Using an Aladdin eToken PRO to store grid certificates

From PDP/Grid Wiki
Jump to navigationJump to search

A very secure way to store grid certificates is on an Aladdin eToken (http://www.aladdin.com/eToken/default.asp). These tokens are so-called smartcards with a USB form factor. They can be used to securely generate and store X509 certificates and/or SSH keys. The public part of an X509 certificate can be accessed by an application, but the corresponding private key can never be copied off an eToken. This, in theory, makes such a device ideal for storing sensitive data such as grid certificates.

Platform support

With some tinkering it is possible to use an eToken on

  • Windows
  • Linux:
    • Redhat Enterprise Linux 4 and compatible (Scientific Linux 4, CentOS 4)
    • Fedora Core 4 or higher
    • Suse 10 or higher
  • MacOS X

This document tries to explain the tinkering ...

Downloading the Aladdin eToken RTE software

Due to licensing restrictions we cannot supply the eToken drivers and libraries on this site, these need to be downloaded from Aladdin. You can find the required software on the web:

(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do...)

To unpack the Linux archive, the rar command is required.

Important

As of yet, do NOT install the PKI Client 4.0 software (Windows only)! eTokens initialized with this version of the Aladdin software are completely unusable by older releases. If you want to use your eToken on any other platform than Windows then stick with the RTE_3.65 software release instead.

Installing the Aladdin eToken RTE software

Windows

Unzip the RTE_3.65.zip archive and install RTE_3.65.msi file. After rebooting the operating system should recognize the eToken automatically when it is inserted (a red light will start to glow inside the eToken).

You can now continue on to Using the eToken RTE software.

Linux

Prerequisites

Before running the installation script, verify that the PC/SC Lite pcscd deamon is installed on your box. The eToken installation script is very picky about the location where this deamon is installed and will refuse to continue if it is not present in

/usr/local/sbin/pcscd

If your pcscd deamon is installed elsewhere then create a symlink.

RHEL4 Pre-installation

The Mkproxy.tar.gz tarball contains all the required binaries for RHEL4 compatible platforms. After unpacking the tarball, copy over the files to their respective locations:

cd ./rhel4
cp -rp bin/*  /usr/local/bin
cp -rp lib/*  /usr/local/lib
cp -rp sbin/* /usr/local/sbin

Running the Aladdin installation script

Unpack the .rar file using

rar x eToken_PKI_Client_for_Linux_v3_65.rar

which will extract the files

  • etoken-3-65.3-linux-Fedora-i386.tar.gz : Fedora Core 4 and higher
  • etoken-3-65.3-linux-redhat-i386.tar.gz : Redhat Enterprise Linux 4 and higher
  • etoken-3-65.3-linux-suse-i386.tar.gz : Novell Suse Linux

(and a few others) to the current directory.

Extract the .tar.gz tarball that closest matches your Linux distribution. All files will be extracted to a directory etoken-3-65.3-linux-i386. Now, cd into this directory and run the installation program:

./petoken install 4

where the number 4 indicates how many tokens you wish to support simultaneously (this is the default value).

./petoken install 4
Starting Aladdin eTokend daemon:
 
Starting pcscd daemon:
 
Modifying /etc/ld.so.conf
Aladdin Etoken RTE installation finished
Warning: you have two pcscd installations (in /usr and in /usr/local)

Installation is complete. The installation script will have installed the appropriate deamons and /etc/init.d startup script, such that the eToken software is loaded at system startup. The /etc/init.d scripts that the installation script adds or modifies are

  • /etc/init.d/pcscd
  • /etc/init.d/etoken
  • /etc/rcN.d/S10etoken -> ../init.d/etoken
  • /etc/rcN.d/S20etoken -> ../init.d/pcscd


The petoken installation script is a total nightmare. If anything goes wrong during installation then the installation is aborted. You will need to run

./petoken uninstall

before you can continue. However , the 'uninstall' command also erases the installation program itself, so you need to unpack the .tar.gz tarball again before you can continue.

Post-installation cleanup

If you have installed the Aladdin RTE software on a Fedora Core 5 distribution (or any system running Linux kernel 2.6.16 or higher), then you need to do a post-installation cleanup. If this step is skipped your eToken will not be accessible after the next reboot.

1. install this version of etoken.conf in /etc/reader.conf.d:

 # Aladdin eToken virtual reader #0
FRIENDLYNAME     "AKS ifdh"
DEVICENAME       /dev/null
LIBPATH          /usr/local/lib/aksifdh.so
CHANNELID        0x11111111
  
# Aladdin eToken virtual reader #1
FRIENDLYNAME     "AKS ifdh"
DEVICENAME       /dev/null
LIBPATH          /usr/local/lib/aksifdh.so
CHANNELID        0x11111112
  
# Aladdin eToken virtual reader #2
FRIENDLYNAME     "AKS ifdh"
DEVICENAME       /dev/null
LIBPATH          /usr/local/lib/aksifdh.so
CHANNELID        0x11111113
  
# Aladdin eToken virtual reader #3
FRIENDLYNAME     "AKS ifdh"
DEVICENAME       /dev/null 
LIBPATH          /usr/local/lib/aksifdh.so
CHANNELID        0x11111114

2. install these 20-etoken.rules in /etc/udev/rules.d:

ACTION=="add", SUBSYSTEM=="usb_device", \
  SYSFS{idVendor}=="0529", SYSFS{idProduct}=="0600", SYSFS{product}=="Token 4.2*", \
    RUN="/etc/hotplug.d/usb/etoken.hotplug"

MacOS

Details not yet known.

Using the eToken RTE software

Windows

You can access your eToken using the software installed by the RTE_3.65.msi installation package (usually in Start->Programs->eToken).

If you have installed Cygwin ( http://www.cygwin.com/ ) and the Mkproxy.tar.gz tarball you can also access your eToken using the pkcs11-tool command:

  • start a Cygwin shell
  • go to the directory where you have unpacked the Mkproxy.tar.gz tarball
  • type
 cd cygwin/bin
 ./pkcs11-tool --module=c:\\windows\\system32\\etpkcs11.dll -L

to list all inserted tokens.

Linux

If you have install either the opensc toolkit or the the Mkproxy.tar.gz tarball you can access your eToken using the pkcs11-tool command:

  • go to the directory where you have unpacked the Mkproxy.tar.gz tarball
  • type
 export PATH=$PATH:<platform>/bin
  • then type
 pkcs11-tool --module=/usr/local/lib/libetpkcs11.so -L

which should return

Available slots:
Slot 0           AKS ifdh 00 00
  token state:   uninitialized
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
  • you can use
 pkcs11-tool --module /usr/local/lib/libetpkcs11.so -O

to retrieve all public objects on the eToken:

Certificate Object, type = X.509 cert
  label:      (eTCAPI) Jan Just Keijser's NIKHEF ID
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Public Key Object; RSA 1024 bits
  label:      eTCAPI public key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
  Usage:      encrypt, verify, wrap

Using your eToken in Firefox

A very easy method for importing (or removing) keys in your eToken is to add the eToken as a Security Device in Firefox. To add your eToken as a security device , follow these steps

  • Start Firefox
  • (Linux) Go to Edit->Preferences->Advanced->Tab "Encryption"
  • (Windows) Go to Tools->Options->Advanced->Tab "Encryption"

You should now see a screen similar to this.

  • Select 'Load'
  • In the next screen, enter a (possibly useful) name for this module and Click on 'Browse' to select the appropriate PKCS11 module
  • Linux: choose /usr/local/lib/libetpkcs11.so
  • Windows: choose %WINDIR%\\system32\\etpkcs11.dll
  • Click 'OK'

You are now ready to use your eToken as a PCS11 device within Firefox. A similar procedure applies to Thunderbird, so that you can use an X509 certificate from your eToken to digitally sign your email messages with.

You can now proceed to import your existing X509 grid certificate into your browser. Make sure that you select the eToken as the security device where you want to store the grid certificate.

Generating a new grid certificate ON the eToken

Davidg, plz fill this in ;-)


Generating grid proxies using an eToken

It is also possible to generate a grid proxy using the eToken. This is explained in Using an Aladdin eToken PRO to generate grid proxies.

Why not use the OpenSC tools?

The OpenSC project ( http://www.opensc.org ) also provides driver software for Aladdin eTokens. However, the OpenSC software stack only supports eTokens running Siemens CardOS M4. Our eTokens use a newer version of the Siemens CardOS:

# lsusb -v -d 0529:0600 | grep iProduct
  iProduct                2 Token 4.25.1.2 2.6.189

This means that this eToken is running CardOS 4.25.1.2, which is not supported by OpenSC. Even the latest development version of OpenSC (cvs HEAD branch) , which claims support for CardOS 4.2+, cannot successfully connect to these eTokens.