Aladdin eToken PRO Manual Installation

From PDP/Grid Wiki
Revision as of 13:19, 5 February 2008 by Janjust@nikhef.nl (talk | contribs) (→‎Post-installation cleanup)

Manual Installation of the eToken PRO software on Linux

Prerequisites

Before running the installation script, verify that the PC/SC Lite pcscd daemon is installed on your box. The eToken installation script is very picky about the location of this daemon and will refuse to continue if it is not present at

 /usr/local/sbin/pcscd

If your pcscd daemon is installed elsewhere, create a symlink at that location.

The RTE software is linked against the following shared libraries:

  • /lib/ld-linux.so.2
  • libc.so.6
  • libdl.so.2
  • libgcc_s.so.1
  • libm.so.6
  • libpcsclite.so.0 (Note: it is safe to symlink libpcsclite.so.0 to libpcsclite.so.1)
  • libpthread.so.0
  • libusb-0.1.so.4
  • Fedora and RedHat tarballs: libstdc++.so.6
  • Suse tarball: libstdc++.so.5

It may be possible to use the eToken RTE software on other Linux distributions, provided that these shared libraries are present.
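As an added pre-flight check (example code, not from the wiki page or from Aladdin), the following POSIX shell script locates pcscd, creates the symlink the installer insists on, prints the libpcsclite symlink hint from the list above when it applies, and parses ldd output for unresolved libraries. The alternative pcscd locations it searches and the RTE binaries it is handed as arguments are assumptions, not something the page specifies.

```shell
#!/bin/sh
# Pre-flight check for the eToken RTE prerequisites described above.
# Added example, not part of the wiki page or the Aladdin software.
# Assumptions: the alternative pcscd locations searched below and the
# RTE binaries to inspect (passed as arguments) are ours, not the page's.

PCSCD_EXPECTED=/usr/local/sbin/pcscd   # the path the installer demands

# Print the first pcscd found in the usual places; exit status 1 if none.
find_pcscd() {
    for p in /usr/local/sbin/pcscd /usr/sbin/pcscd /sbin/pcscd; do
        if [ -x "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Make sure $2 exists; if it does not, symlink it to the real daemon $1.
ensure_pcscd_link() {
    real="$1"; want="$2"
    if [ -e "$want" ]; then
        return 0                       # already there (real file or link)
    fi
    mkdir -p "$(dirname "$want")" && ln -s "$real" "$want"
}

# Read ldd output on stdin and print the libraries reported as "not found".
parse_ldd_missing() {
    awk '/not found/ { print $1 }'
}

# The page notes libpcsclite.so.0 may safely be a symlink to libpcsclite.so.1;
# print (do not run) that command when .so.1 exists in $1 but .so.0 does not.
suggest_pcsclite_link() {
    libdir="$1"
    if [ -e "$libdir/libpcsclite.so.1" ] && [ ! -e "$libdir/libpcsclite.so.0" ]; then
        echo "ln -s $libdir/libpcsclite.so.1 $libdir/libpcsclite.so.0"
        return 0
    fi
    return 1
}

# Full check: pcscd location, the pcsclite hint, then ldd on each binary given.
run_preflight() {
    real=$(find_pcscd) || { echo "pcscd not found: install PC/SC Lite first"; return 1; }
    ensure_pcscd_link "$real" "$PCSCD_EXPECTED" && echo "pcscd available at $PCSCD_EXPECTED"
    suggest_pcsclite_link /usr/local/lib || true
    for bin in "$@"; do
        missing=$(ldd "$bin" 2>/dev/null | parse_ldd_missing)
        if [ -n "$missing" ]; then
            echo "$bin: unresolved libraries: $missing"
        else
            echo "$bin: all shared libraries resolve"
        fi
    done
}

# Usage: sh preflight.sh /usr/local/sbin/etokend /usr/local/sbin/etsrvd
if [ $# -gt 0 ]; then
    run_preflight "$@"
fi
```

Run it as root before `./petoken install`, passing the RTE binaries you unpacked; the symlink is only created when `/usr/local/sbin/pcscd` is absent, and the pcsclite hint is printed rather than executed so it can be reviewed first.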

RHEL4 Pre-installation

The Mkproxy-rhel4.tar.gz tarball contains all the required binaries for RHEL4 compatible platforms. After unpacking the tarball, copy over the files to their respective locations:

 cp -rp bin/*  /usr/local/bin
 cp -rp lib/*  /usr/local/lib
 cp -rp sbin/* /usr/local/sbin

Running the Aladdin installation script

Unpack the .rar file using

 rar x eToken_PKI_Client_for_Linux_v3_65.rar

which will extract the files

  • etoken-3-65.3-linux-Fedora-i386.tar.gz : Fedora Core 4 and higher
  • etoken-3-65.3-linux-redhat-i386.tar.gz : Redhat Enterprise Linux 4 and higher
  • etoken-3-65.3-linux-suse-i386.tar.gz : Novell Suse Linux

(and a few others) to the current directory.

Extract the .tar.gz tarball that most closely matches your Linux distribution. All files are extracted to a directory named etoken-3-65.3-linux-i386. cd into this directory and run the installation program:

 ./petoken install 4

where the number 4 indicates how many tokens you wish to support simultaneously (this is the default value).

 ./petoken install 4
 Starting Aladdin eTokend daemon:
 
 Starting pcscd daemon:
 
 Modifying /etc/ld.so.conf
 Aladdin Etoken RTE installation finished
 Warning: you have two pcscd installations (in /usr and in /usr/local)

Installation is complete. The installation script will have installed the appropriate daemons and /etc/init.d startup scripts, such that the eToken software is loaded at system startup.

The petoken installation script is a total nightmare. If anything goes wrong during installation then the installation is aborted. You will need to run

 ./petoken uninstall

before you can continue. However, the 'uninstall' command also erases the installation program itself, so you need to unpack the .tar.gz tarball again before you can continue.

Post-installation cleanup

The system startup/shutdown scripts that come with the RTE software are quite atrocious. In most cases the etsrvd daemon will fail to come up at boot time. By installing these custom versions of the etokend and etsrvd scripts the startup success ratio dramatically improves, plus, they print pretty OK or FAILURE messages too.

  • RedHat/Fedora users: install this version of etokend in /etc/init.d
  • RedHat/Fedora users: install this version of etsrvd in /etc/init.d
  • SuSE users: install this version of etokend in /etc/init.d
  • SuSE users: install this version of etsrvd in /etc/init.d
  • run
 chkconfig --level 2345 etokend on
 chkconfig --level 2345 etsrvd on

to enable the services. You can also remove the old startup scripts as installed by the RTE software

 rm -f /etc/rc?.d/S10etoken
 rm -f /etc/rc?.d/S30etoken

If you have installed the Aladdin RTE software on a Linux system which uses udev to provide hotplugging device support - i.e. Fedora Core 5 or any system running Linux kernel 2.6.16 or higher - then you need to do a post-installation cleanup. If this step is skipped your eToken will not be accessible after the next reboot.

1. install this version of etoken.conf in /etc/reader.conf.d:

 # Aladdin eToken virtual reader #0
 FRIENDLYNAME     "AKS ifdh"
 DEVICENAME       /dev/null
 LIBPATH          /usr/local/lib/aksifdh.so
 CHANNELID        0x11111111

 # Aladdin eToken virtual reader #1
 FRIENDLYNAME     "AKS ifdh"
 DEVICENAME       /dev/null
 LIBPATH          /usr/local/lib/aksifdh.so
 CHANNELID        0x11111112

 # Aladdin eToken virtual reader #2
 FRIENDLYNAME     "AKS ifdh"
 DEVICENAME       /dev/null
 LIBPATH          /usr/local/lib/aksifdh.so
 CHANNELID        0x11111113

 # Aladdin eToken virtual reader #3
 FRIENDLYNAME     "AKS ifdh"
 DEVICENAME       /dev/null
 LIBPATH          /usr/local/lib/aksifdh.so
 CHANNELID        0x11111114

2. install these 20-etoken.rules in /etc/udev/rules.d:

 ACTION=="add", SUBSYSTEM=="usb_device", \
   SYSFS{idVendor}=="0529", SYSFS{idProduct}=="0600", SYSFS{product}=="Token 4.2*", \
     RUN="/etc/hotplug.d/usb/etoken.hotplug"
 
 # Sigh: Kernel 2.6.22+ changed the SUBSYSTEM name...
 ACTION=="add", SUBSYSTEM=="usb", \
   SYSFS{idVendor}=="0529", SYSFS{idProduct}=="0600", SYSFS{product}=="Token 4.2*", \
     RUN="/etc/hotplug.d/usb/etoken.hotplug"

Note: In kernel 2.6.22+ the SUBSYSTEM name was changed from 'usb_device' to 'usb'. Hence the double ACTION rule.

3. For systems that use udev, i.e. all systems with Linux kernel 2.6.16+, install this version of the etoken.hotplug script in /etc/hotplug.d/usb:

 #!/usr/bin/perl
 # Hotplug/udev helper: tell the eTokend daemon that a token was inserted or removed.
 use strict;
 use warnings;
 use Socket;
 #use Data::Dumper;

 # All diagnostics go to the eToken log; udev would otherwise discard stderr.
 open STDERR, ">>", "/var/log/etoken.log";

 #print STDERR Dumper(\%ENV);

 # check environment
 # If kernel.hotplug names a helper program, the kernel's own hotplug mechanism
 # is in use and the old DEVICE variable is set; if it is empty, udev called us
 # and the device path is in DEVNAME.
 my $hotplug = `/sbin/sysctl kernel.hotplug`;
 chomp $hotplug;
 my $device;
 if ($hotplug =~ /kernel\.hotplug = (\S+)/)
 {
     die "Call with undefined environment is ignored"
         unless defined($ENV{"DEVICE"}) && defined($ENV{"ACTION"});

     $device = $ENV{"DEVICE"};
 }
 else
 {
     die "Call with undefined environment is ignored"
         unless defined($ENV{"DEVNAME"}) && defined($ENV{"ACTION"});

     # udev hands us /dev/bus/usb/BBB/DDD; eTokend expects the usbfs path
     # /proc/bus/usb/BBB/DDD, so rewrite the first path component.
     $device = $ENV{"DEVNAME"};
     $device =~ s/dev/proc/;
 }

 # build request structure for insertion/removal:
 # six native unsigned ints (magic, 0, 0, command, data length, 0) followed by
 # the NUL-terminated device path
 my $data_len = length($device) + 1;   # one more for null-terminator
 my $magic = 0x55AAAA55;
 my $insert_token = 1;
 my $remove_token = 2;
 my $command = ($ENV{ACTION} eq "add") ? $insert_token : $remove_token;
 my $data = pack("IIIIIIa" . $data_len, $magic, 0, 0, $command, $data_len, 0, $device);
 my $socket_name = "/var/tmp/.etokend";

 # open socket with eTokend and send the request
 socket (SOCK, PF_UNIX, SOCK_STREAM, 0) or die "socket: $!";
 connect (SOCK, sockaddr_un($socket_name)) or die "connect $socket_name: $!";
 print SOCK $data;
 close SOCK;
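Step 1 of this cleanup lists four reader entries written out by hand. The following shell script, added here as an example and not part of the wiki page or the Aladdin RTE, generates the same entries for any number of readers and checks an existing etoken.conf for duplicate CHANNELIDs and for LIBPATH values that do not exist on disk. It assumes, which the page does not state, that the entry count should match the token count given to ./petoken install N, and that CHANNELIDs simply count up from 0x11111111 as the four on the page do.

```shell
#!/bin/sh
# Generate and sanity-check the etoken.conf reader entries from step 1.
# Added example, not part of the wiki page or the Aladdin software.
# Assumptions: one reader entry per token given to "./petoken install N",
# and CHANNELIDs counting up from 0x11111111 (the page shows only N=4).

LIBPATH=/usr/local/lib/aksifdh.so
CHANNEL_BASE=286331153   # decimal for 0x11111111, the first CHANNELID on the page

# Print N reader entries in the layout used by /etc/reader.conf.d/etoken.conf.
gen_etoken_conf() {
    n="$1"
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '# Aladdin eToken virtual reader #%d\n' "$i"
        printf 'FRIENDLYNAME     "AKS ifdh"\n'
        printf 'DEVICENAME       /dev/null\n'
        printf 'LIBPATH          %s\n' "$LIBPATH"
        printf 'CHANNELID        0x%08x\n' $((CHANNEL_BASE + i))
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then
            printf '\n'               # blank line between entries, as on the page
        fi
    done
}

# Read an etoken.conf on stdin; print every CHANNELID that occurs more than once.
# A repeated CHANNELID is almost always a copy-and-paste slip in a hand-edited file.
dup_channelids() {
    awk '$1 == "CHANNELID" { if (seen[$2]++) print $2 }'
}

# Read an etoken.conf on stdin; print the number of reader entries (LIBPATH lines).
count_readers() {
    awk '$1 == "LIBPATH" { n++ } END { print n + 0 }'
}

# Read an etoken.conf on stdin; print LIBPATH values that do not exist on disk,
# which is what you get when the RTE was unpacked somewhere other than /usr/local.
missing_libpaths() {
    awk '$1 == "LIBPATH" { print $2 }' | sort -u | while read -r lib; do
        [ -e "$lib" ] || echo "$lib"
    done
}

# Usage: sh etoken-conf.sh 4 > /etc/reader.conf.d/etoken.conf
#        sh etoken-conf.sh check < /etc/reader.conf.d/etoken.conf
case "${1:-}" in
    check)
        tmp=$(mktemp)
        cat > "$tmp"
        echo "readers: $(count_readers < "$tmp")"
        dups=$(dup_channelids < "$tmp");  [ -n "$dups" ] && echo "duplicate CHANNELID: $dups"
        miss=$(missing_libpaths < "$tmp"); [ -n "$miss" ] && echo "missing LIBPATH: $miss"
        rm -f "$tmp"
        ;;
    [0-9]*)
        gen_etoken_conf "$1"
        ;;
esac
```

Pass the same N you gave to `./petoken install N`; with `check` the script reads a configuration on stdin and reports the reader count plus any duplicate CHANNELID or absent LIBPATH, which is worth running once after the RTE install and again after any later hand edit.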