diff options
Diffstat (limited to 'doc/wiki-dump/doc%2FRPKI%2Fdoc%2FRPKI%2FInstallation%2FUbuntuRootd.md')
| -rw-r--r-- | doc/wiki-dump/doc%2FRPKI%2Fdoc%2FRPKI%2FInstallation%2FUbuntuRootd.md | 395 |
1 files changed, 395 insertions, 0 deletions
diff --git a/doc/wiki-dump/doc%2FRPKI%2Fdoc%2FRPKI%2FInstallation%2FUbuntuRootd.md b/doc/wiki-dump/doc%2FRPKI%2Fdoc%2FRPKI%2FInstallation%2FUbuntuRootd.md new file mode 100644 index 00000000..d5f750ae --- /dev/null +++ b/doc/wiki-dump/doc%2FRPKI%2Fdoc%2FRPKI%2FInstallation%2FUbuntuRootd.md @@ -0,0 +1,395 @@ +# Ubuntu trusty 14.04 RPKI Install with rootd + +Given a running Ubuntu 14.04 server, this should take an hour or less. + +## Rationale + +Due to the ravages of time and the business of hackers, documentation of the +arcane process of installing the RPKI CA software has not kept as current as +it might. Additionally, back in the day, we thought that installing a root +instance would be exceedingly rare, so tools and documentation of that process +are poor. This page attempts to patch that pothole. + +Many users will be happy installing a rootless CA instance. This page may +still help them as it puts everything in one place; just skip the root parts. + +But a root instance turns out to be very helpful for: + + * Experimenting, where one does not want to mess up the global RPKI + * Certifying use of RFC1918 and other private spaces + * Running private environments + +## Prerequisites + +You can start with the following: + + * A small VM, 4GB disk, 512MB RAM, one processor + * Ubuntu 14.04 i386 server version + * opensshd, and + * Emacs, of course + +I am lazy and log in as root as pretty much everything I do is going to +require being root. If you like sudo, then just prefix a lot with it. + +This example uses apt-get. If you prefer other tools, see the more detailed +page, <https://trac.rpki.net/wiki/doc/RPKI/Installation/DebianPackages>. + +## Install the Basic RPKI CA and RP Software + +You should only need to perform these steps once for any particular machine. + +Add the GPG public key for this repository (optional, but APT will whine +unless you do this): + + + + wget -q -O - http://download.rpki.net/APT/apt-gpg-key.asc | sudo apt-key add - + + +Configure APT to use this repository (for Ubuntu Trusty systems): + + + + wget -q -O /etc/apt/sources.list.d/rpki.list http://download.rpki.net/APT/rpki.trusty.list + + +Update available packages: + + + + apt-get update + + +Install the software: + + + + apt-get install rpki-rp rpki-ca + + +You will be prompted to enter + + + + New password for the MySQL "root" user: + + +This will be the password for root@localhost on the MySQL server. Make one up, +save it somewhere safe, and enter it twice. [ insert lecture on strong +passwords. ] + +## Minimal Configuration + +This example install uses the server hostname `test.dfw.rg.net`. Any use of +that hostname below will have to be replaced with your host's name, of course. + +### Relying Party - rcynic + +The RP (Relying Party) software should have installed and should be running. +You can test it by browsing to <https://test.dfw.rg.net/rcynic/>. It uses a +self-signed TLS certificate; you can be lazy and decided to accept it as +opposed to installing a real one generated from from your own TLS CA; your +call. + +The rcynic web page had not populated yet because the cron job to populate is +generated for a socially polite cache which fetches once an hour. + + + + test.dfw.rg.net:/root# crontab -u rcynic -l + MAILTO=root + 49 * * * * exec /usr/bin/rcynic-cron + + +Do not change this now as it would place an asocial load on the global RPKI. + +If you plan to use the rpki-rtr protocol to feed a router from the RP cache +you just installed, check `/etc/xinetd.d/rpki-rtr` to be sure the port number +is 323, the IANA assigned port, as opposed to some old hacks that were used +pre [RFC 6810][1]. + + + + cat /etc/xinetd.d/rpki-rtr + service rpki-rtr + { + type = UNLISTED + flags = IPv4 + socket_type = stream + protocol = tcp + port = 323 + wait = no + user = rpkirtr + server = /usr/bin/rpki-rtr + server_args = server /var/rcynic/rpki-rtr + } + + +The configuration for rcynic is in `/etc/rcynic.conf`. Note that it says to +use the trust anchors in the directory `/etc/rpki/trust-anchors`. As you +intend to install the created root instance's trust anchor there, try to +remembered how to find it. + +### CA Configuration - rpki.conf + +`/etc/rpki.conf` is the core configuration file for the CA. You need to make +very minimal changes. If you want an explanation for all the options, go to +<https://trac.rpki.net/wiki/doc/RPKI/CA/Configuration>. Get coffee first. + +`handle` is generated as `test_dfw_rg_net`. You may want to change it to +something more intuitive such as `testCA`. You do not really need to do this, +but let's assume you do. + +`run_rootd` was generated as `no` because most folk do not want to run rootd. +But if you intend to have the rootd part of this exercise, change it to `yes`. + +Observe that the `publication_base_directory` expands/decodes to +`/usr/share/rpki/publication`. Similarly, `bpki_servers_directory` decodes to +`/usr/share/rpki`. + +That is it for configuration or `/etc/rpki.conf`! + +### Creating a Root Certificate + +At this point, you may want to + + + + cd /usr/share/rpki + + +so that everything is in one place; otherwise it is easy to get confused. + +If you intend to run a root CA, i.e. run rootd, you need to create a root +certificate with all possible resources, i.e. +ASs 0-4294967295, +0.0.0.0/0, and +0::/0 + +sra made a great hack to do this, so you so not have to go through all the +arcane (and not working for me) instructions on +<https://trac.rpki.net/wiki/doc/RPKI/CA/Configuration/CreatingRoot> + + + + wget https://subvert-rpki.hactrn.net/trunk/potpourri/generate-root-certificate --no-check-certificate + + +And then + + + + python generate-root-certificate + + +This should give you + + + + /usr/share/rpki# ls -l root.* + -rw-r--r-- 1 root root 1056 Aug 7 06:55 root.cer + -rw-r--r-- 1 root root 1194 Aug 7 06:55 root.key + -rw-r--r-- 1 root root 439 Aug 7 06:55 root.tal + + +For security considerations, the root certificate really should not be in the +publication point. And the script does not make a stash for it. so you should +make and use one. + + + + mkdir /usr/share/rpki/publication.root + rsync root.cer /usr/share/rpki/publication.root + + +Remember that RP software runs from the trust anchors in `/etc/rpki/trust- +anchors`. In this example, you want the root to be the only trust anchor, so + + + + rm /etc/rpki/trust-anchors/* + rsync root.tal /etc/rpki/trust-anchors/TestRoot.tal + + +And now it it safe to hack rcynic's crontab to be frequent + + + + crontab -u rcynic -l + MAILTO=root + */10 * * * * exec /usr/bin/rcynic-cron + + +### rsyncd Configuration + +Next, you want to get the rsync daemon working. First you need to tell the +rsync daemon what it should serve. Remember that we decided to serve root and +data separately. So configure `/etc/rsyncd.conf` as follows: + + + + cat > /etc/rsyncd.conf << EOF + uid = nobody + gid = rcynic + + [root] + use chroot = no + read only = yes + transfer logging = yes + path = /usr/share/rpki/publication.root + comment = ROOT publication + + [rpki] + use chroot = no + read only = yes + transfer logging = yes + path = /usr/share/rpki/publication + comment = RPKI publication + EOF + + +Then tell xinetd to run the rsync deamon when asked and then to restart xinetd + + + + cat > /etc/xinetd.d/rsync << EOF + service rsync + { + disable = no + socket_type = stream + port = 873 + protocol = tcp + wait = no + user = root + server = /usr/bin/rsync + server_args = --daemon + log_on_failure += USERID + } + EOF + service xinetd restart + + +It is recommended that you test it from a remote system + + + + rsync rsync://test.dfw.rg.net/root/root.cer + -rw-r--r-- 1056 2015/08/07 16:28:10 root.cer + + +## CA Data Initialization + +The remaining configuration was done using the RPKI software itself. + +### Starting Services + +Before configuring the CA daemon and database, you should first restart the +daemons. + + + + service rpki-ca restart + + +You should see all four daemons running + + + + /bin/ps axu | grep rpki.conf | grep -v grep + root 1541 0.1 4.0 42244 20580 ? Ss Aug07 2:15 /usr/bin/python /usr/lib/rpki/irdbd --config /etc/rpki.conf --log-level warning --log-syslog daemon + root 1543 0.1 2.8 35144 14232 ? Ss Aug07 3:37 /usr/bin/python /usr/lib/rpki/rpkid --config /etc/rpki.conf --log-level warning --log-syslog daemon + root 1546 0.0 1.9 33584 9780 ? Ss Aug07 0:00 /usr/bin/python /usr/lib/rpki/pubd --config /etc/rpki.conf --log-level warning --log-syslog daemon + root 1559 0.0 1.8 24496 9608 ? Ss Aug07 0:22 /usr/bin/python /usr/lib/rpki/rootd --config /etc/rpki.conf --log-level warning --log-syslog daemon + + +### Initializing the CA + +The command utility, `rpkic` is a CLI for dealing with the CA. This example +uses it instead of the GUI, especially for initial setup, as it is easier to +copy and paste into a wiki. The CLI has tab completion, and the other features +offered by readline(). + +rpkic has the concept of the current identity. Initially, it starts with the +identity from the handle in `/etc/rpki.conf`, testCA in this example + + + + rpkic + rpkic> + + +Before you do anything else, you need to initialize the CA. + + + + rpkic> initialize + Wrote /usr/share/rpki/testCA.testCA.repository-request.xml + This is the "repository offer" file for you to use if you want to publish in your own repository + Writing /usr/share/rpki/ca.crl + Writing /usr/share/rpki/rootd.key + Writing /usr/share/rpki/rootd.cer + Writing /usr/share/rpki/child.cer + + +The root instance will need a repository, so it should accept its own offer +made above + + + + rpkic> configure_publication_client /usr/share/rpki/testCA.testCA.repository-request.xml + This looks like an offer, checking + This client's parent is rootd + Don't know where to nest this client, defaulting to top-level + Client calls itself 'testCA', we call it 'testCA' + Client says its parent handle is 'testCA' + Wrote /usr/share/rpki/testCA.repository-response.xml + Send this file back to the publication client you just configured + + +And then configure the repository using the response + + + + rpkic> configure_repository /usr/share/rpki/testCA.repository-response.xml + Repository calls us 'testCA' + Repository response associated with parent_handle 'testCA' + rpkic> + + +You can see if it is publishing + + + + ls -l /usr/share/rpki/publication + total 16 + -rw-r--r-- 1 root root 433 Aug 7 07:38 root.crl + -rw-r--r-- 1 root root 1747 Aug 7 07:38 root.mft + drwxr-xr-x 2 root root 4096 Aug 7 07:38 testCA/ + -rw-r--r-- 1 root root 1219 Aug 7 07:38 testCA.cer + + +### The GUI Should Now Work + +One simple test is to try the GUI. But first you need to set up the GUI +superuser password. [ insert lecture on strong passwords ] + + + + rpki-manage createsuperuser + Username (leave blank to use 'root'): + Email address: randy@psg.com + Password: + Password (again): + Superuser created successfully. + + +and write it down somewhere safe. + +Then you can point your browser at `https://test.dfw.rg.net`, and you should +see the login page. Enter the user 'root' and the password from +createsuperuser above. This should take you to testCA's dashboard. For some +reason, it often comes up with no resources; so push the Refresh button, and +it should show that you own the whole Internet! + + [1]: http://www.rfc-editor.org/rfc/rfc6810.txt + |