Smartcard 2.0 - Do It Yourself
- Smartcard2.0 Do It Yourself
- Unpack software
- Make symbolic links
- Update java with unlimited strength crypto
- set path in the environment file and make a link in /usr/local
- Put binaries in place
- Add users
- Install extra packages on top of Debian base
- Automatic start of jboss
- make sshd more secure
- Make www-links
- fix permissions
Smartcard2.0 Do It Yourself
This guide helps you gather the hardware and build an image/server installation from scratch. The hard part is getting cards that work: although the solution is made to be independent of the cards and the card driver, some adjustments and fine tuning have been needed for every card/driver combination we have tested. Right now we recommend the Gemalto SetCOS 4.4.1 (uninitialized cards that can be reformatted); we can help you order cards so you get the right ones. Any card reader that supports PC/SC, preferably CCID compliant, should work. We have used:
- Gemalto's PC USB-SL Reader
- Omnikey's CardMan 3021 USB
- Omnikey's CardMan 3121 USB
Unpack software
Gather the software packages needed (in /tmp) and unpack them to /usr/local with these commands:
- # cd /usr/local
- # tar jxvf /tmp/apache-ant-1.7.0-bin.tar.bz2
- # tar jxvf /tmp/ejbca-3.5.6.tar.bz2
- # tar jxvf /tmp/hardtokenmgmt_1_0-beta7.zip
- # unzip /tmp/jboss-4.2.2.GA.zip
- # sh /tmp/jdk-6u4-linux-i586.bin
Make symbolic links
- # cd /usr/local
- # ln -s apache-ant-1.7.0 ant
- # ln -s ejbca-3.5.6 ejbca
- # ln -s hardtokenmgmt_1_0-beta7 htmf
- # ln -s jdk1.6.0_04 java
- # ln -s jboss-4.2.2.GA jboss
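The unpack and link steps above, automated as an added example (this script is not part of the hardtokenmgmt distribution or of the original guide): it creates the five links from the list, checks that each versioned directory actually exists, and refuses to replace anything at the link name that is not already a symlink. The prefix is a parameter so the script can be tried in a scratch directory before it is run against /usr/local.

```shell
#!/bin/sh
# Added example, not from the Smartcard 2.0 guide: create the short-name -> versioned-directory
# symlinks from the guide in one pass, with a few safety checks.

# Link name -> versioned directory, exactly the pairs listed in the guide.
HTMF_LINKS="ant:apache-ant-1.7.0 ejbca:ejbca-3.5.6 htmf:hardtokenmgmt_1_0-beta7 java:jdk1.6.0_04 jboss:jboss-4.2.2.GA"

# make_link PREFIX NAME TARGET
# Returns 0 when PREFIX/NAME is a symlink pointing at TARGET afterwards, 1 otherwise.
make_link() {
    prefix="$1"; name="$2"; target="$3"
    if [ ! -d "$prefix/$target" ]; then
        echo "missing: $prefix/$target (unpack it first)" >&2
        return 1
    fi
    if [ -e "$prefix/$name" ] && [ ! -L "$prefix/$name" ]; then
        echo "refusing to replace non-symlink $prefix/$name" >&2
        return 1
    fi
    # Drop a stale link from an older version, then create the new one (portable: no ln -n).
    rm -f "$prefix/$name"
    ln -s "$target" "$prefix/$name"
    [ "$(readlink "$prefix/$name")" = "$target" ]
}

# make_all_links PREFIX
# Creates every link in HTMF_LINKS; the exit status is the number of links that failed.
make_all_links() {
    prefix="$1"; failures=0
    for pair in $HTMF_LINKS; do
        name="${pair%%:*}"; target="${pair#*:}"
        make_link "$prefix" "$name" "$target" || failures=$((failures + 1))
    done
    return "$failures"
}

# check_links PREFIX
# Prints each link and where it resolves, as a final sanity check after unpacking.
check_links() {
    prefix="$1"
    for pair in $HTMF_LINKS; do
        name="${pair%%:*}"
        printf '%s -> %s\n' "$prefix/$name" "$(readlink "$prefix/$name" 2>/dev/null || echo '(missing)')"
    done
}

# Usage: make_all_links /usr/local && check_links /usr/local
```

Running it twice is harmless: an existing symlink is replaced with one pointing at the same directory, while a real directory that happens to sit at a link name (for example a stray manual copy of jboss) is left alone and reported.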
Update java with unlimited strength crypto
- # cd /usr/local/java/jre/lib/security
- # unzip /tmp/jce_policy-6.zip
- # mv jce/*jar .
- # rm -rf jce
set path in the environment file and make a link in /usr/local
- # cd /usr/local
- # vi /usr/local/htmf/src/inst/smartcard20/environment
- Update the defined exports to point at the places where you unpacked the software
- # ln -s /usr/local/htmf/src/inst/smartcard20/environment /usr/local/environment
- # ln -s /usr/local/htmf/src/inst/smartcard20/htmf-setup /usr/local/htmf-setup
Put binaries in place
- A JBoss zip file is needed by htmf-setup
- # cp jboss-4.2.2.GA.zip /usr/local
- put netid in the www-dir:
- # cp /tmp/4.7.0.14_WM_EVAL_XP.zip ${HTMF_HOME}/src/inst/smartcard20/www/4.7.0.14_WM_EVAL_XP.zip
- put jre in the www-dir:
- # cp /tmp/jre-6u4-windows-i586-p.exe ${HTMF_HOME}/src/inst/smartcard20/www/jre-6u4-windows-i586-p.exe
Add users
- # useradd -m htmf
- # passwd htmf (set htmf)
- # useradd -m jboss
- Add sourcing of the environment file to the end of ~/.bashrc for both the jboss and the htmf user:
# htmf env
if [ -f /usr/local/environment ]; then
. /usr/local/environment
fi
Automatic start of jboss
- # cp /usr/local/htmf/src/inst/smartcard20/jboss-init.d /etc/init.d/jboss
- # ln -s /etc/init.d/jboss /etc/rc3.d/S95jboss
- # chmod +x /etc/init.d/jboss
- # mkdir -p /var/cache/jboss4/tmp
- # mkdir -p /var/log/jboss4/
make sshd more secure
Make sure you add your SSH key to /home/htmf/.ssh/authorized_keys first; once password authentication is switched off, key-based login is the only way in.
- # vi /etc/ssh/sshd_config
- add/change these:
- PasswordAuthentication no
- PermitRootLogin no
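An added example (not from the guide or the hardtokenmgmt project) that checks an sshd_config for the two settings above and that a public key is already installed for htmf before password logins are switched off. The configuration files it audits are constructed samples written by the script itself; the /etc/ssh/sshd_config path and the htmf account name come from the guide.

```shell
#!/bin/sh
# Added example, not part of the Smartcard 2.0 guide: audit an sshd_config for the guide's two
# settings and make sure a key is in place before passwords are disabled.

# sshd_setting FILE KEYWORD
# Prints the effective value of KEYWORD in FILE. sshd uses the first uncommented occurrence,
# keywords are case-insensitive, and the global section ends at the first Match block.
sshd_setting() {
    file="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }                                # comment line
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }  # global section ends here
        { gsub(/=/, " ") }                                       # sshd also accepts keyword=value
        tolower($1) == tolower(key) { print $2; exit }           # first occurrence wins
    ' "$file"
}

# audit_sshd FILE AUTHORIZED_KEYS
# Exit 0 when the config matches the guide and a key is installed; otherwise print each finding
# and exit 1.
audit_sshd() {
    file="$1"; authkeys="$2"; problems=0
    pw="$(sshd_setting "$file" PasswordAuthentication)"
    root="$(sshd_setting "$file" PermitRootLogin)"
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '${pw:-unset (sshd defaults to yes)}', expected 'no'"
        problems=$((problems + 1))
    fi
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', expected 'no'"
        problems=$((problems + 1))
    fi
    # Turning passwords off with no key installed locks you out of the box.
    if ! grep -qvE '^[[:space:]]*(#|$)' "$authkeys" 2>/dev/null; then
        echo "no public key in $authkeys: add your key before disabling passwords"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# write_sample_configs DIR
# Writes two constructed sshd_config files (sample data, not real system files): typical
# defaults, and the same file after the guide's add/change step.
write_sample_configs() {
    dir="$1"
    cat > "$dir/sshd_config.before" <<'EOF'
# Constructed sample: defaults before hardening
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    cat > "$dir/sshd_config.after" <<'EOF'
# Constructed sample: after the guide's add/change step
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage on a real box: audit_sshd /etc/ssh/sshd_config /home/htmf/.ssh/authorized_keys
```

The Match block in the second sample shows why the parser stops there: a per-user override further down must not be mistaken for the global setting, which is the one that decides whether an arbitrary remote user can try passwords.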