IST-2006-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America
Review Installation: OpenCA ULAGrid Certification Authority
Vanessa Hamar, Universidad de Los Andes – Merida, Venezuela
5th F2F, Banff, 17/07/2007
Overview
CA (offline)
–Requirements
–Web Server Installation
–Database Installation
–CA installation
–CA Configuration
RA (online)
–Requirements
–RA Installation
–RA Configuration
Dataexchange
Tips
CA
Introduction
The installation was done using:
–OpenCA 0.9.2.5
–Debian stable (built from jigdo)
–Linux ra 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
Requirements
Packages: gcc g++ perl
–Perl modules: libcgi-session-perl libxml-parser-perl libauthen-sasl-perl libconvert-asn1-perl libdigest-hmac-perl libdigest-sha1-perl libintl-perl libio-socket-ssl-perl libio-stringy-perl libmime-lite-perl libmime-perl libmailtools-perl libnet-server-perl libnet-ldap-perl libparse-recdescent-perl libx500-dn-perl libxml-twig-perl libdbd-pg-perl libdbi-perl libpg-perl
Web Server Installation
apache2
–libssl-dev
–a2dismod userdir
–a2dismod cgid
–a2enmod cgi
–a2enmod ssl
–a2ensite default-443
Configuration
Make a directory to hold your certificates, for example /etc/apache2/ssl
Create your certificate:
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Edit /etc/apache2/ports.conf:
Listen 80
Listen 443
Note: make-ssl-cert writes a self-signed certificate and its private key into the same file. It is only a bootstrap credential: keep apache.pem readable by root only (Apache reads it before dropping privileges) and replace it with a server certificate issued by the CA once the CA is initialized.
Web Server Installation (continued)
Edit /etc/apache2/sites-available/default:
NameVirtualHost *:80
Copy the configuration file:
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-443
Edit /etc/apache2/sites-available/default-443 and add:
NameVirtualHost *:443
…
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLOptions +StdEnvVars
Make a link and restart:
ln -s /etc/apache2/sites-available/default-443 /etc/apache2/sites-enabled/000-default-443
/etc/init.d/apache2 restart
SSLOptions +StdEnvVars is what exports the SSL_CLIENT_* variables to the OpenCA CGIs; without it the certificate-based role checks never see the operator's client certificate.
Database installation
Add the openca user and group:
ca:~# groupadd -g 1555 openca
ca:~# useradd -u 1555 -g openca -m -s /bin/bash -c "OpenCA user" openca
Install postgresql:
ca:~# apt-get install postgresql
Create the database user:
ca:~# su - postgres
postgres@ca:~$ createuser -A -d -P -E openca
Enter password for new user:
Enter it again:
CREATE USER
Create the database as the openca user:
ca:~# su - openca
openca@ca:~$ createdb -E utf8 -O openca -W openca
Password:
CREATE DATABASE
openca@ca:~$ exit
logout
-A denies the new role the right to create other roles; -d grants CREATEDB, which is needed only for the createdb step and can be revoked afterwards (ALTER ROLE openca NOCREATEDB) so the web-facing database account keeps the least privilege it needs.
CA installation
Download the source and build it (check the tarball against the checksum or signature published with the release first: this code will hold the CA key):
ca:/usr/local/src# tar xvzf openca-0.9.2.5.tar.gz
ca:/usr/local/src# cd OpenCA-0.9.2.5/
Configure:
ca:/usr/local/src/OpenCA-0.9.2.5# ./configure --with-openca-user=openca --with-openca-group=openca --with-web-host=ra.cecalc.ula.ve --with-httpd-user=www-data --with-httpd-group=www-data --with-cgi-fs-prefix=/usr/lib/cgi-bin --with-htdocs-fs-prefix=/var/www --with-openca-prefix=/usr/local/openca/ca --with-etc-prefix=/usr/local/openca/ca/etc --with-module-prefix=/usr/local/openca/ca/modules --disable-external-modules --enable-dbi --enable-rbac
ca:/usr/local/src/OpenCA-0.9.2.5# make
ca:/usr/local/src/OpenCA-0.9.2.5# make install-common
ca:/usr/local/src/OpenCA-0.9.2.5# make install-offline
CA configuration
Edit config.xml and change the values:
ca:/usr/local/openca/ca/etc# cp config.xml config.xml.orig
ca:/usr/local/openca/ca/etc# vi config.xml
ca:/usr/local/openca/ca/etc# diff -Naur config.xml.orig config.xml
--- config.xml.orig2007-03-02 16:16:47.000000000 -0400 +++ config.xml2007-03-02 16:17:33.000000000 -0400 @@ -55,7 +55,7 @@ strings in national languages here. --> ca_organization - + CeCalCULA <!-- @@ -63,7 +63,7 @@ strings in national languages here. --> ca_locality - + Universidad de Los Andes
<!-- @@ -72,7 +72,7 @@ this country code is ALWAYS two characters long --> ca_country - + VE sendmail @@ -84,7 +84,7 @@ service_mail_account - + ca@cecalc.ula.ve policy_link
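Review bot: the service_mail_account change in the last hunk (next to the sendmail setting) only has an effect on the online RA; this config.xml belongs to the CA, which the overview declares offline, so mail from this node will never leave it. The identity values set in the earlier hunks (ca_organization, ca_locality, ca_country) must match the RA's config.xml hunk later in the deck exactly, since both nodes derive subject DNs from them.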
OpenCA configuration
In config.xml, in the section below the 'dataexchange configuration' line, change:
–dataexchange_device_up: replace /dev/fd0 by /usr/local/openca/ca/var/tmp/ca-up
–dataexchange_device_down: replace /dev/fd0 by /usr/local/openca/ca/var/tmp/ca-down
–dataexchange_device_local: replace /dev/fd0 by /usr/local/openca/ca/var/tmp/ra-local
Create the empty files for dataexchange:
–touch $OPENCA_HOME/ca/var/tmp/ca-up
–touch $OPENCA_HOME/ca/var/tmp/ca-down
–touch $OPENCA_HOME/ca/var/tmp/ra-local
–chown www-data:www-data $OPENCA_HOME/ca/var/tmp/*
Replacing the floppy device with plain files does not remove the air gap: the CA stays offline, so ca-down still has to be carried to the RA on removable media.
CA configuration
Edit ca.conf.template:
ca:/usr/local/openca/ca/etc/servers# vi ca.conf.template
ca:/usr/local/openca/ca/etc/servers# diff -Naur ca.conf.template.orig ca.conf.template
--- ca.conf.template.orig2007-03-02 16:18:50.000000000 -0400 +++ ca.conf.template2007-03-02 16:19:30.000000000 -0400 @@ -227,7 +227,7 @@ SET_REQUEST_SERIAL_IN_DN "N" REQUEST_SERIAL_NAME "sn" -SET_CERTIFICATE_SERIAL_IN_DN "Y" +SET_CERTIFICATE_SERIAL_IN_DN "N" CERTIFICATE_SERIAL_NAME "serialNumber" DN_WITHOUT_EMAIL "Y"
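Review bot: SET_CERTIFICATE_SERIAL_IN_DN "Y" -> "N" removes the serialNumber component OpenCA would otherwise add to every subject DN, so two subscribers with the same name now receive identical DNs; the RA's vetting procedure has to guarantee DN uniqueness instead. The CERTIFICATE_SERIAL_NAME and DN_WITHOUT_EMAIL context lines are correctly left untouched by this change.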
CA configuration
Edit loa.xml to make sure CPS.1 points to the correct CPS location:
–sed -i 's|http://some.url.org/cps|http://ra.cecalc.ula.ve/pub/cps.html|g' \
  /usr/local/openca/ca/etc/loa.xml
Change the cps number: 1.2.3.1 1.2.3.3.5 @psec
The CPS URL and policy OID end up in the certificatePolicies extension of every issued certificate, so they must be the values registered in your CP/CPS.
CA configuration
Change the password for the root login:
/usr/local/openca/ca/bin/openca-digest sha1 'mypasswd'
cd /usr/local/openca/ca/etc/access_control
grep -li ' ' *.template
For each template that matches:
sed -i 's|<current digest>|<new digest>|g' \
  /usr/local/openca/ca/etc/access_control/xxx.template
The .template files are the source of the generated access-control files, so rerun configure_etc.sh afterwards. Typing the password on the openca-digest command line leaves it in the shell history; clear the history (or prefix the command with a space under HISTCONTROL=ignorespace).
CA configuration
Edit the files in /usr/local/openca/ca/etc/openssl/extfiles/ using the certificate profiles defined in your CP/CPS.
Example, /usr/local/openca/ca/etc/openssl/extfiles/User.ext.template (the template's nsCertType = objsign becomes nsCertType = client, email):
–nsCertType = client, email
–keyUsage = critical,nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
–extendedKeyUsage = clientAuth, emailProtection, timeStamping, 1.3.6.1.4.1.19286.2.2.2.0.1.3
–nsComment = "Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela"
A user profile must not keep objsign (or any CA-type nsCertType), and keyUsage should stay critical so relying parties that do not understand it reject the certificate instead of ignoring the restriction.
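Added example (shell), not part of the slides or of OpenCA: a small lint for an extension template such as User.ext.template. It reads the OpenSSL "key = value" lines shown above and flags what a user/client profile should not carry: a keyUsage that is not critical, the CA-only bits keyCertSign and cRLSign, nsCertType objsign or any server/CA type, serverAuth or codeSigning in extendedKeyUsage, and a key defined twice (OpenSSL keeps the last definition). The two templates it runs on are constructed for the example; the "before" state is assumed to be the objsign profile the slide replaces.

```shell
#!/bin/sh
# Added example, not from the slides or from OpenCA.
# Lints an OpenSSL extension template (key = value lines) for settings that a
# user/client certificate profile must not carry. The fixtures are constructed.

# ext_get FILE KEY -> value of KEY with surrounding blanks stripped
# (last definition wins, matching OpenSSL's config parser)
ext_get() {
    awk -F= -v k="$2" '
        $1 ~ ("^[ \t]*" k "[ \t]*$") { v = $0; sub(/^[^=]*=[ \t]*/, "", v); val = v }
        END { print val }' "$1"
}

# ext_has FILE KEY TOKEN -> true if TOKEN is one of KEY's comma-separated values
ext_has() {
    ext_get "$1" "$2" | tr -d '[:blank:]' | tr ',' '\n' | grep -qxF "$3"
}

# check_user_ext FILE -> one line per finding; returns 1 if anything was found
check_user_ext() {
    f=$1 rc=0
    case "$(ext_get "$f" keyUsage)" in
        critical,*) ;;
        *) echo "keyUsage is not marked critical"; rc=1 ;;
    esac
    for bit in keyCertSign cRLSign; do
        ext_has "$f" keyUsage "$bit" && { echo "keyUsage carries CA-only bit $bit"; rc=1; }
    done
    for t in objsign server sslCA emailCA objCA; do
        ext_has "$f" nsCertType "$t" && { echo "nsCertType grants $t to a user certificate"; rc=1; }
    done
    for t in serverAuth codeSigning; do
        ext_has "$f" extendedKeyUsage "$t" && { echo "extendedKeyUsage grants $t to a user certificate"; rc=1; }
    done
    for k in keyUsage nsCertType extendedKeyUsage; do
        n=$(grep -c "^[[:space:]]*$k[[:space:]]*=" "$f" || true)
        [ "$n" -gt 1 ] && { echo "$k defined $n times (OpenSSL keeps the last one)"; rc=1; }
    done
    return $rc
}

# make_ext_fixtures -> prints a temp dir with two constructed templates
make_ext_fixtures() {
    d=$(mktemp -d)
    # assumed "before" state: object-signing profile, keyUsage not critical
    cat > "$d/before.ext" <<'EOF'
nsCertType = objsign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection, codeSigning
EOF
    # the user profile as edited on the slide
    cat > "$d/after.ext" <<'EOF'
nsCertType = client, email
keyUsage = critical,nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, emailProtection, timeStamping, 1.3.6.1.4.1.19286.2.2.2.0.1.3
nsComment = "Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela"
EOF
    echo "$d"
}
```

Run it as `d=$(make_ext_fixtures); check_user_ext "$d/before.ext"` to see the three findings, and on after.ext to see it pass; the same function can be pointed at every *.ext.template under extfiles/ before configure_etc.sh is run.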
CA configuration
Configure and start the service:
$OPENCA_HOME/ca/etc/configure_etc.sh
cp $OPENCA_HOME/ca/etc/openca_rc /etc/init.d/
/etc/init.d/openca_rc start
CA Initialization
Go to http://localhost/ca and follow the links:
General Initialization, Phase I (Initialize the Certification Authority)
–Initialize Database
–Generate new CA secret key
–Generate new CA Certificate Request (use generated secret key)
–Self Signed CA Certificate (from already generated request) (accept defaults)
–Rebuild CA Chain
The CA secret key generated here is the root of the whole hierarchy: take the key length and validity from your CP/CPS rather than the defaults, and keep its passphrase off this machine except when signing.
CA Initialization
General Initialization, Phase II (Create the initial administrator)
–Create a new request (fill in the form and generate the CSR for the CA Administrator)
–Edit the request (optional)
–Issue the certificate
–Handle the certificate: Certificate and Keypair, PKCS#12, click Download
–Import into the browser, then restart the browser
The PKCS#12 file is the administrator's private key; delete the downloaded copy after importing it.
CA Initialization
General Initialization, Phase III (Create the initial RA certificate)
–Create a new request (fill in the form; change Role to RA Operator; generate the CSR for the RA Operator)
–Edit the request
–Issue the certificate
–Handle the certificate: Download
–Import into the browser
RA
RA installation
Follow the same steps to install the operating system, apache2, postgresql and the requirements. Install openssh and close the ports you do not want to use: the RA is the online node, so leave only 443 (and 80 for the public pages such as the CPS and CRL) reachable from the network, and restrict SSH to administrative hosts.
RA installation
Install OpenCA:
–adminra@ra:/usr/local/src/OpenCA-0.9.2.5$ ./configure --with-openca-user=openca --with-openca-group=openca --with-web-host=ra.cecalc.ula.ve --with-httpd-user=www-data --with-httpd-group=www-data --with-cgi-fs-prefix=/usr/lib/cgi-bin --with-htdocs-fs-prefix=/var/www --with-openca-prefix=/usr/local/openca/ra --with-etc-prefix=/usr/local/openca/ra/etc --with-module-prefix=/usr/local/openca/ra/modules --disable-external-modules --enable-dbi --enable-rbac
–adminra@ra:/usr/local/src/OpenCA-0.9.2.5$ make
–adminra@ra:/usr/local/src/OpenCA-0.9.2.5$ make install-common
–adminra@ra:/usr/local/src/OpenCA-0.9.2.5$ make install-online
RA Configuration
ra:/usr/local/src/OpenCA-0.9.2.5$ cd /usr/local/openca/ra/etc
ra:/usr/local/openca/ra/etc$ cp config.xml config.xml.orig
ra:/usr/local/openca/ra/etc$ vi config.xml
ra:/usr/local/openca/ra/etc$ diff -Nuar config.xml.orig config.xml
--- config.xml.orig2007-03-01 16:24:37.000000000 -0400 +++ config.xml2007-03-01 16:26:54.000000000 -0400 @@ -55,7 +55,7 @@ strings in national languages here. --> ca_organization - + CeCalCULA
strings in national languages here. --> ca_locality - + Universidad de Los Andes <!-- @@ -72,7 +72,7 @@ this country code is ALWAYS two characters long --> ca_country - + VE sendmail @@ -84,7 +84,7 @@ service_mail_account - + ca@cecalc.ula.ve policy_link
RA Configuration
–cd servers
–ra$ cp ra.conf.template ra.conf.template.orig
–ra$ vi ra.conf.template
–ra$ diff -Naur ra.conf.template.orig ra.conf.template
--- ra.conf.template.orig2007-03-01 16:28:13.000000000 -0400 +++ ra.conf.template2007-03-01 16:29:11.000000000 -0400 @@ -190,7 +190,7 @@ SET_REQUEST_SERIAL_IN_DN "N" REQUEST_SERIAL_NAME "sn" -SET_CERTIFICATE_SERIAL_IN_DN "Y" +SET_CERTIFICATE_SERIAL_IN_DN "N" CERTIFICATE_SERIAL_NAME "serialNumber" DN_WITHOUT_EMAIL "YES"
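Review bot: this mirrors the CA-side ca.conf.template change, as it must, but the unchanged context line reads DN_WITHOUT_EMAIL "YES" here while the CA hunk shows "Y"; confirm both spellings are accepted, or set the two templates identically, since the RA and CA must compose the subject DN the same way.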
RA Configuration
Edit loa.xml to make sure CPS.1 points to the correct CPS location:
–sed -i 's|http://some.url.org/cps|http://ra.cecalc.ula.ve/pub/cps.html|g' \
  /usr/local/openca/ra/etc/loa.xml
Change the cps number: 1.2.3.1 1.2.3.3.5 @psec
This file must be identical to the one on the CA machine.
RA Configuration
Create the empty files for dataexchange:
–touch $OPENCA_HOME/ra/var/tmp/ca-down
–touch $OPENCA_HOME/ra/var/tmp/ra-down
–touch $OPENCA_HOME/ra/var/tmp/ra-local
–chown www-data:www-data $OPENCA_HOME/ra/var/tmp/*
Change the values in config.xml:
–dataexchange_device_up: replace /dev/fd0 by /usr/local/openca/ra/var/tmp/ca-down
–dataexchange_device_down: replace /dev/fd0 by /usr/local/openca/ra/var/tmp/ra-down
–dataexchange_device_local: replace /dev/fd0 by /usr/local/openca/ra/var/tmp/ra-local
The RA's "up" channel is the CA's export (ca-down) and its "down" channel is what goes back up to the CA (ra-down); both files travel between the offline CA and the online RA on removable media, which is what the /dev/fd0 default stood for.
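Added example (shell) covering both the CA dataexchange slide and this RA one; it is not part of the slides or of OpenCA. It creates the exchange files for either node and points the three dataexchange_device_* options in config.xml at them, failing loudly if an option name is not present. The <option><name>…</name><value>…</value></option> layout of config.xml is assumed from the slides' wording ("replace /dev/fd0 by …") and the sample file is constructed; check it against your real config.xml. The slides' chown www-data:www-data is left out because it needs root; run it afterwards so the CGIs can read and write the files.

```shell
#!/bin/sh
# Added example, not from the slides or from OpenCA.
# Creates dataexchange files and rewrites the dataexchange_device_* options.
# The name/value option layout of config.xml is an assumption (see lead-in).

# set_option FILE NAME VALUE
# Rewrites the <value> that follows <name>NAME</name>; fails if NAME is absent
# so a mistyped option name is caught instead of silently ignored.
set_option() {
    file=$1 name=$2 value=$3
    grep -q "<name>$name</name>" "$file" || { echo "no option $name in $file" >&2; return 1; }
    awk -v n="$name" -v v="$value" '
        $0 ~ ("<name>" n "</name>") { hit = 1 }
        hit && /<value>/ { sub(/<value>[^<]*<[/]value>/, "<value>" v "</value>"); hit = 0 }
        { print }' "$file" > "$file.new" && mv "$file.new" "$file"
}

# get_option FILE NAME -> prints the current value (used to verify the rewrite)
get_option() {
    awk -v n="$2" '
        $0 ~ ("<name>" n "</name>") { hit = 1 }
        hit && /<value>/ { sub(/.*<value>/, ""); sub(/<[/]value>.*/, ""); print; exit }' "$1"
}

# setup_dataexchange ROLE HOME
# ROLE is ca or ra, HOME is the OpenCA prefix. Mapping from the slides: the
# CA's "down" channel and the RA's "up" channel are the same file (ca-down),
# carried between the offline CA and the online RA on removable media.
setup_dataexchange() {
    role=$1 home=$2
    tmp=$home/$role/var/tmp
    case $role in
        ca) up=ca-up;   down=ca-down; loc=ra-local ;;
        ra) up=ca-down; down=ra-down; loc=ra-local ;;
        *)  echo "role must be ca or ra" >&2; return 1 ;;
    esac
    mkdir -p "$tmp"
    for f in $up $down $loc; do
        : > "$tmp/$f"        # same effect as touch
        chmod 600 "$tmp/$f"  # exchange files carry CA data; no world access
    done
    cfg=$home/$role/etc/config.xml
    set_option "$cfg" dataexchange_device_up    "$tmp/$up"   &&
    set_option "$cfg" dataexchange_device_down  "$tmp/$down" &&
    set_option "$cfg" dataexchange_device_local "$tmp/$loc"
}

# make_config ROLE -> prints a temporary prefix holding a constructed
# config.xml fragment with the three options still set to /dev/fd0
make_config() {
    d=$(mktemp -d)
    mkdir -p "$d/$1/etc"
    cat > "$d/$1/etc/config.xml" <<'EOF'
<openca_config>
  <!-- dataexchange configuration (constructed sample, not a real OpenCA file) -->
  <option><name>dataexchange_device_up</name><value>/dev/fd0</value></option>
  <option><name>dataexchange_device_down</name><value>/dev/fd0</value></option>
  <option><name>dataexchange_device_local</name><value>/dev/fd0</value></option>
</openca_config>
EOF
    echo "$d"
}
```

On a real node run `setup_dataexchange ra /usr/local/openca` (or `ca`) as the openca user, then the slides' chown as root; `get_option /usr/local/openca/ra/etc/config.xml dataexchange_device_up` shows what the CGIs will read.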
RA Configuration
Change the password for the root login:
/usr/local/openca/ra/bin/openca-digest sha1 'mypasswd'
cd /usr/local/openca/ra/etc/access_control
grep -li ' ' *.template
For each template that matches:
sed -i 's|<current digest>|<new digest>|g' \
  /usr/local/openca/ra/etc/access_control/xxx.template
As on the CA, edit the .template files and rerun configure_etc.sh; do not reuse the CA's root password on the online node.
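Added example (shell) for the password step on this slide and the CA one before it; it is not part of the slides or of OpenCA. It replaces the digest of the current web-login password with the digest of a new one across all *.template files, refusing to run if the current digest is not found (a mistyped current password would otherwise leave the old credential in place) and verifying afterwards that the old digest is gone. openca-digest is not available here, so sha1sum stands in for it under the assumption that `openca-digest sha1` prints the plain hex SHA-1 of its argument; verify that on your install. The template files and their <passwd> element are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the slides or from OpenCA.
# Rotates the SHA-1 password digest stored in access_control templates.
# Assumption: `openca-digest sha1 PASSWORD` == hex SHA-1 of PASSWORD (sha1sum here).
# The <passwd> element in the fixtures is constructed; check the real templates.

# sha1_digest STRING -> hex SHA-1 (stand-in for openca-digest sha1)
sha1_digest() {
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
}

# rotate_passwd DIR OLD_PASSWORD NEW_PASSWORD -> prints number of files changed
rotate_passwd() {
    dir=$1; old=$(sha1_digest "$2"); new=$(sha1_digest "$3")
    files=$(grep -li "$old" "$dir"/*.template 2>/dev/null || true)
    [ -n "$files" ] || { echo "current digest not found in $dir" >&2; return 1; }
    n=0
    for f in $files; do
        sed -i "s|$old|$new|g" "$f"   # hex digests contain no sed metacharacters
        n=$((n + 1))
    done
    # post-condition: the old digest must be gone from every template
    if grep -qi "$old" "$dir"/*.template; then
        echo "old digest still present after rewrite" >&2; return 1
    fi
    echo "$n"
}

# make_fixture -> temp dir with two templates sharing the default digest
# and one unrelated template that must stay untouched (all constructed)
make_fixture() {
    d=$(mktemp -d)
    for name in ca ra; do
        printf '<role><name>root</name><passwd>%s</passwd></role>\n' \
            "$(sha1_digest 'mypasswd')" > "$d/$name.xml.template"
    done
    printf '<role><name>guest</name><passwd>%s</passwd></role>\n' \
        "$(sha1_digest 'other')" > "$d/misc.xml.template"
    echo "$d"
}
```

Usage on a node: `rotate_passwd /usr/local/openca/ra/etc/access_control mypasswd 'new passphrase'` (or the ca path), then `configure_etc.sh`; passing passwords as arguments still leaves them in the shell history, so clear it or read them with `read -s` in a wrapper.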
RA Configuration
Configure the templates in:
cp /usr/local/openca/ra/etc/servers/ra.conf.template /usr/local/openca/ra/etc/servers/ra.conf.template.orig
Edit ra.conf.template
RA Initialization
Configure:
–ra:/usr/local/openca/ra/etc$ ./configure_etc.sh
Copy the startup script:
–cp $OPENCA_HOME/ra/etc/openca_rc /etc/init.d/
Start the service:
–/etc/init.d/openca_rc start
RA Initialization
Go to https://ra/ra
–Administration
–Server Init
–Init New Node
–Import Configuration (under "PKI Setup")
This step should report success after prompting for confirmation.
RA Initialization (screenshot slide, no text)
Dataexchange
Dataexchange
On the CA, go to https://localhost/ca
–Administration
–Dataexchange
–Enroll data to a lower level of the hierarchy
–Configuration
Next, download 'Configuration' on the RA node:
Go to https://ra/ra
–Administration
–Dataexchange
–Download data from a higher level of the hierarchy
–Configuration
The enrolled data is written to the CA's dataexchange_device_down file (ca-down); carry it to the RA on removable media, where the download step reads it from the RA's dataexchange_device_up.
Dataexchange
On the CA, go to https://localhost/ca
–Administration
–Dataexchange
–Enroll data to a lower level of the hierarchy
–All
Next, download 'All' on the RA node:
Go to https://ra/ra
–Administration
–Dataexchange
–Download data from a higher level of the hierarchy
–All
Dataexchange (two screenshot slides, no text)
CRL
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
        Last Update: Jul 10 16:06:59 2007 GMT
        Next Update: Aug 9 16:06:59 2007 GMT
        CRL extensions:
            X509v3 CRL Number: 1
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
    …
-----BEGIN X509 CRL-----
Next Update is 30 days after Last Update: the offline CA has to issue a new CRL and move it through the dataexchange path to the RA's public pages before that date, because relying parties treat an expired CRL as a revocation-check failure. The sha1WithRSAEncryption signature shown here dates the deck; new deployments should sign CRLs with SHA-256 or stronger.