Using an Aladdin eToken PRO to store grid certificates

From PDP/Grid Wiki
Jump to navigationJump to search

A very secure way to store grid certificates is on an Aladdin eToken (http://www.aladdin.com/eToken/default.asp). These tokens are so-called smartcards with a USB form factor. They can be used to securely generate and store X509 certificates and/or SSH keys. The public part of an X509 certificate can be accessed by an application, but the corresponding private key can never be copied off an eToken. This, in theory, makes such a device ideal for storing sensitive data such as grid certificates.

Platform support

With some tinkering it is possible to use an eToken on

  • Windows
  • Linux:
    • Redhat Enterprise Linux 4 and compatible (Scientific Linux 4, CentOS 4)
    • Fedora Core 4 or higher
    • Suse 10 or higher
  • MacOS X

This document tries to explain the tinkering ...

Downloading the Aladdin eToken RTE software

Due to licensing restrictions we cannot supply the eToken drivers and libraries on this site, these need to be downloaded from Aladdin. You can find the required software on the web:

(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do...)

To unpack the Linux archive, the rar command is required.

Important

As of yet, do NOT install the PKI Client 4.0 software (Windows only)! eTokens initialized with this version of the Aladdin software are completely unusable by older releases. If you want to use your eToken on any other platform than Windows then stick with the RTE_3.65 software release instead.

Installing the Aladdin eToken RTE software

Windows

Unzip the RTE_3.65.zip archive and install RTE_3.65.msi file. After rebooting the operating system should recognize the eToken automatically when it is inserted (a red light will start to glow inside the eToken). You can now access your eToken using the software installed by the RTE_3.65.msi installation package (usually in Start->Programs->eToken).

If you have installed Cygwin ( http://www.cygwin.com/ ) and the Mkproxy.tar.gz tarball you can also access your eToken using the pkcs11-tool command:

  • start a Cygwin shell
  • go to the directory where you have unpacked the Mkproxy.tar.gz tarball
  • type
 cd cygwin/bin
 ./pkcs11-tool --module=c:\\windows\\system32\\etpkcs11.dll -L

to list all inserted tokens.

Linux

Prerequisites

Before running the installation script, verify that the PC/SC Lite pcscd deamon is installed on your box. The eToken installation script is very picky about the location where this deamon is installed and will refuse to continue if it is not present in

/usr/local/sbin/pcscd

If your pcscd deamon is installed elsewhere then create a symlink.

Aladdin installation script

Unpack the .rar file using

rar x eToken_PKI_Client_for_Linux_v3_65.rar

which will extract the files

  • etoken-3-65.3-linux-Fedora-i386.tar.gz : Fedora Core 4 and higher
  • etoken-3-65.3-linux-redhat-i386.tar.gz : Redhat Enterprise Linux 4 and higher
  • etoken-3-65.3-linux-suse-i386.tar.gz : Novell Suse Linux

(and a few others) to the current directory.

Extract the .tar.gz tarball that closest matches your Linux distribution. All files will be extracted to a directory etoken-3-65.3-linux-i386. Now, cd into this directory and run the installation program:

./petoken install 4

where the number 4 indicates how many tokens you wish to support simultaneously (this is the default value).

./petoken install 4
Starting Aladdin eTokend daemon:
 
Starting pcscd daemon:
 
Modifying /etc/ld.so.conf
Aladdin Etoken RTE installation finished
Warning: you have two pcscd installations (in /usr and in /usr/local)

Installation is complete.

The petoken installation script is a total nightmare. If anything goes wrong during installation then the installation is aborted. You will need to run

./petoken uninstall

before you can continue. However , the 'uninstall' command also erases the installation program itself, so you need to unpack the .tar.gz tarball again before you can continue.


Fedora Core 5 Post-installation cleanup

If you have installed the Aladdin RTE software on a Fedora Core 5 distribution (or something compatible), then you need to do a post-installation cleanup. If this step is skipped your eToken will not be accessible after the next reboot.

  1. install this version of etoken.conf in /etc/reader.conf.d or save the /etc/reader.conf file cd /etc/reader.conf.d cp /etc/reader.conf etoken.conf modify the etoken.conf to list only the Aladdin entries. The contents of the file should be # Aladdin eToken virtual reader #0 FRIENDLYNAME "AKS ifdh" DEVICENAME /dev/null LIBPATH /usr/local/lib/aksifdh.so CHANNELID 0x11111111 # Aladdin eToken virtual reader #1 FRIENDLYNAME "AKS ifdh" DEVICENAME /dev/null LIBPATH /usr/local/lib/aksifdh.so CHANNELID 0x11111112 # Aladdin eToken virtual reader #2 FRIENDLYNAME "AKS ifdh" DEVICENAME /dev/null LIBPATH /usr/local/lib/aksifdh.so CHANNELID 0x11111113 # Aladdin eToken virtual reader #3 FRIENDLYNAME "AKS ifdh" DEVICENAME /dev/null LIBPATH /usr/local/lib/aksifdh.so CHANNELID 0x11111114
  2. install these 20-etoken.rules in /etc/udev/rules.d: ACTION=="add", SUBSYSTEM=="usb_device", \ SYSFS{idVendor}=="0529", SYSFS{idProduct}=="0600", SYSFS{product}=="Token 4.2*", \ RUN="/etc/hotplug.d/usb/etoken.hotplug"

MacOS

Details not yet known.

Generating grid proxies using an eToken

It is also possible to generate a grid proxy using the eToken. This is explained in Using an Aladdin eToken PRO to generate grid proxies.