Ndncert » History » Version 5
Alex Afanasyev, 07/27/2014 08:27 PM
1 | 1 | Alex Afanasyev | NDN Certification Framework (ndncert) |
---|---|---|---|
2 | ======= |
||
3 | |||
4 | ## Prerequisites: |
||
5 | |||
6 | - ndn-cxx, NFD |
||
7 | |||
8 | 2 | Alex Afanasyev | sudo apt-get install ndn-cxx ndn-cxx-dev nfd |
9 | 1 | Alex Afanasyev | |
10 | - repo-ng with proper config |
||
11 | |||
12 | Repo will hold/serve issued certificates for the site: |
||
13 | |||
14 | 2 | Alex Afanasyev | sudo apt-get install repo-ng |
15 | 1 | Alex Afanasyev | |
16 | Make sure that repo's config (`/etc/ndn/repo-ng.conf`) looks like the following (only repo.data needs to be changed, the rest should be the same). |
||
17 | |||
18 | repo |
||
19 | { |
||
20 | data |
||
21 | { |
||
22 | prefix "ndn:/ndn/edu/ucla/KEY" |
||
23 | ; prefix "ndn:/ndn/<site-name>/KEY" |
||
24 | } |
||
25 | |||
26 | command |
||
27 | { |
||
28 | prefix "ndn:/localhost/repo-ng" |
||
29 | } |
||
30 | |||
31 | storage |
||
32 | { |
||
33 | method "sqlite" ; Currently, only sqlite storage engine is supported |
||
34 | path "/var/lib/ndn/repo-ng" ; path to repo-ng storage folder |
||
35 | 3 | Alex Afanasyev | max-packets 1000000 |
36 | 1 | Alex Afanasyev | } |
37 | |||
38 | tcp_bulk_insert { |
||
39 | host "localhost" ; Set to listen on different IP address or hostname |
||
40 | port 7376 ; Set to listen on different port number |
||
41 | } |
||
42 | |||
43 | validator |
||
44 | { |
||
45 | trust-anchor { |
||
46 | type any |
||
47 | } |
||
48 | } |
||
49 | } |
||
50 | |||
51 | Restart repo-ng after making changes to config file (or the system) |
||
52 | |||
53 | sudo restart repo-ng |
||
54 | |||
55 | - Installed custom fork of PyNDN2 (! using python 2.7) |
||
56 | |||
57 | git clone https://github.com/cawka/PyNDN2 |
||
58 | cd PyNDN2 |
||
59 | sudo python setup.py install |
||
60 | |||
61 | - ndnop-process-requests script installed somewhere in security operator's PATH |
||
62 | |||
63 | sudo curl -L https://raw.githubusercontent.com/named-data/ndncert/master/ndnop-process-requests > /usr/local/bin/ndnop-process-requests |
||
64 | sudo chmod +x /usr/local/bin/ndnop-process-requests |
||
65 | |||
66 | ## Certificate generation |
||
67 | |||
68 | "Ideally", the procedure has to be done by the designated security operator himself. |
||
69 | Performing this procedure on testbed hub is just a "convenience" for the time being and at all signing "ideally" should be performed elsewhere. |
||
70 | |||
71 | NOTE: The following commands must be performed under a designated `ndncert` user. |
||
72 | If ssh logic is different, `sudo su - ndncert` must be used to switch to the account (! not just `sudo ndncert`). |
||
73 | |||
74 | 4 | Alex Afanasyev | ### Automated using ndncert |
75 | |||
76 | 1. Go to http://ndncert.named-data.net |
||
77 | |||
78 | 2. Enter `<site-name>@operators.named-data.net` as email. For example: |
||
79 | |||
80 | 5 | Alex Afanasyev | /ndn/edu/university@operators.named-data.net |
81 | 4 | Alex Afanasyev | |
82 | 3. Proceed to certificate request upload page (email verification is disabled for `operators.named-data.net` |
||
83 | |||
84 | 4. Install certificate using the command received from the NDN testbed root operator: |
||
85 | |||
86 | ndnsec-install-cert <received-URL> |
||
87 | |||
88 | ### Manually |
||
89 | |||
90 | 1 | Alex Afanasyev | 1. Generate key pair and certification request: |
91 | |||
92 | ndnsec-keygen /ndn/edu/<name> |
||
93 | |||
94 | `<name>` is sometime like: wustl, colostate, umich, ... |
||
95 | |||
96 | The output of this command is certification request. If signing request needs to be recreated for the existing identity (one from the `ndnsec-ls-identity` list), the following command can be used: |
||
97 | |||
98 | ndnsec-sign-req /ndn/edu/<name> |
||
99 | |||
100 | Singing request should be sent to NDN trust root (Alex Afanasyev right now). |
||
101 | |||
102 | 2. Root operator will return signed certificate (e.g., `umich.ndncert`). Do the following with the file: |
||
103 | |||
104 | ndnsec-install-cert <received-file> |
||
105 | |||
106 | ## Security operator actions |
||
107 | |||
108 | |||
109 | When a user requests a certificate the operator gets an email alerting them and instructing them to run `ndnop-process-requests` on their node. |
||
110 | Operator just need to ssh to the node, `sudo su - ndncert`, and issue |
||
111 | |||
112 | ndnop-process-requests |
||
113 | |||
114 | If there are pending requests, the script will guide the process to accept/reject. |
||
115 | When accepted, the certificate will be created, published to local repo (using `tcp-bulk-insert` protocol---make sure that `repo-ng` is running before `ndnop-process-requests` is run), and uploaded to WEB system for the user to download it. |