E-infrastructure shared between Europe and Latin America
Review Installation Openca
ULAGrid Certification Authority
Vanessa Hamar
Universidad de Los Andes – Merida, Venezuela
5th F2F
Banff, 17/07/2007
IST-2006-026409
www.eu-eela.org
Overview
• CA (offline)
– Requirements
– Web Server Installation
– Database Installation
– CA installation
– CA Configuration
• RA (online)
– Requirements
– RA Installation
– RA Configuration
• Dataexchange
• Tips
CA
Introduction
• The installation was done using:
– Openca 0.9.2.5
– Debian stable (built from jigdo)
– Linux ra 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
Requirements
• Packages
– gcc
– g++
– perl
– Perl modules: libcgi-session-perl libxml-parser-perl libauthen-sasl-perl libconvert-asn1-perl libdigest-hmac-perl libdigest-sha1-perl libintl-perl libio-socket-ssl-perl libio-stringy-perl libmime-lite-perl libmime-perl libmailtools-perl libnet-server-perl libnet-ldap-perl libparse-recdescent-perl libx500-dn-perl libxml-twig-perl libdbd-pg-perl libdbi-perl libpg-perl
Web Server Installation
• apache2
– libssl-dev
– a2dismod userdir cgid
– a2dismod cgid
– a2enmod cgi
– a2enmod ssl
– a2ensite default-443
• Configuration
• Make a directory to put your certificates in, for example:
/etc/apache2/ssl
• Create your certificate:
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
• Edit /etc/apache2/ports.conf:
Listen 80
Listen 443
Web Server Installation
• Edit /etc/apache2/sites-available/default:
NameVirtualHost *:80
<VirtualHost *:80>
• Copy the configuration file:
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-443
• Edit /etc/apache2/sites-available/default-443 and add:
NameVirtualHost *:443
<VirtualHost *:443>
...
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLOptions +StdEnvVars
• Make a link and restart:
ln -s /etc/apache2/sites-available/default-443 /etc/apache2/sites-enabled/000-default-443
/etc/init.d/apache2 restart
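The copy-and-edit steps on these two slides can be scripted and checked before apache is restarted. The script below is an added example, not from the slides or from OpenCA: it derives default-443 from default, inserts the three SSL directives after the opening tag, makes sure ports.conf listens on 443, enables the site, and refuses to run if the certificate from make-ssl-cert is not there yet. It assumes the Debian layout shown on the slides (sites-available, sites-enabled, ports.conf under one apache conf dir, passed as an argument); the demo builds a small constructed copy of that tree in a temp dir instead of touching /etc/apache2.

```sh
#!/bin/sh
# Derive the HTTPS site from the plain-HTTP one, as the slides do by hand.
# Added example; assumes a Debian-style apache conf dir passed in as $1.

make_ssl_site() {   # $1 = apache conf dir, $2 = certificate file (PEM, key + cert)
  conf=$1 cert=$2
  src=$conf/sites-available/default
  dst=$conf/sites-available/default-443
  [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
  [ -r "$cert" ] || { echo "certificate $cert not found; run make-ssl-cert first" >&2; return 1; }
  # 1) *:80 -> *:443 on the NameVirtualHost and <VirtualHost> lines;
  # 2) the three SSL directives go directly after the opening tag.
  sed -e 's/\*:80/*:443/g' \
      -e "/<VirtualHost \*:443>/a\\
    SSLEngine on\\
    SSLCertificateFile $cert\\
    SSLOptions +StdEnvVars" "$src" > "$dst" || return 1
  # 3) apache must listen on 443 (ports.conf) and the site must be enabled
  grep -q '^Listen 443$' "$conf/ports.conf" || echo 'Listen 443' >> "$conf/ports.conf"
  mkdir -p "$conf/sites-enabled" || return 1
  ln -sf "$dst" "$conf/sites-enabled/000-default-443"
}

# Pre-restart check: every directive the slides add must be present and no
# :80 definition may have survived inside the SSL site.
check_ssl_site() {  # $1 = apache conf dir
  dst=$1/sites-available/default-443
  grep -q '^NameVirtualHost \*:443' "$dst" &&
  grep -q '<VirtualHost \*:443>' "$dst" &&
  grep -q 'SSLEngine on' "$dst" &&
  grep -q "SSLCertificateFile " "$dst" &&
  grep -q '^Listen 443$' "$1/ports.conf" &&
  ! grep -q ':80' "$dst"
}

# Demo on a constructed tree in a temp dir (not a real apache configuration).
demo_ssl_site() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/etc/apache2/sites-available" "$tmp/etc/apache2/ssl" || return 1
  printf 'Listen 80\n' > "$tmp/etc/apache2/ports.conf"
  printf 'NameVirtualHost *:80\n<VirtualHost *:80>\n    DocumentRoot /var/www\n</VirtualHost>\n' \
    > "$tmp/etc/apache2/sites-available/default"
  : > "$tmp/etc/apache2/ssl/apache.pem"      # stands in for the make-ssl-cert output
  make_ssl_site "$tmp/etc/apache2" "$tmp/etc/apache2/ssl/apache.pem" || return 1
  check_ssl_site "$tmp/etc/apache2"
}
```

Run `make_ssl_site /etc/apache2 /etc/apache2/ssl/apache.pem && check_ssl_site /etc/apache2` as root on the node, then restart apache as the slide says; the check is deliberately separate so it can be re-run after any later hand edit of the site file.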
Database installation
• Add the openca user and group:
ca:~# groupadd -g 1555 openca
ca:~# useradd -u 1555 -g openca -m -s /bin/bash -c "OpenCA user" openca
• Install postgresql:
ca:~# apt-get install postgresql
• Create the database user:
ca:~# su - postgres
postgres@ca:~$ createuser -A -d -P -E openca
Enter password for new user:
Enter it again:
CREATE USER
• Create the database using the openca user:
ca:~# su - openca
openca@ca:~$ createdb -E utf8 -O openca -W openca
Password:
CREATE DATABASE
openca@ca:~$ exit
logout
CA installation
• Download the source and make the installation:
ca:/usr/local/src# tar xvzf openca-0.9.2.5.tar.gz
ca:/usr/local/src# cd OpenCA-0.9.2.5/
• Configure:
ca:/usr/local/src/OpenCA-0.9.2.5# ./configure --with-openca-user=openca \
    --with-openca-group=openca --with-webhost=ra.cecalc.ula.ve \
    --with-httpd-user=www-data --with-httpd-group=www-data \
    --with-cgi-fs-prefix=/usr/lib/cgi-bin --with-htdocs-fs-prefix=/var/www \
    --with-openca-prefix=/usr/local/openca/ca \
    --with-etc-prefix=/usr/local/openca/ca/etc \
    --with-module-prefix=/usr/local/openca/ca/modules \
    --disable-external-modules --enable-dbi --enable-rbac
ca:/usr/local/src/OpenCA-0.9.2.5# make
ca:/usr/local/src/OpenCA-0.9.2.5# make install-common
ca:/usr/local/src/OpenCA-0.9.2.5# make install-offline
CA configuration
• Edit config.xml and change the values:
ca:/usr/local/openca/ca/etc# cp config.xml config.xml.orig
ca:/usr/local/openca/ca/etc# vi config.xml
ca:/usr/local/openca/ca/etc# diff -Naur config.xml.orig config.xml
--- config.xml.orig
2007-03-02 16:16:47.000000000 -0400
+++ config.xml
2007-03-02 16:17:33.000000000 -0400
@@ -55,7 +55,7 @@
strings in national languages here.
-->
<name>ca_organization</name>
<value></value>
+
<value>CeCalCULA</value>
</option>
<option>
<!-@@ -63,7 +63,7 @@
strings in national languages here.
-->
<name>ca_locality</name>
<value></value>
+
<value>Universidad de Los Andes</value>
</option>
<option>
CA configuration
<!-@@ -72,7 +72,7 @@
this country code is ALWAYS two characters long
-->
<name>ca_country</name>
<value></value>
+
<value>VE</value>
</option>
<option>
<name>sendmail</name>
@@ -84,7 +84,7 @@
</option>
<option>
<name>service_mail_account</name>
<value></value>
+
<value>[email protected]</value>
</option>
<option>
<name>policy_link</name>
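Review bot: the hunks fill in ca_organization, ca_locality, ca_country and service_mail_account but leave policy_link, the option that opens the trailing context of the last hunk, at its default, while a later slide points CPS.1 in loa.xml at http://ra.cecalc.ula.ve/pub/cps.html; set policy_link to that same published CP/CPS URL in this edit so the public pages and the certificate policy agree. Note also that in the diff as extracted each removed `<value></value>` line has lost its `-` marker and the `+` sits on a line of its own; each hunk replaces the empty value with the one shown, it does not add a blank line.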
Openca configuration
• In config.xml, find the section below the 'dataexchange configuration' line and replace the floppy device in each of these entries:
– dataexchange_device_up: Replace /dev/fd0 by /usr/local/openca/ca/var/tmp/ca-up
– dataexchange_device_down: Replace /dev/fd0 by /usr/local/openca/ca/var/tmp/ca-down
– dataexchange_device_local: Replace /dev/fd0 by /usr/local/openca/ca/var/tmp/ra-local
• Create the empty files for dataexchange:
– touch $OPENCA_HOME/ca/var/tmp/ca-up
– touch $OPENCA_HOME/ca/var/tmp/ca-down
– touch $OPENCA_HOME/ca/var/tmp/ra-local
– chown www-data:www-data $OPENCA_HOME/ca/var/tmp/*
CA configuration
• Edit ca.conf.template:
ca:/usr/local/openca/ca/etc/servers# vi ca.conf.template
ca:/usr/local/openca/ca/etc/servers# diff -Naur ca.conf.template.orig ca.conf.template
• --- ca.conf.template.orig
2007-03-02 16:18:50.000000000 -0400
• +++ ca.conf.template
2007-03-02 16:19:30.000000000 -0400
• @@ -227,7 +227,7 @@
• SET_REQUEST_SERIAL_IN_DN "N"
• REQUEST_SERIAL_NAME "sn"
•
• -SET_CERTIFICATE_SERIAL_IN_DN "Y"
• +SET_CERTIFICATE_SERIAL_IN_DN "N"
• CERTIFICATE_SERIAL_NAME "serialNumber"
•
• DN_WITHOUT_EMAIL "Y"
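Review bot: SET_CERTIFICATE_SERIAL_IN_DN goes from "Y" to "N" here, so the serialNumber attribute named by CERTIFICATE_SERIAL_NAME is no longer added to the certificate DN; the RA's ra.conf.template (later in this deck) must carry the identical setting, otherwise the DN the RA prepares and the DN the CA issues are built by different rules. The trailing context also shows DN_WITHOUT_EMAIL "Y" here while the RA template shows "YES"; normalise both files to one spelling.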
CA configuration
• Edit loa.xml to make sure CPS.1 points to the correct CPS location:
– sed -i 's|http://some.url.org/cps|http://ra.cecalc.ula.ve/pub/cps.html|g' \
/usr/local/openca/openca/etc/loa.xml
• Change the CPS number:
<CP> <value>1.2.3.1</value>
<value>1.2.3.3.5</value>
<value>@psec</value>
</CP>
CA configuration
• Change the password for the root login:
/usr/local/openca/ca/bin/openca-digest sha1 'mypasswd'
cd /usr/local/openca/openca/etc/access_control
grep -li '<digest>' *.template
• For each match in the templates do:
sed -i 's|<digest>Actual Passwd</digest>|<digest>New Passwd</digest>|g' \
/usr/local/openca/openca/etc/access_control/xxx.template
CA configuration
• Edit the files /usr/local/openca/ra/etc/openssl/extfiles/* using the profile definitions in your CP-CPS.
• For example, /usr/local/openca/ca/etc/openssl/extfiles/User.ext.template:
– nsCertType = objsign
– nsCertType = client, email
– keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
– extendedKeyUsage = clientAuth, emailProtection, timeStamping, 1.3.6.1.4.1.19286.2.2.2.0.1.3
– nsComment = "Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela"
CA configuration
• Configure and start the service:
$OPENCA_HOME/ca/etc/configure_etc.sh
cp $OPENCA_HOME/ca/etc/openca_rc /etc/init.d/
/etc/init.d/openca_rc start
CA Initialization
• Go to http://localhost/ca and follow the links:
• General
• Initialization
• Phase I (Initialize the Certification Authority)
– Initialize Database
– Generate new CA secret key
– Generate new CA Certificate Request (use generated secret key)
– Self Signed CA Certificate (from already generated request) (Accept defaults)
– Rebuild CA Chain
CA Initialization
• General
• Initialization
• Phase II (Create the initial administrator)
– Create a new request (Fill in the form and generate the CSR for the CA Administrator)
– Edit the request (Optional)
– Issue the certificate
– Handle the certificate: Certificate and Keypair, PKCS#12, click Download.
– Import into browser. Restart browser.
CA Initialization
• General
• Initialization
• Phase III (Create the initial RA certificate)
– Create a new request (Fill in the form. Change Role to RA Operator. Generate the CSR for the RA Operator)
– Edit the request.
– Issue the certificate.
– Handle the certificate: Download.
– Import into browser.
RA
RA installation
• Follow the same steps to install the operating system, apache2, postgresql, and the requirements.
• Install openssh, and close the ports that you don't want to use.
RA installation
• Install Openca:
ra:/usr/local/src/OpenCA-0.9.2.5$ ./configure --with-openca-user=openca \
    --with-openca-group=openca --with-webhost=ra.cecalc.ula.ve \
    --with-httpd-user=www-data --with-httpd-group=www-data \
    --with-cgi-fs-prefix=/usr/lib/cgi-bin --with-htdocs-fs-prefix=/var/www \
    --with-openca-prefix=/usr/local/openca/ra \
    --with-etc-prefix=/usr/local/openca/ra/etc \
    --with-module-prefix=/usr/local/openca/ra/modules \
    --disable-external-modules --enable-dbi --enable-rbac
ra:/usr/local/src/OpenCA-0.9.2.5$ make
ra:/usr/local/src/OpenCA-0.9.2.5$ make install-common
ra:/usr/local/src/OpenCA-0.9.2.5$ make install-online
RA Configuration
ra:/usr/local/src/OpenCA-0.9.2.5$ cd /usr/local/openca/ra/etc
ra:/usr/local/openca/ra/etc$ cp config.xml config.xml.orig
ra:/usr/local/openca/ra/etc$ vi config.xml
ra:/usr/local/openca/ra/etc$ diff -Nuar config.xml.orig config.xml
--- config.xml.orig
2007-03-01 16:24:37.000000000 -0400
+++ config.xml 2007-03-01 16:26:54.000000000 -0400
@@ -55,7 +55,7 @@
strings in national languages here.
-->
<name>ca_organization</name>
<value></value>
+
<value>CeCalCULA</value>
</option>
<option>
RA Configuration
strings in national languages here.
-->
<name>ca_locality</name>
<value></value>
+
<value>Universidad de Los Andes</value>
</option>
<option>
<!-@@ -72,7 +72,7 @@
this country code is ALWAYS two characters long
-->
<name>ca_country</name>
<value></value>
+
<value>VE</value>
</option>
<option>
<name>sendmail</name>
@@ -84,7 +84,7 @@
</option>
<option>
<name>service_mail_account</name>
<value></value>
+
<value>[email protected]</value>
</option>
<option>
<name>policy_link</name>
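Review bot: these are the same four values applied to the CA's config.xml earlier in the deck; keep them byte-identical on both nodes, since both sides build the O, L and C parts of the DN from them. The ca_locality hunk here has lost its `@@` header in extraction: the lines from `strings in national languages here.` to `<value>Universidad de Los Andes</value>` are that second hunk (the CA-side diff shows it as @@ -63,7 +63,7 @@), and as on the CA side the removed `<value></value>` lines are missing their `-` marker.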
RA Configuration
– cd servers
– ra$ cp ra.conf.template ra.conf.template.orig
– ra$ vi ra.conf.template
– ra$ diff -Naur ra.conf.template.orig ra.conf.template
--- ra.conf.template.orig 2007-03-01 16:28:13.000000000 -0400
+++ ra.conf.template
2007-03-01 16:29:11.000000000 -0400
@@ -190,7 +190,7 @@
SET_REQUEST_SERIAL_IN_DN "N"
REQUEST_SERIAL_NAME "sn"
-SET_CERTIFICATE_SERIAL_IN_DN "Y"
+SET_CERTIFICATE_SERIAL_IN_DN "N"
CERTIFICATE_SERIAL_NAME "serialNumber"
DN_WITHOUT_EMAIL "YES"
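Review bot: the change itself matches the CA's ca.conf.template, which it must, so that the DN the RA prepares and the DN the CA issues follow the same rule; but the last context line, DN_WITHOUT_EMAIL "YES", differs from the "Y" shown on the CA side, so either normalise both files to one spelling or confirm that both values are accepted before going live.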
RA Configuration
• Edit loa.xml to make sure CPS.1 points to the correct CPS location:
– sed -i 's|http://some.url.org/cps|http://ra.cecalc.ula.ve/pub/cps.html|g' \
/usr/local/openca/openca/etc/loa.xml
• Change the CPS number:
<CP> <value>1.2.3.1</value>
<value>1.2.3.3.5</value>
<value>@psec</value>
</CP>
These files must be the same as on the CA machine.
RA Configuration
• Create empty files for Dataexchange:
– touch $OPENCA_HOME/ra/var/tmp/ca-down
– touch $OPENCA_HOME/ra/var/tmp/ra-down
– touch $OPENCA_HOME/ra/var/tmp/ra-local
– chown www-data:www-data $OPENCA_HOME/ra/var/tmp/*
• Change the values in config.xml:
– dataexchange_device_up: Replace /dev/fd0 by /usr/local/openca/ra/var/tmp/ca-down
– dataexchange_device_down: Replace /dev/fd0 by /usr/local/openca/ra/var/tmp/ra-down
– dataexchange_device_local: Replace /dev/fd0 by /usr/local/openca/ra/var/tmp/ra-local
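The slides do the spool-file and config.xml edits by hand on each node: the CA side earlier (ca-up, ca-down, ra-local under /usr/local/openca/ca) and the RA side here (ca-down, ra-down, ra-local under /usr/local/openca/ra). The following POSIX shell script is an added example, not from the deck or from OpenCA, that serves both slides: it creates the three files, fixes their owner, and rewrites only the `<value>` of each named dataexchange_device_* option, so the three entries cannot all end up with the same path as a blanket search-and-replace of /dev/fd0 would give, and it fails rather than edits an entry that is not still at /dev/fd0. It assumes config.xml uses OpenCA's `<option><name>…</name><value>…</value></option>` layout (on one line or several); the config the demo runs against is constructed here.

```sh
#!/bin/sh
# Point OpenCA's dataexchange devices at spool files instead of /dev/fd0.
# Added example (not from the slides or OpenCA); assumes config.xml holds
# <option><name>NAME</name><value>VALUE</value></option> entries, possibly on one line.

# Replace the /dev/fd0 value of exactly one named option, leaving the other devices alone.
set_dx_device() {   # $1 = config.xml, $2 = option name, $3 = new device path
  awk -v opt="$2" -v path="$3" '
    /<name>/  { name = $0; sub(/.*<name>/, "", name); sub(/<\/name>.*/, "", name) }
    name == opt && /<value>\/dev\/fd0<\/value>/ {
      sub(/<value>\/dev\/fd0<\/value>/, "<value>" path "</value>")
      changed++
    }
    /<\/option>/ { name = "" }
    { print }
    END { exit (changed == 1) ? 0 : 1 }   # exactly one replacement, or fail loudly
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1" || { rm -f "$1.tmp"; return 1; }
}

# Create the spool files (touch + chown, as on the slides) and wire them into config.xml.
prepare_dataexchange() {  # $1 = node prefix, $2 = owner:group, $3/$4/$5 = up/down/local file names
  prefix=$1 owner=$2 up=$3 down=$4 loc=$5
  spool=$prefix/var/tmp
  mkdir -p "$spool" || return 1
  for f in "$up" "$down" "$loc"; do : >> "$spool/$f"; done   # touch, keep any existing contents
  if [ "$(id -u)" -eq 0 ]; then
    chown "$owner" "$spool/$up" "$spool/$down" "$spool/$loc" || return 1
  else
    echo "not root: run 'chown $owner $spool/*' yourself" >&2
  fi
  set_dx_device "$prefix/etc/config.xml" dataexchange_device_up    "$spool/$up"   &&
  set_dx_device "$prefix/etc/config.xml" dataexchange_device_down  "$spool/$down" &&
  set_dx_device "$prefix/etc/config.xml" dataexchange_device_local "$spool/$loc"  &&
  ! grep -q '/dev/fd0' "$prefix/etc/config.xml"    # nothing may still point at the floppy
}

# Demo on a constructed CA-side config.xml in a temp dir.
demo_dataexchange() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/ca/etc" || return 1
  cat > "$tmp/ca/etc/config.xml" <<'EOF'
<openca_config>
  <!-- dataexchange configuration (constructed sample, three options) -->
  <option><name>dataexchange_device_up</name><value>/dev/fd0</value></option>
  <option>
    <name>dataexchange_device_down</name>
    <value>/dev/fd0</value>
  </option>
  <option>
    <name>dataexchange_device_local</name>
    <value>/dev/fd0</value>
  </option>
</openca_config>
EOF
  prepare_dataexchange "$tmp/ca" www-data:www-data ca-up ca-down ra-local || return 1
  grep -q "<name>dataexchange_device_up</name><value>$tmp/ca/var/tmp/ca-up</value>" "$tmp/ca/etc/config.xml" &&
  grep -q "<value>$tmp/ca/var/tmp/ra-local</value>" "$tmp/ca/etc/config.xml" &&
  [ -f "$tmp/ca/var/tmp/ca-down" ]
}
```

On the RA the call is `prepare_dataexchange /usr/local/openca/ra www-data:www-data ca-down ra-down ra-local`, matching the file names on this slide; on the CA it is `prepare_dataexchange /usr/local/openca/ca www-data:www-data ca-up ca-down ra-local`.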
RA Configuration
• Change the password for the root login:
/usr/local/openca/ca/bin/openca-digest sha1 'mypasswd'
cd /usr/local/openca/openca/etc/access_control
grep -li '<digest>' *.template
• For each match in the templates do:
sed -i 's|<digest>Actual Passwd</digest>|<digest>New Passwd</digest>|g' \
/usr/local/openca/openca/etc/access_control/xxx.template
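The root-login change above (the same steps appear on the CA configuration slide earlier) finds every access_control template carrying a `<digest>` and rewrites it with sed, one file at a time. The script below is an added example, not from the deck or OpenCA, that covers both slides: it takes the old and new digest strings as arguments (the new one being whatever openca-digest printed; nothing about its format is assumed), rewrites every template that holds the old digest, and reports any template whose digest is something else instead of silently skipping it, so a stale login digest cannot survive the rotation unnoticed. The template files the demo runs against are constructed here.

```sh
#!/bin/sh
# Rotate the root-login <digest> in OpenCA's access_control templates.
# Added example (not from the slides or OpenCA). $2/$3 are digest strings as
# printed by openca-digest; their format is not interpreted here.

rotate_root_digest() {  # $1 = access_control dir, $2 = old digest, $3 = new digest
  dir=$1 old=$2 new=$3 bad=0 n_ok=0
  case "$old$new" in
    *'|'*|*'&'*) echo "digest contains a sed-special character" >&2; return 1 ;;
  esac
  for f in "$dir"/*.template; do
    [ -f "$f" ] || continue
    grep -q '<digest>' "$f" || continue          # the grep -li step from the slides
    if grep -q "<digest>$old</digest>" "$f"; then
      # '|' as delimiter, as on the slides, because digests may contain '/'
      sed "s|<digest>$old</digest>|<digest>$new</digest>|g" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f" || return 1
      n_ok=$((n_ok + 1))
    else
      echo "WARNING: $f has a <digest> that is not the expected old value; fix it by hand" >&2
      bad=$((bad + 1))
    fi
  done
  echo "rotated $n_ok template(s), $bad left unchanged"
  [ "$bad" -eq 0 ] && [ "$n_ok" -gt 0 ]
}

# Post-check: true only when no template still carries the old digest.
no_stale_digest() {  # $1 = access_control dir, $2 = old digest
  ! grep -l "<digest>$2</digest>" "$1"/*.template >/dev/null 2>&1
}

# Demo on constructed templates in a temp dir (names and digests are made up here).
demo_rotate_digest() {
  tmp=$(mktemp -d) || return 1
  old='0123456789abcdef0123456789abcdef01234567'   # stands in for the shipped default digest
  new='fedcba9876543210fedcba9876543210fedcba98'   # stands in for the openca-digest output
  for n in ca_server ra_server; do
    printf '<login><name>root</name><digest>%s</digest></login>\n' "$old" > "$tmp/$n.xml.template"
  done
  printf '<role>CA Operator</role>\n' > "$tmp/roles.xml.template"   # no digest: must be skipped
  rotate_root_digest "$tmp" "$old" "$new" >/dev/null || return 1
  no_stale_digest "$tmp" "$old" || return 1
  grep -q "<digest>$new</digest>" "$tmp/ra_server.xml.template"
}
```

Typical use on a node: `rotate_root_digest /usr/local/openca/openca/etc/access_control "$OLD" "$(/usr/local/openca/ca/bin/openca-digest sha1 'newpasswd')"` followed by `no_stale_digest … "$OLD"`, then the configure_etc.sh step from the slides so the regenerated files pick up the new templates.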
RA Configuration
• Configure the templates in /usr/local/openca/ra/etc/servers:
cp /usr/local/openca/ra/etc/servers/ra.conf.template /usr/local/openca/ra/etc/servers/ra.conf.template.orig
• Edit ra.conf.template
RA Initialization
• Configure:
– ra:/usr/local/openca/ra/etc$ ./configure_etc.sh
• Copy the startup script:
– cp $OPENCA_HOME/openca_rc /etc/init.d/
• Start the service:
– /etc/init.d/openca_rc start
RA Initialization
• Go to https://ra/ra
• Administration: Server Init
• Init New Node
• Import Configuration under "PKI Setup".
• This step should report success after prompting for confirmation.
Dataexchange
Dataexchange
• Go to https://localhost/ca
– Administration
– Dataexchange
– Enroll data to a lower level of the hierarchy
– Configuration
• Next, download 'Configuration' on the ra-node as follows:
• Go to https://ra/ra
– Administration
– Dataexchange
– Download data from a higher level of the hierarchy
– Configuration
Dataexchange
• Go to https://localhost/ca
– Administration
– Dataexchange
– Enroll data to a lower level of the hierarchy
– All
• Next, download 'All' on the ra-node as follows:
• Go to https://hostname/ra-node
– Administration
– Dataexchange
– Download data from a higher level of the hierarchy
– All
CRL
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification [email protected]
Last Update: Jul 10 16:06:59 2007 GMT
Next Update: Aug 9 16:06:59 2007 GMT
CRL extensions:
X509v3 CRL Number:
1
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
...
-----BEGIN X509 CRL-----
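The CRL above is shown as openssl prints it. What a relying party (a grid service with this CA in its trust store) should check before using such a CRL is that it verifies against the CA certificate and that its Next Update has not passed; a CRL that is either unsigned by the CA or stale must be rejected rather than treated as "no revoked certificates". The shell script below is an added example, not from the deck: it performs those checks with the openssl CLI, and because it cannot use the ULAGrid key material, its demo builds a throw-away CA, one end-entity certificate and an empty CRL of its own in a temp dir (all constructed) and runs the checks against them, including the negative case of a CRL from an unrelated CA.

```sh
#!/bin/sh
# Checks a relying party should run on a CRL before trusting it. Added example;
# needs the openssl CLI. The CA, certificate and CRL used by the demo are constructed here.

# 0 = the CRL is signed by CA cert $1; 1 = reject it. Prints number and Next Update.
check_crl() {  # $1 = CA certificate (PEM), $2 = CRL (PEM)
  out=$(openssl crl -in "$2" -noout -CAfile "$1" -verify 2>&1)
  case "$out" in
    *"verify OK"*) ;;   # the only acceptable outcome; exit codes differ between versions
    *) echo "CRL rejected: does not verify against $1" >&2; return 1 ;;
  esac
  echo "CRL signed by $1: $(openssl crl -in "$2" -noout -crlnumber); $(openssl crl -in "$2" -noout -nextupdate)"
}

# 0 only when $3 chains to $1, is not listed in $2, and $2 is still current;
# openssl verify -crl_check itself fails on an expired or foreign CRL.
verify_with_crl() {  # $1 = CA certificate, $2 = CRL, $3 = end-entity certificate
  out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) || return 1
  case "$out" in *": OK"*) return 0 ;; esac
  return 1
}

# Constructed throw-away PKI: CA, one leaf, empty CRL, in dir $1 with CA name $2.
make_demo_pki() {
  d=$1 cn=$2
  mkdir -p "$d" && : > "$d/index.txt" && echo 01 > "$d/crlnumber" || return 1
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $d
database = \$dir/index.txt
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/C=VE/O=Demo/CN=$cn" -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 &&
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
      -subj "/C=VE/O=Demo/CN=user" -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
      -days 30 -sha256 -out "$d/leaf.pem" >/dev/null 2>&1 &&
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" >/dev/null 2>&1
}

demo_crl_check() {
  tmp=$(mktemp -d) || return 1
  make_demo_pki "$tmp/good" "Demo CA" || return 1
  make_demo_pki "$tmp/other" "Unrelated CA" || return 1
  check_crl "$tmp/good/ca.pem" "$tmp/good/ca.crl" >/dev/null || return 1
  verify_with_crl "$tmp/good/ca.pem" "$tmp/good/ca.crl" "$tmp/good/leaf.pem" || return 1
  # a well-formed CRL from another CA must be rejected by both checks
  ! check_crl "$tmp/good/ca.pem" "$tmp/other/ca.crl" 2>/dev/null || return 1
  ! verify_with_crl "$tmp/good/ca.pem" "$tmp/other/ca.crl" "$tmp/good/leaf.pem"
}
```

Against the real material the calls are `check_crl ulagrid-ca.pem ulagrid.crl` and `verify_with_crl ulagrid-ca.pem ulagrid.crl user.pem` (file names are placeholders); since the CRL shown is valid for 30 days, a relying party that fetches it less often than that will start failing the second check, which is the intended behaviour.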
References
• http://www.dartmouth.edu/~deploypki/CA/OpenCALiveCD.html
• http://solar.murty.net/~murty/files/openca.INSTALL.txt
• http://openca.oliwel.de/docs/guide/html_chunked/ch07.html
• http://www.vpac.org/twiki/bin/view/APACgrid/CAInstallGuide#Notes_about_the_installation
• http://www.openxpki.org/docs/guide/html_chunked/apes04.html
• http://www.vpac.org/twiki/bin/view/APACgrid/CAInstallGuide093