Main Page

From A-Space Developer Manual


This wiki is not sponsored by the US Government. It is an independent project meant to supplement the official documentation.

The purpose of this wiki is to build a definitive resource for integrating LAMP-based services into BRIDGE, the Director of National Intelligence's testbed for new analysis tools. The official BRIDGE integration guide is targeted at Java- and .net-based services. You may want to read the FAQ to get up to speed on what BRIDGE is all about and why it's worth developing for.


The Basic Requirements

There are a few things you need to know and have if you want to get started:

  • Everything you build has to be entirely Web-based. No desktop installations, including any Web-based services that run on top of a local installation like Greasemonkey.
  • You have to host your tool yourself, and you will need your own server, virtual or otherwise. I use Slicehost and love it.
  • Your host has to be SSL-enabled. More details on this below.

Step 1: Become a BRIDGE user

Go sign up for a BRIDGE user certificate. Wait a while...maybe a few minutes, maybe a few days...and you'll get an email saying your user certificate has been approved. It'll tell you how to install that certificate into your browser.

Step 2: SSL and Certificates

From a terminal, SSH into your server and:

sudo a2enmod ssl

That will enable the Apache SSL module, which allows you to generate keys and certificate requests.

You're now going to generate a private key and a certificate request. cd to a private directory where you'd like to save them (I created a directory called certs under /etc/ssl), then

sudo openssl genrsa -des3 -out www.mydomain.com.key 2048

That's slightly different from the official BRIDGE instructions, which don't include -des3. With -des3, openssl asks you for a passphrase and encrypts the key with it; you'll then have to provide that passphrase each and every time you restart your server, which you'll be doing a lot. If you forget it, starting over is quite a pain. You don't have to use -des3, but I do.

Replace "www.mydomain.com" with whatever you like; it doesn't necessarily have to be a domain name.

sudo openssl req -new -key www.mydomain.com.key -out servicename.bridge-ic.net.csr

Replace "www.mydomain.com.key" with whatever you used in the previous command. "servicename.bridge-ic.net.csr" is not as flexible: you must choose a name for the thing you're building for BRIDGE and use it here in place of "servicename". Then you'll get a few prompts for information. VeriSign has a few instructions for these prompts; I don't know how hard-and-fast they are, but I followed them and had no problems.

After this, you'll have two files: a .key file and a .csr file. The .key file is private; never share it with anyone. Take a look at the .csr file with:

sudo cat servicename.bridge-ic.net.csr

You'll see something like this:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Copy all of that stuff. Then go paste it into the BRIDGE server certificate request form. You won't be able to access that form unless you've completed step 1 above and are accessing the site from a browser with your BRIDGE user certificate.

After this, you'll get an email telling you how to download your cert file, called servicename.bridge-ic.net.cert. Put that into the same directory as your other certs.

Next, copy the below text. It is the BRIDGE public certificate:


Create a new file in your certificates directory and call it bridge-ic.net.cert. Paste the above into that file, save it, and close it.

Almost done. We need one last file: the certificate revocation list (CRL) for BRIDGE user certificates. This is how Apache knows which user certificates BRIDGE has revoked, so it can reject them instead of letting those users in. Copy and paste the below into a new file called bridge-ic.net.crl, and save it to your certs directory:

-----BEGIN X509 CRL-----
-----END X509 CRL-----

Server Configuration

Next we have to set up our Apache site configuration file. Open the conf file that corresponds to the site you're creating, or create it if it doesn't exist, and add the following directives to the site's SSL VirtualHost. The file names must match what you created in Step 2: the .key file you generated, the servicename.bridge-ic.net.cert file BRIDGE sent you, and the bridge-ic.net.cert and bridge-ic.net.crl files you pasted in.

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/servicename.bridge-ic.net.cert
    SSLCertificateKeyFile /etc/ssl/certs/www.mydomain.com.key
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCACertificateFile /etc/ssl/certs/bridge-ic.net.cert
    SSLCARevocationFile /etc/ssl/certs/bridge-ic.net.crl
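As an added example (not the wiki's own code), here is Step 2 done non-interactively, followed by the checks worth running on the files the configuration above names before you restart Apache: that the CSR carries the right CN, that the key and server certificate belong together, and that the client-certificate decision (chain to the CA, then the CRL) comes out the way you expect. It stands up a throwaway self-signed CA in place of the BRIDGE CA so it runs offline; the CA config, the sample subject fields and the name "servicename" are assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's own code): Step 2 run non-interactively, then the
# checks worth running on the files the Apache config names before restarting.
# A throwaway self-signed CA stands in for the BRIDGE CA so this runs offline;
# "servicename" is the page's placeholder. -des3 is omitted so the script can
# run unattended; the page's interactive command adds it.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

make_key_and_csr() {       # $1 = service name; the CN must be <name>.bridge-ic.net
    openssl genrsa -out "$1.bridge-ic.net.key" 2048 2>/dev/null
    openssl req -new -key "$1.bridge-ic.net.key" -out "$1.bridge-ic.net.csr" \
        -subj "/C=US/ST=Virginia/L=Arlington/O=Example Org/CN=$1.bridge-ic.net"
}
csr_common_name() {        # prints the CN recorded in a CSR
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
make_stand_in_ca() {       # constructed CA + signed server cert + empty CRL (assumption)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out bridge-ic.net.cert \
        -days 30 -subj "/CN=STAND-IN BRIDGE CA" 2>/dev/null
    openssl x509 -req -in "$1.bridge-ic.net.csr" -CA bridge-ic.net.cert -CAkey ca.key \
        -CAcreateserial -days 30 -out "$1.bridge-ic.net.cert" 2>/dev/null
    printf '[ca]\ndefault_ca=stub\n[stub]\ndatabase=index.txt\ncrlnumber=crlnumber\n' > ca.cnf
    printf 'private_key=ca.key\ncertificate=bridge-ic.net.cert\ndefault_md=sha256\ndefault_crl_days=30\n' >> ca.cnf
    : > index.txt; echo 01 > crlnumber
    openssl ca -config ca.cnf -gencrl -out bridge-ic.net.crl 2>/dev/null
}
key_matches_cert() {       # $1 = key, $2 = cert: do they carry the same public key?
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
cert_status() {            # the decision SSLVerifyClient require + the CRL would reach
    if openssl verify -crl_check -CAfile bridge-ic.net.cert -CRLfile bridge-ic.net.crl "$1" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}
revoke_and_refresh_crl() { # what BRIDGE does when it revokes a cert and reissues the CRL
    openssl ca -config ca.cnf -revoke "$1" 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out bridge-ic.net.crl 2>/dev/null
}

make_key_and_csr servicename
make_stand_in_ca servicename
STATUS_BEFORE=$(cert_status servicename.bridge-ic.net.cert)
revoke_and_refresh_crl servicename.bridge-ic.net.cert
STATUS_AFTER=$(cert_status servicename.bridge-ic.net.cert)
echo "CSR CN: $(csr_common_name servicename.bridge-ic.net.csr)"
key_matches_cert servicename.bridge-ic.net.key servicename.bridge-ic.net.cert && echo "key matches cert"
echo "cert status before revocation: $STATUS_BEFORE, after: $STATUS_AFTER"
```

If the CRL's nextUpdate has already passed, the same verify fails with "CRL has expired" and Apache will reject every client, so refresh bridge-ic.net.crl before it lapses. On Apache 2.4, SSLCARevocationFile is only consulted when SSLCARevocationCheck chain (or leaf) is also set; its default is none.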