Yubico Forum


All times are UTC + 1 hour
PostPosted: Wed Apr 08, 2009 2:26 pm 

Joined: Tue Apr 07, 2009 7:19 pm
Posts: 1
I am guessing I am not the only one trying to get the validation server running and got stuck.
The setup guide is incomplete and it does not say what version it was written for; I am guessing for a version before the 1.1 release.
Anyhow, here are all the quirks I ran into when setting up the server.

So I wanted to run my own validation server and use it with keys reprogrammed with the personalization tool (Yubico Configuration Utility).
The setup guide assumes you are requesting your keys from Yubico and (I assume) you get them b64-encoded, not modhex like the configuration utility gives them to you.

In my case I will be using the following key created by the configuration utility.

YubiKey ID: 3e594965416c
Yubikey AES Key: 3e787c4d5f77586d32363e314e537c53
(This is the hex-encoded output you get from the configuration utility)

* Setting up the database

In the documentation there is a section called "Database Setup & Table Relations". I imported the database from the db_schema.sql file.
The step that didn't quite work was when I needed to insert my key into the yubikey table. The example query did not work since the column names are wrong.
The guide assumes you already have your key in b64 format and the text is a bit confusing.
So how do I go from the format the configuration utility gives me to the format needed to insert my key?

The guide talks briefly about this in section 6 but it is a bit confusing and the example did not work for me. I ended up doing a simple PHP script to solve the problem.
(Yes, some code is stolen from the yubico-php-lib project)

<?php

// PHP 5.4 and later ship a built-in hex2bin(); redeclaring it is a fatal error,
// so only define the fallback when it is missing.
if (!function_exists('hex2bin')) {
    function hex2bin($h)
    {
        if (!is_string($h)) return null;
        $r = '';
        // Consume two hex digits per output byte. Use $h[$a], not $h{$a}:
        // the curly-brace string offset syntax was removed in PHP 8.
        for ($a = 0; $a < strlen($h); $a += 2) {
            $r .= chr(hexdec($h[$a] . $h[$a + 1]));
        }
        return $r;
    }
}

// This data is what you get when running the Yubico configuration utility. These numbers are
// hex encoded, i.e. the same format as the result of PHP's bin2hex.
$yubikeyId = "3e594965416c";
$aesKey = "3e787c4d5f77586d32363e314e537c53";

echo "Base 64 encoded tokenId: " . base64_encode(hex2bin($yubikeyId)) . "\n";
echo "Base 64 encoded AES KEY: " . base64_encode(hex2bin($aesKey)) . "\n";

?>

This gives us the following output:
Base 64 encoded tokenId: PllJZUFs
Base 64 encoded AES KEY: Pnh8TV93WG0yNj4xTlN8Uw==

Now we have a working query to insert.
INSERT INTO `yubikeys` VALUES (1,1,1,'2007-10-03 16:11:50','2007-10-22 22:08:18','PllJZUFs','M2U3ODdjNGQ1Zjc3NTg2ZDMyMzYzZTMxNGU1MzdjNTM=',0,0,0,NULL)

* Compiling the war file

Check out the code and change src/web.xml if you don't use the default password in the guide.
Compile using ant. (The chunk of text with warnings can be ignored)
Deploy the war file.

Check your catalina.out for any errors.
If you start getting errors like "java.io.CharConversionException" like I did, there are some things to check.
I actually got this error for several different reasons.

First check your my.cnf, try adding the following.

[client]
default-character-set=utf8
[mysqld]
default-character-set=utf8

If it still does not work, check what Java VM you are using.
I noticed that on my system "gij (GNU libgcj) version 4.1.2 20070626" was installed by default and was giving me errors.
Works fine with both the IBM and Sun versions. Guess this can differ a lot.

* Validating an OTP

The server should be up and running and all should work fine, until you try to validate an OTP. The log will give you an SQL exception that the column sessionUse does not exist.
Add it to the database: ALTER TABLE `yubikeys` ADD `sessionUse` INT( 11 ) NOT NULL AFTER `high`


Try it with: http://<ip>:8080/wsapi/verify?id=1&otp=eugkfkhgfbhrugnukercncgtftkhkbvjcunddnggikef

This installation was made on a 64-bit RHEL5 system.
This now runs together with RADIUS, OpenVPN, SSH and all other crazy applications.

That's all, hope this can save someone some time.


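As an added example, not code from the post or from Yubico, here is the conversion step from the post in Go (chosen over PHP because the Go standard library also covers the AES side of validation). It turns the hex public id and AES key the configuration utility shows into base64, decodes the modhex public id at the front of an OTP so it can be compared with the configured id, and returns both secret encodings that appear on this page: the post's script prints base64 of the 16 raw key bytes (Pnh8TV93WG0yNj4xTlN8Uw==), while the INSERT the post reports as working stores base64 of the 32-character hex string (M2U3ODdjNGQ1Zjc3NTg2ZDMyMzYzZTMxNGU1MzdjNTM=). The type and function names are my own, and the example OTP is the one from the post.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// modhex is Yubico's keyboard-layout-independent hex alphabet: c=0, b=1, d=2, ... v=15.
const modhex = "cbdefghijklnrtuv"

// PublicIDFromOTP returns the public id of an OTP as the 12 hex characters the configuration
// utility shows for it: the first 12 of the 44 modhex characters, decoded nibble by nibble.
func PublicIDFromOTP(otp string) (string, error) {
	if len(otp) != 44 {
		return "", fmt.Errorf("OTP must be 44 modhex characters, got %d", len(otp))
	}
	id := make([]byte, 6)
	for i := 0; i < 12; i += 2 {
		hi, lo := strings.IndexByte(modhex, otp[i]), strings.IndexByte(modhex, otp[i+1])
		if hi < 0 || lo < 0 {
			return "", fmt.Errorf("invalid modhex pair %q", otp[i:i+2])
		}
		id[i/2] = byte(hi<<4 | lo)
	}
	return hex.EncodeToString(id), nil
}

// KeyEncodings collects the encodings of one key's public id and AES secret that appear on
// this page. Field names are mine, not the validation server's column names.
type KeyEncodings struct {
	TokenIDB64   string // base64 of the 6 raw id bytes (the script's "tokenId")
	SecretRawB64 string // base64 of the 16 raw key bytes (the script's "AES KEY")
	SecretHexB64 string // base64 of the 32 lowercase hex characters (the value in the post's INSERT)
}

// Convert takes the hex public id and hex AES key from the configuration utility and
// returns the base64 forms, after checking lengths: a wrong-length id or key silently
// produces a row the server can never match against a real OTP.
func Convert(tokenIDHex, aesKeyHex string) (*KeyEncodings, error) {
	id, err := hex.DecodeString(tokenIDHex)
	if err != nil || len(id) != 6 {
		return nil, errors.New("public id must be 12 hex characters (6 bytes)")
	}
	key, err := hex.DecodeString(aesKeyHex)
	if err != nil || len(key) != 16 {
		return nil, errors.New("AES key must be 32 hex characters (16 bytes)")
	}
	return &KeyEncodings{
		TokenIDB64:   base64.StdEncoding.EncodeToString(id),
		SecretRawB64: base64.StdEncoding.EncodeToString(key),
		SecretHexB64: base64.StdEncoding.EncodeToString([]byte(strings.ToLower(aesKeyHex))),
	}, nil
}

func main() {
	// The id and key from the post, plus the public-id prefix of the post's example OTP.
	enc, err := Convert("3e594965416c", "3e787c4d5f77586d32363e314e537c53")
	if err != nil {
		panic(err)
	}
	fmt.Println("tokenId (base64 of raw bytes):     ", enc.TokenIDB64)
	fmt.Println("secret  (base64 of raw key bytes): ", enc.SecretRawB64)
	fmt.Println("secret  (base64 of the hex text):  ", enc.SecretHexB64)
	id, err := PublicIDFromOTP("eugkfkhgfbhrugnukercncgtftkhkbvjcunddnggikef")
	fmt.Println("public id carried by the OTP:      ", id, err)
}
```

Which of the two secret encodings a given server build decodes is not something this page settles, so after inserting a row, validate a real OTP before relying on it; the modhex prefix of the post's example OTP decodes to exactly the configured id, which is the quickest way to confirm the tokenId column is right.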

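The verify step itself, as an added example in Go (my code, not the validation server's): the 32 modhex characters after the public id are one raw AES-128 block, so the server decrypts it with the key's secret, checks that the CRC leaves the fixed residual, checks that the private uid matches the row, and then requires the (counter, sessionUse) pair to move strictly forward, which is why the server needs the sessionUse column the post had to add. Input here is the modhex-decoded 16-byte body. The uid, counter values and key record are constructed for the demo, the AES key is the one from the post, and BuildToken exists only so the exchange can be run without hardware; function and type names are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// crc16 is the OTP's CRC-16 (reflected polynomial 0x8408, init 0xffff). Over an intact
// 16-byte token, its own CRC field included, it leaves the fixed residual 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // shift right; xor the polynomial if the dropped bit was 1
		}
	}
	return crc
}

// Token is the decrypted 16-byte OTP body; bytes 8-10 are a timestamp, 12-13 random, 14-15 the CRC.
type Token struct {
	PrivateUID []byte // bytes 0-5: must equal the uid programmed into the key
	Counter    uint16 // bytes 6-7: 15-bit use counter, bit 15 is the caps-lock flag
	SessionUse uint8  // byte 11: presses within this power-on session (the column the post adds)
}

// KeyRecord is what the server persists per key: secret, uid and the last accepted pair.
type KeyRecord struct {
	AESKey, PrivateUID []byte
	Counter            uint16
	SessionUse         uint8
}

// DecryptToken decrypts the 16 modhex-decoded OTP bytes as one raw AES-128 block
// (no mode, no IV) and checks the CRC before any field is trusted.
func DecryptToken(ct, key []byte) (*Token, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) != aes.BlockSize {
		return nil, fmt.Errorf("need a 16-byte AES key and a 16-byte OTP body (%v)", err)
	}
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, ct)
	if crc16(pt) != 0xf0b8 {
		return nil, errors.New("CRC check failed: wrong AES key or corrupted OTP")
	}
	return &Token{
		PrivateUID: pt[:6],
		Counter:    binary.LittleEndian.Uint16(pt[6:8]) & 0x7fff,
		SessionUse: pt[11],
	}, nil
}

// Validate is the server-side decision: uid must match and (Counter, SessionUse) must be strictly
// beyond the last accepted pair, else it is a replay. On success the record advances (the UPDATE).
func Validate(ct []byte, rec *KeyRecord) (*Token, error) {
	tok, err := DecryptToken(ct, rec.AESKey)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(tok.PrivateUID, rec.PrivateUID) {
		return nil, errors.New("private uid does not match the key record")
	}
	if tok.Counter < rec.Counter || (tok.Counter == rec.Counter && tok.SessionUse <= rec.SessionUse) {
		return nil, errors.New("replayed OTP: counter/sessionUse not beyond last accepted")
	}
	rec.Counter, rec.SessionUse = tok.Counter, tok.SessionUse
	return tok, nil
}

// BuildToken is the key's side (what a button press encrypts), included so the flow can be
// exercised offline; the CRC is stored complemented, little-endian, as the key does.
func BuildToken(uid, key []byte, counter uint16, ts uint32, session uint8, random uint16) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(uid) != 6 {
		return nil, fmt.Errorf("need a 16-byte AES key and a 6-byte uid (%v)", err)
	}
	pt := make([]byte, aes.BlockSize)
	copy(pt[:6], uid)
	binary.LittleEndian.PutUint16(pt[6:8], counter)
	pt[8], pt[9], pt[10] = byte(ts), byte(ts>>8), byte(ts>>16)
	pt[11] = session
	binary.LittleEndian.PutUint16(pt[12:14], random)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	ct := make([]byte, aes.BlockSize)
	block.Encrypt(ct, pt)
	return ct, nil
}

func main() {
	key := []byte{0x3e, 0x78, 0x7c, 0x4d, 0x5f, 0x77, 0x58, 0x6d, 0x32, 0x36, 0x3e, 0x31, 0x4e, 0x53, 0x7c, 0x53}
	rec := &KeyRecord{AESKey: key, PrivateUID: []byte{1, 2, 3, 4, 5, 6}, Counter: 4, SessionUse: 2} // constructed
	ct, _ := BuildToken(rec.PrivateUID, key, 5, 1234, 0, 0xbeef) // constructed press: counter 5, session 0
	tok, err := Validate(ct, rec)
	_, replay := Validate(ct, rec)
	fmt.Printf("first use: %+v (err=%v); same OTP again: %v\n", tok, err, replay)
}
```

The order of the checks matters: the CRC is verified before any field is read, so a wrong secret or a corrupted OTP never reaches the uid or counter comparison, and the record is only advanced after every check has passed, so a rejected OTP leaves the last accepted pair untouched.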