Using an Aladdin eToken PRO to store grid certificates
A very secure way to store grid certificates is on an Aladdin eToken (http://www.aladdin.com/eToken/default.asp). These tokens are so-called smartcards with a USB form factor. They can be used to securely generate and store X509 certificates and/or SSH keys. The public part of an X509 certificate can be accessed by an application, but the corresponding private key can never be copied off an eToken. This, in theory, makes such a device ideal for storing sensitive data such as grid certificates. |
Platform support
With some tinkering it is possible to use an eToken on
- Windows
- Linux:
- Redhat Enterprise Linux 4 and compatible (Scientific Linux 4, CentOS 4)
- Fedora Core 4 or higher
- Suse 9.3 or higher
- MacOS X
This document tries to explain the tinkering ...
Notes
- not all functions are available on all platforms. Currently, it is not possible to reformat an eToken on Linux. This can only be done on Windows (and perhaps MacOS, but this is untested).
- there is no native 64bit platform support. It is possible to use an eToken on an x86_64 architecture but it requires 32bit versions of all relevant tools (pcsc-lite, openssl, etc)
Downloading the Aladdin eToken RTE software
Due to licensing restrictions we cannot supply the eToken drivers and libraries on this site, these need to be downloaded from Aladdin. You can find the required software on the web:
- Windows: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/2c0/RTE_3.65.zip
- Linux: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/179/eToken_PKI_Client_for_Linux_v3_65.rar
- MacOS: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/973/PKI_3_65_Mac.zip
(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do...)
To unpack the Linux archive, the rar command is required.
Important
As of yet, do NOT install the PKI Client 4.0 software (Windows only)! eTokens initialized with this version of the Aladdin software are completely unusable by older releases. If you want to use your eToken on any other platform than Windows then stick with the RTE_3.65 software release instead.
Installing the Aladdin eToken RTE software
Windows
Unzip the RTE_3.65.zip archive and install RTE_3.65.msi file. After rebooting the operating system should recognize the eToken automatically when it is inserted (a red light will start to glow inside the eToken).
You can now continue on to Testing the eToken RTE software.
Linux
Prerequisites
Before running the installation script, verify that the PC/SC Lite pcscd deamon is installed on your box. The eToken installation script is very picky about the location where this deamon is installed and will refuse to continue if it is not present in
/usr/local/sbin/pcscd
If your pcscd deamon is installed elsewhere then create a symlink.
The RTE software is linked against the following shared libraries. These must be present on the system for the eToken RTE software to work.
- Fedora and RedHat tarballs:
- /lib/ld-linux.so.2
- libc.so.6
- libdl.so.2
- libgcc_s.so.1
- libm.so.6
- libpcsclite.so.0 (Note: it is safe to symlink libpcsclite.so.0 to libpcsclite.so.1)
- libpthread.so.0
- libstdc++.so.6
- libusb-0.1.so.4
- Suse tarball:
- /lib/ld-linux.so.2
- libc.so.6
- libdl.so.2
- libgcc_s.so.1
- libm.so.6
- libpcsclite.so.0
- libpthread.so.0
- libstdc++.so.5
- libusb-0.1.so.4
It may be possible to use the eToken RTE software on other Linux distributions, provided that these shared libraries are present.
RHEL4 Pre-installation
The Mkproxy.tar.gz tarball contains all the required binaries for RHEL4 compatible platforms. After unpacking the tarball, copy over the files to their respective locations:
cd ./rhel4 cp -rp bin/* /usr/local/bin cp -rp lib/* /usr/local/lib cp -rp sbin/* /usr/local/sbin
Running the Aladdin installation script
Unpack the .rar file using
rar x eToken_PKI_Client_for_Linux_v3_65.rar
which will extract the files
- etoken-3-65.3-linux-Fedora-i386.tar.gz : Fedora Core 4 and higher
- etoken-3-65.3-linux-redhat-i386.tar.gz : Redhat Enterprise Linux 4 and higher
- etoken-3-65.3-linux-suse-i386.tar.gz : Novell Suse Linux
(and a few others) to the current directory.
Extract the .tar.gz tarball that closest matches your Linux distribution. All files will be extracted to a directory etoken-3-65.3-linux-i386. cd into this directory and run the installation program:
./petoken install 4
where the number 4 indicates how many tokens you wish to support simultaneously (this is the default value).
./petoken install 4 Starting Aladdin eTokend daemon: Starting pcscd daemon: Modifying /etc/ld.so.conf Aladdin Etoken RTE installation finished Warning: you have two pcscd installations (in /usr and in /usr/local)
Installation is complete. The installation script will have installed the appropriate deamons and /etc/init.d startup script, such that the eToken software is loaded at system startup. For more details, see Linux eToken daemons.
The petoken installation script is a total nightmare. If anything goes wrong during installation then the installation is aborted. You will need to run
./petoken uninstall
before you can continue. However , the 'uninstall' command also erases the installation program itself, so you need to unpack the .tar.gz tarball again before you can continue.
Post-installation cleanup
The system startup/shutdown scripts that come with the RTE software are quite atrocious. In most cases the etsrvd daemon will fail to come up at boot time. By installing these custom versions of the etokend and etsrvd scripts the startup success ratio dramatically improves, plus, they print pretty OK or FAILURE messages too.
chkconfig --level 2345 etokend on chkconfig --level 2345 etsrvd on
to enable the services. You can also remove the old startup scripts as installed by the RTE software
rm -f /etc/rc?.d/S10etoken rm -f /etc/rc?.d/S30etoken
If you have installed the Aladdin RTE software on a Linux system which uses udev to provide hotplugging device support - i.e. Fedora Core 5 or any system running Linux kernel 2.6.16 or higher - then you need to do a post-installation cleanup. If this step is skipped your eToken will not be accessible after the next reboot.
1. install this version of etoken.conf in /etc/reader.conf.d:
# Aladdin eToken virtual reader #0 FRIENDLYNAME "AKS ifdh" DEVICENAME /dev/null LIBPATH /usr/local/lib/aksifdh.so CHANNELID 0x11111111 # Aladdin eToken virtual reader #1 FRIENDLYNAME "AKS ifdh" DEVICENAME /dev/null LIBPATH /usr/local/lib/aksifdh.so CHANNELID 0x11111112 # Aladdin eToken virtual reader #2 FRIENDLYNAME "AKS ifdh" DEVICENAME /dev/null LIBPATH /usr/local/lib/aksifdh.so CHANNELID 0x11111113 # Aladdin eToken virtual reader #3 FRIENDLYNAME "AKS ifdh" DEVICENAME /dev/null LIBPATH /usr/local/lib/aksifdh.so CHANNELID 0x11111114
2. install these 20-etoken.rules in /etc/udev/rules.d:
ACTION=="add", SUBSYSTEM=="usb_device", \ SYSFS{idVendor}=="0529", SYSFS{idProduct}=="0600", SYSFS{product}=="Token 4.2*", \ RUN="/etc/hotplug.d/usb/etoken.hotplug"
3. install this version of the etoken.hotplug script in /etc/hotplug.d/usb:
#!/usr/bin/perl use Socket; #use Data::Dumper; open STDERR, ">> /var/log/etoken.log"; #print STDERR Dumper(\%ENV); # check environment die "Call with undefined environment is ignored" unless defined($ENV{"DEVNAME"}) && defined($ENV{"ACTION"}); $device = $ENV{"DEVNAME"}; # build request structure for insertion/removal $data_len = length($device) + 1; # one more for null-terminator $magic = 0x55AAAA55; $insert_token = 1; $remove_token = 2; $command = ($ENV{ACTION} eq "add") ? $insert_token : $remove_token; $data = pack("IIIIIIa" . $data_len, $magic, 0, 0, $command, $data_len, 0, $device); $socket_name = "/var/tmp/.etokend"; # open socket with eTokend socket (SOCK,PF_UNIX,SOCK_STREAM, 0) or die "socket: $!"; connect (SOCK, sockaddr_un($socket_name)) or die "connect $socket_name: $!"; print SOCK $data; close SOCK;
MacOS
Details not yet known.
Testing the eToken RTE software
Windows
You can access your eToken using the software installed by the RTE_3.65.msi installation package (usually in Start->Programs->eToken).
If you have installed Cygwin ( http://www.cygwin.com/ ) and the Mkproxy.tar.gz tarball you can also access your eToken using the pkcs11-tool command:
- start a Cygwin shell
- go to the directory where you have unpacked the Mkproxy.tar.gz tarball
- type
cd cygwin/bin ./pkcs11-tool --module=$WINDIR\\system32\\etpkcs11.dll -L
to list all inserted tokens (mind the double back-slashes!)
Note This works only if you are logged in locally on the Windows machine. This will not work when logging in remotely using either a Cygwin sshd service or Remote Desktop.
Linux
If you have installed either the opensc toolkit or the the Mkproxy.tar.gz tarball you can access your eToken using the pkcs11-tool command:
- go to the directory where you have unpacked the Mkproxy.tar.gz tarball
- type
export PATH=$PATH:<platform>/bin
- then type
pkcs11-tool --module=/usr/local/lib/libetpkcs11.so -L
which should return
Available slots: Slot 0 AKS ifdh 00 00 token state: uninitialized Slot 1 (empty) Slot 2 (empty) Slot 3 (empty)
Congratulations, your eToken is ready for use!
Why not use the OpenSC tools?
The OpenSC project ( http://www.opensc.org ) also provides driver software for Aladdin eTokens. However, the OpenSC software stack only supports eTokens running Siemens CardOS M4. Our eTokens use a newer version of the Siemens CardOS. On the eToken itself the CardOS version is printed (4.2B) but you can also retrieve it on Linux (as root) using
# lsusb -v -d 0529:0600 | grep iProduct iProduct 2 Token 4.25.1.2 2.6.189
This means that this eToken is running CardOS 4.25.1.2, which is not supported by OpenSC. Even the latest development version of OpenSC (cvs HEAD branch) , which claims support for CardOS 4.2+, cannot successfully connect to these eTokens.
The OpenSC cardos-info command gives
Info : CardOS V4.2B (C) Siemens AG 1994-2005 Chip type: 123 Serial number: 26 57 ad 07 0f 21 Full prom dump: 33 66 00 45 CB CB CB CB 7B FF 26 57 AD 07 0F 21 3f.E....{.&W...! 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ OS Version: 200.9 (unknown Version) Current life cycle: 32 (administration) Security Status of current DF: Free memory : 0 ATR Status: 0x0 ROM-ATR Packages installed: Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63 Free eeprom memory: 23167 System keys: PackageLoadKey (version 0xfe, retries 10) System keys: StartKey (version 0xff, retries 10) Path to current DF: 66 66 50 00 02 01 ffP...
where the unknown CardOS version is particularly worrisome.
Also, it seems you can either use an eToken using the OpenSC software or (XOR) use Aladdin's proprietary software, that is, information stored on an eToken using the OpenSC is not visible to the Aladdin software and vice versa. So even if we do manage to get OpenSC working then we would still have issues if some poor Windhoos schmuck decided to use the Aladdin tools.
Initializing your eToken (Windows only)
Note' Currently you can only initialize your eToken on the Windows platform. It will not work on Linux, especially changing the SOPIN is not working. This is most likely due to missing functionality in the Linux Aladdin RTE software.
To initialize your eToken for the first time you can use either the Windows client software (Start->Programs->eToken->eToken Properties) or you can use pkcs11-tool :
pkcs11-tool --module $WINDIR\\system32\\etpkcs11.dll --init-token --label "Your Label" --so-pin Your_New_SO_PIN
where Your_New_SO_PIN is the new Security Officer Password. You will be prompted for the existing SOPIN (through a pop window). The default value for the SOPIN is '1234567890' After typing in the correct (old) SOPIN you will see a message like this:
Token successfully initialized
You can now use
pkcs11-tool ---module $WINDIR\\system32\\etpkcs11.dll -L
to view the status of your eToken:
Available slots: Slot 0 AKS ifdh 00 00 token state: uninitialized Slot 1 (empty)
As you can see it remains in the status "uninitialized" but it is ready for use.
Initializing your user PIN
After initializing or reformatting your eToken you must initialize the user password ('PIN') before you can store any data on it. Initializing the user PIN can be done on both Windows and Linux.
Note
On Windows
PKCS11_MOD=$WINDIR\\system32\\etpkcs11.dll
On Linux
PKCS11_MOD=/usr/local/lib/libetpkcs11.so
The user PIN is initialized using
# pkcs11-tool --module $PKCS11_MOD --init-pin Please enter SO PIN: Please enter the new PIN: Please enter the new PIN again: User PIN successfully initialized
Please choose your user PIN carefully. It must be between 6 to 12 characters long. If your PIN is more than 12 characters then you will not be able to access your eToken using openssl commands , nor will you be able to generate grid proxies using your eToken!
Using your eToken in Firefox
A very easy method for importing (or removing) keys in your eToken is to add the eToken as a Security Device in Firefox.
This is explained in Using an Aladdin eToken with firefox.
Generating or storing a grid certificate on the eToken
Now that you have initialized your eToken you can either generate a new certificate/private key pair on the eToken itself (very secure!) or you can load your existing grid certificate onto the eToken.
This is explained in Storing your grid certificate on an Aladdin eToken.
Generating grid proxies using an eToken
It is also possible to generate a grid proxy using the eToken.
This is explained in Using an Aladdin eToken PRO to generate grid proxies.