Changes

Jump to: navigation, search

Sigul Signing Server Setup

5 bytes removed, 16:05, 12 May 2015
no edit summary
To begin setup, we have generate the certs which will be used for all sigul systems to authenticate between eachother. The bridge will be used as the CA for internal sigul communications.
1) Create an NSS database on the bridge, to hold the certificate information *AS user '''sigul ''' issue the following * Login as sigul:  su -s /bin/bash sigul  bridge_dir=/var/lib/sigul <-- This variable should be set to the location where sigul resides on the system certutil -d $bridge_dir -N <-- This will generate a new NSS database for the bridge at the location of the bridge_dir variable | [Be sure to remember your NSS Password|]
2) Now generate the CA (Certificate Authority) certificate, to be used accross all sigul components
* be sure to replace '''my-ca''' with whatever your desire your CA to be named, such as '''sigul-ca''' for example: certutil -d $bridge_dir -S -n my-ca -s 'CN=My CA' -t CT,, -x -v 120 <-- Be sure to replace my-ca with whatever your desire your CA to be named, such as sigul-ca for example.
3) Create a certificate for the bridge
* be sure to replace BRIDGE_HOSTNAME with the hostname of the machine it resides on: certutil -d $bridge_dir -S -n sigul-bridge-cert -s 'CN=BRIDGE_HOSTNAME' -c my-ca -t u,, -v 120 <-- be sure to replace BRIDGE_HOSTNAME with the hostname of the machine it resides on.
4) Now it is time to configure the bridge, edit the config at ''/etc/sigul/bridge.conf '' * AS '''ROOT'''* login as ROOT* edit ''/etc/sigul/bridge.conf'': - #/etc/sigul/bridge.conf [bridge] ... # You can leave most things at their default such as ports, or fas-account settings, if using FAS authentication. [daemon] ... # The default configuration assumes you set up a separate "sigul" user and group; # remove the [daemon] section if you want the bridge to run as the invoking user. # If you use a separate user and group issue: # chown sigul:sigul $bridge_dir/*.db [nss] nss-password: yournsspass <-- This will save you having to type it each time you start the bridge ...
- Under the [NSS] section you can set nss-password: yournsspass <-- This will save you having to type it each time you start the bridge  - The default configuration assumes you set up a separate "sigul" user and group; remove the [daemon] section if you want the bridge to run as the invoking user. * If you use a separate user and group issue: chown sigul:sigul $bridge_dir/*.db 5) After editing the config and setting up the certs, it is time for a test drive issue the following * AS '''ROOT''': sigul_bridge -v -v <-- This will * start the bridge in DEBUG mode, and all information will be logged in ''/var/log/sigul_bridge.log'': sigul_bridge -v -v * Check check the log file after starting sigul, if there are no errors you are good to go. |You ** you should see the first log message in ''/var/log/sigul_bridge.log'': 2011-11-24 16:41:42,214 DEBUG: Waiting for the client to connect - Stop * stop the sigul_bridge CRTL-C and start the service: service sigul_bridge start
=Sigul Server Setup=
To begin setup, we have to follow a similar process to the bridge with NSS, except that we will import the CA cert generated on the bridge, not generate a new one.
1) Create the NSS database on the server, to hold the certificate information *AS user '''sigul ''' issue the following* login as sigul:
server_dir=/varsu -s /libbin/bash sigul <-- This variable should be set to the location where sigul resides on the system certutil -d $server_dir -N <-- This will * generate a new NSS database for the server at the location of the server_dir variable: server_dir=/var/lib/sigul | certutil -d $server_dir -N [Be sure to remember your NSS Password|]
2) Now import the CA (Certificate Authority) certificate, generated earlier on the bridge
* issue ON THE BRIDGE as user '''sigul''': - Issue: pk12util -d $bridge_dir -o myca-server.p12 -n my-ca <-- This file should now be copied over to the server and deleted from the bridge afterwards
* issue ON THE SERVER as user '''sigul''': - Issue: pk12util -d $server_dir -i myca-server.p12 rm myca-server.p12 certutil -d $server_dir -M -n my-ca -t CT,, <-- be sure to change my-ca to your CA name* The sigul CA certs should now be imported
* The sigul CA certs should now be importedsure to replace SERVER_HOSTNAME with the hostname of the machine it resides on. certutil -d $server_dir -S -n sigul-server-cert -s 'CN=SERVER_HOSTNAME' -c my-ca -t u,, -v 120 <-- be sure to replace SERVER_HOSTNAME with the hostname of the machine it resides on.
3) Now it is time to configure the server, edit the config at ''/etc/sigul/server.conf '' * AS '''ROOT'''* login as ROOT* edit ''/etc/sigul/server.conf'' * Note the default ports#/etc/sigul/server.conf ... Edit at least [nss] bridge-hostname and the : # Put bridge hostname here ... [nssdaemon] section . .. # The default configuration assumes you set up a separate "sigul" user and group; # remove the [daemon] section if you want the server to run as the invoking user.
4) Now to create the database for the server which will hold all user and key entries issue the following * AS '''ROOT'''
sigul_server_create_db
5) Next Add the initial administrator * AS '''ROOT:'''
sigul_server_add_admin
6) After all is configured, it's time for a test drive * AS '''ROOT''': sigul_server -v -v <-- This will * start the server in DEBUG mode, and all information will be logged in ''/var/log/sigul_server'': sigul_server -v -v <--
* Check check the log file after starting sigul, if there are no errors you are good to go. |You * you should see the first log message in /var/log/sigul_server.log: 2011-11-24 16:36:42,154 DEBUG: Waiting for a request
- Stop * stop the sigul_server CRTL-C and start the service: service sigul_server start
=Sigul Client Setup=
1) Create the NSS database on the client, to hold the certificate information issue the following
* login as sigul:
client_dir=~su -s /bin/.bash sigul <-- This variable should be set to the location of sigul which is a folder under the user directory certutil -d $client_dir -N <-- This will * generate a new NSS database for the server at the location of the client_dir variable | client_dir=~/.sigul certutil -d $client_dir -N [Be sure to remember your NSS Password|]
2) Now import the CA (Certificate Authority) certificate, generated earlier on the bridge
* issue ON THE BRIDGE as user '''sigul''' - Issue: pk12util -d $bridge_dir -o myca-client.p12 -n my-ca <-- This file should now be copied over to the client and deleted from the bridge afterwards
* ON THE CLIENT as your users - Issue: pk12util -d $client_dir copy myca-i myca.p12 rm mycaclient.p12 certutil -d $client_dir -M -n my-ca -t CT,, <-- be sure to change my-ca to your CA namethe client machine
3) Next we have to generate the authentication certificate for the clientL* issue ON THE CLIENT as your own user certutil pk12util -d $client_dir -S -n siguli myca-client.p12 rm myca.p12 certutil -cert d $client_dir -s 'CN=YOURUSERNAME' M -c n my-ca -t uCT,, -v 120 <-- be sure to replace YOURUSERNAME with the user you are using on the client system, OR if using FAS authentication set the CN=YOUR FAS NAME.change my-ca to your CA name
43) Now it is time Next we have to configure generate the client, edit authentication certificate for the config at /etc/sigul/client.conf * AS ROOT - You can leave most things set as default except for the following: | bridge-hostname and server-hostname be sure to change those to match replace YOURUSERNAME with the hostnames of each of those machines. | under [client] user-name set this to the value of the admin user your setup you are using on the server previouslyclient system* OR set 'CN=YOUR FAS NAME' if using FAS authentication | If you wish to avoid entering an NSS password upon issuing each command, issue vi ~/. certutil -d $client_dir -S -n sigul/-client.conf and add the following lines: | [nss] nss-password: Your NSS PASScert -s 'CN=YOURUSERNAME' -c my-ca -t u,, -v 120
4) Now it is time to configure the client, edit the config at /etc/sigul/client.conf * AS '''ROOT'''
* login as ROOT
* edit ''/etc/sigul/client.conf''
# /etc/sigul/client.conf
[client]
bridge-hostname: # Put bridge hostname here
...
server-hostname: # Put server hostname here
...
user-name: # Put administrator login name if it is different from your UNIX user
...
 
* if you wish to avoid entering an NSS password upon issuing each command, create/edit ''~/.sigul/client.conf'' and add the following lines:
[nss]
nss-password: Your NSS PASS
5) After configuring your client, issue a test client command in DEBUG mode as follows:
sigul -v -v list-users * This should return a list of users on the server, at this point it should only really display the one admin user created before. * For Help on more commands issue : sigul --help-commands for a full list
6) Create an initial key once you are able to issue commands to sigul, issue the following:
sigul new-key -h <-- This * this will output the options that can be used with the key creation, use the ones you want, and generate the key. * Please please note when generating the key, it requires alot of Entropy on the server, so issue some commands to keep server busy and help it generate faster, usually a simple find / will generate enough for it to take about 2 minutes to generate the key.
=Sigul with koji Setup=

Navigation menu