Version 1 - History - Ndncert - NFD - NDN project issue tracking system

1

Alex Afanasyev

NDN Certification Framework (ndncert)

2

=======

3

4

## Prerequisites:

5

6

- ndn-cxx, NFD

7

8

        sudo apt-get install ndn-cxx ndn-cxx-dev NFD

9

10

- repo-ng with proper config

11

12

    Repo will hold/serve issued certificates for the site:

13

14

        sudo port install repo-ng

15

16

    Make sure that repo's config (`/etc/ndn/repo-ng.conf`) looks like the following (only repo.data needs to be changed, the rest should be the same).

17

18

        repo

19

20

          data

21

22

            prefix "ndn:/ndn/edu/ucla/KEY"

23

            ; prefix "ndn:/ndn/<site-name>/KEY"

24

25

26

          command

27

28

            prefix "ndn:/localhost/repo-ng"

29

30

31

          storage

32

33

            method "sqlite"             ; Currently, only sqlite storage engine is supported

34

            path "/var/lib/ndn/repo-ng"  ; path to repo-ng storage folder

35

36

37

          tcp_bulk_insert {

38

            host "localhost"  ; Set to listen on different IP address or hostname

39

            port 7376  ; Set to listen on different port number

40

41

42

          validator

43

44

            trust-anchor {

45

                type any

46

47

48

49

50

    Restart repo-ng after making changes to config file (or the system)

51

52

        sudo restart repo-ng

53

54

- Installed custom fork of PyNDN2 (! using python 2.7)

55

56

        git clone https://github.com/cawka/PyNDN2

57

        cd PyNDN2

58

        sudo python setup.py install

59

60

- ndnop-process-requests script installed somewhere in security operator's PATH

61

62

        sudo curl -L https://raw.githubusercontent.com/named-data/ndncert/master/ndnop-process-requests > /usr/local/bin/ndnop-process-requests

63

        sudo chmod +x /usr/local/bin/ndnop-process-requests

64

65

66

## Certificate generation

67

68

"Ideally", the procedure has to be done by the designated security operator himself.

69

Performing this procedure on testbed hub is just a "convenience" for the time being and at all signing "ideally" should be performed elsewhere.

70

71

NOTE: The following commands must be performed under a designated `ndncert` user.

72

If ssh logic is different, `sudo su - ndncert` must be used to switch to the account (! not just `sudo ndncert`).

73

74

1. Generate key pair and certification request:

75

76

        ndnsec-keygen /ndn/edu/<name>

77

78

    `<name>` is sometime like: wustl, colostate, umich, ...

79

80

    The output of this command is certification request.  If signing request needs to be recreated for the existing identity (one from the `ndnsec-ls-identity` list), the following command can be used:

81

82

        ndnsec-sign-req /ndn/edu/<name>

83

84

    Singing request should be sent to NDN trust root (Alex Afanasyev right now).

85

86

2. Root operator will return signed certificate (e.g., `umich.ndncert`).  Do the following with the file:

87

88

        ndnsec-install-cert <received-file>

89

90

91

92

## Security operator actions

93

94

95

When a user requests a certificate the operator gets an email alerting them and instructing them to run `ndnop-process-requests` on their node.

96

Operator just need to ssh to the node, `sudo su - ndncert`, and issue

97

98

    ndnop-process-requests

99

100

If there are pending requests, the script will guide the process to accept/reject.

101

When accepted, the certificate will be created, published to local repo (using `tcp-bulk-insert` protocol---make sure that `repo-ng` is running before `ndnop-process-requests` is run), and uploaded to WEB system for the user to download it.

Project

General

Profile

NFD

Ndncert » History » Version 1