SAMI Installation Guide

The Secure and Accountable Measurement Infrastructure (SAMI) is a collection of software tools designed to aid researchers and engineers in managing internet measurements from various vantage points within the internet. SAMI has several different components: the SAMI probe (samid/scheduled); the Configuration Point Of Contact (CPOC), or cpocd; the Data Analysis Client (DAC), or dacd; and the Measurement Client (MC). This document describes the installation procedure for both the full source release and binary distribution of version 1.0 of the SAMI package.

If you encounter any problems or have any questions, please contact us at sami-info@psc.edu.

Notes:

  • Please see the SAMI overview if you are not familiar with the software suite.
  • For security considerations, please see the security document.
  • The SAMI software suite requires the following additional libraries. Please install these prior to building the SAMI software suite:
      • OpenSSL 9.6.7 or greater
      • Xerces 2.2 or greater (which may require Iconv)
      • Akenti 1.4 or greater (which requires OpenLDAP and CppUnit), only for SAMI probes and CPOCs. MCs and DACs do not require Akenti.
  • This version of the SAMI software is known to run on NetBSD 1.6.2 and 2.0, FreeBSD 4.8 and 5.3, and Linux 2.6.
  • Please note that in this document, INSTALL_DIRECTORY represents the SAMI root directory.

Building from Source

Untar the SAMI source package, then configure and build, where x and y are the major and minor releases of the software, respectively:

    tar -xzpvf sami-x.y.src.tar.gz
    cd sami-x.y/src
    ./configure --prefix=$HOME \
        --with-ssl-dir=PATH_TO_OPENSSL_INSTALLATION \
        --with-xerces-dir=PATH_TO_XERCES_INSTALLATION \
        --with-iconv-dir=PATH_TO_ICONV_INSTALLATION \
        --with-ldap-dir=PATH_TO_LDAP_INSTALLATION \
        --with-akenti-dir=PATH_TO_AKENTI_INSTALLATION
    make && make install

Installation notes

  • You only need to specify those installation paths that are not in a standard location (e.g., /lib or /usr/lib).
  • ./configure --help will give you the complete set of options.
  • To make (pseudo) static binaries, type make static, but make certain that all needed libraries are specified with the --with-*-dir options to configure. Using make static will produce a binary with static inclusion of Akenti, Xerces, Ldap, and Iconv (the least standard of the additional libraries needed). Using make openssl-static will also statically include the OpenSSL libraries, and make system-static will generate fully static binaries.

Building from Binary Distribution

Simply untar the SAMI release that matches your system:

    tar -C $HOME -xzpvf sami-x.y-SYSNAME-RELEASE[-STATIC].tar.gz 

Prerequisites to Running the SAMI Probe

To run a SAMI probe, you need:

  • the samid, scheduled, and master-script binaries,
  • system invocation scripts,
  • a HOST X.509 certificate signed by a Certificate Authority that is accepted by the CPOC administering this SAMI probe,
  • the private and public keys used by the HOST X.509 certificate,
  • and the CA’s X.509 certificate.

Note that if you are willing to wait to be fully operational, then you only need the X.509 certificates and the samid component. After startup, the remaining SAMI components will be automatically downloaded by the CPOC during its regular update time.

Xerces 2.[2-6] has a bug in the way it opens schema files (it opens them with a mode of “r+”). Akenti 1.5 uses the following two schema files:

  • AkentiCertificate.xsd
  • AkentiProtocol.xsd

These files need to be writable by user sami and need to be in the directory INSTALL_DIRECTORY/akenti/xml/schema in order for Akenti to work. (Note: typing make install or untarring the binary tar file will do this for you.)

Obtaining Host and CA X.509 Certificates

To acquire a HOST X.509 certificate, you need to generate a Certificate Signing Request (CSR). To generate a CSR you must first generate a HOST key:

ssh-keygen -t rsa -C "`hostname`'s SAMI key" -f keys/id_rsa-`hostname` 

You do not want a pass-phrase on your HOST key, so make certain that the directory ~/keys is set to mode 700, and that the private key file (id_rsa-HOSTNAME) is set to mode 600.

Now, generate your CSR via:

openssl req -new -key keys/id_rsa-HOSTNAME -out `hostname`.csr 

It’s a good idea to know beforehand what fields in the Distinguished Name (DN) your CA uses. For example, they may want /OU set to either ‘people’ or ‘hosts’.

Next, e-mail your CSR to the CA that your CPOC is using, and finally, upon receiving your HOST X.509 certificate and the CA certificate, place them in ~/certs, and ~/ca-certs respectively, e.g.:

~/certs/HOSTNAME.pem
~/ca-certs/e7c4527b.0

where e7c4527b is the ‘hash’ of the CA’s DN, in this example.

Diffie-Hellman

The following additional step is needed only if you did not install a binary distribution, or you did not run make install on the source distribution:

If you intend to use Diffie-Hellman ciphers, you will need to generate the Diffie-Hellman parameters:

openssl dhparam -out rand/dhparam-1024.pem -2 1024 

Prerequisites to running a Configuration Point Of Contact

To run a Configuration Point of Contact (CPOC), you need:

  • the cpocd,
  • a HOST X.509 certificate, signed by a Certificate Authority (CA) that you choose to use,
  • the private and public keys used by the HOST X.509 certificate, and
  • the CA’s X.509 certificate.

Obtaining HOST and CA X.509 Certificates

To acquire the HOST X.509 certificate, you need to generate a Certificate Signing Request (CSR). To generate a CSR, first generate a HOST key:

ssh-keygen -t rsa -C "`hostname`'s CPOC key" -f keys/id_rsa-`hostname` 

As this is the CPOC, which controls all policy for all SAMI probes within its domain, this key should be kept secure. Be sure to set a good pass-phrase.

Generate your CSR via:

openssl req -new -key keys/id_rsa-HOSTNAME -out `hostname`.csr 

It’s a good idea to know beforehand what fields in the Distinguished Name (DN) your CA uses. For example, they may want /OU set to either ‘people’ or ‘hosts’.

Next, e-mail your CSR to the Certificate Authority that your CPOC is using, and finally, upon receiving your HOST X.509 certificate and the CA certificate, place them in ~/certs, and ~/ca-certs respectively, e.g.:

~/certs/HOSTNAME.pem
~/ca-certs/e7c4527b.0

where e7c4527b is the ‘hash’ of the CA’s DN, in this example.

Prerequisites to Running a Measurement Client

To run a MC or DAC, you need:

  • the mc binary,
  • a USER X.509 certificate, signed by a Certificate Authority (CA) that is accepted by the CPOC administering the SAMI probes that you plan to use,
  • the private and public keys used by your USER X.509 certificate, and
  • the CA’s X.509 certificate.

Acquiring USER and CA X.509 Certificates

Using a Kerberos Certificate Authority

To acquire the USER X.509 certificate using a Kerberos Certificate Authority, convert your Kerberos ticket to a kx509 certificate:

kx509

then store the certificate to disk:

klist -o INSTALL_DIRECTORY/certs/USERNAME.pem

Note that the file generated by klist -o filename contains both the certificate and the key!

Using a non-Kerberos Certificate Authority

To acquire a USER X.509 certificate from a non-Kerberos CA, you need to generate a Certificate Signing Request (CSR). First generate your USER key, if you don’t already have one in ~/.ssh:

ssh-keygen -t rsa -C "USERNAME's SAMI key" -f keys/id_rsa-USERNAME 

Note: please set a pass-phrase to encrypt your private key!

Now, generate your CSR via:

openssl req -new -key keys/id_rsa-USERNAME -out `hostname`.csr 

Note that it’s a good idea to know beforehand what fields in the DN your CA uses. For example, they may want /OU set to either ‘people’ or ‘hosts’.

Next, e-mail your CSR to the Certificate Authority that the CPOC is using. Finally, upon receiving your USER X.509 certificate and the CA certificate, place them in ~/certs, and ~/ca-certs respectively, e.g.:

~/certs/HOSTNAME.pem
~/ca-certs/e7c4527b.0

where e7c4527b is the hash of the CA’s DN, in this example.
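The key, CSR and certificate placement steps above are the same for the probe, the CPOC and the MC. The following script is an added example, not part of the SAMI distribution: it walks the HOST procedure end to end against a throwaway CA in a temporary directory and then checks the result the way an operator should before starting samid. It assumes the openssl command line and GNU stat; the hostname, CA name and directory are constructed, and the key is generated with openssl genrsa instead of ssh-keygen.

```shell
#!/bin/sh
# Added example, not part of the SAMI distribution. Builds a throwaway CA and
# host certificate with openssl, lays them out as the guide describes
# (~/keys, ~/certs, ~/ca-certs, using a temp dir instead of $HOME) and checks
# what the TLS setup depends on: file modes, the hash-named CA file, and that
# the host certificate really chains to that CA. Requires the openssl CLI.
set -eu

SAMI_HOME=$(mktemp -d)            # stands in for $HOME (constructed)
PROBE=probe1.example.test         # stands in for `hostname` (constructed)
mkdir -m 700 "$SAMI_HOME/keys" "$SAMI_HOME/certs" "$SAMI_HOME/ca-certs"

# Throwaway CA. In practice the CA belongs to whoever runs your CPOC.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=SAMI test/CN=Test CA" \
  -keyout "$SAMI_HOME/ca.key" -out "$SAMI_HOME/ca.pem" 2>/dev/null

# HOST key and CSR. The guide uses ssh-keygen; openssl genrsa is used here
# because recent ssh-keygen versions write the OpenSSH private key format,
# which 'openssl req -key' cannot read (ssh-keygen -m PEM avoids that).
openssl genrsa -out "$SAMI_HOME/keys/id_rsa-$PROBE" 2048 2>/dev/null
chmod 600 "$SAMI_HOME/keys/id_rsa-$PROBE"
openssl req -new -key "$SAMI_HOME/keys/id_rsa-$PROBE" \
  -subj "/O=SAMI test/OU=hosts/CN=$PROBE" -out "$SAMI_HOME/$PROBE.csr" 2>/dev/null

# The CA signs the CSR; the result is what you would save as ~/certs/HOSTNAME.pem.
openssl x509 -req -days 1 -in "$SAMI_HOME/$PROBE.csr" -CA "$SAMI_HOME/ca.pem" \
  -CAkey "$SAMI_HOME/ca.key" -CAcreateserial -out "$SAMI_HOME/certs/$PROBE.pem" 2>/dev/null

# ~/ca-certs/HASH.0: HASH is the subject-name hash of the CA's DN (the guide's
# e7c4527b is one such value); this is the name OpenSSL's CApath lookup expects.
ca_hash=$(openssl x509 -noout -hash -in "$SAMI_HOME/ca.pem")
cp "$SAMI_HOME/ca.pem" "$SAMI_HOME/ca-certs/$ca_hash.0"

# check_probe_certs HOME HOSTNAME: prints "ok" or the first problem found.
# (stat -c %a is GNU stat; on the BSDs the guide targets use stat -f %Lp.)
check_probe_certs() {
  home=$1; host=$2; key="$home/keys/id_rsa-$host"; cert="$home/certs/$host.pem"
  [ "$(stat -c %a "$home/keys")" = 700 ] || { echo "keys dir not mode 700"; return 1; }
  [ "$(stat -c %a "$key")" = 600 ] || { echo "private key not mode 600"; return 1; }
  # the private key must be the one the certificate was issued for
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = "$(openssl x509 -in "$cert" -noout -pubkey)" ] \
    || { echo "key does not match certificate"; return 1; }
  # the certificate must chain to a CA that CApath can find by hash name
  openssl verify -CApath "$home/ca-certs" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not verify against ca-certs"; return 1; }
  echo ok
}
```

Run check_probe_certs "$HOME" "$(hostname)" against a real installation; a CA file saved under the wrong hash name fails the last check even though the certificate itself is fine.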

Configuring and Running SAMI Components

Follow the directions in the SAMI Probe Usage Guide, the CPOC Usage Guide, and the MC Usage Guide to configure and run the appropriate components.