Key Escrow Service
Server
The server install begins with the wfu.tar.gz file. Download and unpack the file:
tar xvzf wfu.tar.gz
This will create a directory containing the client and server files. The directory is named wfu.
The server is built using a configure script. The following process is a typical server install:
tar xvzf wfu.tar.gz
cd wfu
./configure --prefix=/usr/local/wfu \
--enable-auth=ldap \
--enable-log=syslog \
--enable-inetd
make
make install
A typical server install enables the LDAP system for authentication and logging to syslog.
The configure script assumes the MySQL, OpenSSL, XML and OpenLDAP headers and libraries are in their default RedHat/Fedora locations.
After libwfu.a is built, the inetd server is compiled and linked against it.
Given the prefix of /usr/local/wfu, the server, library and header files will be installed into
bin, lib and include, respectively.
The server is executed via xinetd. We will need to create a user, define a service, and
set up the xinetd configuration file:
- Create a user account for the server process to use.
- Select a service name. Create an entry in
/etc/services for this service.
The port number must match the TCP_PORT value chosen in the template.xml file.
The following appends an entry to /etc/services; you should instead insert the
entry at its proper place in the file's port order.
cat >> /etc/services<<EOF
escrow 1111/tcp
EOF
- Create a configuration file in
/etc/xinetd.d for the service.
The name of this file should be the same as the name of the service you chose in the
previous step. The user you chose in the first step will be used in this file.
cat > /etc/xinetd.d/escrow<<EOF
service escrow
{
disable = no
socket_type = stream
wait = no
user = escrow
server = /usr/local/wfu/bin/inetd
server_args = /usr/local/wfu/config.xml
protocol = tcp
}
EOF
You will need to restart xinetd. Make sure xinetd is configured to start upon boot.
The server_args must be set to the server's XML configuration file.
To create this configuration file, make a copy of the template.xml file we created earlier.
Remove the <RSA_PRIVATE> section from this file.
cp /usr/local/wfu/template.xml /usr/local/wfu/config.xml
vi /usr/local/wfu/config.xml
Remove the <RSA_PRIVATE> ... </RSA_PRIVATE> section from this file!
WARNING
When in production, make sure the <RSA_PRIVATE> ... </RSA_PRIVATE>
key is not on the server. The absence of the <RSA_PRIVATE> key creates an
obstacle to an attacker: if the server were compromised, the attacker would still have
to break the RSA encryption before the escrowed data had any value.
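To make the key-removal step repeatable and checkable rather than a manual vi edit, here is an added shell example; it is not part of the wfu distribution, and the config element names other than RSA_PRIVATE and TCP_PORT (WFU, RSA_PUBLIC) are assumed for illustration:

```shell
#!/bin/sh
# Added example, not part of the wfu distribution: build the server's
# config.xml from template.xml with the <RSA_PRIVATE> section removed,
# then verify the result before pointing xinetd's server_args at it.
# Element names other than RSA_PRIVATE and TCP_PORT are assumed.

# Drop everything from <RSA_PRIVATE> through </RSA_PRIVATE>, inclusive.
# Works whether the section spans lines or both tags sit on one line
# (assumes nothing else shares a line with the tags).
strip_rsa_private() {
    awk '
        /<RSA_PRIVATE>/   { skip = 1 }
        !skip             { print }
        /<\/RSA_PRIVATE>/ { skip = 0 }
    ' "$1"
}

# Succeed only if no trace of the private-key section remains.
check_no_private_key() {
    ! grep -q 'RSA_PRIVATE' "$1"
}

# template -> config; refuse to succeed if the key survived the strip.
make_server_config() {
    strip_rsa_private "$1" > "$2" || return 1
    chmod 0640 "$2"               # keep the server config out of world-read
    check_no_private_key "$2"
}

# Self-contained run on a constructed template (key values are placeholders).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/template.xml" <<'EOF'
<WFU>
  <TCP_PORT>1111</TCP_PORT>
  <RSA_PUBLIC>PUBLIC-KEY-PLACEHOLDER</RSA_PUBLIC>
  <RSA_PRIVATE>
PRIVATE-KEY-PLACEHOLDER
  </RSA_PRIVATE>
</WFU>
EOF
    make_server_config "$dir/template.xml" "$dir/config.xml" \
        && cat "$dir/config.xml"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

In a real deployment, point make_server_config at /usr/local/wfu/template.xml and /usr/local/wfu/config.xml; a nonzero exit means the private key is still present and the config must not be used.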