Revision 4 (Alex Afanasyev, 07/27/2014 08:27 PM) → Revision 5/6 (Alex Afanasyev, 07/27/2014 08:27 PM)
NDN Certification Framework (ndncert)
=======

## Prerequisites:

- ndn-cxx, NFD

  ```
  sudo apt-get install ndn-cxx ndn-cxx-dev nfd
  ```

- repo-ng with proper config

  The repo will hold/serve the issued certificates for the site:

  ```
  sudo apt-get install repo-ng
  ```

  Make sure that the repo's config (`/etc/ndn/repo-ng.conf`) looks like the following (only `repo.data` needs to be changed, the rest should be the same).

  ```
  repo
  {
    data
    {
      prefix "ndn:/ndn/edu/ucla/KEY" ; prefix "ndn:/ndn/<site-name>/KEY"
    }
    command
    {
      prefix "ndn:/localhost/repo-ng"
    }
    storage
    {
      method "sqlite"             ; Currently, only sqlite storage engine is supported
      path "/var/lib/ndn/repo-ng" ; path to repo-ng storage folder
      max-packets 1000000
    }
    tcp_bulk_insert {
      host "localhost"  ; Set to listen on different IP address or hostname
      port 7376         ; Set to listen on different port number
    }
    validator
    {
      trust-anchor
      {
        type any
      }
    }
  }
  ```

  Restart repo-ng after making changes to the config file (or the system):

  ```
  sudo restart repo-ng
  ```

- Installed custom fork of PyNDN2 (! using python 2.7)

  ```
  git clone https://github.com/cawka/PyNDN2
  cd PyNDN2
  sudo python setup.py install
  ```

- `ndnop-process-requests` script installed somewhere in the security operator's PATH (the download is piped through `sudo tee`, because a shell redirect after `sudo curl` would be opened by the unprivileged shell and fail to write into `/usr/local/bin`):

  ```
  curl -L https://raw.githubusercontent.com/named-data/ndncert/master/ndnop-process-requests | sudo tee /usr/local/bin/ndnop-process-requests > /dev/null
  sudo chmod +x /usr/local/bin/ndnop-process-requests
  ```

## Certificate generation

"Ideally", the procedure has to be done by the designated security operator himself. Performing this procedure on a testbed hub is just a "convenience" for the time being; all signing "ideally" should be performed elsewhere.

NOTE: The following commands must be performed under the designated `ndncert` user. If the ssh login is different, `sudo su - ndncert` must be used to switch to the account (! not just `sudo ndncert`).

### Automated using ndncert

1. Go to http://ndncert.named-data.net
2. Enter `<site-name>@operators.named-data.net` as email. For example: `/ndn/edu/university@operators.named-data.net`
3. Proceed to the certificate request upload page (email verification is disabled for `operators.named-data.net`)
4. Install the certificate using the command received from the NDN testbed root operator:

   ```
   ndnsec-install-cert <received-URL>
   ```

### Manually

1. Generate the key pair and certification request:

   ```
   ndnsec-keygen /ndn/edu/<name>
   ```

   `<name>` is something like: wustl, colostate, umich, ...

   The output of this command is the certification request. If the signing request needs to be recreated for an existing identity (one from the `ndnsec-ls-identity` list), the following command can be used:

   ```
   ndnsec-sign-req /ndn/edu/<name>
   ```

   The signing request should be sent to the NDN trust root (Alex Afanasyev right now).

2. The root operator will return the signed certificate (e.g., `umich.ndncert`). Do the following with the file:

   ```
   ndnsec-install-cert <received-file>
   ```

## Security operator actions

When a user requests a certificate, the operator gets an email alerting them and instructing them to run `ndnop-process-requests` on their node. The operator just needs to ssh to the node, `sudo su - ndncert`, and issue

```
ndnop-process-requests
```

If there are pending requests, the script will guide the process to accept/reject. When accepted, the certificate will be created, published to the local repo (using the `tcp-bulk-insert` protocol; make sure that `repo-ng` is running before `ndnop-process-requests` is run), and uploaded to the WEB system for the user to download.
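A preflight script for the operator steps above, added here as an example that is not part of ndncert, repo-ng or this wiki page. It checks the three things that silently break the flow: that the session really is the `ndncert` account (not a plain `sudo ndncert`), that `/etc/ndn/repo-ng.conf` carries the site's `KEY` prefix under `repo.data` with `sqlite` storage, and that repo-ng is accepting `tcp_bulk_insert` connections on the configured port before `ndnop-process-requests` is run. The function names, the `--run` flag and the embedded sample config are assumptions of this example.

```shell
#!/bin/sh
# Preflight checks before a security operator runs ndnop-process-requests.
# Added example, not part of ndncert or repo-ng; function names, the --run
# flag and the sample config below are assumptions.

# repo-ng config comments run from ';' to end of line. Strip them first so a
# commented-out template prefix such as '; prefix "ndn:/ndn/<site-name>/KEY"'
# is never mistaken for an active one.
strip_comments() {
    sed 's/;.*$//' "$1"
}

# 0 if the data section carries the site's KEY prefix, e.g.
#   check_repo_prefix /etc/ndn/repo-ng.conf /ndn/edu/ucla
check_repo_prefix() {
    strip_comments "$1" | grep -q "prefix[[:space:]]*\"ndn:$2/KEY\""
}

# 0 if storage.method is sqlite, the only engine repo-ng currently supports.
check_storage_method() {
    strip_comments "$1" | grep -q 'method[[:space:]]*"sqlite"'
}

# Print the tcp_bulk_insert port from the config (first "port" key wins).
bulk_insert_port() {
    strip_comments "$1" | awk '$1 == "port" { print $2; exit }'
}

# 0 if the account (argument, or the current user) is the ndncert user the
# page requires; a plain 'sudo ndncert' would not get you there.
check_user() {
    [ "${1:-$(id -un)}" = "ndncert" ]
}

# 0 if repo-ng is accepting tcp_bulk_insert connections; ndnop-process-requests
# publishes the issued certificate over that port, so it must be up first.
check_repo_listening() {
    if command -v nc >/dev/null 2>&1; then
        nc -z "${1:-localhost}" "${2:-7376}" >/dev/null 2>&1
    else
        echo "nc not found; check port ${2:-7376} manually" >&2
        return 2
    fi
}

# Run every check against a config file and site prefix; 0 only if all pass.
preflight() {
    conf=$1; site=$2; rc=0
    check_user || { echo "FAIL: not running as ndncert"; rc=1; }
    check_repo_prefix "$conf" "$site" || { echo "FAIL: no $site/KEY prefix in $conf"; rc=1; }
    check_storage_method "$conf" || { echo "FAIL: storage.method is not sqlite"; rc=1; }
    check_repo_listening localhost "$(bulk_insert_port "$conf")" \
        || { echo "FAIL: repo-ng is not listening for tcp_bulk_insert"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: safe to run ndnop-process-requests"
    return "$rc"
}

# Constructed sample config for trying the checks without a live system; it
# follows the /etc/ndn/repo-ng.conf layout with the UCLA site prefix filled in.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
repo
{
  data
  {
    prefix "ndn:/ndn/edu/ucla/KEY" ; prefix "ndn:/ndn/<site-name>/KEY"
  }
  storage
  {
    method "sqlite" ; Currently, only sqlite storage engine is supported
    path "/var/lib/ndn/repo-ng"
    max-packets 1000000
  }
  tcp_bulk_insert {
    host "localhost"
    port 7376
  }
}
EOF

# Usage on a real hub: sh preflight.sh --run /etc/ndn/repo-ng.conf /ndn/edu/<name>
if [ "${1:-}" = "--run" ]; then
    preflight "$2" "$3"
fi
```

Run it as `sh preflight.sh --run /etc/ndn/repo-ng.conf /ndn/edu/<name>` from the `ndncert` account; without `--run` it only defines the functions and writes the sample config, so the individual checks can be exercised one at a time against that file.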