Using an Aladdin eToken PRO to store grid certificates

From PDP/Grid Wiki
Jump to navigationJump to search
A very secure way to store grid certificates is on an Aladdin eToken (http://www.aladdin.com/eToken/default.asp). These tokens are so-called smartcards with a USB form factor. They can be used to securely generate and store X509 certificates and/or SSH keys. The public part of an X509 certificate can be accessed by an application, but the corresponding private key can never be copied off an eToken. This, in theory, makes such a device ideal for storing sensitive data such as grid certificates.

EToken Blue Pro.png

Platform support

With some tinkering it is possible to use an eToken on

  • Windows
  • Linux:
    • Redhat Enterprise Linux 4 and compatible (Scientific Linux 4, CentOS 4)
    • Fedora Core 4 or higher
    • Suse 9.3 or higher
  • MacOS X

This document tries to explain the tinkering ...

Notes

  • not all functions are available on all platforms. Currently, it is not possible to reformat an eToken on Linux. This can only be done on Windows (and perhaps MacOS, but this is untested).
  • there is no native 64bit platform support. It is possible to use an eToken on an x86_64 architecture but it requires 32bit versions of all relevant tools (pcsc-lite, openssl, etc)

Downloading the Aladdin eToken RTE software

Due to licensing restrictions we cannot supply the eToken drivers and libraries on this site, these need to be downloaded from Aladdin. You can find the required software on the web:

(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do...)

To unpack the Linux archive, the rar command is required.

Important

As of yet, do NOT install the PKI Client 4.0 software (Windows only)! eTokens initialized with this version of the Aladdin software are completely unusable by older releases. If you want to use your eToken on any other platform than Windows then stick with the RTE_3.65 software release instead.

Installing the Aladdin eToken RTE software

Windows

Unzip the RTE_3.65.zip archive and install RTE_3.65.msi file. After rebooting the operating system should recognize the eToken automatically when it is inserted (a red light will start to glow inside the eToken).

The RTE software is now installed in "default" mode. To get a few more administration options, including a nifty initialization button in the eToken Properties screen, set/change the registry key

 HKLM\SOFTWARE\Aladdin\eToken\eTProperties\Advanced:DWORD = 0x1F

(default value is 0x1).

You can now continue on to Testing the eToken RTE software.

Linux

There are two ways to install the necessary tools:

  • manual installation using the Aladdin petoken installation script. You have chosen the difficult path. Instructions can be found in Aladdin eToken PRO Manual Installation.
  • install the etoken-mkproxy RPM which does all the hard work for you. Instructions on how to build and install this RPM are below. This RPM has been tested on
    • CentOS 4 / Scientific Linux 4 (rhel4), i686 and x86_64 architectures
    • Fedora Core 5 (fc5), i686 architecture

An OpenSuSE RPM and Debian/Ubuntu package are in the works.


Unfortunately we are not allowed to post binary RPMs on this site publicly, as it includes a repackaged version of the Aladdin RTE software. For Nikhef, SARA and IGTF members a binary RPM is available in http://www.nikhef.nl/grid/ndpf/files/Aladdin-eToken/etoken-mkproxy/

Contents of the etoken-mkproxy RPM

What's in the etoken-mkproxy RPM?

  • Aladdin RTE 3.65 software (in binary RPMs only).
  • mkproxy script.
  • pkcs11-tool command from the opensc package.
  • patched version of openssl v0.9.8b to allow the user to generate short-lived proxies (the patched file is x509.c; the patch has been submitted to the openssl-dev mailing list).
  • system /etc/init.d startup scripts to correctly start the etokend and etsrvd daemons at system startup
  • hotplugging scripts to allow the correct hotplugging of your USB eToken device. These hotplugging scripts work on all Linux 2.6+ kernels, including 2.6.16 and above.
  • PC/SC-lite pcscd Smart Card daemon v1.3.1, plus system startup script. This daemon is used only if no /etc/init.d/pcscd file is detected during RPM installation.

Building the etoken-mkproxy RPM

If you use a ~/.rpmmacros file you can build the RPM as a non-root user. For example, with the following .rpmmacros file

 %HOME                   %(echo "$HOME")
 %_topdir                %{HOME}/rpmbuild
 %_tmppath               %{_topdir}/tmp

and accompanying directory structure

 ~/rpmbuild/tmp
 ~/rpmbuild/SRPMS
 ~/rpmbuild/SOURCES
 ~/rpmbuild/BUILD
 ~/rpmbuild/SPECS
 ~/rpmbuild/RPMS/i386

you can build the etoken-proxy RPM in your home directory.

 rpm -i http://www.nikhef.nl/~janjust/etoken/etoken-mkproxy-LATEST.nosrc.rpm
  • Unpack the .rar file using
 rar x eToken_PKI_Client_for_Linux_v3_65.rar

which will extract the files

  • etoken-3-65.3-linux-Fedora-i386.tar.gz : Fedora Core 4 and higher
  • etoken-3-65.3-linux-redhat-i386.tar.gz : Redhat Enterprise Linux 4 and higher
  • etoken-3-65.3-linux-suse-i386.tar.gz : Novell Suse Linux

(and a few others) to the current directory.

Grab the .tar.gz tarball that closest matches your Linux distribution and place it in the SOURCES directory of your rpmbuild tree, e.g. with the directory structure from above

 ~/rpmbuild/SOURCES

Now build the RPM using

 rpmbuild -bb ~/rpmbuild/SPECS/etoken-mkproxy.spec

This will take quite some time, but eventually you should end up with a file

 ~/rpmbuild/RPMS/i386/etoken-mkproxy-<VERSION>.<PLATFORM>.i386.rpm

where <VERSION> is the latest and greatest version of the etoken-mkproxy RPM and <PLATFORM> is the platform type on which the RPM is built:

  • 'rhel4' for CentOS 4 / Scientific Linux 4 / RedHat Enterprise Linux 4
  • 'fc5' for Fedora Core 5
  • 'suse9' for SuSE and openSuSE

Installing the etoken-mkproxy RPM

Installing the etoken-mkproxy RPM is quite simple but requires root access.

 rpm -i ~/rpmbuild/RPMS/i386/etoken-mkproxy-<VERSION>.<PLATFORM>.i386.rpm

where again, <VERSION> is the latest and greatest version of the etoken-mkproxy RPM and <PLATFORM> is the platform type on which the RPM is built:

  • 'rhel4' for CentOS 4 / Scientific Linux 4 / RedHat Enterprise Linux 4
  • 'fc5' for Fedora Core 5
  • 'suse9' for SuSE and openSuSE

The RPM will install the necessary startup scripts in /etc/init.d, after which it will start the eToken daemons etokend and etsrvd.

NOTE that there is only a i386 version of the etoken-mkproxy RPM. This is because the Aladdin RTE software is available only for 32-bit platforms. This RPM will install correctly on x86_64 architectures as well, however.

Congratulations! You are now ready to use your Aladdin eToken PRO on Linux!

Manual installation

Instructions on how to manually install the Aladdin eToken software using the petoken install script can be found in Aladdin eToken PRO Manual Installation.

Differences between manual and RPM installations

There are some differences between manual installations and installation of the RPM above:

Manual installation:

  • Most of the files end up in /usr/local/bin, /usr/local/lib and /usr/local/sbin.
  • the mkproxy script is not included in the manual installation.
  • the mkproxy script from the Mkproxy.tar.gz tarball can only generate proxies that are valid <N> days, where N is an integer

RPM installation:

  • Most of the files end up in /opt/etoken-pro, with a symlink in /usr/local/lib.
  • an RPM-specific version of the mkproxy script is included.
  • the RPM includes a patched version of the openssl x509 command which allows you to specify short-lived certificates/proxies, much like the grid-proxy-init tool:
 /opt/etoken-pro/bin/mkproxy --valid 4:00

MacOS

Details not yet known.

Testing the eToken RTE software

Windows

You can access your eToken using the software installed by the RTE_3.65.msi installation package (usually in Start->Programs->eToken).

If you have installed Cygwin ( http://www.cygwin.com/ ) and the Mkproxy.tar.gz tarball you can also access your eToken using the pkcs11-tool command:

  • start a Cygwin shell
  • go to the directory where you have unpacked the Mkproxy.tar.gz tarball
  • type
 cd cygwin/bin
 ./pkcs11-tool --module=$WINDIR\\system32\\etpkcs11.dll -L

to list all inserted tokens (mind the double back-slashes!)

Note This works only if you are logged in locally on the Windows machine. This will not work when logging in remotely using either a Cygwin sshd service or Remote Desktop.

Linux

If you have installed the etoken-mkproxy RPM you can access your eToken using the pkcs11-tool command:

 /opt/etoken-pro/bin/pkcs11-tool --module=/usr/local/lib/libetpkcs11.so -L

which should return

 Available slots:
 Slot 0           AKS ifdh 00 00
   token state:   uninitialized
 Slot 1           (empty)
 Slot 2           (empty)
 Slot 3           (empty)

If you have performed a manual installation then you can find the pkcs11-tool in the [Media:Mkproxy.tar.gz|Mkproxy.tar.gz]] tarball (or in the opensc toolkit):

  • go to the directory where you have unpacked the Mkproxy.tar.gz tarball
  • type
 export PATH=$PATH:<platform>/bin
  • then type
 ./pkcs11-tool --module=/usr/local/lib/libetpkcs11.so -L

which should return

 Available slots:
 Slot 0           AKS ifdh 00 00
   token state:   uninitialized
 Slot 1           (empty)
 Slot 2           (empty)
 Slot 3           (empty)

Congratulations, your eToken is ready for use!

Why not use the OpenSC tools?

The OpenSC project ( http://www.opensc.org ) also provides driver software for Aladdin eTokens. However, the OpenSC software stack only supports eTokens running Siemens CardOS M4. Our eTokens use a newer version of the Siemens CardOS. On the eToken itself the CardOS version is printed (4.2B) but you can also retrieve it on Linux (as root) using

 # lsusb -v -d 0529:0600 | grep iProduct
   iProduct                2 Token 4.25.1.2 2.6.189

This means that this eToken is running CardOS 4.25.1.2, which is not supported by OpenSC. Even the latest development version of OpenSC (cvs HEAD branch) , which claims support for CardOS 4.2+, cannot successfully connect to these eTokens.

The OpenSC cardos-info command gives

 Info : CardOS V4.2B (C) Siemens AG 1994-2005
 Chip type: 123
 Serial number: 26 57 ad 07 0f 21
 Full prom dump:
 33 66 00 45 CB CB CB CB 7B FF 26 57 AD 07 0F 21 3f.E....{.&W...!
 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
 OS Version: 200.9 (unknown Version)
 Current life cycle: 32 (administration)
 Security Status of current DF:
 Free memory : 0
 ATR Status: 0x0 ROM-ATR
 Packages installed:
 Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
 Free eeprom memory: 23167
 System keys: PackageLoadKey (version 0xfe, retries 10)
 System keys: StartKey (version 0xff, retries 10)
 Path to current DF:
 66 66 50 00 02 01 ffP...

where the unknown CardOS version is particularly worrisome.

Also, it seems you can either use an eToken using the OpenSC software or (XOR) use Aladdin's proprietary software, that is, information stored on an eToken using the OpenSC is not visible to the Aladdin software and vice versa. So even if we do manage to get OpenSC working then we would still have issues if some poor Windhoos schmuck decided to use the Aladdin tools.

Initializing your eToken (Windows only)

Note Currently you can only initialize your eToken on the Windows platform. It will not work on Linux, especially changing the SOPIN is not working. This is most likely due to missing functionality in the Linux Aladdin RTE software.

To initialize your eToken for the first time you can use either the Windows client software (Start->Programs->eToken->eToken Properties) or you can use pkcs11-tool :

 pkcs11-tool --module $WINDIR\\system32\\etpkcs11.dll --init-token --label "Your Label" --so-pin Your_New_SO_PIN

where Your_New_SO_PIN is the new Security Officer Password. You will be prompted for the existing SOPIN (through a pop window). The default value for the SOPIN is '1234567890' After typing in the correct (old) SOPIN you will see a message like this:

 Token successfully initialized

You can now use

 pkcs11-tool ---module $WINDIR\\system32\\etpkcs11.dll -L

to view the status of your eToken:

 Available slots:
 Slot 0           AKS ifdh 00 00
   token state:   uninitialized
 Slot 1           (empty)

As you can see it remains in the status "uninitialized" but it is ready for use.

Initializing your user PIN

After initializing or reformatting your eToken you must initialize the user password ('PIN') before you can store any data on it. Initializing the user PIN can be done on both Windows and Linux.

Note

On Windows

 PKCS11_MOD=$WINDIR\\system32\\etpkcs11.dll

On Linux

 PKCS11_MOD=/usr/local/lib/libetpkcs11.so

The user PIN is initialized using

 # pkcs11-tool --module $PKCS11_MOD --init-pin
 Please enter SO PIN:
 Please enter the new PIN:
 Please enter the new PIN again:
 User PIN successfully initialized

Please choose your user PIN carefully. It must be between 6 to 12 characters long. If your PIN is more than 12 characters then you will not be able to access your eToken using openssl commands , nor will you be able to generate grid proxies using your eToken!

Using your eToken in Firefox

A very easy method for importing (or removing) keys in your eToken is to add the eToken as a Security Device in Firefox.

This is explained in Using an Aladdin eToken with firefox.

Generating or storing a grid certificate on the eToken

Now that you have initialized your eToken you can either generate a new certificate/private key pair on the eToken itself (very secure!) or you can load your existing grid certificate onto the eToken.

This is explained in Storing your grid certificate on an Aladdin eToken.

Generating grid proxies using an eToken

It is also possible to generate a grid proxy using the eToken.

This is explained in Using an Aladdin eToken PRO to generate grid proxies.