This tutorial is a step-by-step guide to deploying your own PHP validation server, including the Key Storage Module (KSM), so that YubiKey one-time passwords can be verified without Yubico's servers.
Requirements:
- PHP Web Server
- MySQL Database
- Yubikey USB Token
1. DOWNLOAD CONFIGURATION TOOL
First of all, reprogram your YubiKey: the AES key is write-only, so we cannot read the AES-128 key out of a factory-programmed key and have to write one that we know ourselves. Keep in mind that once you have modified your YubiKey you can no longer log in to services that validate against Yubico's servers. Fortunately you can upload your modified YubiKey data to Yubico here to get it working with the Yubico server again:
http://www.yubico.com/developers/aeskeys/
OK, let's start by downloading and installing the personalization tool. There is a binary version for Windows:
http://www.yubico.com/developers/personalization/
2. MODIFY YOUR YUBIKEY
Run the application "Yubico Configuration Utility" from the Start Menu.
Select: "Create a dynamic Yubikey Configuration (OTP mode)"
Use a public identity
Desired Length: 6
Public ID String: ff 50 7d b6 68 de (I will use these example values throughout the tutorial; you can choose any other value)
Fixed Value
NEXT
Use a private identity
ID String: a9 f9 de ff 36 22
NEXT
AES Key: e1 6e 6e c2 5c 31 46 94 01 9e 44 40 ff c3 43 3b
NEXT
Output Format Flags: Send ENTER as the last keystroke
NEXT
The yubikeys are currently unprotected and I want to keep it that way (this writes the slot without an access code, so anyone who gets hold of the key can reprogram it again; for keys you intend to rely on, choose the option that protects the configuration with an access code instead)
NEXT
Write to configuration 1
RUN
Close the application
3. DOWNLOAD YUBIKEY KEY STORAGE MODULE
Start your browser and go to
http://code.google.com/p/yubikey-ksm/
Switch to the Source tab and copy the address into your favourite SVN tool to check out the sources.
Create a new directory on your PHP server named "yubico"
Create a new subdirectory on your PHP server named "ksm"
Copy all checked out files into the "ksm" directory.
4. SETUP MYSQL TABLES FOR KSM
Open ykksm-db.sql in a text editor.
Copy the "create table yubikeys" statement and change its first line to "create table ksm_yubikeys".
Execute the SQL command in your MySQL database to create a new table.
(In fact you can execute the complete SQL file, but I prefer to keep all YubiKey tables in the same database under the same MySQL user.)
Insert a new row for your modified YubiKey. publicName is the modhex encoding of the public ID from step 2 (ff 50 7d b6 68 de becomes vvgcitnhhjtu), internalName is the private ID and aesKey is the AES key, both as plain hex without spaces. Make sure there is no stray whitespace inside the aesKey string: the KSM hands that column straight to the decryption routine, and a key that does not decode to exactly 16 bytes will never decrypt anything.
INSERT INTO ksm_yubikeys (id, serialNr, publicName, created, internalName, aesKey, lockCode, creator, active, hardware)
VALUES (NULL , '1', 'vvgcitnhhjtu', '0000-00-00 00:00:00', 'a9f9deff3622', 'e16e6ec25c314694019e4440ffc3433b', '', '', '1', '1');
5. CONFIGURE KEY STORAGE MODULE
Open ykksm-config.php in a text editor and update your MySQL configuration.
Open ykksm-decrypt.php in a text editor and modify the MySQL queries, since we chose a different name for our table in the previous step: search for " yubikeys" and replace it with " ksm_yubikeys".
6. TEST THE NEW KSM WITH YOUR YUBIKEY
Launch your favourite browser and go to
http://www.youraddress.com/yubico/ksm/y ... t.php?otp=
Put the cursor at the end of the browser's address field and touch the YubiKey button: the key types a one-time password straight into the URL.
You should see something like this (the KSM has decrypted the OTP with the stored AES key and reports the session counter, the low and high parts of the key's timestamp and the session-use counter, all in hex; anything other than an OK line means the public ID, the private ID or the AES key in the table does not match the key):
OK counter=0001 low=ef28 high=2f use=04
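To make clear what the KSM is actually doing with the OTP in step 6, here is an added example, not part of this tutorial or of the yubikey-ksm project: a Go program that performs the same check offline for the key programmed in step 2 and the row inserted in step 4. The modhex alphabet, the 16-byte token layout and the CRC are those documented for the YubiKey; the in-memory map stands in for the ksm_yubikeys table; MakeOTP reproduces what the key does when you touch it, so that a sample OTP can be constructed without hardware (the values and the random field are made up). The OK line follows the KSM's format; the ERR lines are this example's own wording.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// The key types modhex, not hex, so an OTP survives any keyboard layout:
// hex digit i is sent as modhexAlphabet[i] (ff507db668de -> vvgcitnhhjtu).
const modhexAlphabet = "cbdefghijklnrtuv"

func ModhexEncode(b []byte) string {
	var sb strings.Builder
	for _, x := range b {
		sb.WriteByte(modhexAlphabet[x>>4])
		sb.WriteByte(modhexAlphabet[x&0x0f])
	}
	return sb.String()
}

// ModhexDecode rejects odd lengths and characters outside the alphabet.
func ModhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, fmt.Errorf("modhex: odd length %d", len(s))
	}
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhexAlphabet, s[i])
		if v < 0 {
			return nil, fmt.Errorf("modhex: bad character %q", s[i])
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// CRC16 as the key and ykksm-utils.php compute it (poly 0x8408 reflected, init 0xffff).
func CRC16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1)) //  shift; feed back if bit 0 was set
		}
	}
	return crc
}

// ksmYubikeys stands in for the ksm_yubikeys row from step 4: publicName -> {internalName, aesKey}.
var ksmYubikeys = map[string][2]string{
	"vvgcitnhhjtu": {"a9f9deff3622", "e16e6ec25c314694019e4440ffc3433b"},
}

// MakeOTP builds an OTP the way the key itself does (token layout from the YubiKey manual):
// uid, counter, timestamp, use, random, ~CRC16; one AES-128 block; modhex behind the public ID.
func MakeOTP(publicName, keyHex, uidHex string, counter uint16, tstamp uint32, use uint8, rnd uint16) string {
	key, _ := hex.DecodeString(keyHex)
	block, _ := aes.NewCipher(key) // test-input helper: a wrong keyHex panics on Encrypt below
	var pt, ct [16]byte
	uid, _ := hex.DecodeString(uidHex)
	copy(pt[0:6], uid)
	binary.LittleEndian.PutUint16(pt[6:8], counter)
	binary.LittleEndian.PutUint16(pt[8:10], uint16(tstamp))
	pt[10] = byte(tstamp >> 16)
	pt[11] = use
	binary.LittleEndian.PutUint16(pt[12:14], rnd)
	binary.LittleEndian.PutUint16(pt[14:16], ^CRC16(pt[:14])) // makes CRC16(whole token) == 0xf0b8
	block.Encrypt(ct[:], pt[:])
	return publicName + ModhexEncode(ct[:])
}

// Decrypt answers like ykksm-decrypt.php?otp=... : look up the public ID, decrypt, verify, report.
func Decrypt(otp string) string {
	if len(otp) < 32 || len(otp) > 48 {
		return "ERR Invalid OTP format"
	}
	ct, err := ModhexDecode(otp[len(otp)-32:])
	if err != nil {
		return "ERR Invalid OTP format"
	}
	row, ok := ksmYubikeys[otp[:len(otp)-32]]
	if !ok {
		return "ERR Unknown yubikey"
	}
	key, err := hex.DecodeString(row[1]) // a stray space or a truncated value in the table fails here
	if err != nil || len(key) != 16 {
		return "ERR Bad key in table"
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 16-byte key
	pt := make([]byte, 16)
	block.Decrypt(pt, ct) // one block, i.e. AES-128-ECB
	// A wrong key, a flipped character or an OTP from another key all land here.
	if CRC16(pt) != 0xf0b8 || hex.EncodeToString(pt[:6]) != row[0] {
		return "ERR Corrupt OTP"
	}
	counter := binary.LittleEndian.Uint16(pt[6:8])
	low := binary.LittleEndian.Uint16(pt[8:10])
	return fmt.Sprintf("OK counter=%04x low=%04x high=%02x use=%02x", counter, low, pt[10], pt[11])
}
```

Decrypt(MakeOTP("vvgcitnhhjtu", "e16e6ec25c314694019e4440ffc3433b", "a9f9deff3622", 1, 0x2fef28, 4, 0xbeef)) yields the same line as the browser test above. Note that the KSM never sees a counter until both the CRC and the private ID have checked out, which is why a key with the right public ID but a different AES key or private ID is indistinguishable from a corrupted OTP.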
7. DOWNLOAD YUBIKEY PHP VALIDATION SERVER
Launch your favourite browser and go to
http://code.google.com/p/yubikey-val-server-php/
Switch to the Source tab and copy the address into your favourite SVN tool to check out the sources.
Create a new subdirectory of "yubico" directory on your PHP server named "validation"
Copy all checked out files into the "validation" directory.
8. SETUP MYSQL TABLES FOR VALIDATION SERVER
Same procedure as in step 4...
Open ykval-db.sql in a text editor and copy the 2 "CREATE TABLE" SQL queries.
Modify the queries to "CREATE TABLE val_clients" and "CREATE TABLE val_yubikeys".
Insert a new entry into the val_clients table. The secret column is the client's API key, stored base64-encoded; the validation server uses it as the HMAC-SHA1 key for the h= signature on its responses. It is left empty here to keep the test simple, which means the responses are not really authenticated; for anything beyond a test, generate a random key and store it base64-encoded:
INSERT INTO val_clients (id, active, created, secret, email, notes) VALUES
(1, 1, '2009-08-27 00:00:00', '',
'foo@bar.com', 'test');
9. CONFIGURE VALIDATION SERVER SOURCES
Open ykval-config.php in a text editor and update your MySQL configuration
Open ykval-verify.php and ykval-common.php in a text editor and modify the MySQL queries, since we chose different names for our tables: search for " yubikeys" and replace it with " val_yubikeys", and replace " clients" with " val_clients".
Update the address for the key storage module in ykval-config.php:
Replace "http://ykkms1.example.com/wsapi/decrypt?otp=" with "http://www.youraddress.com/yubico/ksm/ykksm-decrypt.php?otp="
10. TEST THE VALIDATION SERVER
Launch your favourite browser and go to
http://www.youraddress.com/yubico/valid ... ?id=1&otp=
Put the cursor at the end of the browser's address field and touch the YubiKey button to generate a one-time password.
You should see something like this (h is the base64-encoded HMAC-SHA1 signature over the t and status fields, computed with the client secret from step 8; t is the server's timestamp; status=OK means the KSM decrypted the OTP and the validation server had not seen that counter value before):
h=nrZbVl6d+p8fh1CEPFdCfzneOYY=
t=2009-08-27T10:06:01Z0193
status=OK
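What the validation server adds on top of the KSM in steps 8 to 10, as an added example that is not part of this tutorial or of the yubikey-val-server-php project: a Go version of the decision behind the three response lines above. It parses the KSM's answer, rejects replays against the last counter/use it stored for the key, and signs the response for the client. The signing rule (every parameter except h sorted by name, joined as k=v&k=v, HMAC-SHA1 keyed with the base64-decoded secret, base64 output) and the status values are those of the Yubico validation protocol; the in-memory Client and KeyState stand in for the val_clients and val_yubikeys tables, the replay rule is a simplified one, and the timestamp is passed in as a string rather than generated.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Client is a val_clients row; Secret is the base64-decoded API key. The
// tutorial inserts '' so the server signs with an empty key.
type Client struct {
	Active bool
	Secret []byte
}

// KeyState is what the validation server remembers per YubiKey (the
// val_yubikeys table) in order to recognise replays.
type KeyState struct {
	Counter uint16 // session counter: increases every time the key powers up
	Use     uint8  // session use: increases with every OTP within a session
}

// Sign computes h=: every other parameter sorted by name, joined as k=v&k=v,
// HMAC-SHA1 keyed with the client's secret, base64. h itself is never hashed.
func Sign(params map[string]string, secret []byte) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k != "h" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	parts := make([]string, len(keys))
	for i, k := range keys {
		parts[i] = k + "=" + params[k]
	}
	mac := hmac.New(sha1.New, secret)
	mac.Write([]byte(strings.Join(parts, "&")))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Verify is the check a client makes on a response (constant-time compare).
func Verify(params map[string]string, secret []byte) bool {
	return hmac.Equal([]byte(Sign(params, secret)), []byte(params["h"]))
}

// ParseKSM reads the "OK counter=0001 low=ef28 high=2f use=04" line from step 6.
func ParseKSM(resp string) (counter uint16, use uint8, err error) {
	fields := strings.Fields(resp)
	if len(fields) == 0 || fields[0] != "OK" {
		return 0, 0, fmt.Errorf("ksm: %q", resp)
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	c, err1 := strconv.ParseUint(kv["counter"], 16, 16)
	u, err2 := strconv.ParseUint(kv["use"], 16, 8)
	if err1 != nil || err2 != nil {
		return 0, 0, fmt.Errorf("ksm: malformed counters in %q", resp)
	}
	return uint16(c), uint8(u), nil
}

// Validate is the decision ykval-verify.php takes once the KSM has answered:
// refuse replays (same or older counter/use), advance the stored state, sign.
func Validate(client Client, state *KeyState, ksmResp, t string) map[string]string {
	resp := map[string]string{"t": t, "status": "OK"}
	counter, use, err := ParseKSM(ksmResp)
	switch {
	case !client.Active:
		resp["status"] = "NO_SUCH_CLIENT"
	case err != nil:
		resp["status"] = "BAD_OTP"
	case counter < state.Counter || (counter == state.Counter && use <= state.Use):
		resp["status"] = "REPLAYED_OTP"
	default:
		state.Counter, state.Use = counter, use
	}
	resp["h"] = Sign(resp, client.Secret)
	return resp
}

// Format renders the three lines shown in step 10.
func Format(resp map[string]string) string {
	return fmt.Sprintf("h=%s\nt=%s\nstatus=%s\n", resp["h"], resp["t"], resp["status"])
}
```

Feeding the same KSM line to Validate twice yields status=OK and then REPLAYED_OTP, which is the whole point of storing counter and use per key. Signing with the tutorial's empty secret also shows why '' is only acceptable for a test: hmac.New(sha1.New, nil) is a perfectly valid key, so anyone who knows the protocol can produce an h= the client will accept for a forged status=OK.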