Using an Aladdin eToken PRO to store grid certificates
A very secure way to store grid certificates is on an Aladdin eToken (http://www.aladdin.com/eToken/default.asp). These tokens are smartcards in a USB form factor. They can be used to securely generate and store X.509 certificates and/or SSH keys. The public part of an X.509 certificate can be read by an application, but the corresponding private key can never be copied off the eToken; signing and decryption happen on the token itself. This, in theory, makes such a device ideal for storing sensitive data such as grid certificates.
Platform support
With some tinkering it is possible to use an eToken on
- Windows
- Linux:
  - Redhat Enterprise Linux 4 and compatible (Scientific Linux 4, CentOS 4)
  - Fedora Core 4 or higher
  - Suse 10 or higher
- MacOS X
This document tries to explain the tinkering ...
Downloading the Aladdin eToken RTE software
Due to licensing restrictions we cannot supply the eToken drivers and libraries on this site; they need to be downloaded from Aladdin. You can find the required software on the web:
- Windows: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/2c0/RTE_3.65.zip
- Linux: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/179/eToken_PKI_Client_for_Linux_v3_65.rar
- MacOS: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/973/PKI_3_65_Mac.zip
(The files on Aladdin's Russian site do not require a password to unpack; the ones on the US site do.)
To unpack the Linux archive, the rar command is required.
Important
For now, do NOT install the PKI Client 4.0 software (Windows only)! eTokens initialized with this version of the Aladdin software are completely unusable by older releases. If you want to use your eToken on any platform other than Windows, stick with the RTE_3.65 software release instead.
Installing the Aladdin eToken RTE software
Windows
Unzip the RTE_3.65.zip archive and install the RTE_3.65.msi file. After rebooting, the operating system should recognize the eToken automatically when it is inserted (a red light will start to glow inside the eToken). You can now access your eToken using the software installed by the RTE_3.65.msi installation package (usually in Start->Programs->eToken).
If you have installed Cygwin ( http://www.cygwin.com/ ) and the Mkproxy.tar.gz tarball you can also access your eToken using the pkcs11-tool command:
- start a Cygwin shell
- go to the directory where you have unpacked the Mkproxy.tar.gz tarball
- type
cd cygwin/bin
./pkcs11-tool --module=c:\\windows\\system32\\etpkcs11.dll -L
to list all inserted tokens.
Linux
Prerequisites
Before running the installation script, verify that the PC/SC Lite pcscd daemon is installed on your system. The eToken installation script is very picky about the location of this daemon and will refuse to continue if it is not present at
/usr/local/sbin/pcscd
If your pcscd daemon is installed elsewhere, create a symlink at that path pointing to it.
Unpack the .rar file using
rar x eToken_PKI_Client_for_Linux_v3_65.rar
which will extract the files
- etoken-3-65.3-linux-Fedora-i386.tar.gz : Fedora Core 4 and higher
- etoken-3-65.3-linux-redhat-i386.tar.gz : Redhat Enterprise Linux 4 and higher
- etoken-3-65.3-linux-suse-i386.tar.gz : Novell Suse Linux
(and a few others) to the current directory.
Extract the .tar.gz tarball that most closely matches your Linux distribution. All files will be extracted to a directory etoken-3-65.3-linux-i386. Now, cd into this directory and run the installation program:
./petoken install 4
where the number 4 indicates how many tokens you wish to support simultaneously (this is the default value).
./petoken install 4
Starting Aladdin eTokend daemon:
Starting pcscd daemon:
Modifying /etc/ld.so.conf
Aladdin Etoken RTE installation finished
Warning: you have two pcscd installations (in /usr and in /usr/local)
Installation is complete.
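The pcscd prerequisite above is the step that most often stops the petoken installer. The following pre-flight helper is an added example, not part of the original page or of Aladdin's software: it checks for pcscd at the path the installer insists on and, if absent, creates the symlink from a candidate location. The first argument (the required path) and the candidate list are parameters of this example so it can be exercised in a scratch directory without root.

```sh
#!/bin/sh
# ensure_pcscd_symlink REQUIRED_PATH [CANDIDATE ...]
#   REQUIRED_PATH: where petoken expects pcscd (default /usr/local/sbin/pcscd)
#   CANDIDATE:     locations to look for an installed pcscd; when none are
#                  given, the usual distribution paths are tried.
# Returns 0 when pcscd is present at REQUIRED_PATH (already, or after linking),
# 1 when no pcscd binary could be found.
ensure_pcscd_symlink() {
    required="${1:-/usr/local/sbin/pcscd}"
    [ $# -gt 0 ] && shift
    if [ $# -eq 0 ]; then
        # No candidates supplied: use typical package locations.
        set -- /usr/sbin/pcscd /usr/bin/pcscd /sbin/pcscd
    fi

    # Never clobber an existing file or link at the required path.
    if [ -e "$required" ]; then
        echo "pcscd already present at $required"
        return 0
    fi

    for candidate in "$@"; do
        if [ -x "$candidate" ] && [ ! -d "$candidate" ]; then
            mkdir -p "$(dirname "$required")"
            ln -s "$candidate" "$required"
            echo "linked $required -> $candidate"
            return 0
        fi
    done

    echo "pcscd not found; install PC/SC Lite before running petoken" >&2
    return 1
}
```

Run it as root with no arguments on a real box before ./petoken install; a non-zero exit means PC/SC Lite still has to be installed.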
MacOS
Details not yet known.
Generating grid proxies using an eToken
It is also possible to generate a grid proxy using the eToken. This is explained in Using an Aladdin eToken PRO to generate grid proxies.