ARAN: A Secure Routing Protocol for Ad Hoc Networks









Configuring arand

This page lists the steps required to configure arand for use. Configuration consists of configuring the network settings on each node, generating certificates for nodes with aranca, and entering the correct settings in the arand.conf configuration file.

What you need:

  • OpenSSL distribution
  • the aranca package

Configuration steps

  1. Configure network settings for each device
  2. Create a Certification Authority with aranca
  3. Generate a certificate and private key for each node with aranca
  4. Install the CA cert and the certificate, private key pair on each device
  5. Modify the arand.conf file on each node

  1. Configure network settings for each device

    The procedure for setting up an 802.11 card for use with arand will differ based on platform, wireless card type, etc. The important points are:

    • configure your devices to use 802.11 Ad-hoc mode (not infrastructure mode)
    • configure your devices with IP addresses that share the same subnet settings. For example, for three test devices, the configuration could be:
      • Device 1: 10.1.1.1
      • Device 2: 10.1.1.2
      • Device 3: 10.1.1.3


  2. Create a Certification Authority with aranca

    You will need the openssl program installed. To determine if you have it, type `which openssl` in a shell. You will also need the aranca package. Download that from the download page.

    1. create a directory to work in
      mkdir somedir
    2. copy the CA management script to your working directory
      cp aranca.pl somedir
    3. switch into your work directory
      cd somedir
    4. create a new CA with the aranca.pl CA management script
      ./aranca.pl newca

      The script will generate a certificate and private key for the CA, and initialize the CA's database. It will ask for a "PEM pass phrase", which is the passphrase protecting the CA's private key; that key is used to issue certificates.

      [Figure: creating a new Certification Authority]

      The script creates aran-ca, which is the database for your CA. Its contents are described below.

      CA directory structure:


      cacert.pem: the CA's self-signed certificate
      certs/:
      crl/:
      newcerts/: all certificates you generate will be recorded here
      private/
      	cakey.pem: The RSA private key of the CA
      	serial: the serial number counter
      

  3. Generate a certificate and private key for each node with aranca

    1. switch to the work directory that you created in the previous step
      cd somedir
    2. create a certificate for node 10.1.1.1
      ./aranca.pl newcert 10.1.1.1

      The newcert command will create a certificate and private key for node 10.1.1.1. When you issue the command, it will ask you for a "PEM passphrase" for the certificate. This passphrase controls access to node 10.1.1.1's private key, which is used for signing. It will then ask for the CA's passphrase so that the CA can sign the certificate for 10.1.1.1.

      [Figure: creating a new certificate]

      After you run the newcert command for 10.1.1.1 successfully, you should have a directory called node-10.1.1.1 and a file called node-10.1.1.1.tar.gz. The node-10.1.1.1 directory contains node 10.1.1.1's certificate and private key, as well as the CA's certificate. The node-10.1.1.1.tar.gz file is just a gzipped tar archive of the node-10.1.1.1 directory. It is created to make it easy to transfer the essential certificates and keys to 10.1.1.1.

      [Figure: result of creating a new certificate]

      Run the newcert command for each node that needs a certificate/private key pair. To save time, you can give the IP addresses of all the nodes on one command line:

      ./aranca.pl newcert 10.1.1.1 10.1.1.2 10.1.1.3

  4. Install the CA cert and the device's certificate, private key pair

    Currently, the certificates and private key are placed in one of the system "etc" directories, depending on how the package was configured (perhaps /usr/local/etc/arand). The following instructions assume this directory is $ARAND_ETC.

    To install node 10.1.1.1's certificate and private key:
    1. transfer node-10.1.1.1.tar.gz to 10.1.1.1
      scp node-10.1.1.1.tar.gz root@10.1.1.1:
    2. on 10.1.1.1, copy node-10.1.1.1.tar.gz to the $ARAND_ETC directory
      cp node-10.1.1.1.tar.gz $ARAND_ETC
    3. switch to arand's etc directory
      cd $ARAND_ETC
    4. extract the certificates and key
      tar xzvf node-10.1.1.1.tar.gz

  5. Modify the arand.conf file on each node

    The arand.conf file is located in one of your system etc directories, depending on how the package was configured (perhaps /usr/local/etc/arand). The following instructions assume this directory is $ARAND_ETC.

    1. open $ARAND_ETC/arand.conf in an editor

    2. enter the correct full path for the following fields in the file:
      • ca_cert (default is $ARAND_ETC/trusted/ca_cert.pem)
      • my_cert (default is $ARAND_ETC/node-<ip-address>.pem)
      • my_private_key (default is $ARAND_ETC/key-<ip-address>.pem)

    3. enter the correct value for the network interface you are running arand on in the field:
      • interface (default is eth0)

    4. save the file
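
A post-install check for steps 4 and 5, added here as an example and not part of the ARAN distribution: it confirms that the node's private key is not accessible to group or other, that the node certificate was issued by the CA, and that the key belongs to the certificate. The function names are hypothetical, and the three paths are whatever you entered for ca_cert, my_cert and my_private_key in arand.conf.

```shell
#!/bin/sh
# Added example (not part of the ARAN distribution). Function names are
# hypothetical; pass the paths you entered for ca_cert, my_cert and
# my_private_key in arand.conf.

# Succeeds only if FILE is a regular file with no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if NODE_CERT ($2) verifies against CA_CERT ($1).
# The "OK" line is matched rather than trusting the exit status alone.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds if the private key ($2) belongs to the certificate ($1).
# openssl asks for the PEM passphrase if the key is encrypted.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs all three checks and reports each failure; returns 0 only if all pass.
check_node_install() {    # CA_CERT NODE_CERT NODE_KEY
    rc=0
    key_is_private "$3" ||
        { echo "FAIL: $3 is missing or accessible to group/other" >&2; rc=1; }
    cert_chains_to_ca "$1" "$2" ||
        { echo "FAIL: $2 does not verify against $1" >&2; rc=1; }
    key_matches_cert "$2" "$3" ||
        { echo "FAIL: $3 is not the private key for $2" >&2; rc=1; }
    return "$rc"
}

# Usage: sh check-node.sh CA_CERT NODE_CERT NODE_KEY
if [ "$#" -eq 3 ]; then
    check_node_install "$@"
fi
```

Run it on each node after editing arand.conf; a FAIL line names the file to fix before starting arand.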






  Last updated at 1:00 PM, January 29, 2003.