...

  • config-master.php → FUNCTIONALITY_LOCATIONS → CONFASSISTANT_RADIUS = "NONE"
  • config-master.php → FUNCTIONALITY_LOCATIONS → CONFASSISTANT_SILVERBULLET = "LOCAL"
  • generate and install all the per-NRO server cert CAs in config/SilverbulletServerCerts/* (GitHub scripts available, will be executed by dev team)
  • generate and install the client cert issuing CA and corresponding (unprotected) private key in config/SilverbulletClientCerts/real.key and real.pem (see next section)

eduroam Managed IdP Client Certificate Root CA

It is crucial that all issued client certificates share a trust anchor which remains stable in the long term. To that end, an offline hardware-backed CA is provisioned and kept in a physically secure location on GEANT premises (TBD: where exactly is it stored, access controls to physical location). The CA itself is created with the CA generation script publicly available on GitHub.

...

  • install Raspbian Stretch (or higher); required for openssl 1.1+
  • install the package rng-tools (provides access to the built-in hardware random number generator under /dev/hwrng)
  • set the date and time (Raspberry Pi does not have a built-in clock)
  • after installing all needed packages, remove the Pi from the network and never connect it again.

Q to the SM: is it acceptable to take the preparatory steps before traveling to the signing ceremony? Or do everything live?

IMPORTANT: adapt settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf before issuing the CA. In particular:

  • crlDistributionPoints
  • caIssuers;URI.0
  • OCSP;URI.0
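
The following is an added example, not one of the CAT project's GitHub scripts: it issues a throwaway self-signed root with a minimal stand-in for settings/openssl-rsa.cnf that carries the three settings above, then checks that the issued certificate really contains them, which is the check worth running before a CA leaves the signing ceremony. All URLs are placeholders to be replaced with the real ones.

```shell
#!/bin/sh
# Added example (not the eduroam CAT project's own scripts): issue a throwaway
# root CA carrying the three settings the page says must be adapted, then verify
# that the resulting certificate really contains them. All URLs are placeholders.
set -e

CRL_URL="http://example.invalid/PLACEHOLDER.crl"          # placeholder, adapt
CAISSUERS_URL="http://example.invalid/PLACEHOLDER-ca.pem" # placeholder, adapt
OCSP_URL="http://example.invalid/PLACEHOLDER-ocsp"        # placeholder, adapt

# Minimal stand-in for settings/openssl-rsa.cnf, written to the path in $1.
write_cnf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Constructed Test Root CA
[ v3_ca ]
basicConstraints      = critical, CA:TRUE
keyUsage              = critical, keyCertSign, cRLSign
subjectKeyIdentifier  = hash
crlDistributionPoints = URI:$CRL_URL
authorityInfoAccess   = caIssuers;URI:$CAISSUERS_URL, OCSP;URI:$OCSP_URL
EOF
}

# Create a self-signed root in a temp dir using that config; prints the cert path.
make_test_ca() {
  dir=$(mktemp -d)
  write_cnf "$dir/openssl.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$dir/openssl.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  echo "$dir/ca.pem"
}

# Post-issuance check: all three URLs must appear in the certificate's extensions.
# Prints "ok" and returns 0, or names the first missing value and returns 1.
check_ca_extensions() {
  txt=$(openssl x509 -in "$1" -noout -text)
  for needle in "URI:$CRL_URL" "CA Issuers - URI:$CAISSUERS_URL" "OCSP - URI:$OCSP_URL"; do
    case "$txt" in
      *"$needle"*) ;;
      *) echo "missing: $needle"; return 1 ;;
    esac
  done
  echo ok
}
```

Run `check_ca_extensions` against the real root and intermediates after the ceremony; a certificate issued with the unmodified template will be reported as missing the production URLs.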

...

If you ever need to revoke an intermediate, the corresponding scripts can be used (one variant for RSA, one for ECDSA, both to be called with the corresponding serial number of the certificate).

eduroam Managed IdP Server Certificate and CA set

eduroam installers need to be configured with a server certificate trust (i.e. a root CA and a server name). So that the RADIUS service can be partitioned per NRO, each eduroam NRO gets its own self-signed root. This means approx. 200 self-signed CA certificates and server certificates need to be provisioned, all served by the RADIUS servers. The code to generate both the CA hierarchy and the FreeRADIUS configuration snippets that activate all those distinct personalities is available on GitHub.

...

Copy the server certificates, the private keys and the FreeRADIUS config snippets to the RADIUS servers.

Service Operation

Web Service (hosted.eduroam.org)

Main Services:

  • Apache2
  • MySQL / MariaDB
  • CAT PHP application

Logs:

  • /var/log/CAT/*
  • /var/log/apache2/*

RADIUS Servers (auth-1/2.hosted.eduroam.org)

Main Services:

  • FreeRADIUS 3

Logs:

  • /opt/tls/var/log/radius/*

OCSP Responder (ocsp.hosted.eduroam.org)

Main Services:

  • Apache2
  • PHP script for OCSP responses (contained in CAT distribution, utils/ocsp_web/*)

Logs:

  • /var/log/apache2/*

Interplay of the eduroam Managed IdP system components

...