Ndncert » History » Revision 2
« Previous |
Revision 2/6
(diff)
| Next »
Alex Afanasyev, 07/23/2014 01:46 PM
NDN Certification Framework (ndncert)¶
Prerequisites:¶
ndn-cxx, NFD
sudo apt-get install ndn-cxx ndn-cxx-dev nfd
repo-ng with proper config
Repo will hold/serve issued certificates for the site:
sudo apt-get install repo-ng
Make sure that repo's config (
/etc/ndn/repo-ng.conf
) looks like the following (only repo.data needs to be changed, the rest should be the same).repo { data { prefix "ndn:/ndn/edu/ucla/KEY" ; prefix "ndn:/ndn/<site-name>/KEY" } command { prefix "ndn:/localhost/repo-ng" } storage { method "sqlite" ; Currently, only sqlite storage engine is supported path "/var/lib/ndn/repo-ng" ; path to repo-ng storage folder } tcp_bulk_insert { host "localhost" ; Set to listen on different IP address or hostname port 7376 ; Set to listen on different port number } validator { trust-anchor { type any } } }
Restart repo-ng after making changes to config file (or the system)
sudo restart repo-ng
Installed custom fork of PyNDN2 (! using python 2.7)
git clone https://github.com/cawka/PyNDN2 cd PyNDN2 sudo python setup.py install
ndnop-process-requests script installed somewhere in security operator's PATH
sudo curl -L https://raw.githubusercontent.com/named-data/ndncert/master/ndnop-process-requests > /usr/local/bin/ndnop-process-requests sudo chmod +x /usr/local/bin/ndnop-process-requests
Certificate generation¶
"Ideally", the procedure has to be done by the designated security operator himself.
Performing this procedure on testbed hub is just a "convenience" for the time being and at all signing "ideally" should be performed elsewhere.
NOTE: The following commands must be performed under a designated ndncert
user.
If ssh logic is different, sudo su - ndncert
must be used to switch to the account (! not just sudo ndncert
).
Generate key pair and certification request:
ndnsec-keygen /ndn/edu/<name>
<name>
is sometime like: wustl, colostate, umich, ...The output of this command is certification request. If signing request needs to be recreated for the existing identity (one from the
ndnsec-ls-identity
list), the following command can be used:ndnsec-sign-req /ndn/edu/<name>
Singing request should be sent to NDN trust root (Alex Afanasyev right now).
Root operator will return signed certificate (e.g.,
umich.ndncert
). Do the following with the file:ndnsec-install-cert <received-file>
Security operator actions¶
When a user requests a certificate the operator gets an email alerting them and instructing them to run ndnop-process-requests
on their node.
Operator just need to ssh to the node, sudo su - ndncert
, and issue
ndnop-process-requests
If there are pending requests, the script will guide the process to accept/reject.
When accepted, the certificate will be created, published to local repo (using tcp-bulk-insert
protocol---make sure that repo-ng
is running before ndnop-process-requests
is run), and uploaded to WEB system for the user to download it.
Updated by Alex Afanasyev over 10 years ago · 6 revisions