PT-TLS SWIMA Client¶
Installing the strongSwan TNC Software¶
First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
sudo apt install libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
Download the latest strongSwan tarball
wget https://download.strongswan.org/strongswan-5.7.0dr8.tar.bz2
Unpack the tarball
tar xf strongswan-5.7.0dr8.tar.bz2
and change into the strongSwan build directory
cd strongswan-5.7.0dr8
Configure strongSwan with the following options
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imc --enable-tnccs-20 --enable-imc-os --enable-imc-swima --enable-sqlite --enable-curl
Build and install strongSwan with the commands
make && sudo make install
Configure the strongSwan "sw-collector" Tool¶
The sw-collector tool collects all software installation events and stores them in an SQLite database. Currently only the apt history log (/var/log/apt/history.log) written by the apt package manager on dpkg-based systems (Debian, Ubuntu, etc.) can be parsed. We set up a clean collector database with the commands
sudo -s
mkdir /etc/pts
cat /usr/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/pts/collector.db
The sw-collector needs some options defined in /etc/strongswan.conf
sw-collector {
  database = sqlite:///etc/pts/collector.db
  history = /var/log/apt/history.log
  # first_file = /var/log/bootstrap.log
  # first_time = 2017-02-15T20:20:34Z
  rest_api {
    uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
  }
}
By default the installation date of the original Linux OS is determined from the creation date of the file /var/log/bootstrap.log. If this file does not exist, another file name can be given with the first_file parameter. As an alternative, an approximate installation date can be set with the first_time parameter. Note that the rest_api uri carries the admin credentials in clear text, so /etc/strongswan.conf must not be readable by unprivileged users.

Now we are ready to populate the collector database with all installation events that have already happened. Since there are usually up to 2000 software packages, we reduce the debug level for the initial run
sudo sw-collector --debug 1
First-Date: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
processing "/etc/lsb-release" file
operating system name is 'Ubuntu'
operating system version is '16.04 x86_64'
Last-Event: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
Start-Date: 2017-02-16T04:20:50Z, eid = 2, epoch = 1849176721
  Upgrade:
Start-Date: 2017-02-16T04:23:44Z, eid = 3, epoch = 1849176721
  Install:
Start-Date: 2017-02-16T04:37:48Z, eid = 4, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:17:46Z, eid = 5, epoch = 1849176721
  Upgrade:
Start-Date: 2017-07-07T13:18:15Z, eid = 6, epoch = 1849176721
Start-Date: 2017-07-07T13:18:23Z, eid = 7, epoch = 1849176721
  Purge:
Start-Date: 2017-07-07T13:19:08Z, eid = 8, epoch = 1849176721
Start-Date: 2017-07-07T13:20:01Z, eid = 9, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:20:10Z, eid = 10, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:24:09Z, eid = 11, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:41:44Z, eid = 12, epoch = 1849176721
  Install:
  Upgrade:
Start-Date: 2017-07-07T13:55:18Z, eid = 13, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:57:02Z, eid = 14, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:58:05Z, eid = 15, epoch = 1849176721
  Install:
  Upgrade:
Start-Date: 2017-07-07T14:01:13Z, eid = 16, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T14:02:23Z, eid = 17, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T14:03:52Z, eid = 18, epoch = 1849176721
  Install:
  Upgrade:
Start-Date: 2017-07-07T14:24:12Z, eid = 19, epoch = 1849176721
  Install:
Merging:
merged 1741 installed packages, 1741 registered in database
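To make the event numbering above concrete, here is an added illustration (not strongSwan's own parser, and not code from this page) of how entries in the apt history log become the per-package Install/Upgrade/Purge events that sw-collector records, and how replaying them yields the installed set that the final "merged N installed packages" step reconciles with the database. The log content is a constructed sample in the real history.log format; the timestamp is passed through as written, so sw-collector's local-time to UTC conversion and its epoch value are deliberately not reproduced.

```shell
#!/bin/sh
# Added example: replay apt history events the way a collector would.
# Not strongSwan code; the sample log below is constructed.

# Constructed sample of /var/log/apt/history.log (not a real log).
sample_apt_history() {
cat <<'EOF'
Start-Date: 2017-07-07  13:17:46
Commandline: apt-get upgrade
Upgrade: libssl1.0.0:amd64 (1.0.2g-1ubuntu4.6, 1.0.2g-1ubuntu4.8)
End-Date: 2017-07-07  13:18:01

Start-Date: 2017-07-07  13:18:15
Commandline: apt-get install sqlite3
Install: sqlite3:amd64 (3.11.0-1ubuntu1), libsqlite3-dev:amd64 (3.11.0-1ubuntu1, automatic)
End-Date: 2017-07-07  13:18:20

Start-Date: 2017-07-07  13:19:08
Commandline: apt-get purge libsqlite3-dev
Purge: libsqlite3-dev:amd64 (3.11.0-1ubuntu1)
End-Date: 2017-07-07  13:19:10
EOF
}

# Turn the log (stdin) into one line per package event:
#   <eid> <timestamp> <action> <package> <version>
# eid 1 is reserved for the OS installation event, so apt events start
# at 2, matching the numbering in the sw-collector output above.
apt_history_events() {
    awk '
    BEGIN { eid = 1 }
    /^Start-Date:/ { eid++; ts = $2 "T" $3 "Z"; next }
    /^(Install|Upgrade|Remove|Purge):/ {
        action = substr($1, 1, length($1) - 1)
        rest   = substr($0, length($1) + 2)
        sub(/\)$/, "", rest)                  # strip the closing paren
        n = split(rest, items, /\), */)       # one item per package
        for (i = 1; i <= n; i++) {
            item = items[i]
            if (item == "") continue
            split(item, p, / \(/)
            name = p[1]; sub(/:.*/, "", name) # drop the :arch suffix
            split(p[2], v, /, */)
            # Upgrade lists "(old, new)"; Install may list "(ver, automatic)"
            ver = (action == "Upgrade") ? v[2] : v[1]
            print eid, ts, action, name, ver
        }
        next
    }'
}

# Replay the event stream (stdin) into the currently installed set:
# Install/Upgrade record a version, Remove/Purge drop the package.
installed_inventory() {
    awk '
    $3 == "Install" || $3 == "Upgrade" { inst[$4] = $5 }
    $3 == "Remove"  || $3 == "Purge"   { delete inst[$4] }
    END { for (n in inst) print n, inst[n] }' | sort
}

sample_apt_history | apt_history_events
sample_apt_history | apt_history_events | installed_inventory
```

Run against the constructed log this yields four events (one Upgrade, two Installs under the same eid, one Purge) and an inventory of two packages, because the purged libsqlite3-dev has been dropped again. On a real system the same functions can be fed with /var/log/apt/history.log (and its rotated, gzipped predecessors) to sanity-check what sw-collector will import.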
Creating a Client Certificate¶
Using the strongSwan pki tool and the CA created in the PT-TLS SWIMA Server section, an end entity certificate can be generated in the following way in the /etc/pts/pki directory. The private key is the client's identity, so keep client1_Key.pem readable by root only.
pki --gen --type ecdsa --size 256 --outform pem > client1_Key.pem
pki --req --in client1_Key.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1" --san "client1.example.com" --outform pem > client1_Req.pem
The PKCS#10 certificate request can now be signed by the CA (--lifetime is given in days; 1461 days is four years)
pki --issue --cakey caKey.pem --cacert caCert.pem --in client1_Req.pem --type pkcs10 --lifetime 1461 --outform pem > client1_Cert.pem
The certificate info can be displayed with
pki --print --in client1_Cert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1"
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  validity:  not before Jul 07 22:58:17 2017, ok
             not after  Jul 07 22:58:17 2021, ok (expires in 1460 days)
  serial:    30:b7:f1:4b:e4:64:3a:5e
  altNames:  client1.example.com
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
  pubkey:    ECDSA 256 bits
  keyid:     f5:7b:fa:bd:ba:f9:72:91:33:91:0d:70:c5:90:36:12:30:1c:f3:25
  subjkey:   32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
Configuring the strongSwan "pt-tls-client" Tool¶
The pt-tls-client tool needs the following settings in /etc/strongswan.conf. The libtls suites list restricts the TLS handshake to ECDHE suites with AES-128; if the server offers the AES-GCM suites, the two CBC entries can be dropped. swid_full = yes makes the SWIMA IMC include full SWID tags in the inventory, not only the tag identifiers.
pt-tls-client {
  load = random nonce x509 revocation constraints openssl pkcs1 pkcs8 pem pubkey tnc-imc tnc-tnccs tnccs-20 curl sqlite
  plugins {
    tnccs-20 {
      max_batch_size = 131056
      max_message_size = 131024
    }
  }
}
libtls {
  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
  plugins {
    imc-os {
      device_cert = /etc/pts/pki/client1_Cert.pem
    }
    imc-swima {
      swid_full = yes
      swid_database = sqlite:///etc/pts/collector.db
    }
  }
}
The /etc/tnc_config file defines which Integrity Measurement Collectors (IMCs) are loaded by the TNC client
#IMC-Configuration
IMC "OS"    /usr/lib/ipsec/imcvs/imc-os.so
IMC "SWIMA" /usr/lib/ipsec/imcvs/imc-swima.so
The PT-TLS connection parameters are given on the command line. To save some typing we store them in /etc/pts/options. The first --cert is the CA certificate needed to verify the server's certificate, the second is the client's own certificate, and --key is the matching private key.
--connect tnc.example.com
--cert /etc/pts/pki/caCert.pem
--cert /etc/pts/pki/client1_Cert.pem
--key /etc/pts/pki/client1_Key.pem
--key-type ecdsa
--debug 1
The SWIMA measurements on the endpoint are now transmitted using the simple command
pt-tls-client --optionsfrom /etc/pts/options