Antitheft:Public Server

From OLPC
Revision as of 13:56, 26 February 2010 by Martinlanghoff (talk | contribs) (Create Server Keys, Configure services)

Setting up and running the public server for a deployment.

Pre-requisites

  • You have read and followed the Antitheft_HowTo page, and have a Master Signing Server (MSS) with your local private keys.
  • You have defined a domain name for your antitheft server -- for example antitheft.yourproject.foo.tld
  • XOs have been keyjected (or manufactured) with your public keys
  • XOs have an OS build that includes delegation support -- that is OS 8.2.2 or newer, and builds based on F11.
  • XOs have a localised OS build that sets the domain of your antitheft server.

Setup Public Server

The recommended distribution is Fedora-11 or newer. At the time of this writing, F-12 is available, and RHEL6 seems to be close to release -- it is advisable to install on F-12 and upgrade to RHEL6 or CentOS6 when they are available. RHEL/CentOS provide Long Term Support appropriate for the antitheft server role.

Add packages from XS repository

Add the current XS stable yum repository to your yum configuration -- create a file /etc/yum.repos.d/olpcxs.repo with the configuration present in http://dev.laptop.org/git/users/martin/xs-release.git/tree/olpcxs.repo?h=xs-0.6

Install the required packages:

yum install xs-activation-server moodle-xs olpc-bios-crypto

Create Server Keys, Configure services

On the public server,

  • Use obc-makekey to create "server.private" and "server.public"
  • Place them in /library/xs-activation/keys
  • Copy server.public to a directory in the MSS -- /root/publicserver/server.public

On the MSS, create initial delegations towards the server key.

  • Prepare a CSV file ("allxos.csv") with the following 3 fields:
    • "Server" - which must contain 'server'
    • SN
    • UUID
  • mkdir /root/publicserver/delegations/
  • Create the following "create-public-server-delegations.sh" script to make the delegations
 #!/bin/bash -e
 # Delegations made with /root/masterkeys/oats, saved as d-oats.sig
 obc-make-server-delagations --csv /path/to/allxos.csv --serverkeys /root/publicserver \
    --outdir /root/publicserver/delegations 90 /root/masterkeys/oats
 mv /root/publicserver/delegations/{server.sig,d-oats.sig}
 # Delegations made with /root/masterkeys/lease (--act), saved as d-lease.sig
 obc-make-server-delagations --act --csv /path/to/allxos.csv --serverkeys /root/publicserver \
    --outdir /root/publicserver/delegations 90 /root/masterkeys/lease
 mv /root/publicserver/delegations/{server.sig,d-lease.sig}
 # Record SHA-1 checksums of both delegation files
 pushd /root/publicserver/delegations/
 sha1sum d-*.sig > manifest.sha1
  • Run the script!
  • Copy the resulting delegations to a USB stick
 rm -fr /media/mydisk/xs-activation/*
 mkdir -p /media/mydisk/xs-activation/
 cp /root/publicserver/delegations/* /media/mydisk/xs-activation/
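
Before carrying the stick to the Public Server, the copy can be checked against manifest.sha1. The following is an added example, not part of the original page or of the olpc-bios-crypto tools; the function name verify_delegations and its directory argument are hypothetical, while the file names are the ones the script above produces.

```shell
#!/bin/bash
# Added example: check a delegation directory against its manifest.sha1.
# d-oats.sig, d-lease.sig and manifest.sha1 are the names produced by the
# script above; verify_delegations and its argument are hypothetical.

verify_delegations() {
    local dir="$1" f
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    [ -s "$dir/manifest.sha1" ] || { echo "manifest.sha1 missing or empty" >&2; return 2; }

    # Both delegation files must exist, be non-empty and be listed in the manifest.
    for f in d-oats.sig d-lease.sig; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        grep -Eq "^[0-9a-f]{40} [ *]$f\$" "$dir/manifest.sha1" \
            || { echo "not listed in manifest: $f" >&2; return 1; }
    done

    # A d-*.sig file that the manifest does not cover is unexpected.
    for f in "$dir"/d-*.sig; do
        grep -Eq "^[0-9a-f]{40} [ *]${f##*/}\$" "$dir/manifest.sha1" \
            || { echo "not covered by manifest: ${f##*/}" >&2; return 1; }
    done

    # Recompute the hashes; sha1sum -c resolves file names relative to the cwd.
    ( cd "$dir" && sha1sum --quiet -c manifest.sha1 ) >&2 || return 1
    return 0
}

# Stand-alone use: pass the directory to check, e.g. /media/mydisk/xs-activation
[ "$#" -eq 0 ] || verify_delegations "$1"
```

A non-zero exit status means the copy on the stick is incomplete or does not match the checksums recorded on the MSS.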

Now inserting this USB stick into the Public Server will load up the delegations under /library/xs-activation/lease-delegations and /library/xs-activation/oats-delegations. Executing find /library/xs-activation/*-delegations -type f will show the delegation files.

Monthly update of delegations

Usage and maintenance