Version 21 - History - PT-TLS SWIMA Client - strongSwan

PT-TLS SWIMA Client » History » Version 21

Andreas Steffen, 18.07.2017 19:43

-Andreas Steffen
+h1. PT-TLS SWIMA Client
 Andreas Steffen
-Andreas Steffen
+{{>toc}}
 Andreas Steffen
-Andreas Steffen
+h2. Installing the strongSwan TNC Software
 Andreas Steffen
-Andreas Steffen
+First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
-Andreas Steffen
+<pre>
-Andreas Steffen
+ sudo apt install libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Download the latest strongSwan tarball
-Andreas Steffen
+<pre>
-Andreas Steffen
+wget https://download.strongswan.org/strongswan-5.6.0dr3.tar.bz2
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Unpack the tarball
-Andreas Steffen
+<pre>
-Andreas Steffen
+tar xf strongswan-5.6.0dr3.tar.bz2
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+and change into the strongSwan build directory
-Andreas Steffen
+<pre>
-Andreas Steffen
+cd strongswan-5.6.0dr3
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Configure strongSwan with the following options
-Andreas Steffen
+<pre>
-Andreas Steffen
+./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imc --enable-tnccs-20 --enable-imc-os --enable-imc-swima --enable-sqlite --enable-curl
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Build and install strongSwan with the commands
-Andreas Steffen
+<pre>
-Andreas Steffen
+make; sudo make install
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Configure the strongSwan "sw-collector" Tool
 Andreas Steffen
-Andreas Steffen
+The *sw-collector* tool allows all software installation events to be collected and stored in an SQLite database. Currently only *apt* history logs generated by the *dpkg* packet manager (Debian, Ubuntu, etc.) can be parsed. We set up a clean collector database with the command
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo -s
-Andreas Steffen
+mkdir /etc/pts
-Andreas Steffen
+cat /usr/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/pts/collector.db
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The *sw-collector* needs some options defined in */etc/strongswan.conf*
-Andreas Steffen
+<pre>
-Andreas Steffen
+sw-collector {
-Andreas Steffen
+  database = sqlite:///etc/pts/collector.db
-Andreas Steffen
+  history = /var/log/apt/history.log
-Andreas Steffen
+  first_time = 2017-02-15T20:20:34Z
-Andreas Steffen
+  rest_api {
-Andreas Steffen
+    uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The date of the original OS installation can be found e.g. with the command
-Andreas Steffen
+<pre>
-Andreas Steffen
+ls -l --full-time /var/log/bootstrap.log
-Andreas Steffen
+-rw-r--r-- 1 root root 57457 2017-02-15 12:20:34.000000000 -0800 /var/log/bootstrap.log
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Then we are ready to populate the collector database with all installation events that have already happened. Since there are usually up to 2000 software packages we reduce the debug level for the initial run
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo sw-collector --debug 1
 Andreas Steffen
-Andreas Steffen
+First-Date: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
-Andreas Steffen
+processing "/etc/lsb-release" file
-Andreas Steffen
+operating system name is 'Ubuntu'
-Andreas Steffen
+operating system version is '16.04 x86_64'
-Andreas Steffen
+Last-Event: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
-Andreas Steffen
+Start-Date: 2017-02-16T04:20:50Z, eid = 2, epoch = 1849176721
-Andreas Steffen
+  Upgrade:
-Andreas Steffen
+Start-Date: 2017-02-16T04:23:44Z, eid = 3, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Start-Date: 2017-02-16T04:37:48Z, eid = 4, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Start-Date: 2017-07-07T13:17:46Z, eid = 5, epoch = 1849176721
-Andreas Steffen
+  Upgrade:
-Andreas Steffen
+Start-Date: 2017-07-07T13:18:15Z, eid = 6, epoch = 1849176721
-Andreas Steffen
+Start-Date: 2017-07-07T13:18:23Z, eid = 7, epoch = 1849176721
-Andreas Steffen
+  Purge:
-Andreas Steffen
+Start-Date: 2017-07-07T13:19:08Z, eid = 8, epoch = 1849176721
-Andreas Steffen
+Start-Date: 2017-07-07T13:20:01Z, eid = 9, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Start-Date: 2017-07-07T13:20:10Z, eid = 10, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Start-Date: 2017-07-07T13:24:09Z, eid = 11, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Start-Date: 2017-07-07T13:41:44Z, eid = 12, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+  Upgrade:
-Andreas Steffen
+Start-Date: 2017-07-07T13:55:18Z, eid = 13, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Start-Date: 2017-07-07T13:57:02Z, eid = 14, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Start-Date: 2017-07-07T13:58:05Z, eid = 15, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+  Upgrade:
-Andreas Steffen
+Start-Date: 2017-07-07T14:01:13Z, eid = 16, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Start-Date: 2017-07-07T14:02:23Z, eid = 17, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Start-Date: 2017-07-07T14:03:52Z, eid = 18, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+  Upgrade:
-Andreas Steffen
+Start-Date: 2017-07-07T14:24:12Z, eid = 19, epoch = 1849176721
-Andreas Steffen
+  Install:
-Andreas Steffen
+Merging:
-Andreas Steffen
+  merged 1741 installed packages, 1741 registered in database
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Creating a Client Certificate
 Andreas Steffen
-Andreas Steffen
+Using the strongSwan *pki* tool and the CA created in the [[SwimaServer|PT-TLS SWIMA Server]] section, an end entity certificate can be generated in the following way in the "/etc/pts/pki" directory
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --gen --type ecdsa --size 256 --outform pem > client1_Key.pem
-Andreas Steffen
+pki --req --in client1_Key.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1" --san "client1.example.com" --outform pem > client1_Req.pem
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The PKCS#10 certificate request can now be signed by the CA
-Andreas Steffen
+<pre>
-Andreas Steffen
+ pki --issue --cakey caKey.pem --cacert caCert.pem --in client1_Req.pem --type pkcs10 --lifetime 1461 --outform pem > client1_Cert.pem
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The certificate info can be displayed with
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --print --in client1_Cert.pem
-Andreas Steffen
+  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1"
-Andreas Steffen
+  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  validity:  not before Jul 07 22:58:17 2017, ok
-Andreas Steffen
+             not after  Jul 07 22:58:17 2021, ok (expires in 1460 days)
-Andreas Steffen
+  serial:    30:b7:f1:4b:e4:64:3a:5e
-Andreas Steffen
+  altNames:  client1.example.com
-Andreas Steffen
+  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+  subjkeyId: 32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     f5:7b:fa:bd:ba:f9:72:91:33:91:0d:70:c5:90:36:12:30:1c:f3:25
-Andreas Steffen
+  subjkey:   32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Configuring the strongSwan "pt-tls-client" Tool
 Andreas Steffen
-Andreas Steffen
+The *pt-tls-client* tool needs some configurations in */etc/strongswan.conf*
-Andreas Steffen
+<pre>
-Andreas Steffen
+pt-tls-client {
-Andreas Steffen
+  load = random nonce x509 revocation constraints openssl pkcs1 pkcs8 pem pubkey tnc-imc tnc-tnccs tnccs-20 curl sqlite
 Andreas Steffen
-Andreas Steffen
+  plugins {
-Andreas Steffen
+    tnccs-20 {
-Andreas Steffen
+      max_batch_size = 131056
-Andreas Steffen
+      max_message_size = 131024
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+libtls {
-Andreas Steffen
+  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+libimcv {
-Andreas Steffen
+  plugins {
-Andreas Steffen
+    imc-os {
-Andreas Steffen
+      device_cert = /etc/pts/pki/client1_Cert.pem
 Andreas Steffen
-Andreas Steffen
+    imc-swima {
-Andreas Steffen
+      swid_full = yes
-Andreas Steffen
+      swid_database = sqlite:///etc/pts/collector.db
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The */etc/tnc_config* file defines which Integrity Measurement Collectors (IMCs) are loaded by the TNC client
-Andreas Steffen
+<pre>
-Andreas Steffen
+#IMC-Configuration
-Andreas Steffen
+IMC "OS"        /usr/lib/ipsec/imcvs/imc-os.so
-Andreas Steffen
+IMC "SWIMA"     /usr/lib/ipsec/imcvs/imc-swima.so
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The PT-TLS connection parameters are given on the command line. In order to save some typing work we store the parameters in */etc/pts/options*
-Andreas Steffen
+<pre>
-Andreas Steffen
+--connect tnc.example.com
-Andreas Steffen
+--cert /etc/pts/pki/caCert.pem
-Andreas Steffen
+--cert /etc/pts/pki/client1_Cert.pem
-Andreas Steffen
+--key /etc/pts/pki/client1_Key.pem
-Andreas Steffen
+--debug 1
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The SWIMA measurements on the endpoint are now transmitted using the simple command
-Andreas Steffen
+<pre>
-Andreas Steffen
+pt-tls-client --optionsfrom /etc/pts/options
-Andreas Steffen
+</pre>

Project

General

Profile

strongSwan

PT-TLS SWIMA Client » History » Version 21