under construction for v0.1.2 release
OpenPlatformTrustServices v0.1.2 Server Setup Guide (DRAFT)
This is a demonstration that uses KNOPPIX, a bootable CD operating system, to try out Remote Attestation, the fundamental capability provided by Trusted Computing technology.
This KNOPPIX supports Trusted Boot and includes the client software for Remote Attestation, and it can be validated by the demo Validation Service on the Internet. When validation succeeds and no known vulnerability is found, the client is allowed to use a service, such as the demonstration vulnerability search service.
This guide describes how to set up the server used in this experiment. Any information you can share with us, including your test results and any trouble you run into, will be very helpful and appreciated. The following mailing lists are available for such reports.
This guide shows how to set up the server on Red Hat Enterprise Linux 4.
Supported Clients
Section 3 presents the construction of the database server. Section 4 describes the application server. Section 5 describes the interface for accessing the database.
Install Red Hat Enterprise Linux 4.
After installation, disable prelink by editing /etc/sysconfig/prelink:
PRELINKING=no
prelink rewrites ELF binaries and shared libraries in place after they are installed, so their digests no longer match the values recorded for the packages; the integrity information collected later must come from unmodified files. To undo any prelinking that has already been applied, execute the following command immediately.
# prelink -ua
Download the RPM package for Java Runtime Environment 6 and install it.
Install the PostgreSQL server RPM package and confirm that it is present.
$ rpm -q postgresql-server
Start the PostgreSQL server and set a password for the postgres system user (it is needed for su postgres below).
# /sbin/service postgresql start
# passwd postgres
Edit /var/lib/pgsql/data/postgresql.conf so that the server accepts TCP/IP connections. This is the parameter name in the PostgreSQL 7.4 shipped with RHEL4; PostgreSQL 8.0 and later use listen_addresses instead.
tcpip_socket = true
Also edit /var/lib/pgsql/data/pg_hba.conf:
host all all 127.0.0.1 255.255.255.255 password
local all all password
The first rule limits TCP clients to the loopback address. The password method sends the password in the clear over the connection, which is acceptable here only because that connection never leaves the host; md5 is also supported by 7.4 and avoids it.
Restart the PostgreSQL server so that the new configuration takes effect.
# /sbin/service postgresql restart
Become the database administrator (the postgres user) and set the environment variable that points to the data directory.
> su postgres
Password: xxxxxxxx
> export PGDATA=/var/lib/pgsql/data
To create an administrator account, run createuser as postgres and enter a password for the new administrator when prompted. -a lets the account create other users, -d lets it create databases, and -P prompts for the password.
> createuser -a -d -P ptsadmin
Enter password for new user: xxxxxxxx
Enter it again: xxxxxxxx
CREATE USER
To create an ordinary user account, run createuser again and enter a password for the new user; -A and -D deny the account those two privileges.
> createuser -A -D -P ptsuser
Enter password for new user: xxxxxxxx
Enter it again: xxxxxxxx
CREATE USER
Create two databases: an integrity information database for KNOPPIX named "iidb_knoppix", and a vulnerability database named "vul".
> createdb -E utf8 iidb_knoppix
CREATE DATABASE
> createdb -E utf8 vul
CREATE DATABASE
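The following is an added example and is not part of OpenPTS or of this guide: a small POSIX shell helper that applies the postgresql.conf and pg_hba.conf settings above idempotently (a second run does not duplicate lines) and checks that no TCP rule in pg_hba.conf accepts clients from anywhere but 127.0.0.1. The function names, the use of md5 instead of password in the sample rule, and the scratch files the demo at the bottom works on are this example's own choices; nothing here touches a live server.

```shell
#!/bin/sh
# Added example (not an OpenPTS script): idempotent edits to postgresql.conf
# and pg_hba.conf plus a check on the result. Paths are arguments so the
# functions can be tried on scratch copies before /var/lib/pgsql/data is edited.

# pg_set_param CONF KEY VALUE
# Rewrite any existing assignment of KEY (commented out or not) as an active
# "KEY = VALUE" line, or append one if the file has none.
pg_set_param() {
    conf=$1
    key=$2
    value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
}

# pg_get_param CONF KEY: print the value of the last active assignment of KEY.
pg_get_param() {
    sed -n -E "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^#[:space:]]+).*|\1|p" "$1" | tail -n 1
}

# pg_add_hba HBA RULE: append an access rule unless it is already present.
# pg_hba.conf is matched top-down and the first hit wins, so keep permissive
# defaults such as "local all all trust" out of the file entirely.
pg_add_hba() {
    grep -Fxq "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# pg_hba_loopback_only HBA: succeed only if every "host" rule is bound to
# 127.0.0.1, i.e. no TCP rule would let a remote client even attempt a login.
pg_hba_loopback_only() {
    ! grep -E '^[[:space:]]*host[[:space:]]' "$1" \
        | grep -Ev '[[:space:]]127\.0\.0\.1[[:space:]]' \
        | grep -q .
}

# Demo on scratch copies (constructed content, not the real RHEL4 files).
work=$(mktemp -d)
printf '#tcpip_socket = false\nmax_connections = 100\n' > "$work/postgresql.conf"
: > "$work/pg_hba.conf"
pg_set_param "$work/postgresql.conf" tcpip_socket true
pg_set_param "$work/postgresql.conf" tcpip_socket true      # second run: no duplicate line
pg_add_hba "$work/pg_hba.conf" 'host all all 127.0.0.1 255.255.255.255 md5'
pg_add_hba "$work/pg_hba.conf" 'local all all md5'
echo "tcpip_socket = $(pg_get_param "$work/postgresql.conf" tcpip_socket)"
pg_hba_loopback_only "$work/pg_hba.conf" && echo "pg_hba.conf: loopback only"
rm -rf "$work"
```

Run the functions against copies first, then against /var/lib/pgsql/data/postgresql.conf and pg_hba.conf as root, and restart the server afterwards as in the step above.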
Install following two Open Platform Trust Services.
Run the script /opt/OpenPlatformTrustServices/database/dbsetup.sh from openpts-tools.
Confirm the database configuration it shows and modify it if needed. To create the databases, select S) Setup New Databases.
$ sh /opt/OpenPlatformTrustServices/database/dbsetup.sh
S) Setup New Databases
C) Show Current Configuration
L) Show State
B) Backup Databases
D) Delete Databases
Q) Exit
When you use the same values as in examples 3.2 and 3.3, the settings are as follows.
First, boot KNOPPIX on the client platform to collect its package information.
To get the package information from the running host, execute the script /opt/OpenPlatformTrustServices/bin/deb-all.sh from openpts-tools. The argument is a directory name; in the following example, "knoppix" is the directory in which the collected information is stored. This shell script runs "deb-meta.pl", "deb-file.pl sha1" and "deb-file.pl md5".
$ sh /opt/OpenPlatformTrustServices/bin/deb-all.sh knoppix
On a host that uses RPM packages, run tools/package/rpm/rpm-all.sh in the same way as on the Debian host.
After running this command, the data files are in that directory. The files are
To import them into the database, transfer these data files to the server. To use the openpts command, /opt/OpenPlatformTrustServices/bin/openpts, first set up the database configuration.
Copy /opt/OpenPlatformTrustServices/database/ibatis/sqlMapsConfig.properties.sample to sqlMapsConfig.properties and edit it for your environment. When you use the same values as in examples 3.2 and 3.3, the following values are used.
To insert the data into the Integrity Information Database, run the following command. The --inputdir argument is the data directory that holds the package information. --dbindex selects the database by the index of its url_iidb entry in sqlMapsConfig.properties; to use the database configured as "url_iidb0", add "--dbindex 0".
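Added example, not the openpts deb-file.pl or rpm-all.sh scripts: what those scripts produce, one line per installed file with its SHA-1 and MD5, reduced to plain shell, together with a verifier that re-hashes the files and reports the ones whose digests no longer match. It also makes concrete why prelink has to be disabled on a measured host: a binary rewritten in place after installation fails this check exactly like a tampered one. The function names, the output format and the demo tree are this example's own; the real scripts read the package manager's file lists instead of walking a directory.

```shell
#!/bin/sh
# Added example (not an OpenPTS script): per-file SHA-1 and MD5 collection and
# a verifier that reports files whose digests changed or that disappeared.

# digest_line FILE: print "SHA1 MD5 FILE" for one file.
digest_line() {
    s=$(sha1sum "$1" | cut -d' ' -f1)
    m=$(md5sum "$1" | cut -d' ' -f1)
    printf '%s %s %s\n' "$s" "$m" "$1"
}

# collect_digests DIR: digest every regular file below DIR, sorted by path, so
# two runs over identical trees produce byte-identical reference files.
collect_digests() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        digest_line "$f"
    done
}

# verify_digests REFFILE: re-hash every file named in REFFILE and print the
# paths whose SHA-1 or MD5 differ (CHANGED) or which no longer exist (MISSING).
# Returns 0 when everything matches, 1 otherwise.
verify_digests() {
    status=0
    while read -r sha md path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
            status=1
            continue
        fi
        now=$(digest_line "$path")
        if [ "$now" != "$sha $md $path" ]; then
            printf 'CHANGED %s\n' "$path"
            status=1
        fi
    done < "$1"
    return $status
}

# Demo on a constructed tree (not real package data).
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/bin1"
collect_digests "$demo_dir" > "$demo_dir.ref"
printf 'abd' > "$demo_dir/bin1"          # simulate an in-place rewrite (prelink, or tampering)
verify_digests "$demo_dir.ref"           # prints: CHANGED .../bin1
echo "verify exit status: $?"
rm -rf "$demo_dir" "$demo_dir.ref"
```

The reference file is the only thing that has to be kept trustworthy: once it is imported into the integrity information database, every later comparison is only as good as the digests collected here, which is why they must be taken before anything rewrites the installed files.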
$ /opt/OpenPlatformTrustServices/bin/openpts debimport --dbindex 0 --inputdir ~/knoppix/data/
Get the vulnerability information from the Internet. CVE data and DSA (Debian Security Advisory) data are needed to check the security of KNOPPIX. As written, both feeds are fetched over plain HTTP, so there is no transport-level integrity protection for the data you import.
The NVD CVE feed is published as one XML file per year from 2002 to 2008 (nvdcve-2002.xml to nvdcve-2008.xml). To populate the cve_definitions table, execute the following command for each year. In this example, the XML files are saved with "--outputdir /tmp".
$ /opt/OpenPlatformTrustServices/bin/openpts cve --xmlfile http://nvd.nist.gov/download/nvdcve-2008.xml --outputdir /tmp
To store the DSA data in the debian_security_advisories table, execute the following command for each year from 2000 to 2008.
$ /opt/OpenPlatformTrustServices/bin/openpts dsainfo --url http://www.debian.org/security/2008/ --outdir /tmp
Then fetch the detail information for each DSA entry and apply it to the package information database.
$ /opt/OpenPlatformTrustServices/bin/openpts dsadetail --outdir /tmp
$ /opt/OpenPlatformTrustServices/bin/openpts dsasync --dbindex 0
If you use Red Hat RPM packages, get OVAL information instead of DSA data. In this case, the "--distribution" argument gives the Red Hat release whose packages were collected (rhel5 in the example).
$ /opt/OpenPlatformTrustServices/bin/openpts oval --dbindex 0 --xmlfile https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml --distribution rhel5
In PostgreSQL, VACUUM reclaims the space held by dead rows (rows that have been updated or deleted but are still stored on disk).
REINDEX rebuilds an existing index.
You can write out a database to a file as SQL.
$ pg_dump database_name > file_name.sql
To restore this plain SQL dump into a database, feed it to psql:
$ psql -e database_name < file_name.sql
pg_restore does not read plain SQL dumps; use it only for an archive created with pg_dump -Fc (custom format) or -Ft (tar):
$ pg_restore -d database_name file_name.dump
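Added example (not an OpenPTS tool): a shell helper that picks psql or pg_restore from the dump file itself rather than from its name, which is the mix-up to avoid when restoring the iidb and vul databases. pg_dump's custom-format archives begin with the five bytes "PGDMP"; anything else is treated as plain SQL. The function names, the DRY_RUN switch and the sample files in the demo are this example's own.

```shell
#!/bin/sh
# Added example (not an OpenPTS tool): choose the restore tool by sniffing the
# dump format. Custom-format archives (pg_dump -Fc) start with "PGDMP" and
# need pg_restore; a plain dump is SQL text and must go through psql.

# restore_tool FILE: print "pg_restore" or "psql".
restore_tool() {
    if [ "$(head -c 5 "$1")" = "PGDMP" ]; then
        echo pg_restore
    else
        echo psql
    fi
}

# restore_dump DBNAME FILE: run the matching tool. With DRY_RUN=1 the command
# is printed instead of executed, so the selection can be checked without a
# running server.
restore_dump() {
    db=$1
    file=$2
    case $(restore_tool "$file") in
        pg_restore) set -- pg_restore -d "$db" "$file" ;;
        psql)       set -- psql -d "$db" -f "$file" ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Demo with constructed files (not real dumps).
work=$(mktemp -d)
printf 'PGDMP\001\016' > "$work/vul.dump"
printf '%s\n' '--' '-- PostgreSQL database dump' > "$work/vul.sql"
DRY_RUN=1 restore_dump vul "$work/vul.dump"   # pg_restore -d vul .../vul.dump
DRY_RUN=1 restore_dump vul "$work/vul.sql"    # psql -d vul -f .../vul.sql
rm -rf "$work"
```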
For example, the demo user is
account : guest
password : password
Create the password file outside the document root (it is the file the AuthUserFile directive below points to; -c creates it and overwrites any existing file), then create the protected directory.
htpasswd -c /var/www/.htpasswd guest
mkdir /var/www/html/demo
Edit /var/www/html/demo/.htaccess:
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Edit /var/www/html/demo/index.html and put any contents in it. Basic authentication sends the credentials base64-encoded, not encrypted, so outside this demo serve the directory over HTTPS.
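Added example, not part of the guide: a shell helper that writes the .htaccess above and a check that it really points at an existing password file kept outside the DocumentRoot, which catches the classic mistake of creating the password file under one name and referencing it under another. The function names and the scratch tree in the demo are this example's own; the password file itself is still created with htpasswd as above.

```shell
#!/bin/sh
# Added example (not from the guide): write the Basic-auth .htaccess and
# verify that its AuthUserFile exists and lives outside the DocumentRoot.

# write_htaccess DIR USERFILE: write the directives from the guide into
# DIR/.htaccess, pointing AuthUserFile at USERFILE.
write_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Password Required"
AuthUserFile $2
AuthGroupFile /dev/null
Require valid-user
EOF
}

# check_htaccess HTACCESS DOCROOT: print "ok" and return 0 if the file names
# an existing AuthUserFile outside DOCROOT and requires a valid user;
# otherwise print the reason and return 1.
check_htaccess() {
    htaccess=$1
    docroot=$2
    userfile=$(sed -n -E 's|^[[:space:]]*AuthUserFile[[:space:]]+"?([^"[:space:]]+)"?.*|\1|p' "$htaccess" | head -n 1)
    if [ -z "$userfile" ]; then
        echo "no AuthUserFile directive"
        return 1
    fi
    if [ ! -f "$userfile" ]; then
        echo "AuthUserFile $userfile does not exist"
        return 1
    fi
    case $userfile in
        "$docroot"/*)
            # A password file under the DocumentRoot can be fetched by any client
            # unless something else blocks it.
            echo "AuthUserFile $userfile is inside DocumentRoot $docroot"
            return 1 ;;
    esac
    if ! grep -Eq '^[[:space:]]*Require[[:space:]]+valid-user' "$htaccess"; then
        echo "no Require valid-user"
        return 1
    fi
    echo ok
}

# Demo on a scratch tree (constructed; on the server use /var/www and /var/www/html/demo).
root=$(mktemp -d)
mkdir -p "$root/html/demo"
write_htaccess "$root/html/demo" "$root/.htpasswd"
check_htaccess "$root/html/demo/.htaccess" "$root/html"   # AuthUserFile ... does not exist
: > "$root/.htpasswd"        # on the server: htpasswd -c /var/www/.htpasswd guest
check_htaccess "$root/html/demo/.htaccess" "$root/html"   # ok
rm -rf "$root"
```

The check only confirms that the directives are consistent; whether Apache honours the .htaccess at all still depends on AllowOverride AuthConfig being set for /var/www/html/demo in the server configuration.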
Download Tomcat 5.5 and install it.
# cd /opt
# tar xvfz /home/munetoh/Desktop/apache-tomcat-5.5.26.tar.gz
# /opt/apache-tomcat-5.5.26/bin/catalina.sh run
Check the URL http://localhost:8080/. catalina.sh run keeps Tomcat in the foreground, and as written it runs Tomcat as root; that is acceptable only on a throwaway demo host.
Install the following two Open Platform Trust Services.
First, openpts-tools:
$ cd OpenPlatformTrustServices-0.1.1
$ sudo make setup-jars
$ make all
$ sudo make install
Then the validation servlet (deployed as the pva web application), and copy the database configuration into it:
$ cd OpenPlatformTrustServices-0.1.1
$ sudo make setup-jars
$ make all
$ make servlet
$ sudo make install-servlet
$ cp /opt/OpenPlatformTrustServices/database/ibatis/sqlMapsConfig.properties /opt/apache-tomcat-5.5.26/webapps/pva/WEB-INF/classes/sqlMapsConfig.properties
Note: the ID and password used to access the demo site are hard-coded (sorry); change the string at line 104 of src/tcdemo/Server.java before building the servlet.
Restart Tomcat and check that the validation application exists at http://localhost:8080/pva/
# /opt/apache-tomcat-5.5.26/bin/catalina.sh run
The servlet's logging configuration is in /opt/apache-tomcat-5.5.26/webapps/pva/WEB-INF/classes/log4j.properties
phpPgAdmin is a web-based viewer for the PostgreSQL database.
Download the RPM package for RHEL4 from http://rpm.pbone.net/index.php3/stat/4/idpl/6893237/com/phpPgAdmin-4.2-1.el4.noarch.rpm.html and install it.
# rpm -ivh /home/munetoh/Desktop/phpPgAdmin-4.2-1.el4.noarch.rpm
It exposes the database administration interface over HTTP, so restrict access to it to the administration host, or remove it once the demo is over.
Copyright IBM Japan, Ltd. 2008
*) This work is sponsored by the Ministry of Economy, Trade and Industry, Japan (METI) under contract for the New-Generation Information Security R&D Program.
*) Linux is a trademark of Linus Torvalds. All trademarks, logos, service marks, and other materials used in this site are the property of IBM corp. or other entities.