Setup of YubiKey Validation Servers (YK-VAL)
All of our YubiKey validation servers are built on VMware virtual systems. This gives us greater flexibility when it comes to updating server specifications. To start, however, all our validation servers have the following characteristics.
- OS: Ubuntu 14.04 with Standard CSCF packages
- RAM: 8GB
- DISK: 100GB
- CPU: 2
- NICS: 1
Most of what follows is either copied directly from, or is a modification (based upon our installation experience) of, the Yubico installation instructions for a YubiKey OTP Validation Server (YK-VAL). We recommend that one follow this document and the Yubico document in parallel.
https://developers.yubico.com/yubikey-val/Installation.html
Essentially, three services are being installed and configured on the local server.
- YubiKey OTP Validation Server or YK-VAL
- MySQL Database Server
- Apache2 Web Server
The general assumption is that the installer has root access to the new validation server, as that level of authority will be required.
Step 1: YK-VAL Service Installation
The Yubico installation instructions refer to obtaining the source code from their git repository. However, our experience has shown that installation from git was not successful; installing from the available release package was easier. Therefore, download and install the latest YK-VAL server release. The current CSCF validation cluster is based upon yubikey-val-2.27.tgz. This gzipped tar (.tgz) file can be acquired directly from the following location.
https://developers.yubico.com/yubikey-val/Releases/
Unpack the resource package into the /tmp folder of the new validation server and perform make install.
Step 2: Install Web Server and PHP
YubiKey validation is backed by a local web server, and all validation requests are sent using http or https.
Installation will include the following packages:
- apache2
- php5
- php5-curl
- php-pear
This can all be done at once with the following command:
#> apt-get install apache2 php5 php5-curl php-pear
Step 3: Database Installation
We will be using MySQL for the database services, so this setup is based upon Step 3A in the Yubico documentation. Step 3B, which covers the PostgreSQL database service, can be ignored.
Installation will include the following packages:
- mysql-server
- php5-mysql
This can all be done at once with the following command:
#> apt-get install mysql-server php5-mysql
If you run into errors when installing the above packages, run the following command and then re-run the database software installation.
#> apt-get -f install
The installation asks for a MySQL "root" password; it is recommended that one be specified. To avoid having to specify a password when using the MySQL tool interactively, you can store the password in /root/.my.cnf. For example:
/root/.my.cnf:
[client]
user = root
password = YOURPASSWORD
Ensure that read access to this file is limited to its owner.
The database (called ykval) will need to be initialized using the following commands:
#> echo 'create database ykval' | mysql
#> mysql ykval < /usr/share/doc/yubikey-val/ykval-db.sql
You also need to create a database user for the "verifier" interface, normally called ykval_verifier:
#> mysql --silent ykval
mysql> CREATE USER 'ykval_verifier'@'localhost';
mysql> GRANT SELECT,INSERT,UPDATE(modified, yk_counter, yk_low, yk_high, yk_use, nonce) ON ykval.yubikeys TO 'ykval_verifier'@'localhost';
mysql> GRANT SELECT,INSERT,UPDATE(id, secret, active) ON ykval.clients TO 'ykval_verifier'@'localhost';
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON ykval.queue TO 'ykval_verifier'@'localhost';
mysql> SET PASSWORD FOR 'ykval_verifier'@'localhost' = PASSWORD('yourpassword');
mysql> FLUSH PRIVILEGES;
mysql> \q
#>
Step 4: Setup Verify OTP Interface
This is a fairly simple run of the make command, but it must be run in the source directory of the YubiKey validation server. It essentially sets up a series of symlinks in the web source directory to the corresponding php scripts. The entire output of the make command is shown here to permit verification of a successful install.
#> make symlink
install -d /var/www/wsapi/2.0
ln -sf /usr/share/yubikey-val/ykval-verify.php /var/www/wsapi/2.0/verify.php
ln -sf /usr/share/yubikey-val/ykval-sync.php /var/www/wsapi/2.0/sync.php
ln -sf /usr/share/yubikey-val/ykval-resync.php /var/www/wsapi/2.0/resync.php
ln -sf 2.0/verify.php /var/www/wsapi/verify.php
#>
Step 5: Include Path Configuration
This is also fairly straightforward. Just ensure the following files exist and have the following content.
/etc/default/ykval-queue:
DAEMON_ARGS="/etc/yubico/val:/usr/share/yubikey-val"
And...
/var/www/wsapi/2.0/.htaccess:
RewriteEngine on
RewriteRule ^([^/\.\?]+)(\?.*)?$ $1.php$2 [L]
<IfModule mod_php5.c>
php_value include_path ".:/etc/yubico/val:/usr/share/yubikey-val"
</IfModule>
Step 6: YK-VAL Configuration
The Yubico guide for this step recommends copying the /etc/yubico/val/ykval-config.php-template file to /etc/yubico/val/ykval-config.php to create an initial configuration. This "template" file was not present in our original installation (this may have been fixed by now), but the actual /etc/yubico/val/ykval-config.php is in place from the installation, so this is what we worked with. I followed most of the recommended settings for /etc/yubico/val/ykval-config.php. The password is the one set for the ykval_verifier user of the ykval database created earlier in Step 3.
If this is the first validation server to be built, there is no SYNC_POOL yet, so those options can be left unchanged (array empty). The same would also be true for the YKVAL_ALLOWED_SYNC_POOL array. But the example below carries the finished setup to work with our existing five-server cluster.
Note that the value for YKVAL_SYNC_SECURE_LEVEL is not the default. This value specifies what percentage of the SYNC_POOL must be up and running in order for validations to be accepted.
Also note that near the end of the config file, in the otp2ksmurls function, the location of the YK-KSM servers is specified. The KSM service can be incorporated into a validation server, but it is recommended that this function be separated onto its own server.
/etc/yubico/val/ykval-config.php:
<?php
if(!include '/etc/yubico/val/config-db.php') {
$dbuser='ykval_verifier';
$dbpass='BlahBlahBlahBlah';
$basepath='';
$dbname='ykval';
$dbserver='';
$dbport='';
$dbtype='mysql';
}
# For the validation interface.
$baseParams = array ();
$baseParams['__YKVAL_DB_DSN__'] = "mysql:dbname=ykval;host=127.0.0.1"; # "oci:oracledb" for Oracle DB (with OCI library)
$baseParams['__YKVAL_DB_USER__'] = $dbuser;
$baseParams['__YKVAL_DB_PW__'] = $dbpass;
$baseParams['__YKVAL_DB_OPTIONS__'] = array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION);
# For the validation server sync
$baseParams['__YKVAL_SYNC_POOL__'] = array(/*"http://api2.example.com/wsapi/2.0/sync",*/
"https://yubikey-val-2.cscf.uwaterloo.ca/wsapi/2.0/sync.php",
"https://yubikey-val-3.cscf.uwaterloo.ca/wsapi/2.0/sync.php",
"https://yubikey-val-4.cscf.uwaterloo.ca/wsapi/2.0/sync.php",
"https://yubikey-val-5.cscf.uwaterloo.ca/wsapi/2.0/sync.php"
/* "http://api4.example.com/wsapi/2.0/sync"*/);
# An array of IP addresses allowed to issue sync requests
# NOTE: You must use IP addresses here.
$baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array(/*"1.2.3.4",*/
"10.15.152.60",
"10.15.154.60",
"172.19.155.62",
"172.19.154.64"
/*"3.4.5.6"*/);
# An array of IP addresses allowed to issue YubiKey activation/deactivation
# requests through ykval-revoke.php. NOTE: You must use IP addresses here.
$baseParams['__YKREV_IPS__'] = array(/*"127.0.0.1"*/);
# An array of IP addresses allowed to issue database resync requests through
# ykval-resync.php. NOTE: You must use IP addresses here.
#$baseParams['__YKRESYNC_IPS__'] = array("127.0.0.1");
#Use the same as for issuing sync requests:
$baseParams['__YKRESYNC_IPS__'] = $baseParams['__YKVAL_ALLOWED_SYNC_POOL__'];
# Specify how often the sync daemon awakens
$baseParams['__YKVAL_SYNC_INTERVAL__'] = 20;
# Specify how long the sync daemon will wait for response
$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;
# Specify how old entries in the database should be considered aborted attempts
$baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 10;
# These are settings for the validation server.
$baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 0;
$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;
// otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for
// CLIENT. The URLs must be fully qualified, i.e., contain the OTP
// itself.
function otp2ksmurls ($otp, $client) {
//if ($client == 42) {
// return array("http://another-ykkms.example.com/wsapi/decrypt?otp=$otp");
//}
//if (preg_match ("/^dteffujehknh/", $otp)) {
// return array("http://different-ykkms.example.com/wsapi/decrypt?otp=$otp");
//}
return array(
//"http://ykkms1.example.com/wsapi/decrypt?otp=$otp",
"https://yubikey-ksm-1.cscf.uwaterloo.ca/wsapi/decrypt.php?otp=$otp",
"https://yubikey-ksm-2.cscf.uwaterloo.ca/wsapi/decrypt.php?otp=$otp",
"https://yubikey-ksm-3.cscf.uwaterloo.ca/wsapi/decrypt.php?otp=$otp"
//"http://ykkms2.example.com/wsapi/decrypt?otp=$otp",
// "http://127.0.0.1/wsapi/decrypt?otp=$otp"
);
}
?>
Step 7: Apache Configuration
This step will include Step 7B from the Yubico installation guide, which is the mod_ssl configuration for establishing https. As the guide points out, the mod_ssl package is normally pre-installed and just requires activation.
NOTE: In Yubico's installation guide, in step 7, the references to the names of the apache ykval and ykval-ssl configuration files are wrong. They should be as follows.
/etc/apache2/sites-available/ykval.conf
/etc/apache2/sites-available/ykval-ssl.conf
Otherwise, apache will not recognize them.
When creating the /etc/apache2/sites-available/ykval.conf file for the apache server, I modified the following two values.
ServerName clustrum202.cscf.uwaterloo.ca
ServerAdmin ctucker@cs.uwaterloo.ca
As seen below.
/etc/apache2/sites-available/ykval.conf:
<VirtualHost *:80>
ServerName yubikey-val-1.cscf.uwaterloo.ca
ServerAdmin ctucker@cs.uwaterloo.ca
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/ykval-error.log
LogLevel warn
CustomLog /var/log/apache2/ykval-access.log "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\""
ServerSignature On
</VirtualHost>
HTTPS is, strictly speaking, not required, but it is strongly recommended. Hence the configuration of ykval-ssl.conf below.
This configuration requires the specification of a series of certificate files. These certificate files are generated in a separate process - see CreateCertAuth.
/etc/apache2/sites-available/ykval-ssl.conf:
<VirtualHost *:443>
ServerName yubikey-val-1.cscf.uwaterloo.ca
ServerAdmin ctucker@cs.uwaterloo.ca
SSLEngine on
SSLCertificateFile /etc/ssl/private/yubikey-val-1.crt
SSLCertificateChainFile /etc/ssl/private/yubikey-val-1.csr
SSLCertificateKeyFile /etc/ssl/private/yubikey-val-1.key
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/ykval-ssl-error.log
LogLevel warn
CustomLog /var/log/apache2/ykval-ssl-access.log "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\""
ServerSignature On
</VirtualHost>
Then configure apache with the following commands.
#> a2enmod rewrite
Enabling module rewrite.
Run '/etc/init.d/apache2 restart' to activate new configuration!
#> a2dissite default
Site default disabled.
Run '/etc/init.d/apache2 reload' to activate new configuration!
#> a2ensite ykval ykval-ssl
Enabling site ykval.
Enabling site ykval-ssl.
Run '/etc/init.d/apache2 reload' to activate new configuration!
#> /etc/init.d/apache2 restart
#>
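A mistake that is easy to make in this step is to point one of the three SSLCertificate* directives at the wrong kind of file: the ykval-ssl.conf above names a .csr (a signing request, which is not a certificate) as SSLCertificateChainFile, and the notes at the end of this page describe the certificate and chain files being reversed. The following checker is an added example, not part of this page or of yubikey-val. It reads the vhost text, classifies each named PEM file by its BEGIN label, and reports type mix-ups (a CSR or a private key in a certificate slot, a certificate in the key slot). It cannot tell a swapped leaf/CA certificate pair apart, since both are CERTIFICATE blocks. The vhost text and PEM stand-ins are constructed; load_files() and key_file_is_private() are helper names chosen here.

```python
"""Check SSLCertificate* directives of an Apache vhost against the files they name.

Added example, not part of the page or of yubikey-val. File contents are passed
in as a dict so the check runs offline; load_files() reads real paths for it.
"""
import os
import re
import stat
from typing import Dict, List

DIRECTIVE_RE = re.compile(
    r"^\s*(SSLCertificateFile|SSLCertificateChainFile|SSLCertificateKeyFile)\s+(\S+)",
    re.MULTILINE)
PEM_LABEL_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----", re.MULTILINE)

# PEM labels acceptable in each slot.
ALLOWED_LABELS = {
    "SSLCertificateFile": {"CERTIFICATE"},
    "SSLCertificateChainFile": {"CERTIFICATE"},
    "SSLCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
OPTIONAL_DIRECTIVES = {"SSLCertificateChainFile"}


def ssl_directives(vhost_text: str) -> Dict[str, str]:
    """Map each SSLCertificate* directive in the vhost to the path it names."""
    return {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(vhost_text)}


def pem_labels(content: str) -> List[str]:
    """Labels of all PEM blocks in a file, in order of appearance."""
    return PEM_LABEL_RE.findall(content)


def check_vhost(vhost_text: str, files: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the slots are consistent."""
    problems = []
    directives = ssl_directives(vhost_text)
    for directive, allowed in ALLOWED_LABELS.items():
        path = directives.get(directive)
        if path is None:
            if directive not in OPTIONAL_DIRECTIVES:
                problems.append(f"{directive} is not set")
            continue
        content = files.get(path)
        if content is None:
            problems.append(f"{directive}: {path} is missing or unreadable")
            continue
        labels = pem_labels(content)
        if not labels:
            problems.append(f"{directive}: {path} contains no PEM block")
        for label in labels:
            if label not in allowed:
                problems.append(f"{directive}: {path} holds a {label} block, "
                                f"expected {' or '.join(sorted(allowed))}")
    return problems


def load_files(paths) -> Dict[str, str]:
    """Read real files for check_vhost(); unreadable ones are left out so they are reported."""
    files = {}
    for path in paths:
        try:
            with open(path, encoding="ascii") as fh:
                files[path] = fh.read()
        except OSError:
            pass
    return files


def key_file_is_private(path: str) -> bool:
    """True when the key file is not readable by group or others (chmod 600 style)."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IRGRP | stat.S_IROTH)


# Constructed sample: the Step 7 vhost with a .csr in the chain slot.
SAMPLE_VHOST = """\
<VirtualHost *:443>
ServerName yubikey-val-1.cscf.uwaterloo.ca
SSLEngine on
SSLCertificateFile /etc/ssl/private/yubikey-val-1.crt
SSLCertificateChainFile /etc/ssl/private/yubikey-val-1.csr
SSLCertificateKeyFile /etc/ssl/private/yubikey-val-1.key
</VirtualHost>
"""
# Constructed PEM stand-ins (headers only, no real key material).
SAMPLE_FILES = {
    "/etc/ssl/private/yubikey-val-1.crt": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "/etc/ssl/private/yubikey-val-1.csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIB...\n-----END CERTIFICATE REQUEST-----\n",
    "/etc/ssl/private/yubikey-val-1.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for problem in check_vhost(SAMPLE_VHOST, SAMPLE_FILES):
        print(problem)
```

Against the constructed sample the checker reports exactly one problem, the CERTIFICATE REQUEST in the chain slot; on a real server, pass `load_files(ssl_directives(text).values())` instead of SAMPLE_FILES and run it before `/etc/init.d/apache2 restart`.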
Step 8: Logging
The PHP interface uses syslog for logging of incoming requests. The facility is LOG_LOCAL0. To place these messages in a separate file, you can add the following to /etc/syslog.conf, or if you use rsyslog, create a file /etc/rsyslog.d/ykval.conf with this content:
user@val:~$ sudo sh -c 'cat > /etc/rsyslog.d/ykval.conf'
local0.* -/var/log/ykval.log
user@val:~$ sudo /etc/init.d/rsyslog restart
...
user@val:~$
The - before the filename avoids syncing the file after each write, which is recommended for performance.
The log file can grow large quickly, so it is a good idea to set up rotation of log files. Here is an example that rotates the log file weekly. Create a file /etc/logrotate.d/ykval like this:
user@val:~$ sudo sh -c 'cat > /etc/logrotate.d/ykval'
/var/log/ykval.log {
weekly
dateext
compress
missingok
rotate 9999
notifempty
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}
user@val:~$
You may want to modify the default /etc/logrotate.d/apache2; useful things to add are dateext and compress, and change rotate to something large if you want to retain logs.
Step 8.1: Fix default log (optional)
Unfortunately, most default syslog configurations, including the syslog.conf configuration file on Debian, will also log all entries to /var/log/syslog and/or /var/log/messages.
I am not aware of any way to avoid this without modifying these other rules. To avoid YK-VAL log entries in these other files, you must modify the default rules. For example, edit the following lines of /etc/rsyslog.conf (or /etc/syslog.conf if you don't use rsyslog):
*.=debug; auth,authpriv.none; news.none;mail.none -/var/log/debug
*.*;auth,authpriv.none -/var/log/syslog
*.=info;*.=notice;*.=warn; auth,authpriv.none; cron,daemon.none; mail,news.none -/var/log/messages
Change them into:
*.=debug; auth,authpriv.none; news.none;mail.none;local0.none -/var/log/debug
*.*;auth,authpriv.none,local0.none -/var/log/syslog
*.=info;*.=notice;*.=warn; auth,authpriv.none; cron,daemon.none; local0.none; mail,news.none -/var/log/messages
Idempotent commands to speed this up:
user@host:~$ sudo perl -pi -e 's/;auth,authpriv.none/;auth,local0.none,authpriv.none/' /etc/rsyslog.conf
user@host:~$ sudo perl -pi -e 's/news.none;mail.none/news.none;local0.none;mail.none/' /etc/rsyslog.conf
user@host:~$ sudo perl -pi -e 's/cron,daemon.none/cron,daemon.none;local0.none/' /etc/rsyslog.conf
user@host:~$ sudo /etc/init.d/rsyslog restart
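To see why each catch-all rule needs its own local0.none entry, here is an added example (not part of this page or of yubikey-val) that evaluates classic syslog.conf/rsyslog selector lines the way I understand the sysklogd rules (an assumption): a facility list ends at the first '.', a priority name ends at ',' or ';', 'none' drops the facility, '=prio' selects exactly that priority, and a bare 'prio' selects that priority and everything more severe. The rsyslog.conf continuation lines from Step 8.1 are written here on one line each as constructed sample input.

```python
"""Evaluate syslog selector lines such as '*.*;auth,authpriv.none -/var/log/syslog'.

Added example, not part of the page or of yubikey-val; follows sysklogd
selector rules as understood here (assumption).
"""
import re

PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3,
              "error": 3, "warning": 4, "warn": 4, "notice": 5, "info": 6,
              "debug": 7}
ALL_PRIORITIES = frozenset(range(8))


def parse_selector(selector: str):
    """Split 'fac1,fac2.prio;fac3.prio' into (facilities, priority) pairs.

    The facility list ends at the first '.', the priority name at ',' or ';',
    so 'auth,authpriv.none,local0.none' yields two pairs, as sysklogd reads it.
    """
    pairs = []
    pos = 0
    while pos < len(selector):
        dot = selector.find(".", pos)
        if dot < 0:
            raise ValueError(f"selector without priority: {selector[pos:]!r}")
        facilities = [f.strip() for f in selector[pos:dot].split(",") if f.strip()]
        match = re.match(r"[^,;]*", selector[dot + 1:])
        pairs.append((facilities, match.group(0).strip()))
        pos = dot + 1 + match.end()
        while pos < len(selector) and selector[pos] in ",;":
            pos += 1
    return pairs


def priority_mask(spec: str):
    """Priorities selected by '*', 'info', '=warn', ...; None means 'none' (drop)."""
    if spec == "none":
        return None
    if spec == "*":
        return set(ALL_PRIORITIES)
    exact = spec.startswith("=")
    name = spec.lstrip("=")
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority {spec!r}")
    level = PRIORITIES[name]
    return {level} if exact else {p for p in ALL_PRIORITIES if p <= level}


def matches(rule_line: str, facility: str, priority: str) -> bool:
    """True if a message of facility.priority would be written by this rule line."""
    tokens = rule_line.split()
    selector = "".join(tokens[:-1])          # everything before the action (file)
    selected = set()
    for facilities, spec in parse_selector(selector):
        if facility not in facilities and "*" not in facilities:
            continue
        mask = priority_mask(spec)
        if mask is None:
            selected = set()                 # 'none' drops the facility entirely
        else:
            selected |= mask
    return PRIORITIES[priority] in selected


def excludes_local0(rule_line: str) -> bool:
    """Does this rule line drop every local0 (YK-VAL) message?"""
    return not any(matches(rule_line, "local0", p) for p in PRIORITIES)


# Constructed samples: the Debian rules from Step 8.1, before and after the fix.
SYSLOG_BEFORE = "*.*;auth,authpriv.none -/var/log/syslog"
SYSLOG_AFTER = "*.*;auth,authpriv.none,local0.none -/var/log/syslog"
MESSAGES_BEFORE = ("*.=info;*.=notice;*.=warn; auth,authpriv.none; "
                   "cron,daemon.none; mail,news.none -/var/log/messages")
MESSAGES_AFTER = ("*.=info;*.=notice;*.=warn; auth,authpriv.none; "
                  "cron,daemon.none; local0.none; mail,news.none -/var/log/messages")
YKVAL_RULE = "local0.* -/var/log/ykval.log"

if __name__ == "__main__":
    for name, rule in [("syslog before", SYSLOG_BEFORE), ("syslog after", SYSLOG_AFTER),
                       ("messages before", MESSAGES_BEFORE), ("messages after", MESSAGES_AFTER)]:
        print(f"{name}: local0.info written = {matches(rule, 'local0', 'info')}")
```

Run the same check against a copy of /etc/rsyslog.conf after the perl substitutions to confirm that no catch-all rule still writes local0 messages while /var/log/ykval.log keeps receiving them.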
Step 9: Start Sync Daemon
When using yubikey-val in a sync pool, you need to have the ykval-queue daemon running to ensure that data is synchronized between the servers in the pool. The easiest way of running this is to simply invoke ykval-queue in a shell:
user@val:~$ sudo ykval-queue
However, the recommended approach is to automate running this process in the background, by use of an init script or similar. Instructions on doing so vary depending on your operating system.
Step 10: Sync data from an existing server (optional)
If you're adding a new server to an existing pool, you can synchronize all YubiKey counter data from one of the existing servers. To do so, the server you want to sync from needs to be configured to allow it. Do this by editing /etc/yubico/val/ykval-config.php on the existing server, adding the new server's IP address to the YKRESYNC_IPS setting. You'll most likely want to add the IP to the YKVAL_ALLOWED_SYNC_POOL setting as well. You also need to edit this file on the new server, adding the existing server(s)' IP address(es) to YKVAL_ALLOWED_SYNC_POOL.
Once these permissions have been configured, you can initiate the full sync by running the following command from the new server:
user@val:~$ ykval-synchronize http:///wsapi/2.0/resync all
Step 11: Test it
You can test the service by requesting a URL. Using wget, for example:
user@val:~$ wget -q -O - 'http://localhost/wsapi/2.0/verify?id=1&nonce=asdmalksdmlkasmdlkasmdlakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
h=/QVWkl5VlcX+Or1A2b3vOeoLEwI=
t=2010-05-17T14:48:15Z0355
otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh
nonce=asdmalksdmlkasmdlkasmdlakmsdaasklmdlak
status=NO_SUCH_CLIENT
user@val:~$
Naturally, you will need to import client keys into the database for the verify function to work properly.
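The wget test above shows the raw exchange, but a client of this server must also verify the h line, which is the server's signature over the other response fields, and check that the echoed otp and nonce are the ones it sent. The following is an added example, not part of this page or of yubikey-val, of that client-side handling. It assumes the signing rule of the Yubico validation protocol 2.0 (HMAC-SHA1 over the alphabetically sorted key=value pairs, h excluded, joined by '&', keyed with the base64-decoded client API key, result base64-encoded); the client key and the server response are constructed, and signed_response() stands in for the server. It also includes the Step 6 sync-level arithmetic (how many SYNC_POOL servers must answer for a given sl percentage); rounding up is an assumption.

```python
"""Client-side handling of a YK-VAL 2.0 verify exchange.

Added example, not part of the page or of yubikey-val. Signing rule per the
Yubico validation protocol 2.0 as assumed in the lead-in; sample data constructed.
"""
import base64
import hashlib
import hmac
import math
import secrets
import string

NONCE_ALPHABET = string.ascii_letters + string.digits


def make_nonce(length: int = 32) -> str:
    """Random nonce of 16-40 alphanumerics, the range the verify API accepts."""
    if not 16 <= length <= 40:
        raise ValueError("nonce length must be 16..40")
    return "".join(secrets.choice(NONCE_ALPHABET) for _ in range(length))


def build_verify_url(base_url: str, client_id: int, otp: str, nonce: str,
                     sync_level="secure", timeout: int = 5) -> str:
    """The Step 11 request plus the sl and timeout parameters."""
    return (f"{base_url}/wsapi/2.0/verify?id={client_id}&otp={otp}"
            f"&nonce={nonce}&sl={sync_level}&timeout={timeout}")


def parse_response(body: str) -> dict:
    """Parse the key=value lines the server returns (cf. the Step 11 output)."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            fields[key] = value
    return fields


def response_signature(fields: dict, api_key_b64: str) -> str:
    """h = base64(HMAC-SHA1(key, 'k1=v1&k2=v2...' sorted by key, h excluded))."""
    payload = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    key = base64.b64decode(api_key_b64)
    mac = hmac.new(key, payload.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def check_response(body: str, api_key_b64: str, otp: str, nonce: str):
    """Return (accepted, reason). Only a correctly signed OK that echoes the otp
    and nonce we sent is accepted, so a replayed or mixed-up reply is rejected."""
    fields = parse_response(body)
    if "h" not in fields:
        return False, "unsigned response"
    if not hmac.compare_digest(fields["h"], response_signature(fields, api_key_b64)):
        return False, "bad signature"
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return False, "otp/nonce do not match the request"
    if fields.get("status") != "OK":
        return False, fields.get("status", "no status")
    return True, "OK"


def required_answers(pool_size: int, sync_level: int) -> int:
    """SYNC_POOL servers that must answer for an sl percentage (Step 6).
    With the four-entry pool of the page, sl=40 needs 2 answers. Rounds up (assumption)."""
    if not 0 <= sync_level <= 100:
        raise ValueError("sl must be 0..100")
    return math.ceil(pool_size * sync_level / 100)


# Constructed client API key (real keys are 20 random bytes, shared with the server).
CONSTRUCTED_API_KEY = base64.b64encode(b"twenty-byte-test-key").decode("ascii")


def signed_response(status: str, otp: str, nonce: str, api_key_b64: str,
                    timestamp: str = "2015-01-06T21:55:09Z0121") -> str:
    """Stand-in for the server: build a response body signed with the client key."""
    fields = {"t": timestamp, "otp": otp, "nonce": nonce, "status": status, "sl": "100"}
    fields["h"] = response_signature(fields, api_key_b64)
    return "\n".join(f"{k}={v}" for k, v in fields.items()) + "\n"


if __name__ == "__main__":
    otp = "dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh"
    nonce = make_nonce()
    print(build_verify_url("http://localhost", 1, otp, nonce))
    body = signed_response("OK", otp, nonce, CONSTRUCTED_API_KEY)
    print(check_response(body, CONSTRUCTED_API_KEY, otp, nonce))
```

The comparison of h uses hmac.compare_digest so that a wrong signature is rejected in constant time; the status value is only trusted after the signature and the nonce/otp echo have been checked, which is the order a real client should keep as well.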
Installed yubikey-val-2.27
Downloaded it directly from https://developers.yubico.com/yubikey-val/Releases/ instead of relying on git as stated in the installation web guide.
Yubico has a web page with instructions upon how to install their server software for their yubikeys.
https://developers.yubico.com/yubikey-val/Installation.html
Officially, this service is called "Yubikey Validation Server (YK-VAL)"
From the yubikey installation page...
"The purpose of the Yubikey validation server is to validate Yubikey OTPs. The validation server is written in PHP, and thus needs a web server and a database. We will use Apache and MySQL, but with small modifications it should be possible to use with other implementations too (e.g., lighttpd and PostgreSQL)."
Within step 1 of the yubikey installation guideline (https://developers.yubico.com/yubikey-val/Installation.html) it states to download the Validation Server software as a GIT with the following command.
#> git clone git://developers.yubico.com/yubikey-val.git
But this does not work...
root@ubuntu1204-006:/tmp/yubi# git clone git://developers.yubico.com/yubikey-val.git
Cloning into 'yubikey-val'...
fatal: unable to connect to developers.yubico.com:
developers.yubico.com[0: 212.71.250.67]: errno=Connection refused
developers.yubico.com[1: 2a01:7e00::f03c:91ff:fedb:c4a6]: errno=Network is unreachable
Tue, Jan 6 2015 10:10 Clayton Tucker (ctucker) commented
Alternatively, I had to go to github.com (https://github.com/Yubico/yubikey-val) and download the source in ZIP format on windows.cs and then transfer the ZIP file to clustrum202. There I unpacked the source code in the local /tmp directory.
The make install then works from there.
root@clustrum202:/tmp/yubi/yubikey-val-master# make install
Step 2: Install web server and PHP5 which the validation service will use.
So install:
apache2
php5
php5-curl
php-pear
root@clustrum202:/tmp/yubi/yubikey-val-master# apt-get install apache2 php5 php5-curl php-pear
Step 3 involves installing the database software. There are two approaches: implement with MySQL or implement with PostgreSQL
For this prototype we will use MySQL...
The installation will prompt for a password for the database root user. I will implement Jason's (Testart) standard for said password.
root@clustrum202:/tmp/yubi/yubikey-val-master# apt-get install mysql-server php5-mysql
I was also advised when repeating "apt-get install mysql-server php5-mysql" to run the following in order to correct some of the errors encountered above.
root@clustrum202:/etc/pam.d# apt-get -f install
This seems to have made everything happy.
root@clustrum202:/etc/pam.d# apt-get install mysql-server php5-mysql
Step 4 is fairly simple but must be run in the source directory of the yubikey validation server.
root@clustrum202:/tmp/yubi/yubikey-val-master# make symlink
Step 5 is also fairly straight forward. Just run the commands provided.
root@clustrum202:/tmp/yubi/yubikey-val-master# sh -c 'cat > /etc/default/ykval-queue'
DAEMON_ARGS="/etc/yubico/val:/usr/share/yubikey-val"
^C
root@clustrum202:/tmp/yubi/yubikey-val-master#
And
root@clustrum202:/tmp/yubi/yubikey-val-master# sh -c 'cat > /var/www/wsapi/2.0/.htaccess'
RewriteEngine on
RewriteRule ^([^/\.\?]+)(\?.*)?$ $1.php$2 [L]
php_value include_path ".:/etc/yubico/val:/usr/share/yubikey-val"
^C
root@clustrum202:/tmp/yubi/yubikey-val-master#
The last part about creating the symbolic link to the newly created .htaccess file should be done in the /var/www/wsapi directory.
root@clustrum202:/var/www/wsapi# ln -s 2.0/.htaccess /var/www/wsapi/.htaccess
root@clustrum202:/var/www/wsapi# ls -la
total 12
drwxr-xr-x 3 root root 4096 Jan 6 10:53 .
drwxr-xr-x 4 root root 4096 Jan 6 10:40 ..
drwxr-xr-x 2 root root 4096 Jan 6 10:49 2.0
lrwxrwxrwx 1 root root 13 Jan 6 10:53 .htaccess -> 2.0/.htaccess
lrwxrwxrwx 1 root root 14 Jan 6 10:40 verify.php -> 2.0/verify.php
Step 6: YK-VAL Configuration
The guide recommends copying a /etc/yubico/val/ykval-config.php-template file over to the /etc/yubico/val/ykval-config.php to create an initial configuration. This "template" file is not present in our installation but the actual /etc/yubico/val/ykval-config.php is in place so we will work with that for now.
I followed most of the recommended settings for ykval-config.php. The password is the one set for the ykval database created earlier in Step 3.
We don't have a SYNC_POOL yet so those options were left unchanged - array empty.
And I did update YKVAL_DB_OPTIONS to read as was recommended.
$baseParams['__YKVAL_DB_OPTIONS__'] = array(PDO::ATTR_PERSISTENT => true);
Step 7: Apache configuration
When creating the /etc/apache2/sites-available/ykval file for the apache server, I modified the following two values.
ServerName clustrum202.cscf.uwaterloo.ca
ServerAdmin ctucker@cs.uwaterloo.ca
We will also follow Step 7B: HTTPS via mod_ssl in order to create the HTTPS web service.
With respect to certificates, I partially followed the recommendations in the guide by first creating a key called clustrum202.cscf.uwaterloo.ca-key.pem
#> certtool -p --outfile clustrum202.cscf.uwaterloo.ca-key.pem
But then instead of relying on a traditional certificate authority I created a self signing certificate based upon the key.
#> certtool --generate-self-signed --load-privkey clustrum202.cscf.uwaterloo.ca-key.pem
Answers to some of the questions put to the user are listed below. This is for a web server with signing and encryption.
Extensions:
  Basic Constraints (critical):
    Certificate Authority (CA): FALSE
  Subject Alternative Name (not critical):
    DNSname: clustrum202.cscf.uwaterloo.ca
    IPAddress: 10.15.155.60
  Key Purpose (not critical):
    TLS WWW Server.
  Key Usage (critical):
    Digital signature.
    Key encipherment.
  Subject Key Identifier (not critical):
    b6c32420431f6143207e6e49d7fe0165104f7e
  CRL Distribution points (not critical):
    URI: clustrum202.cscf.uwaterloo.ca/crl
The certificate portion of the output from certtool --generate-self-signed ...
I saved as clustrum202.cscf.uwaterloo.ca-chain.pem
Both clustrum202.cscf.uwaterloo.ca-key.pem and clustrum202.cscf.uwaterloo.ca-chain.pem are stashed in /etc/ssl/private
As part of step 7, three lines in the file /etc/apache2/sites-available/ykval-ssl.conf had to be edited from the provided example.
SSLCertificateFile /etc/ssl/private/api.example.com-chain.pem
SSLCertificateChainFile /etc/ssl/private/api.example.com-chain.pem
SSLCertificateKeyFile /etc/ssl/private/api.example.com-key.pem
to read
SSLCertificateFile /etc/ssl/private/clustrum202.cscf.uwaterloo.ca-chain.pem
SSLCertificateChainFile /etc/ssl/private/clustrum202.cscf.uwaterloo.ca-chain.pem
SSLCertificateKeyFile /etc/ssl/private/clustrum202.cscf.uwaterloo.ca-key.pem
NOTE: In the guide in step 7, the references to the names of the apache ykval and ykval-ssl configuration files are wrong. They should be as follows.
/etc/apache2/sites-available/ykval.conf
/etc/apache2/sites-available/ykval-ssl.conf
Otherwise, apache will not recognize them.
After all of this it is a good idea to restart the apache2 service
#> service apache2 restart
I followed the step 8 logging configuration instructions.
However, I skipped step 8.1 as I am not concerned (at the moment) about logs from YK-VAL ending up in the messages log.
Looks like steps 9 and 10 are not required as we are on just one prototype server and not a sync pool yet.
NOTE: When setting the value (password) of YKVAL_DB_PW in step 6 (configuring YK-VAL), the password is to be the MySQL password for the 'ykval_verifier'@'localhost' user created within MySQL in step 3A (configuring MySQL).
/etc/yubico/val/ykval-config.php:
$baseParams['__YKVAL_DB_PW__'] = ;
So I ran the test listed in Step 11:
The test output was consistent with the example provided in the guide.
root@clustrum202:/var/log# wget -q -O - 'http://localhost/wsapi/2.0/verify?id=1&nonce=asdmalksdmlkasmdlkasmdlakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
h=quK6GXwX9ERdgwtr5/er8o5wD0o=
t=2015-01-06T21:55:09Z0121
status=NO_SUCH_CLIENT
I have elected to replace the key and certificate used for implementing https service as I suspect that I did not properly sign the self signed certificate in the original setup.
So first generate a new key and certificate authority together.
#> openssl req -nodes -new -x509 -keyout experiment101.key -out experiment101.cert
Create a request for a certificate to be signed by your key.
#> openssl x509 -x509toreq -days 2000 -in experiment101.cert -signkey experiment101.key -out experiment101.req
Generate the signed certificate.
#> openssl x509 -req -days 2000 -in experiment101.req -signkey experiment101.key -out experiment101.crt
Then I edited the certificate lines of the /etc/apache2/sites-available/ykval-ssl.conf file to the following
SSLCertificateFile /etc/ssl/private/yubikey-val-CA1.crt
SSLCertificateChainFile /etc/ssl/private/yubikey-val-CA1.cert
SSLCertificateKeyFile /etc/ssl/private/yubikey-val-CA1.key
NOTE: I had renamed all the files generated above from experiment101.* to yubikey-val-CA1.*
I then restarted the apache web server.
service apache2 restart
I also installed yubikey-val-CA1.crt into the certs depository of the local system.
Copied yubikey-val-CA1.crt to /usr/share/ca-certificates/CSCF/yubikey-val-CA1.crt
Updated the /etc/ca-certificates.conf file to include the line...
CSCF/yubikey-val-CA1.crt
Ran update-ca-certificates
OOPS! Got this backwards somewhat.
The key and certificate generation were correct but they were not properly implemented into the apache2 https configuration.
In the certificate request step I changed the FQDN of the validation server to yubikey-val.cscf.uwaterloo.ca. This should have been updated in the apache configuration file below.
Also I got the certificate and the certificate chain reversed - below is the correct configuration. Also it is the certificate file (yubikey-val-CA1.cert) that requires export to the client systems.
/etc/apache2/sites-available/ykval-ssl.conf:
<VirtualHost *:443>
ServerName yubikey-val.cscf.uwaterloo.ca
ServerAdmin ctucker@cs.uwaterloo.ca
SSLEngine on
SSLCertificateFile /etc/ssl/private/yubikey-val-CA1.cert
SSLCertificateChainFile /etc/ssl/private/yubikey-val-CA1.crt
SSLCertificateKeyFile /etc/ssl/private/yubikey-val-CA1.key
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/ykval-ssl-error.log
LogLevel warn
CustomLog /var/log/apache2/ykval-ssl-access.log "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\""
ServerSignature On
</VirtualHost>
-- ClaytonTucker - 2015-09-03