1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
[[PageOutline]]
[[TracNav(doc/RPKI/TOC)]]
= Ubuntu trusty 14.04 RPKI Relying Party Cache Install =
Given a running Ubuntu 14.04 server, this should take ten minutes.
== Ingredients ==
You can start with the following:
* A small VM, 4GB disk, 512MB RAM, one processor
* Ubuntu 14.04 i386 server version
* opensshd, and
* Emacs, of course
I am lazy and log in as root as pretty much everything I do is going to
require being root. If you like sudo, then just prefix a lot with it.
This example uses apt-get. If you prefer other tools, see the more
detailed page,
https://trac.rpki.net/wiki/doc/RPKI/Installation/DebianPackages.
== Install the Basic RPKI RP Software ==
You should only need to perform these steps once for any particular
machine.
Add the GPG public key for this repository (optional, but APT will whine
unless you do this):
{{{
wget -q -O - http://download.rpki.net/APT/apt-gpg-key.asc | sudo apt-key add -
}}}
Configure APT to use this repository (for Ubuntu Trusty systems):
{{{
wget -q -O /etc/apt/sources.list.d/rpki.list http://download.rpki.net/APT/rpki.trusty.list
}}}
Update available packages:
{{{
apt-get update
}}}
Install the software:
{{{
apt-get install rpki-rp
}}}
== Minimal Configuration ==
This example install uses the server hostname `test.dfw.rg.net`. Any
use of that hostname below will have to be replaced with your host's
name, of course.
=== Relying Party - rcynic ===
The RP (Relying Party) software should have installed and should be
running. You can test it by browsing to
https://test.dfw.rg.net/rcynic/. It uses a self-signed TLS certificate;
you can be lazy and decided to accept it as opposed to installing a real
one generated from from your own TLS CA; your call.
The rcynic web page had not populated yet because the cron job to
populate is generated for a socially polite cache which fetches once an
hour.
{{{
test.dfw.rg.net:/root# crontab -u rcynic -l
MAILTO=root
49 * * * * exec /usr/bin/rcynic-cron
}}}
Do not change this now as it would place an asocial load on the global
RPKI.
If you plan to use the rpki-rtr protocol to feed a router from the RP
cache you just installed, check `/etc/xinetd.d/rpki-rtr` to be sure the
port number is 323, the IANA assigned port, as opposed to some old hacks
that were used pre [http://www.rfc-editor.org/rfc/rfc6810.txt RFC 6810].
{{{
cat /etc/xinetd.d/rpki-rtr
service rpki-rtr
{
type = UNLISTED
flags = IPv4
socket_type = stream
protocol = tcp
port = 323
wait = no
user = rpkirtr
server = /usr/bin/rpki-rtr
server_args = server /var/rcynic/rpki-rtr
}
}}}
The configuration for rcynic is in `/etc/rcynic.conf`. Note that it
says to use the trust anchors in the directory
`/etc/rpki/trust-anchors`. As you intend to install the created root
instance's trust anchor there, try to remembered how to find it.
That's it!
|
