jonah instructions.htm

IBM提供的CA认证系统

<td><b>Solaris Library</b></td>
</tr>

<tr>
<td>CSSM framework&nbsp;</td>

<td>install_cssm&nbsp;</td>

<td>cssm32.dll&nbsp;</td>

<td>libcssm32.so</td>
</tr>

<tr>
<td>Cylink CSP&nbsp;</td>

<td>install_ibmcylinkcsp&nbsp;</td>

<td>ibmcylinkcsp.dll&nbsp;</td>

<td>libibmcylinkcsp.so</td>
</tr>

<tr>
<td>Virtual Smart card&nbsp;</td>

<td>install_pkcsvsc&nbsp;</td>

<td>pkcsvsc.dll&nbsp;</td>

<td>libpkcsvsc.so</td>
</tr>

<tr>
<td>LDAP&nbsp;</td>

<td>install_ldapdl&nbsp;</td>

<td>ldapdl.dll&nbsp;</td>

<td>libldapdl.so</td>
</tr>

<tr>
<td>Trust Policy&nbsp;</td>

<td>install_jonahtp&nbsp;</td>

<td>jonahtp.dll&nbsp;</td>

<td>libjonahtp.so</td>
</tr>
</table>

<p>To fully install CDSA you need to run each of the installer programs.
It does not matter which order you run them in as long as they all get
run. There are two ways of running the installer program. The first way
is to specify all the information needed on the command line. The format
of this would be:
<br><i><tt><nobr>install_program libraryname </nobr></tt></i><tt><nobr><b>$PKIXDIR</b>
install</nobr></tt
<br>So for example if I want to install the CDSA framework on NT and I
had all of the PKIX libraries and executables in c:\pkix I would run the
following command:
<br><tt>install_cssm cssm32.dll c:\pkix install
</tt>If you have installed
an earlier snapshot of Jonah on the machine, you should first run the installers
and specify "uninstall" as the action.
<br>The other method of running the install programs is to not supply any
arguments and supply the information as it is prompted for.
<br>
There is a sample shell script and batch file call install_addins and
install_addins.bat located in <strong><tt>$PKIXDIR</tt></strong> that can
be modified to do the installs for you.
<li>
The next step is to install the prototype ini files on your system. The
ini files are located in: 
<strong><tt>$JONAHDIR</strong>/src/SampleINI/<strong>$ARCH</tt></strong>. 
These should
get copied to <b>c:\</b> on windows machines or <b>/etc</b> on Solaris.
See <a href="JonahINI.html">the ini file documentation</a> for information
on what is contained in these files.</li>

<li>
Now it is time to create a Virtual Smart Card (VSC) that will be used to
store the private keys and certificates for this entity. This is done by
running the <tt>initsc</tt> command. Depending on which entity you intend
to run on what machine determines the argument to initsc.</li>

<br>If you intend to run a CA you should run <tt>initsc -C</tt>
<br>For an RA you should run <tt>initsc -R</tt>
<br>and for an End Entity (EE) you should run <tt>initsc</tt>
<br>These can all be on the same machine or different machines. Where the
VSC lives is specified in the INI files. If you have installed jonah before
you should remove the smart card files before trying to run initsc again.
<br>initsc well prompt you for a user PIN and a SO pin. <strong>The user PIN is
what you will need most of the time, but you should remember both.</strong>
<li>
In <b><tt>$PKIXDIR</tt></b> there are three script files. One for starting
the CA, one for starting the RA, and one for starting the EE. On windows
these are called <tt>JonahCA.bat, JonahRA.bat, and JonahEE.bat.</tt> On
Solaris these are called <tt>run_ca, run_ra, and run_ee</tt> If your paths
and everything are set up correctly on windows the batch should work as
is. On solaris the script files will probably need to be edited. Near the
top of these shell scripts there is a line that looks like:</li>

<br><tt>PKIXDIR=/usr/pkix</tt>
<br>you should replace /usr/pkix with <b><tt>$PKIXDIR</tt></b>
<li>
If you installed a previous version of jonah, or you are trying to re-install
this version there are some files that need to be cleaned up before you
try to run. If you look in the INI file for the server you are trying to
install/re-install there is a section <b><tt>[ObjectStore]</tt></b> with
two settings in that section <tt>Name</tt> and <tt>Path</tt>. You should
delete all files in
<tt>Path</tt> that have a base name of <tt>Name</tt>
and any extension. So if you are on a Solaris machine and Path is set to
<tt>/tmp</tt> and name is set to <tt>jonahee</tt> you would do something
like:</li>

<br><tt>rm /tmp/jonahee.*</tt>
<li>
Get ready to run jonah!</li>
</ol>

<hr>
<h2>
<a NAME="running"></a>Running Jonah</h2>
OK, so now jonah has been built and installed now it is time to run.
<ol>
<li>
change directory to <strong>$PKIXDIR</strong></li>

<li>
start the CA by running <tt>JonahCA.bat</tt> on windows or <tt>run_ca</tt>
on solaris.</li>

<li>
You'll get put into the wizard to set up the CA. The first window describes
the various steps involved. Hit the <b>Next</b> button to start the process:</li>

<table BORDER >
<tr>
<td>Type in the X.500 distinguished name for the CA 
<i>(ex. /C=us/O=Iris Associates/OU=Jonah Development/CN=Jonah CA)</i>. 
You can either type the name in the text field or click on the properties 
button to use a tool to help compose the name. Click on <b>Next</b> 
when done.</td>

<td ALIGN=CENTER><img src="images/ca2.jpg" height=362 width=307></td>
</tr>

<tr>
<td>You must specify the hostname and port number that the CA should be
listening on for CMP messages. The default port is 829. Be warned that
829 is a UNIX reserved port, so if you pick 829 you need to run the CA
as root. Also, if you plan on running the CA and RA on the same machine
this needs to be different then the port the RA is going to listen on, and 
it would make sense to use 829 for the RA so you should pick a different port
for the CA.
Click on <b>Next</b> when done.</td>

<td ALIGN=CENTER><img src="images/ca3.jpg" height=362 width=307></td>
</tr>

<tr>
<td>The next window lets you specify the start and end dates for this CA's
self signed certificate. The default is for it to start today and last
for a year. Click on <b>Next</b> when done.</td>

<td ALIGN=CENTER><img src="images/ca4.jpg" height=362 width=307></td>
</tr>

<tr>
<td>The next dialog has you specify the key type and length. Currently
the only option that is supported in the key type section is <b><tt>EE
Generated (Local) Key</tt></b>. Selecting anything else should give you
an error dialog when you click on next. The only algorithm choice in the
freeware code is id-dsa, and you can pick either a 512 bit key or a 1024
bit key. Since this is a CA key there are certain key usage bits that have
to be set, and you can select some of the others if you desire. When you
are done with all the choices on this screen, click <b>Next</b>.</td>

<td ALIGN=CENTER><img src="images/ca5.jpg" height=362 width=307></td>
</tr>

<tr>
<td>The next window deals with CPS issues which is currently not supported
in Jonah, so just click <b>Next</b>.</td>

<td ALIGN=CENTER><img src="images/ca6.jpg" height=362 width=307></td>
</tr>

<tr>
<td>The next dialog has you specify max subtree length and permitted sub-trees
for naming constraints. Click <b>Next</b> when done.</td>

<td ALIGN=CENTER><img src="images/ca7.jpg" height=362 width=307></td>
</tr>

<tr>
<td>Now the CA is going to generate a key pair and a self signed cert.
It needs the PIN for the virtual smart cart (the User PIN you specified
when you ran initsc -C). Type this pin in the text area under
<tt>Certificate
Authority Password:</tt> and click <b>Next</b> when done. This is going
to generate a key so it might take a little bit of time before the next
window shows up.</td>

<td ALIGN=CENTER><img src="images/ca8.jpg" height=362 width=307></td>
</tr>

<tr>
<td>The next step writes out information to a file that will be needed
by an RA when it wants to register with a CA. This file contains the URL
for the CA and the CA's self signed certificate. There is nothing in this
file that needs to be protected so it can get published somewhere public.
After you specify the name of the file click <b>Next</b>.</td>

<td ALIGN=CENTER><img src="images/ca9.jpg" height=362 width=307></td>
</tr>

<tr>
<td>The CA has been bootstrapped, you can click on <b>Finish</b> to shut
down the server and then re-run it as you did in step 2.&nbsp;</td>

<td ALIGN=CENTER><img src="images/ca10.jpg" height=362 width=307></td>
</tr>

<tr>
<td>When you re-run the server you'll get a dialog saying that enrollment
needs to be performed. This is just telling you that you have a CA running
but it does not know about any RAs yet. Click on <b>OK</b></td>

<td ALIGN=CENTER><img src="images/raxx.jpg" height=117 width=270></td>
</tr>

<tr>
<td>When you start up the CA you are going to be prompted for the
virtual smart card User PIN so the CA can do its work. Type in the PIN
in the Password text area and click on <b>OK</b>.</td>

<td ALIGN=CENTER><img src="images/ca12.jpg" height=141 width=303></td>
</tr>

<tr>
<td ALIGN=CENTER COLSPAN="2">The CA is now up and running and waiting for
requests!</td>
</tr>
</table>

<li>
Now we need to go through a similar process for the RA. So start the RA
change directory to <strong>$PKIXDIR</strong> and run <tt>JonahRA.bat</tt> on windows or
<tt>run_ra</tt> on solaris.</li>

<li>
You'll get put into the wizard to set up the RA. This wizard is almost
identical to the wizard for setting up the CA. In fact the first 5 steps
from the above process are identical for the RA. The difference are: The
RA needs to have a different name from the CA, and the network configuration
might be different. If the RA and the CA are running on the same machine
you must make sure you pick different port numbers for each server. I would
recommend picking 829 (the default port specified in RFC-2510) for the
RA and picking a different number for the CA, but you can pick any numbers
you want (as long as you are root on Solaris, if you are not root, you
can pick any number you want over 1024).</li>

<table BORDER >
<tr>
<td>after you have gone through the first 5 dialogs you'll hit a new screen.
This is the LDAP configuration screen. Since the RA does all the communications
with the LDAP server for the CA the RA needs to know how to talk to LDAP.
This dialog is used for you to to specify the LDAP server, the authorization
name, and the authorization password. <b>warning! This information is going
to be stored in the RA's INI file! So you want to try and protect the INI
file from enemy hands! (yea</b><i>, I know, that is not great, but hey,
it's freeware).</i></td>

<td ALIGN=CENTER><img src="images/ra7.jpg" height=362 width=307></td>
</tr>

<tr>
<td>The next window prompts you for the User PIN for the RA's virtual smart
card. The RA is going to generate a key pair and a self signed cert and
store this on the VSC.</td>

<td ALIGN=CENTER><img src="images/ra8.jpg" height=362 width=307></td>
</tr>

<tr>
<td>The RA is now ready to be shut down and re-started. Click on <b>Finish</b>
and restart the RA by running the same command as before.</td>

<td ALIGN=CENTER><img src="images/ra9.jpg" height=362 width=307></td>
</tr>

<tr>
<td>When you re-start the RA you'll get the same enrollment message you
got when you restarted the CA. When you click on <b>OK</b></td>

<td ALIGN=CENTER><img src="images/raxx.jpg" height=117 width=270></td>
</tr>

<tr>
<td>You'll be prompted for the RA virtual smart card User PIN the same
way you were for the CA.&nbsp;</td>

<td ALIGN=CENTER><img src="images/ra11.jpg" height=141 width=303></td>
</tr>