Using the Dogtag CA for BYOD - Appendixes - CCNP Security SISAS 300-208 Official Cert Guide (2015)

CCNP Security SISAS 300-208 Official Cert Guide (2015)

Part VIII: Appendixes

Appendix C. Using the Dogtag CA for BYOD

As of ISE 1.2, no certificate authority (CA) is built into ISE, so an external CA is required. Whatever the reason, some installations require an alternative to the Microsoft CA. This appendix was created to show one such alternative to the Microsoft Certificate Authority.

What Is Dogtag, and Why Use It?

Dogtag is an enterprise-class open source CA that Red Hat purchased from AOL back in 2004. Red Hat opened it up to the open source community in 2008. Dogtag supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management, and much more.


Note

An enterprise-level version of Dogtag known as the Red Hat Certificate System also exists.


Prerequisites

Dogtag will run on most Red Hat variants. For the purposes of this appendix, we will focus on Fedora Core 15 (32-bit). This is the version that is known to work and has been tested with ISE 1.2. This version of Fedora can be installed with the minimum option and will leverage the Apache web server, PHP, and the open source directory server.

Installing 32-bit Fedora 15

Before you can install Dogtag, you have to install a base operating system and its components. As a prerequisite, you must ensure that a DNS entry exists for the host, so it can be reached by its fully qualified domain name (FQDN):

Step 1. Boot the machine with the 32-bit Fedora 15 ISO file or DVD available here: https://mirrors.fedoraproject.org/publiclist/Fedora/15/

Step 2. Select Install system with Basic Video Driver, as shown in Figure C-1.


Figure C-1 Install the system with a basic video driver.

Step 3. The minimal installation type is all you need for this use case. So, select the Minimal software set, as shown in Figure C-2.


Figure C-2 Use the minimal installation type.

Step 4. Accept the default choices for the remainder of the installation.

Configuring Networking

The CA should have a static IP address so that it is always reachable at the same address. One component of the setup wizard enables you to configure the network before the installation finishes. However, with Fedora 15, the majority of the time those settings do not seem to be maintained, and when the Fedora operating system is fully installed, there is no assigned IP address, as shown in Figure C-3.


Figure C-3 No IP address after installation.


Note

It is assumed that you are logged in as root to perform the activities in this document. If not, use the su - command to change your login context to the superuser (root).


Step 1. After the installation, verify whether an IP address exists. Use the ifconfig eth0 command. Figure C-3 shows the result when no IP address has been configured.

Step 2. Using your favorite editor, edit the ifcfg-eth0 file to set up the network stack for the interface. This example uses the vi editor, as shown in Example C-1.

Example C-1 Editing the ifcfg-eth0 File


[root@atw-dogtag01 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0


Step 3. With the ifcfg-eth0 file open, ensure that the ONBOOT option is set to yes. This ensures that the interface is brought up when the system boots.

Step 4. Ensure the BOOTPROTO option is set to none. This configures the interface to use a static IP address.

Step 5. Set the IPADDR option to be the desired IP address of the server, and set the NETMASK to be the subnet mask for that IP address.

Step 6. You can use the DNS1 and DNS2 options to point the server to the correct DNS server(s).

Step 7. Use the GATEWAY option to specify the IP address of the default gateway. Example C-2 shows the details of a configured ifcfg-eth0 file.

Example C-2 Configured ifcfg-eth0 File


[root@atw-dogtag01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
HWADDR="00:50:56:B8:BC:08"
ONBOOT="yes"
NM_CONTROLLED="yes"
BOOTPROTO=none
IPADDR=10.1.100.229
NETMASK=255.255.255.0
USERCTL=yes
TYPE=Ethernet
DNS1=10.1.100.103
GATEWAY=10.1.100.1


Step 8. Ensure the network starts at boot with the chkconfig network on command, and restart the network service so the new settings take effect, as shown in Example C-3.

Example C-3 Ensuring the Network Starts at Boot and Restarting the Service


[root@atw-dogtag01 ~]# chkconfig network on
[root@atw-dogtag01 ~]# service network restart


Installing Packages with yum

Fedora uses a software package manager called yum to manage the installed packages within the operating system. yum resolves dependencies and manages the installation of an application together with all of that application's dependencies. See http://fedoraproject.org/wiki/Yum for more on yum.

In this section you will use yum to update the Fedora 15 server to have the latest packages, as well as install needed applications such as NTP.

Configuring Proxy (if Needed)

The setup used to write this section required a proxy server to access the Internet. Therefore, this procedure was included. If your environment does not require a proxy to access the Internet, you can skip this section. Do the following:

Step 1. Use your favorite text editor to edit the yum configuration file located at /etc/yum.conf (see Example C-4).

Example C-4 Editing the yum Configuration File


[root@atw-dogtag01 ~]# vi /etc/yum.conf


Step 2. Add a line with the field proxy= followed by the URL and port of your proxy server. The completed file is shown in Example C-5.

Example C-5 The Complete yum.conf File


[root@atw-dogtag01 ~]# cat /etc/yum.conf
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
proxy=http://proxy.woland.com:8080


Updating System Packages with yum

With Linux systems, software applications are known as packages. yum is the package manager used to install and update the packages:

Step 1. Add a yum plug-in to choose the fastest location from which to download, as seen in Example C-6. This plug-in saved hours during the writing of this book.

Example C-6 Installing the Fastest Mirror Plug-in


[root@atw-dogtag01 ~]# yum install yum-plugin-fastestmirror


Step 2. Update all the installed packages with the yum update command, as seen in Example C-7.

Example C-7 Updating All Installed Packages with yum


[root@atw-dogtag01 ~]# yum update
Loaded plugins: fastestmirror
Determining fastest mirrors

<<SNIP>>

Transaction Summary
================================================================================
Install 4 Package(s)
Upgrade 104 Package(s)

Total download size: 89 M
Is this ok [y/N]:


Installing and Configuring the NTP Service

Certificates require strict time synchronization. It's recommended that you use the Network Time Protocol (NTP) to keep the time accurate on the CA. The NTP service (also called the NTP daemon, ntpd) is not installed by default with the minimal installation of Fedora 15, so we will use yum to install it:

Step 1. Install the NTP service with the yum install ntp command.

Step 2. Use the chkconfig ntpd on command to ensure the NTP daemon starts at boot.

Step 3. Use the ntpdate ntp_server_ip_address command to sync to an NTP source.

Step 4. Ensure the service is started with the /etc/init.d/ntpd start command.

The four steps are also shown in Example C-8.

Example C-8 Installing, Syncing, and Starting NTP


[root@atw-dogtag01 ~]# yum install ntp
[root@atw-dogtag01 ~]# chkconfig ntpd on
[root@atw-dogtag01 ~]# ntpdate [ip-address]
31 Jul 13:47:44 ntpdate[11361]: step time server [ip-address] offset 64.503042 sec
[root@atw-dogtag01 ~]# /etc/init.d/ntpd start
Starting ntpd (via systemctl): [ OK ]
[root@atw-dogtag01 ~]#


Installing the LDAP Server

Dogtag uses an open source LDAP server, 389 Directory Server, to store its data. Before you can install Dogtag, Directory Server must be installed and prepared:

Step 1. Install the LDAP server package with the yum install 389-ds command.

Step 2. Create a new user named ds389 to be used by the Directory Server.

Both steps are shown in Example C-9.

Example C-9 Installing Directory Server and Creating the Service Account


[root@atw-dogtag01 ~]# yum install 389-ds
[root@atw-dogtag01 ~]# useradd ds389


Step 3. Launch the Directory Server configuration wizard using the setup-ds.pl script located at /usr/sbin/setup-ds.pl, as seen in Example C-10.

Example C-10 Launching the Setup Script


[root@atw-dogtag01 ~]# /usr/sbin/setup-ds.pl


Step 4. Accept the defaults. When you reach the portion where the wizard is asking for a system user, you will need to change the default (nobody) to the ds389 user. Use the ds389 user for the group as well, as shown in Example C-11.

Example C-11 Setting the System User and Group to ds389


==============================================================================
The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the server,
create this user and group using your native operating
system utilities.

System User [nobody]: ds389
System Group [nobody]: ds389


Step 5. Set the password for the Directory Manager, as shown in Example C-12.

Example C-12 Setting the Directory Manager Password and Success Message


Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Your new DS instance 'atw-dogtag01' was successfully created.
Exiting . . .
Log file is '/tmp/setupo0Vx6g.log'


Installing the PHP Services

Step 1. Use yum to install PHP, as shown in Example C-13.

Example C-13 Installing PHP with yum


[root@atw-dogtag01 ~]# yum install php
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package php.i686 0:5.3.13-1.fc15 will be installed
--> Processing Dependency: php-common(x86-32) = 5.3.13-1.fc15 for package: php-5.3.13-1.fc15.i686
--> Processing Dependency: php-cli(x86-32) = 5.3.13-1.fc15 for package: php-5.3.13-1.fc15.i686
--> Running transaction check
---> Package php-cli.i686 0:5.3.13-1.fc15 will be installed
---> Package php-common.i686 0:5.3.13-1.fc15 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
php i686 5.3.13-1.fc15 updates 1.1 M
Installing for dependencies:
php-cli i686 5.3.13-1.fc15 updates 2.2 M
php-common i686 5.3.13-1.fc15 updates 547 k

Transaction Summary
================================================================================
Install 3 Package(s)

Total download size: 3.9 M
Installed size: 13 M
Is this ok [y/N]: y
Downloading Packages:

Running Transaction
Installing : php-common-5.3.13-1.fc15.i686 1/3
Installing : php-cli-5.3.13-1.fc15.i686 2/3
Installing : php-5.3.13-1.fc15.i686 3/3

Installed:
php.i686 0:5.3.13-1.fc15

Dependency Installed:
php-cli.i686 0:5.3.13-1.fc15 php-common.i686 0:5.3.13-1.fc15

Complete!
[root@atw-dogtag01 ~]#


Step 2. Start the Apache (httpd) and Directory Server (dirsrv) services, and configure them to start on bootup, as shown in Example C-14.

Example C-14 Starting the Apache and Directory Server Services


[root@atw-dogtag01 ~]# service httpd start
Starting httpd (via systemctl): [ OK ]
[root@atw-dogtag01 ~]# service dirsrv start
Starting dirsrv:
atw-dogtag01... already running [ OK ]
[root@atw-dogtag01 ~]# chkconfig dirsrv on
[root@atw-dogtag01 ~]# chkconfig httpd on
[root@atw-dogtag01 ~]#


Installing and Configuring Dogtag

Now that all the prerequisite services are installed and prepared, you are ready to install the Dogtag certificate authority.

Install the Dogtag CA with the yum install pki-ca command, as shown in Example C-15.

Example C-15 Installing Dogtag


[root@atw-dogtag01 ~]# yum install pki-ca
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pki-ca.noarch 0:9.0.20-1.fc15 will be installed
--> Processing Dependency: pki-selinux = 9.0.20-1.fc15 for package: pki-ca-9.0.20-1.fc15.noarch
--> Processing Dependency: pki-common = 9.0.20-1.fc15 for package: pki-ca-9.0.20-1.fc15.noarch
--> Processing Dependency: pki-ca-theme >= 9.0.0 for package: pki-ca-9.0.20-1.fc15.noarch
--> Running transaction check
---> Package dogtag-pki-ca-theme.noarch 0:9.0.11-1.fc15 will be installed
--> Processing Dependency: dogtag-pki-common-theme = 9.0.11-1.fc15 for package: dogtag-pki-ca-theme-9.0.11-1.fc15.noarch
---> Package pki-common.noarch 0:9.0.20-1.fc15 will be installed


Modifying the Firewall Rules (iptables)

To connect to the Dogtag service on the ports it uses, you must modify the Linux server's host firewall (iptables) to allow those connections. Obviously, the best choice is to add specific rules to iptables that allow communication on just those ports. However, to keep this simple, these instructions walk you through disabling iptables:

Step 1. Stop the firewall service with the service iptables stop command.

Step 2. Keep the firewall from starting when the server is booted with the chkconfig iptables off command.

Example C-16 Shutting Off the Firewall


[root@atw-dogtag01 ~]# service iptables stop
Stopping iptables (via systemctl): [ OK ]
[root@atw-dogtag01 ~]# chkconfig iptables off
[root@atw-dogtag01 ~]#
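The text above notes that specific iptables rules are the better choice. The following shell script is an added example and is not part of the original appendix: it builds such a ruleset from the ports assigned to the CA instance in Example C-17 (9443, 9444, 9446 and 9447) plus port 80 for the scepproxy.php page that ISE later calls, and leaves the unsecure port 9180 reachable only over loopback, which is all the PHP proxy needs. The SSH port and the optional SCEP_SOURCE restriction are assumptions for illustration; adjust them to your environment.

```bash
#!/bin/bash
# Added example (not from the book): explicit iptables rules for the Dogtag host
# instead of disabling the firewall. Ports follow Example C-17 and the SCEP proxy
# served by Apache on port 80. ADMIN_SSH_PORT and SCEP_SOURCE are assumptions.

DOGTAG_TLS_PORTS="9443 9444 9446 9447"   # agent, EE, EE client-auth, admin consoles
SCEP_PROXY_PORT=80                        # Apache serving /scepproxy.php for ISE
ADMIN_SSH_PORT=22                         # assumption: remote administration
SCEP_SOURCE=""                            # optional, e.g. "10.1.100.0/24"; empty = any source

# Print an iptables-restore ruleset for the filter table.
dogtag_iptables_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic covers scepproxy.php talking to the CA on 127.0.0.1:9180,
    # so 9180 never has to be opened to the network.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $ADMIN_SSH_PORT -m state --state NEW -j ACCEPT"
    # SCEP enrollment from ISE, optionally limited to the ISE address range.
    src=""
    if [ -n "$SCEP_SOURCE" ]; then
        src="-s $SCEP_SOURCE "
    fi
    printf '%s\n' "-A INPUT ${src}-p tcp --dport $SCEP_PROXY_PORT -m state --state NEW -j ACCEPT"
    # The TLS consoles of the CA instance (Example C-17).
    for p in $DOGTAG_TLS_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Return 0 if the generated ruleset accepts new TCP connections to port $1.
dogtag_port_allowed() {
    dogtag_iptables_rules | grep -q -- "--dport $1 -m state --state NEW -j ACCEPT"
}

# Load the ruleset, save it where the Fedora iptables service reads it at boot,
# and keep the service enabled (the opposite of Example C-16).
dogtag_iptables_apply() {
    dogtag_iptables_rules | iptables-restore &&
    iptables-save > /etc/sysconfig/iptables &&
    chkconfig iptables on
}

# Sourcing the file only defines the functions; --apply loads the rules.
if [ "${1:-}" = "--apply" ]; then
    dogtag_iptables_apply
fi
```

Run the script as root with --apply on the CA host, or source it and call dogtag_iptables_rules to review the ruleset before loading it. Directory Server (389) and the unsecure port (9180) are only ever contacted locally, so neither appears in the rules.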


Creating a New CA Instance

Now that Dogtag is installed, you need to create a new CA instance. The following uses ports that the author prefers to use. You can change any of the parameters in the following section to suit the needs of your organization:

Step 1. Create a PKI instance using the pkicreate command with the following options:

- pki_instance_root=/var/lib: This sets the root location in which to store the PKI instance. Based on the settings used in Example C-17, the instance is placed in the directory /var/lib/ise-ca.

- pki_instance_name=ise-ca: This names the new CA instance ise-ca. You can replace this with another name to suit the needs of your organization.

- subsystem_type=ca: This sets the subsystem to be a CA. Other possible subsystems are not applicable to this guide.

- agent_secure_port=9443: This sets the SSL port for the agent services, where an administrator can see which certificates have been provisioned, revoke certificates, and so on.

- ee_secure_port=9444: This sets the SSL port for the End-Entity web services.

- ee_secure_client_auth_port=9446: This sets the SSL port for End-Entity client-certificate authentication.

- admin_secure_port=9447: This is the default port to use to access the CA Services page as the administrator.

- unsecure_port=9180: This sets the regular (non-SSL) HTTP port. When not specified, it is randomly generated.

- tomcat_server_port=9701: This sets the Tomcat server port for the instance.

- user=pkiuser: This sets the system user that the CA instance runs as.

- group=pkiuser: This sets the system group that the CA instance runs as.

- redirect conf=/etc/ise-ca: This stores the configuration data in /etc/ise-ca.

- redirect logs=/var/log/ise-ca: This stores the logs in the /var/log/ise-ca directory.

- verbose: This runs the install in verbose mode, to provide you with as much detail as possible.

Example C-17 Creating the PKI Instance


pkicreate -pki_instance_root=/var/lib -pki_instance_name=ise-ca -subsystem_type=ca \
  -agent_secure_port=9443 -ee_secure_port=9444 -ee_secure_client_auth_port=9446 \
  -admin_secure_port=9447 -unsecure_port=9180 -tomcat_server_port=9701 \
  -user=pkiuser -group=pkiuser -redirect conf=/etc/ise-ca -redirect logs=/var/log/ise-ca \
  -verbose



Note

If you run the pkicreate command as provided here, are given an admin GUI URL that does NOT contain the FQDN, and are unable to connect to the GUI, you might be missing a DNS entry for your FQDN. It is imperative that this DNS entry exists, either in the DNS server given in the Linux configuration or as part of the /etc/hosts file. After remedying the missing DNS entry, run the pkiremove command as provided here:

pkiremove -pki_instance_root=/var/lib -pki_instance_name=ise-ca


After removing the erroneous PKI instance, rerun the pkicreate command as provided in Example C-17.

Step 2. Proceed with the graphical configuration of the Dogtag CA.

After the setup script completes, a message is displayed with a unique URL to access the Dogtag GUI and complete the CA installation, as shown in Example C-18.

Example C-18 Example of Unique URL to Dogtag GUI


Installation information recorded in /var/log/ise-ca-install.log.
[debug] run_command(/sbin/service pki-cad restart ise-ca)
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.

Please start the configuration by accessing:

https://atw-dogtag01.ise.local:9447/ca/admin/console/config/login?pin=UUVMDHRvTojQrdeod91e

After configuration, the server can be operated by the command:

/sbin/service pki-cad restart ise-ca


Step 3. Click Next from the Welcome screen, as shown in Figure C-4.


Figure C-4 The Dogtag certificate system Welcome screen.

Step 4. Create a new security domain. Name that security domain ISE BYOD Domain and click Next, as shown in Figure C-5.


Figure C-5 Create the security domain.

Step 5. Name the subsystem Certificate Authority and click Next, as shown in Figure C-6.


Figure C-6 The subsystem name is Certificate Authority.

Step 6. Select Make This a Self-Signed Root CA Within This New PKI Hierarchy, as shown in Figure C-7.


Figure C-7 Make this a self-signed root CA.

Of course, this could become a subordinate CA of an existing CA. However, that is not the focus of this appendix.

Step 7. The internal database is the Directory Server (ds389) that we installed earlier. All the settings should be filled in correctly, as shown in Figure C-8. Add the Directory Manager password created earlier in Example C-12.


Figure C-8 Add the directory manager password.

Step 8. Generate the key pairs. The default of RSA with SHA256 and a key size of 2048 bits will work fine. Click Next, as shown in Figure C-9. As always, please reference your corporate security policy to ensure that these values are sufficient.


Figure C-9 Generate the key pairs.

Step 9. The certificate subject names can be left at their default values, as shown in Figure C-10. Click Next.


Figure C-10 Default subject names.

Step 10. If an action is needed, it will appear in red. If no actions are required, click Next, as shown in Figure C-11.


Figure C-11 Required actions will be in red.

Step 11. Provide a password and export the CA’s key pair, as shown in Figure C-12. Store the key pair in a secure location. If you must restore this CA from a backup, this key pair will be required. Furthermore, compromise of this key pair would be equivalent to a compromise of this entire PKI infrastructure. Protect this key pair with the utmost care.


Figure C-12 Export and securely store the key pairs.

Step 12. The new root CA certificate will be imported into your browser or your system certificate store. You can select for which purposes the certificate should be trusted, as shown in Figure C-13.


Figure C-13 Trust the certificate.

Step 13. Create an administrative certificate to identify you (the administrator) to the CA for administrative purposes, as shown in Figure C-14.


Figure C-14 Administrator certificate.

Step 14. You must now install that certificate into your browser, as shown in Figure C-15, so your browser will identify you when connecting to the CA. Be sure you back up and store this key in a secure location because you will not be able to administer the CA without this certificate.


Figure C-15 Import the administrator certificate.

Step 15. You are finished with the GUI-based configuration, as shown in Figure C-16.


Figure C-16 Done.


Note

Although the GUI configuration is complete, we are not ready to begin using the CA just yet. We still need to add a custom script and modify some more configuration files.


Step 16. After configuration, the server cannot be operated until the service pki-cad restart ise-ca command has been run, as shown in Example C-19.

Example C-19 Restart the CA


[root@atw-dogtag01 ~]# /sbin/service pki-cad restart ise-ca
Stopping ise-ca: [ OK ]
Starting ise-ca: [ OK ]
[root@atw-dogtag01 ~]#


Step 17. You can access the administrative interface, but you’re not ready to add it to ISE yet.

Enabling and Configuring SCEP

In this procedure, we will enable and configure Simple Certificate Enrollment Protocol (SCEP) by directly modifying the CS.cfg file:

Step 1. Back up the CS.cfg file before making any changes, as shown in Example C-20.

Example C-20 Backup of the CS.cfg File


[root@atw-dogtag01 ~]# cp /etc/ise-ca/CS.cfg /etc/ise-ca/CS.cfg.bak


Step 2. Open the CS.cfg file in a text editor, such as vi, as shown in Example C-21.

Example C-21 Edit the CS.cfg File


[root@atw-dogtag01 ~]# vi /etc/ise-ca/CS.cfg


Step 3. Add the following lines to the bottom of the CS.cfg file, and save the changes:

ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.hashAlgorithm=SHA256
ca.scep.nonceSizeLimit=16

Step 4. Back up the caRouterCert.cfg file before making any changes, as shown in Example C-22.

Example C-22 Backing Up the caRouterCert.cfg File


[root@atw-dogtag01 ~]# cp /var/lib/ise-ca/profiles/ca/caRouterCert.cfg /var/lib/ise-ca/profiles/ca/caRouterCert.cfg.bak


Step 5. Edit the caRouterCert.cfg file using a text editor. Delete the value for the variable auth.instance_id, and save your changes. Example C-23 shows the editing of the file, and the end result should look like Example C-24.

Example C-23 Edit the caRouterCert.cfg File


[root@atw-dogtag01 ~]# vi /var/lib/ise-ca/profiles/ca/caRouterCert.cfg


Example C-24 The Final Setting for the auth.instance_id= Field in the caRouterCert.cfg File


[root@atw-dogtag01 ise-ca]# cat /var/lib/ise-ca/profiles/ca/caRouterCert.cfg
desc=This certificate profile is for enrolling router certificates.
visible=false
enable=true
enableBy=admin
auth.instance_id=
name=One Time Pin Router Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
<<SNIP>>


Step 6. Restart the CA services with the service pki-cad restart command, as shown in Example C-25.

Example C-25 Restart the CA Services


[root@atw-dogtag01 ise-ca]# service pki-cad restart
Stopping ise-ca: [ OK ]
Starting ise-ca: [ OK ]
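Steps 1 through 6 above edit two configuration files by hand. The following shell script is an added example, not taken from the book, that performs the same edits in a repeatable way: it backs up each file once, sets each ca.scep.* key in CS.cfg (replacing the key if it is already present rather than appending a duplicate, which matters if the procedure is run a second time), blanks auth.instance_id in caRouterCert.cfg, and restarts the instance. The file paths and values are those used in Examples C-20 through C-25; the --apply switch is this script's own convention.

```bash
#!/bin/bash
# Added example (not from the book): apply the SCEP settings from this section
# idempotently. Paths and values are the ones used in Examples C-20 to C-25.

CS_CFG=/etc/ise-ca/CS.cfg
ROUTER_PROFILE=/var/lib/ise-ca/profiles/ca/caRouterCert.cfg

# Escape regex metacharacters in a key name (the dots in ca.scep.enable).
key_regex() {
    printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'
}

# backup_once FILE: keep a single .bak copy and never overwrite an earlier backup.
backup_once() {
    if [ ! -f "$1.bak" ]; then
        cp -p "$1" "$1.bak"
    fi
}

# set_cfg_key FILE KEY VALUE: rewrite an existing "KEY=..." line, or append one.
set_cfg_key() {
    file=$1 key=$2 value=$3
    re=$(key_regex "$key")
    if grep -q "^$re=" "$file"; then
        sed -i "s|^$re=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_cfg_key FILE KEY: print the current value of KEY (empty if absent or blank).
get_cfg_key() {
    sed -n "s|^$(key_regex "$2")=||p" "$1" | head -n 1
}

# Steps 1 to 3: back up CS.cfg (or the file given as $1) and set the six ca.scep.* keys.
enable_scep() {
    cs=${1:-$CS_CFG}
    backup_once "$cs"
    set_cfg_key "$cs" ca.scep.allowedEncryptionAlgorithms DES3
    set_cfg_key "$cs" ca.scep.allowedHashAlgorithms SHA1,SHA256,SHA512
    set_cfg_key "$cs" ca.scep.enable true
    set_cfg_key "$cs" ca.scep.encryptionAlgorithm DES3
    set_cfg_key "$cs" ca.scep.hashAlgorithm SHA256
    set_cfg_key "$cs" ca.scep.nonceSizeLimit 16
}

# Steps 4 and 5: back up the router profile and blank auth.instance_id.
clear_router_auth() {
    prof=${1:-$ROUTER_PROFILE}
    backup_once "$prof"
    set_cfg_key "$prof" auth.instance_id ""
}

# Step 6: restart the CA instance so the new settings are read.
restart_ca() {
    service pki-cad restart ise-ca
}

# Sourcing the file only defines the functions; --apply performs all six steps.
if [ "${1:-}" = "--apply" ]; then
    enable_scep && clear_router_auth && restart_ca
fi
```

Run it as root with --apply on the CA host, or source it and call enable_scep on a copy of CS.cfg to review the result first. The allowed-algorithm lists include SHA1 and DES3 exactly as the appendix specifies; as with the key-size choice in step 8 of the CA configuration, check them against your corporate security policy.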


Preparing Apache

Step 1. Move the Apache welcome.conf file to disable the default installation, as shown in Example C-26.

Example C-26 Move the welcome.conf File


[root@atw-dogtag01 ise-ca]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak


Step 2. Create a new file called scepproxy.php at /var/www/html, as shown in Example C-27.

Example C-27 Creating the scepproxy.php File


[root@atw-dogtag01 ise-ca]# vi /var/www/html/scepproxy.php


Step 3. Populate the file with the following PHP script, and save the file when completed. Example C-28 shows the full PHP script.

Example C-28 Contents for the scepproxy.php File


<?php
// scepproxy.php: receives SCEP requests from ISE over HTTP (port 80) and relays
// them to the Dogtag CA listening on the local unsecure port (9180), returning
// the CA's response with the content type the SCEP client expects.
$ops = isset($_GET['operation']) ? $_GET['operation'] : '';
$msg = isset($_GET['message']) ? $_GET['message'] : '';

// Remove line breaks and spaces left in the message, undo any URL encoding that
// is still present, then encode once so it is safe in the CA's query string.
$order = array("\r\n", "\n", "\r", " ");
$msg = str_replace($order, "", $msg);
$msg = rawurldecode($msg);
$msg = urlencode($msg);

if ($ops == "GetCACaps")
{
    // GetCACaps is answered locally with an empty body and is not forwarded to the CA.
    echo "";
}
else
{
    // Forward the request to the Dogtag SCEP endpoint on the loopback interface.
    $url = "http://127.0.0.1/ca/cgi-bin/pkiclient.exe?operation=" . urlencode($ops)
         . "&message=" . $msg;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_PORT, 9180);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);          // do not pass the CA's headers through
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // capture the body instead of printing it
    //curl_setopt($ch, CURLOPT_POST, 1);
    $body = curl_exec($ch);
    curl_close($ch);

    // PKIOperation responses are SCEP PKI messages; the remaining operations
    // (for example GetCACert) return CA certificate data.
    if ($ops == "PKIOperation")
    {
        header("Content-Type: application/x-pki-message");
    }
    else
    {
        header("Content-Type: application/x-x509-ca-cert");
    }
    echo $body;
}
?>


Step 4. Restart the Apache service to reflect your changes with the service httpd restart command, as shown in Example C-29.

Example C-29 Restarting the Web Server


[root@atw-dogtag01 ise-ca]# service httpd restart
Restarting httpd (via systemctl): [ OK ]
[root@atw-dogtag01 ise-ca]#


The Dogtag installation is complete. You are ready to add this CA to ISE for BYOD certificate provisioning.

Configuring ISE to Use the New Dogtag CA

This document assumes that you already have your BYOD policies ready, or that you will create them afterwards. In this section, we will focus on the simple task of adding the new Dogtag CA to ISE so that the BYOD certificates can be provisioned via SCEP.

Adding Dogtag to the SCEP RA Profiles

From the ISE administrative GUI, we will add the Dogtag server to the SCEP RA profiles:

Step 1. Navigate to Administration > System > Certificates > SCEP RA Profiles, and click Add.

Step 2. Name the RA DogTag and enter a description.

Step 3. Enter the Dogtag server URL of http://<server_name>/scepproxy.php, as shown in Figure C-17.


Figure C-17 SCEP profile configuration.

Step 4. Click Test Connectivity.

Step 5. Click Submit.

You are finished and ready to use Dogtag as the CA for BYOD onboarding.