ALtwzVdz@R;0+0N9| z{QE1D%xd`4Slmpf_K6{M?V=q0*3)ylO(VobBs(gLNKp!1RQ2>dTJ1#?FgcyAMr zJb}WA^qj;0qeR~r65?!05F$4|JdmlstmGj3gw$7o+^t|)d|p`5Mo2fLzv1(*de*Y% zKJ`?QhsGm+iQq_nQ}>eFeaNvFNXQ2r4C#g3f2*FQ=hdP1?8T3tKD~}qOR$)k>4&DB zIOo(+>+IqZ_Up+L6Em$3o}9Ad`5V3UMT<-f?!EP>%GGTlVhHoS{%z%Kq*X8sx7&<+ zIc5o8U6FmolnyU;Q78Ik9=Yi4{3-FKM6g9wu?Fm^m(gjE9b?cN9)S!TGVg=3<0Yc@ zh}tvSyaKURTK>l5W{;7h-JL%#EFYXMzywLBg#R9!F^_{g94jRC`x;;DCc~$UGg}%$;qxY z(Lc_aPq|jkW;h4X3j2*&TCcX}YFGO1B`v**1_bEq`kzkyKH39k%5<2D*bqm9Ol*Ow zi)(08!)w9oqc4~{;&lQRp=Eb3RrmSmnVOqPC*F&gS*=+zmvQrOdlh1Uidb1Mxq};D zy(=_09%-`ronP`=l)(yv7aMJo`|5YIZfiaHMiFaUZ%hzZSBlbRxtXmQb^VlP9zBzWp}7ihzLreb97f+%`Jb~{2^#_S~bajAP^-|{gk z8fxuoV9suSD``&~1euskU=b7ZF!+ocP%)zyF5Fb?*j56~y`d)a@u z#<4mg|4r%Ft`e`ed_J3!w3ocoU3WYV9DKgq_=m!67Nt+W(W zRaGV28c9gFcdhackR`i67u%*yU(RkT?&VQp5_$zeV9m~Hm`80 z$=So|VC1T;Xh9TPGsA!4q6hpr^=4YRVh9a!b?>N8RB;E-;pu{U5O7!c_a*U8|HO~Q z1oQJ(+FG-FOh3L~wz}K=IYFvjRQqS=VEI$8^I99d&Vd^#ub7T}L04!ZPw9oA z4arm#P@Q(jd?dh(7fZBF;*R$C*E$A^Mx~Qdg9aoF+8uF#(11k|0x&Vqt{>66rRWU? 
zoV@(}h_KdNH#OLk#g6Zq$b?PKurrd02P)c}Fo8@Je_Doi!KE}U%W^SF@$A8tfFm;Q z!u{6t1G*K6&12WmQ>8i>%|aKhe*d1^O<^EvT3VQ0=L+wCZLc& Date: Wed, 26 Jun 2024 13:48:35 -0400 Subject: [PATCH 03/24] links --- .../change-data-capture/debezium-connector-yugabytedb.md | 6 +++--- .../preview/yugabyte-cloud/cloud-secure-clusters/_index.md | 2 +- .../administer-yugabyte-platform/high-availability.md | 2 +- .../configure-yugabyte-platform/kubernetes.md | 2 +- .../create-universe-multi-zone-kubernetes.md | 4 ++-- .../yugabyte-platform/manage-deployments/edit-universe.md | 2 +- docs/content/preview/yugabyte-platform/security/_index.md | 6 +++--- .../security/enable-encryption-in-transit/_index.md | 2 +- .../yugabyte-platform/security/security-checklist-yp.md | 2 +- 9 files changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/content/preview/explore/change-data-capture/debezium-connector-yugabytedb.md b/docs/content/preview/explore/change-data-capture/debezium-connector-yugabytedb.md index 9caa212c9817..bac561d02367 100644 --- a/docs/content/preview/explore/change-data-capture/debezium-connector-yugabytedb.md +++ b/docs/content/preview/explore/change-data-capture/debezium-connector-yugabytedb.md 
@@ -1043,9 +1043,9 @@ The APIs used to fetch the changes are set up to work with TLSv1.2 only. Make su If you have a YugabyteDB cluster with SSL enabled, you need to obtain the root certificate and provide the path of the file in the `database.sslrootcert` configuration property. You can follow these links to get the certificates for your universe: -* [Local deployments](../../../secure/tls-encryption/) -* [YugabyteDB Anywhere](../../../yugabyte-platform/security/enable-encryption-in-transit/#connect-to-a-ysql-endpoint-with-tls) -* [YugabyteDB Aeon](../../../yugabyte-cloud/cloud-secure-clusters/cloud-authentication/#download-your-cluster-certificate) +- [Local deployments](../../../secure/tls-encryption/) +- [YugabyteDB Anywhere](../../../yugabyte-platform/create-deployments/connect-to-universe/#download-the-universe-certificate) +- [YugabyteDB Aeon](../../../yugabyte-cloud/cloud-secure-clusters/cloud-authentication/#download-your-cluster-certificate) {{< /note >}} diff --git a/docs/content/preview/yugabyte-cloud/cloud-secure-clusters/_index.md b/docs/content/preview/yugabyte-cloud/cloud-secure-clusters/_index.md index 8c978512f531..9b3cff12603c 100644 --- a/docs/content/preview/yugabyte-cloud/cloud-secure-clusters/_index.md +++ b/docs/content/preview/yugabyte-cloud/cloud-secure-clusters/_index.md @@ -19,7 +19,7 @@ YugabyteDB Aeon clusters include the following security features: | :--- | :--- | | [Network authorization](add-connections/) | Access to YugabyteDB Aeon clusters is limited to IP addresses that you explicitly allow using IP allow lists.
    You can further enhance security and lower network latencies by deploying clusters in a [virtual private cloud (VPC) network](../cloud-basics/cloud-vpcs/). | | [Database authorization](cloud-users/) | YugabyteDB uses [role-based access control](cloud-users/) for database authorization. Using the default database admin user that is created when a cluster is deployed, you can [add additional roles and users](add-users/) to provide custom access to database resources to other team members and database clients. | -| [Encryption in transit](cloud-authentication/) | YugabyteDB Aeon uses encryption-in-transit for client-server and intra-node connectivity. | +| [Encryption in transit](cloud-authentication/) | YugabyteDB Aeon uses encryption in transit for client-server and intra-node connectivity. | | [Encryption at rest](managed-ear/) | Data at rest, including clusters and backups, is AES-256 encrypted using native cloud provider technologies: S3 and EBS volume encryption for AWS, Azure disk encryption, and server-side and persistent disk encryption for GCP. For additional security, you can encrypt your clusters using keys that you manage yourself. | | [Auditing](cloud-activity/) | YugabyteDB Aeon provides detailed auditing of activity on your account, including cluster creation, changes to clusters, changes to IP allow lists, backup activity, billing, access history, and more. | diff --git a/docs/content/preview/yugabyte-platform/administer-yugabyte-platform/high-availability.md b/docs/content/preview/yugabyte-platform/administer-yugabyte-platform/high-availability.md index 2efd9cdbb21a..513cf31a8307 100644 --- a/docs/content/preview/yugabyte-platform/administer-yugabyte-platform/high-availability.md +++ b/docs/content/preview/yugabyte-platform/administer-yugabyte-platform/high-availability.md 
@@ -144,7 +144,7 @@ For example, if your metrics retention is 14 days on your active instance, and y After HA is operational, it is recommended that you enable certificate validation to improve security of communication between the active and any standby instances. Enable certificate validation as follows: -1. Add certificates for the active and all standbys to the active instance [trust store](../../security/enable-encryption-in-transit/#add-certificates-to-your-trust-store). +1. Add certificates for the active and all standbys to the active instance [trust store](../../security/enable-encryption-in-transit/trust-store/). - If YBA was set up to use a custom server certificate, locate the corresponding Certificate Authority (CA) certificate. - If YBA was set up to use automatically generated self-signed certificates and you installed YBA using YBA Installer, locate the CA certificate at `/opt/yugabyte/data/yba-installer/certs/ca_cert.pem` on both the YBA active and standby instances. (If you configured a custom install root, replace `/opt/yugabyte` with the path you configured.) diff --git a/docs/content/preview/yugabyte-platform/configure-yugabyte-platform/kubernetes.md b/docs/content/preview/yugabyte-platform/configure-yugabyte-platform/kubernetes.md index 4c38e5e644ae..fcdd0bcaea50 100644 --- a/docs/content/preview/yugabyte-platform/configure-yugabyte-platform/kubernetes.md +++ b/docs/content/preview/yugabyte-platform/configure-yugabyte-platform/kubernetes.md 
@@ -122,7 +122,7 @@ Continue configuring your Kubernetes provider by clicking **Add region** and com 1. Complete the **Overrides** field using one of the provided [options](#overrides). If you do not specify anything, YBA uses defaults specified inside the Helm chart. For additional information, see [Open source Kubernetes](../../../deploy/kubernetes/single-zone/oss/helm-chart/). -1. If you are using [Kubernetes cert-manager](https://cert-manager.io) to manage TLS certificates, specify the issuer type and enter the issuer name. For more information, refer to [Enable encryption in transit](../../security/enable-encryption-in-transit/#kubernetes-cert-manager). +1. If you are using [Kubernetes cert-manager](https://cert-manager.io) to manage TLS certificates, specify the issuer type and enter the issuer name. For more information, refer to [Enable encryption in transit](../../security/enable-encryption-in-transit/add-certificate-kubernetes/). If required, add a new zone by clicking **Add Zone**, as your configuration may have multiple zones. diff --git a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md index 7397c8cc116a..e1433c728e7f 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md 
@@ -71,8 +71,8 @@ Complete the **Security Configurations** section as follows: - **Enable YSQL Auth** - specify whether or not to enable the YSQL password authentication. - **Enable YCQL** - specify whether or not to enable the YCQL API endpoint for running Cassandra-compatible workloads. This setting is enabled by default. - **Enable YCQL Auth** - specify whether or not to enable the YCQL password authentication. -- **Enable Node-to-Node TLS** - specify whether or not to enable encryption-in-transit for communication between the database servers. This setting is enabled by default. -- **Enable Client-to-Node TLS** - specify whether or not to enable encryption-in-transit for communication between clients and the database servers. This setting is enabled by default. +- **Enable Node-to-Node TLS** - specify whether or not to enable encryption in transit for communication between the database servers. This setting is enabled by default. +- **Enable Client-to-Node TLS** - specify whether or not to enable encryption in transit for communication between clients and the database servers. This setting is enabled by default. - **Root Certificate** - select an existing security certificate or create a new one. - **Enable Encryption at Rest** - specify whether or not to enable encryption for data stored on the tablet servers. This setting is disabled by default. diff --git a/docs/content/preview/yugabyte-platform/manage-deployments/edit-universe.md b/docs/content/preview/yugabyte-platform/manage-deployments/edit-universe.md index da7a4534c467..e3896a288fd8 100644 --- a/docs/content/preview/yugabyte-platform/manage-deployments/edit-universe.md +++ b/docs/content/preview/yugabyte-platform/manage-deployments/edit-universe.md 
@@ -40,7 +40,7 @@ YugabyteDB Anywhere performs these modifications through the [YB-Masters](../../ Note that you can't change the replication factor of a universe. -To change the number of nodes of universes created with an on-premises cloud provider and secured with third-party certificates obtained from external certification authorities, follow the instructions in [Expand the universe](../../security/enable-encryption-in-transit#expand-the-universe). +To change the number of nodes of universes created with an on-premises cloud provider and secured with third-party certificates obtained from external certification authorities, you must first add the certificates to the nodes you will add to the universe. Refer to [Add certificates](../../security/enable-encryption-in-transit/add-certificate-ca/). ### Smart resize diff --git a/docs/content/preview/yugabyte-platform/security/_index.md b/docs/content/preview/yugabyte-platform/security/_index.md index 67b92d4da7fd..de13a3cebf44 100644 --- a/docs/content/preview/yugabyte-platform/security/_index.md +++ b/docs/content/preview/yugabyte-platform/security/_index.md @@ -40,13 +40,13 @@ type: indexpage icon="/images/section_icons/secure/authorization.png">}} {{}} {{}} diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index 15ae7e509568..3337114f2a79 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md 
@@ -23,7 +23,7 @@ YugabyteDB Anywhere can create and manage new self-signed certificates for encry You can enable encryption in transit (TLS) during universe creation and change these settings for an existing universe. -Enabling encryption-in-transit requires the following steps: +Enabling encryption in transit requires the following steps: 1. If you are using a certificate that you provide, add your self- or CA-signed certificate to YugabyteDB Anywhere. 1. Enable encryption in transit on your universe. You can do this when creating the universe and on an existing universe. diff --git a/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md b/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md index 785f84b59bdf..366e1ea3a977 100644 --- a/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md +++ b/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md @@ -44,7 +44,7 @@ For information on how to manage database roles and users, see [Database authori Encryption in transit (TLS) ensures that network communication between servers is secure. You can configure YugabyteDB to use TLS to encrypt intra-cluster and client to server network communication. You should enable encryption in transit in YugabyteDB universes and clients to ensure the privacy and integrity of data transferred over the network. -For more information, see [Enable encryption in transit](../enable-encryption-in-transit). +For more information, see [Encryption in transit](../enable-encryption-in-transit). ## Encryption at rest From 15bf904d6558a60d84af50bd649d189899590664 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Wed, 26 Jun 2024 13:56:53 -0400 Subject: [PATCH 04/24] minor edits --- .../manage-deployments/edit-universe.md | 2 +- .../enable-encryption-in-transit/_index.md | 14 ++------------ 2 files changed, 3 insertions(+), 13 deletions(-) 
diff --git a/docs/content/preview/yugabyte-platform/manage-deployments/edit-universe.md b/docs/content/preview/yugabyte-platform/manage-deployments/edit-universe.md index e3896a288fd8..f6a7b77cffb1 100644 --- a/docs/content/preview/yugabyte-platform/manage-deployments/edit-universe.md +++ b/docs/content/preview/yugabyte-platform/manage-deployments/edit-universe.md @@ -40,7 +40,7 @@ YugabyteDB Anywhere performs these modifications through the [YB-Masters](../../ Note that you can't change the replication factor of a universe. -To change the number of nodes of universes created with an on-premises cloud provider and secured with third-party certificates obtained from external certification authorities, you must first add the certificates to the nodes you will add to the universe. Refer to [Add certificates](../../security/enable-encryption-in-transit/add-certificate-ca/). +To change the number of nodes of universes created with an on-premises cloud provider and secured with third-party certificates obtained from external certification authorities, you must first add the certificates to the nodes you will add to the universe. Refer to [Add certificates](../../security/enable-encryption-in-transit/add-certificate-ca/). Ensure that the certificates are signed by the same external CA and have the same root certificate. In addition, ensure that you copy the certificates to the same locations that you originally used when creating the universe. ### Smart resize diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index 3337114f2a79..aba40a552d35 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md 
@@ -25,15 +25,5 @@ You can enable encryption in transit (TLS) during universe creation and change t Enabling encryption in transit requires the following steps: -1. If you are using a certificate that you provide, add your self- or CA-signed certificate to YugabyteDB Anywhere. -1. Enable encryption in transit on your universe. You can do this when creating the universe and on an existing universe. - - -### Expand a universe - -You can expand universes configured with custom CA-signed certificates. - -Before adding new nodes to expand an existing universe, you need to prepare those nodes by repeating Step 2 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) for each of the new nodes you plan to add to the universe. You need to ensure that the certificates are signed by the same external CA and have the same root certificate. In addition, ensure that you copy the certificates to the same locations that you originally used when creating the universe. - -When the universe is ready for expansion, complete the **Edit Universe** dialog to add new nodes. - +1. If you are using a certificate that you provide, add your self- or CA-signed certificate to YugabyteDB Anywhere. Refer to [Add certificates](./add-certificate-self/). +1. Enable encryption in transit on your universe. You can do this when creating the universe and on an existing universe. Refer to [Create a universe](../../create-deployments/create-universe-multi-zone/). From e85430ecdde8e9fb591fdbe587bbd124aa8f819a Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Wed, 26 Jun 2024 14:09:56 -0400 Subject: [PATCH 05/24] links --- .../yugabyte-cloud/cloud-connect/connect-client-shell.md | 2 +- .../preview/yugabyte-cloud/cloud-connect/connect/ysql.md | 2 +- .../security/enable-encryption-in-transit/auto-certificate.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/content/preview/yugabyte-cloud/cloud-connect/connect-client-shell.md b/docs/content/preview/yugabyte-cloud/cloud-connect/connect-client-shell.md index 924eb56a05bd..4634d24602ae 100644 --- a/docs/content/preview/yugabyte-cloud/cloud-connect/connect-client-shell.md +++ b/docs/content/preview/yugabyte-cloud/cloud-connect/connect-client-shell.md @@ -26,7 +26,7 @@ Before you can connect a desktop client to a YugabyteDB Aeon cluster, you need t Before you can connect using a shell or other client, you need to add your computer to the cluster IP allow list. -By default, clusters deployed in a VPC do not expose any publicly-accessible IP addresses. To add public IP addresses, enable [Public Access](../../../yugabyte-cloud/cloud-secure-clusters/add-connections/#enabling-public-access) on the cluster **Settings > Network Access** tab. Alternatively, use the [Cloud shell](../connect-cloud-shell/) instead. +By default, clusters deployed in a VPC do not expose any publicly-accessible IP addresses. To add public IP addresses, enable [Public Access](../../cloud-secure-clusters/add-connections/#enabling-public-access) on the cluster **Settings > Network Access** tab. Alternatively, use the [Cloud shell](../connect-cloud-shell/) instead. For more information, refer to [IP allow list](../../cloud-secure-clusters/add-connections). diff --git a/docs/content/preview/yugabyte-cloud/cloud-connect/connect/ysql.md b/docs/content/preview/yugabyte-cloud/cloud-connect/connect/ysql.md index beee894fbfc3..f88e7143ae6e 100644 --- a/docs/content/preview/yugabyte-cloud/cloud-connect/connect/ysql.md +++ b/docs/content/preview/yugabyte-cloud/cloud-connect/connect/ysql.md 
@@ -14,7 +14,7 @@ To connect to a cluster using `ysqlsh`: 1. If your cluster is deployed in a VPC, choose **Private Address** if you are connecting from a peered VPC. Otherwise, choose **Public Address** (only available if you have enabled Public Access for the cluster; not recommended for production). 1. Copy the **YSQL** connection string. - The connection string includes flags specifying the host (`host`), username (`user`), database (`dbname`), and TLS settings (`sslmode` and `sslrootcert`). The command specifies that the connection will use the CA certificate you installed on your computer. For information on using other SSL modes, refer to [SSL modes in YSQL](../../../cloud-secure-clusters/cloud-authentication/#ssl-modes-in-ysql). + The connection string includes flags specifying the host (`host`), username (`user`), database (`dbname`), and TLS settings (`sslmode` and `sslrootcert`). The command specifies that the connection will use the CA certificate you installed on your computer. For information on using other SSL modes, refer to [SSL modes in YSQL](/preview/yugabyte-cloud/cloud-secure-clusters/cloud-authentication/#ssl-modes-in-ysql). Here's an example of the generated `ysqlsh` command: diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md index 74f5731d00a5..d5526faec40f 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md 
@@ -36,7 +36,7 @@ To view the certificate details, navigate to **Configs > Security > Encryption i YugabyteDB Anywhere automatically creates self-signed certificates when you run some workflows, such as create universe. The organization name in certificates is set to `example.com` by default. -If you are using YugabyteDB Anywhere version 2.18.2 or later to manage universes with YugabyteDB version 2.18.2 or later, you can set a custom organization name using the global [runtime configuration](../../administer-yugabyte-platform/manage-runtime-config/) flag, `yb.tlsCertificate.organizationName`. +If you are using YugabyteDB Anywhere version 2.18.2 or later to manage universes with YugabyteDB version 2.18.2 or later, you can set a custom organization name using the global [runtime configuration](../../../administer-yugabyte-platform/manage-runtime-config/) flag, `yb.tlsCertificate.organizationName`. Note that, for the change to take effect, you need to set the flag _before_ you run a workflow that generates a self-signed certificate. From 88c45deda15b4d96468d9adc8163d35a3bbeb2fa Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Wed, 26 Jun 2024 15:32:56 -0400 Subject: [PATCH 06/24] misc edits --- .../enable-encryption-in-transit/_index.md | 31 ++++++++++++++++--- .../auto-certificate.md | 4 +-- 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index aba40a552d35..2af3966d7947 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md 
@@ -1,5 +1,5 @@ --- -title: Enable encryption in transit +title: Encryption in transit in YugabyteDB Anywhere headerTitle: Encryption in transit linkTitle: Encryption in transit description: Use encryption in transit (TLS) to secure data traffic. @@ -23,7 +23,30 @@ YugabyteDB Anywhere can create and manage new self-signed certificates for encry You can enable encryption in transit (TLS) during universe creation and change these settings for an existing universe. -Enabling encryption in transit requires the following steps: +{{}} -1. If you are using a certificate that you provide, add your self- or CA-signed certificate to YugabyteDB Anywhere. Refer to [Add certificates](./add-certificate-self/). -1. Enable encryption in transit on your universe. You can do this when creating the universe and on an existing universe. Refer to [Create a universe](../../create-deployments/create-universe-multi-zone/). + {{}} + + {{}} + + {{}} + + {{}} + +{{}} diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md index d5526faec40f..7fdad0ec2a8f 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md @@ -32,7 +32,7 @@ YugabyteDB Anywhere retains the root certificate and the root private key for al To view the certificate details, navigate to **Configs > Security > Encryption in Transit** and click **Show details**. -### Customize the organization name in self-signed certificates +## Customize the organization name in self-signed certificates YugabyteDB Anywhere automatically creates self-signed certificates when you run some workflows, such as create universe. The organization name in certificates is set to `example.com` by default. 
@@ -49,7 +49,7 @@ Customize the organization name as follows: 1. Click **Actions** > **Edit Configuration**, enter a new Config Value, and click **Save**. -### Validate custom organization name +## Validate custom organization name You can verify the organization name by running the following `openssl x509` command: From 3e2c21671ab499513145724952848522e1bf027c Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Wed, 26 Jun 2024 15:37:21 -0400 Subject: [PATCH 07/24] edits --- .../security/enable-encryption-in-transit/_index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index 2af3966d7947..515d6b4fd98b 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md 
@@ -17,11 +17,11 @@ YugabyteDB Anywhere allows you to protect data in transit by using the following - Node-to-Node TLS to encrypt intra-node communication between YB-Master and YB-TServer nodes. - Client-to-Node TLS to encrypt communication between a universe and clients. This includes applications, shells (ysqlsh, ycqlsh, psql, and so on), and other tools, using the YSQL and YCQL APIs. -- Certificates added to the YugabyteDB Anywhere trust store to encrypt communication between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. +- Client to YugabyteDB Anywhere TLS to encrypt communication between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. -YugabyteDB Anywhere can create and manage new self-signed certificates for encrypting data in transit. Alternatively, you can use your own self-signed certificates. You can also upload a third-party CA-signed certificate from external providers, such as Venafi or DigiCert. (CA-signed certificates can only be used with on-premises provider configurations.) +YugabyteDB Anywhere can create and manage new self-signed certificates for encrypting data in transit for universes. Alternatively, you can use your own self-signed certificates. You can also upload third-party certificate authority (CA) certificates from external providers, such as Venafi or DigiCert. (CA-signed certificates can only be used with on-premises provider configurations.) -You can enable encryption in transit (TLS) during universe creation and change these settings for an existing universe. +You enable encryption in transit (TLS) during universe creation and can change these settings for an existing universe. {{}} From f28989a1971fc44c115877bebc5f3a3c5143fb48 Mon Sep 17 00:00:00 2001 
From: Dwight Hodge Date: Wed, 26 Jun 2024 23:11:34 -0400 Subject: [PATCH 08/24] misc edits --- .../security/enable-encryption-in-transit/_index.md | 9 +++++---- .../security/enable-encryption-in-transit/trust-store.md | 8 ++++---- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index 515d6b4fd98b..179ff3ba526f 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md 
@@ -17,11 +17,12 @@ YugabyteDB Anywhere allows you to protect data in transit by using the following - Node-to-Node TLS to encrypt intra-node communication between YB-Master and YB-TServer nodes. - Client-to-Node TLS to encrypt communication between a universe and clients. This includes applications, shells (ysqlsh, ycqlsh, psql, and so on), and other tools, using the YSQL and YCQL APIs. -- Client to YugabyteDB Anywhere TLS to encrypt communication between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. + +YugabyteDB Anywhere also uses certificates to validate connections between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. To validate connections to these services, you add their certificates to the YugabyteDB Anywhere Trust Store. YugabyteDB Anywhere can create and manage new self-signed certificates for encrypting data in transit for universes. Alternatively, you can use your own self-signed certificates. You can also upload third-party certificate authority (CA) certificates from external providers, such as Venafi or DigiCert. (CA-signed certificates can only be used with on-premises provider configurations.) -You enable encryption in transit (TLS) during universe creation and can change these settings for an existing universe. +You enable encryption in transit (TLS) during [universe creation](../../create-deployments/create-universe-multi-zone/) and can [change these settings](rotate-certificates/) for an existing universe. {{}} @@ -34,7 +35,7 @@ You enable encryption in transit (TLS) during universe creation and can change t {{}} {{}} diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md index a126d9423e89..9636dc323330 100644 
--- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md @@ -14,11 +14,11 @@ type: docs YugabyteDB Anywhere uses TLS to protect data in transit when connecting to other services, including: -- LDAP -- OIDC -- Webhook +- [LDAP](../../../administer-yugabyte-platform/ldap-authentication/) +- [OIDC](../../../administer-yugabyte-platform/oidc-authentication/) +- [Webhook](../../../alerts-monitoring/set-up-alerts-health-check/) - [S3 backup storage](../../../back-up-restore-universes/configure-backup-storage/) -- Hashicorp Vault +- [Hashicorp Vault](../../create-kms-config/hashicorp-kms/) - [YugabyteDB Anywhere high availability](../../../administer-yugabyte-platform/high-availability/) If you are using self-signed or custom CA certificates, YugabyteDB cannot verify your TLS connections unless you add the certificates to the YugabyteDB Anywhere Trust Store. From d182bdb0c97ead8dcb67288916e6c2ad662ea3f0 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Thu, 27 Jun 2024 19:03:51 -0400 Subject: [PATCH 09/24] minor edits --- .../create-deployments/create-universe-multi-zone.md | 2 +- .../security/enable-encryption-at-rest.md | 10 +++++----- .../enable-encryption-in-transit/add-certificate-ca.md | 2 +- docs/content/preview/yugabyte-platform/yba-overview.md | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md index c835c2bc2447..7c8ddb5221fb 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md 
@@ -111,7 +111,7 @@ To have YugabyteDB Anywhere generate a certificate for the universe, use the def For more information on using and managing certificates, refer to [Encryption in transit](../../security/enable-encryption-in-transit/). -Enable encryption at rest to encrypt the universe data. Refer to [Enable encryption at rest](../../security/enable-encryption-at-rest/). +To encrypt the universe data, select the **Enable encryption at rest** option and select the [KMS configuration](../../security/create-kms-config/aws-kms/) to use for encryption. For more information on using and managing, refer to [Encryption at rest](../../security/enable-encryption-at-rest/). ### Advanced Configuration diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-at-rest.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-at-rest.md index 5a45fce41668..9e6aa96d97cc 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-at-rest.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-at-rest.md @@ -1,8 +1,8 @@ --- -title: Enable encryption at rest -headerTitle: Enable encryption at rest -linkTitle: Enable encryption at rest -description: Enable encryption at rest +title: Encryption at rest in YugabyteDB Anywhere +headerTitle: Encryption at rest +linkTitle: Encryption at rest +description: Use encryption at rest in YugabyteDB Anywhere menu: preview_yugabyte-platform: parent: security 
@@ -18,7 +18,7 @@ YugabyteDB Anywhere uses the following types of keys for envelope encryption: | Key | Description | | :--- | :--- | | Data encryption keys (DEK) | Symmetric keys used to directly encrypt the data. Each file flushed from memory has a unique DEK. This key is generated in the database layer of YugabyteDB. | -| Universe key | Symmetric key used to encrypt and decrypt DEKs. A single universe key is used for all the DEKs in a universe. This key is generated by YugabyteDB Anywhere. +| Universe key | Symmetric key used to encrypt and decrypt DEKs. A single universe key is used for all the DEKs in a universe. This key is generated by YugabyteDB Anywhere. | | Master key | The key at the highest level in the key hierarchy. The master key is used to encrypt universe keys. This key is a customer managed key (CMK) stored and managed in a Key Management Service (KMS). | Master key details are stored in YugabyteDB Anywhere in KMS configurations, and YugabyteDB Anywhere supports CMKs in AWS KMS, GCP KMS, Azure Key Vault, and Hashicorp Vault. You enable encryption at rest for a universe by assigning the universe a KMS configuration. For instructions on creating a KMS configuration, see [Create a KMS configuration](../create-kms-config/aws-kms/). diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md index abed124d0c46..4e728af8e925 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md 
@@ -48,7 +48,7 @@ If you are enabling client-to-node TLS, make sure to copy the client certificate In addition, ensure the following: - The file names and file paths of different certificates and keys are identical across all the database nodes. For example, if you name your CA root certificate as `ca.crt` on one node, then you must name it `ca.crt` on all the nodes. Similarly, if you copy `ca.crt` to `/opt/yugabyte/keys` on one node, then you must copy `ca.crt` to the same path on other nodes. -- The yugabyte system user has read permissions to all the certificates and keys. +- The `yugabyte` system user has read permissions to all the certificates and keys. ### Add the CA certificate to YugabyteDB Anywhere diff --git a/docs/content/preview/yugabyte-platform/yba-overview.md b/docs/content/preview/yugabyte-platform/yba-overview.md index dd28ef75d07a..9d60f6722330 100644 --- a/docs/content/preview/yugabyte-platform/yba-overview.md +++ b/docs/content/preview/yugabyte-platform/yba-overview.md 
@@ -14,7 +14,7 @@ type: docs YugabyteDB Anywhere (YBA) is a self-managed database-as-a-service that allows you to deploy and operate YugabyteDB database clusters (also known as universes) at scale. -In YBA, a database cluster is called a [universe](../../architecture/key-concepts/#universe), and the terms are used interchangeably. More precisely, a universe in YBA always consists of one (and only one) primary cluster, and can optionally also include a single [read replica](../../architecture/docdb-replication/read-replicas/) cluster attached to the primary cluster. +In YBA, a database cluster is called a [universe](../../architecture/key-concepts/#universe), and the terms are used interchangeably. More precisely, a universe in YBA always consists of one (and only one) [primary cluster](../../architecture/key-concepts/#primary-cluster), and can optionally also include a single [read replica](../../architecture/key-concepts/#read-replica-cluster/) cluster attached to the primary cluster. ## Features From a7593b661803d80c8c067305db3a9b706e6112b5 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Thu, 27 Jun 2024 19:09:58 -0400 Subject: [PATCH 10/24] typo --- .../create-deployments/create-universe-multi-zone.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md index 7c8ddb5221fb..0cbc699fa327 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md 
@@ -111,7 +111,7 @@ To have YugabyteDB Anywhere generate a certificate for the universe, use the def For more information on using and managing certificates, refer to [Encryption in transit](../../security/enable-encryption-in-transit/). -To encrypt the universe data, select the **Enable encryption at rest** option and select the [KMS configuration](../../security/create-kms-config/aws-kms/) to use for encryption. For more information on using and managing, refer to [Encryption at rest](../../security/enable-encryption-at-rest/). +To encrypt the universe data, select the **Enable encryption at rest** option and select the [KMS configuration](../../security/create-kms-config/aws-kms/) to use for encryption. For more information, refer to [Encryption at rest](../../security/enable-encryption-at-rest/). ### Advanced Configuration From 51822bc1e742e279b1163621e023ed44bf833965 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 28 Jun 2024 12:22:46 -0400 Subject: [PATCH 11/24] DOC-358 --- .../rotate-certificates.md | 24 +++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md index 8f759e0c4707..c5a8ce6bceb6 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md 
@@ -16,9 +16,29 @@ You can rotate certificates for universes configured with the same type of certi Before rotating certificates, ensure that you have added the certificates to YugabyteDB Anywhere. Refer to [Add certificates](../add-certificate-self/). -Rotating certificates requires restart of the YB-Master and YB-TServer processes and can result in downtime. To avoid downtime, you can opt to perform a rolling upgrade, which stops, updates, and restarts each node in the universe with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node is updated at the same time). +## Rotating certificates -## Rotate certificates +Rotating certificates may require a restart of the YB-Master and YB-TServer processes and in some circumstances can result in downtime. + +- Client-to-node certificates + + Regardless of whether the client-to-node certificates are expired or not expired, you can always trigger a rolling upgrade to rotate the certificates. + + - If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime. + - If the universe was created after v2.16.6, then the rotation can be done without a restart and no downtime. + +- Node-to-node certificates + + If the certificate has expired, the rotation requires a simultaneous restart of all nodes, resulting in some downtime. + + If the certificate has not expired, the rotation can be done using a rolling upgrade. + + - If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime. + - If the universe is created after v2.16.6, then the rotation can be done without a restart and no downtime. + +You can always opt to not perform rolling updates to update all nodes at the same time, but this will result in downtime. 
+ +### Rotate certificates To modify encryption in transit settings and rotate certificates for a universe, do the following: From 99434b4499e9d357f2001791366d7604ee175c9f Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 28 Jun 2024 12:29:22 -0400 Subject: [PATCH 12/24] review comments --- .../yugabyte-platform/create-deployments/connect-to-universe.md | 2 +- .../security/enable-encryption-in-transit/add-certificate-ca.md | 2 +- .../enable-encryption-in-transit/add-certificate-hashicorp.md | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md b/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md index 2184a2a90823..5e7435ad97bf 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md @@ -33,7 +33,7 @@ If the universe uses Client-to-Node encryption in transit, to connect you need t This downloads the `yugabytedb.crt` and `yugabytedb.key` files. - - If you are connecting using a YCQL client (such as ycqlsh), click **Actions**, and choose **Download Root Cert**. + - If you are connecting using a YCQL client (such as ycqlsh), click **Actions**, and choose **Download Root CA Cert**. This downloads the `root.crt` file. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md index 4e728af8e925..f5e4a0275c3b 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md 
@@ -52,7 +52,7 @@ In addition, ensure the following: ### Add the CA certificate to YugabyteDB Anywhere -Add a CA-signed certificate in YugabyteDB Anywhere, as follows: +Add a CA-signed certificate to YugabyteDB Anywhere as follows: 1. Navigate to **Configs > Security > Encryption in Transit**. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md index c3cd40b8859b..e4ed5dd576fd 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md @@ -26,7 +26,6 @@ YugabyteDB Anywhere allows you to add an encryption in transit configuration usi For the correct configuration, the following criteria must be met: - HashiCorp Vault is unsealed. - - HashiCorp Vault with the PKI secret engine is configured and enabled. - HashiCorp Vault URL is accessible by YugabyteDB Anywhere. - Because HashiCorp Vault is accessed via an authentication token mechanism, a token must be created beforehand while creating a key provider with appropriate permissions. From f4e79c7d446912f90ba602a828808642ef1a5870 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Mon, 8 Jul 2024 14:21:26 -0400 Subject: [PATCH 13/24] misc edits --- .../create-universe-multi-zone-kubernetes.md | 2 +- .../create-deployments/create-universe-multi-zone.md | 4 ++-- .../preview/yugabyte-platform/security/_index.md | 6 +++--- .../yugabyte-platform/security/customize-ports.md | 11 ++++++----- .../enable-encryption-in-transit/trust-store.md | 2 +- .../security/security-checklist-yp.md | 4 ++-- 6 files changed, 15 insertions(+), 14 deletions(-) 
diff --git a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md index e1433c728e7f..074366e4b4c7 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md @@ -80,7 +80,7 @@ Complete the **Security Configurations** section as follows: Complete the **Advanced** section as follows: -- In the **DB Version** field, specify the YugabyteDB version. The default is either the same as the YugabyteDB Anywhere version or the latest YugabyteDB version available for YugabyteDB Anywhere. +- In the **DB Version** field, specify the YugabyteDB version. The default is either the same as the YugabyteDB Anywhere version or the latest YugabyteDB version available for YugabyteDB Anywhere. If the version you want to add is not listed, you can add it to YugabyteDB Anywhere. Refer to [Manage YugabyteDB releases](../../manage-deployments/ybdb-releases/). - Use the **Enable IPV6** field to specify whether or not you want to use IPV6 networking for connections between database servers. This setting is disabled by default. - Use the **Enable Public Network Access** field to specify whether or not to assign a load balancer or nodeport for connecting to the database endpoints over the internet. This setting is disabled by default. diff --git a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md index 0cbc699fa327..9b5c3fc08905 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md 
@@ -115,7 +115,7 @@ To encrypt the universe data, select the **Enable encryption at rest** option an ### Advanced Configuration -Choose the version of YugabyteDB to install on the nodes. +Choose the version of YugabyteDB to install on the nodes. If the version you want to add is not listed, you can add it to YugabyteDB Anywhere. Refer to [Manage YugabyteDB releases](../../manage-deployments/ybdb-releases/). The access key is the SSH key that is created in the provider. Usually, each provider has its own access key, but if you are reusing keys across providers, they are listed here. @@ -123,7 +123,7 @@ For AWS providers, you can assign an ARN to the nodes in the universe; this allo To use cron instead of systemd for managing nodes, you can disable systemd services. This not recommended. -To customize the ports used for the universe, select the **Override Deployment Ports** option and enter the custom port numbers for the services you want to change. +To customize the [ports used for the universe](../../prepare/networking/), select the **Override Deployment Ports** option and enter the custom port numbers for the services you want to change. Any value from `1024` to `65535` is valid, as long as it doesn't conflict with anything else running on nodes to be provisioned. ### G-Flags diff --git a/docs/content/preview/yugabyte-platform/security/_index.md b/docs/content/preview/yugabyte-platform/security/_index.md index de13a3cebf44..dd7cd6db0002 100644 --- a/docs/content/preview/yugabyte-platform/security/_index.md +++ b/docs/content/preview/yugabyte-platform/security/_index.md @@ -22,8 +22,8 @@ type: indexpage icon="/images/section_icons/secure/checklist.png">}} {{}} @@ -40,7 +40,7 @@ type: indexpage icon="/images/section_icons/secure/authorization.png">}} {{}} diff --git a/docs/content/preview/yugabyte-platform/security/customize-ports.md b/docs/content/preview/yugabyte-platform/security/customize-ports.md index 14dc4f785a6b..5305e9ad6fea 100644 
--- a/docs/content/preview/yugabyte-platform/security/customize-ports.md +++ b/docs/content/preview/yugabyte-platform/security/customize-ports.md @@ -1,8 +1,9 @@ --- -title: Configure ports -headerTitle: Configure ports -linkTitle: Configure ports -description: Configure ports +title: Customize ports +headerTitle: Customize ports +linkTitle: Customize ports +description: Customize ports used by YugabyteDB Anywhere universes +headcontent: Change the ports used by your universe menu: preview_yugabyte-platform: parent: security @@ -13,7 +14,7 @@ type: docs YugabyteDB Anywhere and the universes it manages use a set of [default ports](../../prepare/networking/) to manage access to services. -When deploying a universe, YugabyteDB Anywhere allows you to customize these ports. +When [deploying a universe](../../create-deployments/), YugabyteDB Anywhere allows you to customize some of these ports. ## Customize ports diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md index 9636dc323330..51ff00c3b442 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md @@ -12,7 +12,7 @@ menu: type: docs --- -YugabyteDB Anywhere uses TLS to protect data in transit when connecting to other services, including: +YugabyteDB Anywhere uses certificates to validate connections between YugabyteDB Anywhere and other services, including: - [LDAP](../../../administer-yugabyte-platform/ldap-authentication/) - [OIDC](../../../administer-yugabyte-platform/oidc-authentication/) diff --git a/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md b/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md index 366e1ea3a977..0c5f7fd3b354 100644 
--- a/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md +++ b/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md @@ -20,7 +20,7 @@ You need to ensure that YugabyteDB Anywhere and the database run in a trusted ne - Servers running YugabyteDB services are directly accessible only by YugabyteDB Anywhere, servers running the application, and database administrators. - Only YugabyteDB Anywhere and servers running applications can connect to YugabyteDB services on the RPC ports. Access to the YugabyteDB ports should be denied to everybody else. -For information on configuring ports, refer to [Configure ports](../customize-ports/). +For information on networking and port requirements, refer to [Networking](../../prepare/networking/). ## Database authentication @@ -42,7 +42,7 @@ For information on how to manage database roles and users, see [Database authori ## Encryption in transit -Encryption in transit (TLS) ensures that network communication between servers is secure. You can configure YugabyteDB to use TLS to encrypt intra-cluster and client to server network communication. You should enable encryption in transit in YugabyteDB universes and clients to ensure the privacy and integrity of data transferred over the network. +Encryption in transit (TLS) ensures that network communication between servers is secure. You can configure YugabyteDB to use TLS to encrypt intra-cluster (Node-to-Node) and client to server (Client-to-Node) network communication. You should enable encryption in transit in YugabyteDB universes and clients to ensure the privacy and integrity of data transferred over the network. For more information, see [Encryption in transit](../enable-encryption-in-transit). From 75dcd3e98335fe3e19035482838b3e6b5fff8092 Mon Sep 17 00:00:00 2001 
From: Dwight Hodge Date: Tue, 9 Jul 2024 23:45:51 -0400 Subject: [PATCH 14/24] minor edits --- .../security/enable-encryption-in-transit/_index.md | 11 +++++++++-- .../rotate-certificates.md | 2 -- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index 179ff3ba526f..eab73f0f2a91 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md @@ -22,7 +22,14 @@ YugabyteDB Anywhere also uses certificates to validate connections between Yugab YugabyteDB Anywhere can create and manage new self-signed certificates for encrypting data in transit for universes. Alternatively, you can use your own self-signed certificates. You can also upload third-party certificate authority (CA) certificates from external providers, such as Venafi or DigiCert. (CA-signed certificates can only be used with on-premises provider configurations.) -You enable encryption in transit (TLS) during [universe creation](../../create-deployments/create-universe-multi-zone/) and can [change these settings](rotate-certificates/) for an existing universe. +You can enable Node-to-Node and Client-to-Node encryption in transit when you [create a universe](../../create-deployments/create-universe-multi-zone/). + +You can also enable and disable encryption in transit for an existing universe as follows: + +1. Navigate to your universe. +1. Click **Actions > Edit Security > Encryption in-Transit** to open the **Manage encryption in transit** dialog. +1. Enable or disable the **Enable encryption in transit for this Universe** option. +1. Click **Apply**. {{}} @@ -46,7 +53,7 @@ You enable encryption in transit (TLS) during [universe creation](../../create-d {{}} 
diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md index c5a8ce6bceb6..6d218260d68e 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md @@ -48,8 +48,6 @@ To modify encryption in transit settings and rotate certificates for a universe, ![Rotate certificates](/images/yp/encryption-in-transit/rotate-cert.png) -1. Enable or disable encryption in transit. - 1. To rotate the root certificate, on the **Certificate Authority** tab, select the new root certificate(s). Delete the root certificate to create a new [self-signed certificate](../auto-certificate/). From 79baad9e02d87afa34d8d89066345fd84fcb1861 Mon Sep 17 00:00:00 2001 From: Dwight Hodge <79169168+ddhodge@users.noreply.github.com> Date: Fri, 12 Jul 2024 12:07:04 -0400 Subject: [PATCH 15/24] Apply suggestions from code review Co-authored-by: Sanketh I --- .../add-certificate-ca.md | 14 +++++++++----- .../add-certificate-kubernetes.md | 6 +++--- .../add-certificate-self.md | 1 - .../auto-certificate.md | 2 +- .../rotate-certificates.md | 5 ++--- .../enable-encryption-in-transit/trust-store.md | 4 ++-- 6 files changed, 17 insertions(+), 15 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md index f5e4a0275c3b..45cc9340f5ab 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md 
@@ -23,13 +23,17 @@ For universes created with an on-premises provider, instead of using self-signed ## Prerequisites -The certificates must adhere to the following criteria: +The server and CA certificates must adhere to the following criteria: - Be stored in a `.crt` file, with both the certificate and the private key being in the PEM format. If your certificates and keys are stored in the PKCS12 format, you can [convert them to the PEM format](#convert-certificates-and-keys-from-pkcs12-to-pem-format). -- Contain IP addresses of the database nodes or DNS names as the Subject Alternative Names (wildcards are acceptable). + +The server certificates must adhere to the following criteria: + +- Contain IP addresses of the database nodes in the Common Name or in the Subject Alternative Name. For on-premises universes where nodes are identified usng DNS addresses, the server certificates should include the DNS names of the database nodes in the Common Name or Subject Alternate Name (wildcards are acceptable). + ## Add CA-signed certificates @@ -41,9 +45,9 @@ Obtain the keys and the custom CA-signed certificates for each of the on-premise ### Copy the certificates to each node -For each on-premises provider node, copy the custom CA root certificate, node certificate, and node key to that node's file system. +For each on-premises provider node, copy the custom CA certificate, node certificate, and node key to that node's file system. -If you are enabling client-to-node TLS, make sure to copy the client certificate and client key to each of the nodes. +If you are enabling client-to-node TLS, make sure to copy the client-facing server certificate and client-facing server key to each of the nodes. In addition, ensure the following: 
@@ -64,7 +68,7 @@ Add a CA-signed certificate to YugabyteDB Anywhere as follows: 1. In the **Certificate Name** field, enter a meaningful name for your certificate. -1. Upload the custom CA root certificate as the root certificate. +1. Upload the custom CA certificate (including any intermediate certificates in the chain) as the Root CA certificate. If you use an intermediate CA/issuer, but do not have the complete chain of certificates, then you need to create a bundle by executing the `cat intermediate-ca.crt root-ca.crt > bundle.crt` command, and then use this bundle as the root certificate. You might also want to [verify the certificate chain](#verify-certificate-chain). diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md index 887df52663be..dfc98c52c593 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md @@ -16,7 +16,7 @@ type: docs {{}} {{}} {{}} -{{}} +{{}} {{}} For a universe created on Kubernetes, YugabyteDB Anywhere allows you to configure an existing running instance of the [cert-manager](https://cert-manager.io/) as a TLS certificate provider for a cluster. 
@@ -26,7 +26,7 @@ For a universe created on Kubernetes, YugabyteDB Anywhere allows you to configur The following criteria must be met: - The cert-manager is running in the Kubernetes cluster. -- A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same root certificate file must be prepared for upload to YugabyteDB Anywhere. +- A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same CA certificate file, including any intermediate CAs, must be prepared for upload to YugabyteDB Anywhere. For intermediate certificates, the chained CA certificate can be constructed using a command similar to `cat intermediate-ca.crt root-ca.crt > bundle.crt`. - An Issuer or ClusterIssuer Kind is configured on the cert-manager and is ready to issue certificates using the previously-mentioned root or intermediate certificate. - Prepare the root certificate in a file (for example, `root.crt`). @@ -44,7 +44,7 @@ Add TLS certificates issued by the cert-manager as follows: 1. In the **Certificate Name** field, enter a meaningful name for your certificate. -1. Click **Upload Root Certificate** and select the root certificate file that you prepared. +1. Click **Upload Root Certificate** and select the CA certificate file that you prepared. 1. Click **Add** to make the certificate available. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md index 94dd6b04a7d6..dc084c05221c 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md 
@@ -26,7 +26,6 @@ Instead of using YugabyteDB Anywhere-provided certificates, you can use your own The certificates must meet the following criteria: - Be in the `.crt` format and the private key must be in the `.pem` format, with both of these artifacts available for upload. -- Contain IP addresses of the target database nodes or DNS names as the Subject Alternative Names (wildcards are acceptable). YugabyteDB Anywhere produces the node (leaf) certificates from the uploaded certificates and copies the certificate chain, leaf certificate, and private key to the nodes in the cluster. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md index 7fdad0ec2a8f..16d6a7230ac8 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md 
@@ -22,7 +22,7 @@ yb-environment-universe_name where *environment* is the environment type (either `dev`, `stg`, `demo`, or `prod`) that was used during the tenant registration (admin user creation), and *universe_name* is the provided universe name. -YugabyteDB Anywhere generates the root certificate, root private key, and node-level certificates (assuming node-to-node encryption is enabled), and then provisions those artifacts to the database nodes any time nodes are created or added to the cluster. The following three files are copied to each node: +YugabyteDB Anywhere generates the root CA certificate, root private key, and node-level certificates (assuming node-to-node or client-to-node encryption is enabled), and then provisions those artifacts to the database nodes any time nodes are created or added to the cluster. The following three files are copied to each node: 1. The root certificate (`ca.cert`). 1. The node certificate (`node.ip_address.crt`). diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md index 6d218260d68e..cf39f1daccd9 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md @@ -18,7 +18,6 @@ Before rotating certificates, ensure that you have added the certificates to Yug ## Rotating certificates -Rotating certificates may require a restart of the YB-Master and YB-TServer processes and in some circumstances can result in downtime. - Client-to-node certificates 
@@ -48,9 +47,9 @@ To modify encryption in transit settings and rotate certificates for a universe, ![Rotate certificates](/images/yp/encryption-in-transit/rotate-cert.png) -1. To rotate the root certificate, on the **Certificate Authority** tab, select the new root certificate(s). +1. To rotate the CA certificate, on the **Certificate Authority** tab, select the new CA certificate(s). - Delete the root certificate to create a new [self-signed certificate](../auto-certificate/). + If you wish to have YBA generate a new self-signed CA certificate [automatically](../auto-certificate/), delete the root certificate field. 1. To rotate the server certificates, on the **Server Certificate** tab, select the **Rotate Node-to-Node Server Certificate** and **Rotate Client-to-Node Server Certificate** options as appropriate. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md index 51ff00c3b442..e98b7f64dd8a 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md 
@@ -12,14 +12,14 @@ menu: type: docs --- -YugabyteDB Anywhere uses certificates to validate connections between YugabyteDB Anywhere and other services, including: +YugabyteDB Anywhere uses certificates to validate connections between YugabyteDB Anywhere and other external services, including: - [LDAP](../../../administer-yugabyte-platform/ldap-authentication/) - [OIDC](../../../administer-yugabyte-platform/oidc-authentication/) - [Webhook](../../../alerts-monitoring/set-up-alerts-health-check/) - [S3 backup storage](../../../back-up-restore-universes/configure-backup-storage/) - [Hashicorp Vault](../../create-kms-config/hashicorp-kms/) -- [YugabyteDB Anywhere high availability](../../../administer-yugabyte-platform/high-availability/) +- Other [YugabyteDB Anywhere high availability](../../../administer-yugabyte-platform/high-availability/) replicas. If you are using self-signed or custom CA certificates, YugabyteDB cannot verify your TLS connections unless you add the certificates to the YugabyteDB Anywhere Trust Store. From ab9c65b1f89eb11e7d98152009d3eee2692db9b9 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 12 Jul 2024 13:26:16 -0400 Subject: [PATCH 16/24] review comments --- .../enable-encryption-in-transit/_index.md | 34 +++++++++- .../add-certificate-ca.md | 40 ++++++++++-- .../add-certificate-hashicorp.md | 2 +- .../add-certificate-self.md | 63 +++++++++---------- .../auto-certificate.md | 51 --------------- 5 files changed, 97 insertions(+), 93 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index eab73f0f2a91..b903c15f31af 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md 
@@ -18,11 +18,15 @@ YugabyteDB Anywhere allows you to protect data in transit by using the following - Node-to-Node TLS to encrypt intra-node communication between YB-Master and YB-TServer nodes. - Client-to-Node TLS to encrypt communication between a universe and clients. This includes applications, shells (ysqlsh, ycqlsh, psql, and so on), and other tools, using the YSQL and YCQL APIs. -YugabyteDB Anywhere also uses certificates to validate connections between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. To validate connections to these services, you add their certificates to the YugabyteDB Anywhere Trust Store. +YugabyteDB Anywhere also uses certificates to validate connections between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. To validate connections to these services, you add their certificates to the [YugabyteDB Anywhere Trust Store](trust-store/). -YugabyteDB Anywhere can create and manage new self-signed certificates for encrypting data in transit for universes. Alternatively, you can use your own self-signed certificates. You can also upload third-party certificate authority (CA) certificates from external providers, such as Venafi or DigiCert. (CA-signed certificates can only be used with on-premises provider configurations.) +YugabyteDB Anywhere can [create and manage new self-signed certificates](auto-certificate/) for encrypting data in transit for universes. -You can enable Node-to-Node and Client-to-Node encryption in transit when you [create a universe](../../create-deployments/create-universe-multi-zone/). +Alternatively, you can use your own self-signed certificates or upload third-party certificate authority (CA) certificates from external providers, such as Venafi or DigiCert (CA-signed certificates can only be used with on-premises provider configurations). 
You can also use Hashicorp Vault to enable TLS for different clusters and YugabyteDB instances. Kubernetes providers can additionally use cert-manager as a TLS certificate provider. + +## Enable encryption in transit + +You enable Node-to-Node and Client-to-Node encryption in transit when you [create a universe](../../create-deployments/create-universe-multi-zone/). You can also enable and disable encryption in transit for an existing universe as follows: @@ -31,6 +35,30 @@ You can also enable and disable encryption in transit for an existing universe a 1. Enable or disable the **Enable encryption in transit for this Universe** option. 1. Click **Apply**. +### Enforce TLS versions + +As TLS 1.0 and 1.1 are no longer accepted by PCI compliance, and considering significant vulnerabilities around these versions of the protocol, it is recommended that you migrate to TLS 1.2 or later versions. + +You can set the TLS version for node-to-node and client-node communication. To enforce TLS 1.2, add the following flag for YB-TServer: + +```shell +ssl_protocols = tls12 +``` + +To enforce the minimum TLS version of 1.2, you need to specify all available subsequent versions for YB-TServer, as follows: + +```shell +ssl_protocols = tls12,tls13 +``` + +In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it is recommended that you specify the minimum TLS version (`ssl_min_protocol_version`) for PostgreSQL by setting the following YB-TServer flag: + +```shell +--ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" +``` + +## Learn more + {{}} {{}} {{}} {{}} -{{}} +{{}} {{}} For universes created with an on-premises provider, instead of using self-signed certificates, you can use third-party certificates from external certificate authorities (CA). The third-party CA root certificate must be configured in YugabyteDB Anywhere. You also have to copy the custom CA root certificate, node certificate, and node key to the appropriate on-premises provider nodes. 
@@ -29,11 +29,9 @@ The server and CA certificates must adhere to the following criteria: If your certificates and keys are stored in the PKCS12 format, you can [convert them to the PEM format](#convert-certificates-and-keys-from-pkcs12-to-pem-format). - The server certificates must adhere to the following criteria: -- Contain IP addresses of the database nodes in the Common Name or in the Subject Alternative Name. For on-premises universes where nodes are identified usng DNS addresses, the server certificates should include the DNS names of the database nodes in the Common Name or Subject Alternate Name (wildcards are acceptable). - +- Contain IP addresses of the database nodes in the Common Name or in the Subject Alternative Name. For on-premises universes where nodes are identified using DNS addresses, the server certificates should include the DNS names of the database nodes in the Common Name or Subject Alternate Name (wildcards are acceptable). ## Add CA-signed certificates 
@@ -79,3 +77,37 @@ Add a CA-signed certificate to YugabyteDB Anywhere as follows: 1. Click **Add** to make the certificate available. You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. + +### Verify certificate chain + +Perform the following steps to verify your certificates: + +1. Execute the following verify command which checks the database node certificate (node.crt) against the root CA certificate (ca.crt): + + ```sh + openssl verify ca.crt node.crt + ``` + +1. Verify that the node certificate (`node.crt`) and the node private key (`node.key`) match. See [How do I verify that a private key matches a certificate?](https://www.ssl247.com/knowledge-base/detail/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl-1527076112539/ka03l0000015hscaay/) + +1. Verify that the node certificate and Root CA certificate expiration is at least 3 months by checking the validity field in the output of the following commands: + + ```sh + openssl x509 -in node.crt -text -noout + ``` + + ```sh + openssl x509 -in ca.crt -text -noout + ``` + +1. Verify that the node certificate Common Name (CN) or Subject Alternate Name (SAN) contains the IP address or DNS name of each on-premises node on which the nodes are deployed. + + {{< note >}} +Each entry you provide for the CN or SAN must match the on-premises node as entered in the provider configuration. For example, if the node address is entered as a DNS address in the on-premises provider configuration, you must use the same DNS entry in the CN or SAN, not the resolved IP address. + {{< /note >}} + + If you face any issue with the above verification, you can customize the level of certificate validation while creating a universe that uses these certificates. 
Refer to [Customizing the verification of RPC server certificate by the client](https://www.yugabyte.com/blog/yugabytedb-server-to-server-encryption/#customizing-the-verification-of-rpc-server-certificate-by-the-client). + +{{< note >}} +The client certificates and keys are required only if you intend to use [PostgreSQL certificate-based authentication](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html#:~:text=independent%20authentication%20option-,clientcert,-%2C%20which%20can%20be). +{{< /note >}} diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md index e4ed5dd576fd..0de3ff36ffb2 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md @@ -16,7 +16,7 @@ type: docs {{}} {{}} {{}} -{{}} +{{}} {{}} YugabyteDB Anywhere allows you to add an encryption in transit configuration using HashiCorp Vault with a public key infrastructure (PKI) secret engine. This configuration can be used to enable TLS for different clusters and YugabyteDB instances. You can apply this configuration to node-to-node encryption, client-to-node encryption, or both. diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md index dc084c05221c..7af7acd877b4 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md 
@@ -16,7 +16,7 @@ type: docs {{}} {{}} {{}} -{{}} +{{}} {{}} Instead of using YugabyteDB Anywhere-provided certificates, you can use your own self-signed certificates that you upload to YugabyteDB Anywhere. 
@@ -47,58 +47,53 @@ openssl pkcs12 -in cert-archive.pfx -out key.pem -nocerts -nodes If the key is protected by a passphrase in the PKCS12 archive, you are prompted for the passphrase. -### Verify certificate chain +## Add self-signed certificates -Perform the following steps to verify your certificates: +To add self-signed certificates to YugabyteDB Anywhere: -1. Execute the following verify command which checks the database node certificate (node.crt) against the root CA certificate (ca.crt): +1. Navigate to **Configs > Security > Encryption in Transit**. - ```sh - openssl verify ca.crt node.crt - ``` +1. Click **Add Certificate** to open the **Add Certificate** dialog. -1. Verify that the node certificate (`node.crt`) and the node private key (`node.key`) match. See [How do I verify that a private key matches a certificate?](https://www.ssl247.com/knowledge-base/detail/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl-1527076112539/ka03l0000015hscaay/) +1. Select **Self Signed**. -1. Verify that the node certificate and Root CA certificate expiration is at least 3 months by checking the validity field in the output of the following commands: + ![Add Self Signed certificate](/images/yp/encryption-in-transit/add-self-cert.png) - ```sh - openssl x509 -in node.crt -text -noout - ``` +1. In the **Certificate Name** field, enter a meaningful name for your certificate. - ```sh - openssl x509 -in ca.crt -text -noout - ``` +1. Click **Upload Root Certificate**, then browse to the root certificate file (`.crt`) and upload it. -1. Verify that the node certificate Common Name (CN) or Subject Alternate Name (SAN) contains the IP address or DNS name of each on-prem node on which the nodes are deployed. +1. Click **Upload Key**, then browse to the root certificate file (`.key`) and upload it. - {{< note >}} -Each entry you provide for the CN or SAN must match the on-prem node as entered in the provider configuration. 
For example, if the node address is entered as a DNS address in the on-prem provider configuration, you must use the same DNS entry in the CN or SAN, not the resolved IP address. - {{< /note >}} +1. In the **Expiration Date** field, specify the expiration date of the root certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. - If you face any issue with the above verification, you can customize the level of certificate validation while creating a universe that uses these certificates. Refer to [Customizing the verification of RPC server certificate by the client](https://www.yugabyte.com/blog/yugabytedb-server-to-server-encryption/#customizing-the-verification-of-rpc-server-certificate-by-the-client). +1. Click **Add** to make the certificate available. -{{< note >}} -The client certificates and keys are required only if you intend to use [PostgreSQL certificate-based authentication](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html#:~:text=independent%20authentication%20option-,clientcert,-%2C%20which%20can%20be). -{{< /note >}} +## Validate certificates -## Add self-signed certificates +When configuring and using certificates, SSL issues may occasionally arise. You can validate your certificates and keys as follows: -To add self-signed certificates to YugabyteDB Anywhere: +- Verify that the CA CRT and CA private key match by executing the following commands: -1. Navigate to **Configs > Security > Encryption in Transit**. + ```shell + openssl rsa -noout -modulus -in ca.key | openssl md5 + openssl x509 -noout -modulus -in ca.crt | openssl md5 -1. Click **Add Certificate** to open the **Add Certificate** dialog. + \# outputs should match + ``` -1. Select **Self Signed**. 
+- Verify that the CA CRT is actually a certificate authority by executing the following command: - ![Add Self Signed certificate](/images/yp/encryption-in-transit/add-self-cert.png) + ```shell + openssl x509 -text -noout -in ca.crt -1. In the **Certificate Name** field, enter a meaningful name for your certificate. + \# Look for fields -1. Click **Upload Root Certificate**, then browse to the root certificate file (`.crt`) and upload it. + X509v3 Basic Constraints: -1. Click **Upload Key**, then browse to the root certificate file (`.key`) and upload it. + CA:TRUE + ``` -1. In the **Expiration Date** field, specify the expiration date of the root certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. +- Verify that certificates and keys are in PEM format (as opposed to the DER or other format). If these artifacts are not in the PEM format and you require assistance with converting them or identifying the format, consult [Converting certificates](https://support.globalsign.com/ssl/ssl-certificates-installation/converting-certificates-openssl). -1. Click **Add** to make the certificate available. +- Ensure that the private key does not have a passphrase associated with it. For information on how to identify this condition, see [Decrypt an encrypted SSL RSA private key](https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/). diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md index 16d6a7230ac8..b5c1c7bdc66e 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md 
@@ -93,54 +93,3 @@ Certificate: Public-Key: (2048 bit) Modulus: ``` - -## Validate certificates - -When configuring and using certificates, SSL issues may occasionally arise. You can validate your certificates and keys as follows: - -- Verify that the CA CRT and CA private key match by executing the following commands: - - ```shell - openssl rsa -noout -modulus -in ca.key | openssl md5 - openssl x509 -noout -modulus -in ca.crt | openssl md5 - - \# outputs should match - ``` - -- Verify that the CA CRT is actually a certificate authority by executing the following command: - - ```shell - openssl x509 -text -noout -in ca.crt - - \# Look for fields - - X509v3 Basic Constraints: - - CA:TRUE - ``` - -- Verify that certificates and keys are in PEM format (as opposed to the DER or other format). If these artifacts are not in the PEM format and you require assistance with converting them or identifying the format, consult [Converting certificates](https://support.globalsign.com/ssl/ssl-certificates-installation/converting-certificates-openssl). - -- Ensure that the private key does not have a passphrase associated with it. For information on how to identify this condition, see [Decrypt an encrypted SSL RSA private key](https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/). - -## Enforce TLS versions - -As TLS 1.0 and 1.1 are no longer accepted by PCI compliance, and considering significant vulnerabilities around these versions of the protocol, it is recommended that you migrate to TLS 1.2 or later versions. - -You can set the TLS version for node-to-node and client-node communication. 
To enforce TLS 1.2, add the following flag for YB-TServer: - -```shell -ssl_protocols = tls12 -``` - -To enforce the minimum TLS version of 1.2, you need to specify all available subsequent versions for YB-TServer, as follows: - -```shell -ssl_protocols = tls12,tls13 -``` - -In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it is recommended that you specify the minimum TLS version (`ssl_min_protocol_version`) for PostgreSQL by setting the following YB-TServer flag: - -```shell ---ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" -``` From 958998bba447039bb8c6d8a29c4fe34b026537af Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 12 Jul 2024 13:51:09 -0400 Subject: [PATCH 17/24] format --- .../preview/explore/fault-tolerance/_index.md | 2 +- .../enable-encryption-in-transit/_index.md | 65 +++++++++---------- .../rotate-certificates.md | 23 +++---- 3 files changed, 41 insertions(+), 49 deletions(-) diff --git a/docs/content/preview/explore/fault-tolerance/_index.md b/docs/content/preview/explore/fault-tolerance/_index.md index 6e56a5008f6b..f5503788a4b4 100644 --- a/docs/content/preview/explore/fault-tolerance/_index.md +++ b/docs/content/preview/explore/fault-tolerance/_index.md 
@@ -18,7 +18,7 @@ type: indexpage showRightNav: true --- -Resiliency, in the context of cloud databases, refers to the ability to withstand and recover from various types of failures, ranging from hardware malfunctions and software bugs to network outages and natural disasters. A resilient database system is designed to maintain data integrity, accessibility, and continuity of operations, even in the face of adverse events. Achieving resilience in cloud databases requires a multi-faceted approach, involving robust architectural design, effective data replication and backup strategies, load balancing, failover mechanisms, and comprehensive monitoring and incident response procedures. +Resiliency, in the context of cloud databases, refers to the ability to withstand and recover from various types of failures. These can range from hardware malfunctions and software bugs to network outages and natural disasters. A resilient database system is designed to maintain data integrity, accessibility, and continuity of operations, even in the face of adverse events. Achieving resilience in cloud databases requires a multi-faceted approach, involving robust architectural design, effective data replication and backup strategies, load balancing, failover mechanisms, and comprehensive monitoring and incident response procedures. YugabyteDB has been designed ground up to be resilient. YugabyteDB can continuously serve requests in the event of planned or unplanned outages, such as system upgrades and outages related to a node, availability zone, or region. YugabyteDB's High availability is achieved through a combination of distributed architecture, data replication, consensus algorithms, automatic rebalancing, and failure detection mechanisms, ensuring that the database remains available, consistent, and resilient to failures of fault domains. 
diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index b903c15f31af..e380388f4c7c 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md @@ -8,9 +8,8 @@ menu: parent: security identifier: enable-encryption-in-transit weight: 40 -rightNav: - hideH4: true type: indexpage +showRightNav: true --- YugabyteDB Anywhere allows you to protect data in transit by using the following: 
@@ -18,11 +17,37 @@ YugabyteDB Anywhere allows you to protect data in transit by using the following - Node-to-Node TLS to encrypt intra-node communication between YB-Master and YB-TServer nodes. - Client-to-Node TLS to encrypt communication between a universe and clients. This includes applications, shells (ysqlsh, ycqlsh, psql, and so on), and other tools, using the YSQL and YCQL APIs. -YugabyteDB Anywhere also uses certificates to validate connections between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. To validate connections to these services, you add their certificates to the [YugabyteDB Anywhere Trust Store](trust-store/). +## Manage certificates -YugabyteDB Anywhere can [create and manage new self-signed certificates](auto-certificate/) for encrypting data in transit for universes. +Use YugabyteDB Anywhere to manage certificates used for encryption in transit. -Alternatively, you can use your own self-signed certificates or upload third-party certificate authority (CA) certificates from external providers, such as Venafi or DigiCert (CA-signed certificates can only be used with on-premises provider configurations). You can also use Hashicorp Vault to enable TLS for different clusters and YugabyteDB instances. Kubernetes providers can additionally use cert-manager as a TLS certificate provider. +{{}} + + {{}} + + {{}} + + {{}} + + {{}} + +{{}} ## Enable encryption in transit @@ -56,33 +81,3 @@ In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it ```shell --ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" ``` - -## Learn more - -{{}} - - {{}} - - {{}} - - {{}} - - {{}} - -{{}} diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md index cf39f1daccd9..9f130d51782a 100644 
--- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md 
@@ -16,28 +16,25 @@ You can rotate certificates for universes configured with the same type of certi Before rotating certificates, ensure that you have added the certificates to YugabyteDB Anywhere. Refer to [Add certificates](../add-certificate-self/). -## Rotating certificates +**Client-to-node certificates** +Regardless of whether the client-to-node certificates are expired or not expired, you can always trigger a rolling upgrade to rotate the certificates. -- Client-to-node certificates +- If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime. +- If the universe was created after v2.16.6, then the rotation can be done without a restart and no downtime. - Regardless of whether the client-to-node certificates are expired or not expired, you can always trigger a rolling upgrade to rotate the certificates. +**Node-to-node certificates** - - If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime. - - If the universe was created after v2.16.6, then the rotation can be done without a restart and no downtime. +If the certificate has expired, the rotation requires a simultaneous restart of all nodes, resulting in some downtime. -- Node-to-node certificates +If the certificate has not expired, the rotation can be done using a rolling upgrade. - If the certificate has expired, the rotation requires a simultaneous restart of all nodes, resulting in some downtime. - - If the certificate has not expired, the rotation can be done using a rolling upgrade. - - - If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime. - - If the universe is created after v2.16.6, then the rotation can be done without a restart and no downtime. 
+- If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime. +- If the universe is created after v2.16.6, then the rotation can be done without a restart and no downtime. You can always opt to not perform rolling updates to update all nodes at the same time, but this will result in downtime. -### Rotate certificates +## Rotate certificates To modify encryption in transit settings and rotate certificates for a universe, do the following: From 8d5db14833b9193a353e04b08e7e5232c28c618c Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 12 Jul 2024 14:34:25 -0400 Subject: [PATCH 18/24] review comments --- .../create-deployments/connect-to-universe.md | 46 ++++--------------- 1 file changed, 10 insertions(+), 36 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md b/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md index 450fce80bafc..676fac33bf7c 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md 
@@ -27,28 +27,13 @@ If the universe uses Client-to-Node encryption in transit, to connect you need t 1. Find your universe in the list. -1. Download the certificate. +1. Click **Actions** and choose **Download Root CA Cert**. - - If you are connecting using a YSQL client (such as ysqlsh), click **Actions**, and choose **Download YSQL Cert**. + This downloads the `root.crt` file. - This downloads the `yugabytedb.crt` and `yugabytedb.key` files. +For information on connecting using a client shell using this certificate, see [Connect from your desktop](#connect-from-your-desktop). - - If you are connecting using a YCQL client (such as ycqlsh), click **Actions**, and choose **Download Root CA Cert**. - - This downloads the `root.crt` file. - - - If you are connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. - -1. For connecting using a `ysqlsh` client, paste the `yugabytedb.crt` and `yugabytedb.key` files into the `/.yugabytedb` directory and change the permissions to `0600`, as follows: - - ```sh - mkdir ~/.yugabytedb; cd ~/.yugabytedb - cp /yugabytedb.crt . - cp /yugabytedb.key . - chmod 600 yugabytedb.* - ``` - -To use TLS from a different client, consult the client-specific documentation. For example, if you are using a PostgreSQL JDBC driver to connect to YugabyteDB, see [Configuring the client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for more details. +To use TLS to connect an application, refer to the [driver documentation](../../../reference/drivers/). If you are using a PostgreSQL JDBC driver to connect to YugabyteDB, you can also refer to [Configuring the client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for more details. If you are using PostgreSQL/YugabyteDB JDBC driver with SSL, you need to convert the certificates to DER format. 
To do this, you need to perform only steps 6 and 7 from [Set up SSL certificates for Java applications](../../../reference/drivers/java/postgres-jdbc-reference/#set-up-ssl-certificates-for-java-applications) section after downloading the certificates. @@ -141,21 +126,9 @@ curl --location --request PUT 'http:///api/v1/customers//runt ### Prerequisites -- If you are using a Yugabyte client shell, ensure you are running the latest versions of the shells (Yugabyte Client 2.6 or later). - - You can download using the following command on Linux or macOS: - - ```sh - $ curl -sSL https://downloads.yugabyte.com/get_clients.sh | bash - ``` - - Windows client shells require Docker. For example: - - ```sh - docker run -it yugabytedb/yugabyte-client ysqlsh -h -p - ``` +- If you are using [ysqlsh](../../../admin/ysqlsh/) or [ycqlsh](../../../admin/ycqlsh/), ensure you are running the latest versions of the shells. -- If your universe has Client-to-Node encryption in-transit enabled, you need to [download the certificate](#download-the-universe-certificate) to your computer. +- If your universe has Client-to-Node encryption in transit enabled, you need to [download the certificate](#download-the-universe-certificate) to your computer. - The host address of an endpoint on your universe. @@ -204,7 +177,7 @@ Replace the following: - `` with the IP address of an endpoint on your universe. - `` with your database username. - `yugabyte` with the database name, if you're connecting to a database other than the default (yugabyte). -- `` with the path to the root certificate on your computer. +- `` with the path to the universe root certificate you downloaded to your computer. To load sample data and explore an example using ysqlsh, follow the instructions in [Install the Retail Analytics sample database](../../../sample-data/retail-analytics/#install-the-retail-analytics-sample-database). 
@@ -226,7 +199,7 @@ Replace the following: - `` with the IP address of an endpoint on your universe. - `` with your database username. -- `` with the path to the root certificate on your computer. +- `` with the path to the universe root certificate you downloaded to your computer. @@ -247,7 +220,7 @@ Replace the following: - `` with the IP address of an endpoint on your universe. - `` with your database username. - `yugabyte` with the database name, if you're connecting to a database other than the default (yugabyte). -- `` with the path to the root certificate on your computer. +- `` with the path to the universe root certificate you downloaded to your computer. @@ -381,6 +354,7 @@ ycqlsh> SELECT * FROM ybdemo_keyspace.cassandrakeyvalue LIMIT 5; ## Learn more +- [Securing YugabyteDB: Client-to-Server Encryption in Transit](https://www.yugabyte.com/blog/securing-yugabytedb-client-to-server-encryption/#verification-of-server-certificates) - [ysqlsh](../../../admin/ysqlsh/) — Overview of the command line interface (CLI), syntax, and commands. - [YSQL API](../../../api/ysql/) — Reference for supported YSQL statements, data types, functions, and operators. - [ycqlsh](../../../admin/ycqlsh/) — Overview of the command line interface (CLI), syntax, and commands. From 4a7780d5d0468edb9657ed0bfaea5c6ea58a5987 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 12 Jul 2024 17:28:08 -0400 Subject: [PATCH 19/24] format --- .../create-universe-multi-zone.md | 6 +- .../yugabyte-platform/prepare/networking.md | 2 +- .../yugabyte-platform/security/_index.md | 97 ++++++++++--------- .../security/customize-ports.md | 29 ------ .../security/security-checklist-yp.md | 57 ----------- 5 files changed, 58 insertions(+), 133 deletions(-) delete mode 100644 docs/content/preview/yugabyte-platform/security/customize-ports.md delete mode 100644 docs/content/preview/yugabyte-platform/security/security-checklist-yp.md 
diff --git a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md index 9b5c3fc08905..61e6b6bb6c76 100644 --- a/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md +++ b/docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md @@ -90,10 +90,14 @@ To enable public access to the universe, select the **Assign Public IP** option. #### Authentication Settings -Enable the YSQL and YCQL endpoints and database authentication. You can also enable and disable authentication after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. +Enable the YSQL and YCQL endpoints and database authentication. Enter the password to use for the default database admin superuser (yugabyte for YSQL, and cassandra for YCQL). For more information, refer to [Database authorization](../../security/authorization-platform/). +You can also enable and disable the API endpoints and authentication after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. + +By default, the API endpoints use ports 5433 (YSQL) and 9042 (YCQL). You can [customize these ports](#advanced-configuration), and, after deployment, you can modify the YCQL API and admin UI endpoint ports. To change YCQL ports, navigate to your universe, click **Actions**, choose **Edit YCQL Configuration**, and select the **Override YCQL Default Ports** option. + #### Encryption Settings Enable encryption in transit to encrypt universe traffic. You can enable the following: diff --git a/docs/content/preview/yugabyte-platform/prepare/networking.md b/docs/content/preview/yugabyte-platform/prepare/networking.md index 4049dc352211..f41f43bb2442 100644 
--- a/docs/content/preview/yugabyte-platform/prepare/networking.md +++ b/docs/content/preview/yugabyte-platform/prepare/networking.md @@ -18,7 +18,7 @@ YugabyteDB Anywhere (YBA) needs to be able to access nodes that will be used to ![YugabyteDB Anywhere network and ports](/images/yb-platform/prepare/yba-networking.png) -The following ports need to be open. (The default port numbers can be customized.) +The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | diff --git a/docs/content/preview/yugabyte-platform/security/_index.md b/docs/content/preview/yugabyte-platform/security/_index.md index dd7cd6db0002..297937b36426 100644 --- a/docs/content/preview/yugabyte-platform/security/_index.md +++ b/docs/content/preview/yugabyte-platform/security/_index.md @@ -5,6 +5,10 @@ linkTitle: Security description: Secure YugabyteDB Anywhere and YugabyteDB universes. image: /images/section_icons/index/secure.png headcontent: Secure YugabyteDB Anywhere and your YugabyteDB universes. +aliases: + - /preview/yugabyte-platform/security/network-security/ + - /preview/yugabyte-platform/security/customize-ports/ + - /preview/yugabyte-platform/security/security-checklist-yp/ menu: preview_yugabyte-platform: parent: yugabytedb-anywhere 
@@ -13,48 +17,51 @@ weight: 660 type: indexpage --- -{{}} - - {{}} - - {{}} - - {{}} - - {{}} - - {{}} - - {{}} - - {{}} - -{{}} +You can apply security measures to protect your YugabyteDB Anywhere instance and YugabyteDB universes. + +## Network security + +You need to ensure that YugabyteDB Anywhere and the database run in a trusted network environment. You should restrict machine and port access, based on the following guidelines: + +- Servers running YugabyteDB services are directly accessible only by YugabyteDB Anywhere, servers running the application, and database administrators. +- Only YugabyteDB Anywhere and servers running applications can connect to YugabyteDB services on the RPC ports. Access to the YugabyteDB ports should be denied to everybody else. + +{{}} +For information on networking and port requirements, refer to [Networking](../prepare/networking/). +{{}} + +## Database authentication + +Authentication requires that all clients provide valid credentials before they can connect to a YugabyteDB universe. The authentication credentials in YugabyteDB are stored internally in the YB-Master system tables. The authentication mechanisms available to users depends on what is supported and exposed by the YSQL and YCQL APIs. + +You enable authentication for the YSQL and YCQL APIs when you deploy a universe. See [Enable database authentication](authorization-platform/#enable-database-authentication). + +YugabyteDB Anywhere and YugabyteDB also support LDAP and OIDC for managing authentication. See [Database authentication](authentication/). + +For more information on authentication in YugabyteDB, see [Enable authentication](../../secure/enable-authentication/). + +## Role-based access control + +Roles can be assigned to grant users only the essential privileges based on the operations they need to perform in YugabyteDB Anywhere, and in YugabyteDB universes. 
+ +To manage access to your YugabyteDB Anywhere instance, typically you create a [Super Admin role first](../install-yugabyte-platform/create-admin-user/). The Super Admin can create additional admins and other users with fewer privileges. For information on how to manage YugabyteDB Anywhere users and roles, see [Manage YugabyteDB Anywhere users](../administer-yugabyte-platform/anywhere-rbac/). + +For information on how to manage database roles and users, see [Database authorization](authorization-platform/). + +## Encryption in transit + +Encryption in transit (TLS) ensures that network communication between servers is secure. You can configure YugabyteDB to use TLS to encrypt intra-cluster (Node-to-Node) and client to server (Client-to-Node) network communication. You should enable encryption in transit in YugabyteDB universes and clients to ensure the privacy and integrity of data transferred over the network. + +{{}} +For more information, see [Encryption in transit](enable-encryption-in-transit/). +{{}} + +## Encryption at rest + +Encryption at rest ensures that data at rest, stored on disk, is protected. You can configure YugabyteDB universes with a user-generated symmetric key to perform universe-wide encryption. + +Encryption at rest in YugabyteDB Anywhere uses a master key to encrypt and decrypt universe keys. The master key details are stored in YugabyteDB Anywhere in [key management service (KMS) configurations](create-kms-config/aws-kms/). You enable encryption at rest for a universe by assigning the universe a KMS configuration. The master key designated in the configuration is then used for generating the universe keys used for encrypting the universe data. + +{{}} +For more information, see [Enable encryption at rest](enable-encryption-at-rest/). +{{}} 
diff --git a/docs/content/preview/yugabyte-platform/security/customize-ports.md b/docs/content/preview/yugabyte-platform/security/customize-ports.md deleted file mode 100644 index 5305e9ad6fea..000000000000 --- a/docs/content/preview/yugabyte-platform/security/customize-ports.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: Customize ports -headerTitle: Customize ports -linkTitle: Customize ports -description: Customize ports used by YugabyteDB Anywhere universes -headcontent: Change the ports used by your universe -menu: - preview_yugabyte-platform: - parent: security - identifier: customize-ports - weight: 20 -type: docs ---- - -YugabyteDB Anywhere and the universes it manages use a set of [default ports](../../prepare/networking/) to manage access to services. - -When [deploying a universe](../../create-deployments/), YugabyteDB Anywhere allows you to customize some of these ports. - -## Customize ports - -On the **Create Universe > Primary Cluster** page, under **Advanced Configuration**, enable the **Override Deployment Ports** option, as shown in the following illustration: - -![Override Deployment Ports](/images/yp/security/override-deployment-ports.png) - -Replace the default values with the values identifying the port that each process should use. Any value from `1024` to `65535` is valid, as long as this value does not conflict with anything else running on nodes to be provisioned. - -After deployment, you can modify the YCQL API and admin UI endpoint ports. To change ports, navigate to your universe, click **Actions**, choose **Edit YCQL Configuration**, and select the **Override YCQL Default Ports** option. - -If you change the YCQL API endpoint on an active universe, be sure to update your applications as appropriate. diff --git a/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md b/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md deleted file mode 100644 index 81ea07dee02b..000000000000 
--- a/docs/content/preview/yugabyte-platform/security/security-checklist-yp.md +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -title: Security checklist for YugabyteDB Anywhere -headerTitle: Security checklist -linkTitle: Security checklist -description: Security measures that can be implemented to protect your YugabyteDB Anywhere and YugabyteDB universes. -aliases: - - /preview/yugabyte-platform/security/network-security/ -menu: - preview_yugabyte-platform: - parent: security - identifier: security-checklist-yp - weight: 10 -type: docs ---- - -You can apply security measures to protect your YugabyteDB Anywhere instance and YugabyteDB universes. - -## Network security - -You need to ensure that YugabyteDB Anywhere and the database run in a trusted network environment. You should restrict machine and port access, based on the following guidelines: - -- Servers running YugabyteDB services are directly accessible only by YugabyteDB Anywhere, servers running the application, and database administrators. -- Only YugabyteDB Anywhere and servers running applications can connect to YugabyteDB services on the RPC ports. Access to the YugabyteDB ports should be denied to everybody else. - -For information on networking and port requirements, refer to [Networking](../../prepare/networking/). - -## Database authentication - -Authentication requires that all clients provide valid credentials before they can connect to a YugabyteDB universe. The authentication credentials in YugabyteDB are stored internally in the YB-Master system tables. The authentication mechanisms available to users depends on what is supported and exposed by the YSQL and YCQL APIs. - -You enable authentication for the YSQL and YCQL APIs when you deploy a universe. See [Enable database authentication](../authorization-platform/#enable-database-authentication). - -YugabyteDB Anywhere and YugabyteDB also support LDAP and OIDC for managing authentication. See [Database authentication](../authentication/). 
- -For more information on authentication in YugabyteDB, see [Enable authentication](../../../secure/enable-authentication/). - -## Role-based access control - -Roles can be assigned to grant users only the essential privileges based on the operations they need to perform in YugabyteDB Anywhere, and in YugabyteDB universes. - -To manage access to your YugabyteDB Anywhere instance, typically you create a [Super Admin role first](../../install-yugabyte-platform/create-admin-user/). The Super Admin can create additional admins and other users with fewer privileges. For information on how to manage YugabyteDB Anywhere users and roles, see [Manage YugabyteDB Anywhere users](../../administer-yugabyte-platform/anywhere-rbac/). - -For information on how to manage database roles and users, see [Database authorization](../authorization-platform). - -## Encryption in transit - -Encryption in transit (TLS) ensures that network communication between servers is secure. You can configure YugabyteDB to use TLS to encrypt intra-cluster (Node-to-Node) and client to server (Client-to-Node) network communication. You should enable encryption in transit in YugabyteDB universes and clients to ensure the privacy and integrity of data transferred over the network. - -For more information, see [Encryption in transit](../enable-encryption-in-transit). - -## Encryption at rest - -Encryption at rest ensures that data at rest, stored on disk, is protected. You can configure YugabyteDB universes with a user-generated symmetric key to perform universe-wide encryption. - -Encryption at rest in YugabyteDB Anywhere uses a master key to encrypt and decrypt universe keys. The master key details are stored in YugabyteDB Anywhere in [key management service (KMS) configurations](../create-kms-config/aws-kms/). You enable encryption at rest for a universe by assigning the universe a KMS configuration. 
The master key designated in the configuration is then used for generating the universe keys used for encrypting the universe data. - -For more information, see [Enable encryption at rest](../enable-encryption-at-rest). From 6e71a19445756537a5ce2f64ae1a2b08822e0971 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 12 Jul 2024 22:04:29 -0400 Subject: [PATCH 20/24] minor edits --- .../yugabyte-platform/security/authorization-platform.md | 6 +++--- .../security/enable-encryption-at-rest.md | 1 + .../security/enable-encryption-in-transit/_index.md | 7 +++++++ 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/authorization-platform.md b/docs/content/preview/yugabyte-platform/security/authorization-platform.md index 4cfa768ac1b1..84c0c7432b10 100644 --- a/docs/content/preview/yugabyte-platform/security/authorization-platform.md +++ b/docs/content/preview/yugabyte-platform/security/authorization-platform.md 
@@ -21,17 +21,17 @@ YugabyteDB uses [role-based access control](../../../secure/authorization/) (RBA (For information on managing access to your YugabyteDB Anywhere instance, refer to [Manage account users](../../administer-yugabyte-platform/anywhere-rbac/).) -## Enable database authentication +## Enable database authorization You enable the YSQL and YCQL endpoints and database authentication when deploying a universe. -On the **Create Universe > Primary Cluster** page, under **Security Configurations**, enable the **Authentication Settings** for the APIs you want to use, as shown in the following illustration. +On the **Create Universe > Primary Cluster** page, under **Security Configurations > Authentication Settings**, enable the endpoints and authorization for the APIs you want to use, as shown in the following illustration. ![Enable YSQL and YCQL endpoints](/images/yp/security/enable-endpoints.png) Enter the password to use for the default database admin superuser (`yugabyte` for YSQL, and `cassandra` for YCQL). -You can also enable and disable the endpoints and authentication after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. +You can also enable and disable the endpoints and authorization after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. ## Default roles and users diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-at-rest.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-at-rest.md index 9e6aa96d97cc..4258add7b3ef 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-at-rest.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-at-rest.md 
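Review bot: In authorization-platform.md, the heading becomes "Enable database authorization" but the unchanged context sentence directly under it still reads "You enable the YSQL and YCQL endpoints and database authentication when deploying a universe", the UI path is still **Authentication Settings**, and the following step sets the admin password, so the section now mixes the two terms. Either keep "authentication" in the heading or reword the context sentence in the same change. The rename also changes the heading anchor: the checklist page removed earlier in this series linked to `../authorization-platform/#enable-database-authentication`, so any page that still carries that link needs to be updated to the new anchor.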
@@ -3,6 +3,7 @@ title: Encryption at rest in YugabyteDB Anywhere headerTitle: Encryption at rest linkTitle: Encryption at rest description: Use encryption at rest in YugabyteDB Anywhere +headcontent: Encrypt your universes menu: preview_yugabyte-platform: parent: security diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md index e380388f4c7c..0909c9f96b7c 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/_index.md @@ -3,6 +3,7 @@ title: Encryption in transit in YugabyteDB Anywhere headerTitle: Encryption in transit linkTitle: Encryption in transit description: Use encryption in transit (TLS) to secure data traffic. +headcontent: Secure intra-node and application traffic menu: preview_yugabyte-platform: parent: security @@ -81,3 +82,9 @@ In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it ```shell --ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" ``` + +## Learn more + +- [Securing YugabyteDB: Server-to-Server Encryption in Transit](https://www.yugabyte.com/blog/yugabytedb-server-to-server-encryption/) +- [Securing YugabyteDB: SQL Client-to-Server Encryption in Transit](https://www.yugabyte.com/blog/securing-yugabytedb-client-to-server-encryption/) +- [Securing YugabyteDB: CQL Client-to-Server Encryption in Transit](https://www.yugabyte.com/blog/securing-yugabytedb-part-3-cql-client-server-encryption-transit/) From 456309ce62668251cd048522240e48ee45061dc5 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Wed, 17 Jul 2024 18:38:59 -0400 Subject: [PATCH 21/24] review comment --- .../security/enable-encryption-in-transit/trust-store.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
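Review bot: In enable-encryption-in-transit/_index.md, the new front-matter line `headcontent: Secure intra-node and application traffic` uses "intra-node", which reads as traffic inside a single node. The traffic being encrypted is between nodes, and the security overview text in this series calls it "intra-cluster (Node-to-Node)", so "inter-node" or "intra-cluster" would be consistent with the rest of the docs.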
diff --git a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md index e98b7f64dd8a..7b1c3df608a0 100644 --- a/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md +++ b/docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md @@ -21,7 +21,7 @@ YugabyteDB Anywhere uses certificates to validate connections between YugabyteDB - [Hashicorp Vault](../../create-kms-config/hashicorp-kms/) - Other [YugabyteDB Anywhere high availability](../../../administer-yugabyte-platform/high-availability/) replicas. -If you are using self-signed or custom CA certificates, YugabyteDB cannot verify your TLS connections unless you add the certificates to the YugabyteDB Anywhere Trust Store. +When using self-signed or custom CA certificates, to enable YugabyteDB Anywhere to validate your TLS connections, you _must_ add the certificates to the YugabyteDB Anywhere Trust Store ## Add certificates to your trust store From 21d5a044a961893309a484dad33c1da1b2faf7d0 Mon Sep 17 00:00:00 2001 
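Review bot: In trust-store.md, the replacement sentence ends at "YugabyteDB Anywhere Trust Store" with no closing period before the "## Add certificates to your trust store" heading; add the period. The stacked clauses ("When using ..., to enable ..., you _must_ add ...") are also hard to parse. Something like "If you use self-signed or custom CA certificates, you must add them to the YugabyteDB Anywhere Trust Store so that YugabyteDB Anywhere can validate your TLS connections." keeps the corrected product name and reads more directly.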
From: Dwight Hodge Date: Wed, 17 Jul 2024 19:32:15 -0400 Subject: [PATCH 22/24] copy to stable --- .../security/enable-encryption-in-transit.md | 704 ------------------ .../enable-encryption-in-transit/_index.md | 90 +++ .../add-certificate-ca.md | 113 +++ .../add-certificate-hashicorp.md | 189 +++++ .../add-certificate-kubernetes.md | 69 ++ .../add-certificate-self.md | 99 +++ .../auto-certificate.md | 95 +++ .../rotate-certificates.md | 55 ++ .../trust-store.md | 54 ++ 9 files changed, 764 insertions(+), 704 deletions(-) delete mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit.md create mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/_index.md create mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md create mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md create mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md create mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md create mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md create mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md create mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit.md deleted file mode 100644 index 81ac79f914aa..000000000000 --- a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit.md +++ /dev/null 
@@ -1,704 +0,0 @@ ---- -title: Enable encryption in transit -headerTitle: Enable encryption in transit -linkTitle: Enable encryption in transit -description: Use YugabyteDB Anywhere to enable encryption in transit (TLS) on a YugabyteDB universe and connect to clients. -menu: - stable_yugabyte-platform: - parent: security - identifier: enable-encryption-in-transit - weight: 40 -rightNav: - hideH4: true -type: docs ---- - -YugabyteDB Anywhere allows you to protect data in transit by using the following: - -- Server-to-server encryption for intra-node communication between YB-Master and YB-TServer nodes. -- Client-to-server encryption for communication between clients and nodes when using CLIs, tools, and APIs for YSQL and YCQL. -- Encryption for communication between YugabyteDB Anywhere and other services, including LDAP, OIDC, Hashicorp Vault, Webhook, and S3 backup storage. - -{{< note title="Note" >}} - -Before you can enable client-to-server encryption, you first must enable server-to-server encryption. - -{{< /note >}} - -YugabyteDB Anywhere lets you create a new self-signed certificate, use an existing self-signed certificate, or upload a third-party certificate from external providers, such as Venafi or DigiCert (which is only available for an on-premises cloud provider). - -You can enable encryption in transit (TLS) during universe creation and change these settings for an existing universe. - -## Self-signed certificates generated by YugabyteDB Anywhere - -YugabyteDB Anywhere can create self-signed certificates for each universe. These certificates may be shared between universes in a single instance of YugabyteDB Anywhere. The certificate name has the following format: - -`yb-environment-universe_name`, where *environment* is the environment type (either `dev`, `stg`, `demo`, or `prod`) that was used during the tenant registration (admin user creation), and *universe-name* is the provided universe name. 
YugabyteDB Anywhere generates the root certificate, root private key, and node-level certificates (assuming node-to-node encryption is enabled), and then provisions those artifacts to the database nodes any time nodes are created or added to the cluster. The following three files are copied to each node: - -1. The root certificate (`ca.cert`). -1. The node certificate (`node.ip_address.crt`). -1. The node private key (`node.ip_address.key`). - -YugabyteDB Anywhere retains the root certificate and the root private key for all interactions with the cluster. - -### Customize the organization name in self-signed certificates - -YugabyteDB Anywhere automatically creates self-signed certificates when you run some workflows, such as create universe. The organization name in certificates is set to `example.com` by default. - -If you are using YBA version 2.18.2 or later to manage universes with YugabyteDB version 2.18.2 or later, you can set a custom organization name using the global [runtime configuration](../../administer-yugabyte-platform/manage-runtime-config/) flag, `yb.tlsCertificate.organizationName`. - -Note that, for the change to take effect, you need to set the flag _before_ you run a workflow that generates a self-signed certificate. - -Customize the organization name as follows: - -1. In YugabyteDB Anywhere, navigate to **Admin** > **Advanced** and select the **Global Configuration** tab. -1. In the **Search** bar, enter `yb.tlsCertificate.organizationName` to view the flag, as per the following illustration: - - ![Custom Organization name](/images/yp/encryption-in-transit/custom-org-name.png) - -1. Click **Actions** > **Edit Configuration**, enter a new Config Value, and click **Save**. 
- -#### Validate custom organization name - -You can verify the organization name by running the following `openssl x509` command: - -```sh -openssl x509 -in ca.crt -text -``` - -```output {hl_lines=[6]} -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1683277970271 (0x187eb2f7b5f) - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=yb-dev-sb-ybdemo-univ1~2, O=example.com - Validity - Not Before: May 5 09:12:50 2023 GMT - Not After : May 5 09:12:50 2027 GMT -``` - -Notice that default value is `O=example.com`. - -After setting the runtime configuration to a value of your choice, (`org-foo` in this example), you should see output similar to the following: - -```sh -openssl x509 -in ca.crt -text -noout -``` - -```output -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1689376612248 (0x18956b15f98) - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo - Validity - Not Before: Jul 14 23:16:52 2023 GMT - Not After : Jul 14 23:16:52 2027 GMT - Subject: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: -``` - -### Use YugabyteDB Anywhere-generated certificates to enable TLS - -When you create a universe, you can enable TLS using certificates generated by YugabyteDB Anywhere, as follows: - -1. Create a new universe via **Universes > Create Universe** and then configure it. -1. Based on your requirements, select **Enable Node-to-Node TLS** or **Enable Client-to-Node TLS** or both. -1. Choose an existing certificate from the **Root Certificate** list or create a new certificate by accepting the default option **Create new certificate**. - -To view the certificate, navigate to **Configs > Security > Encryption in Transit > Self Signed**. - -You can also modify TLS settings for an existing universe, as follows: - -1. Navigate to either **Dashboard** or **Universes** and open a specific universe. - -1. 
Click **Actions > Edit Security > Encryption in-Transit** to open the **TLS Configuration** dialog and then proceed as follows: - - - If encryption in transit is currently disabled for the universe, enable it via the **Encryption in Transit for this Universe** field, as per the following illustration: - - ![TLS Configuration](/images/yp/encryption-in-transit/tls-config1.png) - - Use the expanded **TLS Configuration** dialog shown in the following illustration to change the settings to meet your requirements: - - ![TLS Configuration Expanded](/images/yp/encryption-in-transit/tls-config2.png) - - - If encryption in transit is currently enabled for the universe, you can either disable or modify it, as follows: - - - To disable encryption in transit, disable the **Encryption in Transit for this Universe** field and then click **OK**. - - - To modify encryption in-transit settings, leave the **Encryption in Transit for this Universe** field enabled and make the necessary changes to other fields. - - If you are changing certificates, you need to be aware that this requires restart of the YB-Master and YB-TServer processes and can result in downtime. To avoid downtime, you should accept the default value (enabled) for the **Rolling Upgrade** field to trigger a sequential node-by-node change with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node which occurs when the **Rolling Upgrade** field is disabled). If you select the **Create new certificate** option when changing certificates, the corresponding certificates will be rotated, that is, replaced with new certificates. - -## Self-signed self-provided certificates - -Instead of using YugabyteDB Anywhere-provided certificates, you can use your own self-signed certificates that you upload to YugabyteDB Anywhere by following the procedure described in [Use self-signed self-provided certificates to enable TLS](#use-self-signed-self-provided-certificates-to-enable-tls). 
- -The certificates must meet the following criteria: - -- Be in the `.crt` format and the private key must be in the `.pem` format, with both of these artifacts available for upload. -- Contain IP addresses of the target database nodes or DNS names as the Subject Alternative Names (wildcards are acceptable). - -YugabyteDB Anywhere produces the node (leaf) certificates from the uploaded certificates and copies the certificate chain, leaf certificate, and private key to the nodes in the cluster. - -### Use self-signed self-provided certificates to enable TLS - -When you create a universe, you can enable TLS using your own certificates, as follows: - -1. Navigate to **Configs > Security > Encryption in Transit**. -1. Click **Add Certificate** to open the **Add Certificate** dialog. -1. Select **Self Signed**. -1. Click **Upload Root Certificate**, then browse to the root certificate file (`.crt`) and upload it. -1. Click **Upload Key**, then browse to the root certificate file (`.key`) and upload it. -1. In the **Certificate Name** field, enter a meaningful name for your certificate. -1. In the **Expiration Date** field, specify the expiration date of the root certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. -1. Click **Add** to make the certificate available. -1. Go to **Universes > Create Universe** to open the **Create Universe** dialog. -1. Configure the universe. -1. Based on your requirements, select **Enable Node-to-Node TLS** and **Enable Client-to-Node TLS**. -1. Select an existing certificate from the **Root Certificate** list and then select the certificate that you have uploaded. -1. Create the universe. 
- -You can also modify TLS settings for an existing universe by navigating to **Universes**, opening a specific universe, clicking **Actions > Edit Security > Encryption in-Transit** to open the **TLS Configuration** dialog, and then following the procedure described in [Use YugabyteDB Anywhere-generated certificates to enable TLS](#use-yugabytedb-anywhere-generated-certificates-to-enable-tls) for an existing universe. - -## Custom CA-signed self-provided certificates - -For universes created with an on-premise cloud provider, instead of using self-signed certificates, you can use third-party certificates from external CAs. The third-party CA root certificate must be configured in YugabyteDB Anywhere. You have to copy the custom CA root certificate, node certificate, and node key to the appropriate database nodes using the procedure described in [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls). - -The certificates must adhere to the following criteria: - -- Be stored in a `.crt` file, with both the certificate and the private key being in the PEM format. - - If your certificates and keys are stored in the PKCS12 format, you can [convert them to the PEM format](#convert-certificates-and-keys-from-pkcs12-to-pem-format). - -- Contain IP addresses of the database nodes or DNS names as the Subject Alternative Names (wildcards are acceptable). - -### Use custom CA-signed certificates to enable TLS - -The following procedure describes how to install certificates on the database nodes. You have to repeat these steps for every database node that is to be used in the creation of a universe. - -**Step 1:** Obtain the keys and the custom CA-signed certificates for each of the on-premise nodes for which you are configuring node-to-node TLS. In addition, obtain the keys and the custom signed certificates for client access for configuring client-to-node TLS. 
- -**Step 2**: For each on-premise node, copy the custom CA root certificate, node certificate, and node key to that node's file system. - -If you are enabling client-to-node TLS, make sure to copy the client certificate and client key to each of the nodes. - -In addition, ensure the following: - -- The file names and file paths of different certificates and keys are identical across all the database nodes. For example, if you name your CA root certificate as `ca.crt` on one node, then you must name it `ca.crt` on all the nodes. Similarly, if you copy `ca.crt` to `/opt/yugabyte/keys` on one node, then you must copy `ca.crt` to the same path on other nodes. -- The yugabyte system user has read permissions to all the certificates and keys. - -**Step 3**: Create a CA-signed certificate in YugabyteDB Anywhere, as follows: - -1. Navigate to **Configs > Security > Encryption in Transit**. - -1. Click **Add Certificate** to open the **Add Certificate** dialog. - -1. Select **CA Signed**, as per the following illustration: - - ![add-cert](/images/yp/encryption-in-transit/add-cert.png) - -1. Upload the custom CA root certificate as the root certificate. - - If you use an intermediate CA/issuer, but do not have the complete chain of certificates, then you need to create a bundle by executing the `cat intermediate-ca.crt root-ca.crt > bundle.crt` command, and then use this bundle as the root certificate. You might also want to [verify the certificate chain](#verify-certificate-chain). - -1. Enter the file paths for each of the certificates on the nodes. These are the paths from the previous step. - -1. In the **Certificate Name** field, enter a meaningful name for your certificate. - -1. Use the **Expiration Date** field to specify the expiration date of the certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. - -1. Click **Add** to make the certificate available. - -1. 
Go to **Universes > Create Universe** to open the **Create Universe** dialog. - -1. Configure the universe. - -1. Based on your requirements, select **Enable Node-to-Node TLS** and **Enable Client-to-Node TLS**. - -1. Select an existing certificate from the **Root Certificate** list and then select the certificate that you have uploaded. - -1. Create the universe. - -You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. - -#### Convert certificates and keys from PKCS12 to PEM format - -If your certificates and keys are stored in the PKCS12 format, you can convert them to the PEM format using OpenSSL. - -You start by extracting the certificate via the following command: - -```sh -openssl pkcs12 -in cert-archive.pfx -out cert.pem -clcerts -nokeys -``` - -To extract the key and write it to the PEM file unencrypted, execute the following command: - -```sh -openssl pkcs12 -in cert-archive.pfx -out key.pem -nocerts -nodes -``` - -If the key is protected by a passphrase in the PKCS12 archive, you are prompted for the passphrase. - -#### Verify certificate chain - -Perform the following steps to verify your certificates: - -1. Execute the following verify command which checks the database node certificate (node.crt) against the root CA certificate (ca.crt): - - ```sh - openssl verify ca.crt node.crt - ``` - -1. Verify that the node certificate (`node.crt`) and the node private key (`node.key`) match. See [How do I verify that a private key matches a certificate?](https://www.ssl247.com/knowledge-base/detail/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl-1527076112539/ka03l0000015hscaay/) - -1. 
Verify that the node certificate and Root CA certificate expiration is at least 3 months by checking the validity field in the output of the following commands: - - ```sh - openssl x509 -in node.crt -text -noout - ``` - - ```sh - openssl x509 -in ca.crt -text -noout - ``` - -1. Verify that the node certificate Common Name (CN) or Subject Alternate Name (SAN) contains the IP address or DNS name of each on-prem node on which the nodes are deployed. - - {{< note >}} -Each entry you provide for the CN or SAN must match the on-prem node as entered in the provider configuration. For example, if the node address is entered as a DNS address in the on-prem provider configuration, you must use the same DNS entry in the CN or SAN, not the resolved IP address. - {{< /note >}} - - If you face any issue with the above verification, you can customize the level of certificate validation while creating a universe that uses these certificates. Refer to [Customizing the verification of RPC server certificate by the client](https://www.yugabyte.com/blog/yugabytedb-server-to-server-encryption/#customizing-the-verification-of-rpc-server-certificate-by-the-client). - -{{< note >}} -The client certificates and keys are required only if you intend to use [PostgreSQL certificate-based authentication](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html#:~:text=independent%20authentication%20option-,clientcert,-%2C%20which%20can%20be). -{{< /note >}} - -### Rotate custom CA-signed certificates - -You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. 
- -You rotate the existing custom certificates and replace them with new database node certificates issued by the same custom CA that issued the original certificates as follows: - -**Step 1**: Follow Step 1 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to obtain a new set of certificates for each of the nodes. - -**Step 2**: Follow Step 2 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to copy the certificates to the respective nodes. - -**Step 3**: Follow Step 3 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) to create a new CA-signed certificate in YugabyteDB Anywhere. - -**Step 4**: Edit the universe to use the new certificates, as follows: - -- Navigate to the universe for which you are rotating the keys. - -- Select **Actions > Edit Security**, as shown in the following illustration: - - ![edit-security](/images/yp/encryption-in-transit/edit-security.png) - -- Select **Encryption in-Transit** to open the **TLS Configuration** dialog. - -- Complete the **TLS Configuration** dialog shown in the following illustration: - - ![Configure TLS](/images/yp/encryption-in-transit/edit-tls-new.png) - - - Select the new certificate which you created in Step 3. - - - Modifying certificates requires restart of YB-Master and YB-TServer processes, which can result in downtime. To avoid downtime, you should accept the default value (enabled) for the **Rolling Upgrade** field to trigger a sequential node-by-node change with a specific delay between node upgrades (as opposed to a simultaneous change of certificates in every node which occurs when the **Rolling Upgrade** field is disabled). - - - Click **OK**. - - Typically, this process takes time, as it needs to wait for the specified delay interval after each node is upgraded. 
- -### Expand the universe - -You can expand universes configured with custom CA-signed certificates. - -Before adding new nodes to expand an existing universe, you need to prepare those nodes by repeating Step 2 of [Use custom CA-signed certificates to enable TLS](#use-custom-ca-signed-certificates-to-enable-tls) for each of the new nodes you plan to add to the universe. You need to ensure that the certificates are signed by the same external CA and have the same root certificate. In addition, ensure that you copy the certificates to the same locations that you originally used when creating the universe. - -When the universe is ready for expansion, complete the **Edit Universe** dialog to add new nodes. - -## Custom HashiCorp Vault-provided certificates - -YugabyteDB Anywhere allows you to add an encryption in transit configuration using HashiCorp Vault with a public key infrastructure (PKI) secret engine. This configuration can be used to enable TLS for different clusters and YugabyteDB instances. You can apply this configuration to node-to-node encryption, client-to-node encryption, or both. - -For the correct configuration, the following criteria must be met: - -- HashiCorp Vault is unsealed. - -- HashiCorp Vault with the PKI secret engine is configured and enabled. -- HashiCorp Vault URL is accessible by YugabyteDB Anywhere. -- Because HashiCorp Vault is accessed via an authentication token mechanism, a token must be created beforehand while creating a key provider with appropriate permissions. -- HashiCorp Vault needs to be running and always accessible to YugabyteDB Anywhere. -- HashiCorp PKI certificate revocation list (CRL) or CA URLs must be accessible from each node server. -- Appropriate certificates and roles have been created for YugabyteDB Anywhere usage. -- Node servers are able to validate certificates. -- Required permissions have been provided to perform various key management operations. 
- -### Configure HashiCorp Vault - -Before you can start configuring HashiCorp Vault, install it on a virtual machine, as per instructions provided in [Install Vault](https://www.vaultproject.io/docs/install). The vault can be set up as a multi-node cluster. Ensure that your vault installation meets the following requirements: - -- Has transit secret engine enabled. -- Its seal and unseal mechanism is secure and repeatable. -- Its token creation mechanism is repeatable. - -You need to configure HashiCorp Vault in order to use it with YugabyteDB Anywhere, as follows: - -1. Create a vault configuration file that references your nodes and specifies the address, as follows: - - ```properties - storage "raft" { - path = "./vault/data/" - node_id = "node1" - } - - listener "tcp" { - address = "127.0.0.1:8200" - tls_disable = "true" - } - - api_addr = "http://127.0.0.1:8200" - cluster_addr = "https://127.0.0.1:8201" - ui = true - disable_mlock = true - default_lease_ttl = "768h" - max_lease_ttl = "8760h" - ``` - - Replace `127.0.0.1` with the vault web address. - - For additional configuration options, see [Parameters](https://www.vaultproject.io/docs/configuration#parameters). - -1. Initialize the vault server by following instructions provided in [Operator init](https://www.vaultproject.io/docs/commands/operator/init). - -1. Allow access to the vault by following instructions provided in [Unsealing](https://www.vaultproject.io/docs/concepts/seal#unsealing). - -1. Enable the secret engine by executing the following command: - - ```shell - vault secrets enable pki - ``` - -1. Configure the secret engine, as follows: - - - Create a root CA or configure the top-level CA. - - - Optionally, create an intermediate CA chain and sign them. 
- - - Create an intermediate CA for YugabyteDB, as per the following example: - - ```sh - export pki=pki - export pki_int="pki_int" - export role_i=RoleName - export ip="s.test.com" - - vault secrets enable -path=$pki_int pki - vault secrets tune -max-lease-ttl=43800h $pki_int - vault write $pki_int/intermediate/generate/internal common_name="test.com Intermediate Authority" ttl=43800h -format=json | jq -r '.data.csr' > pki_int.csr - - \# *** dump the output of the preceding command in pki_int.csr - - vault write $pki/root/sign-intermediate csr=@pki_int.csr format=pem_bundle ttl=43800h -format=json | jq -r .data.certificate > i_signed.pem - - \# *** dump the output in i_signed.pem - - vault write $pki_int/intermediate/set-signed certificate=@i_signed.pem - vault write $pki_int/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki_int/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki_int/crl" - ``` - -1. Create the vault policy, as per the following example: - - ```properties - # Enable secrets engine - path "sys/mounts/*" { - capabilities = ["create", "read", "update", "delete", "list"] - } - - # List enabled secrets engine - path "sys/mounts" { - capabilities = ["read", "list"] - } - - # Work with pki secrets engine - path "pki*" { - capabilities = ["create", "read", "update", "delete", "list", "sudo"] - } - ``` - -1. Generate a token with appropriate permissions (as per the referenced policy) by executing the following command: - - ```shell - vault token create -no-default-policy -policy=pki_policy - ``` - - You may also specify the following for your token: - - - `ttl` — Time to live (TTL). If not specified, the default TTL of 32 days is used, which means that the generated token will expire after 32 days. - - `period` — If specified, the token can be infinitely renewed. 
- - YBA automatically tries to renew the token every 12 hours after it has passed 70% of its expiry window; as a result, you should set the TTL or period to be greater than 12 hours. - - For more information, refer to [Tokens](https://developer.hashicorp.com/vault/tutorials/tokens/tokens) in the Hashicorp documentation. - -1. Create a role that maps a name in the vault to a procedure for generating a certificate, as follows: - - ```sh - vault write /roles/ allow_any_name=true allow_subdomains=true max_ttl="8640h" - ``` - - Credentials are generated against this role. - -1. Issue certificates for nodes or a YugabyteDB client: - - - For a node, execute the following: - - ```sh - vault write /issue/ common_name="" ip_sans="" ttl="860h" - ``` - - - For YugabyteDB client, execute the following: - - ```sh - vault write /issue/ common_name="" - ``` - -### Use HashiCorp Vault-provided certificates to enable TLS - -When you create a universe, you can enable TLS using certificates provided by HashiCorp Vault, as follows: - -1. Navigate to **Configs > Security > Encryption in Transit**. -1. Click **Add Certificate** to open the **Add Certificate** dialog. -1. Select **Hashicorp**. -1. In the **Config Name** field, enter a meaningful name for your configuration. -1. In the **Vault Address** field, specify a valid URL that includes the port number. The format is `http://0.0.0.0:0000`, which corresponds to `VAULT_HOSTNAME:0000` -1. In the **Secret Token** field, specify the secret token for the vault. -1. In the **Role** field, specify the role used for creating certificates. -1. Optionally, provide the secret engine path on which the PKI is mounted. If you do not supply this information, `pki/` will be used. -1. Click **Add** to make the certificate available. -1. Go to **Universes > Create Universe** to open the **Create Universe** dialog. -1. Configure the universe. -1. Based on your requirements, select **Enable Node-to-Node TLS** and **Enable Client-to-Node TLS**. -1. 
Select an existing certificate from the **Root Certificate** list and then select the certificate that you have uploaded. -1. Create the universe. - -You can also edit TLS settings for an existing universe by navigating to **Universes**, opening a specific universe, clicking **Actions > Edit Security > Encryption in-Transit** to open the **TLS Configuration** dialog, and then modifying the required settings. - -## Kubernetes cert-manager - -For a universe created on Kubernetes, YugabyteDB Anywhere allows you to configure an existing running instance of the [cert-manager](https://cert-manager.io/) as a TLS certificate provider for a cluster, assuming that the following criteria are met: - -- The cert-manager is running in the Kubernetes cluster. -- A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same root certificate file must be prepared for upload to YugabyteDB Anywhere. -- An Issuer or ClusterIssuer Kind is configured on the cert-manager and is ready to issue certificates using the previously-mentioned root or intermediate certificate. - -During the universe creation, you can enable TLS certificates issued by the cert-manager, as follows: - -1. Upload the root certificate to YugabyteDB Anywhere: - - - Prepare the root certificate in a file (for example, `root.crt`). - - Navigate to **Configs > Security > Encryption in Transit** and click **Add Certificate**. - - On the **Add Certificate** dialog shown in the following illustration, select **K8S cert-manager**: - - ![Add Certificate](/images/yp/security/kubernetes-cert-manager.png) - - - In the **Certificate Name** field, enter a meaningful name for your certificate configuration. - - Click **Upload Root Certificate** and select the root certificate file that you prepared. - - Click **Add** to make the certificate available. - -1. 
Configure the Kubernetes-based cloud provider by following instructions provided in [Configure region and zones](../../configure-yugabyte-platform/kubernetes/#configure-region-and-zones). In the **Add new region** dialog shown in the following illustration, you would be able to specify the Issuer name or the ClusterIssuer name for each zone. Because an Issuer Kind is a Kubernetes namespace-scoped resource, the zone definition should also set the **Namespace** field value if an Issuer Kind is selected: - - ![Add new region](/images/yp/security/kubernetes-cert-manager-add-region.png) - -1. Create the universe: - - - Navigate to **Universes** and click **Create Universe**. - - In the **Provider** field, select the cloud provider that you have configured in step 2. - - Complete the fields based on your requirements, and select **Enable Node-to-Node TLS** or **Enable Client-to-Node TLS**. - - Select the root certificate that you have uploaded in step 1. - - Click **Create**. - -### Troubleshoot - -If you encounter problems, you should verify the name of Issuer or ClusterIssuer in the Kubernetes cluster, as well as ensure that the Kubernetes cluster is in Ready state. You can use the following commands: - -```sh -kubectl get ClusterIssuer -``` - -```sh -kubectl -n Issuer -``` - -## Connect to clusters - -Using TLS, you can connect to the YSQL and YCQL endpoints. - -### Connect to a YSQL endpoint with TLS - -If you created your universe with the Client-to-Node TLS option enabled, then you must download client certificates to your client computer to establish connection to your database, as follows: - -- Navigate to the **Certificates** page and then to your universe's certificate. - -- Click **Actions** and select **Download YSQL Cert**, as shown in the following illustration. This triggers the download of the `yugabytedb.crt` and `yugabytedb.key` files. 
- - ![download-ysql-cert](/images/yp/encryption-in-transit/download-ysql-cert.png) - -- Optionally, when connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. - -- For testing with a `ysqlsh` client, paste the `yugabytedb.crt` and `yugabytedb.key` files into the `/.yugabytedb` directory and change the permissions to `0600`, as follows: - - ```sh - mkdir ~/.yugabytedb; cd ~/.yugabytedb - cp /yugabytedb.crt . - cp /yugabytedb.key . - chmod 600 yugabytedb.* - ``` - -- Run `ysqlsh` using the `sslmode=require` option, as follows: - - ```sh - cd - bin/ysqlsh -h 172.152.43.78 -p 5433 sslmode=require - ``` - - ```output - ysqlsh (11.2-YB-2.3.3.0-b0) - SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) - Type "help" for help. - - yugabyte=# - ``` - -To use TLS from a different client, consult the client-specific documentation. For example, if you are using a PostgreSQL JDBC driver to connect to YugabyteDB, see [Configuring the client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for more details. - -If you are using PostgreSQL/YugabyteDB JDBC driver with SSL, you need to convert the certificates to DER format. To do this, you need to perform only steps 6 and 7 from [Set up SSL certificates for Java applications](../../../reference/drivers/java/postgres-jdbc-reference/#set-up-ssl-certificates-for-java-applications) section after downloading the certificates. - -### Connect to a YCQL endpoint with TLS - -If you created your universe with the Client-to-Node TLS option enabled, then you must download client certificates to your client computer to establish connection to your database, as follows: - -- Navigate to the **Certificates** page and then to your universe's certificate. 
- -- Click **Actions** and select **Download Root Cert**, as shown in the following illustration. This triggers the download of the `root.crt` file. - - ![download-root-cert](/images/yp/encryption-in-transit/download-root-cert.png) - -- Optionally, when connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading. - -- Set `SSL_CERTFILE` environment variable to point to the location of the downloaded root certificate. - -- Run `ycqlsh` using the `-ssl` option, as follows: - - ```sh - cp /root.crt ~/.yugabytedb/root.crt - export SSL_CERTFILE=~/.yugabytedb/root.crt - bin/ycqlsh 172.152.43.78 --ssl - ``` - - ```output - Connected to local cluster at 172.152.43.78:9042. - [ycqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4] - Use HELP for help. - ycqlsh> - ``` - -To use TLS from a different client, consult the client-specific documentation. For example, if you are using a Cassandra driver to connect to YugabyteDB, see [SSL](https://docs.datastax.com/en/developer/python-driver/3.19/security/#ssl). - -## Validate certificates - -When configuring and using certificates, SSL issues may occasionally arise. You can validate your certificates and keys as follows: - -1. Verify that the CA CRT and CA private key match by executing the following commands: - - ```shell - openssl rsa -noout -modulus -in ca.key | openssl md5 - openssl x509 -noout -modulus -in ca.crt | openssl md5 - - \# outputs should match - ``` - -2. Verify that the CA CRT is actually a certificate authority by executing the following command: - - ```shell - openssl x509 -text -noout -in ca.crt - - \# Look for fields - - X509v3 Basic Constraints: - - CA:TRUE - ``` - -3. Verify that certificates and keys are in PEM format (as opposed to the DER or other format). 
If these artifacts are not in the PEM format and you require assistance with converting them or identifying the format, consult [Converting certificates](https://support.globalsign.com/ssl/ssl-certificates-installation/converting-certificates-openssl). - -4. Ensure that the private key does not have a passphrase associated with it. For information on how to identify this condition, see [Decrypt an encrypted SSL RSA private key](https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/). - -## Enforcing TLS versions - -As TLS 1.0 and 1.1 are no longer accepted by PCI compliance, and considering significant vulnerabilities around these versions of the protocol, it is recommended that you migrate to TLS 1.2 or later versions. - -You can set the TLS version for node-to-node and client-node communication. To enforce TLS 1.2, add the following flag for YB-TServer: - -```shell -ssl_protocols = tls12 -``` - -To enforce the minimum TLS version of 1.2, you need to specify all available subsequent versions for YB-TServer, as follows: - -```shell -ssl_protocols = tls12,tls13 -``` - -In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it is recommended that you specify the minimum TLS version (`ssl_min_protocol_version`) for PostgreSQL by setting the following YB-TServer flag: - -```shell ---ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" -``` - -## Use self-signed and custom CA certificates - -YugabyteDB Anywhere uses TLS to protect data in transit when connecting to other services, including: - -- LDAP -- OIDC -- Webhook -- [S3 backup storage](../../back-up-restore-universes/configure-backup-storage/) -- Hashicorp Vault -- [YBA high availability](../../administer-yugabyte-platform/high-availability/) - -If you are using self-signed or custom CA certificates, YugabyteDB cannot verify your TLS connections unless you add the certificates to the YugabyteDB Anywhere Trust Store. 
- -### Add certificates to your trust store - -To add a certificate to the YugabyteDB Anywhere Trust Store, do the following: - -1. Navigate to **Admin > CA Certificates**. - -1. Click **Upload Trusted CA Certificate**. - -1. Enter a name for the certificate. - -1. Click **Upload**, select your certificate (in .crt format) and click **Save CA Certificate**. - -### Rotate a certificate in your trust store - -To rotate a certificate in your YugabyteDB Anywhere Trust Store, do the following: - -1. Navigate to **Admin > CA Certificates**. - -1. Click the **...** button for the certificate and choose **Update Certificate**. - -1. Click **Upload**, select your certificate (in .crt format) and click **Save CA Certificate**. - -### Delete a certificate in your trust store - -To delete a certificate in your YugabyteDB Anywhere Trust Store, do the following: - -1. Navigate to **Admin > CA Certificates**. - -1. Click the **...** button for the certificate and choose **Delete**, then click **Delete CA Certificate**. diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/_index.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/_index.md new file mode 100644 index 000000000000..410e552ad5de --- /dev/null +++ b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/_index.md 
@@ -0,0 +1,90 @@ +--- +title: Encryption in transit in YugabyteDB Anywhere +headerTitle: Encryption in transit +linkTitle: Encryption in transit +description: Use encryption in transit (TLS) to secure data traffic. +headcontent: Secure intra-node and application traffic +menu: + stable_yugabyte-platform: + parent: security + identifier: enable-encryption-in-transit + weight: 40 +type: indexpage +showRightNav: true +--- + +YugabyteDB Anywhere allows you to protect data in transit by using the following: + +- Node-to-Node TLS to encrypt intra-node communication between YB-Master and YB-TServer nodes. +- Client-to-Node TLS to encrypt communication between a universe and clients. This includes applications, shells (ysqlsh, ycqlsh, psql, and so on), and other tools, using the YSQL and YCQL APIs. + +## Manage certificates + +Use YugabyteDB Anywhere to manage certificates used for encryption in transit. + +{{}} + + {{}} + + {{}} + + {{}} + + {{}} + +{{}} + +## Enable encryption in transit + +You enable Node-to-Node and Client-to-Node encryption in transit when you [create a universe](../../create-deployments/create-universe-multi-zone/). + +You can also enable and disable encryption in transit for an existing universe as follows: + +1. Navigate to your universe. +1. Click **Actions > Edit Security > Encryption in-Transit** to open the **Manage encryption in transit** dialog. +1. Enable or disable the **Enable encryption in transit for this Universe** option. +1. Click **Apply**. + +### Enforce TLS versions + +As TLS 1.0 and 1.1 are no longer accepted by PCI compliance, and considering significant vulnerabilities around these versions of the protocol, it is recommended that you migrate to TLS 1.2 or later versions. + +You can set the TLS version for node-to-node and client-node communication. 
To enforce TLS 1.2, add the following flag for YB-TServer: + +```shell +ssl_protocols = tls12 +``` + +To enforce the minimum TLS version of 1.2, you need to specify all available subsequent versions for YB-TServer, as follows: + +```shell +ssl_protocols = tls12,tls13 +``` + +In addition, as the `ssl_protocols` setting does not propagate to PostgreSQL, it is recommended that you specify the minimum TLS version (`ssl_min_protocol_version`) for PostgreSQL by setting the following YB-TServer flag: + +```shell +--ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'" +``` + +## Learn more + +- [Securing YugabyteDB: Server-to-Server Encryption in Transit](https://www.yugabyte.com/blog/yugabytedb-server-to-server-encryption/) +- [Securing YugabyteDB: SQL Client-to-Server Encryption in Transit](https://www.yugabyte.com/blog/securing-yugabytedb-client-to-server-encryption/) +- [Securing YugabyteDB: CQL Client-to-Server Encryption in Transit](https://www.yugabyte.com/blog/securing-yugabytedb-part-3-cql-client-server-encryption-transit/) diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md new file mode 100644 index 000000000000..0a2dd3fe5b0f --- /dev/null +++ b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-ca.md 
@@ -0,0 +1,113 @@ +--- +title: Add CA-signed certificates to YugabyteDB Anywhere +headerTitle: Add certificates +linkTitle: Add certificates +description: Add CA-signed certificates to YugabyteDB Anywhere. +headcontent: Use your own certificates for encryption in transit +menu: + stable_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: add-certificate-2-ca + weight: 20 +type: docs +--- + +{{}} +{{}} +{{}} +{{}} +{{}} +{{}} + +For universes created with an on-premises provider, instead of using self-signed certificates, you can use third-party certificates from external certificate authorities (CA). The third-party CA root certificate must be configured in YugabyteDB Anywhere. You also have to copy the custom CA root certificate, node certificate, and node key to the appropriate on-premises provider nodes. + +## Prerequisites + +The server and CA certificates must adhere to the following criteria: + +- Be stored in a `.crt` file, with both the certificate and the private key being in the PEM format. + + If your certificates and keys are stored in the PKCS12 format, you can [convert them to the PEM format](#convert-certificates-and-keys-from-pkcs12-to-pem-format). + +The server certificates must adhere to the following criteria: + +- Contain IP addresses of the database nodes in the Common Name or in the Subject Alternative Name. For on-premises universes where nodes are identified using DNS addresses, the server certificates should include the DNS names of the database nodes in the Common Name or Subject Alternate Name (wildcards are acceptable). + +## Add CA-signed certificates + +The following procedure describes how to install certificates on the database nodes. You have to repeat these steps for every database node that is to be used in the creation of a universe. + +### Obtain certificates and keys + +Obtain the keys and the custom CA-signed certificates for each of the on-premise nodes for which you are configuring node-to-node TLS. 
In addition, obtain the keys and the custom signed certificates for client access for configuring client-to-node TLS. + +### Copy the certificates to each node + +For each on-premises provider node, copy the custom CA certificate, node certificate, and node key to that node's file system. + +If you are enabling client-to-node TLS, make sure to copy the client-facing server certificate and client-facing server key to each of the nodes. + +In addition, ensure the following: + +- The file names and file paths of different certificates and keys are identical across all the database nodes. For example, if you name your CA root certificate as `ca.crt` on one node, then you must name it `ca.crt` on all the nodes. Similarly, if you copy `ca.crt` to `/opt/yugabyte/keys` on one node, then you must copy `ca.crt` to the same path on other nodes. +- The `yugabyte` system user has read permissions to all the certificates and keys. + +### Add the CA certificate to YugabyteDB Anywhere + +Add a CA-signed certificate to YugabyteDB Anywhere as follows: + +1. Navigate to **Configs > Security > Encryption in Transit**. + +1. Click **Add Certificate** to open the **Add Certificate** dialog. + +1. Select **CA Signed**, as per the following illustration: + + ![Add CA certificate](/images/yp/encryption-in-transit/add-cert.png) + +1. In the **Certificate Name** field, enter a meaningful name for your certificate. + +1. Upload the custom CA certificate (including any intermediate certificates in the chain) as the Root CA certificate. + + If you use an intermediate CA/issuer, but do not have the complete chain of certificates, then you need to create a bundle by executing the `cat intermediate-ca.crt root-ca.crt > bundle.crt` command, and then use this bundle as the root certificate. You might also want to [verify the certificate chain](#verify-certificate-chain). + +1. Enter the file paths for each of the certificates on the nodes. These are the paths from the previous step. + +1. 
Use the **Expiration Date** field to specify the expiration date of the certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. + +1. Click **Add** to make the certificate available. + +You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. + +### Verify certificate chain + +Perform the following steps to verify your certificates: + +1. Execute the following verify command which checks the database node certificate (node.crt) against the root CA certificate (ca.crt): + + ```sh + openssl verify ca.crt node.crt + ``` + +1. Verify that the node certificate (`node.crt`) and the node private key (`node.key`) match. See [How do I verify that a private key matches a certificate?](https://www.ssl247.com/knowledge-base/detail/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl-1527076112539/ka03l0000015hscaay/) + +1. Verify that the node certificate and Root CA certificate expiration is at least 3 months by checking the validity field in the output of the following commands: + + ```sh + openssl x509 -in node.crt -text -noout + ``` + + ```sh + openssl x509 -in ca.crt -text -noout + ``` + +1. Verify that the node certificate Common Name (CN) or Subject Alternate Name (SAN) contains the IP address or DNS name of each on-premises node on which the nodes are deployed. + + {{< note >}} +Each entry you provide for the CN or SAN must match the on-premises node as entered in the provider configuration. For example, if the node address is entered as a DNS address in the on-premises provider configuration, you must use the same DNS entry in the CN or SAN, not the resolved IP address. + {{< /note >}} + + If you face any issue with the above verification, you can customize the level of certificate validation while creating a universe that uses these certificates. 
Refer to [Customizing the verification of RPC server certificate by the client](https://www.yugabyte.com/blog/yugabytedb-server-to-server-encryption/#customizing-the-verification-of-rpc-server-certificate-by-the-client). + +{{< note >}} +The client certificates and keys are required only if you intend to use [PostgreSQL certificate-based authentication](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html#:~:text=independent%20authentication%20option-,clientcert,-%2C%20which%20can%20be). +{{< /note >}} diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md new file mode 100644 index 000000000000..3ed069276439 --- /dev/null +++ b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-hashicorp.md 
@@ -0,0 +1,189 @@ +--- +title: Add Hashicorp Vault certificates to YugabyteDB Anywhere +headerTitle: Add certificates +linkTitle: Add certificates +description: Add Hashicorp Vault certificates to YugabyteDB Anywhere. +headcontent: Use your own certificates for encryption in transit +menu: + stable_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: add-certificate-3-hashicorp + weight: 20 +type: docs +--- + +{{}} +{{}} +{{}} +{{}} +{{}} +{{}} + +YugabyteDB Anywhere allows you to add an encryption in transit configuration using HashiCorp Vault with a public key infrastructure (PKI) secret engine. This configuration can be used to enable TLS for different clusters and YugabyteDB instances. You can apply this configuration to node-to-node encryption, client-to-node encryption, or both. + +## Prerequisites + +For the correct configuration, the following criteria must be met: + +- HashiCorp Vault is unsealed. +- HashiCorp Vault with the PKI secret engine is configured and enabled. +- HashiCorp Vault URL is accessible by YugabyteDB Anywhere. +- Because HashiCorp Vault is accessed via an authentication token mechanism, a token must be created beforehand while creating a key provider with appropriate permissions. +- HashiCorp Vault needs to be running and always accessible to YugabyteDB Anywhere. +- HashiCorp PKI certificate revocation list (CRL) or CA URLs must be accessible from each node server. +- Appropriate certificates and roles have been created for YugabyteDB Anywhere usage. +- Node servers are able to validate certificates. +- Required permissions have been provided to perform various key management operations. + +## Configure HashiCorp Vault + +Before you can start configuring HashiCorp Vault, install it on a virtual machine, as per instructions provided in [Install Vault](https://www.vaultproject.io/docs/install). The vault can be set up as a multi-node cluster. 
Ensure that your vault installation meets the following requirements: + +- Has transit secret engine enabled. +- Its seal and unseal mechanism is secure and repeatable. +- Its token creation mechanism is repeatable. + +You need to configure HashiCorp Vault in order to use it with YugabyteDB Anywhere, as follows: + +1. Create a vault configuration file that references your nodes and specifies the address, as follows: + + ```properties + storage "raft" { + path = "./vault/data/" + node_id = "node1" + } + + listener "tcp" { + address = "127.0.0.1:8200" + tls_disable = "true" + } + + api_addr = "http://127.0.0.1:8200" + cluster_addr = "https://127.0.0.1:8201" + ui = true + disable_mlock = true + default_lease_ttl = "768h" + max_lease_ttl = "8760h" + ``` + + Replace `127.0.0.1` with the vault web address. + + For additional configuration options, see [Parameters](https://www.vaultproject.io/docs/configuration#parameters). + +1. Initialize the vault server by following instructions provided in [Operator init](https://www.vaultproject.io/docs/commands/operator/init). + +1. Allow access to the vault by following instructions provided in [Unsealing](https://www.vaultproject.io/docs/concepts/seal#unsealing). + +1. Enable the secret engine by executing the following command: + + ```shell + vault secrets enable pki + ``` + +1. Configure the secret engine, as follows: + + - Create a root CA or configure the top-level CA. + + - Optionally, create an intermediate CA chain and sign them. 
+ + - Create an intermediate CA for YugabyteDB, as per the following example: + + ```sh + export pki=pki + export pki_int="pki_int" + export role_i=RoleName + export ip="s.test.com" + + vault secrets enable -path=$pki_int pki + vault secrets tune -max-lease-ttl=43800h $pki_int + vault write $pki_int/intermediate/generate/internal common_name="test.com Intermediate Authority" ttl=43800h -format=json | jq -r '.data.csr' > pki_int.csr + + \# *** dump the output of the preceding command in pki_int.csr + + vault write $pki/root/sign-intermediate csr=@pki_int.csr format=pem_bundle ttl=43800h -format=json | jq -r .data.certificate > i_signed.pem + + \# *** dump the output in i_signed.pem + + vault write $pki_int/intermediate/set-signed certificate=@i_signed.pem + vault write $pki_int/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki_int/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki_int/crl" + ``` + +1. Create the vault policy, as per the following example: + + ```properties + # Enable secrets engine + path "sys/mounts/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + + # List enabled secrets engine + path "sys/mounts" { + capabilities = ["read", "list"] + } + + # Work with pki secrets engine + path "pki*" { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + ``` + +1. Generate a token with appropriate permissions (as per the referenced policy) by executing the following command: + + ```shell + vault token create -no-default-policy -policy=pki_policy + ``` + + You may also specify the following for your token: + + - `ttl` — Time to live (TTL). If not specified, the default TTL of 32 days is used, which means that the generated token will expire after 32 days. + - `period` — If specified, the token can be infinitely renewed. 
+ + YugabyteDB Anywhere automatically tries to renew the token every 12 hours after it has passed 70% of its expiry window; as a result, you should set the TTL or period to be greater than 12 hours. + + For more information, refer to [Tokens](https://developer.hashicorp.com/vault/tutorials/tokens/tokens) in the Hashicorp documentation. + +1. Create a role that maps a name in the vault to a procedure for generating a certificate, as follows: + + ```sh + vault write /roles/ allow_any_name=true allow_subdomains=true max_ttl="8640h" + ``` + + Credentials are generated against this role. + +1. Issue certificates for nodes or a YugabyteDB client: + + - For a node, execute the following: + + ```sh + vault write /issue/ common_name="" ip_sans="" ttl="860h" + ``` + + - For YugabyteDB client, execute the following: + + ```sh + vault write /issue/ common_name="" + ``` + +## Add HashiCorp Vault-provided certificates + +When you create a universe, you can enable TLS using certificates provided by HashiCorp Vault, as follows: + +1. Navigate to **Configs > Security > Encryption in Transit**. + +1. Click **Add Certificate** to open the **Add Certificate** dialog. + +1. Select **Hashicorp**. + + ![Add Hashicorp certificate](/images/yp/encryption-in-transit/add-hashicorp-cert.png) + +1. In the **Config Name** field, enter a meaningful name for your configuration. + +1. In the **Vault Address** field, specify a valid URL that includes the port number. The format is `http://0.0.0.0:0000`, which corresponds to `VAULT_HOSTNAME:0000` + +1. In the **Secret Token** field, specify the secret token for the vault. + +1. In the **Role** field, specify the role used for creating certificates. + +1. Optionally, provide the secret engine path on which the PKI is mounted. If you do not supply this information, `pki/` will be used. + +1. Click **Add** to make the certificate available. 
diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md new file mode 100644 index 000000000000..b899acfdf666 --- /dev/null +++ b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md 
@@ -0,0 +1,69 @@ +--- +title: Add cert-manager certificates to YugabyteDB Anywhere +headerTitle: Add certificates +linkTitle: Add certificates +description: Add cert-manager certificates to YugabyteDB Anywhere. +headcontent: Use your own certificates for encryption in transit +menu: + stable_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: add-certificate-4-kubernetes + weight: 20 +type: docs +--- + +{{}} +{{}} +{{}} +{{}} +{{}} +{{}} + +For a universe created on Kubernetes, YugabyteDB Anywhere allows you to configure an existing running instance of the [cert-manager](https://cert-manager.io/) as a TLS certificate provider for a cluster. + +## Prerequisites + +The following criteria must be met: + +- The cert-manager is running in the Kubernetes cluster. +- A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same CA certificate file, including any intermediate CAs, must be prepared for upload to YugabyteDB Anywhere. For intermediate certificates, the chained CA certificate can be constructed using a command similar to `cat intermediate-ca.crt root-ca.crt > bundle.crt`. +- An Issuer or ClusterIssuer Kind is configured on the cert-manager and is ready to issue certificates using the previously-mentioned root or intermediate certificate. +- Prepare the root certificate in a file (for example, `root.crt`). + +## Add certificates using cert-manager + +Add TLS certificates issued by the cert-manager as follows: + +1. Navigate to **Configs > Security > Encryption in Transit**. + +1. Click **Add Certificate** to open the **Add Certificate** dialog. + +1. Select **K8S cert-manager**. + + ![Add Kubernetes Certificate](/images/yp/encryption-in-transit/add-k8s-cert.png) + +1. In the **Certificate Name** field, enter a meaningful name for your certificate. + +1. Click **Upload Root Certificate** and select the CA certificate file that you prepared. + +1. Click **Add** to make the certificate available. 
+ +## Configure the provider + +After the certificate is added to YugabyteDB Anywhere, configure the Kubernetes provider configuration by following instructions provided in [Configure region and zones](../../../configure-yugabyte-platform/kubernetes/#configure-region-and-zones). + +In the **Add new region** dialog shown in the following illustration, you would be able to specify the Issuer name or the ClusterIssuer name for each zone. Because an Issuer Kind is a Kubernetes namespace-scoped resource, the zone definition should also set the **Namespace** field value if an Issuer Kind is selected. + +![Add new region](/images/yp/security/kubernetes-cert-manager-add-region.png) + +## Troubleshoot + +If you encounter problems, you should verify the name of Issuer or ClusterIssuer in the Kubernetes cluster, as well as ensure that the Kubernetes cluster is in Ready state. You can use the following commands: + +```sh +kubectl get ClusterIssuer +``` + +```sh +kubectl -n Issuer +``` diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md new file mode 100644 index 000000000000..f2600a6cf505 --- /dev/null +++ b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md 
@@ -0,0 +1,99 @@ +--- +title: Add self-signed certificates to YugabyteDB Anywhere +headerTitle: Add certificates +linkTitle: Add certificates +description: Add self-signed certificates to YugabyteDB Anywhere. +headcontent: Use your own certificates for encryption in transit +menu: + stable_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: add-certificate-1-self + weight: 20 +type: docs +--- + +{{}} +{{}} +{{}} +{{}} +{{}} +{{}} + +Instead of using YugabyteDB Anywhere-provided certificates, you can use your own self-signed certificates that you upload to YugabyteDB Anywhere. + +## Prerequisites + +The certificates must meet the following criteria: + +- Be in the `.crt` format and the private key must be in the `.pem` format, with both of these artifacts available for upload. + +YugabyteDB Anywhere produces the node (leaf) certificates from the uploaded certificates and copies the certificate chain, leaf certificate, and private key to the nodes in the cluster. + +### Convert certificates and keys from PKCS12 to PEM format + +If your certificates and keys are stored in the PKCS12 format, you can convert them to the PEM format using OpenSSL. + +Start by extracting the certificate via the following command: + +```sh +openssl pkcs12 -in cert-archive.pfx -out cert.pem -clcerts -nokeys +``` + +To extract the key and write it to the PEM file unencrypted, execute the following command: + +```sh +openssl pkcs12 -in cert-archive.pfx -out key.pem -nocerts -nodes +``` + +If the key is protected by a passphrase in the PKCS12 archive, you are prompted for the passphrase. + +## Add self-signed certificates + +To add self-signed certificates to YugabyteDB Anywhere: + +1. Navigate to **Configs > Security > Encryption in Transit**. + +1. Click **Add Certificate** to open the **Add Certificate** dialog. + +1. Select **Self Signed**. + + ![Add Self Signed certificate](/images/yp/encryption-in-transit/add-self-cert.png) + +1. 
In the **Certificate Name** field, enter a meaningful name for your certificate. + +1. Click **Upload Root Certificate**, then browse to the root certificate file (`.crt`) and upload it. + +1. Click **Upload Key**, then browse to the root certificate file (`.key`) and upload it. + +1. In the **Expiration Date** field, specify the expiration date of the root certificate. To find this information, execute the `openssl x509 -in -text -noout` command and note the **Validity Not After** date. + +1. Click **Add** to make the certificate available. + +## Validate certificates + +When configuring and using certificates, SSL issues may occasionally arise. You can validate your certificates and keys as follows: + +- Verify that the CA CRT and CA private key match by executing the following commands: + + ```shell + openssl rsa -noout -modulus -in ca.key | openssl md5 + openssl x509 -noout -modulus -in ca.crt | openssl md5 + + \# outputs should match + ``` + +- Verify that the CA CRT is actually a certificate authority by executing the following command: + + ```shell + openssl x509 -text -noout -in ca.crt + + \# Look for fields + + X509v3 Basic Constraints: + + CA:TRUE + ``` + +- Verify that certificates and keys are in PEM format (as opposed to the DER or other format). If these artifacts are not in the PEM format and you require assistance with converting them or identifying the format, consult [Converting certificates](https://support.globalsign.com/ssl/ssl-certificates-installation/converting-certificates-openssl). + +- Ensure that the private key does not have a passphrase associated with it. For information on how to identify this condition, see [Decrypt an encrypted SSL RSA private key](https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/). 
diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md new file mode 100644 index 000000000000..be142ccab0a1 --- /dev/null +++ b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/auto-certificate.md 
@@ -0,0 +1,95 @@ +--- +title: Automatically generated certificates on YugabyteDB Anywhere +headerTitle: Auto-generated certificates +linkTitle: Auto-generated certificates +description: YugabyteDB Anywhere-generated self-signed certificates. +headcontent: Let YugabyteDB Anywhere manage certificates for your universe +menu: + stable_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: auto-certificate + weight: 10 +type: docs +--- + +YugabyteDB Anywhere can automatically create and manage self-signed certificates for universes when you create them. These certificates may be shared between universes in a single instance of YugabyteDB Anywhere. + +Automatically generated certificates are named using the following convention: + +```sh +yb-environment-universe_name +``` + +where *environment* is the environment type (either `dev`, `stg`, `demo`, or `prod`) that was used during the tenant registration (admin user creation), and *universe_name* is the provided universe name. + +YugabyteDB Anywhere generates the root CA certificate, root private key, and node-level certificates (assuming node-to-node or client-to-node encryption is enabled), and then provisions those artifacts to the database nodes any time nodes are created or added to the cluster. The following three files are copied to each node: + +1. The root certificate (`ca.cert`). +1. The node certificate (`node.ip_address.crt`). +1. The node private key (`node.ip_address.key`). + +YugabyteDB Anywhere retains the root certificate and the root private key for all interactions with the cluster. + +To view the certificate details, navigate to **Configs > Security > Encryption in Transit** and click **Show details**. + +## Customize the organization name in self-signed certificates + +YugabyteDB Anywhere automatically creates self-signed certificates when you run some workflows, such as create universe. The organization name in certificates is set to `example.com` by default. 
+ +If you are using YugabyteDB Anywhere version 2.18.2 or later to manage universes with YugabyteDB version 2.18.2 or later, you can set a custom organization name using the global [runtime configuration](../../../administer-yugabyte-platform/manage-runtime-config/) flag, `yb.tlsCertificate.organizationName`. + +Note that, for the change to take effect, you need to set the flag _before_ you run a workflow that generates a self-signed certificate. + +Customize the organization name as follows: + +1. In YugabyteDB Anywhere, navigate to **Admin** > **Advanced** and select the **Global Configuration** tab. +1. In the **Search** bar, enter `yb.tlsCertificate.organizationName` to view the flag, as per the following illustration: + + ![Custom Organization name](/images/yp/encryption-in-transit/custom-org-name.png) + +1. Click **Actions** > **Edit Configuration**, enter a new Config Value, and click **Save**. + +## Validate custom organization name + +You can verify the organization name by running the following `openssl x509` command: + +```sh +openssl x509 -in ca.crt -text +``` + +```output {hl_lines=[6]} +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1683277970271 (0x187eb2f7b5f) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=yb-dev-sb-ybdemo-univ1~2, O=example.com + Validity + Not Before: May 5 09:12:50 2023 GMT + Not After : May 5 09:12:50 2027 GMT +``` + +Notice that default value is `O=example.com`. 
+ +After setting the runtime configuration to a value of your choice, (`org-foo` in this example), you should see output similar to the following: + +```sh +openssl x509 -in ca.crt -text -noout +``` + +```output +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1689376612248 (0x18956b15f98) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo + Validity + Not Before: Jul 14 23:16:52 2023 GMT + Not After : Jul 14 23:16:52 2027 GMT + Subject: CN = yb-dev-sb-ybdemo-univ1~2, O = org-foo + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: +``` diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md new file mode 100644 index 000000000000..e1500da8997a --- /dev/null +++ b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md 
@@ -0,0 +1,55 @@ +--- +title: Rotate certificates on YugabyteDB Anywhere +headerTitle: Rotate certificates +linkTitle: Rotate certificates +description: Rotate certificates on YugabyteDB Anywhere. +headcontent: Rotate certificates used by a universe +menu: + stable_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: rotate-certificates + weight: 30 +type: docs +--- + +You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates. + +Before rotating certificates, ensure that you have added the certificates to YugabyteDB Anywhere. Refer to [Add certificates](../add-certificate-self/). + +**Client-to-node certificates** + +Regardless of whether the client-to-node certificates are expired or not expired, you can always trigger a rolling upgrade to rotate the certificates. + +- If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime. +- If the universe was created after v2.16.6, then the rotation can be done without a restart and no downtime. + +**Node-to-node certificates** + +If the certificate has expired, the rotation requires a simultaneous restart of all nodes, resulting in some downtime. + +If the certificate has not expired, the rotation can be done using a rolling upgrade. + +- If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime. +- If the universe is created after v2.16.6, then the rotation can be done without a restart and no downtime. + +You can always opt to not perform rolling updates to update all nodes at the same time, but this will result in downtime. + +## Rotate certificates + +To modify encryption in transit settings and rotate certificates for a universe, do the following: + +1. Navigate to your universe. + +1. 
Click **Actions > Edit Security > Encryption in-Transit** to open the **Manage encryption in transit** dialog. + + ![Rotate certificates](/images/yp/encryption-in-transit/rotate-cert.png) + +1. To rotate the CA certificate, on the **Certificate Authority** tab, select the new CA certificate(s). + + If you wish to have YBA generate a new self-signed CA certificate [automatically](../auto-certificate/), delete the root certificate field. + +1. To rotate the server certificates, on the **Server Certificate** tab, select the **Rotate Node-to-Node Server Certificate** and **Rotate Client-to-Node Server Certificate** options as appropriate. + +1. Select the **Use rolling upgrade to apply this change** option to perform the upgrade in a rolling update (recommended) and enter the number of seconds to wait between node upgrades. + +1. Click **Apply**. diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md new file mode 100644 index 000000000000..286799bcd215 --- /dev/null +++ b/docs/content/stable/yugabyte-platform/security/enable-encryption-in-transit/trust-store.md 
@@ -0,0 +1,54 @@ +--- +title: Add CA-signed certificates to YugabyteDB Anywhere +headerTitle: Add certificates to your trust store +linkTitle: Trust store +description: Add certificates to the YugabyteDB Anywhere trust store. +headcontent: Add certificates for third-party services +menu: + stable_yugabyte-platform: + parent: enable-encryption-in-transit + identifier: trust-store + weight: 40 +type: docs +--- + +YugabyteDB Anywhere uses certificates to validate connections between YugabyteDB Anywhere and other external services, including: + +- [LDAP](../../../administer-yugabyte-platform/ldap-authentication/) +- [OIDC](../../../administer-yugabyte-platform/oidc-authentication/) +- [Webhook](../../../alerts-monitoring/set-up-alerts-health-check/) +- [S3 backup storage](../../../back-up-restore-universes/configure-backup-storage/) +- [Hashicorp Vault](../../create-kms-config/hashicorp-kms/) +- Other [YugabyteDB Anywhere high availability](../../../administer-yugabyte-platform/high-availability/) replicas. + +When using self-signed or custom CA certificates, to enable YugabyteDB Anywhere to validate your TLS connections, you _must_ add the certificates to the YugabyteDB Anywhere Trust Store + +## Add certificates to your trust store + +To add a certificate to the YugabyteDB Anywhere Trust Store, do the following: + +1. Navigate to **Admin > CA Certificates**. + +1. Click **Upload Trusted CA Certificate**. + +1. Enter a name for the certificate. + +1. Click **Upload**, select your certificate (in .crt format) and click **Save CA Certificate**. + +## Rotate a certificate in your trust store + +To rotate a certificate in your YugabyteDB Anywhere Trust Store, do the following: + +1. Navigate to **Admin > CA Certificates**. + +1. Click the **...** button for the certificate and choose **Update Certificate**. + +1. Click **Upload**, select your certificate (in .crt format) and click **Save CA Certificate**. 
+ +## Delete a certificate in your trust store + +To delete a certificate in your YugabyteDB Anywhere Trust Store, do the following: + +1. Navigate to **Admin > CA Certificates**. + +1. Click the **...** button for the certificate and choose **Delete**, then click **Delete CA Certificate**. From 7017431740255124de9f8c76a3c1304e2f08b454 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Wed, 17 Jul 2024 21:10:44 -0400 Subject: [PATCH 23/24] copy to stable --- .../stable/explore/fault-tolerance/_index.md | 2 +- .../high-availability.md | 2 +- .../configure-yugabyte-platform/kubernetes.md | 2 +- .../create-deployments/connect-to-universe.md | 43 +++--- .../create-universe-multi-zone-kubernetes.md | 6 +- .../create-universe-multi-zone.md | 33 ++++- .../manage-deployments/edit-universe.md | 2 +- .../yugabyte-platform/prepare/networking.md | 2 +- .../yugabyte-platform/security/_index.md | 93 ++++++------ .../security/authorization-platform.md | 8 +- .../security/customize-ports.md | 28 ---- .../security/enable-encryption-at-rest.md | 139 ------------------ .../stable/yugabyte-platform/yba-overview.md | 2 +- 13 files changed, 109 insertions(+), 253 deletions(-) delete mode 100644 docs/content/stable/yugabyte-platform/security/customize-ports.md delete mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-at-rest.md diff --git a/docs/content/stable/explore/fault-tolerance/_index.md b/docs/content/stable/explore/fault-tolerance/_index.md index 986fa265a985..ba165019c705 100644 --- a/docs/content/stable/explore/fault-tolerance/_index.md +++ b/docs/content/stable/explore/fault-tolerance/_index.md 
@@ -14,7 +14,7 @@ type: indexpage showRightNav: true --- -Resiliency, in the context of cloud databases, refers to the ability to withstand and recover from various types of failures, ranging from hardware malfunctions and software bugs to network outages and natural disasters. A resilient database system is designed to maintain data integrity, accessibility, and continuity of operations, even in the face of adverse events. Achieving resilience in cloud databases requires a multi-faceted approach, involving robust architectural design, effective data replication and backup strategies, load balancing, failover mechanisms, and comprehensive monitoring and incident response procedures. +Resiliency, in the context of cloud databases, refers to the ability to withstand and recover from various types of failures. These can range from hardware malfunctions and software bugs to network outages and natural disasters. A resilient database system is designed to maintain data integrity, accessibility, and continuity of operations, even in the face of adverse events. Achieving resilience in cloud databases requires a multi-faceted approach, involving robust architectural design, effective data replication and backup strategies, load balancing, failover mechanisms, and comprehensive monitoring and incident response procedures. YugabyteDB has been designed ground up to be resilient. YugabyteDB can continuously serve requests in the event of planned or unplanned outages, such as system upgrades and outages related to a node, availability zone, or region. YugabyteDB's High availability is achieved through a combination of distributed architecture, data replication, consensus algorithms, automatic rebalancing, and failure detection mechanisms, ensuring that the database remains available, consistent, and resilient to failures of fault domains. 
diff --git a/docs/content/stable/yugabyte-platform/administer-yugabyte-platform/high-availability.md b/docs/content/stable/yugabyte-platform/administer-yugabyte-platform/high-availability.md index 8ab6bb467915..7e89080a5f2c 100644 --- a/docs/content/stable/yugabyte-platform/administer-yugabyte-platform/high-availability.md +++ b/docs/content/stable/yugabyte-platform/administer-yugabyte-platform/high-availability.md @@ -141,7 +141,7 @@ For example, if your metrics retention is 14 days on your active instance, and y After HA is operational, it is recommended that you enable certificate validation to improve security of communication between the active and any standby instances. Enable certificate validation as follows: -1. Add certificates for the active and all standbys to the active instance [trust store](../../security/enable-encryption-in-transit/#add-certificates-to-your-trust-store). +1. Add certificates for the active and all standbys to the active instance [trust store](../../security/enable-encryption-in-transit/trust-store/). - If YBA was set up to use a custom server certificate, locate the corresponding Certificate Authority (CA) certificate. - If YBA was set up to use automatically generated self-signed certificates and you installed YBA using YBA Installer, locate the CA certificate at `/opt/yugabyte/data/yba-installer/certs/ca_cert.pem` on both the YBA active and standby instances. (If you configured a custom install root, replace `/opt/yugabyte` with the path you configured.) diff --git a/docs/content/stable/yugabyte-platform/configure-yugabyte-platform/kubernetes.md b/docs/content/stable/yugabyte-platform/configure-yugabyte-platform/kubernetes.md index c0d803b1aa22..85104b90c75d 100644 --- a/docs/content/stable/yugabyte-platform/configure-yugabyte-platform/kubernetes.md +++ b/docs/content/stable/yugabyte-platform/configure-yugabyte-platform/kubernetes.md 
@@ -120,7 +120,7 @@ Continue configuring your Kubernetes provider by clicking **Add region** and com 1. Complete the **Overrides** field using one of the provided [options](#overrides). If you do not specify anything, YBA uses defaults specified inside the Helm chart. For additional information, see [Open source Kubernetes](../../../deploy/kubernetes/single-zone/oss/helm-chart/). -1. If you are using [Kubernetes cert-manager](https://cert-manager.io) to manage TLS certificates, specify the issuer type and enter the issuer name. For more information, refer to [Enable encryption in transit](../../security/enable-encryption-in-transit/#kubernetes-cert-manager). +1. If you are using [Kubernetes cert-manager](https://cert-manager.io) to manage TLS certificates, specify the issuer type and enter the issuer name. For more information, refer to [Enable encryption in transit](../../security/enable-encryption-in-transit/add-certificate-kubernetes/). If required, add a new zone by clicking **Add Zone**, as your configuration may have multiple zones. diff --git a/docs/content/stable/yugabyte-platform/create-deployments/connect-to-universe.md b/docs/content/stable/yugabyte-platform/create-deployments/connect-to-universe.md index 786964e574ef..f7db84b41830 100644 --- a/docs/content/stable/yugabyte-platform/create-deployments/connect-to-universe.md +++ b/docs/content/stable/yugabyte-platform/create-deployments/connect-to-universe.md 
@@ -21,13 +21,21 @@ You can connect to the database on a universe in the following ways: ## Download the universe certificate -If the universe uses encryption in transit, to connect you need to first download the universe TLS root certificate. Do the following: +If the universe uses Client-to-Node encryption in transit, to connect you need to first download the universe TLS certificate. Do the following: 1. Navigate to **Configs > Security > Encryption in Transit**. -1. Find the certificate for your universe in the list and click **Actions** and download the certificate. +1. Find your universe in the list. -For more information on connecting to TLS-enabled universes, refer to [Connect to clusters](../../security/enable-encryption-in-transit/#connect-to-clusters). +1. Click **Actions** and choose **Download Root CA Cert**. + + This downloads the `root.crt` file. + +For information on connecting using a client shell using this certificate, see [Connect from your desktop](#connect-from-your-desktop). + +To use TLS to connect an application, refer to the [driver documentation](../../../reference/drivers/). If you are using a PostgreSQL JDBC driver to connect to YugabyteDB, you can also refer to [Configuring the client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for more details. + +If you are using PostgreSQL/YugabyteDB JDBC driver with SSL, you need to convert the certificates to DER format. To do this, you need to perform only steps 6 and 7 from [Set up SSL certificates for Java applications](../../../reference/drivers/java/postgres-jdbc-reference/#set-up-ssl-certificates-for-java-applications) section after downloading the certificates. ## Connect to a universe node 
@@ -97,13 +105,13 @@ To run a shell from a universe node, do the following: ### Enable Tectia SSH -By default, YBA uses OpenSSH for SSH to remote nodes. YBA also supports the use of Tectia SSH that is based on the latest SSH G3 protocol. +By default, YugabyteDB Anywhere uses OpenSSH for SSH to remote nodes. YugabyteDB Anywhere also supports the use of Tectia SSH that is based on the latest SSH G3 protocol. -[Tectia SSH](https://www.ssh.com/products/tectia-ssh/) is used for secure file transfer, secure remote access and tunnelling. YBA is shipped with a trial version of Tectia SSH client that requires a license to notify YBA to permanently use Tectia instead of OpenSSH. +[Tectia SSH](https://www.ssh.com/products/tectia-ssh/) is used for secure file transfer, secure remote access and tunnelling. YugabyteDB Anywhere is shipped with a trial version of Tectia SSH client that requires a license to notify YugabyteDB Anywhere to permanently use Tectia instead of OpenSSH. To upload the Tectia license, manually copy it at `${storage_path}/yugaware/data/licenses/`, where _storage_path_ is the path provided during the Replicated installation. -After the license is uploaded, YBA exposes the runtime flag `yb.security.ssh2_enabled` that you need to enable, as per the following example: +After the license is uploaded, YugabyteDB Anywhere exposes the runtime flag `yb.security.ssh2_enabled` that you need to enable, as per the following example: ```shell curl --location --request PUT 'http:///api/v1/customers//runtime_config/00000000-0000-0000-0000-000000000000/key/yb.security.ssh2_enabled' 
@@ -118,21 +126,9 @@ curl --location --request PUT 'http:///api/v1/customers//runt ### Prerequisites -- If you are using a Yugabyte client shell, ensure you are running the latest versions of the shells (Yugabyte Client 2.6 or later). - - You can download using the following command on Linux or macOS: - - ```sh - $ curl -sSL https://downloads.yugabyte.com/get_clients.sh | bash - ``` - - Windows client shells require Docker. For example: - - ```sh - docker run -it yugabytedb/yugabyte-client ysqlsh -h -p - ``` +- If you are using [ysqlsh](../../../admin/ysqlsh/) or [ycqlsh](../../../admin/ycqlsh/), ensure you are running the latest versions of the shells. -- If your universe has TLS/SSL (encryption in-transit) enabled, you need to [download the certificate](#download-the-universe-certificate) to your computer. +- If your universe has Client-to-Node encryption in transit enabled, you need to [download the certificate](#download-the-universe-certificate) to your computer. - The host address of an endpoint on your universe. @@ -181,7 +177,7 @@ Replace the following: - `` with the IP address of an endpoint on your universe. - `` with your database username. - `yugabyte` with the database name, if you're connecting to a database other than the default (yugabyte). -- `` with the path to the root certificate on your computer. +- `` with the path to the universe root certificate you downloaded to your computer. To load sample data and explore an example using ysqlsh, follow the instructions in [Install the Retail Analytics sample database](../../../sample-data/retail-analytics/#install-the-retail-analytics-sample-database). @@ -203,7 +199,7 @@ Replace the following: - `` with the IP address of an endpoint on your universe. - `` with your database username. -- `` with the path to the root certificate on your computer. +- `` with the path to the universe root certificate you downloaded to your computer. 
@@ -224,7 +220,7 @@ Replace the following: - `` with the IP address of an endpoint on your universe. - `` with your database username. - `yugabyte` with the database name, if you're connecting to a database other than the default (yugabyte). -- `` with the path to the root certificate on your computer. +- `` with the path to the universe root certificate you downloaded to your computer. @@ -358,6 +354,7 @@ ycqlsh> SELECT * FROM ybdemo_keyspace.cassandrakeyvalue LIMIT 5; ## Learn more +- [Securing YugabyteDB: Client-to-Server Encryption in Transit](https://www.yugabyte.com/blog/securing-yugabytedb-client-to-server-encryption/#verification-of-server-certificates) - [ysqlsh](../../../admin/ysqlsh/) — Overview of the command line interface (CLI), syntax, and commands. - [YSQL API](../../../api/ysql/) — Reference for supported YSQL statements, data types, functions, and operators. - [ycqlsh](../../../admin/ycqlsh/) — Overview of the command line interface (CLI), syntax, and commands. diff --git a/docs/content/stable/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md b/docs/content/stable/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md index e78bd637938b..41c69725009b 100644 --- a/docs/content/stable/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md +++ b/docs/content/stable/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md 
@@ -71,8 +71,8 @@ Complete the **Security Configurations** section as follows: - **Enable YSQL Auth** - specify whether or not to enable the YSQL password authentication. - **Enable YCQL** - specify whether or not to enable the YCQL API endpoint for running Cassandra-compatible workloads. This setting is enabled by default. - **Enable YCQL Auth** - specify whether or not to enable the YCQL password authentication. -- **Enable Node-to-Node TLS** - specify whether or not to enable encryption-in-transit for communication between the database servers. This setting is enabled by default. -- **Enable Client-to-Node TLS** - specify whether or not to enable encryption-in-transit for communication between clients and the database servers. This setting is enabled by default. +- **Enable Node-to-Node TLS** - specify whether or not to enable encryption in transit for communication between the database servers. This setting is enabled by default. +- **Enable Client-to-Node TLS** - specify whether or not to enable encryption in transit for communication between clients and the database servers. This setting is enabled by default. - **Root Certificate** - select an existing security certificate or create a new one. - **Enable Encryption at Rest** - specify whether or not to enable encryption for data stored on the tablet servers. This setting is disabled by default. 
@@ -80,7 +80,7 @@ Complete the **Security Configurations** section as follows: Complete the **Advanced** section as follows: -- In the **DB Version** field, specify the YugabyteDB version. The default is either the same as the YugabyteDB Anywhere version or the latest YugabyteDB version available for YugabyteDB Anywhere. +- In the **DB Version** field, specify the YugabyteDB version. The default is either the same as the YugabyteDB Anywhere version or the latest YugabyteDB version available for YugabyteDB Anywhere. If the version you want to add is not listed, you can add it to YugabyteDB Anywhere. Refer to [Manage YugabyteDB releases](../../manage-deployments/ybdb-releases/). - Use the **Enable IPV6** field to specify whether or not you want to use IPV6 networking for connections between database servers. This setting is disabled by default. - Use the **Enable Public Network Access** field to specify whether or not to assign a load balancer or nodeport for connecting to the database endpoints over the internet. This setting is disabled by default. diff --git a/docs/content/stable/yugabyte-platform/create-deployments/create-universe-multi-zone.md b/docs/content/stable/yugabyte-platform/create-deployments/create-universe-multi-zone.md index 926bf2ce40cd..0c5e307fb2ca 100644 --- a/docs/content/stable/yugabyte-platform/create-deployments/create-universe-multi-zone.md +++ b/docs/content/stable/yugabyte-platform/create-deployments/create-universe-multi-zone.md 
@@ -84,19 +84,42 @@ Specify the instance to use for the universe nodes: ### Security Configurations +#### IP Settings + To enable public access to the universe, select the **Assign Public IP** option. -Enable the YSQL and YCQL endpoints and database authentication. You can also enable and disable authentication after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. +#### Authentication Settings + +Enable the YSQL and YCQL endpoints and database authentication. Enter the password to use for the default database admin superuser (yugabyte for YSQL, and cassandra for YCQL). For more information, refer to [Database authorization](../../security/authorization-platform/). -Enable encryption in transit to encrypt universe traffic. Refer to [Enable encryption in transit](../../security/enable-encryption-in-transit/). +You can also enable and disable the API endpoints and authentication after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. + +By default, the API endpoints use ports 5433 (YSQL) and 9042 (YCQL). You can [customize these ports](#advanced-configuration), and, after deployment, you can modify the YCQL API and admin UI endpoint ports. To change YCQL ports, navigate to your universe, click **Actions**, choose **Edit YCQL Configuration**, and select the **Override YCQL Default Ports** option. + +#### Encryption Settings + +Enable encryption in transit to encrypt universe traffic. You can enable the following: + +- **Node-to-Node TLS** to encrypt traffic between universe nodes. +- **Client-to-Node TLS** to encrypt traffic between universe nodes and external clients. + + Note that if you want to enable Client-to-Node encryption, you first must enable Node-to-Node encryption. + +Encryption requires a certificate. 
YugabyteDB Anywhere can generate a self-signed certificate automatically, or you can use your own certificate. + +To use your own, you must first add it to YugabyteDB Anywhere; refer to [Add certificates](../../security/enable-encryption-in-transit/add-certificate-self/). + +To have YugabyteDB Anywhere generate a certificate for the universe, use the default **Root Certificate** setting of **Create New Certificate**. To use a certificate you added or a previously generated certificate, select it from the **Root Certificate** menu. + +For more information on using and managing certificates, refer to [Encryption in transit](../../security/enable-encryption-in-transit/). -Enable encryption at rest to encrypt the universe data. Refer to [Enable encryption at rest](../../security/enable-encryption-at-rest/). +To encrypt the universe data, select the **Enable encryption at rest** option and select the [KMS configuration](../../security/create-kms-config/aws-kms/) to use for encryption. For more information, refer to [Encryption at rest](../../security/enable-encryption-at-rest/). ### Advanced Configuration -Choose the version of YugabyteDB to install on the nodes. +Choose the version of YugabyteDB to install on the nodes. If the version you want to add is not listed, you can add it to YugabyteDB Anywhere. Refer to [Manage YugabyteDB releases](../../manage-deployments/ybdb-releases/). The access key is the SSH key that is created in the provider. Usually, each provider has its own access key, but if you are reusing keys across providers, they are listed here. 
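Review bot: The new port paragraph under "Authentication Settings" ("By default, the API endpoints use ports 5433 (YSQL) and 9042 (YCQL) ...") takes over the post-deployment **Override YCQL Default Ports** step from customize-ports.md, which this patch deletes, but drops that page's caution: "If you change the YCQL API endpoint on an active universe, be sure to update your applications as appropriate." Suggest carrying that sentence over after the override step. In the same hunk, under "Advanced Configuration", "If the version you want to add is not listed, you can add it" reads circularly; "the version you want to install" would follow from the preceding sentence.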
@@ -104,7 +127,7 @@ For AWS providers, you can assign an ARN to the nodes in the universe; this allo To use cron instead of systemd for managing nodes, you can disable systemd services. This not recommended. -To customize the ports used for the universe, select the **Override Deployment Ports** option and enter the custom port numbers for the services you want to change. +To customize the [ports used for the universe](../../prepare/networking/), select the **Override Deployment Ports** option and enter the custom port numbers for the services you want to change. Any value from `1024` to `65535` is valid, as long as it doesn't conflict with anything else running on nodes to be provisioned. ### G-Flags diff --git a/docs/content/stable/yugabyte-platform/manage-deployments/edit-universe.md b/docs/content/stable/yugabyte-platform/manage-deployments/edit-universe.md index ba49842f7bd8..80666a5cd90f 100644 --- a/docs/content/stable/yugabyte-platform/manage-deployments/edit-universe.md +++ b/docs/content/stable/yugabyte-platform/manage-deployments/edit-universe.md 
@@ -38,7 +38,7 @@ YugabyteDB Anywhere performs these modifications through the [YB-Masters](../../ Note that you can't change the replication factor of a universe. -To change the number of nodes of universes created with an on-premises cloud provider and secured with third-party certificates obtained from external certification authorities, follow the instructions in [Expand the universe](../../security/enable-encryption-in-transit#expand-the-universe). +To change the number of nodes of universes created with an on-premises cloud provider and secured with third-party certificates obtained from external certification authorities, you must first add the certificates to the nodes you will add to the universe. Refer to [Add certificates](../../security/enable-encryption-in-transit/add-certificate-ca/). Ensure that the certificates are signed by the same external CA and have the same root certificate. In addition, ensure that you copy the certificates to the same locations that you originally used when creating the universe. ### Smart resize diff --git a/docs/content/stable/yugabyte-platform/prepare/networking.md b/docs/content/stable/yugabyte-platform/prepare/networking.md index 60481addf5f1..84510fa85577 100644 --- a/docs/content/stable/yugabyte-platform/prepare/networking.md +++ b/docs/content/stable/yugabyte-platform/prepare/networking.md @@ -18,7 +18,7 @@ YugabyteDB Anywhere (YBA) needs to be able to access nodes that will be used to ![YugabyteDB Anywhere network and ports](/images/yb-platform/prepare/yba-networking.png) -The following ports need to be open. (The default port numbers can be customized.) +The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | diff --git a/docs/content/stable/yugabyte-platform/security/_index.md b/docs/content/stable/yugabyte-platform/security/_index.md index 238de3dbdb5e..adecab2fae6b 100644 --- a/docs/content/stable/yugabyte-platform/security/_index.md 
+++ b/docs/content/stable/yugabyte-platform/security/_index.md 
@@ -13,48 +13,51 @@ weight: 660 type: indexpage --- -{{}} - - {{}} - - {{}} - - {{}} - - {{}} - - {{}} - - {{}} - - {{}} - -{{}} +You can apply security measures to protect your YugabyteDB Anywhere instance and YugabyteDB universes. + +## Network security + +You need to ensure that YugabyteDB Anywhere and the database run in a trusted network environment. You should restrict machine and port access, based on the following guidelines: + +- Servers running YugabyteDB services are directly accessible only by YugabyteDB Anywhere, servers running the application, and database administrators. +- Only YugabyteDB Anywhere and servers running applications can connect to YugabyteDB services on the RPC ports. Access to the YugabyteDB ports should be denied to everybody else. + +{{}} +For information on networking and port requirements, refer to [Networking](../prepare/networking/). +{{}} + +## Database authentication + +Authentication requires that all clients provide valid credentials before they can connect to a YugabyteDB universe. The authentication credentials in YugabyteDB are stored internally in the YB-Master system tables. The authentication mechanisms available to users depends on what is supported and exposed by the YSQL and YCQL APIs. + +You enable authentication for the YSQL and YCQL APIs when you deploy a universe. See [Enable database authentication](authorization-platform/#enable-database-authentication). + +YugabyteDB Anywhere and YugabyteDB also support LDAP and OIDC for managing authentication. See [Database authentication](authentication/). + +For more information on authentication in YugabyteDB, see [Enable authentication](../../secure/enable-authentication/). + +## Role-based access control + +Roles can be assigned to grant users only the essential privileges based on the operations they need to perform in YugabyteDB Anywhere, and in YugabyteDB universes. 
+ +To manage access to your YugabyteDB Anywhere instance, typically you create a [Super Admin role first](../install-yugabyte-platform/create-admin-user/). The Super Admin can create additional admins and other users with fewer privileges. For information on how to manage YugabyteDB Anywhere users and roles, see [Manage YugabyteDB Anywhere users](../administer-yugabyte-platform/anywhere-rbac/). + +For information on how to manage database roles and users, see [Database authorization](authorization-platform/). + +## Encryption in transit + +Encryption in transit (TLS) ensures that network communication between servers is secure. You can configure YugabyteDB to use TLS to encrypt intra-cluster (Node-to-Node) and client to server (Client-to-Node) network communication. You should enable encryption in transit in YugabyteDB universes and clients to ensure the privacy and integrity of data transferred over the network. + +{{}} +For more information, see [Encryption in transit](enable-encryption-in-transit/). +{{}} + +## Encryption at rest + +Encryption at rest ensures that data at rest, stored on disk, is protected. You can configure YugabyteDB universes with a user-generated symmetric key to perform universe-wide encryption. + +Encryption at rest in YugabyteDB Anywhere uses a master key to encrypt and decrypt universe keys. The master key details are stored in YugabyteDB Anywhere in [key management service (KMS) configurations](create-kms-config/aws-kms/). You enable encryption at rest for a universe by assigning the universe a KMS configuration. The master key designated in the configuration is then used for generating the universe keys used for encrypting the universe data. + +{{}} +For more information, see [Enable encryption at rest](enable-encryption-at-rest/). +{{}} diff --git a/docs/content/stable/yugabyte-platform/security/authorization-platform.md b/docs/content/stable/yugabyte-platform/security/authorization-platform.md index 628d466fc7e8..e5e9f14a3c45 100644 
--- a/docs/content/stable/yugabyte-platform/security/authorization-platform.md +++ b/docs/content/stable/yugabyte-platform/security/authorization-platform.md @@ -21,17 +21,17 @@ YugabyteDB uses [role-based access control](../../../secure/authorization/) (RBA (For information on managing access to your YugabyteDB Anywhere instance, refer to [Manage account users](../../administer-yugabyte-platform/anywhere-rbac/).) -## Enable database authentication +## Enable database authorization You enable the YSQL and YCQL endpoints and database authentication when deploying a universe. -On the **Create Universe > Primary Cluster** page, under **Security Configurations**, enable the **Authentication Settings** for the APIs you want to use, as shown in the following illustration. +On the **Create Universe > Primary Cluster** page, under **Security Configurations > Authentication Settings**, enable the endpoints and authorization for the APIs you want to use, as shown in the following illustration. ![Enable YSQL and YCQL endpoints](/images/yp/security/enable-endpoints.png) Enter the password to use for the default database admin superuser (`yugabyte` for YSQL, and `cassandra` for YCQL). -You can also enable and disable the endpoints and authentication after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. +You can also enable and disable the endpoints and authorization after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. ## Default roles and users @@ -47,7 +47,7 @@ yugabyte=> \du ```output List of roles - Role name | Attributes | Member of + Role name | Attributes | Member of --------------+------------------------------------------------------------+----------- postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {} yb_db_admin | No inheritance, Cannot login | {} 
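Review bot: Renaming the heading to "## Enable database authorization" in the @@ -21,17 hunk of authorization-platform.md changes the generated heading anchor, but the new security/_index.md text in this patch still links to `authorization-platform/#enable-database-authentication`, so that link will no longer land on the section. Either keep the original heading or update the link in _index.md. The first sentence under the renamed heading also still says "You enable the YSQL and YCQL endpoints and database authentication when deploying a universe", so the section now mixes both terms; pick one and use it throughout.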
diff --git a/docs/content/stable/yugabyte-platform/security/customize-ports.md b/docs/content/stable/yugabyte-platform/security/customize-ports.md deleted file mode 100644 index 96e31ce9b2c5..000000000000 --- a/docs/content/stable/yugabyte-platform/security/customize-ports.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -title: Configure ports -headerTitle: Configure ports -linkTitle: Configure ports -description: Configure ports -menu: - stable_yugabyte-platform: - parent: security - identifier: customize-ports - weight: 20 -type: docs ---- - -YugabyteDB Anywhere and the universes it manages use a set of [default ports](../../prepare/networking/) to manage access to services. - -When deploying a universe, YugabyteDB Anywhere allows you to customize these ports. - -## Customize ports - -On the **Create Universe > Primary Cluster** page, under **Advanced Configuration**, enable the **Override Deployment Ports** option, as shown in the following illustration: - -![Override Deployment Ports](/images/yp/security/override-deployment-ports.png) - -Replace the default values with the values identifying the port that each process should use. Any value from `1024` to `65535` is valid, as long as this value does not conflict with anything else running on nodes to be provisioned. - -After deployment, you can modify the YCQL API and admin UI endpoint ports. To change ports, navigate to your universe, click **Actions**, choose **Edit YCQL Configuration**, and select the **Override YCQL Default Ports** option. - -If you change the YCQL API endpoint on an active universe, be sure to update your applications as appropriate. diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-at-rest.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-at-rest.md deleted file mode 100644 index 939ee6e46291..000000000000 --- a/docs/content/stable/yugabyte-platform/security/enable-encryption-at-rest.md +++ /dev/null 
@@ -1,139 +0,0 @@ ---- -title: Enable encryption at rest -headerTitle: Enable encryption at rest -linkTitle: Enable encryption at rest -description: Enable encryption at rest -menu: - stable_yugabyte-platform: - parent: security - identifier: enable-encryption-at-rest - weight: 45 -type: docs ---- - -Data at rest in a YugabyteDB universe should be protected from unauthorized users by encrypting it. You do this by enabling encryption at rest. When enabled, the data in your universe is secured using envelope encryption, whereby multiple encryption keys are used to encrypt data, and those keys are in turn encrypted by other keys in a key hierarchy. - -YugabyteDB Anywhere uses the following types of keys for envelope encryption: - -| Key | Description | -| :--- | :--- | -| Data encryption keys (DEK) | Symmetric keys used to directly encrypt the data. Each file flushed from memory has a unique DEK. This key is generated in the database layer of YugabyteDB. | -| Universe key | Symmetric key used to encrypt and decrypt DEKs. A single universe key is used for all the DEKs in a universe. This key is generated by YugabyteDB Anywhere. -| Master key | The key at the highest level in the key hierarchy. The master key is used to encrypt universe keys. This key is a customer managed key (CMK) stored and managed in a Key Management Service (KMS). | - -Master key details are stored in YugabyteDB Anywhere in KMS configurations, and YugabyteDB Anywhere supports CMKs in AWS KMS, GCP KMS, Azure Key Vault, and Hashicorp Vault. You enable encryption at rest for a universe by assigning the universe a KMS configuration. For instructions on creating a KMS configuration, see [Create a KMS configuration](../create-kms-config/aws-kms/). 
- -For more information on the features, assumptions, design, data key management, universe keys, key rotations, master failures, and adding a node, see [Encryption at rest in YugabyteDB](https://github.com/yugabyte/yugabyte-db/blob/master/architecture/design/docdb-encryption-at-rest.md). - -## Manage universe encryption at rest - -You can enable encryption at rest when creating a universe, and enable and disable encryption at rest on existing universes. - -### Enable encryption at rest during universe creation - -You enable encryption at rest during universe creation as follows: - -1. Navigate to **Universes** and click **Create Universe** to open the **Create Universe** page. -1. Under **Security Configurations > Encryption Settings**, select the **Enable Encryption at Rest** option to display the **Key Management Service Config** option. -1. Select your KMS configuration from the **Key Management Service Config** list. The list displays only preconfigured KMS configurations. If you need to create one, see [Create a KMS configuration](../create-kms-config/aws-kms/). -1. Continue with your universe creation, then click **Create**. - -### Enable encryption at rest on an existing universe - -You enable encryption at rest on an existing universe as follows: - -1. Navigate to your universe, click **Actions**, and choose **Edit Security > Encryption at Rest**. - -1. In the **Manage Encryption at Rest** dialog, toggle **Enable Encryption at Rest for this Universe**. - - When the encryption is enabled, the **Key Management Service Config** option appears. - -1. Select your KMS configuration from the **Key Management Service Config** list. The list displays only preconfigured KMS configurations. If you need to create one, see [Create a KMS configuration](../create-kms-config/aws-kms/). - -1. Click **Apply**. - -### Verify encryption at rest on a universe - -You can verify that encryption at rest has been successfully configured as follows: - -1. 
Open the YugabyteDB Anywhere UI and navigate to the universe. -1. Select **Nodes**. -1. On one of the nodes, click **Master** under the **PROCESSES** column to open the overview. -1. To the right of **Replication Factor**, click **See full config** to open the **Current Cluster Config** page. -1. Verify that the configuration includes the following `encryption_info` section with the correct values: - - ```yaml - encryption_info { - encryption_enabled: true - universe_key_registry_encoded: ".*" - key_in_memory: true - latest_version_id: ".*" - } - ``` - -If your configuration includes AWS KMS, the following occurs: after the universe has been created with encryption at rest enabled, YugabyteDB Anywhere persists the universe key (because AWS does not persist any CMK-generated data keys themselves) and requests the plaintext of the master key from AWS KMS using the KMS configuration whenever it needs to provide the universe key to the master nodes. For more information, see [Create a KMS configuration using AWS KMS](../create-kms-config/aws-kms/). - -### Disable encryption at rest - -You can disable encryption at rest for a universe as follows: - -1. Navigate to the universe for which you want to rotate the keys. -2. Select **Actions > Edit Security > Encryption-at-Rest**. -3. In the **Manage Encryption at Rest** dialog, toggle **Enable Encryption at Rest for this Universe** and click **Apply**. - -To verify that encryption at rest is disabled, check the current cluster configuration for each node to see that it contains `encryption_enabled: false`. - -## Back up and restore data from an encrypted at rest universe - -When you back up and restore universe data with encryption at rest enabled, YugabyteDB Anywhere requires a KMS configuration to manage backing up and restoring encrypted universe data. 
Because of the possibility that you will need to restore data to a different universe that might have a different master key, YugabyteDB Anywhere ensures that all encrypted backups include a metadata file. The file includes a list of key IDs in the source's master key registry. - -When restoring an encrypted backup to a universe, Yugabyte Anywhere detects the correct KMS configuration used to encrypt the backup. The KMS configuration must be available in the YugabyteDB Anywhere account. - -When restoring your universe data, YugabyteDB Anywhere uses the selected KMS configuration to consume the master key ID and then retrieves the master key value for each key ID in the metadata file. Each of these keys are then sent to the destination universe to augment or build the universe key registry there. - -## Rotate keys - -You can rotate the master and universe keys. - -Note that you can choose to rotate the master key/KMS configuration _or_ rotate the universe key, but you can't do both actions at the same time. - -### Rotate the master keys - -As part of envelope encryption, the universe keys are protected by master keys. The master key resides in the KMS of your choosing and is used to encrypt and decrypt the universe keys as needed. - -YugabyteDB Anywhere uses a KMS configuration to house the information about the master key to use in envelope encryption, as well as the credentials to use to access this master key. - -You can change KMS configurations, and consequently the master keys used to encrypt the universe key, at any time. To accomplish this, do the following: - -1. [Create a new KMS configuration](../create-kms-config/aws-kms/) with the new master key to use. -1. After the KMS configuration is successfully created, go to the encryption at rest-enabled universe, and select **Actions > Edit Security > Encryption at Rest**. -1. In the **Manage Encryption at Rest** dialog, choose the new KMS configuration from the **Key Management Service Config** list. -1. 
Click **Apply** to use the new KMS configuration and master key for envelope encryption. - -{{< warning title="Deleting KMS configurations" >}} - -When you delete a KMS configuration, you will no longer be able to decrypt universe keys that were encrypted using the master key in the KMS configuration. Before deleting a configuration, make sure that you no longer need the KMS configuration, master key, or any of the key versions. Retain all KMS configurations used to encrypt data in backups and snapshots. - -{{< /warning >}} - -### Rotate the universe keys - -Enabling encryption and rotating a universe key works in two steps: - -1. Add the new universe key ID and key data to all the in-memory state of masters. -2. Issue a cluster configuration change to enable encryption with the new universe key. - -The cluster configuration change does the following: - -- Decrypts the universe key registry with the master key. -- Adds the new universe key to the registry. -- Updates the cluster configuration with the new latest key ID. -- Encrypts the registry with the master key. - -Once encryption is enabled with a new universe key, only new data is encrypted with this new key. Old data remains unencrypted, or encrypted with an older universe key, until compaction churn triggers a re-encryption with the new key. - -To rotate the universe keys, perform the following: - -1. Navigate to the universe for which you want to rotate the keys. -2. Select **Actions > Edit Security > Encryption at Rest**. -3. Select **Rotate Universe key** and click **Apply**. diff --git a/docs/content/stable/yugabyte-platform/yba-overview.md b/docs/content/stable/yugabyte-platform/yba-overview.md index 858604670f65..fea817704bb9 100644 --- a/docs/content/stable/yugabyte-platform/yba-overview.md +++ b/docs/content/stable/yugabyte-platform/yba-overview.md 
@@ -14,7 +14,7 @@ type: docs YugabyteDB Anywhere (YBA) is a self-managed database-as-a-service that allows you to deploy and operate YugabyteDB database clusters (also known as universes) at scale. -In YBA, a database cluster is called a [universe](../../architecture/key-concepts/#universe), and the terms are used interchangeably. More precisely, a universe in YBA always consists of one (and only one) primary cluster, and can optionally also include a single [read replica](../../architecture/docdb-replication/read-replicas/) cluster attached to the primary cluster. +In YBA, a database cluster is called a [universe](../../architecture/key-concepts/#universe), and the terms are used interchangeably. More precisely, a universe in YBA always consists of one (and only one) [primary cluster](../../architecture/key-concepts/#primary-cluster), and can optionally also include a single [read replica](../../architecture/key-concepts/#read-replica-cluster/) cluster attached to the primary cluster. ## Features From 4c94b13ac12ac6334f37aeeb24cdd45fc7e747a8 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Wed, 17 Jul 2024 21:20:16 -0400 Subject: [PATCH 24/24] fix pages in stable --- .../security/enable-encryption-at-rest.md | 140 ++++++++++++++++++ .../security/security-checklist-yp.md | 55 ------- 2 files changed, 140 insertions(+), 55 deletions(-) create mode 100644 docs/content/stable/yugabyte-platform/security/enable-encryption-at-rest.md delete mode 100644 docs/content/stable/yugabyte-platform/security/security-checklist-yp.md diff --git a/docs/content/stable/yugabyte-platform/security/enable-encryption-at-rest.md b/docs/content/stable/yugabyte-platform/security/enable-encryption-at-rest.md new file mode 100644 index 000000000000..eb6210b5d269 --- /dev/null +++ b/docs/content/stable/yugabyte-platform/security/enable-encryption-at-rest.md 
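Review bot: The read replica link target in the added line of the yba-overview.md hunk, `../../architecture/key-concepts/#read-replica-cluster/`, has a trailing slash after the fragment, so the fragment becomes `read-replica-cluster/` and will not match a heading id. The primary cluster link added beside it uses `#primary-cluster` with no trailing slash; drop the slash here to match.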
@@ -0,0 +1,140 @@ +--- +title: Encryption at rest in YugabyteDB Anywhere +headerTitle: Encryption at rest +linkTitle: Encryption at rest +description: Use encryption at rest in YugabyteDB Anywhere +headcontent: Encrypt your universes +menu: + stable_yugabyte-platform: + parent: security + identifier: enable-encryption-at-rest + weight: 45 +type: docs +--- + +Data at rest in a YugabyteDB universe should be protected from unauthorized users by encrypting it. You do this by enabling encryption at rest. When enabled, the data in your universe is secured using envelope encryption, whereby multiple encryption keys are used to encrypt data, and those keys are in turn encrypted by other keys in a key hierarchy. + +YugabyteDB Anywhere uses the following types of keys for envelope encryption: + +| Key | Description | +| :--- | :--- | +| Data encryption keys (DEK) | Symmetric keys used to directly encrypt the data. Each file flushed from memory has a unique DEK. This key is generated in the database layer of YugabyteDB. | +| Universe key | Symmetric key used to encrypt and decrypt DEKs. A single universe key is used for all the DEKs in a universe. This key is generated by YugabyteDB Anywhere. | +| Master key | The key at the highest level in the key hierarchy. The master key is used to encrypt universe keys. This key is a customer managed key (CMK) stored and managed in a Key Management Service (KMS). | + +Master key details are stored in YugabyteDB Anywhere in KMS configurations, and YugabyteDB Anywhere supports CMKs in AWS KMS, GCP KMS, Azure Key Vault, and Hashicorp Vault. You enable encryption at rest for a universe by assigning the universe a KMS configuration. For instructions on creating a KMS configuration, see [Create a KMS configuration](../create-kms-config/aws-kms/). 
+ +For more information on the features, assumptions, design, data key management, universe keys, key rotations, master failures, and adding a node, see [Encryption at rest in YugabyteDB](https://github.com/yugabyte/yugabyte-db/blob/master/architecture/design/docdb-encryption-at-rest.md). + +## Manage universe encryption at rest + +You can enable encryption at rest when creating a universe, and enable and disable encryption at rest on existing universes. + +### Enable encryption at rest during universe creation + +You enable encryption at rest during universe creation as follows: + +1. Navigate to **Universes** and click **Create Universe** to open the **Create Universe** page. +1. Under **Security Configurations > Encryption Settings**, select the **Enable Encryption at Rest** option to display the **Key Management Service Config** option. +1. Select your KMS configuration from the **Key Management Service Config** list. The list displays only preconfigured KMS configurations. If you need to create one, see [Create a KMS configuration](../create-kms-config/aws-kms/). +1. Continue with your universe creation, then click **Create**. + +### Enable encryption at rest on an existing universe + +You enable encryption at rest on an existing universe as follows: + +1. Navigate to your universe, click **Actions**, and choose **Edit Security > Encryption at Rest**. + +1. In the **Manage Encryption at Rest** dialog, toggle **Enable Encryption at Rest for this Universe**. + + When the encryption is enabled, the **Key Management Service Config** option appears. + +1. Select your KMS configuration from the **Key Management Service Config** list. The list displays only preconfigured KMS configurations. If you need to create one, see [Create a KMS configuration](../create-kms-config/aws-kms/). + +1. Click **Apply**. + +### Verify encryption at rest on a universe + +You can verify that encryption at rest has been successfully configured as follows: + +1. 
Open the YugabyteDB Anywhere UI and navigate to the universe. +1. Select **Nodes**. +1. On one of the nodes, click **Master** under the **PROCESSES** column to open the overview. +1. To the right of **Replication Factor**, click **See full config** to open the **Current Cluster Config** page. +1. Verify that the configuration includes the following `encryption_info` section with the correct values: + + ```yaml + encryption_info { + encryption_enabled: true + universe_key_registry_encoded: ".*" + key_in_memory: true + latest_version_id: ".*" + } + ``` + +If your configuration includes AWS KMS, the following occurs: after the universe has been created with encryption at rest enabled, YugabyteDB Anywhere persists the universe key (because AWS does not persist any CMK-generated data keys themselves) and requests the plaintext of the master key from AWS KMS using the KMS configuration whenever it needs to provide the universe key to the master nodes. For more information, see [Create a KMS configuration using AWS KMS](../create-kms-config/aws-kms/). + +### Disable encryption at rest + +You can disable encryption at rest for a universe as follows: + +1. Navigate to the universe for which you want to rotate the keys. +2. Select **Actions > Edit Security > Encryption-at-Rest**. +3. In the **Manage Encryption at Rest** dialog, toggle **Enable Encryption at Rest for this Universe** and click **Apply**. + +To verify that encryption at rest is disabled, check the current cluster configuration for each node to see that it contains `encryption_enabled: false`. + +## Back up and restore data from an encrypted at rest universe + +When you back up and restore universe data with encryption at rest enabled, YugabyteDB Anywhere requires a KMS configuration to manage backing up and restoring encrypted universe data. 
Because of the possibility that you will need to restore data to a different universe that might have a different master key, YugabyteDB Anywhere ensures that all encrypted backups include a metadata file. The file includes a list of key IDs in the source's master key registry. + +When restoring an encrypted backup to a universe, Yugabyte Anywhere detects the correct KMS configuration used to encrypt the backup. The KMS configuration must be available in the YugabyteDB Anywhere account. + +When restoring your universe data, YugabyteDB Anywhere uses the selected KMS configuration to consume the master key ID and then retrieves the master key value for each key ID in the metadata file. Each of these keys are then sent to the destination universe to augment or build the universe key registry there. + +## Rotate keys + +You can rotate the master and universe keys. + +Note that you can choose to rotate the master key/KMS configuration _or_ rotate the universe key, but you can't do both actions at the same time. + +### Rotate the master keys + +As part of envelope encryption, the universe keys are protected by master keys. The master key resides in the KMS of your choosing and is used to encrypt and decrypt the universe keys as needed. + +YugabyteDB Anywhere uses a KMS configuration to house the information about the master key to use in envelope encryption, as well as the credentials to use to access this master key. + +You can change KMS configurations, and consequently the master keys used to encrypt the universe key, at any time. To accomplish this, do the following: + +1. [Create a new KMS configuration](../create-kms-config/aws-kms/) with the new master key to use. +1. After the KMS configuration is successfully created, go to the encryption at rest-enabled universe, and select **Actions > Edit Security > Encryption at Rest**. +1. In the **Manage Encryption at Rest** dialog, choose the new KMS configuration from the **Key Management Service Config** list. +1. 
Click **Apply** to use the new KMS configuration and master key for envelope encryption. + +{{< warning title="Deleting KMS configurations" >}} + +When you delete a KMS configuration, you will no longer be able to decrypt universe keys that were encrypted using the master key in the KMS configuration. Before deleting a configuration, make sure that you no longer need the KMS configuration, master key, or any of the key versions. Retain all KMS configurations used to encrypt data in backups and snapshots. + +{{< /warning >}} + +### Rotate the universe keys + +Enabling encryption and rotating a universe key works in two steps: + +1. Add the new universe key ID and key data to all the in-memory state of masters. +2. Issue a cluster configuration change to enable encryption with the new universe key. + +The cluster configuration change does the following: + +- Decrypts the universe key registry with the master key. +- Adds the new universe key to the registry. +- Updates the cluster configuration with the new latest key ID. +- Encrypts the registry with the master key. + +Once encryption is enabled with a new universe key, only new data is encrypted with this new key. Old data remains unencrypted, or encrypted with an older universe key, until compaction churn triggers a re-encryption with the new key. + +To rotate the universe keys, perform the following: + +1. Navigate to the universe for which you want to rotate the keys. +2. Select **Actions > Edit Security > Encryption at Rest**. +3. Select **Rotate Universe key** and click **Apply**. diff --git a/docs/content/stable/yugabyte-platform/security/security-checklist-yp.md b/docs/content/stable/yugabyte-platform/security/security-checklist-yp.md deleted file mode 100644 index 28fe48937101..000000000000 --- a/docs/content/stable/yugabyte-platform/security/security-checklist-yp.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Security checklist for YugabyteDB Anywhere -headerTitle: Security checklist -linkTitle: Security checklist -description: Security measures that can be implemented to protect your YugabyteDB Anywhere and YugabyteDB universes. -menu: - stable_yugabyte-platform: - parent: security - identifier: security-checklist-yp - weight: 10 -type: docs ---- - -You can apply security measures to protect your YugabyteDB Anywhere instance and YugabyteDB universes. - -## Network Security - -You need to ensure that YugabyteDB Anywhere and the database run in a trusted network environment. You should restrict machine and port access, based on the following guidelines: - -- Servers running YugabyteDB services are directly accessible only by YugabyteDB Anywhere, servers running the application, and database administrators. -- Only YugabyteDB Anywhere and servers running applications can connect to YugabyteDB services on the RPC ports. Access to the YugabyteDB ports should be denied to everybody else. - -For information on configuring ports, refer to [Configure ports](../customize-ports/). - -## Database authentication - -Authentication requires that all clients provide valid credentials before they can connect to a YugabyteDB universe. The authentication credentials in YugabyteDB are stored internally in the YB-Master system tables. The authentication mechanisms available to users depends on what is supported and exposed by the YSQL and YCQL APIs. - -You enable authentication for the YSQL and YCQL APIs when you deploy a universe. See [Enable database authentication](../authorization-platform/#enable-database-authentication). - -YugabyteDB Anywhere and YugabyteDB also support LDAP and OIDC for managing authentication. See [Database authentication](../authentication/). - -For more information on authentication in YugabyteDB, see [Enable authentication](../../../secure/enable-authentication/). 
- -## Role-based access control - -Roles can be assigned to grant users only the essential privileges based on the operations they need to perform in YugabyteDB Anywhere, and in YugabyteDB universes. - -To manage access to your YugabyteDB Anywhere instance, typically you create a [Super Admin role first](../../install-yugabyte-platform/create-admin-user/). The Super Admin can create additional admins and other users with fewer privileges. For information on how to manage YugabyteDB Anywhere users and roles, see [Manage YugabyteDB Anywhere users](../../administer-yugabyte-platform/anywhere-rbac/). - -For information on how to manage database roles and users, see [Database authorization](../authorization-platform). - -## Encryption in transit - -Encryption in transit (TLS) ensures that network communication between servers is secure. You can configure YugabyteDB to use TLS to encrypt intra-cluster and client to server network communication. You should enable encryption in transit in YugabyteDB universes and clients to ensure the privacy and integrity of data transferred over the network. - -For more information, see [Enable encryption in transit](../enable-encryption-in-transit). - -## Encryption at rest - -Encryption at rest ensures that data at rest, stored on disk, is protected. You can configure YugabyteDB universes with a user-generated symmetric key to perform universe-wide encryption. - -Encryption at rest in YugabyteDB Anywhere uses a master key to encrypt and decrypt universe keys. The master key details are stored in YugabyteDB Anywhere in [key management service (KMS) configurations](../create-kms-config/aws-kms/). You enable encryption at rest for a universe by assigning the universe a KMS configuration. The master key designated in the configuration is then used for generating the universe keys used for encrypting the universe data. - -For more information, see [Enable encryption at rest](../enable-encryption-at-rest).
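Review bot: In the added encryption-at-rest page, step 1 of "Disable encryption at rest" reads "Navigate to the universe for which you want to rotate the keys", which looks copied from the rotation procedure; it should name the universe on which you want to disable encryption at rest. The same section writes the menu path as **Encryption-at-Rest** while the enable and rotate steps use **Encryption at Rest**, and some lists number steps 1/2/3 while others repeat `1.`; pick one form of each. In the backup section, "Yugabyte Anywhere detects" should be "YugabyteDB Anywhere", and "Each of these keys are then sent" should be "is then sent". The AWS KMS paragraph says YugabyteDB Anywhere "requests the plaintext of the master key from AWS KMS", yet the rotation section describes the master key as residing in the KMS and being used to encrypt and decrypt universe keys; this probably means the plaintext of the universe key, so please confirm the wording with the feature owner. The `encryption_info` sample is fenced as `yaml` but is not YAML; an untagged or `output` fence would be more accurate. Since the rotation section says old data stays unencrypted or under an older universe key until compaction, consider adding how an operator can confirm that re-encryption has finished.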
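Review bot: The removal of docs/content/stable/yugabyte-platform/security/security-checklist-yp.md needs a replacement page or redirect confirmed before merge. The deleted checklist is the one page that ties together network restrictions, database authentication, role-based access control, encryption in transit and encryption at rest, and nothing in the visible lines shows where that content moved. If it was relocated, add an `aliases` entry for the old URL on the new page, and check that the relative links it carried (for example `../enable-encryption-in-transit` and `../create-kms-config/aws-kms/`) still resolve from the new location.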