The DHCP server is located on the gpcentral server; it was part of the default Red Hat 9 install. Create the /etc/dhcpd.conf file. Here is an example:
#
# Global Settings
#
# Turn on Dynamic DNS:
ddns-update-style interim;
ddns-updates on;
# Don't allow clients to update DNS, make the server do it
# based on the hostname passed by the DHCP client:
deny client-updates;
allow unknown-clients;
#
# 10.0.0.0/255.255.255.0 Scope Settings
#
subnet 10.0.0.0 netmask 255.255.255.0 {
    # Range of DHCP assigned addresses for this scope
    range 10.0.0.81 10.0.0.199;
    # 1 day
    default-lease-time 86400;
    # 2 days
    max-lease-time 172800;
    # Configure the client's netmask and broadcast address
    # (the default gateway "routers" option is left commented out):
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    #option routers 192.168.0.1;
    # Configure the client's DNS settings:
    option domain-name "voidmain.home";
    option domain-name-servers 10.0.0.2;
    # If you want the client to be configured to also use
    # a WINS server:
    #option netbios-name-servers 192.168.0.2;
    #option netbios-node-type 8;
}
[Note: the domain-name-servers option points at an address on the 10.x.x.x network.]
The DNS server is located on the gpcentral server. Bind v9.2.3 was part of the default Red Hat 9 install. [Note: "named" won't start from a terminal logged in as root; start it with the Red Hat GUI for services.]
The main DNS server configuration file is /etc/named.conf. The wildcard zone is defined in /var/named/wildcard.zone. Files in /var/named have to be owned by user "named" in group "named".
Create /etc/named.conf file. Here is an example:
options {
    directory "/var/named";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
    type master;
    file "wildcard.zone";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};
#zone "voidmain.home" in {
#    type master;
#    file "voidmain.home.zone";
#    allow-update { localhost; };
#};
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "10.0.0.rev";
    allow-update { localhost; };
};
include "/etc/rndc.key";
Create the files in /var/named referenced by /etc/named.conf:
# untar /var/named files for gpcentral
su
cd /
tar -xvf dupin-var-named.tar
Create the /var/named/wildcard.zone file. Here is an example:
$ORIGIN .
$TTL 10 ; 10 seconds
@       IN SOA ns1.voidmain.home. root.ns1.voidmain.home. (
                5        ; serial
                21600    ; refresh (6 hours)
                1800     ; retry (30 minutes)
                604800   ; expire (1 week)
                3600     ; minimum (1 hour)
                )
        NS      ns1.voidmain.home.
        A       10.0.0.1
        MX      10 mail.voidmain.home.
        TXT     "Void Main Home"
$TTL 10 ; 10 seconds
dhcp    A       10.0.0.1
;dmz1   A       172.16.1.2
fw      A       10.0.0.1
gateway A       10.0.0.1
mail    A       10.0.0.1
ns1     A       10.0.0.1
pdc     A       10.0.0.1
proxy   A       10.0.0.1
www     IN A    10.0.0.1
*       A       10.0.0.1
Create the /var/named/10.0.0.rev file. Here is an example:
$ORIGIN .
$TTL 259200 ; 3 days
0.0.10.in-addr.arpa IN SOA ns1.voidmain.home. root.ns1.voidmain.home. (
                2        ; serial
                28800    ; refresh (8 hours)
                7200     ; retry (2 hours)
                604800   ; expire (1 week)
                86400    ; minimum (1 day)
                )
        NS      ns1.voidmain.home.
$ORIGIN 0.0.10.in-addr.arpa.
1       PTR     fw.voidmain.home.
        PTR     pdc.voidmain.home.
        PTR     www.voidmain.home.
        PTR     dhcp.voidmain.home.
        PTR     mail.voidmain.home.
        PTR     proxy.voidmain.home.
        PTR     gateway.voidmain.home.
        PTR     voidmain.home.
$TTL 43200 ; 12 hours
199     PTR     BKG.voidmain.home.
Create the /var/named/localhost.zone file. Here is an example:
$TTL 86400
$ORIGIN localhost.
@       1D IN SOA @ root (
                1       ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        1D IN NS        @
        1D IN A         127.0.0.1
Create the /var/named/named.local file. Here is an example:
$TTL 86400
@       IN SOA localhost. root.localhost. (
                1        ; Serial
                28800    ; Refresh
                14400    ; Retry
                3600000  ; Expire
                86400 )  ; Minimum
        IN NS   localhost.
1       IN PTR  localhost.
Apache configuration files can vary quite a bit depending on how you installed Apache, what defaults it came with, and what other modifications have been made. In general, however, there are just a few things you need to add to your httpd.conf file.
You probably want an alias URL at which people can access the Greenpass scripts. Add something along the lines of:
Alias /Greenpass/ "$GREENPASS_HOME/gpcensrc/web/"
Then set options for that directory:
<Directory "$GREENPASS_HOME/gpcensrc/web/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .py
    SetEnv PYTHONPATH "$GREENPASS_HOME/gpcensrc/lib"
    SetEnv GREENPASS_PREFS "$GREENPASS_HOME/gpcensrc/prefs"
</Directory>
Here, we've made it possible to run Python CGI scripts in the given directory, and set up environment variables pointing to the directory of Python modules needed by the scripts and to the Greenpass preferences file used by the scripts, daemons, etc. More details about the prefs file appear below.
You probably want to set up access privileges for these directories also. See the Apache manual for details.
Now, set the SSL options. You'll have to add these to the SSL virtual host section of your Apache configuration if it's set up that way (for some servers this is /etc/httpd/conf.d/ssl.conf):
# Greenpass configuration
ServerName gpcentral.university.edu
SSLVerifyClient optional_no_ca
<Directory "$GREENPASS_HOME/gpcensrc/web">
    SSLOptions +StdEnvVars +ExportCertData
</Directory>
The SSLVerifyClient line tells Apache to request client certificates from people who connect via HTTPS, without requiring them and ignoring the fact that it may not know the signing CAs. This little-used option allows us to grab public key values out of guest certificates. The SSLOptions line exports the client certificate (if there is one) to an environment variable, where it can be read and processed by our CGI scripts.
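What a CGI script sees under this configuration, as an added example (not Greenpass code): mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when it could verify the chain; with optional_no_ca a certificate from an unknown CA is still accepted, exported in SSL_CLIENT_CERT (because of +ExportCertData) and reported as GENEROUS. The script below classifies the request accordingly and derives a SHA-256 fingerprint of the DER certificate as the only thing it will bind to for a guest. SAMPLE_DER is a constructed placeholder, not a real X.509 certificate; the fingerprint helper and the environ dict layout are this example's own.

```python
"""Interpret the client-certificate variables mod_ssl exports to a CGI script.

Added example, not Greenpass code. Assumes the mod_ssl CGI variables
SSL_CLIENT_VERIFY (NONE, SUCCESS, GENEROUS or FAILED:reason) and
SSL_CLIENT_CERT (PEM, present only with SSLOptions +ExportCertData).
"""
import base64
import hashlib
import ssl


def fingerprint_of(der):
    """SHA-256 over the DER certificate bytes, hex encoded (the usual cert fingerprint)."""
    return hashlib.sha256(der).hexdigest()


def classify_client(environ):
    """Return what the script may rely on for this request.

    trusted_subject is True only when Apache verified the chain (SUCCESS).
    For GENEROUS the certificate is an unverified self-assertion: the script
    may use the key/fingerprint as an identifier for a guest, but must not
    believe the subject name or any attribute inside the certificate.
    """
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    pem = environ.get("SSL_CLIENT_CERT", "").strip()
    if not pem:
        return {"status": "none", "fingerprint": None, "trusted_subject": False}
    # ssl.PEM_cert_to_DER_cert strips the BEGIN/END lines and base64-decodes the
    # body; it raises ValueError on anything that is not a PEM CERTIFICATE block.
    try:
        der = ssl.PEM_cert_to_DER_cert(pem)
    except ValueError:
        return {"status": "malformed", "fingerprint": None, "trusted_subject": False}
    fp = fingerprint_of(der)
    if verify == "SUCCESS":
        return {"status": "verified", "fingerprint": fp, "trusted_subject": True}
    if verify == "GENEROUS":
        return {"status": "unverified", "fingerprint": fp, "trusted_subject": False}
    return {"status": "rejected", "fingerprint": fp, "trusted_subject": False}


# Constructed stand-in for a certificate body: not real DER, only something
# base64-encodable so the PEM handling and hashing can run offline.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def demo():
    """Show the three outcomes a Greenpass-style CGI has to tell apart."""
    guest = classify_client({"SSL_CLIENT_VERIFY": "GENEROUS", "SSL_CLIENT_CERT": SAMPLE_PEM})
    known = classify_client({"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": SAMPLE_PEM})
    nobody = classify_client({"SSL_CLIENT_VERIFY": "NONE"})
    return guest, known, nobody


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The same certificate yields the same fingerprint whether or not the chain verified; what changes is only whether the script is allowed to trust the names inside it. A CGI that keys anything on SSL_CLIENT_S_DN without first checking SSL_CLIENT_VERIFY == "SUCCESS" is trusting a string the client chose.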
Finally, if you want your Web server to redirect requests to / to the Greenpass front page, add the following to your httpd.conf:
RedirectMatch ^/$ http://your.host.name/Greenpass/cgi-bin/grandcentral.py
NOTE: There is a regular expression for this purpose in the apache configuration file modifications.
NOTES: Apache configuration in /etc/httpd/conf/httpd.conf (you have to be root to edit it):
    set ServerName and the local host name
    set DocumentRoot "/var/www/html" (this is the default)
    set <Directory xxx> to match DocumentRoot
    cgi-bin should point to $GREENPASS_HOME/gpcensrc/web/cgi-bin/
    <Directory> directives reference the home directory of gpadmin
    rewrite rules reference the hostname of gpcentral
[Note: be sure not to duplicate .conf files in this directory; Apache will try to load all ".conf" files.]
    the cert store for Apache is located in /etc/httpd/conf/ssl.crt
    the cert file names are referenced in httpd.conf
A default file is in $GREENPASS_HOME/gpcensrc/prefs. Change all the paths given here to fit this location. Note that you'll need to set up a "dummy" CA using OpenSSL (the tempca directory contains one that the prefs file points to now, but its certificates will expire eventually).
#--edit Greenpass.prefs and ../GreenpassWebApps/prefs
# edit setenv.sh
#if not using /home/gpadmin update paths
# in ../GreenpassWebApps/prefs edit IP address of Radius server to be "gpradius" IP (or will a DNS name work here?)
Customize gpcentral "$GREENPASS_HOME/gpcensrc/prefs" file:
##
## Greenpass configuration file
##
[main]
root = /home/gpadmin/GreenpassWebApps
[introcache_d]
uri = http://127.0.0.1:8111
[cookies]
hash_expir_days = 365
chain_expir_days = 365
waiting_expir_hours = 5
[tempca_d]
uri = http://127.0.0.1:8112
openssl_path = /usr/bin/openssl
capath = /home/gpadmin/tempca
crl = %(capath)s/crl.pem
cakey = %(capath)s/private/cakey.pem
cakeypass = %(capath)s/private/cakey.pass
caconfig = %(capath)s/tempca.cnf
[ccache_d]
uri = http://129.170.253.74:8081
[visprint]
cache_dir = /tmp
visprint_path = /usr/local/bin/visprint
ppmtojpeg_path = /usr/bin/ppmtojpeg
With the Java package downloaded:
#install Java RPM as root
cd /home/gpadmin
rpm -iv j2sdk-1_4_2_05-linux-i586.rpm
#check version and info
rpm -qi j2sdk
# unpacked by gpcensrc.tar in jdaemons/lib
cryptix32.jar
jdsdi-0.5.jar
xmlrpc-1.2-b1.jar
# along with symlinks (from tar) for version independence
cryptix.jar
jsdsi.jar
xmlrpc.jar
To provide the "ppmtojpeg" program:
#install as root
# libraries
rpm -ivh netpbm_9.24-10.90.1_i386.rpm
#scripts
rpm -ivh netpbm-progs_9.24-10.90.1_i386.rpm
#compile these, binaries expected to be in /usr/local/bin
# typically:
cd package-dir
./configure
make
make install
#--Python Libraries
#--for Albatross v1.10
#in the /doc dir, read installation.tex
#--to install package, run this cmd:
python setup.py install
#--for M2Crypto v0.12
#--to install package, run this cmd:
python setup.py build (or install??)
Download from http://theory.lcs.mit.edu/~cis/sdsi.html (find the "current release" section of the page).
mkdir /usr/src/sdsi
cd /usr/src/sdsi
tar xvf /download/sdsi20.tar
cd sdsi20-0.4.5
./configure
make
make install
Note from INSTALL file:
The simplest way to compile this package is:
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system.
Running `configure' takes awhile. While running, it prints some
messages telling which features it is checking for.
2. Type `make' to compile the package.
3. Optionally, type `make check' to run any self-tests that come with
the package.
4. Type `make install' to install the programs and any data files and
documentation.
5. You can remove the program binaries and object files from the
source code directory by typing `make clean'.
W3C libwww package: w3c-libwww-5.4.0-1.i386.rpm
XML-RPC packages: xmlrpc-c-0.9.9-1.i386.rpm and xmlrpc-c-devel-0.9.9-1.i386.rpm (xmlrpc-c-apps-0.9.9-1.i386.rpm is optional)
To install:
rpm -ivh w3c-libwww-5.4.0-1.i386.rpm
rpm -ivh xmlrpc-c-0.9.9-1.i386.rpm
rpm -ivh xmlrpc-c-devel-0.9.9-1.i386.rpm
A modified version of FreeRadius is used to make authorization decisions for the wireless AP. Modifications for FreeRadius 0.9.2 are currently available here. Version 1.0.2 works much better with Windows supplicants. Modifications for it will be available soon.
Build freeradius as follows:
(Note: the configure switch is needed because of the unusual location of the Kerberos include files on Red Hat Linux. Kerberos is referenced by OpenSSL, which is referenced by rlm_eap_tls.)
cd /usr/src/freeradius/
./configure --with-rlm-eap-tls-include-dir=/usr/kerberos/include/
make
make install
Binaries and libraries are installed in /usr/local by default.
To build the rlm_eap_tls module:
cd /usr/src/freeradius/src/modules/rlm_eap/types/rlm_eap_tls
./configure --with-rlm-eap-tls-include-dir=/usr/kerberos/include/
make
make install
[Note: if configure doesn't find Kerberos (which includes openssl/ssl.h) it skips the build of rlm_eap_tls.]
Next, add the Greenpass modifications to rlm_eap_tls/ and rebuild that module.
NOTE: the current version of freeradius is 2006.03.20 freeradius-1.1.1.tar.gz, (currently released version: 1.1.1);
I am testing that our 102 mods work with that version
get GP patches to version 0.9.2 of the rlm_eap_tls module from: gp-sources/rad092mods.tar
and expand the tar file in the /usr/src/freeradius/src/modules/rlm_eap/types/rlm_eap_tls/ directory.
The rlm_eap_tls module is modified by replacing (or patching): cb.c and adding the files: extract.c hashify.c ssltospki.h ssltospki.c
[Note: extra debug statements added to rlm_eap_tls.c, eap_tls.c and mppe_keys.c can be useful]
[Note: patches for the older Radius 0.9.2 are found at gp-sources/rad092mods.tar]
To build another version of FreeRadius in another directory:
mkdir /usrrad
mkdir /usrrad/local
# copy freeradius tar file to /usrrad/ and extract it
cd /usrrad/freeradius-version
./configure --prefix=/usrrad/local --with-rlm-eap-tls-include-dir=/usr/kerberos/include
make
make install
Download gpradsrc.tar from the web site.
Unpack the tar file in the GPAdmin account, recreating the greenpass/ directory:
cd (greenpass install site)
mkdir greenpass
cd greenpass
tar -xvf gpradius.tar
You can run the AuthServer directly from its jar file, or you can rebuild it using
cd gpradsrc
source setenv.sh
cd scripts
./buildauthserver.sh
which will use javac to compile and run some basic tests of the AuthServer. Once the AuthServer is built, it is not ready to be used until a source of authority is chosen and a first delegator is created.
Bootstrap tools: install in /home/gpadmin/bootstraptools/ by extracting "bootstraptools.tar".
For first delegator setup see: Creating First Delegator or 1.4 Trust Chain Setup.
Note: JSDSIAuthServer is probably best run on the same machine as the RADIUS server that'll be querying it. If that's a different machine than the Web server, move the jdaemons subdirectory to that machine (it includes the prerequisite JARs) and run it there.
First, set up OpenSSL to create the certificates:
(There was a problem with the Kerberos libraries because under Red Hat 9, the include files for Kerberos 5 required by OpenSSL were placed under /usr/kerberos/include, rather than /usr/include/kerberos, which OpenSSL was expecting. Creating a symlink between the two directories solves this problem.)
Download OpenSSL from www.openssl.org/source and install it, linking the libraries to be used by FreeRADIUS as directed by the <HOW-TO reference on EAP-TLS with FreeRADIUS with XSupplicant>.
Use OpenSSL to generate a trusted root certificate, a server certificate, and client certificates with the scripts provided by <HOW-TO reference on FreeRADIUS with Windows XP supplicant>.
The initial certificate script is /usr/local/openssl/ssl/certscript
Running this script will create a new root CA, a server certificate, and a client certificate (in that order). root is the name of the CA cert, cert-srv is the name of the server cert, and cert-clt is the name of the client cert. I forget which formats are created, but you want the PEM file for the CA and the server, and the P12 file for the client.
Running this script a second time will create a new CA, so use the clientCert script in the same directory to create further client certs. The new client cert will overwrite whatever was in the cert-clt file, so you should cp the cert after it is created. This will just create a single client certificate and sign it with the existing CA. The Extended Key Usage fields are read from the file xpextensions and set the server certificate for Server Authentication and the client certs for Client Authentication.
Greenpass Prefs
Is this file being used? only used on gpcentral?
Customize gpradius "/home/gpadmin/greenpass/prefs" file:
##
## Example Greenpass configuration file
##
[main]
root = /home/gpadmin/GreenpassWebApps
[cookies]
hash_expir_days = 365
chain_expir_days = 365
waiting_expir_hours = 5
[introcache_d]
uri = http://127.0.0.1:8111
[tempca_d]
uri = http://127.0.0.1:8112
openssl_path = /usr/bin/openssl
capath = /home/gpadmin/tempca
crl = %(capath)s/crl.pem
cakey = %(capath)s/private/cakey.pem
cakeypass = %(capath)s/private/cakey.pass
caconfig = %(capath)s/tempca.cnf
[ccache_d]
uri = http://127.0.0.1:8081
[visprint]
cache_dir = /tmp
visprint_path = /usr/local/bin/visprint2
ppmtojpeg_path = /usr/bin/ppmtojpeg
Customize gpcentral "/home/gpadmin/GreenpassWebApps/setenv.sh" file:
PYTHONPATH="$PWD/lib"
GREENPASS_PREFS="$PWD/prefs"
JLIBS="$PWD/jdaemons/lib"
CLASSPATH=".:$JLIBS/cryptix.jar:$JLIBS/jsdsi.jar:$JLIBS/xmlrpc.jar"
export PYTHONPATH
export GREENPASS_PREFS
export CLASSPATH
Customize gpradius "/home/gpadmin/greenpass/setenv.sh" file:
PYTHONPATH="$PWD/lib"
GREENPASS_PREFS="$PWD/prefs"
#JLIBS="/home/gpadmin/greenpass/jdaemons/lib"
JLIBS="$PWD/jdaemons/lib"
CLASSPATH=".:$JLIBS/cryptix.jar:$JLIBS/jsdsi.jar:$JLIBS/xmlrpc.jar"
PATH="$PATH:/usr/java/j2sdk1.4.2_05/bin"
export PYTHONPATH
export GREENPASS_PREFS
export CLASSPATH
export PATH
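The prefs file used on both gpcentral and gpradius is in the format Python's configparser reads: INI sections, '#' comment lines, and %(capath)s interpolation inside [tempca_d]. The following added example (not Greenpass code) loads a constructed, trimmed copy of that file, resolves the interpolated paths, and audits them: every path the tempca daemon needs must exist, and the CA private key and its password file must be readable by their owner only, since whoever can read them can sign guest certificates. load_prefs, audit_prefs and demo() are this example's own; the keyword overrides and the throwaway tempca tree exist so it runs offline.

```python
"""Load a Greenpass-style prefs file and audit the CA paths it points at.

Added example, not part of Greenpass. SAMPLE_PREFS is a constructed, trimmed
copy of the prefs file shown above; demo() builds a throwaway tempca tree with
one deliberately loose file so the audit runs offline.
"""
import configparser
import os
import stat
import tempfile

SAMPLE_PREFS = """\
##
## Example Greenpass configuration file
##
[main]
root = /home/gpadmin/GreenpassWebApps
[tempca_d]
uri = http://127.0.0.1:8112
openssl_path = /usr/bin/openssl
capath = /home/gpadmin/tempca
crl = %(capath)s/crl.pem
cakey = %(capath)s/private/cakey.pem
cakeypass = %(capath)s/private/cakey.pass
caconfig = %(capath)s/tempca.cnf
"""

PATH_KEYS = ("openssl_path", "capath", "crl", "cakey", "cakeypass", "caconfig")
SECRET_KEYS = ("cakey", "cakeypass")   # expected mode 0600


def load_prefs(text, **overrides):
    """Parse prefs text; keyword overrides replace [tempca_d] values (used by demo())."""
    cp = configparser.ConfigParser()   # default BasicInterpolation expands %(capath)s
    cp.read_string(text)
    for key, value in overrides.items():
        cp.set("tempca_d", key, value)
    return cp


def audit_prefs(cp):
    """Return a list of findings for [tempca_d]; an empty list means nothing to fix."""
    findings = []
    for key in PATH_KEYS:
        path = cp.get("tempca_d", key)      # interpolation happens here, at get() time
        if not os.path.exists(path):
            findings.append(f"{key}: {path} does not exist")
            continue
        if key in SECRET_KEYS:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):   # any group/other bit set
                findings.append(f"{key}: {path} is mode {mode:04o}, expected 0600")
    return findings


def demo():
    """Create a constructed tempca tree with one deliberately loose file and audit it."""
    base = tempfile.mkdtemp(prefix="tempca-")
    os.mkdir(os.path.join(base, "private"))
    files = (("openssl", 0o755), ("crl.pem", 0o644), ("tempca.cnf", 0o644),
             ("private/cakey.pem", 0o600), ("private/cakey.pass", 0o644))
    for rel, mode in files:
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(path, mode)
    cp = load_prefs(SAMPLE_PREFS, capath=base,
                    openssl_path=os.path.join(base, "openssl"))
    return audit_prefs(cp)


if __name__ == "__main__":
    for finding in demo() or ["no findings"]:
        print(finding)
```

On a real install you would run audit_prefs against the file named by $GREENPASS_PREFS with no overrides. The one finding demo() produces is the password file left world-readable, which is exactly the case a "chmod -R" over the tempca directory tends to leave behind.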
Last edited May 2 2006 by KPM