NUST School of Electrical Engineering and Computer Science KTH Applied Information Security Lab. Installation Manual


Academic year: 2021


NUST School of Electrical Engineering and Computer Science KTH Applied Information Security Lab

Installation Manual

Symmetric Cryptographic Key Management

Faiza Fakhar

School of Electrical Engineering & Computer Science, National University of Science & Technology


Table of Contents

1 Introduction
1.1 Purpose
1.2 Product Information
2 Installation Manual
2.1 Pre-requisites
2.1.1 Cloud Environment Preparation
2.1.2 Required Software
2.1.3 Software Installation Guide
2.1.4 Pre-installation Test
2.1.5 Enable SSL on JBoss
2.2 Installation Procedure
2.2.1 DB Script Running
2.2.2 WAR Configuration
2.2.3 Post-installation Test
2.3 Uninstall or Roll-back


Table of Figures

Figure 2.1: Deployment Environment
Figure 2.2: Servers Working
Figure 2.3: JAVA_HOME
Figure 2.4: Set JAVA_HOME
Figure 2.5: Starting JBOSS
Figure 2.6: Stopping JBOSS
Figure 2.7: MySql Installation Step2
Figure 2.8: MySql Installation Step3
Figure 2.9: MySql Installation Step 4
Figure 2.10: MySql Installation Step 5
Figure 2.11: MySql Installation Step 6
Figure 2.12: MySql Installation Step 7
Figure 2.13: MySql Workbench Start Screen
Figure 2.14: MySql Workbench Working View
Figure 2.15: MySql Workbench Query Execution
Figure 2.16: Key Store Generation
Figure 2.17: skcm.properties File


1 Introduction

1.1 Purpose

This document covers the essential equipment requirements, software functionality and installation guidelines for the Symmetric Cryptographic Key Management prototype.

1.2 Product Information

Product: Symmetric Cryptographic Key Management (SCKM)

Overview

SCKM is a protocol developed to manage the secure storage and retrieval of cryptographic keys in a cloud-based environment. In traditional on-premise software deployment models, cryptographic keys are kept on secure data servers. In the cloud storage model, the security of sensitive data storage is an open question: an insecure storage problem or an access control weakness may lead to data access by a malicious outside or inside user. Building a robust cryptosystem requires a strong algorithm and proper cryptographic key management techniques. This protocol is based on secret splitting and uses an enhanced version of Shamir's algorithm for it. On-the-fly computation of the cryptographic key addresses the integrity and privacy concerns related to cryptographic key management on a cloud platform.

The most prominent features provided by SCKM are as follows:

• Key splitting and storage on different servers.

• SSH support.

• PKCS#7 support.

• On-the-fly computation of the cryptographic key.

2 Installation Manual

The main components that should be completely and correctly described in this manual are as follows:

• Prerequisites

• Install procedure

• Un-install procedure

2.1 Pre-requisites

The following prerequisites are required before the installation can begin.

• Cloud Environment Preparation

• Required Software

• Software Installation Guide

2.1.1 Cloud Environment Preparation

Cloud computing can be described as the next generation of computing in the progression of distributed computing. This paradigm mixes the features of utility, internet, grid and green computing and provides a single working platform. The following figure describes the cloud model that was used to test the proposed protocol. The Client/Consumer/Application is the end user who wants to use cloud services. Cloud providers are the different vendors who own servers and computational environments. Cloud storage consists of the different servers owned and managed by the cloud provider. A cloud service provider offers a variety of cloud services to its consumers; these can be classified into three layers, i.e. Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). These layers differ in the services they provide and in their underlying resource usage.

Figure 2.1: Deployment Environment

We can use the available services of a cloud vendor, such as the Amazon EC2 cloud, which can be obtained by registering on their website. A self-service guide on how to use Amazon services is available at http://aws.amazon.com/. Alternatively, we can set up our own cloud environment. Several infrastructure-based clouds are available, such as OpenStack. These clouds can be set up using their published guides; for example, to set up OpenStack, use the required document from http://docs.openstack.org/trunk/openstack-compute/install/yum/content/

After registering with any type of cloud environment, we can take single or multiple virtual machines to set up our application. We require two types of servers for this application:

• Database Server

• Application Server

Figure 2.2: Servers Working

The database server is a virtual machine where the application data will reside. It uses cloud storage, which can be at a different physical location of the cloud or at the same physical location. Furthermore, the database server requires a database on it. For our application we use MySQL Community Server, which should be installed on the database server before deploying the proposed protocol prototype. Installation steps and further details are given in the next section. More than one server can act as a database server, as our proposed protocol requires more than one database server.

The application server is a virtual machine where the application executable will be installed. In a cloud environment, more than one application server can be used for load balancing. An important aspect of the deployment environment is that both the application and database servers can reside on the same virtual machine. The deployment design depends on the available resources.

2.1.2 Required Software

Application servers should hold the following software components:

• JBoss version 4.0.5.GA

• JAVA version 1.6.0_23

• Mysql community-5.6.10.1

• MySQL WorkBench (Optional)

2.1.3 Software Installation Guide

• Java

The Symmetric Cryptographic Key Management protocol requires Java version 1.6.0_23. The download link for Java is available on the following page.

http://www.oracle.com/technetwork/java/javase/archive-139210.html

The following link specifies the procedure for installing Java.

http://www.java.com/en/download/help/ie_online_install.xml

By default the JDK is installed in C:\Program Files (x86)\java\jdk<version>. After installation, check the JAVA_HOME environment variable and set it if it is not already set.

Check JAVA_HOME environment variable

1. Open a command prompt window

2. At the command prompt, type set and press ENTER key

3. Find JAVA_HOME in the command output and verify that it matches the path to your JDK installation directory.

4. If you cannot find JAVA_HOME environment variable or it points to the wrong directory, then set JAVA_HOME environment variable as mentioned in the procedure below.


Set JAVA_HOME environment variable

1. Right-click My Computer and select Properties.

2. Go to the Advanced tab. (In Windows 7, right-click Computer and select Advanced System Settings, then Environment variables.)

3. If the environment variable JAVA_HOME does not exist in User variables or System variables, create it.

Figure 2.4: Set JAVA_HOME

4. To create the JAVA_HOME environment variable, click the New button.

5. Set the value of the JAVA_HOME environment variable to the path of your JDK installation directory, for example C:\Program Files\Java\jdk1.6.0_21\

• JBOSS

JBOSS (Java Beans Open Source Software) is a cross-platform application server written in Java and executed on the Java platform. It features an embedded Apache Tomcat servlet container. It is open source software under the LGPL (Lesser General Public License). The JBOSS Application Server is downloaded as a compressed zip file from the following link.

http://www.jboss.org/jbossas/downloads

The Symmetric Cryptographic Key Management software requires version 4.0.5 of the JBOSS Application Server, which is available in zip format at the following link.

http://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.0.5.GA

To use the JBOSS Application Server, simply unzip the downloaded file.

Starting and Stopping JBOSS Application Server

Following is the procedure for starting JBOSS Application Server.

1. Before running the JBOSS Application Server, ensure that JAVA 1.6 is installed and the JAVA_HOME environment variable is set.

2. To start the JBOSS Application Server, go to the directory where you unzipped the downloaded file.

3. Go to the bin subfolder in the installation directory.

4. Execute the run.bat batch file.

Figure 2.5: Starting JBOSS

Following is the procedure for stopping JBOSS Application Server.

1. To stop the JBOSS Application Server, go to the directory where you unzipped the downloaded file.

2. Go to the bin subfolder in the installation directory.

3. Execute the shutdown.bat batch file with the -S switch.

• MySQL

MySQL is an open source database server from Oracle. MySQL Community Server can be downloaded from

http://dev.mysql.com/downloads/mysql/

Select Microsoft Windows as the platform and click the download link located at the bottom of the above page. There are both 32-bit and 64-bit versions of MySQL. Select the version appropriate to your architecture.

Following is the procedure for installation of MySQL.

1. The MySQL wizard will guide you through the step-by-step installation of MySQL.

2. After the initial screen and license agreement, the wizard will ask for the type of setup. There are five options. Choose the Developer Default option. In this step, the installation path and data path can be changed.

Figure 2.7: MySql Installation Step2

3. The next step will check the dependencies for the option selected by the user. MySQL requires Dot Net Framework version 4 which is downloadable from (http://www.microsoft.com/en-pk/download/details.aspx?id=17718)

Figure 2.8: MySql Installation Step3

4. Click the Next button and then the Execute button in the next step to start the installation.

Figure 2.9: MySql Installation Step 4

5. After the installation is complete, the wizard will ask for configuration. In the first step of the configuration, select Development Machine for Server Configuration. Leave the rest of the options unchanged.

Figure 2.10: MySql Installation Step 5

6. In the next step, set the root password as appropriate. Additional users may be added here.

Figure 2.11: MySql Installation Step 6

7. In the third and final step of configuration, specify the Windows Service details.

• MySQL WorkBench

MySQL WorkBench is the front end of the MySQL Community Server. The MySQL WorkBench installer can be downloaded from the following link.

http://dev.mysql.com/downloads/tools/workbench/

Select Microsoft Windows as the platform and click the download link located at the bottom of the above page.

Run the mysql-workbench-community-6.0.8-win32.msi file downloaded above to install it. The installation is a simple wizard which will guide you through each step. After installation, run MySQL Workbench; the following screen should appear.

Figure 2.13: MySql Workbench Start Screen

Select DataBase->Connect to database to connect to the database. After entering the username and password, the following screen should appear.

Figure 2.14: MySql Workbench Working View

The query can be entered in the query pane.


2.1.4 Pre-installation Test

Before deploying our proposed application on JBoss, verify that JBoss is working properly. First start JBoss as described above, and then enter the following URL in a browser to verify that JBoss is installed correctly:

http://<serverurl>:<port>/

2.1.5 Enable SSL on JBoss

In today's Internet-focused world, the SSL protocol is typically used when a web browser needs to connect securely to a web server over the inherently insecure Internet. Technically, SSL is a transparent protocol which requires little interaction from the end user when establishing a secure session. To enable SSL in our deployed application, the following steps are required.

1. Stop the JBOSS Server.

Generating a Self Signed Certificate using Java Key Tools

2. An SSL certificate is used for distributing the public key and verifying the identity of the server to which the user is sending information. A certificate is generally signed by a trusted third party. However, for testing the application we can use a self-signed certificate, i.e. a certificate signed by the user itself instead of a third party.

3. Keytool is a tool that comes with Java for generating a self-signed certificate.

4. Ensure that Java is installed and the JAVA_HOME environment variable is set.

5. Run the following command at the command prompt.

    keytool -genkey -alias tomcat -keyalg RSA -keystore NAME_OF_KEYSTORE -validity NUMBER_OF_DAYS -keysize 2048

6. Copy the generated key store file into the jboss/server/default/conf/ directory.

7. Copy the generated key store file into the jboss/bin/ directory.

8. Edit the server.xml file from jboss/server/default/deploy/jbossweb-tomcat55.sar/.

9. The SSL connector should be configured like:

    <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
    <Connector port="THE_PORT_YOU_LIKE" address="${jboss.bind.address}"
        maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
        emptySessionPath="true"
        scheme="https" secure="true" clientAuth="false"
        keystoreFile="${jboss.server.home.dir}/conf/THE_KEYSTORE_NAME"
        keystorePass="PASSWORD_FOR_THE_KEYSTORE" sslProtocol="TLS"/>

10. Now you should be able to access the application through https. Remember to use https:// instead of http:// in your browser URL, or else the application will fail.

11. If you want to disable the non-secured port 8080 (or a custom one), making sure that people can only access the application through https, comment out and disable that connector in the same server.xml.
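A check for steps 9 and 11 above: this added example (not part of the original manual or the SKCM software) parses a server.xml and reports connectors that still accept cleartext traffic or HTTPS connectors missing keystore attributes. The sample file, its port numbers, keystore name and password are constructed for illustration, and the function name is an assumption.

```python
# Added example: audit a JBoss/Tomcat server.xml against the SSL steps above.
import xml.etree.ElementTree as ET

# Constructed sample: the HTTP connector is left enabled next to the HTTPS one.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}"
               maxThreads="250" emptySessionPath="true"/>
    <Connector port="8443" address="${jboss.bind.address}"
               maxThreads="100" scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/demo.keystore"
               keystorePass="changeit" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def audit_connectors(xml_text):
    """Return (port, finding) tuples for every active <Connector>.

    Commented-out connectors are dropped by the XML parser, so a connector
    disabled as in step 11 no longer appears in the result.
    """
    findings = []
    https_seen = False
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        is_https = conn.get("scheme") == "https"
        is_secure = conn.get("secure") == "true"
        if is_https and is_secure:
            https_seen = True
            # Attributes the connector in step 9 relies on.
            for attr in ("keystoreFile", "keystorePass", "sslProtocol"):
                if not conn.get(attr):
                    findings.append((port, "HTTPS connector missing " + attr))
        elif is_https != is_secure:
            findings.append((port, "scheme and secure attributes disagree"))
        else:
            findings.append((port, "cleartext connector still enabled"))
    if not https_seen:
        findings.append(("-", "no HTTPS connector configured"))
    return findings
```

An empty result means only HTTPS connectors with a keystore are active; run it on the contents of the edited server.xml before restarting JBoss.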

2.2 Installation Procedure

In software engineering, a WAR file (Web application ARchive) is a JAR file used to distribute a collection of Java Server Pages, Java Servlets, Java classes, XML files, tag libraries, static web pages (HTML and related files) and other resources that together constitute a web application. The WAR for our proposed protocol is named skcm.war and is deployed on the JBoss server in order to use our proposed software. Following is the list of files provided to deploy our software, skcm ver. 1.0.0.

1. skcm.sql

2. skcm.war

skcm.sql contains the database script, and the WAR file contains the web pages and other source archives.

2.2.1 DB Script Running

1. The first step is the verification of the database server on all machines and the creation of the required database with its data tables.

2. Log in to the MySQL database through Workbench, one by one, on all database server machines.

3. Copy the entire script from the file skcm.sql into the MySQL Workbench query execution pane.

4. Execute the query as described in the above section.

5. Commit all changes.

2.2.2 WAR Configuration

Each WAR requires some configuration changes to access external parameters such as database server URLs. For this purpose, WAR files contain properties files, a type of text file that provides dynamic binding with the Java source. Our project WAR also contains such a file, named skcm.properties. It requires the database server information and can be modified as follows:

a) Stop the JBoss application server.

b) Copy the executable file skcm.war into jboss/server/default/deploy.

c) Open skcm.war in WinRAR.

d) Go to skcm.war\WEB-INF\classes\com\faiza and open the skcm.properties file in any file editor, as shown in the figure.

Figure 2.17: skcm.properties File

e) In this prototype we assume 10 database servers, which can be at the same location or reside at different locations. This properties file contains all information related to those servers: the path or IP of each database server goes in the ServerUrl parameter, the username of each server goes in the user parameter, and the password of each database server goes in the pass parameter.

f) Furthermore, the keystore name, alias and password generated in step 2.1.5 are required in the Keystore, ALIAS and PSWD parameters respectively.

g) Change the above parameters to match the existing installations.

h) Save this file.

i) Start the JBoss application server to verify the above configuration.

Important Note: Only change the right-hand-side values in the properties file.

2.2.3 Post-installation Test

• Enable SSL on JBoss as described above.

• Type https://<serverurl>:<port> to check the configured SSL support on the server.

• The application can be accessed by typing https://<serverurl>:<port>/skcm in a browser, as shown in the figure.

The following instructions are recommended for users of this application:

a) The application is tested on the following versions of the Windows operating system:

i. Windows 7 Ultimate, 32 bit

ii. Windows 7 Professional Service Pack 1, 64 bit

b) Make sure Windows Internet Explorer 8 is installed on every client machine.

c) Make sure that the application URL is added to the trusted sites of the user, e.g.,

Figure 2.18: Add URL in Trusted Sites

2.3 Uninstall or Roll-back

1. Removing the application WAR from JBoss uninstalls the application from the application server.

2. Removing all databases from the database server removes the application from the database server, after which it is no longer accessible to anyone.
