Charles Fisher

Procedures for Utilizing the Secure Authentication Modules

The switch must be programmed; detailed instructions for doing this are beyond the scope of this document. For the purposes of discussing the other configuration file modifications required, it is assumed that the switch has been programmed with a VLAN2 IP address of 192.168.6.100, the attestation server with an IP address of 192.168.6.1, and the client system with an IP address of 192.168.6.10. The switch has been programmed with the RADIUS shared secret rad123 and the shortname haptest. These values are used later in the freeradius-server configuration. (rad123 is a placeholder for this walkthrough; the shared secret is the only thing authenticating the switch to the RADIUS server, so use a long random value in any real deployment.)

System Preparation

  1. Build all of the RPMs from the source RPMs. This should yield 22 binary RPMs. They should be built on the same type of system you are going to install on. Note that at this time the attestation server requires a 32-bit CentOS 5.x system. The client system can be either 32-bit or 64-bit, so you should end up with either .i386.rpm or .x86_64.rpm files. The modules that must be built for the client system are [kernel2.6.18], [trousers], [wpa-supplicant], [Attestation Utilities], [Client Registration], [RIMM Library], [Platform Trust Services], [Integrity Measurement Collector], [Trusted Network Connect Client], [hostimserver], and the [TCG Interface Library].

  2. Build the server RPMs on a 32-bit CentOS or RHEL 5.4 system. The relevant modules are: [freeradius-server], [Verify IMR], and [Key Manager].

  3. Build the [RIMM Tools] binary RPM. You will also need the [RIMM Library] RPM. Install both on the system that you are going to use to build the RIMM.

Building the RIMM

  1. Determine the RPMs that are going to be installed on your client systems. Don't forget the ones that were built in step 1 of System Preparation. This may be the manifest from the kickstart file, or any other list of the RPMs that will be installed on your client systems. Create a list of the RPMs, ordered approximately in the order in which they will be installed (e.g. rpmlist).

  2. Create a repository of all of the RPMs that will be used on the client systems. (e.g. /repo)

  3. Run the command buildreleaserpm. This creates a rimm-release RPM that identifies the particular release so that it can be recognised later. Copy this RPM to the repository created in step 2, and make sure you add it to the end of the list created in step 1.

  4. As root, create a working directory in which to build a file system image (e.g. /tmp/working). WARNING: Do not use the live system for this. The tool deletes critical system files, and the system will not boot afterwards. Again as root, run the command # buildHost -w /tmp/working -r /repo -l rpmlist. This creates the file system image from which the RIMM will be built. After it has finished, execute the command # chown -R <owner>:<group> /tmp/working to change the ownership of everything to you, substituting your actual owner and group names.

  5. Logging in as yourself (<owner> above), execute the command $ process_files -w /tmp/working -e /etc/attest/excludelist. Note that excludelist is a set of files and directories that are discarded because they are either irrelevant to attestation or changeable, and are therefore not amenable to attestation. If files that you wish to preserve (such as man pages) are being discarded, or files that are currently being preserved should be discarded, edit the excludelist file accordingly.

  6. Now build the RIMM. Execute the command $ buildrimm -w /tmp/working -d . which builds the RIMM in the current directory. Note that the RIMM file will be named rimm-1.0.1.vxxxxxxxxxx, where xxxxxxxxxx is the number of seconds since the epoch at which it was built.

  7. Copy the RIMM file created in step 6 and the rimm-release RPM created in step 3 to a thumb drive.
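The steps above, driven from one script, as an added example that is not part of the RIMM Tools or this page's original text. The tool names (buildHost, process_files, buildrimm), the example paths (/repo, rpmlist, /tmp/working, /etc/attest/excludelist) and the rimm-1.0.1.v<epoch> file name are taken from the page; the environment-variable overrides, the preflight check of rpmlist against the repository, the refusal to operate on a system directory, and the RIMM_OWNER default (the user who invoked sudo) are this script's own assumptions. Step 3 (buildreleaserpm) is still run by hand first; the check enforces its result.

```shell
#!/bin/sh
# Added example, not the project's own tooling: runs "Building the RIMM"
# steps 4-7 after checking the inputs produced by steps 1-3.
set -eu

REPO="${REPO:-/repo}"                              # step 2 repository
RPMLIST="${RPMLIST:-./rpmlist}"                    # step 1 list, rimm-release last
WORK="${WORK:-/tmp/working}"                       # step 4 image directory
EXCLUDE="${EXCLUDE:-/etc/attest/excludelist}"      # step 5 exclude list
OUT_DIR="${OUT_DIR:-$PWD}"                         # step 6 output directory
# The unprivileged user that owns the image and runs process_files/buildrimm
# (the "<owner>" of step 4); under sudo this is the invoking user. Assumption.
RIMM_OWNER="${RIMM_OWNER:-${SUDO_USER:-$(id -un)}}"

# Preflight for steps 1-3: every entry in rpmlist must exist in the repo and
# the rimm-release RPM must be the final entry. Returns 1 with a reason on stderr.
check_rpmlist() {
    repo="$1"; list="$2"; last=""
    [ -d "$repo" ] || { echo "repository $repo does not exist" >&2; return 1; }
    [ -f "$list" ] || { echo "rpm list $list does not exist" >&2; return 1; }
    while IFS= read -r rpm || [ -n "$rpm" ]; do
        [ -n "$rpm" ] || continue                  # skip blank lines
        if [ ! -f "$repo/$rpm" ]; then
            echo "$rpm is listed but not present in $repo" >&2
            return 1
        fi
        last="$rpm"
    done < "$list"
    case "$last" in
        rimm-release*.rpm) return 0 ;;
        *) echo "last entry must be the rimm-release RPM, got '$last'" >&2; return 1 ;;
    esac
}

# Steps 4-7. buildHost deletes system files inside the directory it populates,
# so never let the working directory be anything that could be the live root.
build_rimm() {
    [ "$(id -u)" -eq 0 ] || { echo "buildHost must be run as root" >&2; return 1; }
    case "$WORK" in
        ""|/|/usr|/etc|/var|/tmp) echo "refusing to use '$WORK' as the working directory" >&2; return 1 ;;
    esac
    check_rpmlist "$REPO" "$RPMLIST"
    mkdir -p "$WORK"
    buildHost -w "$WORK" -r "$REPO" -l "$RPMLIST"                          # step 4
    chown -R "$RIMM_OWNER:$(id -gn "$RIMM_OWNER")" "$WORK"
    # Steps 5 and 6 run as the owner, not as root, as the page directs.
    su "$RIMM_OWNER" -c "process_files -w '$WORK' -e '$EXCLUDE' && buildrimm -w '$WORK' -d '$OUT_DIR'"
    echo "copy these to the thumb drive (step 7):"
    ls -1 "$OUT_DIR"/rimm-*.v* "$REPO"/rimm-release*.rpm
}

# Only act when invoked explicitly:  sudo ./build_rimm.sh build
if [ "${1:-}" = "build" ]; then
    build_rimm
fi
```

Run it as `sudo REPO=/repo RPMLIST=./rpmlist ./build_rimm.sh build` from the directory where the RIMM should land. The preflight catches the two mistakes that otherwise surface only after the image has been built: an RPM on the list that was never copied into the repository, and a rimm-release RPM that is missing or not last.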

Building the Client System

  1. Install a copy of RHEL 5.4 (32- or 64-bit, depending on which one you built the RPMs for). During installation and first boot, configure the IP address (e.g. 192.168.6.10) and hostname (e.g. client1). This is the name by which the attestation server will know this system.

  2. After first boot completes, log in as root and install the kernel RPMs (there should be 3 of them) and the other RPMs you built for this system (10 additional RPMs). Also install the rimm-release RPM from the thumb drive, created in step 3 of the Building the RIMM section.

  3. Change to the /etc directory and edit the wpa-supplicant.conf file. The line:
    ca_cert = /etc/certs/root.pem
    should be changed to:
    ca_cert = /etc/attest/pdpca_cert.pem
    so that the supplicant validates the RADIUS server's certificate against the PDP CA rather than the default root.

  4. Edit the fstab file and add the following line at the end of the file:
    securityfs /sys/kernel/security securityfs defaults 0 0

  5. Reboot the system. During the reboot, clear the TPM and reactivate it. (Clearing the TPM discards any existing owner authorization and TPM-bound keys, which is why this is done on a freshly installed system before registration.)

  6. Log on as root again and run the following commands:
    # fbInitTPM -g -s /etc/attest/tpm_password
    # genpcrs
    # genaikcsr
    These perform basic Client Registration: taking ownership of the TPM, generating the two keys that attestation requires, generating the "golden" PCR verification block, and generating the Certificate Signing Request for the Attestation Identity Key. See the instructions under [Client Registration] for the command-line arguments available for each of these programs.

  7. Copy the files /etc/attest/<hostname>.pcr and /etc/attest/aik_<hostname>_csr.pem to a thumb drive for transport to the attestation server.
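The client-side edits of steps 3 and 4 and the registration of steps 6 and 7, as an added example script that is not part of the project's Client Registration tooling. The file names and commands (wpa-supplicant.conf, fstab, fbInitTPM, genpcrs, genaikcsr, /etc/attest/tpm_password, the <hostname>.pcr and aik_<hostname>_csr.pem outputs) come from the page; the sed rewrite that preserves the line's indentation and quoting, the duplicate check on fstab, the use of `hostname` for <hostname>, and the THUMB mount point are this script's assumptions.

```shell
#!/bin/sh
# Added example, not the project's own code: idempotent client-side
# configuration (steps 3-4) and TPM registration with staging (steps 6-7).
set -eu

WPA_CONF="${WPA_CONF:-/etc/wpa-supplicant.conf}"   # path as given on the page
FSTAB="${FSTAB:-/etc/fstab}"
THUMB="${THUMB:-/media/thumb}"                     # assumed thumb drive mount
PDPCA="/etc/attest/pdpca_cert.pem"

# Step 3: point ca_cert at the PDP CA certificate. Only the path is replaced,
# so an entry written as  ca_cert="..."  keeps its quotes and indentation.
set_ca_cert() {
    conf="$1"; cert="$2"
    [ -f "$conf" ] || { echo "$conf does not exist" >&2; return 1; }
    tmpf="$conf.tmp.$$"
    sed "s|^\([[:space:]]*ca_cert[[:space:]]*=[[:space:]]*\"\{0,1\}\)[^\"]*\(\"\{0,1\}\)[[:space:]]*\$|\1$cert\2|" \
        "$conf" > "$tmpf" && mv "$tmpf" "$conf"
    # Fail loudly if the file had no ca_cert line to rewrite.
    grep -q "ca_cert.*$cert" "$conf"
}

# Step 4: add the securityfs mount exactly once; rerunning must not
# duplicate the line.
ensure_securityfs() {
    fstab="$1"
    if ! grep -q '^securityfs[[:space:]]' "$fstab"; then
        printf 'securityfs /sys/kernel/security securityfs defaults 0 0\n' >> "$fstab"
    fi
}

# Steps 6 and 7: take ownership of the TPM, generate the keys and the golden
# PCR block, create the AIK CSR, then stage the two files the server needs.
register_client() {
    [ "$(id -u)" -eq 0 ] || { echo "registration must run as root" >&2; return 1; }
    host=$(hostname)                               # assumed to match <hostname>
    fbInitTPM -g -s /etc/attest/tpm_password
    genpcrs
    genaikcsr
    for f in "/etc/attest/$host.pcr" "/etc/attest/aik_${host}_csr.pem"; do
        [ -f "$f" ] || { echo "expected output $f is missing" >&2; return 1; }
        cp "$f" "$THUMB/"
    done
}

# Usage:  ./client_setup.sh configure   (before the reboot of step 5)
#         ./client_setup.sh register    (after the reboot, as root)
case "${1:-}" in
    configure) set_ca_cert "$WPA_CONF" "$PDPCA"; ensure_securityfs "$FSTAB" ;;
    register)  register_client ;;
esac
```

The `configure` subcommand is safe to run more than once, which matters because the page's step 4 is easy to repeat when a build is redone; a second securityfs line in fstab is harmless on this kernel but makes the file harder to audit. The `register` subcommand checks that both output files actually exist before copying, since a failed genaikcsr otherwise goes unnoticed until the server side cannot find the CSR.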

Building the Attestation Server

  1. Install a 32-bit CentOS or RHEL 5.4 system. During installation and first boot, configure the IP address of the attestation server; be sure to use the address you specified when configuring the switch (e.g. 192.168.6.1). Define the hostname as PDP (Policy Decision Point), or whatever name you consider appropriate for your attestation server.

  2. Log on as root and install the RPMs built in step 2 of System Preparation.

  3. Copy the RIMM file from the thumb drive to the directory /etc/attest.

  4. Copy the file /etc/attest/PDPCA/pdpca_cert.pem to the directory /etc/raddb/certs.

  5. Change to the directory /etc/raddb/certs, edit the file radiusd.cnf to change the output password to whatever value you wish to use to protect the radiusd private key, and execute the command ./createradcert. This creates three files, radius_csr.pem, radius_cert.pem and radius_prikey.pem, the last of which is encrypted with the password selected above.

  6. Change to the directory /etc/raddb and edit the file clients.conf. Find the section that starts client 10.0.11.112 and change the IP address (10.0.11.112 in this instance) to the VLAN address configured on the switch (e.g. 192.168.6.100). Set the secret and shortname values to those configured on the switch for this port (rad123 and haptest in the running example).

  7. Edit the file eap.conf. Set private_key_password to the password chosen in step 5. Change private_key_file to ${certdir}/radius_prikey.pem, certificate_file to ${certdir}/radius_cert.pem, and CA_file to ${certdir}/pdpca_cert.pem.

  8. Restart the radiusd daemon by executing the command # service radiusd restart

  9. Change to the directory /etc/attest/clients and create the directory <hostname>, where <hostname> is the hostname assigned to the client system during installation and configuration. Make sure the directory is readable and writable only by the radiusd user (owned by radiusd, mode 0700).

  10. Restart the Key Manager by executing the command # service kmdaemon restart

  11. Copy the file aik_<hostname>_csr.pem to the directory /var/pdpworking.

  12. Copy the file <hostname>.pcr to the directory /var/pdpworking.

  13. Copy the file /etc/attest/PDPCA/pdpca_cert.pem to the thumb drive.
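Steps 6 through 13 of the server setup, applied from parameters, as an added example that is not part of freeradius-server, the Key Manager or this page's original text. Keeping the values that must agree with the switch (client IP, secret, shortname) and with step 5 (the private key password) in one invocation avoids the most common failure here, a mismatched secret that only shows up as silent Access-Reject traffic. The file names, configuration keys and paths are the page's; the sed-based in-place edit of eap.conf, appending a client stanza to clients.conf rather than editing the sample one, radiusd:radiusd ownership with mode 0700, and the thumb drive path are this script's assumptions.

```shell
#!/bin/sh
# Added example, not the project's own code: attestation server steps 6-13.
set -eu

RADDB="${RADDB:-/etc/raddb}"
ATTEST="${ATTEST:-/etc/attest}"
PDPWORK="${PDPWORK:-/var/pdpworking}"

# Step 6: a clients.conf entry for the switch, in FreeRADIUS 2.x syntax.
client_stanza() {
    ip="$1"; secret="$2"; short="$3"
    printf 'client %s {\n\tsecret\t\t= %s\n\tshortname\t= %s\n}\n' "$ip" "$secret" "$short"
}

# Step 7: rewrite the four tls settings in eap.conf in place. The password is
# escaped for use as a sed replacement (backslash, ampersand, delimiter).
set_eap_tls() {
    conf="$1"; pw="$2"
    esc=$(printf '%s' "$pw" | sed 's/[\\&|]/\\&/g')
    tmpf="$conf.tmp.$$"
    sed -e "s|^\([[:space:]]*private_key_password[[:space:]]*=\).*|\1 $esc|" \
        -e 's|^\([[:space:]]*private_key_file[[:space:]]*=\).*|\1 ${certdir}/radius_prikey.pem|' \
        -e 's|^\([[:space:]]*certificate_file[[:space:]]*=\).*|\1 ${certdir}/radius_cert.pem|' \
        -e 's|^\([[:space:]]*CA_file[[:space:]]*=\).*|\1 ${certdir}/pdpca_cert.pem|' \
        "$conf" > "$tmpf" && mv "$tmpf" "$conf"
    grep -qF "private_key_password = $pw" "$conf"   # fail if nothing was rewritten
}

# Step 9: the per-client directory, readable and writable only by radiusd.
# Ownership is applied only when running as root on a host that has the user.
make_client_dir() {
    root="$1"; host="$2"
    d="$root/clients/$host"
    mkdir -p "$d"
    chmod 0700 "$d"
    if [ "$(id -u)" -eq 0 ] && id radiusd >/dev/null 2>&1; then
        chown radiusd:radiusd "$d"
    fi
    printf '%s\n' "$d"
}

# Steps 11 and 12: stage the client's AIK CSR and golden PCR block.
stage_client_files() {
    src="$1"; host="$2"; dest="$3"
    mkdir -p "$dest"
    cp "$src/aik_${host}_csr.pem" "$src/$host.pcr" "$dest/"
}

# Usage: sudo ./pdp_setup.sh client1 192.168.6.100 rad123 haptest 'key-password' /media/thumb
if [ $# -eq 6 ]; then
    host="$1"; nas_ip="$2"; secret="$3"; short="$4"; pw="$5"; thumb="$6"
    grep -q "^client $nas_ip" "$RADDB/clients.conf" || \
        client_stanza "$nas_ip" "$secret" "$short" >> "$RADDB/clients.conf"
    set_eap_tls "$RADDB/eap.conf" "$pw"
    service radiusd restart                          # step 8
    make_client_dir "$ATTEST" "$host"
    service kmdaemon restart                         # step 10
    stage_client_files "$thumb" "$host" "$PDPWORK"
    cp "$ATTEST/PDPCA/pdpca_cert.pem" "$thumb/"      # step 13
fi
```

Because the stanza is appended rather than edited, the sample client 10.0.11.112 entry that ships in clients.conf should still be deleted by hand; a stale client entry with a known secret is exactly the kind of leftover an audit should not find. The eap.conf edit matches the keys at the start of a line, so commented-out defaults are left alone and the check at the end of set_eap_tls fails if the tls section did not contain the expected keys.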

On the Client System

  1. Copy the file pdpca_cert.pem from the thumb drive to /etc/attest.

  2. Restart the attestation service on the client by executing the command # service attestation restart, so that it picks up the PDP CA certificate.


Related

Wiki: Attestation Utilities
Wiki: Client Registration
Wiki: Home
Wiki: Integrity Measurement Collector
Wiki: Key Manager
Wiki: Platform Trust Services
Wiki: RIMM Library
Wiki: RIMM Tools
Wiki: TCG Interface Library
Wiki: Trusted Network Connect Client
Wiki: Verify IMR
Wiki: freeradius-server
Wiki: hostimserver
Wiki: kernel2.6.18
Wiki: trousers
Wiki: wpa-supplicant
