Andreas Steffen, 08.07.2017 08:36
PT-TLS SWIMA Client
Installing the strongSwan TNC Software
First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
sudo apt install libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
Download the latest strongSwan tarball
wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
Unpack the tarball
tar xf strongswan-5.6.0dr1.tar.bz2
and change into the strongSwan build directory
cd strongswan-5.6.0dr1
Configure strongSwan with the following options
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imc --enable-tnccs-20 --enable-imc-os --enable-imc-swima --enable-sqlite --enable-curl
Build and install strongSwan with the commands
make; sudo make install
Configure the strongSwan "sw-collector" Tool
The sw-collector tool collects all software installation events and stores them in an SQLite database. Currently only apt history logs generated by the dpkg package manager (Debian, Ubuntu, etc.) can be parsed. Since the tool is installed in a rather unusual place together with the other strongSwan executables, we define the following symbolic link
sudo ln -s /usr/libexec/ipsec/sw-collector /usr/sbin/sw-collector
Then we set up a clean collector database with the command
sudo -s
mkdir /etc/pts
cat /usr/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/pts/collector.db
The sw-collector needs some options defined in the /etc/strongswan.conf configuration file
sw-collector {
  database = sqlite:///etc/pts/collector.db
  history = /var/log/apt/history.log
  first_time = 2017-02-15T20:20:34Z

  rest_api {
    uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
  }
}
The date of the original OS installation can be found e.g. with the command
ls -l --full-time /var/log/bootstrap.log
-rw-r--r-- 1 root root 57457 2017-02-15 12:20:34.000000000 -0800 /var/log/bootstrap.log
Then we are ready to populate the collector database with all installation events that have already happened. Since there are usually up to 2000 software packages, we reduce the debug level for the initial run
sudo sw-collector --debug 1
First-Date: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
processing "/etc/lsb-release" file
operating system name is 'Ubuntu'
operating system version is '16.04 x86_64'
Last-Event: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
Start-Date: 2017-02-16T04:20:50Z, eid = 2, epoch = 1849176721
Upgrade:
Start-Date: 2017-02-16T04:23:44Z, eid = 3, epoch = 1849176721
Install:
Start-Date: 2017-02-16T04:37:48Z, eid = 4, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:17:46Z, eid = 5, epoch = 1849176721
Upgrade:
Start-Date: 2017-07-07T13:18:15Z, eid = 6, epoch = 1849176721
Start-Date: 2017-07-07T13:18:23Z, eid = 7, epoch = 1849176721
Purge:
Start-Date: 2017-07-07T13:19:08Z, eid = 8, epoch = 1849176721
Start-Date: 2017-07-07T13:20:01Z, eid = 9, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:20:10Z, eid = 10, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:24:09Z, eid = 11, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:41:44Z, eid = 12, epoch = 1849176721
Install:
Upgrade:
Start-Date: 2017-07-07T13:55:18Z, eid = 13, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:57:02Z, eid = 14, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:58:05Z, eid = 15, epoch = 1849176721
Install:
Upgrade:
Start-Date: 2017-07-07T14:01:13Z, eid = 16, epoch = 1849176721
Install:
Start-Date: 2017-07-07T14:02:23Z, eid = 17, epoch = 1849176721
Install:
Start-Date: 2017-07-07T14:03:52Z, eid = 18, epoch = 1849176721
Install:
Upgrade:
Start-Date: 2017-07-07T14:24:12Z, eid = 19, epoch = 1849176721
Install:
Merging: merged 1741 installed packages, 1741 registered in database
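To make the collector's input and output concrete, here is an added example (not strongSwan's own sw-collector code) that parses the apt history.log format the tool reads, numbers each Start-Date block with a sequential eid as the output above does, replays the events into a current inventory, and derives the first_time value from the ls --full-time line shown above. The log lines and the -0800 offset are constructed; whether history.log timestamps are local time is an assumption made here, so the UTC offset is a parameter.

```python
"""Added example, not part of strongSwan: a minimal apt history.log parser
in the spirit of sw-collector, plus the first_time conversion."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout /var/log/apt/history.log uses.
SAMPLE_HISTORY = """\
Start-Date: 2017-02-16  04:20:50
Commandline: apt-get upgrade
Upgrade: libc6:amd64 (2.23-0ubuntu3, 2.23-0ubuntu5), bash:amd64 (4.3-14ubuntu1, 4.3-14ubuntu1.1)
End-Date: 2017-02-16  04:21:10

Start-Date: 2017-02-16  04:23:44
Commandline: apt-get install vim
Install: vim:amd64 (2:7.4.1689-3ubuntu1.2), vim-runtime:amd64 (2:7.4.1689-3ubuntu1.2, automatic)
End-Date: 2017-02-16  04:23:50

Start-Date: 2017-07-07  13:19:08
Commandline: apt-get purge vim
Purge: vim:amd64 (2:7.4.1689-3ubuntu1.2)
End-Date: 2017-07-07  13:19:10
"""

ACTIONS = ("Install", "Upgrade", "Remove", "Purge")
# "name:arch (versions...)" entries, comma separated on one line
PKG_RE = re.compile(r"([^\s,()]+) \(([^)]*)\)")
# the mtime printed by `ls -l --full-time`
LS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\.\d+ ([+-]\d{4})")


def to_utc(stamp, offset_hours):
    """Convert 'YYYY-MM-DD  HH:MM:SS' (assumed local time) to ISO 8601 UTC."""
    local = datetime.strptime(" ".join(stamp.split()), "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def first_time_from_ls(ls_line):
    """Turn the bootstrap.log mtime from `ls -l --full-time` into the
    first_time string expected in strongswan.conf."""
    match = LS_RE.search(ls_line)
    if not match:
        raise ValueError("no --full-time timestamp found")
    date, clock, tz = match.groups()
    stamp = datetime.strptime(f"{date} {clock} {tz}", "%Y-%m-%d %H:%M:%S %z")
    return stamp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_history(text, offset_hours=0):
    """One event per Start-Date block, numbered with a sequential eid.
    Each event carries (action, package, version) triples; for an Upgrade
    the new version is kept, an 'automatic' marker is dropped."""
    events = []
    current = None
    for line in text.splitlines():
        if line.startswith("Start-Date:"):
            current = {"eid": len(events) + 1,
                       "timestamp": to_utc(line.split(":", 1)[1], offset_hours),
                       "packages": []}
            events.append(current)
        elif current is not None:
            key, _, rest = line.partition(":")
            if key in ACTIONS:
                for name, versions in PKG_RE.findall(rest):
                    parts = [p.strip() for p in versions.split(",")]
                    version = parts[1] if key == "Upgrade" else parts[0]
                    current["packages"].append((key, name, version))
            elif key == "End-Date":
                current = None
    return events


def installed_set(events):
    """Replay the events to obtain the currently installed packages,
    the inventory a collector ultimately reports."""
    installed = {}
    for event in events:
        for action, name, version in event["packages"]:
            if action in ("Install", "Upgrade"):
                installed[name] = version
            else:
                installed.pop(name, None)
    return installed


if __name__ == "__main__":
    for event in parse_history(SAMPLE_HISTORY):
        print(f"Start-Date: {event['timestamp']}, eid = {event['eid']}")
        for action, name, version in event["packages"]:
            print(f"  {action}: {name} {version}")
    print("installed:", sorted(installed_set(parse_history(SAMPLE_HISTORY))))
```

Replaying the log into an inventory is what lets a collector report the current software state rather than only the raw event stream; a verifier can then compare both against the expected baseline.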
Creating a Client Certificate
Using the strongSwan pki tool and the CA created in the PT-TLS SWIMA Server section, an end entity certificate can be generated in the following way in the "/etc/pts/pki" directory
pki --gen --type ecdsa --size 256 --outform pem > client1_Key.pem
pki --req --in client1_Key.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1" --san "client1.example.com" --outform pem > client1_Req.pem
The PKCS#10 certificate request can now be signed by the CA
pki --issue --cakey caKey.pem --cacert caCert.pem --in client1_Req.pem --type pkcs10 --lifetime 1461 --outform pem > client1_Cert.pem
The certificate info can be displayed with
pki --print --in client1_Cert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1"
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  validity:  not before Jul 07 22:58:17 2017, ok
             not after  Jul 07 22:58:17 2021, ok (expires in 1460 days)
  serial:    30:b7:f1:4b:e4:64:3a:5e
  altNames:  client1.example.com
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
  pubkey:    ECDSA 256 bits
  keyid:     f5:7b:fa:bd:ba:f9:72:91:33:91:0d:70:c5:90:36:12:30:1c:f3:25
  subjkey:   32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
Configuring the strongSwan "pt-tls-client" Tool
The pt-tls-client tool needs some configuration in "/etc/strongswan.conf"
pt-tls-client {
  load = random nonce x509 revocation constraints openssl pkcs1 pkcs8 pem pubkey tnc-imc tnc-tnccs tnccs-20 curl sqlite

  plugins {
    tnccs-20 {
      max_batch_size = 131056
      max_message_size = 131024
    }
  }
}

libtls {
  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}

libimcv {
  plugins {
    imc-os {
      device_cert = /etc/pts/pki/client1_Cert.pem
    }
    imc-swima {
      swid_full = yes
      swid_database = sqlite:///etc/pts/collector.db
    }
  }
}
The /etc/tnc_config file defines which Integrity Measurement Collectors (IMCs) are loaded by the TNC server
#IMC-Configuration
IMC "OS"    /usr/lib/ipsec/imcvs/imc-os.so
IMC "SWIMA" /usr/lib/ipsec/imcvs/imc-swima.so
The PT-TLS connection parameters are given on the command line. In order to save some typing, we store the parameters in the "/etc/pts/options" file
--connect tnc.example.com
--cert /etc/pts/pki/caCert.pem
--cert /etc/pts/pki/client1_Cert.pem
--key /etc/pts/pki/client1_Key.pem
--debug 1
Next we install the following shortcut for the pt-tls-client tool
sudo ln -s /usr/libexec/ipsec/pt-tls-client /usr/bin/pt-tls-client
The SWIMA measurements on the endpoint are now transmitted with the simple command
pt-tls-client --optionsfrom /etc/pts/options