
Build and Install OpenAttestation (2.0)

chendave edited this page · 66 revisions

Build Open Attestation (2.0)

System Requirement

The build environment has been validated on Ubuntu 12.10 and Fedora 19.

Proxy Configuration Setup

If you build the package behind a firewall, you need to set up the following proxies in order to download the source code and the required libraries.

 # export http_proxy=http://<proxy_server>:<proxy_port>
 # export https_proxy=https://<proxy_server>:<proxy_port>
 # export ftp_proxy=ftp://<proxy_server>:<proxy_port>

Install Required Packages

Taking Ubuntu 12.10 as an example, you need to install the following required packages:

 # apt-get install git maven
 # apt-get install openjdk-7-jdk
 # apt-get install zip make g++ makeself

For SLES 11.2, you can fetch the makeself package from the OpenSuSE repository, and you need to alias makeself.sh to makeself.

Download Source Code

Use git to download the source code; the steps below assume the code is placed in your home directory:

 # cd $HOME
 # git clone https://github.com/OpenAttestation/OpenAttestation/

Build Source Code

Open Attestation 2.0 uses Maven to build the source code. Run the following commands to build it:

 # cd $HOME/OpenAttestation
 # git checkout v2.0
 # mvn clean install

Note: On RHEL the package ‘makeself’ is missing; download the SRPM and compile the package to install makeself (http://rpmfind.net/linux/RPM/opensuse/12.1/noarch/makeself-2.1.5-3.1.1.noarch.html). On SLES, makeself is named makeself.sh; alias this shell script as ‘makeself’ and the build should then succeed.

Attestation Server Installation

System Requirement

So far, the server installation has been verified on Ubuntu 12.10, Fedora 19, SLES 11 SP2, openSUSE 12.3 and RHEL 6.4.

Firewall configuration

Make sure TCP ports 8181 and 8080 are not blocked by the firewall.

Ubuntu 12.10

 # ufw allow 8181
 # ufw allow 8080

Fedora 19

 # iptables -A INPUT -p tcp --dport 8181 -j ACCEPT
 # iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

Install Required Packages

Install packages listed below:

 # apt-get install openjdk-7-jdk
 # apt-get install openssl
 # apt-get install libssl-dev

Also install the following:

  • Database system: MySQL 5.0 / MariaDB or later, or PostgreSQL
  • Java web application container: Glassfish 3.0 or later, or Tomcat 6.0 or later.

JDK Configuration

Open Attestation 2.0 uses the Bouncy Castle JCE provider. Add the provider to the list of trusted providers in $JAVA_HOME/jre/lib/security/java.security like this:

 security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Besides, copy the corresponding jars to $JAVA_HOME/jre/lib/security to support the provider. Download these jars (jce-6-download) from the Oracle website.

 # unzip jce_policy-6.zip
 # cp jce/*.jar $JAVA_HOME/jre/lib/security

Web Container Configuration

Attestation requires Glassfish 3.0 or later, or Tomcat 6.0 or later.
Attestation needs the Jackson library installed into the web container’s endorsed modules directory. The library version must be 1.9 or later; you can find the jars in $HOME/OpenAttestation/services/AttestationService/target/AttestationService-{version}/WEB-INF/lib after building the attestation service.
If you use glassfish as the web container, copy these jars to $GLASSFISH_HOME/modules like this:

 cp $HOME/OpenAttestation/services/AttestationService/target/AttestationService-{version}/WEB-INF/lib/jackson*.jar $GLASSFISH_HOME/modules

Database Initialization

Execute the following commands to create the database schema:

 mysql -uroot -ppassword -e 'create database mw_as;'
 mysql -uroot -ppassword mw_as < database/mysql/src/main/resources/com/intel/mtwilson/database/mysql/mtwilson.sql

Create Configuration Files

We need to create some configuration files used by the later setup process. These configuration files include mtwilson.properties, privacyca-client.properties, PrivacyCA.properties, attestation-service.properties, trust-dashboard.properties and whitelist-portal.properties.

 # mkdir -p /etc/intel/cloudsecurity
 # cd /etc/intel/cloudsecurity
 # nano /etc/intel/cloudsecurity/mtwilson.properties
 mtwilson.api.baseurl=https://<server ip>:8181
 mtwilson.api.ssl.policy=TRUST_FIRST_CERTIFICATE
 mtwilson.db.driver=com.mysql.jdbc.Driver
 mtwilson.db.url=jdbc:mysql://localhost/mw_as
 mtwilson.db.user=root
 mtwilson.db.password=password
 # nano /etc/intel/cloudsecurity/privacyca-client.properties
 PrivacyCaUrl=https://<server ip>:8181/HisPrivacyCAWebServices2
 PrivacyCaSubjectName=HIS_Privacy_CA
 PrivacyCaPassword=***replace***
 EndorsementCaSubjectName=Endorsement_CA_Rev_1
 EndorsementCaPassword=***replace***
 CertValidityDays=3652
 AikAuth=1111111111111111111111111111111111111111
 # nano /etc/intel/cloudsecurity/PrivacyCA.properties
 ClientFilesDownloadUsername=admin
 ClientFilesDownloadPassword=password
 # nano /etc/intel/cloudsecurity/attestation-service.properties
 com.intel.mountwilson.as.trustagent.timeout=3
 com.intel.mountwilson.as.attestation.hostTimeout=60
 com.intel.mountwilson.as.home=/var/opt/intel/aikverifyhome
 com.intel.mountwilson.as.aikqverify.cmd=aikqverify
 com.intel.mountwilson.as.openssl.cmd=openssl.sh
 saml.key.alias=samlkey1
 saml.keystore.file=SAML.jks
 saml.keystore.password=changeit
 saml.validity.seconds=3600
 saml.issuer=https://<server ip>:8181
 saml.key.password=changeit
 privacyca.server=<server ip>
 com.intel.mtwilson.as.business.trust.sleepTime=1
 # nano /etc/intel/cloudsecurity/trust-dashboard.properties
 mtwilson.tdbp.keystore.dir=/etc/intel/cloudsecurity
 mtwilson.tdbp.keystore.password=password
 imagesRootPath = images/
 trustUnknow = images/Unknown.png
 trustTure = images/Trusted.png
 trustFalse = images/UnTrusted.png
 ubuntu = images/ubuntu.png
 vmware = images/vmware.png
 suse = images/suse.png
 kvm = images/kvm.png
 xen = images/xen.png
 mtwilson.tdbp.sessionTimeOut = 1800
 mtwilson.tdbp.paginationRowCount = 10
 # nano /etc/intel/cloudsecurity/whitelist-portal.properties
 mtwilson.wlmp.keystore.dir=/etc/intel/cloudsecurity
 mtwilson.wlmp.keystore.password=password
 mtwilson.wlmp.openSourceHypervisors=KVM;Xen
 mtwilson.wlmp.sessionTimeOut=1800
 mtwilson.wlmp.pagingSize=8

Install aikqverify

The attestation service must use the “aikqverify” program, so you need to compile and install it; the sources are located in $HOME/OpenAttestation/services/aikqverify/target/aikqverify-2.0.zip. Here are the steps:

 # cp $HOME/OpenAttestation/services/aikqverify/target/aikqverify-2.0.zip $HOME
 # cd $HOME
 # unzip aikqverify-2.0.zip
 # cd aikqverify-2.0
 # make
 # make install

Besides, make sure glassfish or tomcat has write permission for the directory "/var/opt/intel/aikverifyhome/data".

Create SAML Signing Key

In this section, you will create a keystore SAML.jks with a signing private key; this private key must be protected by a password. In addition, the corresponding public key is stored in the saml.crt.pem file.

You can follow the commands below to generate these certificates, but you should modify some fields according to your preference; the definitions are in /etc/intel/cloudsecurity/attestation-service.properties.

 # cd /etc/intel/cloudsecurity
 # keytool -genkey -alias <saml.key.alias> -keyalg RSA  -keysize 2048 -keystore <saml.keystore.file> -storepass <saml.keystore.password> -dname "CN=AttestationService, OU=Mt Wilson, O=My Org, C=US" -validity 3650  -keypass <saml.key.password>
 # keytool -export -alias <saml.key.alias> -keystore <saml.keystore.file> -storepass <saml.keystore.password> -file saml.crt
 # openssl x509 -in saml.crt -inform der -out saml.crt.pem -outform pem

Create EK Signing Certificate

Here you will generate the certificate privacyca-endorsement.crt from endorsement.p12. Before doing so, run the executable jar file to generate the password used to decrypt endorsement.p12.

The jar file creates the file /etc/intel/cloudsecurity/clientfiles/hisprovisioner.properties and stores the password in it as EndorsementP12Pass. The commands are as below:

 # cd /etc/intel/cloudsecurity
 # java -jar $HOME/OpenAttestation/trust-agent/HisPrivacyCAWebServices2/target/HisPrivacyCAWebServices2-2.0-setup.jar

Now you can extract privacyca-endorsement.crt from endorsement.p12 by running the following commands:

 # export endorsement_password=EndorsementP12Pass
 # openssl pkcs12 -in clientfiles/endorsement.p12 -out privacyca-endorsement.pem -nokeys -passin env:endorsement_password
 # openssl x509 -inform pem -in privacyca-endorsement.pem -out privacyca-endorsement.crt -outform der
 # cp /etc/intel/cloudsecurity/clientfiles/PrivacyCA.cer /etc/intel/cloudsecurity/PrivacyCA.cer

Note: replace "EndorsementP12Pass" with the value defined in hisprovisioner.properties.

Create Attestation Server Certificate

In this part, you will create an attestation server certificate. Run the commands below:

 # cd $GLASSFISH_HOME/domains/domain1/config

If using tomcat as the web container, create a directory named "Certificate" in the $TOMCAT_HOME directory and change to "Certificate" instead.

 # rm -rf keystore.jks
 # keytool -genkey -alias s1as -keyalg RSA -keysize 2048 -keystore keystore.jks -storepass changeit -dname "CN=<server ip>, OU=Mt Wilson, O=My Org, C=US" -validity 3650 -ext san=IP:<server ip> -keypass changeit
 # keytool -exportcert -alias s1as -keystore keystore.jks -storepass changeit -file ssl.<server ip>.crt
 # openssl x509 -in ssl.<server ip>.crt -inform der -out ssl.<server ip>.crt.pem -outform pem

Note: some fields in the above commands must be consistent with values you set previously, such as "storepass".

Create Portal Signing Key

The following commands will create a keystore portal.jks, which is used for secure connection between Whitelist Portal and Trust Dashboard, and between Whitelist Service and Attestation Service. The "password" should be consistent with mtwilson.tdbp.keystore.password and mtwilson.wlmp.keystore.password from trust-dashboard.properties and whitelist-portal.properties.

 # cd /etc/intel/cloudsecurity
 # keytool -genkey -alias admin -keyalg RSA -keysize 2048 -keystore portal.jks -storepass password -dname "CN=Portal User, OU=Mt Wilson, O=My Org, C=US" -validity 3650 -keypass password
 # keytool -importcert -file saml.crt -keystore portal.jks -storepass password -alias "mtwilson (saml)"
 # keytool -importcert -file $GLASSFISH_HOME/domains/domain1/config/ssl.<server ip>.crt -keystore portal.jks -storepass password -alias "mtwilson (ssl)"

Note: In the last command of this section, replace the ssl certificate directory with the corresponding directory in tomcat if using tomcat as the web container, "$TOMCAT_HOME/Certificate" for example.

Create oVirt Signing Key {optional}

Here you will create the ovirt.jks file used for secure communication with oVirt; this optional step is only needed in an oVirt environment. The default password is “password”; you can change the value. Follow the commands below to generate ovirt.jks:

 # cd /etc/intel/cloudsecurity
 # keytool -genkey -alias ovirtssl -keyalg RSA -keysize 2048 -keystore ovirt.jks -storepass password -dname "CN=<server ip>, OU=Mt Wilson, O=My Org, C=US" -validity 3650 -keypass password
 # keytool -export -alias ovirtssl -keystore ovirt.jks -storepass password -file ovirtssl.crt
 # keytool -importcert -file $GLASSFISH_HOME/domains/domain1/config/ssl.<server ip>.crt -keystore ovirt.jks -storepass password -alias "attestation server"

SSL Configuration

You need to configure ciphers for the SSL protocol; follow these steps to add suitable ciphers:

  • Log in to the glassfish web portal (logging in via localhost is suggested), for example http://*.*.*.*:4848/common/index.jsf
  • Browse to Configuration > server-config > Network Config > Protocols > http-listener-2.
  • Click on the “SSL” tab and add the following ciphers:
TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
  • Click “Save.”
  • Restart the domain:
 # /usr/share/glassfish3/glassfish/bin/asadmin restart-domain

If using tomcat as the web container, modify the tomcat configuration file by executing the following shell command:

 sed -i "s/ <\/Service>/<Connector port=\"8181\" minSpareThreads=\"5\" maxSpareThreads=\"75\" enableLookups=\"false\" disableUploadTimeout=\"true\" acceptCount=\"100\" maxThreads=\"200\" scheme=\"https\" secure=\"true\" SSLEnabled=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" ciphers=\"TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA\" keystoreFile=\"Certificate\/keystore.jks\" keystorePass=\"changeit\" truststoreFile=\"Certificate\/keystore.jks\" truststorePass=\"changeit\" \/><\/Service>/g" $TOMCAT_HOME/conf/server.xml
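The cipher list above includes anonymous (TLS_ECDH_anon_*) and 3DES suites. As an added check that is not part of the OpenAttestation project, the following Python script reads the ciphers attribute of the SSLEnabled Connector that the sed command writes into server.xml and reports suites that provide no server authentication, use 3DES, or lack forward secrecy; the server.xml fragment is constructed for the example, and the same classify_cipher function can be applied to the glassfish list pasted as a string.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the HTTPS Connector that the page's sed
# command inserts, with its cipher list cut down to a representative subset.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8181" />
    <Connector port="8181" scheme="https" secure="true" SSLEnabled="true"
      clientAuth="want" sslProtocol="TLS"
      ciphers="TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
               TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
               TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"
      keystoreFile="Certificate/keystore.jks" keystorePass="changeit" />
  </Service>
</Server>
"""

ANON = "anonymous suite: no server authentication"
TRIPLE_DES = "3DES: 64-bit block cipher"
NO_FS = "no forward secrecy (static key exchange)"


def classify_cipher(name):
    """Return the list of findings for one IANA-style cipher suite name."""
    findings = []
    key_exchange = name.split("_WITH_")[0]  # e.g. TLS_ECDH_RSA, TLS_DHE_DSS
    if "_anon" in key_exchange:
        findings.append(ANON)
    elif "DHE" not in key_exchange:
        # Only (EC)DHE suites use ephemeral keys; TLS_RSA_* and static
        # TLS_ECDH_* suites can be decrypted later if the server key leaks.
        findings.append(NO_FS)
    if "3DES" in name:
        findings.append(TRIPLE_DES)
    return findings


def ssl_connector_ciphers(xml_text):
    """Map each SSLEnabled Connector's port to its configured cipher list."""
    root = ET.fromstring(xml_text)
    result = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        raw = conn.get("ciphers", "")
        result[conn.get("port")] = [c.strip() for c in raw.split(",") if c.strip()]
    return result


def audit_server_xml(xml_text):
    """Return {port: {cipher: [findings]}} listing only suites with findings."""
    report = {}
    for port, ciphers in ssl_connector_ciphers(xml_text).items():
        flagged = {c: classify_cipher(c) for c in ciphers}
        report[port] = {c: f for c, f in flagged.items() if f}
    return report


if __name__ == "__main__":
    for port, flagged in audit_server_xml(SAMPLE_SERVER_XML).items():
        for cipher, findings in flagged.items():
            print(f"port {port}: {cipher}: {'; '.join(findings)}")
```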

Deploy The Web Services

Deploying the compiled web services is straightforward.
Before deploying the web services, grant permissions on the directory "/etc/intel/cloudsecurity":

 # chmod -R 755 /etc/intel/cloudsecurity

If using glassfish as the web container, copy the compiled war packages to the $GLASSFISH_HOME/domains/domain1/autodeploy directory in the following order (assuming the build server and the attestation server are the same host).

 # cd $GLASSFISH_HOME/domains/domain1/autodeploy
 # cp $HOME/OpenAttestation/trust-agent/HisPrivacyCAWebServices2/target/HisPrivacyCAWebServices2.war HisPrivacyCAWebServices2.war
 # cp $HOME/OpenAttestation/services/WLMService/target/WLMService-2.0-core.war WLMService.war
 # cp $HOME/OpenAttestation/portals/WhiteListPortal/target/WhiteListPortal-2.0-core.war WhiteListPortal.war
 # cp $HOME/OpenAttestation/services/AttestationService/target/AttestationService-2.0-core.war AttestationService.war
 # cp $HOME/OpenAttestation/portals/TrustDashBoard/target/TrustDashBoard-2.0-core.war TrustDashBoard.war

After deploying them, manually restart glassfish by running:

 /usr/share/glassfish3/glassfish/bin/asadmin restart-domain

If using tomcat as the web container, copy the compiled war packages to the $TOMCAT_HOME/webapps directory in the following order (assuming the build server and the attestation server are the same host).

 # cd $TOMCAT_HOME/webapps
 # cp $HOME/OpenAttestation/trust-agent/HisPrivacyCAWebServices2/target/HisPrivacyCAWebServices2.war HisPrivacyCAWebServices2.war
 # cp $HOME/OpenAttestation/services/WLMService/target/WLMService-2.0-core.war WLMService.war
 # cp $HOME/OpenAttestation/portals/WhiteListPortal/target/WhiteListPortal-2.0-core.war WhiteListPortal.war
 # cp $HOME/OpenAttestation/services/AttestationService/target/AttestationService-2.0-core.war AttestationService.war
 # cp $HOME/OpenAttestation/portals/TrustDashBoard/target/TrustDashBoard-2.0-core.war TrustDashBoard.war

After deploying them, manually restart the tomcat service by running:

 service tomcat6 restart

or

 service tomcat7 restart

Attestation Client Installation

Firewall configuration

Make sure TCP ports 9999 and 9998 are not blocked by the firewall.

Ubuntu 12.10

 # ufw allow 9999
 # ufw allow 9998

Fedora 19

 # iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
 # iptables -A INPUT -p tcp --dport 9998 -j ACCEPT

Enable Intel® TXT in BIOS

The client system must have a TPM 1.2 compliant device with its driver installed, and TPM/TXT enabled in the BIOS, to perform the operation. Below is an example for an HP 8300 system:

  • Power on, press ESC -> Startup Menu -> Computer Setup (F10)
  • Security -> Setup Password: set the setup password as xxxxxx, then F10 to save it.
  • Security -> System Security: enable VT-x/VT-d/Embedded Security Device/Trusted Execution Technology, then F10 to save it.
  • File -> Save Changes and Exit.

Start Agent Service

If you installed the client package before, uninstall it first.

 # service tagent uninstall   # uninstall the service
 # rm -rf /etc/intel/cloudsecurity/* /opt/intel/cloudsecurity/*

You just need to run the bin file located at $HOME/OpenAttestation/trust-agent/TrustAgentLinuxInstaller/target/TrustAgentLinuxInstaller-2.0.bin. After installing the bin package, make sure the tagent service is running; if it is inactive, start it manually.

 # cd $HOME
 # scp <server ip>:$HOME/OpenAttestation/trust-agent/TrustAgentLinuxInstaller/target/TrustAgentLinuxInstaller-2.0.bin .
 # ./TrustAgentLinuxInstaller-2.0.bin
 # service tagent status   # check the service
 # service tagent start    # start the service

Examples

At least OEM, OS, MLE, and HOST information should be added to Attestation Server’s White List database. You can open the following two links to add a trusted host.

 http://oatserver.*.com:8080/WhiteListPortal/home.html
 http://oatserver.*.com:8080/TrustDashBoard/home.html

Notes: oatserver.*.com should be the host name of attestation server.

OAT 2.0 also provides command-line tools that can be used to create data from the console; for example, add an OEM by executing the following command. Read the "README" for more information.

 bash oat_oem -a -h his8 '{"Name":"OEM1","Description":"Newdescription"}'

Add OEM

Name: OEM1
Description: Newdescription
  • Click Add button

Add OS

  • Open the WhiteListPortal
  • Click OS-> Add OS, then fill the blank field shown in popup portal.
Name: OS1
Version: v1
Description: Test1
  • Click Add button

Add MLE

Add VMM Type MLE

  • Open the WhiteListPortal
  • Click MLE -> Add, and input the following info:
MLE-Type: VMM
HOST OS: OS1 V1
VMM Name: KVM
VMM Version: v123
Description: Test
Manifest List -> 18: CE796BD88E58890534CF6131571D5AF652293E55
Note: "18" means PCR 18. The value can be obtained via "# cat /sys/.../pcrs" on the oat agent system, but the space characters must be removed first.
  • Click Add Mle button

Add BIOS Type MLE

  • Open the WhiteListPortal
  • Click MLE -> Add, and input the following info:
MLE-Type: BIOS
OEM Vendor: OEM1
BIOS Name: NewMLE1
BIOS Version: v123
Description: Test
Manifest List -> 0: D8FE91C410E7A3F9CAD8C05F42AC2DDFF707902E
Note: "0" means PCR 0. The value can be obtained via "# cat /sys/.../pcrs" on the oat agent system, but the space characters must be removed first.
  • Click Add Mle button
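Both MLE notes above ask for the PCR value with its space characters removed. As an added example that is not part of the OpenAttestation project, the following Python script parses the pcrs output of a TPM 1.2 agent system (assumed to be in the Linux driver's `PCR-NN: XX XX ...` line format), strips the spaces, checks that each value is a full SHA-1 digest, and checks the result against the Pcr_manifest field sizes listed under Field Constraint on this page. The sample output is constructed; PCR 0 and PCR 18 carry this page's values.

```python
import re

# Constructed sample in the "PCR-NN: XX XX ..." line format (an assumption of this
# example). PCR 0 and PCR 18 hold this page's values; the other lines are made up.
SAMPLE_PCRS = """\
PCR-00: D8 FE 91 C4 10 E7 A3 F9 CA D8 C0 5F 42 AC 2D DF F7 07 90 2E
PCR-01: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-17: 9B 4C 8A 33 1E 7D 2F 05 C6 AA 0E 41 D3 92 6B F0 57 13 8C E4
PCR-18: CE 79 6B D8 8E 58 89 05 34 CF 61 31 57 1D 5A F6 52 29 3E 55
"""

# Column sizes from the page's Pcr_manifest table (Name Varchar 20, Value Varchar 100).
PCR_NAME_MAX = 20
PCR_VALUE_MAX = 100
SHA1_HEX_LEN = 40  # a TPM 1.2 PCR holds a SHA-1 digest: 20 bytes, 40 hex characters

LINE_RE = re.compile(r"^PCR-(\d{2}):\s+((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_pcrs(text):
    """Return {pcr_index: 40-char uppercase hex} for every well-formed line.

    Spaces between byte pairs are removed, as the page asks. Malformed lines
    and digests that are not exactly 20 bytes raise ValueError.
    """
    pcrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a PCR line: {raw!r}")
        value = re.sub(r"\s+", "", m.group(2)).upper()
        if len(value) != SHA1_HEX_LEN:
            raise ValueError(f"line {lineno}: PCR-{m.group(1)} is not a SHA-1 digest")
        pcrs[int(m.group(1))] = value
    return pcrs


def manifest_entries(pcrs, wanted):
    """Build (Name, Value) pairs for the requested PCR indexes, checked against
    the Pcr_manifest column sizes so a bad value fails here, not at the database.
    """
    entries = []
    for idx in wanted:
        if idx not in pcrs:
            raise KeyError(f"PCR {idx} is not present in the pcrs output")
        name, value = str(idx), pcrs[idx]
        if len(name) > PCR_NAME_MAX or len(value) > PCR_VALUE_MAX:
            raise ValueError(f"PCR {idx}: field exceeds the whitelist column size")
        entries.append((name, value))
    return entries


if __name__ == "__main__":
    # On this page the BIOS MLE uses PCR 0 and the VMM MLE uses PCR 18.
    for name, value in manifest_entries(parse_pcrs(SAMPLE_PCRS), [0, 18]):
        print(f"{name}: {value}")
```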

Add HOST

  • Open TrustDashBoard portal
http://oatserver.*.com:8080/TrustDashBoard/home.html
  • Click Host Management -> Add Host, and input the following info:
Host Name: agent.*.com
Host Ip Address: 192.168.1.1
Host Port: 9999
OEM Vendor: OEM1
BIOS Info: New MLE1 v123
OS-VMM Info: OS1 v1|KVM:v123
Note: so far, "IPAddress" and "Port" are not really used, so just leave a placeholder there. "HostName":"agent.*.com" should be the host name of the oat agent (the same as what the hostname command returns on the oat agent system).
  • Click Add Host button

Query HOST

  • Open TrustDashBoard portal
  • Click Home, choose the “agent.*.com”, and check its status.

Field Constraint

In our system, we set a size limit for every field; refer to the following values to input valid parameters. Only the fields for user input are listed here, not all fields.

Host

 Name                    Type     Size
 Name                    Varchar  40
 IpAddress               Varchar  20
 Port                    Int      11
 Description             Varchar  100
 Email                   Varchar  45

OEM

 Name                    Type     Size
 Name                    Varchar  100
 Description             Varchar  200

OS

 Name                    Type     Size
 Name                    Varchar  100
 Version                 Varchar  50
 Description             Varchar  200

MLE

 Name                    Type     Size
 Name                    Varchar  100
 Version                 Varchar  100
 Attestation_type        Varchar  20
 Required_Manifest_List  Varchar  100
 Description             Varchar  200

Pcr_manifest

 Name                    Type     Size
 Name                    Varchar  20
 Value                   Varchar  100
 PCR_Description         Varchar  100