jonah instructions.htm

IBM提供的CA认证系统

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="Author" content="Michael S. Shanzer">
   <title>Jonah Instructions</title>
</head>
<body>

<center>
<h1>
Jonah PKIX Freeware Code</h1></center>

<center>
<h2>
Snapshot 4</h2></center>
This document describes how to build, install and run snapshot 4 of the
Jonah PKIX freeware code. Jonah is a freeware implementation of the PKIX
standards. It implements RFC-2459, RFC-2510, RFC-2511, and RFC-2587. The
code is a Java GUI built on top of a C++ back end. Crypto, LDAP, and PKCS
#11 interfaces are provided by CDSA. The freeware code uses Cylink's Foundation
Suite cryptographic toolkit for the underlying cryptography. There was
a paper published in the 8th USENIX Security Symposium Proceedings on Jonah.
A copy of the paper can be found at <a href="http://www.foobar.com/papers/usenix-jonah.html">http://www.foobar.com/papers/usenix-jonah.html</a>.
The mailing list <b><tt><nobr><a href="mailto:imc-pfl@imc.org">imc-pfl@imc.org</a></nobr></tt></b>
should be used for any questions or discussion of the Jonah freeware.
<p>
The code includes CDSA and CSSM code based on version 1.2 of CDSA, which is
now obsolete. The latest (as of this writing 05/03/00) enhanced CDSA 
specification is available at 
<A HREF="http://www.opengroup.org/publications/catalog/c902.htm">
http://www.opengroup.org/publications/catalog/c902.htm</A>)
<p>
Intel has decided to "open source" the Intel CDSA reference
implementation. Intel is presently finishing its implementation of the
enhanced specification (called CDSA Version 2 Release 3.0) which will be
available in May 2000.  This implementation is also being ported to Linux.
<p>
Based upon these changes, we suggest that any active development employing
CDSA interfaces be targeted at the new CDSA Version 2 Release 3.0 code base
available starting in May 2000 at 
<A HREF="http://developer.intel.com/ial/security/">
http://developer.intel.com/ial/security</A> 
and other "open source" mirror sites.
<p>
Distributors of this software should be aware that in spite of changes
to U.S. Export regulations allowing "open source" security software to
be more freely exported, that export or reexport to countries for which
the U.S. has an "embargoed goods" policy remains prohibited and distributors
of this software are bound by the license agreement to comply with all
applicable laws and regulations.
<p>This document is divided into the following sections:
<ul>
<li>
<a href="#building">Building Jonah on Solaris and/or Windows</a></li>

<li>
<a href="#installation">Installing Jonah</a></li>

<li>
<a href="#running">Running Jonah</a></li>
</ul>

<hr>
<h2>
<a NAME="building"></a>Building Jonah on Solaris and/or Windows</h2>

<h3>
Prerequisites</h3>
Prerequisites for building Jonah for Windows:
<ul>
<li>
Microsoft Windows NT, Version 4, Service Pack 3</li>

<li>
Microsoft Visual C++, Version 5 or 6</li>

<li>
Mortice Kern Systems MKS Toolkit, Version 6.1 (Any UNIX tools package for
windows might work, but we only tested with MKS).</li>

<li>
Sun JDK, Version 1.1.7 or higher
</li>
</ul>
Prerequisites for building Jonah for Solaris:
<ul>
<li>
Solaris 2.7</li>

<li>
Sun Works 5.0 C/C++ compiler with the following patches:</li>

<ul>
<li>
107311-05</li>

<li>
107357-02</li>

<li>
106327-05</li>

<li>
107289-03</li>
</ul>

<li>
Sun JDK, Version 1.1.7 or higher</li>
</ul>
All the above software must be installed on the build machine. If possible,
default directory locations should be chosen during software installation.
<p>Prerequisites for running Jonah:
<ul>
<li>
Microsoft Windows NT, Version 4, Service Pack 3 or Solaris 2.7</li>

<li>
Sun JRE R1.1.6 or higher</li>
</ul>

<h3>
Files</h3>
This snapshot provides full source for all components of Jonah.
<p>This snapshot of Jonah is divided into several gziped tar files. 
These files
are:
<ul>
<li>
<b><a href="ode-binaries.tar.gz">ode-binaries</a></b> - ODE executables for
Windows and Solaris. ODE is used to build jonah.</li>

<li>
<b><a href="jonah-src.tar.gz">jonah-src</a></b> - The main Jonah source tree.</li>

<li>
<b><a href="cylink.tar.gz">cylink</a></b> - The Cylink Foundation Suite
cryptographic toolkit.</li>
</ul>
Each file should be unzipped into its own directory, taking care to preserve
any stored directory structure while unzipping the archives.
<h3>
Changes since previous snapshot</h3>

<ul>
<li>
Solaris port</li>

<li>
bootstrap and installation procedure</li>

<li>
message protection has been implemented</li>

<li>
bug fixes / interopabilty changes</li>
</ul>

<h3>
Overview of the main build process</h3>
The Jonah build environment is based on the Open Group's "Open Development
Environment" (ODE) which allows multiple developers to work simultaneously
on a common source tree, with each developer creating a "sandbox" in which
she can edit, compile and test code for any part of the system, prior to
publishing it by placing it back in the common tree. A sandbox is a sparsely
populated copy of the common source tree ("backing tree"). The build process
is designed to look for required files first in the sandbox, and only if
they are not found will the build process search the backing tree for them.
<ol>
<li>
First, unpack the ODE tools. We shipped ODE binaries for Sparc/Solaris
and Intel/Windows NT. If you want to build your own ODE binaries the sources
are available from <a href="ftp://ftp.opengroup.org/pub/dce122/ode">ftp://ftp.opengroup.org/pub/dce122/ode</a>. The directory that you extracted
ODE into will be referred to as <strong>$ODEDIR</strong></li>

<li>
Add the ODE tools directory to your path (<strong>$ODEDIR</strong>\i386_win32 for Windows
<strong>$ODEDIR</strong>/sparc_solaris for Solaris)</li>

<li>
Make the directory to store the jonah src tree (referred to as <strong>$JONAHDIR</strong>)
and extract the contents of 04-Jonah.ZIP into that directory</li>

<li>
Jonah requires three PKCS#11 header files that are available from RSA Labs.
These header files can be found on the RSA Labs' web site at
<a href="http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html">http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html</a>. <b>Go
to the&nbsp;<italic>2.01</italic> section</b>, and download <b>pkcs11.h</b>,
<b>pkcs11t.h</b> and <b>pkcs11f.h</b> into <b><strong>$JONAHDIR</strong>/src/Include</b>.</li>

<br><i>Please make sure you get the header files from the <b>2.01</b> section.
Not 2.0 or 2.10 but 2.01.</i>
<li>
Make a directory to contain your sandboxes (directory referred to as <strong>$SANDBOXDIR</strong>)</li>

<li>Check and change if necessary the setting of <strong>JDKDIR</strong>
and <strong>JDKDRIVE</strong> in 
<tt><strong>$JONAHDIR/rules_mk/std.mk</strong></tt> to make sure the settings
correspond to where the JDK has been installed. <strong>JDKDRIVE</strong>
should only be used on Windows, and it should be set to the drive letter and
trailing ':' that the JDK is installed on for example:
<tt>JDKDRIVE ?= d:</tt>
</li>

<li>
create a sandbox using the following command:
<br><i><strong>$SANDBOX</strong> is the name of the sandbox. A directory with this name well
be created in <strong>$SANDBOXDIR</strong>.</i>
</li>

<br><tt>mksb -back <strong>$JONAHDIR</strong> -dir <strong>$SANDBOXDIR</strong> <strong>$SANDBOX</strong></tt>
<br>
If this is the first time you have created a sandbox mksb asks you for a list
machines that this sandbox is going to be used on. You can just hit return
to get the default answer of all the platforms listed there, or you can 
type in a colon seperated list of machines (i386_win32 & sparc_solaris are the
only two that have been tested). If you specify more then one machine the same
sandbox can be used to build jonah on different platforms.
<li>
Jonah uses CDSA to allow different Crypto Service Providers (CSP) to be
dynamically chosen. The Jonah freeware implementation uses the <b>Cylink
Foundation Suite</b> as its CSP. The suite must be obtained and built according
to the instructions found <a href="cylink.html">elsewhere</a>. Once built:</li>

<ul>
<li>
locate the <b>CTK</b> subdirectory in the toolkit and copy the object library
<b>(On NT: full.lib or on Solaris: full.a)</b> into your backing tree:
<br><tt><nobr><strong>$JONAHDIR</strong>/src/CDSA/imports/CYLINK/ctk/libcylink.a</nobr>
</tt> for Solaris
<br><tt><nobr><strong>$JONAHDIR</strong>/src/CDSA/imports/CYLINK/ctk/cylink.lib</nobr></tt><b> for
NT</b>
<li>
copy all of the header files from CTK/Include directory from the Cylink
toolkit into your backing tree:
<br><tt><nobr><strong>$JONAHDIR</strong>/src/CDSA/imports/CYLINK/ctk/include</nobr></tt></ul>

<li>
Start working on that sandbox by using the following command:</li>

<br><tt>workon -sb <strong>$SANDBOX</strong></tt>
<br>This starts up a new shell with the working directory being <tt><strong>$SANDBOXDIR</strong>/<strong>$SANDBOX</strong>/src</tt>
<li>
The jonah tree contains some tools that are needed to build the rest of
jonah. To build these tools run:</li>

<br><tt>build setup_all</tt>
<br>this builds the tools and installs them in:
<tt><strong>$SANDBOXDIR</strong>/<strong>$SANDBOX</strong>/tools/<strong>$ARCH</strong>/bin</tt>
(where <strong>$ARCH</strong> is either sparc_solaris or i386_win32). This directory should
either be added to your path or the contents should be copied somewhere
that is in your path.
<li>
Build the rest of jonah by running the command:</li>

<br><tt>build</tt>
<li>
Once the build has successfully completed you need to run:</li>

<br><tt>build install_all</tt>
<br>This takes all the libraries and programs that are needed to run jonah
and copies them to <tt><strong>$SANDBOXDIR</strong>/<strong>$SANDBOX</strong>/ship/<strong>$ARCH</strong>/jonah_gui</tt>.
<hr>
<h2>
<a NAME="installation"></a>Installing Jonah</h2>
On each computer on which you wish to run a Jonah component (CA, RA or
end-entity), you must perform the following installation tasks:
<ol>
<li>
If you do not have the Java Runtime Environment (JRE) 1.1.6 or higher on
the computer, you must install it. It may be obtained from the Sun website
at <a href="http://java.sun.com/products/jdk/1.1/jre/index.html">http://java.sun.com/products/jdk/1.1/jre/index.html</a>.
If possible, accept the default installation directory. Make sure that
the directory with the jre executable is in your path.</li>

<li>
Copy the contents of <tt><strong>$SANDBOXDIR</strong>/<strong>$SANDBOX</strong>/ship/<strong>$ARCH</strong>/jonah_gui</tt>
to some place that that is in your PATH (and on Solaris this directory
needs to be in your LD_LIBRARY_PATH as well). This directory will be referred
to as <b>$PKIXDIR</b>.</li>

<li>
The next step is to install the CDSA framework and the various plugins.
This is done by running an installer program for each each component. The
installer program stores some important information in one of two places.
On Windows it stores the information in the Windows Registry. On Solaris
it stores the information in a local DBM file. By default the file is created
in the current working directory and has a base name of CssmRegistry, and
all programs will look for this file in the current working directory when
they need it. This behavour is probably not very usefull, so you 
must set the following environment
variables:</li>
<ul>
<li>
<b>CSSM_ODMDIR</b> - Directory to create the files (default: '.')</li>

<li>
<b>CSSM_REGISTRYFILE</b> - Basename of the registry database files (default:
"CssmRegistry")</li>
</ul>
<b>These are only needed on solaris</b>
<p>Jonah comes with the following CDSA components with the name of the
installer program and library name
<table BORDER >
<tr>
<td><b>Component</b></td>

<td><b>Installer</b></td>

<td><b>NT Library</b></td>