Dog Tag is an Enterprise-class open source Certificate Authority that Red Hat purchased from AOL back in 2004. Red Hat opened it up to the open source community in 2008. Dog Tag supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management, and much more.
Most importantly, it is an available CA that has been tested for use with Cisco’s BYOD solution using Cisco’s Identity Services Engine 1.2 & newer.
Note: There is also an Enterprise level version of DogTag known as the Red Hat Certificate System.
Before we go any further, I need to send a huge call-out to Vivek Santuka who prototyped & pioneered this initiative at work. Also a call-out to Brian Sak for updating the work that Vivek did.
Prerequisites
Dog Tag will run on most Red Hat variants. For the purposes of this document, we will focus on Fedora Core 15 (32-bit). This is the version that is known to work and has been tested with ISE 1.2. This version of Fedora can be installed with the minimum option and will leverage the Apache web server, PHP, and the open source directory server.
Install 32-bit Fedora 15
Step 1: Boot the machine with the 32-bit Fedora 15 ISO file or DVD available here:
http://dl.fedoraproject.org/pub/fedora/linux/releases/15/Fedora/i386/iso/
Step 2: Select "Install system with basic video driver"
Figure1 - Install Screen
The “Minimal” installation type is all that you need for this use-case.
Figure2 - Minimal Installation
Accept the default choices for the remainder of the installation
Configure Networking
The Certificate Authority should have a static IP Address to ensure that communication is always optimal. There is a component of the setup wizard that will allow you to configure the network prior to the installation finishing. However, the majority of the time those settings do not seem to be maintained and when the Fedora operating system is fully installed there is no assigned IP Address, as seen in figure 3.
Note: It is assumed that you are logged in as "root" to perform the activities in this document. If not, use the "su -" command to change your login context to the superuser (root).
After the installation, verify if there is an IP Address. Use the ifconfig eth0 command. Figure 3 shows the result when no IP Address has been configured.
Figure3 - No IP Address
Using your favorite editor, edit the ifcfg-eth0 file to setup the network stack for the interface.
Example-1: Edit the ifcfg-eth0 file
[root@atw-dogtag01 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
- With the ifcfg-eth0 file open, ensure that the ONBOOT option is set to "yes". This ensures the interface is brought up when the system reboots.
- Ensure the BOOTPROTO option is set to “none”. This configures the interface to use a static IP address.
- Set the IPADDR option to be the desired IP address of the server, and the NETMASK to be the subnet mask for that IP address.
- The DNS1 and DNS2 options may be used to point the server to the correct DNS server(s).
- Use the GATEWAY option to specify the IP Address of the default-gateway.
Example-2 below shows the details of a configured ifcfg-eth0 file:
Example-2: Configured ifcfg-eth0 file
[root@atw-dogtag01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
HWADDR="00:50:56:B8:BC:08"
ONBOOT="yes"
NM_CONTROLLED="yes"
BOOTPROTO=none
IPADDR=10.1.100.229
NETMASK=255.255.255.0
USERCTL=yes
TYPE=Ethernet
DNS1=10.1.100.103
GATEWAY=10.1.100.1
Ensure the network starts at boot with the “chkconfig network on” command.
Example-3: Ensuring network starts at boot, and restarting the service
[root@atw-dogtag01 ~]# chkconfig network on
[root@atw-dogtag01 ~]# service network restart
Install Packages with yum
Fedora uses a software package manager called "yum" to manage the installed packages within the operating system. yum has the advantage of identifying dependencies and managing the installation of an application together with all of that application's dependencies. See http://fedoraproject.org/wiki/Yum for more on yum.
We will use yum to update this Fedora 15 server to the latest packages, as well as install needed applications such as NTP.
Configure Proxy (if needed)
The setup used to write this document required a proxy server to access the Internet. Therefore this procedure was included. If your environment does not require a proxy to access the Internet, please go to Procedure 2.
Step 1 Use your favorite text editor to edit the yum configuration file located at /etc/yum.conf
Example 4 – Editing the yum configuration file
[root@atw-dogtag01 ~]# vi /etc/yum.conf
Step 2 Add a line of the form "proxy=" followed by the URL and port of your proxy server
Example 5 – Complete yum.conf file
[root@atw-dogtag01 ~]# cat /etc/yum.conf
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
proxy=http://proxy.esl.cisco.com:8080
Update system with yum
Step 1 Add a yum plugin to choose the fastest location to download from. This plugin saved hours during the writing of this paper.
Example 6 – Installing the fastest mirror plugin
[root@atw-dogtag01 ~]# yum install yum-plugin-fastestmirror
Step 2 Update all installed packages with the “yum update” command
Example 7 – Updating all installed packages with yum
[root@atw-dogtag01 ~]# yum update
Loaded plugins: fastestmirror
Determining fastest mirrors
<<SNIP>>
Transaction Summary
================================================================================
Install 4 Package(s)
Upgrade 104 Package(s)
Total download size: 89 M
Is this ok [y/N]:
Install and Configure the NTP Service
Certificates require strict time synchronization. It’s recommended to use the network time protocol (NTP) to ensure the time is accurate on the Certificate Authority. The NTP service (aka: NTP daemon) is not installed by default with the minimal installation of Fedora 15, so we will use yum to install it.
- Install the NTP Service with the “yum install ntp” command
- Use the “chkconfig ntpd on” command to ensure ntp daemon starts at boot
- Use the ntpdate ntp_server_ip_address command to sync to an NTP source
- Ensure the service is started with the "/etc/init.d/ntpd start" command
Example 8 – Installing, syncing and starting NTP
[root@atw-dogtag01 ~]# yum install ntp
[root@atw-dogtag01 ~]# chkconfig ntpd on
[root@atw-dogtag01 ~]# ntpdate 172.25.73.1
31 Jul 13:47:44 ntpdate[11361]: step time server 172.25.73.1 offset 64.503042 sec
[root@atw-dogtag01 ~]# /etc/init.d/ntpd start
Starting ntpd (via systemctl): [ OK ]
[root@atw-dogtag01 ~]#
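Because the CA's validity periods and OCSP responses depend on the clock, a post-install check that ntpd has actually selected a sync source is worth scripting. The function below is an added example, not from the original post; it reads the output of ntpq -pn (the query tool shipped with the ntp package) and the 500 ms tolerance is our own assumption.

```shell
#!/bin/sh
# Added example (not from the original post): verify ntpd is synced before the
# CA issues anything. Reads `ntpq -pn` output on stdin and succeeds only when a
# peer is marked as the selected sync source (leading '*') and its offset is
# within the tolerance given in milliseconds (default 500, our own choice).
# Assumed column layout: remote refid st t when poll reach delay offset jitter.
ntp_synced() {
    max_ms="${1:-500}"
    awk -v max="$max_ms" '
        /^\*/ {                         # "*" marks the peer ntpd is syncing to
            seen = 1
            off = $9; if (off < 0) off = -off
            if (off <= max) found = 1
            else printf "sync peer %s offset %s ms exceeds %s ms\n", substr($1, 2), $9, max
        }
        END {
            if (!seen) print "ntpd has not selected a sync peer yet"
            exit !found                 # 0 only when an in-tolerance sync peer exists
        }'
}

# Typical use on the CA host (requires ntpd to be running):
#   ntpq -pn | ntp_synced 500 && echo "clock OK"
```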
Install the LDAP server
Dog Tag uses an open source LDAP server called “Directory Server” to store its data. Before you can install Dog Tag, Directory Server must be installed and prepared.
Step 1 Install the LDAP server package with the “yum install 389-ds” command
Step 2 Create a new user named “ds389” to be used by the Directory Server
Example 9 – Installing Directory Server and creating the service account
[root@atw-dogtag01 ~]# yum install 389-ds
[root@atw-dogtag01 ~]# useradd ds389
Step 3 Launch the Directory Server configuration wizard using the setup-ds.pl script located at /usr/sbin/setup-ds.pl
Example 10 – Launching the setup script
[root@atw-dogtag01 ~]# /usr/sbin/setup-ds.pl
Step 4 Accept the defaults. Once you reach the portion where the wizard asks for a System User, you will need to change the default (nobody) to the ds389 user. Use ds389 for the group as well, as seen in Example 11
Example 11 – Setting the System User and Group to ds389
==============================================================================
The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the server,
create this user and group using your native operating
system utilities.
System User [nobody]: ds389
System Group [nobody]: ds389
Step 5 Set the password for the Directory Manager
Example 12 – Setting the Directory Manager password and success message
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Your new DS instance 'atw-dogtag01' was successfully created.
Exiting . . .
Log file is '/tmp/setupo0Vx6g.log'
Install the PHP services
Step 1 Use yum to install php as seen in Example 13
Example 13 – installing php with yum
[root@atw-dogtag01 ~]# yum install php
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package php.i686 0:5.3.13-1.fc15 will be installed
--> Processing Dependency: php-common(x86-32) = 5.3.13-1.fc15 for package: php-5.3.13-1.fc15.i686
--> Processing Dependency: php-cli(x86-32) = 5.3.13-1.fc15 for package: php-5.3.13-1.fc15.i686
--> Running transaction check
---> Package php-cli.i686 0:5.3.13-1.fc15 will be installed
---> Package php-common.i686 0:5.3.13-1.fc15 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
php i686 5.3.13-1.fc15 updates 1.1 M
Installing for dependencies:
php-cli i686 5.3.13-1.fc15 updates 2.2 M
php-common i686 5.3.13-1.fc15 updates 547 k
Transaction Summary
================================================================================
Install 3 Package(s)
Total download size: 3.9 M
Installed size: 13 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction
Installing : php-common-5.3.13-1.fc15.i686 1/3
Installing : php-cli-5.3.13-1.fc15.i686 2/3
Installing : php-5.3.13-1.fc15.i686 3/3
Installed:
php.i686 0:5.3.13-1.fc15
Dependency Installed:
php-cli.i686 0:5.3.13-1.fc15 php-common.i686 0:5.3.13-1.fc15
Complete!
[root@atw-dogtag01 ~]#
Step 2 Start the apache (httpd) and Directory Server (dirsrv) services and configure them to start on bootup as seen in Example 14
Example 14 – Starting the apache and directory server services
[root@atw-dogtag01 ~]# service httpd start
Starting httpd (via systemctl): [ OK ]
[root@atw-dogtag01 ~]# service dirsrv start
Starting dirsrv:
atw-dogtag01… already running [ OK ]
[root@atw-dogtag01 ~]# chkconfig dirsrv on
[root@atw-dogtag01 ~]# chkconfig httpd on
[root@atw-dogtag01 ~]#
Install DogTag
Step 1 Install DogTag with the yum install pki-ca command as seen in Example 15
Example 15 – installing DogTag
[root@atw-dogtag01 ~]# yum install pki-ca
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pki-ca.noarch 0:9.0.20-1.fc15 will be installed
--> Processing Dependency: pki-selinux = 9.0.20-1.fc15 for package: pki-ca-9.0.20-1.fc15.noarch
--> Processing Dependency: pki-common = 9.0.20-1.fc15 for package: pki-ca-9.0.20-1.fc15.noarch
--> Processing Dependency: pki-ca-theme >= 9.0.0 for package: pki-ca-9.0.20-1.fc15.noarch
--> Running transaction check
---> Package dogtag-pki-ca-theme.noarch 0:9.0.11-1.fc15 will be installed
--> Processing Dependency: dogtag-pki-common-theme = 9.0.11-1.fc15 for package: dogtag-pki-ca-theme-9.0.11-1.fc15.noarch
---> Package pki-common.noarch 0:9.0.20-1.fc15 will be installed
Modify the Firewall Rules (IPTables)
In order to connect to the DogTag service on the ports used in procedure 3, you must modify the Linux server’s host-firewall (iptables) to allow the connections. Since this is not an iptables document, and in order to keep this simple, let’s just turn off iptables.
Step 1 Stop the firewall service with the “service iptables stop” command
Step 2 Keep the firewall from starting when the server is booted with the “chkconfig iptables off” command.
Example 16 – Shutting off the Firewall
[root@atw-dogtag01 ~]# service iptables stop
Stopping iptables (via systemctl): [ OK ]
[root@atw-dogtag01 ~]# chkconfig iptables off
[root@atw-dogtag01 ~]#
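For a CA host it is usually preferable to keep iptables running and open only the listener ports the instance will use. The script below is an added example, not from the original post: it generates a complete /etc/sysconfig/iptables in iptables-save format and loads it. The port numbers are an assumption (the Dog Tag 9 pkicreate defaults) and must be replaced with whatever ports you pass to pkicreate in the next section.

```shell
#!/bin/sh
# Added example (not from the original post): scoped host-firewall rules for the
# CA instead of disabling iptables. CA_TCP_PORTS are assumed Dog Tag 9 defaults
# (unsecure, agent, end-entity, admin); override to match your pkicreate options.
CA_TCP_PORTS="${CA_TCP_PORTS:-9180 9443 9444 9445}"
ADMIN_TCP_PORTS="${ADMIN_TCP_PORTS:-22}"     # ssh for host management

# ca_iptables_rules prints a filter table in iptables-save format: loopback,
# established/related and ICMP in, the listed TCP ports in, everything else
# rejected. Fails (non-zero) if a port value is not a plain number.
ca_iptables_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for p in $ADMIN_TCP_PORTS $CA_TCP_PORTS; do
        case "$p" in
            ''|*[!0-9]*) echo "ca_iptables_rules: bad port '$p'" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# install_ca_rules validates the ruleset by loading it, then makes it persistent
# and re-enables the service (the opposite of "chkconfig iptables off" above).
install_ca_rules() {
    ca_iptables_rules > /etc/sysconfig/iptables.new || return 1
    iptables-restore < /etc/sysconfig/iptables.new || { rm -f /etc/sysconfig/iptables.new; return 1; }
    mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
    chkconfig iptables on
}
```

Run install_ca_rules as root only after confirming that the ssh port in ADMIN_TCP_PORTS matches the one you manage the host through.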
Create a new CA Instance
Now that DogTag is installed, you need to create a new Certificate Authority instance. The following uses the ports that we have preferred to use. You may change any of the parameters in the following section to suit the needs of your organization.
Step 1 Create a pki instance using the pkicreate command with the following options: