under construction for v0.1.2 release

OpenPlatformTrustServices v0.1.2 Server Setup Guide (DRAFT)

1. Introduction

1.1 Overview

This is a demonstration using KNOPPIX - CD bootable Operating System - for experiencing the Remote Attestation which is the fundamental capability provided by Trusted Computing technology.

This KNOPPIX supports Trusted Boot and client software for Remote Attestation, and can be validated by demo Validation Service on Internet. When the validation results in success without any known vulnerability, the client will be able to use a service like a demonstration service of vulnerability search.

This guide is for setting up the server which used in this experiment. Any information you can share with us, including your test result and trouble, will be very helpful and appreciated. The following mailing-lists are available for such reporting.

1.2 Composition

This guidance shows about how to setup the server on the “Red Hat Enterprise Linux 4”.

  • Server OS: Red Hat Enterprise Linux 4
  • Database Server: PostgreSQL
  • HTTP Server: Apache
  • Java runtime: Sun JDK 6
  • Application Server: Tomcat
  • Validation App: OpenPlatformTrustServices v0.1.2 (TBD)

Supported Clients

  • KNOPPIX 5.1.1 for Trusted Computing Geeks v1.0.1
  • KNOPPIX 5.3.1 for Trusted Computing Geeks (TBD)

Section 3 presents the construction of a database server. Section 4 describes about the application server. Section 5 describes about the interface to access the database.

2. Required Packages

2.1 Preparing the Operating System

Install a Red Hat Enterprise Linux 4.

After installation, you have to disable prelink function by modifying /etc/sysconfig/prelink file.

In order to confirm a setup immediately, execute the following command.
$ prelink -ua

2.2 Java 6

Download a RPM package of Java Runtime Environment Version 6, and install it.

2.3 PostgreSQL

Install PostgreSQL Server RPM package.

$ rpm -q postgresql-server
Start postgresql server, and set the password for postgres user.
# /sbin/service postgresql start
# passwd postgres

3. Setup Database

3.1 Configuration

3.1.1 (OPTION) enable remote access

Edit /var/lib/pgsql/data/postgresql.conf

tcpip_socket = true
Also edit /var/lib/pgsql/data/pg_hba.conf
host all all password
local all all password

3.1.2 Start PostgreSQL service

Start the postgresql server.

# /sbin/service postgresql start

3.1.3 Environment variable PGDATA

Set the environment variable for the administrator of the database.

> su postgres
Password: xxxxxxxx
> export PGDATA=/var/lib/pgsql/data

3.2 Account Creation

3.2.1 Create an administrator account

To create an administrator account, login to the database by administrator privilege and enter a new password for an administrator.

> createuser -a -d -P ptsadmin
Enter password for new user: xxxxxxxx
Enter it again: xxxxxxxx

3.2.2 Create a user account

To create a user account, login to the database by administrator privilege and enter a new password for a new user.

> createuser -A -D -P ptsuser
Enter password for new user: xxxxxxxx
Enter it again: xxxxxxxx

3.3 Create database

Create two databases. One is an integrity information database for knoppix named "iidb_knoppix", and the other is a vulnerability database named "vul".

> createdb -E utf8 iidb_knoppix
> createdb -E utf8 vul

3.4 Inserting data

Install following two Open Platform Trust Services.

3.4.1 Creating the table schema

Run the script, /opt/OpenPlatformTrustServices/database/dbsetup.sh of openpts-tools.

Confirm the configuration of the database and modify them if needed. To create the database, select S) Setup New Databases.

$ sh /opt/OpenPlatformTrustServices/database/dbsetup.sh
S) Setup New Databases
C) Show Current Configuration
L) Show State
B) Backup Databases
D) Delete Databases
Q) Exit

When you use the same variables as examples 3.2 and 3.3, the setting becomes to the following values.

  • DB type :postgres
  • DB admin :ptsadmin
  • DB user :ptsuser
  • Vulnerability Database name :vul
  • Integrity Information Database 0 name :iidb_knoppix

3.4.2 Setup Integrity Information Database of current host

At first, run the KNOPPIX on the client platform to correct package information.

To get package information from current host, execute the script /opt/OpenPlatformTrustServices/bin/deb-all.sh of openpts-tools. The argument is a directory name. In the following example, “knoppix” is the directory name to store the corrected information. This shell script runs “deb-meta.pl”, “deb-file.pl sha1” and “deb-file.pl md5”.

$ sh /opt/OpenPlatformTrustServices/bin/deb-all.sh knoppix

At the host using rpm packages, just run tools/package/rpm/rpm-all.sh in a similar manner as the debian host.

After running this command, we can get the data files in the directory. The files are

  • packagelist.txt
  • tm3-data.txt
  • data/
  • NAME_VERSION.metadata
  • NAME_VERSION.md5.filelist
  • NAME_VERSION.sha1.filelist

In order to import in the database, transport these data to the server. To use the openpts command at /opt/OpenPlatformTrustServices/bin/openpts, setup the database configuration.

Copy /opt/OpenPlatformTrustServices/database/ibatis/sqlMapsConfig.properties.sample to sqlMapsConfig.properties and edit it according to your environment. When you use the same variables as examples 3.2 and 3.3, the following values are used in setting.

  • driver=org.postgresql.Driver
  • username=ptsadmin
  • password=xxxxxxxx
  • url_vul=jdbc:postgresql://localhost/vul
  • url_iidb0=jdbc:postgresql://localhost/iidb_knoppix

To insert the data into Integrity Information Database, run the following command. The last argument is the data directory which storing the package information. The “—dbindex” is the database index listed as url_iidb in sqlMapsConfig.properties. If you want to use the database of “url_iidb0”, add “–dbindex 0”.

$ /opt/OpenPlatformTrustServices/bin/openpts debimport --dbindex 0 --inputdir

3.4.3 Setup Vulnerability Database

Get the vulnerability information via Internet. We need CVE data and DSA (Debian Security Advisory) data to check the security of KNOPPIX.

CVE is released from 2002 to 2008 (from nvdcve-2002.xml to nvdcve-2008.xml). To setup cve_definitions table, execute the following command for each year. In this example, the xml files are saved at “—outputdir /tmp”.

$ /opt/OpenPlatformTrustServices/bin/openpts cve --xmlfile
http://nvd.nist.gov/download/nvdcve-2008.xml --outputdir /tmp

To store the DSA data to debian_security_advisories table, execute the following command for each year from 2000 to 2008.

$ /opt/OpenPlatformTrustServices/bin/openpts dsainfo --url
http://www.debian.org/security/2008/ --outdir /tmp

Then, get the detail information for each DSA entry, and make it reflected to the database of package information.

$ /opt/OpenPlatformTrustServices/bin/openpts dsadetail --outdir /tmp
$ /opt/OpenPlatformTrustServices/bin/openpts dsasync --dbindex 0

If you use the RPM package of Red Hat, get OVAL information instead of DSA. In this case, the argument “–distribution” is for the version number of Red Hat.

$ /opt/OpenPlatformTrustServices/bin/openpts oval --dbindex 0 --xmlfile
https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml --distribution rhel5

3.5 Maintenance

3.5.1 Performance

In PostgreSQL, you can recover an unnecessary domain by performing VACUUM.


REINDEX command re-create the INDEX which was created beforehand.


3.5.2 Backup

You can write out the database to a file as SQL.

$ pg_dump database_name > file_name.sql

3.5.3 Restore

To restore the backup files to database,

$ psql -e database_name < file_name.sql
$ pg_restore –d database_name file_name.sql

4. Setup the Validation Server and demo site

4.1 Setup the demo site conencted by valid client

Example, demo user is
account : guest
password : password

htpasswd -c /var/www/.htaccess guest
mkdir /var/www/html/demo

Edit /var/www/html/demo/.htaccess

AuthType  Basic
AuthName "Password Required"
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
Require valid-user

Edit /var/www/html/demo/index.html put any contents

4.2 Install Tomcat

Download a Tomcat 5.5, and install it.

# cd /opt
# tar xvfz /home/munetoh/Desktop/apache-tomcat-5.5.26.tar.gz
# /opt/apache-tomcat-5.5.26/bin/catalina.sh run

Check the URL, http://localhost:8080/

4.2 Install OpenPlatformTrustServices

Install the following two Open Platform Trust Services.

$ cd OpenPlatformTrustServices-0.1.1
$ sudo make setup-jars
$ make all
$ sudo make install
$ cd OpenPlatformTrustServices-0.1.1
$ sudo make setup-jars
$ make all
$ make servlet
$ sudo make install-servlet
$ cp /opt/OpenPlatformTrustServices/database/ibatis/sqlMapsConfig.properties /opt/apache-tomcat-5.5.26//webapps/pva/WEB-INF/classes/sqlMapsConfig.properties

Note) ID & PW to access the demo site is hard coded (Sorry). fix the string at 104 line in src/tcdemo/Server.java

Restart the Tomcat and check the existance of validation app on http://localhost:8080/pva/

4.3 Start the server

4.3.1 normal mode

4.3.2 debug mode

# /opt/apache-tomcat-5.5.26/bin/catalina.sh run


5. Interface to the Database (option)

5.1 GUI

These tools are the viewer for the PostgreSQL database.

5.1.1 Setup the phpPgAdmin (TBD)

Download RPM package for RHEL4 http://rpm.pbone.net/index.php3/stat/4/idpl/6893237/com/phpPgAdmin-4.2-1.el4.noarch.rpm.html

#  rpm -ivh /home/munetoh/Desktop/phpPgAdmin-4.2-1.el4.noarch.rpm


Copyright IBM Japan, Ltd. 2008 *) This work is sponsored by the Ministry of Economy. Trade and Industry, Japan (METI) under contract for the New-Generation Information Security R&D Program. *) Linux is a trademark of Linus Torvalds. All trademarks, logos, service marks, and other materials used in this site are the property of IBM corp. or other entities.