Installation of Contrail Security Services
Install and test ConSec in 5 minutes - Contrail Security packages
The purpose of this package is to help bootstrap the federation security services provided by the Contrail packages.
The main difficulty with the packages is setting up the necessary details such as service certificates, initial service properties, etc.
The scripts provided by this package install the CA Server, the OAuth AS Server, the Federation API and a DEMO Java program that tests
all these services with a simple scenario: it gets an OAuth token from the AS and queries the CA Server for a delegated certificate
using that OAuth token. These scripts assume that the packages are installed on a clean Ubuntu 12.04 server. We will update this package with additional services like Federation Web and IdP soon.
You can grab the installation package here: https://github.com/alescernivec/contrail-root-ca
Install the package:
# apt-get install git
# git clone https://github.com/alescernivec/contrail-root-ca.git
# cd contrail-root-ca
Usage
Take a clean Ubuntu 12.04 image.
This sets up the Contrail testing repository (the latest testing packages from Contrail):
# echo "deb http://contrail.ow2.org/repositories/binaries/testing/xUbuntu_12.04/ ./" >> /etc/apt/sources.list
# ### as an alternative (if the above does not work):
# echo "deb http://download.opensuse.org/repositories/home:/contrail:/testing/xUbuntu_12.04/ ./" >> /etc/apt/sources.list
# wget -O - http://contrail.ow2.org/repositories/contrail.pub | sudo apt-key add -
# apt-get update
This installs the basic security packages and configures the keys, certificates and service packages.
Voila, your ConSec is running!
Testing
How do you test the installed components? First install the basic security packages with "notest". After that, issue
# ./install.sh test
Now, navigate back to the checked-out directory with the oauth-java-client-demo Maven project.
Ask for an OAuth2 token for the user contrailuser:
$ /usr/share/contrail/oauth-client-cred-flow-demo/oauth-client-cred-flow-demo.sh getToken caa6e102-8ff0-400f-a120-23149326a936
If you get an error, something is misconfigured.
You should get something similar to:
Received access token: 965ec95f-9d51-3561-945f-ed9ad831663c
Now, get the cert:
Of course, replace the token UUID with the one obtained in the previous step.
You should get the delegated certificate, indicating that everything works!
Details
The basic Contrail security services consist of:
- contrail-ca-server Contrail CA Server
- contrail-federation-api Contrail Federation API
- contrail-federation-db Contrail Federation Database
- contrail-oauth-as Contrail Oauth AS
- contrail-security-commons Contrail Security Commons
List of services that are provided with the certificates:
- contrail-ca-server
- contrail-oauth-as
- contrail-federation-api
- contrail-federation-web
Troubleshooting
Problems when generating certificates
If you get this:
Adding contrail-federation-id-prov-support's cert to truststore
unable to load certificate
139844895221408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
keytool error: java.lang.Exception: Certificate not imported, alias <contrail-federation-id-prov-support> already exists
Adding ROOT CA's cert to the truststore
keytool error: java.lang.Exception: Certificate not imported, alias <rootCa> already exists
issue
With that, the RootCA is cleaned and the certificates are regenerated. Now try the whole installation again. You should be fine.
Problems when patching files
If you get messages like
Reversed (or previously applied) patch detected! Assume -R? [n]
for any service, just answer "no" and you should be fine. The file has already been patched.
If something is wrong with the keystore
This should return 6 entries:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 6 entries
contrail-ca-server, Nov 18, 2013, trustedCertEntry,
Certificate fingerprint (MD5): B1:FB:22:9A:99:BA:3B:17:E0:CF:5A:C0:25:36:CA:04
rootca, Nov 18, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 66:F7:3C:4A:33:4C:7D:FE:5D:86:2D:18:2E:79:B8:07
contrail-federation-web, Nov 18, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 52:2C:C9:75:4C:CA:6F:18:72:F9:B9:48:DD:A5:DB:FA
contrail-federation-api, Nov 18, 2013, trustedCertEntry,
Certificate fingerprint (MD5): F0:69:67:92:25:75:CD:44:48:8E:AF:1D:B3:AD:72:34
oauth-java-client-demo, Nov 18, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 92:06:3D:3C:A9:EB:D5:33:8A:96:C7:5F:34:18:88:F3
contrail-oauth-as, Nov 18, 2013, trustedCertEntry,
Certificate fingerprint (MD5): C9:92:87:FE:05:C1:F9:AB:FA:A7:33:39:79:7E:C3:6F
List of certificates and locations (for each service):
/etc/tomcat6/$SERVICE/$SERVICE.jks
/etc/tomcat6/$SERVICE/$SERVICE.pkcs12
Internal CA usage
You do not need to read this if you do not care about the details of how the keys and certs are generated.
This demonstrates how to create everything you need for signing, e.g. host certificates, using existing CA cert and key files.
First, generate what you need for the CA to work. Navigate to some empty directory and issue:
./bin/create_ca.sh
This creates all the necessary keys, certs, keystores and truststores:
./bin/create_service_certs.sh
To clean up:
./bin/clean.sh
More details
An example follows of how to sign a CSR. -in takes the path to the server's CSR, -out the path where the new server cert (the signed one) is written. -keyfile points to the root CA's key, -cert to the root CA's certificate.
openssl ca -config CARoot/ca.conf -in ../ca-server-csr.pem -out ../ca-server-cert.pem -keyfile /var/lib/contrail/ca-server/rootca-key.pem -cert /var/lib/contrail/ca-server/rootca-cert.pem -verbose -batch
An example of how to check the newly generated cert:
openssl x509 -text -in ../ca-server-cert.pem -noout
An example of how to revoke a cert:
openssl ca -revoke ./CARoot/ca.db.certs/01.pem -config CARoot/ca.conf -keyfile /var/lib/contrail/ca-server/rootca-key.pem -cert /var/lib/contrail/ca-server/rootca-cert.pem -verbose
And, just for fun, an example of how to generate a PKCS#12 file:
openssl pkcs12 -export -in ca-server-cert.pem -inkey ca-server-key.pem -CAfile /tmp/all-ca-certs.pem -out /var/lib/contrail/ca-server/ks.p12 -caname root -chain
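The signing, check, revoke and PKCS#12 commands of the "Internal CA usage" and "More details" sections, carried through end to end as an added example that is not part of this package: it builds a constructed test root CA (rootca-key.pem/rootca-cert.pem, not the package's real ones under /var/lib/contrail/ca-server) and a minimal CARoot/ca.conf, since the package's own ca.conf is not shown here. Call run_ca_demo with an empty directory; it needs only openssl.

```shell
# Added demo, not the contrail-root-ca scripts: builds a throwaway root CA in directory $1,
# signs a server CSR with `openssl ca`, then runs the check, revoke and PKCS#12 steps from the text.
run_ca_demo() (
  set -e
  cd "$1"
  mkdir -p CARoot/ca.db.certs && touch CARoot/ca.db.index && echo 01 > CARoot/ca.db.serial
  cat > CARoot/ca.conf <<'EOF'
[ ca ]
default_ca = contrail_root
[ contrail_root ]
dir = ./CARoot
database = $dir/ca.db.index
new_certs_dir = $dir/ca.db.certs
serial = $dir/ca.db.serial
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = server_ext
[ policy_any ]
commonName = supplied
[ root_ext ]
basicConstraints = critical, CA:TRUE
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = dn
[ dn ]
EOF
  # Root CA key and self-signed cert (a constructed test CA, not the package's real rootca-*.pem)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout rootca-key.pem -out rootca-cert.pem \
    -subj "/CN=Contrail Test Root CA" -days 365 -extensions root_ext -config CARoot/ca.conf 2>/dev/null
  # Server key + CSR, then sign it as in the text (-in CSR, -out new cert, -keyfile/-cert = root CA)
  openssl req -new -newkey rsa:2048 -nodes -keyout ca-server-key.pem -out ca-server-csr.pem \
    -subj "/CN=ca-server.example.test" -config CARoot/ca.conf 2>/dev/null
  openssl ca -config CARoot/ca.conf -in ca-server-csr.pem -out ca-server-cert.pem \
    -keyfile rootca-key.pem -cert rootca-cert.pem -batch
  # Check: the new cert chains to the root and is an end-entity cert, not a CA
  openssl verify -CAfile rootca-cert.pem ca-server-cert.pem
  openssl x509 -text -in ca-server-cert.pem -noout | grep -q 'CA:FALSE'
  # Revoke serial 01 (the copy openssl ca stored in ca.db.certs) and confirm the index flags it R
  openssl ca -config CARoot/ca.conf -revoke CARoot/ca.db.certs/01.pem \
    -keyfile rootca-key.pem -cert rootca-cert.pem
  grep -q '^R' CARoot/ca.db.index
  # Bundle key, cert and chain for Tomcat (demo export password; choose a real one in production)
  openssl pkcs12 -export -in ca-server-cert.pem -inkey ca-server-key.pem \
    -CAfile rootca-cert.pem -chain -caname root -out ks.p12 -passout pass:changeit
  openssl pkcs12 -in ks.p12 -passin pass:changeit -noout   # MAC check of the bundle
)
```

After it runs, CARoot/ca.db.index shows the signed certificate with status R, which is the state the page's revoke command leaves the real CA database in.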
Quick install of the web portal
Spin up a Debian Squeeze or Ubuntu 12.04 VM.
I assume we are working with Ubuntu 12.04 with an IP of 10.1.0.10. Add the apt sources:
wget -O - http://contrail.ow2.org/repositories/contrail.pub | sudo apt-key add -
sudo apt-get update
Now, install contrail-federation packages:
apt-get install -y contrail-federation contrail-federation-id-prov-support
On the host machine from which you wish to test the portal, add this to your /etc/hosts. Remember the IP of the federation node (10.1.0.10).
10.1.0.10 multi.contrail-idp.contrail.eu
Now, in the host's web browser, navigate to https://contrail-federation-web.contrail.eu. You will be presented with a choice of identity providers to authenticate with. Choose "Log in with Contrail DB" and enter a username and password: contrailuser / password, admin / password or coordinator / password. These credentials work for the Contrail user, the Contrail administrator and the Contrail coordinator respectively.
For setting up advanced features, please follow the next sections.
Note: If you would like to authenticate against Shibboleth TestShib, you will need to add the metadata of multi.contrail-idp.contrail.eu to the TestShib portal. Otherwise you will get this error message:
Setting up the services
Prerequisites
Assuming you will install
- Federation-web portal (contrail-federation-web)
- Federation-api (contrail-federation-api)
- Authorization Server - AS (contrail-oauth-as)
- Identity Provider - IdP (contrail-id-prov-support)
- Certificate Authority - CA (contrail-ca-server)
on one machine (the simplest installation, with minimum requirements), you will need at least two entries in the DNS zone file so that the installed components can be reached over HTTPS:
- The host: portal.<host>.<domain>
- the IdP (multi.<host>.<domain>)
- The portal (portal.<host>.<domain>)
Since the OAuth-AS and the CA server are internal components, they can listen on port 8443 (Tomcat). In the following examples we assume <host>.<domain> = contrail.xlab.si. The list of ports you will need is:
- HTTP (not so important),
- HTTPS (the portal and the IdP),
- 8443 (oauth-as, CA server),
- 8444 (the demo OAuth application needed to test the OAuth, IdP and the CA).
Federation API
Federation API is the central database for the federation. It holds information about Contrail users, user applications, supported clouds, physical resources, etc.
Installation
The installer will prompt you for the root password of the MySQL database. Remember the username/password of the admin user, since other packages (e.g. contrail-oauth-as) will prompt you for these credentials.
The IdP
Installation
Location:
https://multi.contrail.xlab.si/simplesaml
Adding OAuthAS as an SP
In order to use the OAuth-AS we first need a working IdP. Install the package contrail-federation-id-prov-support. It contains the installation of the IdP (SimpleSAMLphp). The installation installs the Apache script for you, but you will need to modify the certificate part if you use other certificates (not the ones provided by the package). Demo certificates of the IdP reside under /usr/share/simplesamlphp-1.9.0/certs. The metadata will change with different certificates. Moreover, you will need to update saml20-sp-remote.xml (under /usr/share/simplesamlphp-1.9.0/metadata) of the IdP so that it recognizes your OAuth-AS (acting as an SP):
'AssertionConsumerService' => 'https://contrail.xlab.si:8443/oauth-as/acs',
'SingleLogoutService' => 'https://contrail.xlab.si:8443/oauth-as/ls',
);
To get the IdP's metadata, navigate to https://multi.contrail.xlab.si/simplesaml/saml2/idp/metadata.php (use your own URI). Use the SAML 2.0 metadata and copy it into the OAuthAS saml-metadata.xml file. An example is given here. Now, after the installation, navigate to the URI of the IdP to test the installation. You should be able to log in via the IdP using the Contrail DB authentication source (it just returns some of the attributes).
Adding Web Portal as an SP
Edit /etc/contrail/contrail-federation-web/federation-web.conf to resemble something like this:
FEDERATION_API_URL = 'http://localhost:8080/federation-api'
SLA_EXTRACTOR_BASE = 'http://localhost:8080/rest-monitoring/sla/slaextractor'
MONITORING_BASE = 'http://localhost:8080/rest-monitoring/monitoring'
ZOOKEEPER_BASE = '127.0.0.1:2181'
ONLINE_CA_USE=False
ONLINE_CA_URI='https://one-test.contrail.rl.ac.uk:8443/ca/portaluser'
FEDERATION_WEB='https://portal.contrail.xlab.si'
FEDERATION_WEB_LOCAL_METADATA='/usr/lib/contrail/federation-web-branches/extra/remote_metadata.xml'
FEDERATION_WEB_CERT='/usr/lib/contrail/federation-web-branches/extra/oauth2/oauth-python-client-demo.pem'
FEDERATION_WEB_KEY='/usr/lib/contrail/federation-web-branches/extra/oauth2/oauth-python-client-demo.key'
FEDERATION_WEB_CA_FILE='/usr/lib/contrail/federation-web-branches/extra/ca.crt'
TRUSTSTORE_DIR = '/etc/contrail/truststore'
SSL_USE_DELEGATED_USER_CERT=True
MULTI_IDP_FEDERATION='https://multi.contrail.xlab.si'
FEDERATION_AUTH_ENDPOINT = FEDERATION_API_URL + '/usersutils/authenticate'
OAUTH2_AS_URI = 'https://contrail.xlab.si:8443'
ONLINE_OAUTH2_CA_USE=True
ONLINE_OAUTH2_CA_URI='https://contrail.xlab.si:8443/ca/o/delegateduser'
The important settings are SSL_USE_DELEGATED_USER_CERT, MULTI_IDP_FEDERATION, OAUTH2_AS_URI, ONLINE_OAUTH2_CA_USE and ONLINE_OAUTH2_CA_URI.
Check that the URIs correspond to your URIs.
Also, copy the IdP's metadata (https://multi.contrail.xlab.si/simplesaml/saml2/idp/metadata.php) to the location given by FEDERATION_WEB_LOCAL_METADATA. It should resemble this:
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://multi.contrail.xlab.si/simplesaml/saml2/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDkDCCAngCAgE2MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNVBAYTAlNJMREwDwYDVQQIDAhTbG92ZW5pYTESMBAGA1UEBwwJTGp1YmxqYW5hMREwDwYDVQQKDAhDb250cmFpbDELMAkGA1UEAwwCQ0ExJDAiBgkqhkiG9w0BCQEWFWFsZXMuY2Vybml2ZWNAeGxhYi5zaTAeFw0xMzA0MDMwODMwNTRaFw0yMzA0MDEwODMwNTRaMIGgMQswCQYDVQQGEwJTSTERMA8GA1UECBMIU2xvdmVuaWExEjAQBgNVBAcTCUxqdWJsamFuYTEUMBIGA1UEChMLWExBQiBkLm8uby4xETAPBgNVBAsTCFJlc2Vh