Changes between Version 1 and Version 2 of Web/SecureProfileDelivery

Timestamp:

Mar 21, 2010, 10:16:22 AM (16 years ago)

Author:

loomis

Comment:

--

Web/SecureProfileDelivery

@@ -9 +9 @@
 Administering a CA is a complex task. Here we'll only sketch how to set a mini-CA, with the help of OpenSSL.
 If you are using a Red Hat variant, the easiest way is to use the package openss-perl for this. It contains a script called CA.pl, which will do everything we need.
- /etc/pki/tls/misc/CA.pl -newca
-Then, answer all the questions it will prompt. You'll find your generated CA on ../../CA.
+{{{
+/etc/pki/tls/misc/CA.pl -newca
+}}}
+Then, answer all the questions it will prompt. You'll find your generated CA on `../../CA`.
 
 == Generating certificates for each node ==
@@ -21 +23 @@
 == Generating the CA ==
 Install the package SINDES-ca, which is available at CERN's repository. **I need a link here!!** Then, edit /etc/sindes/ca.config; make sure to set O, OU and CN.
-
+{{{
  [ req_distinguished_name ]
  O = IIHE
  OU = GRID
  CN = Local BEgrid client CA
-
-Edit /etc/sindes/sindesrc: in [MISC], set correctly domain (and use it correctly in sindessh !).
+}}}
+Edit `/etc/sindes/sindesrc`: in ![MISC], set correctly domain (and use it correctly in sindessh !).
 Next, set the default validity of the certificates, f.i, 10 years:
-
+{{{
  default_days = 3650
-
-Run "sindes-bootstrap-ca -a" to generate all certificates etc, and check the output carefully. This also generates a rpm with the CA certifiacte called {{eg}}.
-Now, edit /etc/httpd/conf.d/sindes-ssl.conf, and make sure your profile directory is not readable by any other virtual host.
+}}}
+Run "sindes-bootstrap-ca -a" to generate all certificates etc, and check the output carefully. This also generates a rpm with the CA certificat called {{eg}}.
+Now, edit `/etc/httpd/conf.d/sindes-ssl.conf`, and make sure your profile directory is not readable by any other virtual host.
 
 == Configuring the AII server ==
-Edit /etc/aii/aii-shellfe.conf to ensure it uses the correct certificates, too:
-
+Edit `/etc/aii/aii-shellfe.conf` to ensure it uses the correct certificates, too:
+{{{
  cdburl = https://f.q.d.n/profiles
  cert_file = /etc/sindes/certs/apache.crt
  key_file = /etc/sindes/keys/apache.key
  ca_file = /etc/sindes/certs/ca.crt
+}}}
 
 == Node configuration ==
@@ -49 +52 @@
 
 You'll have to include somewhere on your profile:
-
- include {'components/sindes_getcert/config'};
-
+{{{
+include {'components/sindes_getcert/config'};
+}}}
 Next, you have to install the SINDES-client package:
-
+{{{
  "/software/packages"=pkg_repl("SINDES-client","1.0.0-3","noarch");
-
+}}}
 (check that package is already present on your repositories!!). Now, we choose the X.509 fields for our certificate and assign them to the component's tree:
-
+{{{
  "/software/components/sindes_getcert/x509_O" = "desired crt /o field";
  "/software/components/sindes_getcert/x509_OU" = "desired crt /ou field";
-
+}}}
 Next, decide where to store the certificate, key and CA information:
-
+{{{
  "/software/components/sindes_getcert/cert_dir" = "/etc/sindes/certs";
  "/software/components/sindes_getcert/client_key" = "client_key.pem";
@@ -69 +72 @@
  "/software/components/sindes_getcert/ca_cert" = SINDES_SITE_CA_CERT_NAME;
  "/software/components/sindes_getcert/ca_cert_rpm" = SINDES_SITE_CA_RPM_NAME;
-
+}}}
 
 === Configuring AII ===
 
 During the node's installation, it must use the values of the sindes_getcert component to generate the certificates. We said we want to download the profile only if there is a certificate. How do we solve this?
-Easy: let AII configure SINDES first, then generate the certificates and finally, download the profile. We handle this with a simple AII hook, present in SVN. Its name is <tt>aii-sindes</tt>.
-
+Easy: let AII configure SINDES first, then generate the certificates and finally, download the profile. We handle this with a simple AII hook, present in SVN. Its name is `aii-sindes`.
+{{{
  "/system/aii/hooks/post_reboot/0/module" = "aii_sindes";
  "/system/aii/hooks/remove/0/module" = "aii_sindes";
  "/system/aii/hooks/boot/0/module" = "aii_sindes";
-
+}}}
 The {{remove}} hook will make all actions needed to revoke the host's certificate. The {{boot}} hook will open the time window. The {{post_reboot}} hook will generate the bash script that will request the certificates during the node's installation.
 
 = Configuring CCM =
 No matter the way you choose for generating your certificates, you need to tell CCM to use them to download the profile. Just set the following on the profile:
-
+{{{
  "/software/components/ccm/key_file" = "/path/to/key/file";
  "/software/components/ccm/cert_file" = "/path/to/cert/file";
@@ -90 +93 @@
  "/software/components/ccm/ca_dir" = "/path/to/ca/dir";
  "/software/components/ccm/world_readable"= 0;
-
+}}}
 If you use SINDES, those paths can be automatically derived, like this:
-
+{{{
  "/software/components/ccm/key_file" =
      value("/software/components/sindes_getcert/cert_dir") + "/" +
@@ -105 +108 @@
      value("/software/components/sindes_getcert/cert_dir");
  "/software/components/ccm/world_readable"= 0;
+}}}
 
 = Configuring Apache =
 Make sure your profile directory is not readable by any other virtual host. We will need to check that the certificate belongs to the node that presents it, so we allow DNS lookups:
-
+{{{
  HostnameLookups On
-
+}}}
 Now, restrict the access to the profiles directory:
-
+{{{
  <Directory "/var/www/https/profiles">
      Options +Indexes
@@ -123 +127 @@
      SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_HOST}
  </Directory>
-
+}}}
 Finally, the installation server is special: it must be allowed to download all profiles, to generate the appropriate Kickstarts:
-
+{{{
  RewriteMap ACLmap txt:/var/www/acl/ACLmap.txt
  RewriteCond ${ACLmap:%{REMOTE_HOST}|NO} NO
  RewriteRule ^/profiles/.*$ /profiles/profile_%{REMOTE_HOST}.xml
-
+}}}
 And to let the install server to download all profiles, edit /var/www/acl/ACLmap.txt:
-
+{{{
  echo aii-server.my.domain YES > /var/www/acl/ACLmap.txt
+}}}
 
 = References =