NDN Certification Framework (ndncert)

NOTE: This document is obsolete. Please see https://github.com/named-data/ndncert for the latest version of NDNCERT.

Prerequisites

  • ndn-cxx, NFD

    sudo apt-get install ndn-cxx ndn-cxx-dev nfd
    
  • repo-ng with proper config

    Repo will hold/serve issued certificates for the site:

    sudo apt-get install repo-ng
    

    Make sure that the repo's config (/etc/ndn/repo-ng.conf) looks like the following (only repo.data needs to be changed; the rest should stay the same).

    repo
    {
      data
      {
        prefix "ndn:/ndn/edu/ucla/KEY"
        ; prefix "ndn:/ndn/<site-name>/KEY"
      }
    
      command
      {
        prefix "ndn:/localhost/repo-ng"
      }
    
      storage
      {
        method "sqlite"             ; Currently, only sqlite storage engine is supported
        path "/var/lib/ndn/repo-ng"  ; path to repo-ng storage folder
        max-packets 1000000
      }
    
      tcp_bulk_insert {
        host "localhost"  ; Set to listen on different IP address or hostname
        port 7376  ; Set to listen on different port number
      }
    
      validator
      {
        trust-anchor {
            type any
        }
      }
    }
    

    Restart repo-ng (or the whole system) after making changes to the config file:

    sudo restart repo-ng
    
  • Custom fork of PyNDN2 installed (note: it requires Python 2.7)

    git clone https://github.com/cawka/PyNDN2
    cd PyNDN2
    sudo python setup.py install
    
  • The ndnop-process-requests script installed somewhere in the security operator's PATH

    sudo curl -L https://raw.githubusercontent.com/named-data/ndncert/master/ndnop-process-requests > /usr/local/bin/ndnop-process-requests
    sudo chmod +x /usr/local/bin/ndnop-process-requests
    

Certificate generation

Ideally, this procedure should be performed by the designated security operator personally.
Performing it on the testbed hub is only a convenience for the time being; ideally, all signing should be performed elsewhere.

NOTE: The following commands must be run as the designated ndncert user.
If your ssh login lands in a different account, switch with sudo su - ndncert (not just sudo ndncert).

Automated using ndncert

  1. Go to http://ndncert.named-data.net

  2. Enter <site-name>@operators.named-data.net as email. For example:

    /ndn/edu/university@operators.named-data.net
    
  3. Proceed to the certificate request upload page (email verification is disabled for operators.named-data.net)

  4. Install certificate using the command received from the NDN testbed root operator:

    ndnsec-install-cert

Manually

  1. Generate key pair and certification request:

    ndnsec-keygen /ndn/edu/<name>
    

    <name> is something like: wustl, colostate, umich, ...

    The output of this command is the certification request. If a signing request needs to be recreated for an existing identity (one listed by ndnsec-ls-identity), use the following command instead:

    ndnsec-sign-req /ndn/edu/<name>
    

    The signing request should be sent to the NDN trust root (currently Alex Afanasyev).

  2. The root operator will return the signed certificate (e.g., umich.ndncert). Install it with:

    ndnsec-install-cert <received-file>
    

Security operator actions

When a user requests a certificate, the operator gets an email alerting them and instructing them to run ndnop-process-requests on their node.
The operator just needs to ssh to the node, run sudo su - ndncert, and issue:

ndnop-process-requests

If there are pending requests, the script guides the operator through accepting or rejecting each one.
When a request is accepted, the certificate is created, published to the local repo (using the tcp-bulk-insert protocol, so make sure repo-ng is running before ndnop-process-requests is run), and uploaded to the web system for the user to download.
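Since publishing depends on the repo-ng config from the Prerequisites section and on repo-ng's tcp_bulk_insert endpoint being up, here is a small pre-flight check an operator can run before ndnop-process-requests. It is an added example, not code from the original page or from ndncert/repo-ng: it assumes the config keeps the INFO-style layout shown above, and the sample config embedded in it is constructed from that listing for the site "edu/ucla".

```python
import re

# Constructed sample: the repo-ng.conf from this page for site "edu/ucla",
# condensed onto fewer lines (the tokenizer below ignores line layout).
SAMPLE_CONF = """\
repo {
  data { prefix "ndn:/ndn/edu/ucla/KEY" }   ; prefix "ndn:/ndn/<site-name>/KEY"
  command { prefix "ndn:/localhost/repo-ng" }
  storage { method "sqlite"  path "/var/lib/ndn/repo-ng"  max-packets 1000000 }
  tcp_bulk_insert { host "localhost"  port 7376 }
  validator { trust-anchor { type any } }
}
"""
# INFO-style tokens: quoted value, brace, bare word, ';' comment to end of line.
TOKEN = re.compile(r'"([^"]*)"|([{}])|([^\s{}";]+)|(;[^\n]*)')

def parse_info(text):
    """Parse repo-ng's INFO-style config into nested dicts (values as strings)."""
    root, stack, key = {}, [], None
    for quoted, brace, bare, comment in TOKEN.findall(text):
        node = stack[-1] if stack else root
        if comment:
            continue
        if brace == "{":                   # open the section named by `key`
            stack.append(node.setdefault(key, {}))
            key = None
        elif brace == "}":
            stack.pop()
        elif key is None:                  # first token of a pair is the key
            key = quoted or bare
        else:                              # second token is its value
            node[key] = quoted or bare
            key = None
    return root

def preflight(conf, site):
    """List deviations from the config this page prescribes for <site>."""
    repo = conf.get("repo", {})
    want = {("data", "prefix"): "ndn:/ndn/%s/KEY" % site,
            ("command", "prefix"): "ndn:/localhost/repo-ng",
            ("storage", "method"): "sqlite",
            ("validator", "trust-anchor"): {"type": "any"}}
    return ["repo.%s.%s should be %r" % (s, k, want[(s, k)])
            for s, k in sorted(want) if repo.get(s, {}).get(k) != want[(s, k)]]

def bulk_insert_endpoint(conf):
    """(host, port) that ndnop-process-requests pushes certificates to."""
    tbi = conf["repo"]["tcp_bulk_insert"]
    return tbi["host"], int(tbi["port"])
```

On a real node, read /etc/ndn/repo-ng.conf instead of SAMPLE_CONF and probe the returned endpoint (for example with nc) to confirm repo-ng is accepting bulk inserts before processing requests.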

Updated by Davide Pesavento about 2 years ago · 6 revisions