(no commit message)

[devwiki.git] / trustrouterinfo.mdwn

<h2>BUILDING/INSTALLING A TRUST ROUTER</h2>

(Assumes you already have a Moonshot DVD installed.)

To check out the latest Moonshot code:

git clone --recursive git://git.project-moonshot.org/moonshot.git

The Trust Router depends on MIT Kerberos, OpenSSL, jansson and SQLite Version 3.  The dependencies for freeradius are discussed in the freeradius documentation.

To build and install a Trust Router, you need to separately 'make' and 'make install' in both the moonshot/trust_router and moonshot/freeradius-server directories, in that order.  The Moonshot Debian repositories include a moonshot-trust-router package and a freeradius package with Trust Router integration.  The Centos repository includes trust router packages but not Freeradius packages.

<h2>CONFIGURING A TRUST ROUTER</h2>

In addition to having a valid freeradius TLS/PSK configuration, a set of Trust Router and TID-specific configuration is required in order to use the Trust Router.

The Trust Router reads its configuration from a set of JSON configuration files (anything with a .cfg file extension) in the directory from which it is run.  These files can be generated by the
Moonshot Management Portal or configured by hand.  An example is found in the tr/portal.cfg and tr/manual.cfg files  in the trust_router sources.  Both files are needed.

The TIDC also requires specific configuration in the freeradius raddb/mods-available/realm configuration file.  Three new parameters have been added to the realm configuration: a default community (default_community), an RP realm (rp_realm) and a trust router (trust_router).  The default community will be used when no community is specified in a AAA request (over-riding on a per-request basis is TBD).  The RP realm is used in all TID requests from this proxy, and the trust_router is the IP address to which those requests will be sent.

For example:

realm suffix {<br/>
        format = suffix<br/>
        delimiter = "@"<br/>
        default_community = "testing.communities.ja.net"<br/>
        rp_realm = "painless-security.com"<br/>
        trust_router = "10.0.2.15"<br/>
}

In addition, the Freeradius RP will need credentials with which to access the trust router.  These credentials can be installed using the moonshot-webp command run as the same user freeradius runs as.  On debian, this is "freerad".

<h2>BRINGING UP/VERIFYING A TRUST ROUTER</h2>

To run all of the components needed to test the Trust Router, you will need to have at least two different nodes (or VMs) at different IP addresses.

On one node, you will run the IDP AAA Server and the TIDS.  The TIDS must run on the same machine as the AAA Server and have access to the keys database used by the AAA Server.  The TIDS is configured with the address where the AAA Server can be reached, and the filename of the SQL database.

Before running the IDP AAA Server, you will need to configure freeradius to use the SQL key database that will be shared with the TIDS.  This can be done by adding a file called 'psk' to the /etc/freeradius/mods-enabled directory with the following contents:

sql psksql {<br/>
  driver = "rlm_sql_sqlite"<br/>
  sqlite {<br/>
    filename = "/var/tmp/keys"<br/>
  }<br/>
}<br/>

You will also need to add 'psksql' to the existing 'instantiate' section in etc/freeradius/radiusd.conf.

Before running TIDS for the first time, create the SQL database using the following commands:

sqlite3 /var/tmp/keys<br/>
sqlite3>  create table psk_keys (keyid text primary key, key blob);<br/>
^D

Start the freeradius server (on Node-2, as root):>

root@debian:/opt/moonshot/sbin# ./radiusd -fxx -l stdout

Start the TID Server (on Node-2, as root):

root@debian:/opt/moonshot/bin# ./tids 10.1.10.90 gss_id /var/tmp/keys

The IP address is the address of the AAA server sharing /var/tmp/keys

The gss_id is the GSS name that will be used by the trustrouter to connect to the TIDS.  For example if trustrouter@apc.painless-security.com is provisioned as the identity, then enter trustrouter@apc.painless-security.com.

On the second virtual machine, you will run the freeradius RP AAA Proxy (with built-in TIDC), the Trust Router, the GSS Server and the GSS Client.  For example:

Starting the freeradius RP AAA Proxy (on Node-1, as root):

root@moonshot-proxy:/usr/local/sbin# ./radiusd -fxx -l stdout

Starting the Trust Router (on Node-1, as root):

root@moonshot-proxy:/home/margaret/moonshot/trust_router/tr# ./tr 

Starting the GSS server (on Node-1, as root):

root@moonshot-proxy:/home/margaret# gss-server host@localhost

Starting the GSS client (on Node-1, any user):

margaret@moonshot-proxy:~$ gss-client -spnego 127.0.0.1 host@localhost "test message"