PT-TLS SWIMA Client » History » Version 14
Andreas Steffen, 08.07.2017 08:36
h1. PT-TLS SWIMA Client

{{>toc}}

h2. Installing the strongSwan TNC Software

First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
<pre>
sudo apt install libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
</pre>

Download the latest strongSwan tarball
<pre>
wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
</pre>

Unpack the tarball
<pre>
tar xf strongswan-5.6.0dr1.tar.bz2
</pre>

and change into the strongSwan build directory
<pre>
cd strongswan-5.6.0dr1
</pre>

Configure strongSwan with the following options
<pre>
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imc --enable-tnccs-20 --enable-imc-os --enable-imc-swima --enable-sqlite --enable-curl
</pre>

Build and install strongSwan with the commands (the install step only runs if the build succeeded)
<pre>
make && sudo make install
</pre>

h2. Configuring the strongSwan "sw-collector" Tool

The *sw-collector* tool allows all software installation events to be collected and stored in an SQLite database. Currently only *apt* history logs generated by the *dpkg* package manager (Debian, Ubuntu, etc.) can be parsed. Since the tool is installed in a rather unusual place together with the other strongSwan executables, we define the following symbolic link
<pre>
sudo ln -s /usr/libexec/ipsec/sw-collector /usr/sbin/sw-collector
</pre>

Then we set up a clean collector database with the commands
<pre>
sudo -s
mkdir /etc/pts
cat /usr/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/pts/collector.db
</pre>

The *sw-collector* tool needs some options defined in the */etc/strongswan.conf* configuration file
<pre>
sw-collector {
  database = sqlite:///etc/pts/collector.db
  history = /var/log/apt/history.log
  first_time = 2017-02-15T20:20:34Z
  rest_api {
    uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
  }
}
</pre>

Note that the *rest_api* URI embeds the REST API credentials in clear text, so the configuration file holding it should be readable by root only.

The date of the original OS installation, which goes into *first_time*, can be found e.g. with the command
<pre>
ls -l --full-time /var/log/bootstrap.log
-rw-r--r-- 1 root root 57457 2017-02-15 12:20:34.000000000 -0800 /var/log/bootstrap.log
</pre>

The listed timestamp is local time and must be converted to UTC for *first_time* (here 12:20:34 -0800 corresponds to 20:20:34Z).

Then we are ready to populate the collector database with all installation events that have already happened. Since there are usually up to 2000 installed software packages, we reduce the debug level for the initial run
<pre>
sudo sw-collector --debug 1

First-Date: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
processing "/etc/lsb-release" file
operating system name is 'Ubuntu'
operating system version is '16.04 x86_64'
Last-Event: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
Start-Date: 2017-02-16T04:20:50Z, eid = 2, epoch = 1849176721
Upgrade:
Start-Date: 2017-02-16T04:23:44Z, eid = 3, epoch = 1849176721
Install:
Start-Date: 2017-02-16T04:37:48Z, eid = 4, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:17:46Z, eid = 5, epoch = 1849176721
Upgrade:
Start-Date: 2017-07-07T13:18:15Z, eid = 6, epoch = 1849176721
Start-Date: 2017-07-07T13:18:23Z, eid = 7, epoch = 1849176721
Purge:
Start-Date: 2017-07-07T13:19:08Z, eid = 8, epoch = 1849176721
Start-Date: 2017-07-07T13:20:01Z, eid = 9, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:20:10Z, eid = 10, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:24:09Z, eid = 11, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:41:44Z, eid = 12, epoch = 1849176721
Install:
Upgrade:
Start-Date: 2017-07-07T13:55:18Z, eid = 13, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:57:02Z, eid = 14, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:58:05Z, eid = 15, epoch = 1849176721
Install:
Upgrade:
Start-Date: 2017-07-07T14:01:13Z, eid = 16, epoch = 1849176721
Install:
Start-Date: 2017-07-07T14:02:23Z, eid = 17, epoch = 1849176721
Install:
Start-Date: 2017-07-07T14:03:52Z, eid = 18, epoch = 1849176721
Install:
Upgrade:
Start-Date: 2017-07-07T14:24:12Z, eid = 19, epoch = 1849176721
Install:
Merging:
merged 1741 installed packages, 1741 registered in database
</pre>
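To illustrate what the collector does with the *apt* history log, here is an added example parser (not strongSwan's sw-collector source) that turns a constructed history.log excerpt into the same kind of event stream shown above, converting the local log timestamps to UTC and replaying the events over an initial package set as in the "Merging" step. The UTC-8 offset and the sample log lines are assumptions.

```python
# Illustrative apt history.log parser (added example code, not strongSwan's sw-collector source).
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt in apt's history.log format (timestamps are local time without a zone).
SAMPLE_HISTORY = """\
Start-Date: 2017-02-15  20:20:50
Upgrade: bash:amd64 (4.3-14ubuntu1, 4.3-14ubuntu1.1), libc6:amd64 (2.23-0ubuntu5, 2.23-0ubuntu7)
End-Date: 2017-02-15  20:21:10

Start-Date: 2017-07-07  05:19:08
Purge: vim:amd64 (2:7.4.1689-3ubuntu1.2)

Start-Date: 2017-07-07  05:20:01
Install: sqlite3:amd64 (3.11.0-1ubuntu1), libsqlite3-0:amd64 (3.11.0-1ubuntu1, automatic)
"""
LOG_TZ = timezone(timedelta(hours=-8))  # assumption: host logged in UTC-8, as bootstrap.log shows
PKG_RE = re.compile(r"(\S+) \(([^)]*)\)")  # "name:arch (version list)"
ACTIONS = ("Install", "Upgrade", "Remove", "Purge")

def _packages(action, value):
    # Upgrade entries read "(old, new)", Install entries "(version[, automatic])".
    for m in PKG_RE.finditer(value):
        parts = m.group(2).split(", ")
        yield m.group(1), parts[1] if action == "Upgrade" else parts[0]

def parse_events(text, first_eid=2):
    """One dict per Start-Date block: eid, UTC start time and per-action package lists."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Start-Date:"):
            local = datetime.strptime(" ".join(line.split()[1:]), "%Y-%m-%d %H:%M:%S")
            start = local.replace(tzinfo=LOG_TZ).astimezone(timezone.utc)
            current = {"eid": first_eid + len(events), "start": start.strftime("%Y-%m-%dT%H:%M:%SZ")}
            events.append(current)
        elif current is not None and line.split(":", 1)[0] in ACTIONS:
            action, value = line.split(": ", 1)
            current[action] = list(_packages(action, value))
    return events

def merge_installed(initial, events):
    """Replay the events over the initial package set, like the tool's "Merging" step."""
    installed = dict(initial)
    for ev in events:
        for name, ver in ev.get("Install", []) + ev.get("Upgrade", []):
            installed[name] = ver
        for name, _ in ev.get("Remove", []) + ev.get("Purge", []):
            installed.pop(name, None)
    return installed
```

The eid counter starts at 2 because eid 1 is reserved for the First-Date event that registers the packages present at OS installation time.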

h2. Creating a Client Certificate

Using the strongSwan *pki* tool and the CA created in the [[SwimaServer|PT-TLS SWIMA Server]] section, an end entity certificate can be generated in the following way in the "/etc/pts/pki" directory
<pre>
pki --gen --type ecdsa --size 256 --outform pem > client1_Key.pem
pki --req --in client1_Key.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1" --san "client1.example.com" --outform pem > client1_Req.pem
</pre>

Since the private key is written by shell redirection, make sure that *client1_Key.pem* ends up readable by root only.

The PKCS#10 certificate request can now be signed by the CA
<pre>
pki --issue --cakey caKey.pem --cacert caCert.pem --in client1_Req.pem --type pkcs10 --lifetime 1461 --outform pem > client1_Cert.pem
</pre>

The certificate info can be displayed with
<pre>
pki --print --in client1_Cert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1"
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  validity:  not before Jul 07 22:58:17 2017, ok
             not after  Jul 07 22:58:17 2021, ok (expires in 1460 days)
  serial:    30:b7:f1:4b:e4:64:3a:5e
  altNames:  client1.example.com
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
  pubkey:    ECDSA 256 bits
  keyid:     f5:7b:fa:bd:ba:f9:72:91:33:91:0d:70:c5:90:36:12:30:1c:f3:25
  subjkey:   32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
</pre>

h2. Configuring the strongSwan "pt-tls-client" Tool

The *pt-tls-client* tool needs some configuration in "/etc/strongswan.conf"
<pre>
pt-tls-client {
  load = random nonce x509 revocation constraints openssl pkcs1 pkcs8 pem pubkey tnc-imc tnc-tnccs tnccs-20 curl sqlite

  plugins {
    tnccs-20 {
      max_batch_size = 131056
      max_message_size = 131024
    }
  }
}

libtls {
  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}

libimcv {
  plugins {
    imc-os {
      device_cert = /etc/pts/pki/client1_Cert.pem
    }
    imc-swima {
      swid_full = yes
      swid_database = sqlite:///etc/pts/collector.db
    }
  }
}
</pre>

The */etc/tnc_config* file defines which Integrity Measurement Collectors (IMCs) are loaded by the TNC server
<pre>
#IMC-Configuration
IMC "OS"    /usr/lib/ipsec/imcvs/imc-os.so
IMC "SWIMA" /usr/lib/ipsec/imcvs/imc-swima.so
</pre>

The PT-TLS connection parameters are given on the command line. In order to save some typing we store the parameters in the "/etc/pts/options" file
<pre>
--connect tnc.example.com
--cert /etc/pts/pki/caCert.pem
--cert /etc/pts/pki/client1_Cert.pem
--key /etc/pts/pki/client1_Key.pem
--debug 1
</pre>

The CA certificate is needed to verify the PT-TLS server's certificate, while the client certificate together with its private key authenticates the client towards the server.

Next we install the following shortcut for the pt-tls-client tool
<pre>
sudo ln -s /usr/libexec/ipsec/pt-tls-client /usr/bin/pt-tls-client
</pre>

The SWIMA measurements on the endpoint are now transmitted with the simple command
<pre>
pt-tls-client --optionsfrom /etc/pts/options
</pre>