path: root/doc/wiki-dump/doc%2FRPKI%2Fdoc%2FRPKI%2FInstallation%2FUbuntuRP.md
Ubuntu trusty 14.04 RPKI Relying Party Cache Install

Given a running Ubuntu 14.04 server, this should take ten minutes.

Ingredients

You can start with the following:

  • A small VM, 4GB disk, 512MB RAM, one processor
  • Ubuntu 14.04 i386 server version
  • opensshd, and
  • Emacs, of course

I am lazy and log in as root as pretty much everything I do is going to require being root. If you like sudo, then just prefix a lot with it.

This example uses apt-get. If you prefer other tools, see the more detailed page, https://trac.rpki.net/wiki/doc/RPKI/Installation/DebianPackages.

Install the Basic RPKI RP Software

You should only need to perform these steps once for any particular machine.

Add the GPG public key for this repository (optional, but without it APT cannot verify the repository's package signatures and will complain that the packages cannot be authenticated):

wget -q -O - http://download.rpki.net/APT/apt-gpg-key.asc | sudo apt-key add -

Configure APT to use this repository (for Ubuntu Trusty systems):

wget -q -O /etc/apt/sources.list.d/rpki.list http://download.rpki.net/APT/rpki.trusty.list

Update available packages:

apt-get update

Install the software:

apt-get install rpki-rp

Minimal Configuration

This example install uses the server hostname test.dfw.rg.net. Any use of that hostname below will have to be replaced with your host's name, of course.

Relying Party - rcynic

The RP (Relying Party) software should have installed and should be running. You can test it by browsing to https://test.dfw.rg.net/rcynic/. It uses a self-signed TLS certificate; you can be lazy and decide to accept it as opposed to installing a real one generated from your own TLS CA; your call.

The rcynic web page has not populated yet because the cron job that populates it is generated for a socially polite cache, one that fetches only once an hour.

test.dfw.rg.net:/root# crontab -u rcynic -l
MAILTO=root
49 * * * *      exec /usr/bin/rcynic-cron

Do not change this now as it would place an asocial load on the global RPKI.

If you plan to use the rpki-rtr protocol to feed a router from the RP cache you just installed, check /etc/xinetd.d/rpki-rtr to be sure the port number is 323, the IANA-assigned port, as opposed to some old hacks that were used pre-RFC 6810.

cat /etc/xinetd.d/rpki-rtr
service rpki-rtr
{
    type           = UNLISTED
    flags          = IPv4
    socket_type    = stream
    protocol       = tcp
    port           = 323
    wait           = no
    user           = rpkirtr
    server         = /usr/bin/rpki-rtr
    server_args    = server /var/rcynic/rpki-rtr
}
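The two settings the page asks you to eyeball by hand, the hourly rcynic crontab line and the rpki-rtr port in /etc/xinetd.d/rpki-rtr, can be checked with a short script. The following is an added example, not part of the original wiki page or the rpki.net project's own tooling; the function names, the scratch files and the sample inputs are assumptions constructed to mirror the page's output, and the script only reads the live /etc/xinetd.d/rpki-rtr if it happens to exist on the host.

```shell
#!/bin/sh
# Added example (not from the original wiki page or the rpki.net project):
# sanity-check the two settings the page asks you to look at by hand, the
# rpki-rtr port in an xinetd service file and the hourly rcynic crontab line.

# Print the port configured in the xinetd service file named by $1, tolerating
# xinetd's "key   = value" spacing. Prints nothing if no port line exists.
xinetd_port() {
    sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only if the file binds the IANA-assigned rpki-rtr port, 323 (RFC 6810).
check_rtr_port() {
    [ "$(xinetd_port "$1")" = "323" ]
}

# Given one crontab line, print how many times a day it fires for the shapes
# that matter here: "M * * * *" (once an hour) gives 24, "* * * * *" gives 1440,
# anything else (MAILTO lines, step schedules) gives 0 so that it stands out.
cron_runs_per_day() {
    printf '%s\n' "$1" | awk '
        $2 == "*" && $1 ~ /^[0-9]+$/ { print 24; next }
        $1 == "*" && $2 == "*"       { print 1440; next }
                                     { print 0 }'
}

# Constructed sample inputs mirroring the page, written to a scratch directory
# that is removed when the script exits.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/rpki-rtr.good" <<'EOF'
service rpki-rtr
{
    type           = UNLISTED
    socket_type    = stream
    protocol       = tcp
    port           = 323
    user           = rpkirtr
    server         = /usr/bin/rpki-rtr
}
EOF
# Same file with a different, constructed port number (42420 is made up for
# the example) to show the check failing.
sed 's/= 323/= 42420/' "$SAMPLE_DIR/rpki-rtr.good" > "$SAMPLE_DIR/rpki-rtr.bad"

# Exercise the checks on the samples, then on the live host if the file exists.
for f in "$SAMPLE_DIR/rpki-rtr.good" "$SAMPLE_DIR/rpki-rtr.bad" /etc/xinetd.d/rpki-rtr; do
    [ -r "$f" ] || continue
    if check_rtr_port "$f"; then
        echo "$f: port 323, as RFC 6810 assigns"
    else
        echo "$f: port '$(xinetd_port "$f")' is not 323; fix before pointing a router at it"
    fi
done

# The crontab line from the page, as rcynic-cron installs it.
RCYNIC_CRON='49 * * * *      exec /usr/bin/rcynic-cron'
echo "rcynic cron line fires $(cron_runs_per_day "$RCYNIC_CRON") times a day (24 is the polite default)"
```

Run it as any user to check the sample files; run it as root on the freshly installed host to also read the real xinetd file. A result other than 323 for the rpki-rtr port, or other than 24 for the rcynic line, is what the page tells you to go and fix by hand.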

The configuration for rcynic is in /etc/rcynic.conf. Note that it says to use the trust anchors in the directory /etc/rpki/trust-anchors. As you intend to install the created root instance's trust anchor there, try to remember how to find it.

That's it!