Windows Installation

Manual for installation and utilization of METACentrum Tools

To use the token properly, you will need to install its drivers and the basic software for accessing MetaCentrum resources. The drivers are supplied on CD by the producer; the content of this CD can also be downloaded. The applications that we have prepared for access to MetaCentrum can be downloaded too.

Installation step by step:

  1. Install iKey3000 driver.
  2. Install METACentrum Tools.
  3. If you are using the Mozilla/Firefox browser, you will need to install support for the USB token, information here.
  4. Register your personal certificate in Personal information.

 

Installation of iKey3000 driver

Complete list of installer screenshots

Do not plug the token into the USB port before the installation has finished! Administrator rights are required to install this driver.

Use the file start.exe to install the driver. From the displayed menu select "Installation of SafeSign for iKey 3000" and follow the wizard.
If you select the user type of installation, the following parts are necessary for MetaCentrum Tools to work properly: PKCS#11 and CSP. It is also recommended to select Management of tokens.

Installation of MetaCentrum Tools

Unpack the distribution package METACentrumTools.zip. The installation is started by running METACentrum\METACentrum Tools\setup.exe.

After language selection you will be prompted to select a directory where MetaCentrum Tools will be installed.

The installation contains the following applications:

PKINIT - application that obtains Kerberos tickets using a personal certificate stored on the USB token.

GRID_PROXY_INIT - script that creates a proxy certificate using the personal certificate stored on the USB token.

META Putty - terminal for access to UNIX/Linux machines with GSSAPI support. After successfully obtaining tickets or a proxy certificate, the user is therefore not required to enter a password; authentication proceeds using the personal certificate. A manual for its use is available.

META WinSCP - Windows SCP client (program for secure access to files on UNIX/Linux machines), again with GSSAPI support. A manual for its settings is available.

Notes for those of you interested in all settings that are made by the installer.
Values that the application sets in the user's environment variables (HKEY_CURRENT_USER)


Utilization of MetaCentrumTools

Command line utilization.

The commands in the Start menu work the same way as the command-line commands, with one exception: the Start menu contains only pkinit, which has the same functionality as pkinit_gui.

Note: If you want pkinit and pkinit_gui to always use the same login, you can change the files {METACentrum Tools installation directory}\bin\pkinit.bat and pkinit_gui.bat according to the following examples. By default both programs take the login as a parameter, or the GUI version asks for it.

pkinit.bat
Example of the modified file:

@echo off
rem If you want to use a specific login, remove "rem" from the following two lines and replace <login> with the desired login
kinit -C ENGINE:CERT=slot_0,KEY=slot_0 xnovak
goto end

if "%1"=="" (goto description) else (goto doit)

:doit
echo KINIT for %1
kinit -C ENGINE:CERT=slot_0,KEY=slot_0 %1
goto end

:description
echo META Centrum Tools - KINIT
echo.
echo Usage: pkinit username[@realm]
echo.
echo For more information: http://meta.cesnet.cz
goto end

:end

 

pkinit_gui.bat
Example of the modified file:

@echo off
rem To always use a specific login, replace %1 with the login, e.g. kinit_gui -C ENGINE:CERT=slot_0,KEY=slot_0 xnovak
kinit_gui -C ENGINE:CERT=slot_0,KEY=slot_0 xnovak

Troubleshooting

Q: The ticket cannot be obtained (the Leash32 icon is not green after a click).
A: Run cmd.exe (Start->Run), navigate to the directory where you installed MetaCentrumTools (default: c:\Program Files\METACentrum\bin) and run pkinit there with your login as a parameter (for example: pkinit xnovak@META). Then compare the error messages with the following questions and answers.

Q: The token cannot be used in other programs once one program has used it.
A: By default, OpenSC is configured so that the first application that starts working with the token locks it. In the OpenSC build from META, locking is disabled. This setting can be changed in the file opensc.conf ({METACentrum Tools installation directory}\etc\opensc.conf) by changing the value of lock_login to false.

Q: Incorrect behaviour of the token.
A: Often caused by PIN caching being switched off. Set cache_pins to true in opensc.conf.

Q: cinit/pkinit cannot contact any KDC server: cannot reach any KDC
A: A firewall is blocking the Kerberos protocol. In {METACentrum Tools installation directory}\etc\krb5.conf, change the line for your realm from kdc = sirion.ics.muni.cz to kdc = tcp/sirion.ics.muni.cz:80 (if this does not help either, use http/sirion.ics.muni.cz:80).

Q: The error message "no usable pa data" appears while obtaining tickets.
A: The KDC server is not able to authenticate you. First check that your certificate is registered at the META portal in the section Personal information. If it is and you still get the same message, please contact the META administrators.
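
A check of the two configuration files against the troubleshooting answers above, as an added example (not part of MetaCentrum Tools). The file contents are constructed samples, the function names are hypothetical, and the nesting of the opensc.conf block is an assumption.

```python
import re
# Constructed sample files, not the shipped configs. Realm META comes from the
# page's "pkinit xnovak@META" example; the opensc.conf nesting is an assumption.
SAMPLE_KRB5 = """\
[realms]
    META = {
        kdc = sirion.ics.muni.cz
    }
"""
SAMPLE_OPENSC = """\
app opensc-pkcs11 {
    pkcs11 {
        lock_login = true;
        # cache_pins = true;
    }
}
"""

def kdc_entries(krb5_text, realm):
    """Return (transport, host) for every kdc line in the realm's block."""
    block = re.search(r"^\s*%s\s*=\s*\{(.*?)\}" % re.escape(realm), krb5_text, re.S | re.M)
    entries = []
    for value in re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1) if block else "", re.M):
        m = re.match(r"(tcp|http)/(.+)", value)
        entries.append((m.group(1), m.group(2)) if m else ("default", value))
    return entries

def opensc_flag(opensc_text, name):
    """Return True/False for an active 'name = true|false;' line, else None."""
    m = re.search(r"^\s*%s\s*=\s*(true|false)\s*;" % re.escape(name), opensc_text, re.M)
    return None if m is None else m.group(1) == "true"

def findings(krb5_text, opensc_text, realm):
    """List which troubleshooting items from this page apply to the configs."""
    notes = []
    kdcs = kdc_entries(krb5_text, realm)
    if not kdcs:
        notes.append("krb5.conf: no kdc line found for realm " + realm)
    for transport, host in kdcs:
        if transport == "default":  # no tcp/ or http/ prefix on the kdc value
            notes.append("krb5.conf: kdc = %s has no tcp/ or http/ prefix" % host)
    if opensc_flag(opensc_text, "lock_login") is not False:
        notes.append("opensc.conf: lock_login is not false")
    if opensc_flag(opensc_text, "cache_pins") is not True:
        notes.append("opensc.conf: cache_pins is not true")
    return notes

if __name__ == "__main__":
    for note in findings(SAMPLE_KRB5, SAMPLE_OPENSC, "META"):
        print("-", note)
```

To check a real installation, pass the text of etc\krb5.conf and etc\opensc.conf from the installation directory to findings() together with your realm name.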

Utilization of Putty

The only change compared to the usual use of Putty is the selection of the authentication method for SSH. On the page with the SSH authentication settings, select either "Kerberos 5" or "Globus GSI", and "Allow credential forwarding in GSSAPI/SSPI (SSH2)".

Using Putty and WinSCP requires changes on the SSH server side. We are preparing a mass upgrade of our SSH servers that will contain the required modifications. Until then, the machine skirit.ics.muni.cz must be used to access MetaCentrum. These values are entered in the "Session" menu. Access through GSI can be used on the machine skurut4.cesnet.cz.

Authentication settings in Putty

Utilization of WinSCP

When using WinSCP, the authentication settings have to be changed. First the option "Advanced option" must be selected; the "Authentication" menu under SSH then becomes available. There, select either "Attempt Kerberos 5 GSSAPI" or "Attempt GSI GSSAPI" authentication (SSH2).

Using Putty and WinSCP requires changes on the SSH server side. We are preparing a mass upgrade of our SSH servers that will contain the required modifications. Until then, the machine skirit.ics.muni.cz must be used to access MetaCentrum. These values are entered in the "Session" menu. Access through GSI can be used on the machine skurut4.cesnet.cz.

Authentication settings in WinSCP

Complete list of iKey3000 driver installer screenshots









Complete list of METACentrumTools installer windows






















Last changed: Thu May 21 14:23:12 CEST 2009