Aladdin Etoken Pro 64K Driver Download
About this document

This is the official documentation to configure and install the eTokenServer servlet (v2.0.4). This document provides an in-depth overview of the light-weight crypto library, a standard-based solution developed by INFN Catania for central management of robot credentials and provisioning of digital proxies to get seamless and secure access to computing e-Infrastructures supporting the X.509 standard for Authorisation.

In this solution robot certificates are available 24 hours a day on board USB eToken PRO 32/64 KBytes smart cards having the following technical specification:

We appreciate attribution. In case you would like to cite the Java light-weight crypto library in your papers, we recommend that you use the following reference.

Ardizzone, R. Calanducci, M. Scardaci and A. Schenone *The DECIDE Science Gateway* Journal of Grid Computing (2012) 10:689-70 DOI 10.1007/s10723-012-9242-3

We would also like to be notified about your publications that involve the use of the Java light-weight crypto libraries, as this will help us to document its usefulness. We like to feature links to these articles, with your permission, on our Web site.
Additional reference to the Java light-weight crypto library and other relevant activities can be found at [].

Licence

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.

Chapter I - System and Software Requirements

This chapter provides the list of requirements and the basic information that you need to know to install and configure the servlet.

| # | Server | OS and Arch. | Cert | Disk Space | CPU and RAM |
|---|---|---|---|---|---|
| 1 | Physical machine with at least 2 USB ports perfectly working | SL release 5.10 (Boron) x86_64 GNU/Linux | Yes | >= 80 GB | >= 4 cores, >= 8 GB RAM, Swap >= 4 GB |

Comments:
• The server must be registered to the DNS with direct and reverse resolution;
• Please set a human readable server hostname for your server (e.g. etoken);
• The OS installation should include the X-server since it is needed to open the etProps app;
• This installation has been successfully tested with eToken PRO 32/64 KBytes USB smart cards;
• At least 1 USB eToken PRO 75 KBytes must be available before the installation (contact SafeNet Inc. to find a nearby reseller and get prices).

Configure VOMS Trust Anchors

The VOMS-clients APIs need local configuration to validate the signature on Attribute Certificates issued by trusted VOMS servers. The VOMS clients and APIs look for trust information in the /etc/grid-security/vomsdir directory. The vomsdir directory contains a directory for each trusted VO. Inside each VO directory two types of files can be found:
• An LSC file contains a description of the certificate chain of the certificate used by a VOMS server to sign VOMS attributes.
• An X509 certificate used by the VOMS server to sign attributes.

These files are commonly named using the following pattern.

    'vo_name' 'hostname' 'port' 'dn' 'aliases'

Where:
• vo_name is the name of the VO served by the VOMS server,
• hostname is the hostname where the VOMS server is running,
• port is the port where the VOMS server is listening for incoming requests,
• dn is the subject of the certificate of the VOMS server, and
• aliases is an alias that can be used for this VOMS server (this is typically identical to the vo_name).

System wide VOMSES configuration is maintained in the /etc/vomses file or directory. If /etc/vomses is a directory, all the files contained in that directory are parsed looking for VOMS contact information. Install in /etc/vomses the contact information for each trusted VO you want to support! An example of VOMS contact information can be downloaded from [].

    ]# tar zxf Mkproxy-rhel4.tar.gz
    ]# chown -R root.root etoken-pro/
    ]# tree etoken-pro/
    etoken-pro/
    |-- bin
    |   |-- cardos-info
    |   |-- mkproxy
    |   |-- openssl
    |   `-- pkcs11-tool
    |-- etc
    |   |-- hotplug.d
    |   |   `-- usb
    |   |       `-- etoken.hotplug
    |   |-- init.d
    |   |   |-- etokend
    |   |   `-- etsrvd
    |   |-- openssl.cnf
    |   |-- reader.conf.d
    |   |   `-- etoken.conf
    |   `-- udev
    |       `-- rules.d
    |           `-- 20-etoken.rules
    `-- lib
        |-- engine_pkcs11.so
        |-- libcrypto.so.0.9.8
        `-- libssl.so.0.9.8

Untar the archive and copy the files to their respective locations.
• Copy binary files.

    ]# cd /usr/lib/
    ]# ln -s /usr/lib/libpcsclite.so.1.0.0 libpcsclite.so
    ]# ln -s /usr/lib/libpcsclite.so.1.0.0 libpcsclite.so.0
    ]# ll libpcsclite.so*
    lrwxrwxrwx 1 root root 29 Feb 17 09:47 libpcsclite.so -> /usr/lib/libpcsclite.so.1.0.0
    lrwxrwxrwx 1 root root 29 Feb 17 09:52 libpcsclite.so.0 -> /usr/lib/libpcsclite.so.1.0.0
    lrwxrwxrwx 1 root root 20 Feb 17 09:04 libpcsclite.so.1 -> libpcsclite.so.1.0.0
    -rwxr-xr-x 1 root root 92047 Jan 26 2007 libpcsclite.so.1.0.0

To administer the USB eToken PRO 64KB and add a new robot certificate, please refer to the Appendix I.

    ]# export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
    ]# pkcs11-tool -L --module=/usr/lib/libeTPkcs11.so
    Available slots:
    Slot 0 AKS ifdh 00 00
      token label: eToken
      token manuf: Aladdin Ltd.
      token model: eToken
      token flags: rng, login required, PIN initialized, token initialized, other flags=0x200
      serial num: 001c3401
    Slot 1 AKS ifdh 01 00
      token label: eToken1
      token manuf: Aladdin Ltd.
      token model: eToken
      token flags: rng, login required, PIN initialized, token initialized, other flags=0x200
      serial num: 001c0c05
    [.]

The current version of PKI_Client supports up to 16 different slots! Each slot can host a USB eToken PRO smart card.

• Generating a standard proxy certificate.

    ]# mkproxy
    Starting Aladdin eToken PRO proxy generation
    Found X.509 certificate on eToken:
      label: (eTCAPI) MrBayes's GILDA ID
      id: 333a30
    Your identity: /C=IT/O=GILDA/OU=Robots/L=INFN Catania/CN=MrBayes
    Generating a 512 bit RSA private key
    .++++++++++++
    .++++++++++++
    writing new private key to 'proxykey.FM6588'
    -----
    engine 'pkcs11' set.
    Signature ok
    subject=/C=IT/O=GILDA/OU=Robots/L=INFN Catania/CN=MrBayes/CN=proxy
    Getting CA Private Key
    PKCS#11 token PIN: *******
    Your proxy is valid until: Wed Jan 16 01:22:01 CET 2012.

    ]# cat apache-tomcat-7.0.34/conf/server.xml
    [.] [.]

Edit the /etc/sysconfig/iptables file in order to accept incoming connections on ports 8082 and 8443.

• How to start, stop and check the Apache Tomcat server
• Configure the JAVA_HOME env.

Chapter IV - Usage

This chapter shows the administrator (restricted access only) web interface used to interact with the RESTful “light-weight” crypto library, which is configured for:
• browsing the digital certificates available on the different smart cards;
• generating VOMS-proxy for a given X.509 digital certificate.
• Accessing the RESTful crypto library via WEB

The root resource of the library is deployed at the URL /:8443/eTokenServer as shown in the figure below:

The creation of a request to access the generic USB smart card and generate a proxy certificate is performed in a few steps.
• First and foremost we have to select a valid digital certificate from the list of available certificates (first accordion).
• Afterwards, depending on the selected certificate, it will be possible to select a list of FQAN attributes which will be taken into account during the proxy creation process.
• If necessary, the FQANs order can be changed in step 3.
• Before completing, some additional options can be specified in the 4th step to customize the proxy requestID.
• At the end, the complete requestID is available in step 5.

Chapter V - Some RESTful APIs

REST is an architectural style which defines a set of constraints that, when applied to the architecture of a distributed system, induce desirable properties like loose coupling and horizontal scalability. RESTful web services are the result of applying these constraints to services that utilize web standards such as URIs, HTTP, XML, and JSON.
Such services become part of the fabric of the web and can take advantage of years of web engineering to satisfy their clients’ needs. The Java API for RESTful web services (JAX-RS) is a new API that aims to make development of RESTful web services in Java simple and intuitive. This chapter presents some examples of RESTful APIs used to request proxy certificates, list the robot certificates available on the server side and register long-term proxies on the MyProxy server.

Appendix I - Administration of the eToken smart cards

This appendix provides a brief explanation of the eToken Properties (etProps) and the various configuration options available to the user. eToken Properties provides users with a configuration tool to perform basic token management such as password changes, viewing information, and viewing of certificates on the eToken. This appendix includes the following sections:
• Initializing the eToken PRO 32/64 KBytes USB smart card;
• Importing new certificates;
• Renaming a token.
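
Returning to the VOMS configuration in Chapter I: the following is an added example, not part of the original documentation or of the eTokenServer code, that parses the VOMSES contact lines (one file or a directory of files) and cross-checks them against the per-VO directories under vomsdir. The function names and the sample VO names, hostnames and DNs are constructed for illustration; the field order is the one given on this page.

```python
import shlex, tempfile
from pathlib import Path

FIELDS = ("vo_name", "hostname", "port", "dn", "aliases")  # order as given on this page

def parse_vomses_line(line):
    """Return one contact entry as a dict, or raise ValueError."""
    parts = shlex.split(line)  # every field is individually quoted
    if len(parts) != len(FIELDS):
        raise ValueError("expected 5 quoted fields, got %d" % len(parts))
    entry = dict(zip(FIELDS, parts))
    if not (entry["port"].isdigit() and 0 < int(entry["port"]) < 65536):
        raise ValueError("bad port %r" % entry["port"])
    if not entry["dn"].startswith("/"):
        raise ValueError("dn is not a /-separated subject")
    return entry

def load_vomses(path):
    """Parse the vomses path whether it is one file or a directory of files."""
    path = Path(path)
    files = sorted(p for p in path.iterdir() if p.is_file()) if path.is_dir() else [path]
    entries, problems = [], []
    for f in files:
        for lineno, line in enumerate(f.read_text().splitlines(), 1):
            try:
                if line.strip():
                    entries.append(parse_vomses_line(line))
            except ValueError as exc:
                problems.append("%s:%d: %s" % (f.name, lineno, exc))
    return entries, problems

def audit(vomses_path, vomsdir):
    """Flag entries with no per-VO trust directory or a conflicting server DN."""
    entries, problems = load_vomses(vomses_path)
    dn_by_endpoint = {}
    for e in entries:
        if dn_by_endpoint.setdefault((e["hostname"], e["port"]), e["dn"]) != e["dn"]:
            problems.append("conflicting dn for %s:%s" % (e["hostname"], e["port"]))
        if not Path(vomsdir, e["vo_name"]).is_dir():
            problems.append("no vomsdir directory for VO %s" % e["vo_name"])
    return entries, problems

def demo():  # constructed sample files: VO names, hostnames and DNs are made up
    root = Path(tempfile.mkdtemp())
    (root / "vomses").mkdir()
    (root / "vomsdir" / "vo.example").mkdir(parents=True)
    good = '"vo.example" "voms.example.org" "15001" "/C=IT/CN=voms.example.org" "vo.example"\n'
    (root / "vomses" / "a").write_text(good + good.replace("CN=voms", "CN=other") + '"x" "h" "1"\n')
    (root / "vomses" / "b").write_text('"vo.two" "voms2.example.org" "15003" "/CN=voms2.example.org" "vo.two"\n')
    return audit(root / "vomses", root / "vomsdir")
```

On the server, `audit("/etc/vomses", "/etc/grid-security/vomsdir")` returns the parsed entries and a list of findings; each finding points at a contact line or VO that the VOMS clients would not be able to validate consistently.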
Platform support

With some tinkering it is possible to use an eToken on
• Windows
• Linux:
  • Redhat Enterprise Linux 4 and compatible (Scientific Linux 4, CentOS 4)
  • Fedora Core 4 or higher
  • Suse 9.3 or higher
• MacOS X

This document tries to explain the tinkering.

Notes
• not all functions are available on all platforms. Currently, it is not possible to reformat an eToken on Linux. This can only be done on Windows (and perhaps MacOS, but this is untested).
• there is no native 64bit platform support. It is possible to use an eToken on an x86_64 architecture but it requires 32bit versions of all relevant tools (pcsc-lite, openssl, etc)

Downloading the Aladdin eToken RTE software

Due to licensing restrictions we cannot supply the eToken drivers and libraries on this site; these need to be downloaded from Aladdin. You can find the required software on the web:
• Windows:
• Linux:
• Mac OS X:

If you're running Windows XP or Vista you can also use the newer PKI Client 4.5/4.55 software:
• PKI Client 4.55:

However, you need to make sure that your eToken is initialized in 3.65 compatible mode under the Advanced Settings screen, otherwise your token is inaccessible on any other platform than Windows.

(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do.) To unpack the Linux archive, the command is required.

Important

Do NOT install the PKI Client 4.0 software (Windows only)!
eTokens initialized with this version of the Aladdin software are completely unusable by older releases. If you want to use your eToken on any other platform than Windows then stick with the RTE_3.65 software release instead.
Installing the Aladdin eToken RTE software

Windows

Unzip the RTE_3.65.zip archive and install the RTE_3.65.msi file. After rebooting, the operating system should recognize the eToken automatically when it is inserted (a red light will start to glow inside the eToken). The RTE software is now installed in 'default' mode. To get a few more administration options, including a nifty initialization button in the eToken Properties screen, set/change the registry key HKLM\SOFTWARE\Aladdin\eToken\eTProperties\Advanced:DWORD = 0x1F (default value is 0x1). You can now continue on to.

Linux

There are two ways to install the necessary tools:
• manual installation using the Aladdin petoken installation script. You have chosen the difficult path. Instructions can be found in.
• install a package for your distribution which does all the hard work for you.
There are two flavours: one for RPM based systems, and one for Debian based systems. The RPM has been tested on
• CentOS 4 / Scientific Linux 4 (rhel4), i686 and x86_64 architectures
• Fedora Core 5 (fc5), i686 architecture
• OpenSuSE 10.1, 10.3 (suse10), i686 architecture,

while the is known to work on
• Debian 4.0 stable (codename etch)
• Ubuntu 6.06 LTS
• Ubuntu 7.04

Contents of the pre-built packages

The RPM and Debian packages contain the following.
• Aladdin eToken RTE 3.65 software (in binary form only).
• the mkproxy script to generate grid proxies (see for details).
• pkcs11-tool command from the opensc package
• a patched version of the engine_pkcs11 module, also from the opensc package. This patch allows for PINs longer than 11 characters.
• a patched version of openssl v0.9.8d to allow the user to generate short-lived proxies (the patched file is x509.c; the patch has been submitted to the openssl-dev mailing list).
• system /etc/init.d startup scripts to correctly start the etokend and etsrvd daemons at system startup.
• hotplugging scripts to allow the correct hotplugging of your USB eToken device. These hotplugging scripts work on all Linux 2.6+ kernels, including 2.6.16 and above.
• PC/SC-lite pcscd Smart Card daemon v1.3.1, plus system startup script.

All binaries are installed in /opt/etoken-pro. The system startup and configuration scripts are installed in their appropriate location.

Debian packages

Instructions for obtaining and installing the software for Debian based systems can be found

RPM packages

Instructions on how to build and install the etoken-mkproxy rpm are. For Nikhef, SARA and IGTF members the following will also work:

    # FC5:
    rpm -ivh
    # RHEL4:
    rpm -ivh
    # Suse10:
    rpm -ivh

Manual installation

Instructions on how to manually install the Aladdin eToken software using the petoken install script can be found in.

Differences between manual and packaged installations

There are some differences between manual installations and installation of the pre-built packages above:

Manual installation:
• Most of the files end up in /usr/local/bin, /usr/local/lib and /usr/local/sbin.
• the mkproxy script is not included in the manual installation.
You can download it separately, including all required binaries, by following the instructions in.

Package installation:
• Most of the files end up in /opt/etoken-pro, with a single symlink in /usr/local/lib.
• the package includes a patched version of the openssl x509 command which allows you to specify short-lived certificates/proxies, much like the grid-proxy-init tool:

    /opt/etoken-pro/bin/mkproxy --valid 4:00

This patched version of the openssl command is now also included in the mkproxy tarballs.

Mac OS X

You can use the eToken PRO on Mac OS X 10.4 and above in the same way as on Linux. Just download and install the and the (universal binaries). The latest 4.55 package for MacOSX is also at

The software installs into /usr/local/etoken-pro by default.

Testing the eToken RTE software

Windows

You can access your eToken using the software installed by the RTE_3.65.msi installation package (usually in Start->Programs->eToken).
If you have installed Cygwin and the tarball you can also access your eToken using the pkcs11-tool command:
• start a Cygwin shell
• go to the directory where you have unpacked the tarball
• type the following to list all inserted tokens:

    ./etoken-pro/bin/pkcs11-tool --module=$WINDIR\\system32\\etpkcs11.dll -L

Note

This works only if you are logged in locally on the Windows machine. This will not work when logging in remotely using either a Cygwin sshd service or Remote Desktop.