InformaCam Server Installation Instructions v1

Overview

  • Current beta is run:
    • on Ubuntu 11.04/Natty
    • given the purpose of InformaCam, it is highly recommended that this server run on a box that is under your complete control
  • Required Dependencies
    • Oracle Java 1.7
    • Maven
    • CometD/Jetty
    • FFMPEG (Git branch)
      • libx264
    • lighttpd
    • php5-cgi
    • Tor
    • CouchDB

Installation Preparation

This installation document assumes you are on Ubuntu, and that the base directory will be /home/ubuntu. In that directory, make a directory that will house the packages you need to install, as well as a number of directories that will be used by the InformaCam system:


mkdir packages clients engine interface log scripts synergy

  • packages will house dependency applications that will need to be installed
  • clients will be used to hold the certificates of clients using InformaCam; any user/device interacting with the InformaCam system will be required to have a key
  • interface will be the home for the web application that communicates with the client as well as the interface to the back-end administrative UI
  • scripts will house various daemon scripts that will perform tasks useful to InformaCam system (e.g., setting up a new device certificate, etc.)
  • synergy will house InformaCam's certificates

If this is a fresh install, remember to update your repositories.


sudo apt-get update

There are a few packages that you will need to assist you in the installation.

  • Install Git
    If you don't already have Git installed, do so now:


sudo apt-get install git

Once Git is installed, you will have to give this instance a key (or use an existing one). See these instructions on setting up an SSH key for Git:
https://help.github.com/articles/generating-ssh-keys

  • Install Curl


sudo apt-get install curl

Install Java

You will need to install Oracle Java to run InformaCam Server, as CometD relies on this version of Java. It is recommended you install this version of Java before installing the other dependencies.
Note: InformaCam will be moving towards a standard Java version in future versions.

Follow the instructions provided here:
http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html

Make sure that the Java version shows 1.7.0_10, and then update the JAVA_HOME environment variable to point to this version:


sudo gedit /etc/environment

Add/Update JAVA_HOME (double-check this path structure to make sure you have the correct path):


JAVA_HOME="/usr/lib/jvm/java-7-oracle"

Install Maven

You need the latest version of Maven installed. The working stack of InformaCam is using Maven 3.0.4 at the moment. apache.org provides a list of distros: https://www.apache.org/dyn/closer.cgi/maven/maven-3/3.0.4/. Find a working one, and copy the link to the mirror you have selected.

Go to the packages directory you created and begin the install:


cd /home/ubuntu/packages
wget {link to selected distro here}

Make sure the tar is downloaded and copy the file name.


tar -xvzf {the tar file's name}
rm {the tar file's name}
sudo mkdir /usr/local/apache-maven
sudo cp -R apache-maven-3.0.4 /usr/local/apache-maven/

Then update/add the following to your environment variables:


M2_HOME="/usr/local/apache-maven/apache-maven-3.0.4"
MAVEN_HOME="/usr/local/apache-maven/apache-maven-3.0.4"
M2="/usr/local/apache-maven/apache-maven-3.0.4/bin"

Also update the PATH to include /usr/local/apache-maven/apache-maven-3.0.4, and save and close.
Test that it points to the correct version, and remove old versions if necessary:


mvn -version

Install CometD/Jetty

Install the latest version of CometD. The version used in the current working stack of InformaCam is 2.4.3. Links to the tar files are available at: http://cometd.org/documentation/building

Go to the packages directory you created and begin the install:


cd /home/ubuntu/packages
wget {link to selected distro here}

Make sure the tar downloaded and copy the file name.


tar -xvzf {the tar file's name}
rm {the tar file's name}
cd cometd-2.4.3

Then install CometD into Maven; the following will skip the test scripts (process takes a while):


sudo mvn clean install -DskipTests=true

Install FFmpeg

FFmpeg has branched. The official FFmpeg repo is incompatible with the requirements of InformaCam. So, you will need to use the FFmpeg branch available on git, here: https://github.com/FFmpeg/FFmpeg


cd /home/ubuntu/packages
git clone git@github.com:FFmpeg/FFmpeg.git

You need to build FFmpeg. You will need to install GCC (compiler for these packages) and some other packages that will help with build process. You also need the libx264 library:


sudo apt-get install gcc
sudo apt-get install build-essential
sudo apt-get install yasm
sudo apt-get install pkg-config
sudo apt-get install libx264-dev

Once these are installed (note: FFmpeg install takes a while):


cd FFmpeg
./configure
make
sudo make install
sudo apt-get install ffmpeg2theora

Install lighttpd

Install lighttpd, and a dependency, php5-cgi:


cd /home/ubuntu/packages
sudo apt-get install lighttpd
sudo apt-get install php5-cgi

To make sure lighttpd is installed, open a browser, and go to 127.0.0.1. You should see the lighttpd placeholder page. You will need to make some changes to lighttpd configuration, but you will need to complete the Tor installation first.

Install Tor

Install a stable version of Tor. You will need to add the correct repository, and add the correct gpg key before install.

sudo gedit /etc/apt/sources.list

At the end of your sources.list add the following line (the distribution for the current working stack of InformaCam is natty), then save and close:


deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main

Then add the signing key and install the keyring package:


gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
sudo apt-get update
sudo apt-get install deb.torproject.org-keyring

The keyring package installed above will make sure you have the most current signing key. Now install Tor.


sudo apt-get install tor

Install CouchDB

CouchDB is the database used by the InformaCam system. It should be noted that the database itself does not contain sensitive information; it instead contains pointers to other files that do.


cd ~/
mkdir couchdb
sudo apt-get install couchdb

Documents created by CouchDB are automatically dumped in usr/var. The best way to deal with this situation is to create a symbolic link to where you want to store CouchDB documents.


cd /usr/local/var
sudo su
cd couchdb
ls

Copy the version number of CouchDB that was just installed, make a copy in the couchdb directory you made earlier, and create a symbolic link.


cd {paste version # here}
mv * /home/ubuntu/couchdb
ln -s /var/lib/couchdb/1.0.1/ /home/ubuntu/couchdb/

You then need to change the ownership of the CouchDB directory you created.


cd /home/ubuntu
chown -R couchdb:couchdb couchdb/

You will need to create an admin account, and export an alias of this account + server (so you don't have to keep typing it).


curl -X PUT http://127.0.0.1:5984/_config/admins/{your username here} -d '"{your password here}"'
CDB="http://{yourusernamehere}:{yourpasswordhere}@127.0.0.1:5984"
export CDB

You will also need to create 4 databases:


curl -X PUT $CDB/submissions
curl -X PUT $CDB/sources
curl -X PUT $CDB/derivatives
curl -X PUT $CDB/admin

You will later populate these databases with some InformaCam-specific scripts.

Install InformaCam Server

Now install the back-end to the InformaCam System. This is housed on git. Install this in the interface directory you created.


cd ~/interface
git clone git@github.com:guardianproject/InformaCam-Server.git

Install custom scripts

You can always pull the latest version of the scripts from git.


cd ~/
git clone git@github.com:harlo/InformaCam-Server-Package.git

Move the contents of the git repo to their appropriate directories on your installation.


cd ~/InformaCam-Server-Package
cp -R ClientUploads/ ~/interface/
cd scripts
cp -R * ~/scripts
cd ../
cp add_new_clients.sh

You also need to create some views for each of the databases you created in CouchDB.


cd ~/scripts/couch
curl -X PUT -d @admin.json $CDB/admin/_design/admin
curl -X PUT -d @derivatives.json $CDB/derivatives/_design/derivatives
curl -X PUT -d @sources.json $CDB/sources/_design/sources
curl -X PUT -d @submissions.json $CDB/submissions/_design/submissions

And verify that your databases have been created:


sudo ls ../../couchdb/

Setup Local Constants

You will need to create a local constants file, in the following directory, and call it LocalConstants.java:
/home/ubuntu/interface/InformaCam-Server/src/main/java/org/witness/informacam/utils/

Inside of the file, put the following:

package org.witness.informa.utils;

public class LocalConstants {
    // Base directory of the installation
    public final static String WEB_ROOT = "/home/ubuntu";
    // CouchDB admin credentials created earlier
    public final static String USERNAME = "couchDB user name here";
    public final static String PASSWORD = "couchDB password here";
    // Filled in once Tor has assigned the hidden service address
    public static final Object SERVER_URL = "onion address here";
    public static final String SUDOER = null; // if server needs login password enter it here, otherwise leave null
    public static final String SCRIPTS_ROOT = "/home/ubuntu/scripts";
    public static final String CLIENT_TEMP = "/home/ubuntu/clients/temp/";
    public static final String ORGANIZATION_NAME = "your_org_name_here";

    public static final class ScriptsRoot {
        // SCRIPTS_ROOT has no trailing slash, so the separator is added here
        public static final String PY = SCRIPTS_ROOT + "/py/";
    }

    public static final String LOG_ROOT = "/home/ubuntu/log/application_server/";
}

Tor has not yet assigned an onion address (you will add this to your constants later). But at this point the InformaCam Server should run:


cd ~/interface/InformaCam-Server
mvn jetty:run

Go to {your instance's URL}:8080/InformaCam-Server. You should see the InformaCam Server running at this point.

Setup Hidden Services

While the server is running, you still need to set up the hidden services, using Tor, for the full system to work.


cd ~/
cd synergy
mkdir ca
mkdir ClientUpload

The ClientUpload directory corresponds to the directory that exists at interface/ClientUpload, but you need to make sure only the Tor client can see this one, by setting its ownership and adjusting the Tor settings:


sudo chown -R debian-tor:debian-tor ClientUpload/
sudo vi /etc/tor/torrc

Scroll down to the hidden services section of the document and insert:


HiddenServiceDir /home/ubuntu/synergy/ClientUpload/
HiddenServicePort 443 127.0.0.1:443

You also need to set up the server to recognize something on port 443. First, open the php.ini file, and add/uncomment the following:


cgi.fix_pathinfo = 1

Next, you will need to open and update the lighttpd.conf file located in home/ubuntu/etc/lighttpd. Add the following within the server.modules array:


"mod_fastcgi"

Then skip to the end of the file, and add the following:


fastcgi.server = (".php" => ((
"bin-path"=>"/usr/bin/php5-cgi",
"socket"=>"/tmp/php.socket"
)))

Add the following to the end of the conf file and save and close:

$SERVER["socket"]=="localhost:443" {
ssl.engine="enable"
}

You will need to come back to this a little later and update the server information, once you have the certificates established.

Setup Certification Authority

You will now setup the default keys for the InformaCam system, and modify settings to have InformaCam act as a certification authority.

First, open the openssl.cnf file (located at /etc/openssl/). Modify the default to point to your server. Then create a manifest for your default right below. The configuration should look something like this:

####################################################################
[ ca ]
default_ca = InformaCamServer
#default_ca = CA_default
####################################################################

[InformaCamServer]

dir = /home/ubuntu/synergy/ca
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/informacam.key
certificate = $dir/informacam.crt
default_days = 365
default_md = sha1
new_certs_dir = $dir/new_certs
policy = policy_match

Scroll down and change the following:


organizationalUnitName = match

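Save and close. Then in InformaCam's certificate directory, create a directory for new certificates. Note that openssl ca also expects the index.txt and serial files named in the configuration above to exist in that directory before it will sign anything.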


mkdir ~/synergy/ca/new_certs/

Next, create a certificate for the InformaCam system:


cd ~/synergy/ca/
sudo openssl genrsa -out informacam.key
openssl req -new -key informacam.key -out informacam.csr

At the prompts, enter the appropriate information. Then sign:


sudo openssl x509 -req -days 365 -in informacam.csr -signkey informacam.key -out informacam.crt
sudo openssl ca -gencrl -out /etc/ssl/private/informacam.crl -crldays 7

You also need a key and certificate for your web server.


cd ~/synergy/ca
sudo openssl genrsa -out synergy.key
sudo openssl req -new -key synergy.key -out synergy.csr

At the prompts enter the appropriate information. Then you need to sign the new key with the InformaCam certificate, and cat them into a pem file.

sudo openssl ca -in synergy.csr -cert informacam.crt -keyfile informacam.key -out synergy.crt
cat synergy.key synergy.crt > synergy.pem

Now that the certification authority is set up, update your lighttpd settings to include the following (the server name needs to be the name you set in the server certificate):


$SERVER["socket"]=="localhost:443" {
ssl.engine="enable"
server.document-root="/home/ubuntu/interface/ClientUpload"
server.name="InformaCam Server"
ssl.pemfile="/home/ubuntu/synergy/ca/synergy.pem"
ssl.ca-file="/home/ubuntu/synergy/ca/informacam.crt"
ssl.verifyclient.activate="enable"
ssl.verifyclient.enforce="enable"
}

Set Onion Address

You now need to set your onion address. You will need to restart Tor and the web server for Tor to assign it.


sudo /etc/init.d/tor restart
sudo /etc/init.d/lighttpd restart
cd ~/synergy/ClientUpload
sudo ls -la
sudo gedit hostname

You should see the debian-tor hostname and private_key files when you ls. Copy the address from the hostname file once you have opened it. You need to add this address to the InformaCam Java constants file (that you set up earlier).


gedit /home/ubuntu/interface/InformaCam-Server/src/main/java/org/witness/informacam/utils/LocalConstants.java

Copy and paste the onion address (including 'https://' in front of the address in the hostname file), into the following:

public static final Object SERVER_URL = "https://onion address here";

Then open the Tor browser, and try going to the onion address. You should see a series of errors that indicate you are doing the right thing. First, in a JavaScript console, you should see that the connection was aborted. You should also be told that "This Connection is Untrusted," since this is a self-signed certificate. Accept and confirm the security exception. After you have accepted and confirmed, you should see SSL handshake errors.

Create Client Certificate

If you are seeing the errors above, you are on the right path. The computer connecting to the InformaCam system (i.e., the client) needs a certificate as well for the system to work. So, now you need to create a client certificate.


cd ~/clients
mkdir {name of client certificate is for}
cd {name of client certificate is for}
sudo openssl genrsa -des3 -out {name of client certificate is for}.key 1024
sudo openssl req -new -key {name of client certificate is for}.key -out {name of client certificate is for}.csr

At the prompts, enter the appropriate information. Then you need to sign the new key with the synergy certificate, and cat them into a pem file.

sudo openssl ca -in {name of client certificate is for}.csr -cert /home/ubuntu/synergy/ca/synergy.crt -keyfile /home/ubuntu/synergy/ca/synergy.key -out {name of client certificate is for}.crt
cat {name of client certificate is for}.key {name of client certificate is for}.crt > {name of client certificate is for}.pem

Give the pem file to the client, to store in the appropriate location on their system.
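
Before handing out a pem file, it is worth confirming that the client certificate chains to the certificate lighttpd trusts in ssl.ca-file, because ssl.verifyclient.enforce rejects anything that does not. The script below is an added example, not part of the original instructions or the InformaCam project: it builds a constructed throwaway PKI (all names and files are hypothetical) and shows that a certificate issued by the CA verifies against the CA file, while one issued by the web server's own certificate does not.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI; every name here is hypothetical.
# Uses 2048-bit RSA and SHA-256 for the demo, not the values on this page.

# issue DIR ISSUER SUBJECT: sign SUBJECT.csr with ISSUER's certificate and key.
issue() {
  openssl x509 -req -sha256 -days 1 -in "$1/$3.csr" \
    -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -extfile "$1/leaf.ext" -out "$1/$3.crt" 2>/dev/null
}

# Build under DIR: a CA, a web-server certificate and client-a issued by the
# CA, and client-b issued by the web-server certificate instead.
build_demo_pki() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  echo 'basicConstraints = CA:FALSE' > "$d/leaf.ext"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for name in server client-a client-b; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
      -subj "/CN=$name" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  done
  issue "$d" ca server && issue "$d" ca client-a && issue "$d" server client-b
}

# chain_ok CAFILE CERT: true only if CERT verifies with CAFILE as the sole
# trust anchor, as a server that trusts one CA file for client certs requires.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
build_demo_pki "$demo"
for c in server client-a client-b; do
  if chain_ok "$demo/ca.crt" "$demo/$c.crt"; then echo "$c: accepted"
  else echo "$c: rejected"; fi
done
rm -rf "$demo"
```

Against the real installation, the equivalent check is openssl verify with -CAfile set to /home/ubuntu/synergy/ca/informacam.crt, run on the client's .crt file.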

Update Custom Scripts

Some of the scripts you installed in a previous step need their path and certificate information updated before they will run successfully.
  • new_client.py is for adding a new user to InformaCam so they can use the system on their mobile device (i.e., record video and submit to the repo)
  • new_admin.py creates a new admin for InformaCam (right now there are no administrators, so you should run this one shortly after you have completed installation so a user can access the server)

To make these scripts work you will need to update the constants.pi script to contain the accurate paths to the directories you have set on your system.

cd ~/scripts
gedit constants.pi

Save and close.
