Ndncert » History » Version 6
Davide Pesavento, 01/03/2023 02:26 AM
| 1 | 6 | Davide Pesavento | # NDN Certification Framework (ndncert) |
|---|---|---|---|
| 2 | 1 | Alex Afanasyev | |
| 3 | 6 | Davide Pesavento | > NOTE: This document is **obsolete**. Please see <https://github.com/named-data/ndncert> for the latest version of NDNCERT. |
| 4 | |||
| 5 | ## Prerequisites |
||
| 6 | 1 | Alex Afanasyev | |
| 7 | - ndn-cxx, NFD |
||
| 8 | |||
| 9 | 2 | Alex Afanasyev | sudo apt-get install ndn-cxx ndn-cxx-dev nfd |
| 10 | 1 | Alex Afanasyev | |
| 11 | - repo-ng with proper config |
||
| 12 | |||
| 13 | Repo will hold/serve issued certificates for the site: |
||
| 14 | |||
| 15 | 2 | Alex Afanasyev | sudo apt-get install repo-ng |
| 16 | 1 | Alex Afanasyev | |
| 17 | Make sure that repo's config (`/etc/ndn/repo-ng.conf`) looks like the following (only repo.data needs to be changed, the rest should be the same). |
||
| 18 | |||
| 19 | repo |
||
| 20 | { |
||
| 21 | data |
||
| 22 | { |
||
| 23 | prefix "ndn:/ndn/edu/ucla/KEY" |
||
| 24 | ; prefix "ndn:/ndn/<site-name>/KEY" |
||
| 25 | } |
||
| 26 | |||
| 27 | command |
||
| 28 | { |
||
| 29 | prefix "ndn:/localhost/repo-ng" |
||
| 30 | } |
||
| 31 | |||
| 32 | storage |
||
| 33 | { |
||
| 34 | method "sqlite" ; Currently, only sqlite storage engine is supported |
||
| 35 | path "/var/lib/ndn/repo-ng" ; path to repo-ng storage folder |
||
| 36 | 3 | Alex Afanasyev | max-packets 1000000 |
| 37 | 1 | Alex Afanasyev | } |
| 38 | |||
| 39 | tcp_bulk_insert { |
||
| 40 | host "localhost" ; Set to listen on different IP address or hostname |
||
| 41 | port 7376 ; Set to listen on different port number |
||
| 42 | } |
||
| 43 | |||
| 44 | validator |
||
| 45 | { |
||
| 46 | trust-anchor { |
||
| 47 | type any |
||
| 48 | } |
||
| 49 | } |
||
| 50 | } |
||
| 51 | |||
| 52 | Restart repo-ng after making changes to config file (or the system) |
||
| 53 | |||
| 54 | sudo restart repo-ng |
||
| 55 | |||
| 56 | - Installed custom fork of PyNDN2 (! using python 2.7) |
||
| 57 | |||
| 58 | git clone https://github.com/cawka/PyNDN2 |
||
| 59 | cd PyNDN2 |
||
| 60 | sudo python setup.py install |
||
| 61 | |||
| 62 | - ndnop-process-requests script installed somewhere in security operator's PATH |
||
| 63 | |||
| 64 | sudo curl -L https://raw.githubusercontent.com/named-data/ndncert/master/ndnop-process-requests > /usr/local/bin/ndnop-process-requests |
||
| 65 | sudo chmod +x /usr/local/bin/ndnop-process-requests |
||
| 66 | |||
| 67 | ## Certificate generation |
||
| 68 | |||
| 69 | "Ideally", the procedure has to be done by the designated security operator himself. |
||
| 70 | Performing this procedure on testbed hub is just a "convenience" for the time being and at all signing "ideally" should be performed elsewhere. |
||
| 71 | |||
| 72 | NOTE: The following commands must be performed under a designated `ndncert` user. |
||
| 73 | If ssh logic is different, `sudo su - ndncert` must be used to switch to the account (! not just `sudo ndncert`). |
||
| 74 | |||
| 75 | 4 | Alex Afanasyev | ### Automated using ndncert |
| 76 | |||
| 77 | 1. Go to http://ndncert.named-data.net |
||
| 78 | |||
| 79 | 2. Enter `<site-name>@operators.named-data.net` as email. For example: |
||
| 80 | |||
| 81 | 5 | Alex Afanasyev | /ndn/edu/university@operators.named-data.net |
| 82 | 4 | Alex Afanasyev | |
| 83 | 3. Proceed to certificate request upload page (email verification is disabled for `operators.named-data.net` |
||
| 84 | |||
| 85 | 4. Install certificate using the command received from the NDN testbed root operator: |
||
| 86 | |||
| 87 | ndnsec-install-cert <received-URL> |
||
| 88 | |||
| 89 | ### Manually |
||
| 90 | |||
| 91 | 1 | Alex Afanasyev | 1. Generate key pair and certification request: |
| 92 | |||
| 93 | ndnsec-keygen /ndn/edu/<name> |
||
| 94 | |||
| 95 | `<name>` is sometime like: wustl, colostate, umich, ... |
||
| 96 | |||
| 97 | The output of this command is certification request. If signing request needs to be recreated for the existing identity (one from the `ndnsec-ls-identity` list), the following command can be used: |
||
| 98 | |||
| 99 | ndnsec-sign-req /ndn/edu/<name> |
||
| 100 | |||
| 101 | Singing request should be sent to NDN trust root (Alex Afanasyev right now). |
||
| 102 | |||
| 103 | 2. Root operator will return signed certificate (e.g., `umich.ndncert`). Do the following with the file: |
||
| 104 | |||
| 105 | ndnsec-install-cert <received-file> |
||
| 106 | |||
| 107 | ## Security operator actions |
||
| 108 | |||
| 109 | |||
| 110 | When a user requests a certificate the operator gets an email alerting them and instructing them to run `ndnop-process-requests` on their node. |
||
| 111 | Operator just need to ssh to the node, `sudo su - ndncert`, and issue |
||
| 112 | |||
| 113 | ndnop-process-requests |
||
| 114 | |||
| 115 | If there are pending requests, the script will guide the process to accept/reject. |
||
| 116 | When accepted, the certificate will be created, published to local repo (using `tcp-bulk-insert` protocol---make sure that `repo-ng` is running before `ndnop-process-requests` is run), and uploaded to WEB system for the user to download it. |