Install and test ConSec in 5 minutes - Contrail Security packages

The purpose of this package is to help bootstrapping the federation security services provided by Contrail packages.
The main problem of the packages is setting up necessary details like service certificates, initial service properties etc.
Scripts provided by this package install CA Server, OAuth AS Server, Federation API and DEMO java program that tests
all these services with simple scenario: gets OAuth token from the AS and queries CA Server for delegated certificate
with the OAuth token provided. These scripts asume that we install the packages on clean Ubuntu 12.04 server. We will update this package with additional services like Federation Web and IdP soon.

You can grab the installation package here: https://github.com/alescernivec/contrail-root-ca

Install the package:
# apt-get install git
# git clone https://github.com/alescernivec/contrail-root-ca.git
# cd contrail-root-ca

Usage

Take clean Ubuntu 12.04 image.

This will set up contrail testing repository - latest testing packages from Contrail:
# echo "deb http://contrail.ow2.org/repositories/binaries/testing/xUbuntu_12.04/ ./" >> /etc/apt/sources.list
# ### as an alternative (if upper does not work):
# echo "deb http://download.opensuse.org/repositories/home:/contrail:/testing/xUbuntu_12.04/ ./" >> /etc/apt/sources.list
# wget -O - http://contrail.ow2.org/repositories/contrail.pub | sudo apt-key add -
# apt-get update

This installs basic security packages and configures the keys, certificates and service packages. 

Voila, your ConSec is running!

Testing

How to test installed components? You should first install basic sec packages with "notest". After that, issue
# ./install.sh test

Now, navigate back to the checked out dir with oauth-java-client-demo maven project.

Ask for an oauth2 token for user  contrailuser :
$ /usr/share/contrail/oauth-client-cred-flow-demo/oauth-client-cred-flow-demo.sh getToken caa6e102-8ff0-400f-a120-23149326a936

If you get an error, something is missconfigured.

You should get something similar to:

Now, get the cert:

Of course, change the token UUID with the one obtained in the step before.

You should get the delegated certificate indicating everything works!

Details

Basic contrail security services consist of:

• contrail-ca-server Contrail CA Server
• contrail-federation-api Contrail Federation API
• contrail-federation-db Contrail Federation Database
• contrail-oauth-as Contrail Oauth AS
• contrail-security-commons Contrail Security Commons

List of services that are provided with the certificates:

• contrail-ca-server
• contrail-oauth-as
• contrail-federation-api
• contrail-federation-web

Troubleshooting

# Problems when generating certificates

If you get this:
Adding contrail-federation-id-prov-support's cert to truststore
unable to load certificate
139844895221408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
keytool error: java.lang.Exception: Certificate not imported, alias <contrail-federation-id-prov-support> already exists
Adding ROOT CA's cert to the truststore
keytool error: java.lang.Exception: Certificate not imported, alias <rootCa> already exists

issue 

With that, RootCA is cleaned and certificates are regenerated. Now, try again with the whole installation. You should be fine.

Problems when patching files

If you get messages like

for any service, just answer "no"  and you should be fine. File has already been patches.

If something is wrong with Keystore

This should return 6 entries

List of certificates and locations (for each service):

Internal CA usage

You do not need to read this if you do not care about the details on how the keys and certs are generated.

Demonstrates how to create everything you need for signing e.g. host certificates by using exising CA cert and key files.

First, generate what you need for the CA to work. Navigate to some empty directory and issue:
./bin/create_ca.sh
This creates all neccessary keys, certs, keystores, truststores:
./bin/create_service_certs.sh
To clean up:
./bin/clean.sh

More details

You do not need to read this if you do not care about the details on how the keys and certs are generated.

Example follows on how to sign the CSR. in takes path to the server's CSR, out takes output to the new cervers cert (signed one). keyfile points to root CA's key, cert points to the root CA's certificate.
openssl ca -config CARoot/ca.conf -in ../ca-server-csr.pem -out ../ca-server-cert.pem -keyfile /var/lib/contrail/ca-server/rootca-key.pem -cert /var/lib/contrail/ca-server/rootca-cert.pem -verbose -batch

An example on how to check the newly generated cert:
openssl x509 -text -in ../ca-server-cert.pem -noout

Example how to revoke some cert:
openssl ca -revoke ./CARoot/ca.db.certs/01.pem -config CARoot/ca.conf -keyfile /var/lib/contrail/ca-server/rootca-key.pem -cert /var/lib/contrail/ca-server/rootca-cert.pem -verbose

And just for fun, example how to generate pkcs12 file:
 openssl pkcs12 -export -in ca-server-cert.pem -inkey ca-server-key.pem -CAfile /tmp/all-ca-certs.pem -out /var/lib/contrail/ca-server/ks.p12 -caname root -chain

Quick install of the web portal

Spin up some Debian Squeeze or Ubuntu 12.04 VM.

I assume we are working with Ubuntu 12.04 with an IP of  10.1.0.10  . Add apt sources:

Now, install  contrail-federation  packages:

On host machine from which you whish to test the portal, add this into your  /etc/hosts . Remember the IP of the federation node  ( 10.1.0.10 ).

Now, on the host's web browser, navigate to https://contrail-federation-web.contrail.eu . You will be presented with the choice of Id providers to authenticate with. Choose  Log in with Contrail DB  and enter username, password:  contrailuser ,  password  or  admin ,  password  or  coordinator ,   password . These credentials will work for  contrail user ,  contrail administrator  and  contrail coordinator .

For setting up advanced feature, please follow next sections.

Note: If you would like to authenticate against Shibboleth testshib, you will need to add metadata of  multi.contrail-idp.contrail.eu  to testshib portal. Else you will get this error message:

Setting up the services

Prerequisites

Assuming you will install 

• Federation-web portal (contrail-federation-web)
• Federation-api (contrail-federation-api)
• Authorization Server - AS (contrail-oauth-as)
• Identity Provider - IdP (contrail-id-prov-support)
• Certificate Authority - CA (contrail-ca-server)

on one machine (as simplest installation and with minimum requirements), you will need at least two entries in the DNS zones file to resolve the host via HTTPS with installed components:

• The host: portal.<host>.<domain>
• the IdP (multi.<host>.<domain>) 
• The portal (portal. <host>.<domain>) 

Since the OAuth-AS and CA server are internal components, these can listen on the port 8443 (tomcat). In the further examples we will assume <host>.<domain> = contrail.xlab.si. The list of ports you will need is: 

• HTTP (not so important), 
• HTTPS (the portal and the IdP), 
• 8443 (oauth-as, CA server), 
• 8444 (the demo OAuth application needed to test the OAuth, IdP and the CA).

Federation API

Federation API is the central database for the federation. It holds information about Contrail users, user applications, supported clouds, physical resources, etc. 

Installation

You will be prompted by the installer for the root/pwd of the MySQL database. Remember the uname/password of the admin user since other packages (e.g.  contrail-oauth-as ) will prompt you for the credentials.

The IdP

Installation

Location:

 https://multi.contrail.xlab.si/simplesaml 

Adding OAuthAS as an SP

In order to use OAuth-AS we will need a working IdP first. Install the package contrail-federation-id-prov-support. It contains the installation of the IdP (SimpleSAMLphp). The installation does install apache script for you but you will need to modify the certificate part if you use other certificates (not the one provided by the package). Demo certificates of the IdP reside under  /usr/share/simplesamlphp-1.9.0/certs . Metadata will change with different certificates. Moreover, you will need to update the  saml20-sp-remote.xml  (under  /usr/share/simplesamlphp-1.9.0/metadata ) of the IdP to recognize your OAuth-AS (working as an SP):

To get IdP’s metadata, navigate to https://multi.contrail.xlab.si/simplesaml/saml2/idp/metadata.php  (use your URI). Use the SAML2.0 metadata and copy these under OAuthAS  saml-metadata.xml  file). An example is given here . Now, after the installation, you should navigate to the URI of the IdP to test the installation. You should be able to log-in via the IdP using Contrail DB authentication source (it just returns some of the attributes). 

Adding Web Portal as an SP

Edit /etc/contrail/contrail-federation-web/federation-web.conf to resemble something linke this:

The important are  SSL_USE_DELEGATED_USER_CERT , MULTI_IDP_FEDERATION ,  OAUTH2_AS_URI  and  ONLINE_OAUTH2_CA_US , ONLINE_OAUTH2_CA_URI .

Check that URIs correspond to your URIs.

Also, copy the IdP's metadata ( https://multi.contrail.xlab.si/simplesaml/saml2/idp/metadata.php ) to the location of  FEDERATION_WEB_LOCAL_METADATA . It should resemble to this: