1 files changed, 354 insertions, 0 deletions

diff --git a/doc/wiki-dump/doc%2FRPKI%2Fdoc%2FRPKI%2FInstallation%2FUbuntuRootd b/doc/wiki-dump/doc%2FRPKI%2Fdoc%2FRPKI%2FInstallation%2FUbuntuRootd
new file mode 100644
index 00000000..d877621c
--- /dev/null
+++ b/doc/wiki-dump/doc%2FRPKI%2Fdoc%2FRPKI%2FInstallation%2FUbuntuRootd
@@ -0,0 +1,354 @@
+[[PageOutline]]

+

+[[TracNav(doc/RPKI/TOC)]]

+

+= Ubuntu trusty 14.04 RPKI Install with rootd =

+

+Given a running Ubuntu 14.04 server, this should take an hour or

+less.

+

+== Rationale ==

+

+Due to the ravages of time and the business of hackers, documentation of

+the arcane process of installing the RPKI CA software has not kept as

+current as it might.  Additionally, back in the day, we thought that

+installing a root instance would be exceedingly rare, so tools and

+documentation of that process are poor.  This page attempts to patch

+that pothole.

+

+Many users will be happy installing a rootless CA instance.  This page

+may still help them as it puts everything in one place; just skip the

+root parts.

+

+But a root instance turns out to be very helpful for:

+* Experimenting, where one does not want to mess up the global RPKI

+* Certifying use of RFC1918 and other private spaces

+* Running private environments

+

+== Prerequisites ==

+

+You can start with the following:

+* A small VM, 4GB disk, 512MB RAM, one processor

+* Ubuntu 14.04 i386 server version

+* opensshd, and

+* Emacs, of course

+

+I am lazy and log in as root as pretty much everything I do is going to

+require being root.  If you like sudo, then just prefix a lot with it.

+

+This example uses apt-get.  If you prefer other tools, see the more

+detailed page,

+https://trac.rpki.net/wiki/doc/RPKI/Installation/DebianPackages.

+

+== Install the Basic RPKI CA and RP Software ==

+

+You should only need to perform these steps once for any particular

+machine.

+

+Add the GPG public key for this repository (optional, but APT will whine

+unless you do this): 

+{{{

+wget -q -O - http://download.rpki.net/APT/apt-gpg-key.asc | sudo apt-key add -

+}}}

+

+Configure APT to use this repository (for Ubuntu Trusty systems):

+{{{

+wget -q -O /etc/apt/sources.list.d/rpki.list http://download.rpki.net/APT/rpki.trusty.list

+}}}

+

+Update available packages:

+{{{

+apt-get update

+}}}

+

+Install the software:

+{{{

+apt-get install rpki-rp rpki-ca

+}}}

+

+You will be prompted to enter

+{{{

+New password for the MySQL "root" user:

+}}}

+This will be the password for root@localhost on the MySQL server.  Make

+one up, save it somewhere safe, and enter it twice.  [ insert lecture on

+strong passwords. ]

+

+== Minimal Configuration ==

+

+This example install uses the server hostname `test.dfw.rg.net`.  Any

+use of that hostname below will have to be replaced with your host's

+name, of course.

+

+=== Relying Party - rcynic ===

+

+The RP (Relying Party) software should have installed and should be

+running.  You can test it by browsing to

+https://test.dfw.rg.net/rcynic/.  It uses a self-signed TLS certificate;

+you can be lazy and decided to accept it as opposed to installing a real

+one generated from from your own TLS CA; your call.

+

+The rcynic web page had not populated yet because the cron job to

+populate is generated for a socially polite cache which fetches once an

+hour.

+{{{

+test.dfw.rg.net:/root# crontab -u rcynic -l

+MAILTO=root

+49 * * * *      exec /usr/bin/rcynic-cron

+}}}

+Do not change this now as it would place an asocial load on the global

+RPKI.

+

+If you plan to use the rpki-rtr protocol to feed a router from the RP

+cache you just installed, check `/etc/xinetd.d/rpki-rtr` to be sure the

+port number is 323, the IANA assigned port, as opposed to some old hacks

+that were used pre [http://www.rfc-editor.org/rfc/rfc6810.txt RFC 6810].

+{{{

+cat /etc/xinetd.d/rpki-rtr

+service rpki-rtr

+{

+    type           = UNLISTED

+    flags          = IPv4

+    socket_type    = stream

+    protocol       = tcp

+    port           = 323

+    wait           = no

+    user           = rpkirtr

+    server         = /usr/bin/rpki-rtr

+    server_args    = server /var/rcynic/rpki-rtr

+}

+}}}

+

+The configuration for rcynic is in `/etc/rcynic.conf`.  Note that it

+says to use the trust anchors in the directory

+`/etc/rpki/trust-anchors`.  As you intend to install the created root

+instance's trust anchor there, try to remembered how to find it.

+

+=== CA Configuration - rpki.conf ===

+

+`/etc/rpki.conf` is the core configuration file for the CA.  You need to

+make very minimal changes.  If you want an explanation for all the

+options, go to https://trac.rpki.net/wiki/doc/RPKI/CA/Configuration.

+Get coffee first.

+

+`handle` is generated as `test_dfw_rg_net`.  You may want to change it

+to something more intuitive such as `testCA`.  You do not really need to

+do this, but let's assume you do.

+

+`run_rootd` was generated as `no` because most folk do not want to run

+rootd.  But if you intend to have the rootd part of this exercise,

+change it to `yes`.

+

+Observe that the `publication_base_directory` expands/decodes to

+`/usr/share/rpki/publication`.  Similarly, `bpki_servers_directory`

+decodes to `/usr/share/rpki`.

+

+That is it for configuration or `/etc/rpki.conf`!

+

+=== Creating a Root Certificate ===

+

+At this point, you may want to

+{{{

+cd /usr/share/rpki

+}}}

+so that everything is in one place; otherwise it is easy to get

+confused.

+

+If you intend to run a root CA, i.e. run rootd, you need to create a

+root certificate with all possible resources, i.e.\\

+ASs 0-4294967295,\\

+0.0.0.0/0, and\\

+0::/0

+

+sra made a great hack to do this, so you so not have to go through all

+the arcane (and not working for me) instructions on

+https://trac.rpki.net/wiki/doc/RPKI/CA/Configuration/CreatingRoot

+

+{{{

+wget https://subvert-rpki.hactrn.net/trunk/potpourri/generate-root-certificate --no-check-certificate

+}}}

+And then

+{{{

+python generate-root-certificate 

+}}}

+

+This should give you

+{{{

+/usr/share/rpki# ls -l root.*

+-rw-r--r-- 1 root root 1056 Aug  7 06:55 root.cer

+-rw-r--r-- 1 root root 1194 Aug  7 06:55 root.key

+-rw-r--r-- 1 root root  439 Aug  7 06:55 root.tal

+}}}

+

+For security considerations, the root certificate really should not be

+in the publication point.  And the script does not make a stash for it.

+so you should make and use one.

+{{{

+mkdir /usr/share/rpki/publication.root

+rsync root.cer /usr/share/rpki/publication.root

+}}}

+

+Remember that RP software runs from the trust anchors in

+`/etc/rpki/trust-anchors`.  In this example, you want the root to be the

+only trust anchor, so

+{{{

+rm /etc/rpki/trust-anchors/*

+rsync root.tal /etc/rpki/trust-anchors/TestRoot.tal

+}}}

+

+And now it it safe to hack rcynic's crontab to be frequent

+{{{

+crontab -u rcynic -l

+MAILTO=root

+*/10 * * * *    exec /usr/bin/rcynic-cron

+}}}

+

+=== rsyncd Configuration ===

+

+Next, you want to get the rsync daemon working.  First you need to tell

+the rsync daemon what it should serve.  Remember that we decided to

+serve root and data separately.  So configure `/etc/rsyncd.conf` as

+follows: 

+{{{

+cat > /etc/rsyncd.conf << EOF

+uid             = nobody

+gid             = rcynic

+

+[root]

+    use chroot          = no

+    read only           = yes

+    transfer logging    = yes

+    path                = /usr/share/rpki/publication.root

+    comment             = ROOT publication

+

+[rpki]

+    use chroot          = no

+    read only           = yes

+    transfer logging    = yes

+    path                = /usr/share/rpki/publication

+    comment             = RPKI publication

+EOF

+}}}

+

+Then tell xinetd to run the rsync deamon when asked and then to restart

+xinetd

+{{{

+cat > /etc/xinetd.d/rsync << EOF

+service rsync

+{

+    disable         = no

+    socket_type     = stream

+    port            = 873

+    protocol        = tcp

+    wait            = no

+    user            = root

+    server          = /usr/bin/rsync

+    server_args     = --daemon

+    log_on_failure  += USERID

+}

+EOF

+service xinetd restart

+}}}

+

+It is recommended that you test it from a remote system

+{{{

+rsync rsync://test.dfw.rg.net/root/root.cer

+-rw-r--r--        1056 2015/08/07 16:28:10 root.cer

+}}}

+

+== CA Data Initialization ==

+

+The remaining configuration was done using the RPKI software itself.

+

+=== Starting Services ===

+

+Before configuring the CA daemon and database, you should first restart the

+daemons.

+{{{

+service rpki-ca restart

+}}}

+You should see all four daemons running

+{{{

+/bin/ps axu | grep rpki.conf | grep -v grep

+root      1541  0.1  4.0  42244 20580 ?        Ss   Aug07   2:15 /usr/bin/python /usr/lib/rpki/irdbd --config /etc/rpki.conf --log-level warning --log-syslog daemon

+root      1543  0.1  2.8  35144 14232 ?        Ss   Aug07   3:37 /usr/bin/python /usr/lib/rpki/rpkid --config /etc/rpki.conf --log-level warning --log-syslog daemon

+root      1546  0.0  1.9  33584  9780 ?        Ss   Aug07   0:00 /usr/bin/python /usr/lib/rpki/pubd --config /etc/rpki.conf --log-level warning --log-syslog daemon

+root      1559  0.0  1.8  24496  9608 ?        Ss   Aug07   0:22 /usr/bin/python /usr/lib/rpki/rootd --config /etc/rpki.conf --log-level warning --log-syslog daemon

+}}}

+

+=== Initializing the CA ===

+

+The command utility, `rpkic` is a CLI for dealing with the CA.  This

+example uses it instead of the GUI, especially for initial setup, as it

+is easier to copy and paste into a wiki.  The CLI has tab completion,

+and the other features offered by readline().

+

+rpkic has the concept of the current identity.  Initially, it starts

+with the identity from the handle in `/etc/rpki.conf`, testCA in this

+example

+{{{

+rpkic

+rpkic> 

+}}}

+

+Before you do anything else, you need to initialize the CA.

+{{{

+rpkic> initialize

+Wrote /usr/share/rpki/testCA.testCA.repository-request.xml

+This is the "repository offer" file for you to use if you want to publish in your own repository

+Writing /usr/share/rpki/ca.crl

+Writing /usr/share/rpki/rootd.key

+Writing /usr/share/rpki/rootd.cer

+Writing /usr/share/rpki/child.cer

+}}}

+

+The root instance will need a repository, so it should accept its own

+offer made above

+{{{

+rpkic> configure_publication_client /usr/share/rpki/testCA.testCA.repository-request.xml

+This looks like an offer, checking

+This client's parent is rootd

+Don't know where to nest this client, defaulting to top-level

+Client calls itself 'testCA', we call it 'testCA'

+Client says its parent handle is 'testCA'

+Wrote /usr/share/rpki/testCA.repository-response.xml

+Send this file back to the publication client you just configured

+}}}

+

+And then configure the repository using the response

+{{{

+rpkic> configure_repository /usr/share/rpki/testCA.repository-response.xml

+Repository calls us 'testCA'

+Repository response associated with parent_handle 'testCA'

+rpkic> 

+}}}

+

+You can  see if it is publishing

+{{{

+ls -l /usr/share/rpki/publication

+total 16

+-rw-r--r-- 1 root root  433 Aug  7 07:38 root.crl

+-rw-r--r-- 1 root root 1747 Aug  7 07:38 root.mft

+drwxr-xr-x 2 root root 4096 Aug  7 07:38 testCA/

+-rw-r--r-- 1 root root 1219 Aug  7 07:38 testCA.cer

+}}}

+

+=== The GUI Should Now Work ===

+

+One simple test is to try the GUI.  But first you need to set up the GUI

+superuser password.  [ insert lecture on strong passwords ]

+{{{

+rpki-manage createsuperuser

+Username (leave blank to use 'root'): 

+Email address: randy@psg.com

+Password: 

+Password (again): 

+Superuser created successfully.

+}}}

+and write it down somewhere safe.

+

+Then you can point your browser at `https://test.dfw.rg.net`, and you

+should see the login page.  Enter the user 'root' and the password from

+createsuperuser above.  This should take you to testCA's dashboard.  For

+some reason, it often comes up with no resources; so push the Refresh

+button, and it should show that you own the whole Internet!