Ndncert » History » Version 2

Alex Afanasyev, 07/23/2014 01:46 PM

NDN Certification Framework (ndncert)
=======

## Prerequisites:

- ndn-cxx, NFD

        sudo apt-get install ndn-cxx ndn-cxx-dev nfd

- repo-ng with proper config

    Repo will hold/serve issued certificates for the site:

        sudo apt-get install repo-ng

    Make sure that repo's config (`/etc/ndn/repo-ng.conf`) looks like the following (only `repo.data` needs to be changed, the rest should be the same).

        repo
        {
          data
          {
            prefix "ndn:/ndn/edu/ucla/KEY"
            ; prefix "ndn:/ndn/<site-name>/KEY"
          }

          command
          {
            prefix "ndn:/localhost/repo-ng"
          }

          storage
          {
            method "sqlite"             ; Currently, only sqlite storage engine is supported
            path "/var/lib/ndn/repo-ng"  ; path to repo-ng storage folder
          }

          tcp_bulk_insert {
            host "localhost"  ; Set to listen on different IP address or hostname
            port 7376  ; Set to listen on different port number
          }

          validator
          {
            trust-anchor {
                type any
            }
          }
        }

    Restart repo-ng (or the whole system) after making changes to the config file:

        sudo restart repo-ng

- Installed custom fork of PyNDN2 (! using python 2.7)

        git clone https://github.com/cawka/PyNDN2
        cd PyNDN2
        sudo python setup.py install

- ndnop-process-requests script installed somewhere in the security operator's PATH (the redirection has to run as root too, so wrap it in `sudo sh -c`):

        sudo sh -c 'curl -L https://raw.githubusercontent.com/named-data/ndncert/master/ndnop-process-requests > /usr/local/bin/ndnop-process-requests'
        sudo chmod +x /usr/local/bin/ndnop-process-requests

## Certificate generation

"Ideally", the procedure has to be done by the designated security operator himself.
Performing this procedure on a testbed hub is just a "convenience" for the time being; ideally, all signing should be performed elsewhere.

NOTE: The following commands must be performed under the designated `ndncert` user.
If the ssh login account is different, `sudo su - ndncert` must be used to switch to that account (! not just `sudo ndncert`).

1. Generate key pair and certification request:

        ndnsec-keygen /ndn/edu/<name>

    `<name>` is something like: wustl, colostate, umich, ...

    The output of this command is the certification request.  If a signing request needs to be recreated for an existing identity (one from the `ndnsec-ls-identity` list), the following command can be used:

        ndnsec-sign-req /ndn/edu/<name>

    The signing request should be sent to the NDN trust root (Alex Afanasyev right now).

2. The root operator will return a signed certificate (e.g., `umich.ndncert`).  Do the following with the file:

        ndnsec-install-cert <received-file>

## Security operator actions

When a user requests a certificate, the operator gets an email alerting them and instructing them to run `ndnop-process-requests` on their node.
The operator just needs to ssh to the node, `sudo su - ndncert`, and issue

    ndnop-process-requests

If there are pending requests, the script will guide the process to accept/reject them.
When a request is accepted, the certificate is created, published to the local repo (using the `tcp-bulk-insert` protocol; make sure that `repo-ng` is running before `ndnop-process-requests` is run), and uploaded to the WEB system for the user to download.
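A pre-flight check for the repo-ng prerequisites above, added here as an example and not part of ndncert: it parses the `repo-ng.conf` blocks shown earlier, checks that `repo.data.prefix` is `ndn:/ndn/<site>/KEY`, and confirms repo-ng is answering on the `tcp_bulk_insert` port before `ndnop-process-requests` is run. The config path, the `nc -z` probe and the `preflight` function name are assumptions; the sample config embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not ndncert code): pre-flight check to run before ndnop-process-requests.
# Verifies /etc/ndn/repo-ng.conf serves the site's KEY prefix and repo-ng accepts tcp_bulk_insert.
# repo_value CONF BLOCK KEY: value of KEY inside BLOCK {...}; quotes stripped,
# `;` comment lines ignored.
repo_value() {
    awk -v blk="$2" -v key="$3" '
        $1 == blk                { in_blk = 1; next }
        in_blk && $1 ~ /^;/      { next }
        in_blk && $1 == key      { gsub(/"/, "", $2); print $2; exit }
        in_blk && index($0, "}") { in_blk = 0 }
    ' "$1"
}
# check_repo_prefix CONF SITE (e.g. edu/ucla): prefix must be ndn:/ndn/SITE/KEY.
check_repo_prefix() {
    [ "$(repo_value "$1" data prefix)" = "ndn:/ndn/$2/KEY" ]
}
# bulk_insert_reachable CONF: listener on the configured host/port (needs nc(1)).
bulk_insert_reachable() {
    host=$(repo_value "$1" tcp_bulk_insert host)
    port=$(repo_value "$1" tcp_bulk_insert port)
    nc -z "${host:-localhost}" "${port:-7376}" >/dev/null 2>&1
}
# preflight SITE: run as the ndncert user; returns non-zero with a reason.
preflight() {
    conf=/etc/ndn/repo-ng.conf
    check_repo_prefix "$conf" "$1" ||
        { echo "repo.data.prefix in $conf is not ndn:/ndn/$1/KEY" >&2; return 1; }
    bulk_insert_reachable "$conf" ||
        { echo "repo-ng not accepting tcp_bulk_insert; start it first" >&2; return 1; }
    echo "repo-ng ready for ndnop-process-requests"
}
# Constructed sample config (the page's example, trimmed) for an offline check.
sample_config() {
    cat <<'EOF'
repo
{
  data
  {
    ; prefix "ndn:/ndn/<site-name>/KEY"
    prefix "ndn:/ndn/edu/ucla/KEY"
  }
  tcp_bulk_insert {
    host "localhost"  ; Set to listen on different IP address or hostname
    port 7376  ; Set to listen on different port number
  }
}
EOF
}
if [ $# -ge 1 ]; then preflight "$1"; fi
```

Run it as `sh preflight.sh edu/<name>` from the `ndncert` account; it exits non-zero and prints the reason when the prefix is wrong or repo-ng is not listening.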