Difference between revisions of "Using an Aladdin eToken PRO to store grid certificates"

From PDP/Grid Wiki
Jump to navigationJump to search
 
(122 intermediate revisions by 4 users not shown)
Line 1: Line 1:
A very secure way to store grid certificates is on an Aladdin eToken (http://www.aladdin.com/eToken/default.asp). These tokens are so-called smartcards with a USB form factor. They can be used to securely generate and store X509 certificates and/or SSH keys. The public part of an X509 certificate can be accessed by an application, but the corresponding private key can never be copied off an eToken. This, in theory, makes such a device ideal for storing sensitive data such as grid certificates.
+
<table>
 +
<td>A very secure way to store grid certificates is on an Aladdin eToken (http://www.aladdin.com/eToken/default.asp). These tokens are so-called smartcards with a USB form factor. They can be used to securely generate and store X509 certificates and/or SSH keys. The public part of an X509 certificate can be accessed by an application, but the corresponding private key can never be copied off an eToken. This, in theory, makes such a device ideal for storing sensitive data such as grid certificates.
 +
</td>
 +
<td width="120">
 +
[[Image:EToken Blue Pro.png]]
 +
</td>
 +
</table>
 +
 
 +
This is an update to the original Aladdin eToken page. The old page can be found [[Using_an_Aladdin_eToken_PRO_to_store_grid_certificates_(Old)|here]].
  
 
==Platform support==
 
==Platform support==
Line 8: Line 16:
 
** Redhat Enterprise Linux 4 and compatible (Scientific Linux 4, CentOS 4)
 
** Redhat Enterprise Linux 4 and compatible (Scientific Linux 4, CentOS 4)
 
** Fedora Core 4 or higher
 
** Fedora Core 4 or higher
** Suse 10 or higher
+
** Suse 9.3 or higher
 
* MacOS X
 
* MacOS X
  
 
This document tries to explain the ''tinkering'' ...
 
This document tries to explain the ''tinkering'' ...
  
Note that not all functions are available on all platforms. Currently , it is not possible to reformat an eToken on Linux. This can only be done on Windows (and perhaps MacOS, but this is untested).
+
'''Notes'''
 +
* not all functions are available on all platforms. Currently, it is not possible to reformat an eToken on Linux. This can only be done on Windows (and perhaps MacOS, but this is untested).
 +
* there is no native 64bit platform support. It is possible to use an eToken on an x86_64 architecture but it requires 32bit versions of all relevant tools (<tt>pcsc-lite</tt>, <tt>openssl</tt>, etc)
  
 
==Downloading the Aladdin eToken RTE software==
 
==Downloading the Aladdin eToken RTE software==
Line 19: Line 29:
 
Due to licensing restrictions we cannot supply the eToken drivers and libraries on this site, these need to be downloaded from Aladdin. You can find the required software on the web:
 
Due to licensing restrictions we cannot supply the eToken drivers and libraries on this site, these need to be downloaded from Aladdin. You can find the required software on the web:
 
* Windows: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/2c0/RTE_3.65.zip
 
* Windows: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/2c0/RTE_3.65.zip
* Linux: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/179/eToken_PKI_Client_for_Linux_v3_65.rar
+
* Linux: http://www.aladdin.ru/upload/iblock/609/eToken_PKI_Client_4_55_Linux.rar
* MacOS: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/973/PKI_3_65_Mac.zip
+
* Mac OS X: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/973/PKI_3_65_Mac.zip
 +
 
 +
If you're running Windows XP or Vista you can also use the newer PKI Client 4.5/4.55 software:
 +
* PKI Client 4.55: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/547/eToken_PKI_Client_4.55_Win.zip
 +
However, you need to make sure that your eToken is initialized in '''3.65 compatible mode''' under the '''Advanced Settings''' screen otherwise your token is inaccessible on any other platform than Windows.
  
 
(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do...)
 
(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do...)
Line 27: Line 41:
  
 
===Important===
 
===Important===
As of yet, do '''NOT''' install the PKI Client 4.0 software (Windows only)! eTokens initialized with this version of the Aladdin software are completely unusable by older releases. If you want to use your eToken on any other platform than Windows then stick with the RTE_3.65 software release instead.
+
Do '''NOT''' install the PKI Client 4.0 software (Windows only)! eTokens initialized with this version of the Aladdin software are completely unusable by older releases. If you want to use your eToken on any other platform than Windows then stick with the RTE_3.65 software release instead.
  
 
==Installing the Aladdin eToken RTE software==
 
==Installing the Aladdin eToken RTE software==
Line 33: Line 47:
 
===Windows===
 
===Windows===
 
Unzip the RTE_3.65.zip archive and install <tt>RTE_3.65.msi</tt> file. After rebooting the operating system should recognize the eToken automatically when it is inserted (a red light will start to glow inside the eToken).  
 
Unzip the RTE_3.65.zip archive and install <tt>RTE_3.65.msi</tt> file. After rebooting the operating system should recognize the eToken automatically when it is inserted (a red light will start to glow inside the eToken).  
 +
 +
The RTE software is now installed in "default" mode. To get a few more administration options, including a nifty <tt>initialization</tt> button in the eToken Properties screen, set/change the registry key
 +
  HKLM\SOFTWARE\Aladdin\eToken\eTProperties\Advanced:DWORD = 0x1F
 +
(default value is 0x1).
  
 
You can now continue on to [[#Testing_the_eToken_RTE_software|Testing the eToken RTE software]].
 
You can now continue on to [[#Testing_the_eToken_RTE_software|Testing the eToken RTE software]].
Line 38: Line 56:
 
===Linux===
 
===Linux===
  
====Prerequisites====
+
There are two ways to install the necessary tools:
Before running the installation script, verify that the PC/SC Lite <tt>pcscd</tt> deamon is installed on your box. The eToken installation script is '''very''' picky about the location where this deamon is installed and will refuse to continue if it is not present in
+
* manual installation using the Aladdin <tt>petoken</tt> installation script. You have chosen the difficult path. Instructions can be found in [[Aladdin eToken PRO Manual Installation]].
  /usr/local/sbin/pcscd
+
* install a package for your distribution which does all the hard work for you. There are two flavours: one for RPM based systems, and one for Debian based systems.<br>The RPM has been tested on
If your <tt>pcscd</tt> deamon is installed elsewhere then create a symlink.
+
** CentOS 4 / Scientific Linux 4 (rhel4), i686 and x86_64 architectures
 +
** Fedora Core 5 (fc5), i686 architecture
 +
** OpenSuSE 10.1, 10.3 (suse10), i686 architecture,<br>while the [[Installing the Debian eToken package|Debian package]] is known to work on
 +
** Debian 4.0 stable (codename etch)
 +
** Ubuntu 6.06 LTS
 +
** Ubuntu 7.04
  
====RHEL4 Pre-installation====
+
====Contents of the pre-built packages====
  
The [[Media:Mkproxy.tar.gz|Mkproxy.tar.gz]] tarball contains all the required binaries for RHEL4 compatible platforms. After unpacking the tarball, copy over the files to their respective locations:
+
The RPM and Debian packages contain the following.  
  cd ./rhel4
 
  cp -rp bin/*  /usr/local/bin
 
  cp -rp lib/*  /usr/local/lib
 
  cp -rp sbin/* /usr/local/sbin
 
  
====Running the Aladdin installation script====
+
* Aladdin eToken RTE 3.65 software (in binary form only).
Unpack the .rar file using
+
* the <tt>mkproxy</tt> script to generate grid proxies (see [[Using an Aladdin eToken PRO to generate grid proxies]] for details).
  rar x eToken_PKI_Client_for_Linux_v3_65.rar
+
* <tt>pkcs11-tool</tt> command from the <tt>opensc</tt> package ( http://www.opensc-project.org/ )
which will extract the files
+
* a patched version of the <tt>engine_pkcs11</tt> module, also from the <tt>opensc</tt> package ( http://www.opensc-project.org/ ). This patch allows for PINs longer than 11 characters.
* <tt>etoken-3-65.3-linux-Fedora-i386.tar.gz</tt> : Fedora Core 4 and higher
+
* a patched version of <tt>openssl</tt> v0.9.8d to allow the user to generate short-lived proxies (the patched file is x509.c; the patch has been submitted to the <tt>openssl-dev</tt> mailing list).
* <tt>etoken-3-65.3-linux-redhat-i386.tar.gz</tt> : Redhat Enterprise Linux 4 and higher
+
* system <tt>/etc/init.d</tt> startup scripts to correctly start the <tt>etokend</tt> and <tt>etsrvd</tt> daemons at system startup.
* <tt>etoken-3-65.3-linux-suse-i386.tar.gz</tt> : Novell Suse Linux
+
* hotplugging scripts to allow the correct hotplugging of your USB eToken device. These hotplugging scripts work on all Linux 2.6+ kernels, including 2.6.16 and above.
(and a few others) to the current directory.
+
* PC/SC-lite <tt>pcscd</tt> Smart Card daemon v1.3.1, plus system startup script.  
  
Extract the <tt>.tar.gz</tt> tarball that closest matches your Linux distribution. All files will be extracted to a directory <tt>etoken-3-65.3-linux-i386</tt>. <tt>cd</tt> into this directory and run the installation program:
+
All binaries are installed in <tt>/opt/etoken-pro</tt>. The system startup and configuration scripts are installed in their appropriate location.
  ./petoken install 4
 
where the number '''4''' indicates how many tokens you wish to support simultaneously (this is the default value).
 
  
  ./petoken install 4
+
====Debian packages====
  Starting Aladdin eTokend daemon:
+
Instructions for obtaining and installing the software for Debian based systems can be found [[Installing the Debian eToken package|here.]]
 
+
 
  Starting pcscd daemon:
+
====RPM packages====
 
+
Instructions on how to build and install the <tt>etoken-mkproxy</tt> rpm are [[Building and installing the eToken RPM|here]].
  Modifying /etc/ld.so.conf
 
  Aladdin Etoken RTE installation finished
 
  Warning: you have two pcscd installations (in /usr and in /usr/local)
 
  
Installation is complete. The installation script will have installed the appropriate deamons and <tt>/etc/init.d</tt> startup script, such that the eToken software is loaded at system startup. For more details, see [[#Linux_eToken_daemons|Linux eToken daemons]].
+
For Nikhef, SARA and IGTF members the following will also work:
 +
  # FC5:
 +
  rpm -ivh http://www.nikhef.nl/grid/ndpf/files/Aladdin-eToken/etoken-mkproxy/etoken-mkproxy-LATEST.fc5.i386.rpm
 +
  # RHEL4:
 +
  rpm -ivh http://www.nikhef.nl/grid/ndpf/files/Aladdin-eToken/etoken-mkproxy/etoken-mkproxy-LATEST.rhel4.i386.rpm
 +
  # Suse10:
 +
  rpm -ivh http://www.nikhef.nl/grid/ndpf/files/Aladdin-eToken/etoken-mkproxy/etoken-mkproxy-LATEST.suse10.i386.rpm
  
The <tt>petoken</tt> installation script is a total nightmare. If anything goes wrong during installation then the installation is aborted. You will need to run
+
====Manual installation====
  ./petoken uninstall
+
Instructions on how to manually install the Aladdin eToken software using the <tt>petoken</tt> install script can be found in
before you can continue.
+
[[Aladdin eToken PRO Manual Installation]].
'''However''' , the 'uninstall' command '''also''' erases the installation program itself, so you need to unpack the .tar.gz tarball again before you can continue.
 
  
====Post-installation cleanup====
+
====Differences between manual and packaged installations====
If you have installed the Aladdin RTE software on a Linux system which uses <tt>udev</tt> to provide hotplugging device support - i.e. Fedora Core 5 or any system running Linux kernel 2.6.16 or higher - then you need to do a post-installation cleanup. If this step is skipped your eToken will not be accessible after the next reboot.
+
There are some differences between manual installations and installation of the pre-built packages above:
  
1. install this version of [[Media:Etoken.conf|etoken.conf]] in <tt>/etc/reader.conf.d</tt>
+
Manual installation:
  # Aladdin eToken virtual reader #0
+
* Most of the files end up in <tt>/usr/local/bin</tt>, <tt>/usr/local/lib</tt> and <tt>/usr/local/sbin</tt>.
  FRIENDLYNAME    "AKS ifdh"
+
* the <tt>mkproxy</tt> script is not included in the manual installation. You can download it separately, including all required binaries by following the instructions in [[Using an Aladdin eToken PRO to generate grid proxies]].
  DEVICENAME      /dev/null
 
  LIBPATH          /usr/local/lib/aksifdh.so
 
  CHANNELID        0x11111111
 
   
 
  # Aladdin eToken virtual reader #1
 
  FRIENDLYNAME    "AKS ifdh"
 
  DEVICENAME      /dev/null
 
  LIBPATH          /usr/local/lib/aksifdh.so
 
  CHANNELID        0x11111112
 
   
 
  # Aladdin eToken virtual reader #2
 
  FRIENDLYNAME    "AKS ifdh"
 
  DEVICENAME      /dev/null
 
  LIBPATH          /usr/local/lib/aksifdh.so
 
  CHANNELID        0x11111113
 
   
 
  # Aladdin eToken virtual reader #3
 
  FRIENDLYNAME    "AKS ifdh"
 
  DEVICENAME      /dev/null
 
  LIBPATH          /usr/local/lib/aksifdh.so
 
  CHANNELID        0x11111114
 
  
2. install these [[Media:20-etoken.rules|20-etoken.rules]] in <tt>/etc/udev/rules.d</tt>:
+
Package installation:
+
* Most of the files end up in <tt>/opt/etoken-pro</tt>, with a single symlink in <tt>/usr/local/lib</tt>.
   ACTION=="add", SUBSYSTEM=="usb_device", \
+
* the package includes a patched version of the <tt>openssl x509</tt> command which allows you to specify short-lived certificates/proxies, much like the <tt>grid-proxy-init</tt> tool:
    SYSFS{idVendor}=="0529", SYSFS{idProduct}=="0600", SYSFS{product}=="Token 4.2*", \
+
   /opt/etoken-pro/bin/mkproxy --valid 4:00
      RUN="/etc/hotplug.d/usb/etoken.hotplug"
+
This patched version of the <tt>openssl</tt> command is now also included in the <tt>mkproxy</tt> tarballs.
  
3. install this version of the [[Media:etoken.hotplug|etoken.hotplug]] script in <tt>/etc/hotplug.d/usb</tt>:
+
===Mac OS X===
 +
You can use the eToken PRO on Mac OS X 10.4 and above in the same way as on Linux. Just download and install the [http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/973/PKI_3_65_Mac.zip Aladdin drivers] and the [http://www.nikhef.nl/grid/ndpf/files/Aladdin-eToken/etoken_mkproxy_1.41.dmg etoken_mkproxy package] (universal binaries).
  
  #!/usr/bin/perl
+
The latest 4.55 package for MacOSX is also at [http://www.aladdin.ru/upload/iblock/672/eToken_PKI_Client_4_55_Mac.zip at Aladdin.ru]
  use Socket;
 
  #use Data::Dumper;
 
   
 
  open STDERR, ">> /var/log/etoken.log";
 
   
 
  #print STDERR Dumper(\%ENV);
 
   
 
  # check environment
 
  die "Call with undefined environment is ignored" unless defined($ENV{"DEVNAME"}) && defined($ENV{"ACTION"});
 
   
 
  $device = $ENV{"DEVNAME"};
 
   
 
  # build request structure for insertion/removal
 
  $data_len = length($device) + 1;  # one more for null-terminator
 
  $magic = 0x55AAAA55;
 
  $insert_token = 1;
 
  $remove_token = 2;
 
  $command = ($ENV{ACTION} eq "add") ? $insert_token : $remove_token;
 
  $data = pack("IIIIIIa" . $data_len, $magic, 0, 0, $command, $data_len, 0, $device);
 
  $socket_name = "/var/tmp/.etokend";
 
   
 
  # open socket with eTokend
 
  socket (SOCK,PF_UNIX,SOCK_STREAM, 0) or die "socket: $!";
 
  connect (SOCK, sockaddr_un($socket_name)) or die "connect $socket_name: $!";
 
  print SOCK $data;
 
  close SOCK;
 
  
===MacOS===
+
The software installs into
Details not yet known.
+
/usr/local/etoken-pro
 +
by default.
  
 
===Testing the eToken RTE software===
 
===Testing the eToken RTE software===
Line 152: Line 126:
 
You can access your eToken using the software installed by the RTE_3.65.msi installation package (usually in Start->Programs->eToken).
 
You can access your eToken using the software installed by the RTE_3.65.msi installation package (usually in Start->Programs->eToken).
  
If you have installed Cygwin ( http://www.cygwin.com/ ) and the [[Media:Mkproxy.tar.gz|Mkproxy.tar.gz]] tarball you can also access your eToken using the <tt>pkcs11-tool</tt> command:
+
If you have installed Cygwin ( http://www.cygwin.com/ ) and the [[Media:Mkproxy-cygwin.tar.gz|Mkproxy-cygwin.tar.gz]] tarball you can also access your eToken using the <tt>pkcs11-tool</tt> command:
  
 
* start a Cygwin shell
 
* start a Cygwin shell
* go to the directory where you have unpacked the [[Media:Mkproxy.tar.gz|Mkproxy.tar.gz]] tarball
+
* go to the directory where you have unpacked the [[Media:Mkproxy-cygwin.tar.gz|Mkproxy-cygwin.tar.gz]] tarball
 
* type
 
* type
   cd cygwin/bin
+
   ./etoken-pro/bin/pkcs11-tool --module=$WINDIR\\system32\\etpkcs11.dll -L
  ./pkcs11-tool --module=$WINDIR\\system32\\etpkcs11.dll -L
+
to list all inserted tokens.
to list all inserted tokens (mind the double back-slashes!)
 
  
 
'''Note''' This works only if you are logged in locally on the Windows machine. This will '''not''' work when logging in remotely using either a Cygwin <tt>sshd</tt> service or Remote Desktop.
 
'''Note''' This works only if you are logged in locally on the Windows machine. This will '''not''' work when logging in remotely using either a Cygwin <tt>sshd</tt> service or Remote Desktop.
  
 
====Linux====
 
====Linux====
If you have installed either the <tt>opensc</tt> toolkit or the the [[Media:Mkproxy.tar.gz|Mkproxy.tar.gz]] tarball you can access your eToken using the <tt>pkcs11-tool</tt> command:
+
If you have installed the <tt>etoken-mkproxy</tt> RPM you can access your eToken using the <tt>pkcs11-tool</tt> command:
 +
  /opt/etoken-pro/bin/pkcs11-tool --module=/usr/local/lib/libetpkcs11.so -L
 +
which should return
 +
  Available slots:
 +
  Slot 0          AKS ifdh 00 00
 +
    token state:  uninitialized
 +
  Slot 1          (empty)
 +
  Slot 2          (empty)
 +
  Slot 3          (empty)
  
* go to the directory where you have unpacked the [[Media:Mkproxy.tar.gz|Mkproxy.tar.gz]] tarball
+
If you have performed a manual installation then you can find the <tt>pkcs11-tool</tt> in the tarball for your platform (or in the <tt>opensc</tt> toolkit):
 +
* FC5: [[Media:Mkproxy-fc5.tar.gz|Mkproxy-fc5.tar.gz]]
 +
* RHEL4: [[Media:Mkproxy-rhel4.tar.gz|Mkproxy-rhel4.tar.gz]]
 +
* Suse10: [[Media:Mkproxy-suse10.tar.gz|Mkproxy-suse10.tar.gz]]
 +
 
 +
Then
 +
* go to the directory where you have unpacked the <tt>Mkproxy-''<platform>''</tt> tarball
 
* type
 
* type
   export PATH=$PATH:''<platform>''/bin
+
   export PATH=$PATH:$PWD/etoken-pro/bin
 +
  export LD_LIBRARY_PATH=$PWD/etoken-pro/lib:$LD_LIBRARY_PATH
 
* then type
 
* then type
 
   pkcs11-tool --module=/usr/local/lib/libetpkcs11.so -L
 
   pkcs11-tool --module=/usr/local/lib/libetpkcs11.so -L
Line 181: Line 169:
 
Congratulations, your eToken is ready for use!
 
Congratulations, your eToken is ready for use!
  
===Linux eToken daemons===
+
====Mac OS X====
On Linux, the eToken RTE installation scripts sets up 3 daemons
 
* <tt>/etc/rc''N''.d/S10etoken -> ../init.d/etokend</tt>
 
* <tt>/etc/rc''N''.d/S20etoken -> ../init.d/pcscd</tt>
 
* <tt>/etc/rc''N''.d/S30etoken -> ../init.d/etsrvd</tt>
 
(Nice naming convention, eh?)
 
  
where ''N'' is the runlevel at which the daemons are started (usually 2345).
+
If you have installed the eToken PRO mkproxy package '''and''' the Aladdin drivers, you can open a terminal window with a command prompt and type (with the token inserted, of course):
  
The first deamon, <tt>etokend</tt>, is the low level daemon which talks to the eToken itself.
+
/usr/local/etoken-pro/bin/pkcs11-tool --module /usr/local/lib/libetpkcs11.so -L
  
The second deamon, <tt>pcscd</tt>, is the PC/SC card service. Unfortunately, the eToken installer '''overwrites''' any existing <tt>pcscd</tt> scripts. If you want, you can safely restore the <tt>pcscd</tt> script from your favorite Linux distribution. However, it is important that this daemon is started ''after'' the <tt>etokend</tt> daemon is started.
+
which should return:
 +
Available slots:
 +
Slot 0          AKS ifdh 0 0
 +
  token state:  uninitialized
 +
Slot 1          (empty)
  
The <tt>etsrvd</tt> daemon is started last. It is not strictly required to access your eToken, but it does speed up access by a factor of 2 or more. Sometimes this daemon does not seem to start at system boot-up, however. A manual (re)start of the daemon usually fixes this.
+
If this succeeds, your eToken is ready for use.
  
 
===Why not use the OpenSC tools?===
 
===Why not use the OpenSC tools?===
The OpenSC project ( http://www.opensc.org ) also provides driver software for Aladdin eTokens. However, the OpenSC software stack only supports eTokens running Siemens CardOS M4. Our eTokens use a newer version of the Siemens CardOS. On the eToken itself the CardOS version is printed ('''4.2B''') but you can also retrieve it on Linux using
+
The OpenSC project ( http://www.opensc-project.org/ ) also provides driver software for Aladdin eTokens. Versions up to and including 0.11.2 did not support the CardOS version used on our eTokens.
  
   # lsusb -v -d 0529:0600 | grep iProduct
+
'''Update:''' As of <tt>opensc-0.11.3</tt> CardOS version 4.2B is supported!
    iProduct                2 Token 4.25.1.2 2.6.189
+
 
This means that this eToken is running CardOS '''4.25.1.2''', which is ''not'' supported by OpenSC. Even the latest development version of OpenSC (cvs HEAD branch) , which claims support for CardOS 4.2+, cannot successfully connect to these eTokens.
+
The OpenSC <tt>cardos-info</tt> command still gives
 +
   Info : CardOS V4.2B (C) Siemens AG 1994-2005
 +
  Chip type: 123
 +
  Serial number: 26 57 ad 07 0f 21
 +
  Full prom dump:
 +
  33 66 00 45 CB CB CB CB 7B FF 26 57 AD 07 0F 21 3f.E....{.&W...!
 +
  00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
 +
  '''OS Version: 200.9 (unknown Version)'''
 +
  Current life cycle: 32 (administration)
 +
  Security Status of current DF:
 +
  Free memory : 0
 +
  ATR Status: 0x0 ROM-ATR
 +
  Packages installed:
 +
  Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
 +
  Free eeprom memory: 23167
 +
  System keys: PackageLoadKey (version 0xfe, retries 10)
 +
  System keys: StartKey (version 0xff, retries 10)
 +
  Path to current DF:
 +
  66 66 50 00 02 01 ffP...
 +
 
 +
but you can access the token using the <tt>opensc-explorer</tt> and <tt>pkcs15-*</tt> commands.
 +
 
 +
'''However'''....
 +
 
 +
it seems you can either use an eToken using the OpenSC software or (''XOR'') use Aladdin's proprietary software, that is, information stored on an eToken using the OpenSC is not visible to the Aladdin software and vice versa. Also, as the OpenSC software has no notion of 'FIPS compliant' it will (probably) not be possible to put the eToken in FIPS-compliant mode.
 +
 
 +
Thus, we stick with Aladdin's eToken software and our mixed set of utilities for now...
  
 
==Initializing your eToken (Windows only)==
 
==Initializing your eToken (Windows only)==
'''Note'''' Currently you can only initialize your eToken on the Windows platform. It will '''not''' work on Linux, especially changing the SOPIN is not working. This is most likely due to missing functionality in the Linux Aladdin RTE software.
+
'''Note''' Currently you can only initialize your eToken on the Windows platform. It will '''not''' work on Linux, especially changing the SOPIN is not working. This is most likely due to missing functionality in the Linux Aladdin RTE software.
  
 
To initialize your eToken for the first time you can use either the Windows client software (Start->Programs->eToken->eToken Properties) or you can use <tt>pkcs11-tool</tt> :
 
To initialize your eToken for the first time you can use either the Windows client software (Start->Programs->eToken->eToken Properties) or you can use <tt>pkcs11-tool</tt> :
Line 240: Line 253:
  
 
==Using your eToken in Firefox==
 
==Using your eToken in Firefox==
A very easy method for importing (or removing) keys in your eToken is to add the eToken as a Security Device in Firefox. To add your eToken as a security device , follow these steps
+
A very easy method for importing (or removing) keys in your eToken is to add the eToken as a Security Device in Firefox.
* Start Firefox
 
* (Linux) Go to Edit->Preferences->Advanced->Tab "Encryption"
 
* (Windows) Go to Tools->Options->Advanced->Tab "Encryption"
 
* Click on 'Security Devices'
 
You should see a screen similar to
 
  
[[Image:Cert firefox sec devices.png|this]].
+
This is explained in [[Using an Aladdin eToken with firefox]].
* Click on 'Load'
 
* In the next screen, enter a (possibly useful) name for this module and Click on 'Browse' to select the appropriate PKCS11 module
 
[[Image:Cert firefox load pkcs11.png]]
 
* (Linux) choose <tt>/usr/local/lib/libetpkcs11.so</tt>
 
* (Windows) choose <tt>%WINDIR%\\system32\\etpkcs11.dll</tt>
 
* Click 'OK'
 
You are now ready to use your eToken as a PKCS11 device within Firefox and can import your existing X509 grid certificate (in PKCS12 format!) into your browser. Make sure that you select the eToken as the security device where you want to store the grid certificate.
 
  
A similar procedure applies to Thunderbird, so that you can use an X509 certificate from your eToken to digitally sign your email messages with. In Thunderbird 1.5 , a similar screen can be found under Edit->Preferences->Privacy->Tab "Security".
+
==Generating or storing a grid certificate on the eToken==
 +
Now that you have initialized your eToken you can either generate a new certificate/private key pair on the eToken itself (very secure!) or you can load your existing grid certificate onto the eToken.  
  
==Generating or storing a grid certificate on the eToken==
+
This is explained in [[Storing your grid certificate on an Aladdin eToken]].
Now that you have initialized your eToken you can either generate a new certificate/private key pair on the eToken itself (very secure!) or you can load your existing grid certificate onto the eToken. This is explained in [[Storing your grid certificate on an Aladdin eToken]].
 
  
 
==Generating grid proxies using an eToken==
 
==Generating grid proxies using an eToken==
It is also possible to generate a grid proxy using the eToken. This is explained in [[Using an Aladdin eToken PRO to generate grid proxies]].
+
It is also possible to generate a grid proxy using the eToken.  
 +
 
 +
This is explained in [[Using an Aladdin eToken PRO to generate grid proxies]].
 +
 
 +
==Using an eToken in Java==
 +
Sun's Java SDK has pretty good support for external PKCS11 libraries. See
 +
http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html for details.
 +
 
 +
To use your eToken create a configuration file, e.g. /tmp/java-pkcs11.cfg:
 +
  name = eToken
 +
  library = /opt/etoken-pro/lib/libetpkcs11.so
 +
Now you can use the Java keytool to access your eToken:
 +
  # keytool -keystore NONE -storetype PKCS11 -list \
 +
    -providerClass sun.security.pkcs11.SunPKCS11 \
 +
    -providerArg  /tmp/java-pkcs11.cfg
 +
  Enter keystore password:
 +
 
 +
  Keystore type: PKCS11
 +
  Keystore provider: SunPKCS11-eToken
 +
 
 +
  Your keystore contains 1 entry
 +
 
 +
  (eTCAPI) Jan Just Keijser's NIKHEF ID, PrivateKeyEntry,
 +
  Certificate fingerprint (MD5): 39:04:61:C9:D8:8F:0D:2E:F0:59:B5:59:28:06:7D:47
 +
To avoid having to type
 +
  -providerClass sun.security.pkcs11.SunPKCS11 \
 +
  -providerArg  /tmp/java-pkcs11.cfg
 +
you can statically configure the java.security file: add a line
 +
  security.provider.9=sun.security.pkcs11.SunPKCS11 <PATH>/java-pkcs11.cfg
 +
to the <tt>$JAVA_HOME/jre/lib/security/java.security</tt> file and now you can use
 +
  # keytool -keystore NONE -storetype PKCS11 -list
 +
to get the same output as before.

Latest revision as of 11:17, 5 December 2019

A very secure way to store grid certificates is on an Aladdin eToken (http://www.aladdin.com/eToken/default.asp). These tokens are so-called smartcards with a USB form factor. They can be used to securely generate and store X509 certificates and/or SSH keys. The public part of an X509 certificate can be accessed by an application, but the corresponding private key can never be copied off an eToken. This, in theory, makes such a device ideal for storing sensitive data such as grid certificates.

EToken Blue Pro.png

This is an update to the original Aladdin eToken page. The old page can be found here.

Platform support

With some tinkering it is possible to use an eToken on

  • Windows
  • Linux:
    • Redhat Enterprise Linux 4 and compatible (Scientific Linux 4, CentOS 4)
    • Fedora Core 4 or higher
    • Suse 9.3 or higher
  • MacOS X

This document tries to explain the tinkering ...

Notes

  • not all functions are available on all platforms. Currently, it is not possible to reformat an eToken on Linux. This can only be done on Windows (and perhaps MacOS, but this is untested).
  • there is no native 64bit platform support. It is possible to use an eToken on an x86_64 architecture but it requires 32bit versions of all relevant tools (pcsc-lite, openssl, etc)

Downloading the Aladdin eToken RTE software

Due to licensing restrictions we cannot supply the eToken drivers and libraries on this site, these need to be downloaded from Aladdin. You can find the required software on the web:

If you're running Windows XP or Vista you can also use the newer PKI Client 4.5/4.55 software:

However, you need to make sure that your eToken is initialized in 3.65 compatible mode under the Advanced Settings screen otherwise your token is inaccessible on any other platform than Windows.

(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do...)

To unpack the Linux archive, the rar command is required.

Important

Do NOT install the PKI Client 4.0 software (Windows only)! eTokens initialized with this version of the Aladdin software are completely unusable by older releases. If you want to use your eToken on any other platform than Windows then stick with the RTE_3.65 software release instead.

Installing the Aladdin eToken RTE software

Windows

Unzip the RTE_3.65.zip archive and install RTE_3.65.msi file. After rebooting the operating system should recognize the eToken automatically when it is inserted (a red light will start to glow inside the eToken).

The RTE software is now installed in "default" mode. To get a few more administration options, including a nifty initialization button in the eToken Properties screen, set/change the registry key 

 HKLM\SOFTWARE\Aladdin\eToken\eTProperties\Advanced:DWORD = 0x1F

(default value is 0x1).

You can now continue on to Testing the eToken RTE software.

Linux

There are two ways to install the necessary tools:

  • manual installation using the Aladdin petoken installation script. You have chosen the difficult path. Instructions can be found in Aladdin eToken PRO Manual Installation.
  • install a package for your distribution which does all the hard work for you. There are two flavours: one for RPM based systems, and one for Debian based systems.
    The RPM has been tested on
    • CentOS 4 / Scientific Linux 4 (rhel4), i686 and x86_64 architectures
    • Fedora Core 5 (fc5), i686 architecture
    • OpenSuSE 10.1, 10.3 (suse10), i686 architecture,
      while the Debian package is known to work on
    • Debian 4.0 stable (codename etch)
    • Ubuntu 6.06 LTS
    • Ubuntu 7.04

Contents of the pre-built packages

The RPM and Debian packages contain the following.

  • Aladdin eToken RTE 3.65 software (in binary form only).
  • the mkproxy script to generate grid proxies (see Using an Aladdin eToken PRO to generate grid proxies for details).
  • pkcs11-tool command from the opensc package ( http://www.opensc-project.org/ )
  • a patched version of the engine_pkcs11 module, also from the opensc package ( http://www.opensc-project.org/ ). This patch allows for PINs longer than 11 characters.
  • a patched version of openssl v0.9.8d to allow the user to generate short-lived proxies (the patched file is x509.c; the patch has been submitted to the openssl-dev mailing list).
  • system /etc/init.d startup scripts to correctly start the etokend and etsrvd daemons at system startup.
  • hotplugging scripts to allow the correct hotplugging of your USB eToken device. These hotplugging scripts work on all Linux 2.6+ kernels, including 2.6.16 and above.
  • PC/SC-lite pcscd Smart Card daemon v1.3.1, plus system startup script.

All binaries are installed in /opt/etoken-pro. The system startup and configuration scripts are installed in their appropriate location.

Debian packages

Instructions for obtaining and installing the software for Debian based systems can be found here.

RPM packages

Instructions on how to build and install the etoken-mkproxy rpm are here.

For Nikhef, SARA and IGTF members the following will also work: 

 # FC5:
 rpm -ivh http://www.nikhef.nl/grid/ndpf/files/Aladdin-eToken/etoken-mkproxy/etoken-mkproxy-LATEST.fc5.i386.rpm
 # RHEL4:
 rpm -ivh http://www.nikhef.nl/grid/ndpf/files/Aladdin-eToken/etoken-mkproxy/etoken-mkproxy-LATEST.rhel4.i386.rpm
 # Suse10:
 rpm -ivh http://www.nikhef.nl/grid/ndpf/files/Aladdin-eToken/etoken-mkproxy/etoken-mkproxy-LATEST.suse10.i386.rpm

Manual installation

Instructions on how to manually install the Aladdin eToken software using the petoken install script can be found in Aladdin eToken PRO Manual Installation.

Differences between manual and packaged installations

There are some differences between manual installations and installation of the pre-built packages above:

Manual installation:

  • Most of the files end up in /usr/local/bin, /usr/local/lib and /usr/local/sbin.
  • the mkproxy script is not included in the manual installation. You can download it separately, including all required binaries by following the instructions in Using an Aladdin eToken PRO to generate grid proxies.

Package installation:

  • Most of the files end up in /opt/etoken-pro, with a single symlink in /usr/local/lib.
  • the package includes a patched version of the openssl x509 command which allows you to specify short-lived certificates/proxies, much like the grid-proxy-init tool:
 /opt/etoken-pro/bin/mkproxy --valid 4:00

This patched version of the openssl command is now also included in the mkproxy tarballs.

Mac OS X

You can use the eToken PRO on Mac OS X 10.4 and above in the same way as on Linux. Just download and install the Aladdin drivers and the etoken_mkproxy package (universal binaries).

The latest 4.55 package for MacOSX is also at at Aladdin.ru

The software installs into 

/usr/local/etoken-pro

by default.

Testing the eToken RTE software

Windows

You can access your eToken using the software installed by the RTE_3.65.msi installation package (usually in Start->Programs->eToken).

If you have installed Cygwin ( http://www.cygwin.com/ ) and the Mkproxy-cygwin.tar.gz tarball you can also access your eToken using the pkcs11-tool command: 

 ./etoken-pro/bin/pkcs11-tool --module=$WINDIR\\system32\\etpkcs11.dll -L

to list all inserted tokens.

Note This works only if you are logged in locally on the Windows machine. This will not work when logging in remotely using either a Cygwin sshd service or Remote Desktop.

Linux

If you have installed the etoken-mkproxy RPM you can access your eToken using the pkcs11-tool command: 

 /opt/etoken-pro/bin/pkcs11-tool --module=/usr/local/lib/libetpkcs11.so -L

which should return 

 Available slots:
 Slot 0           AKS ifdh 00 00
   token state:   uninitialized
 Slot 1           (empty)
 Slot 2           (empty)
 Slot 3           (empty)

If you have performed a manual installation then you can find the pkcs11-tool in the tarball for your platform (or in the opensc toolkit):

Then

  • go to the directory where you have unpacked the Mkproxy-<platform> tarball
  • type
 export PATH=$PATH:$PWD/etoken-pro/bin
 export LD_LIBRARY_PATH=$PWD/etoken-pro/lib:$LD_LIBRARY_PATH
  • then type
 pkcs11-tool --module=/usr/local/lib/libetpkcs11.so -L

which should return 

 Available slots:
 Slot 0           AKS ifdh 00 00
   token state:   uninitialized
 Slot 1           (empty)
 Slot 2           (empty)
 Slot 3           (empty)

Congratulations, your eToken is ready for use!

Mac OS X

If you have installed the eToken PRO mkproxy package and the Aladdin drivers, you can open a terminal window with a command prompt and type (with the token inserted, of course): 

/usr/local/etoken-pro/bin/pkcs11-tool --module /usr/local/lib/libetpkcs11.so -L

which should return: 

Available slots:
Slot 0           AKS ifdh 0 0
  token state:   uninitialized
Slot 1           (empty)

If this succeeds, your eToken is ready for use.

Why not use the OpenSC tools?

The OpenSC project ( http://www.opensc-project.org/ ) also provides driver software for Aladdin eTokens. Versions up to and including 0.11.2 did not support the CardOS version used on our eTokens.

Update: As of opensc-0.11.3 CardOS version 4.2B is supported!

The OpenSC cardos-info command still gives 

 Info : CardOS V4.2B (C) Siemens AG 1994-2005
 Chip type: 123
 Serial number: 26 57 ad 07 0f 21
 Full prom dump:
 33 66 00 45 CB CB CB CB 7B FF 26 57 AD 07 0F 21 3f.E....{.&W...!
 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
 OS Version: 200.9 (unknown Version)
 Current life cycle: 32 (administration)
 Security Status of current DF:
 Free memory : 0
 ATR Status: 0x0 ROM-ATR
 Packages installed:
 Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
 Free eeprom memory: 23167
 System keys: PackageLoadKey (version 0xfe, retries 10)
 System keys: StartKey (version 0xff, retries 10)
 Path to current DF:
 66 66 50 00 02 01 ffP...

but you can access the token using the opensc-explorer and pkcs15-* commands.

However....

it seems you can either use an eToken using the OpenSC software or (XOR) use Aladdin's proprietary software, that is, information stored on an eToken using the OpenSC is not visible to the Aladdin software and vice versa. Also, as the OpenSC software has no notion of 'FIPS compliant' it will (probably) not be possible to put the eToken in FIPS-compliant mode.

Thus, we stick with Aladdin's eToken software and our mixed set of utilities for now...

Initializing your eToken (Windows only)

Note Currently you can only initialize your eToken on the Windows platform. It will not work on Linux, especially changing the SOPIN is not working. This is most likely due to missing functionality in the Linux Aladdin RTE software.

To initialize your eToken for the first time you can use either the Windows client software (Start->Programs->eToken->eToken Properties) or you can use pkcs11-tool : 

 pkcs11-tool --module $WINDIR\\system32\\etpkcs11.dll --init-token --label "Your Label" --so-pin Your_New_SO_PIN

where Your_New_SO_PIN is the new Security Officer Password. You will be prompted for the existing SOPIN (through a pop window). The default value for the SOPIN is '1234567890' After typing in the correct (old) SOPIN you will see a message like this: 

 Token successfully initialized

You can now use 

 pkcs11-tool ---module $WINDIR\\system32\\etpkcs11.dll -L

to view the status of your eToken: 

 Available slots:
 Slot 0           AKS ifdh 00 00
   token state:   uninitialized
 Slot 1           (empty)

As you can see it remains in the status "uninitialized" but it is ready for use.

Initializing your user PIN

After initializing or reformatting your eToken you must initialize the user password ('PIN') before you can store any data on it. Initializing the user PIN can be done on both Windows and Linux.

Note

On Windows 

 PKCS11_MOD=$WINDIR\\system32\\etpkcs11.dll

On Linux 

 PKCS11_MOD=/usr/local/lib/libetpkcs11.so

The user PIN is initialized using 

 # pkcs11-tool --module $PKCS11_MOD --init-pin
 Please enter SO PIN:
 Please enter the new PIN:
 Please enter the new PIN again:
 User PIN successfully initialized

Please choose your user PIN carefully. It must be between 6 to 12 characters long. If your PIN is more than 12 characters then you will not be able to access your eToken using openssl commands , nor will you be able to generate grid proxies using your eToken!

Using your eToken in Firefox

A very easy method for importing (or removing) keys in your eToken is to add the eToken as a Security Device in Firefox.

This is explained in Using an Aladdin eToken with firefox.

Generating or storing a grid certificate on the eToken

Now that you have initialized your eToken you can either generate a new certificate/private key pair on the eToken itself (very secure!) or you can load your existing grid certificate onto the eToken.

This is explained in Storing your grid certificate on an Aladdin eToken.

Generating grid proxies using an eToken

It is also possible to generate a grid proxy using the eToken.

This is explained in Using an Aladdin eToken PRO to generate grid proxies.

Using an eToken in Java

Sun's Java SDK has pretty good support for external PKCS11 libraries. See http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html for details.

To use your eToken create a configuration file, e.g. /tmp/java-pkcs11.cfg: 

 name = eToken
 library = /opt/etoken-pro/lib/libetpkcs11.so

Now you can use the Java keytool to access your eToken: 

 # keytool -keystore NONE -storetype PKCS11 -list \
   -providerClass sun.security.pkcs11.SunPKCS11 \
   -providerArg   /tmp/java-pkcs11.cfg 
 Enter keystore password:
 
 Keystore type: PKCS11
 Keystore provider: SunPKCS11-eToken
 
 Your keystore contains 1 entry
 
 (eTCAPI) Jan Just Keijser's NIKHEF ID, PrivateKeyEntry,
 Certificate fingerprint (MD5): 39:04:61:C9:D8:8F:0D:2E:F0:59:B5:59:28:06:7D:47

To avoid having to type 

 -providerClass sun.security.pkcs11.SunPKCS11 \
 -providerArg   /tmp/java-pkcs11.cfg

you can statically configure the java.security file: add a line 

 security.provider.9=sun.security.pkcs11.SunPKCS11 <PATH>/java-pkcs11.cfg

to the $JAVA_HOME/jre/lib/security/java.security file and now you can use 

 # keytool -keystore NONE -storetype PKCS11 -list

to get the same output as before.

Retrieved from "https://wiki.nikhef.nl/grid/index.php?title=Using_an_Aladdin_eToken_PRO_to_store_grid_certificates&oldid=10873"