PT-TLS SWIMA Client » History » Version 22

Version 21 (Andreas Steffen, 18.07.2017 19:43) → Version 22/26 (Andreas Steffen, 20.07.2017 08:42)

h1. PT-TLS SWIMA Client

{{>toc}}

h2. Installing the strongSwan TNC Software

First we have to install the additional Ubuntu packages needed for the strongSwan TNC build (package names as on Ubuntu 16.04, the release used in the collector output below)
<pre>
sudo apt install libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
</pre>

Download the latest strongSwan tarball (at the time of writing the 5.6.0dr3 development snapshot; verify the detached signature published next to the tarball against the strongSwan release key before building)
<pre>
wget https://download.strongswan.org/strongswan-5.6.0dr3.tar.bz2
</pre>

Unpack the tarball
<pre>
tar xf strongswan-5.6.0dr3.tar.bz2
</pre>

and change into the strongSwan build directory
<pre>
cd strongswan-5.6.0dr3
</pre>

Configure strongSwan with the following options
<pre>
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imc --enable-tnccs-20 --enable-imc-os --enable-imc-swima --enable-sqlite --enable-curl
</pre>

Build and install strongSwan with the commands (the @&&@ makes sure nothing is installed if the build fails)
<pre>
make && sudo make install
</pre>

h2. Configure the strongSwan "sw-collector" Tool

The [[SwCollector|sw-collector]] *sw-collector* tool collects all software installation events and stores them in an SQLite database. Currently only the *apt* history log of the *dpkg* package manager (Debian, Ubuntu, etc.) can be parsed. We set up a clean collector database with the commands
<pre>
sudo -s
mkdir /etc/pts
cat /usr/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/pts/collector.db
</pre>

The [[SwCollector|sw-collector]] *sw-collector* tool needs some options defined in */etc/strongswan.conf*
<pre>
sw-collector {
  database = sqlite:///etc/pts/collector.db
  history = /var/log/apt/history.log
  first_time = 2017-02-15T20:20:34Z
  rest_api {
    uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
  }
}
</pre>

Since the REST API credentials are embedded in the *uri* option, make sure */etc/strongswan.conf* is readable by root only; *sw-collector* runs as root anyway.

The date of the original OS installation can be found e.g. with the command
<pre>
ls -l --full-time /var/log/bootstrap.log
-rw-r--r-- 1 root root 57457 2017-02-15 12:20:34.000000000 -0800 /var/log/bootstrap.log
</pre>

Then we are ready to populate the collector database with all installation events that have already happened. Since there are usually up to 2000 installed software packages, we reduce the debug level for the initial run
<pre>
sudo sw-collector --debug 1

First-Date: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
processing "/etc/lsb-release" file
operating system name is 'Ubuntu'
operating system version is '16.04 x86_64'
Last-Event: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
Start-Date: 2017-02-16T04:20:50Z, eid = 2, epoch = 1849176721
Upgrade:
Start-Date: 2017-02-16T04:23:44Z, eid = 3, epoch = 1849176721
Install:
Start-Date: 2017-02-16T04:37:48Z, eid = 4, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:17:46Z, eid = 5, epoch = 1849176721
Upgrade:
Start-Date: 2017-07-07T13:18:15Z, eid = 6, epoch = 1849176721
Start-Date: 2017-07-07T13:18:23Z, eid = 7, epoch = 1849176721
Purge:
Start-Date: 2017-07-07T13:19:08Z, eid = 8, epoch = 1849176721
Start-Date: 2017-07-07T13:20:01Z, eid = 9, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:20:10Z, eid = 10, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:24:09Z, eid = 11, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:41:44Z, eid = 12, epoch = 1849176721
Install:
Upgrade:
Start-Date: 2017-07-07T13:55:18Z, eid = 13, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:57:02Z, eid = 14, epoch = 1849176721
Install:
Start-Date: 2017-07-07T13:58:05Z, eid = 15, epoch = 1849176721
Install:
Upgrade:
Start-Date: 2017-07-07T14:01:13Z, eid = 16, epoch = 1849176721
Install:
Start-Date: 2017-07-07T14:02:23Z, eid = 17, epoch = 1849176721
Install:
Start-Date: 2017-07-07T14:03:52Z, eid = 18, epoch = 1849176721
Install:
Upgrade:
Start-Date: 2017-07-07T14:24:12Z, eid = 19, epoch = 1849176721
Install:
Merging:
merged 1741 installed packages, 1741 registered in database
</pre>
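The following Python script is an added example and is not part of this page or of the strongSwan *sw-collector* tool. It parses a few constructed *apt* history.log transactions into the numbered events the run above reports, keeps them in a small SQLite table, and answers "what changed since event N", which is the delta a SWIMA event request for that event identifier asks for. It goes one step further than the page and replays the events over a base inventory to obtain the current package list. The table layout is a simplified stand-in (not the schema from *sw_collector_tables.sql*), the software identifier format is only illustrative, and the timestamps are taken as UTC although *apt* writes local time.

```python
"""Parse apt history.log transactions into numbered software events.

Added example, not strongSwan code. The schema below is a simplified
stand-in for sw-collector's real tables (see sw_collector_tables.sql).
"""
import re
import sqlite3

# Constructed sample in the format apt writes to /var/log/apt/history.log.
SAMPLE_HISTORY = """\
Start-Date: 2017-02-16  04:20:50
Commandline: apt-get upgrade
Upgrade: libssl1.0.0:amd64 (1.0.2g-1ubuntu4.5, 1.0.2g-1ubuntu4.6), openssl:amd64 (1.0.2g-1ubuntu4.5, 1.0.2g-1ubuntu4.6)
End-Date: 2017-02-16  04:21:03

Start-Date: 2017-02-16  04:23:44
Commandline: apt-get install sqlite3
Install: sqlite3:amd64 (3.11.0-1ubuntu1), libsqlite3-dev:amd64 (3.11.0-1ubuntu1, automatic)
End-Date: 2017-02-16  04:23:50

Start-Date: 2017-07-07  13:18:23
Commandline: apt-get purge telnet
Purge: telnet:amd64 (0.17-40)
End-Date: 2017-07-07  13:18:25
"""

ACTIONS = ("Install", "Upgrade", "Remove", "Purge")
# "name:arch (versions)" entries; versions may be "old, new" or "ver, automatic".
ENTRY_RE = re.compile(r"(\S+) \(([^)]*)\)")

SCHEMA = """
CREATE TABLE events (eid INTEGER PRIMARY KEY, timestamp TEXT NOT NULL);
CREATE TABLE sw_events (eid INTEGER REFERENCES events(eid), action TEXT NOT NULL,
                        name TEXT NOT NULL, version TEXT NOT NULL);
"""


def parse_history(text):
    """Yield (timestamp, [(action, package, version), ...]) per apt transaction."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        if "Start-Date" not in fields:
            continue
        date, clock = fields["Start-Date"].split()
        stamp = f"{date}T{clock}Z"  # assumption: log written in UTC
        changes = []
        for action in ACTIONS:
            for name, versions in ENTRY_RE.findall(fields.get(action, "")):
                parts = [p.strip() for p in versions.split(",") if p.strip() != "automatic"]
                # Upgrade carries (old, new): keep the new version.
                version = parts[-1] if action == "Upgrade" else parts[0]
                changes.append((action, name, version))
        yield stamp, changes


def build_collector_db(history_text, first_time):
    """eid 1 marks the original OS installation (the First-Date line above);
    every apt transaction afterwards gets the next eid."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO events VALUES (1, ?)", (first_time,))
    eid = 1
    for stamp, changes in parse_history(history_text):
        eid += 1
        conn.execute("INSERT INTO events VALUES (?, ?)", (eid, stamp))
        conn.executemany("INSERT INTO sw_events VALUES (?, ?, ?, ?)",
                         [(eid, a, n, v) for a, n, v in changes])
    conn.commit()
    return conn


def last_eid(conn):
    return conn.execute("SELECT max(eid) FROM events").fetchone()[0]


def changes_since(conn, eid):
    """Events newer than the eid the server last saw: the SWIMA event delta."""
    return conn.execute(
        "SELECT e.eid, e.timestamp, s.action, s.name, s.version FROM sw_events s "
        "JOIN events e ON e.eid = s.eid WHERE s.eid > ? ORDER BY s.eid, s.name",
        (eid,)).fetchall()


def installed_set(conn, base):
    """Replay all events over a base inventory {name: version}. The real tool
    instead merges the packages dpkg reports as installed (the "Merging:" step)."""
    inventory = dict(base)
    for _, _, action, name, version in changes_since(conn, 0):
        if action in ("Install", "Upgrade"):
            inventory[name] = version
        else:
            inventory.pop(name, None)
    return inventory


def software_id(os_name, os_version, name, version):
    """Illustrative tag-creator-prefixed identifier (assumption, not the tool's exact format)."""
    return f"strongswan.org__{os_name}_{os_version}-{name.split(':')[0]}-{version}"


if __name__ == "__main__":
    db = build_collector_db(SAMPLE_HISTORY, "2017-02-15T20:20:34Z")
    for row in changes_since(db, 2):
        print(row, software_id("Ubuntu", "16.04", row[3], row[4]))
```

Run as a script it prints the events a server that last saw eid 2 would receive; the functions are reusable against a real */var/log/apt/history.log* by passing its contents to *build_collector_db*.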

h2. Creating a Client Certificate

Using the strongSwan [[IpsecPki|pki]] *pki* tool and the CA created in the [[SwimaServer|PT-TLS SWIMA Server]] section, an end entity certificate is generated in the */etc/pts/pki* directory as follows (the private key file must be readable by root only, since *pt-tls-client* authenticates the endpoint with it)
<pre>
pki --gen --type ecdsa --size 256 --outform pem > client1_Key.pem
pki --req --in client1_Key.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1" --san "client1.example.com" --outform pem > client1_Req.pem
</pre>

The PKCS#10 certificate request can now be signed by the CA
<pre>
pki --issue --cakey caKey.pem --cacert caCert.pem --in client1_Req.pem --type pkcs10 --lifetime 1461 --outform pem > client1_Cert.pem
</pre>

The certificate info can be displayed with
<pre>
pki --print --in client1_Cert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1"
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  validity:  not before Jul 07 22:58:17 2017, ok
             not after  Jul 07 22:58:17 2021, ok (expires in 1460 days)
  serial:    30:b7:f1:4b:e4:64:3a:5e
  altNames:  client1.example.com
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
  pubkey:    ECDSA 256 bits
  keyid:     f5:7b:fa:bd:ba:f9:72:91:33:91:0d:70:c5:90:36:12:30:1c:f3:25
  subjkey:   32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
</pre>

h2. Configuring the strongSwan "pt-tls-client" Tool

The [[PtTlsClient|pt-tls-client]] *pt-tls-client* tool needs some configuration in */etc/strongswan.conf*. Note that the client certificate is ECDSA-signed, so the *libtls* suite list must contain ECDHE_ECDSA suites; the ECDHE_RSA suites are only relevant for an RSA server certificate
<pre>
pt-tls-client {
  load = random nonce x509 revocation constraints openssl pkcs1 pkcs8 pem pubkey tnc-imc tnc-tnccs tnccs-20 curl sqlite

  plugins {
    tnccs-20 {
      max_batch_size = 131056
      max_message_size = 131024
    }
  }
}

libtls {
  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}

libimcv {
  plugins {
    imc-os {
      device_cert = /etc/pts/pki/client1_Cert.pem
    }
    imc-swima {
      swid_full = yes
      swid_database = sqlite:///etc/pts/collector.db
    }
  }
}
</pre>

The */etc/tnc_config* file defines which Integrity Measurement Collectors (IMCs) are loaded by the TNC client
<pre>
#IMC-Configuration
IMC "OS" /usr/lib/ipsec/imcvs/imc-os.so
IMC "SWIMA" /usr/lib/ipsec/imcvs/imc-swima.so
</pre>

The PT-TLS connection parameters are given on the command line. To save typing we store them in */etc/pts/options* (the CA certificate is passed with *--cert* as well, so that the server certificate can be verified)
<pre>
--connect tnc.example.com
--cert /etc/pts/pki/caCert.pem
--cert /etc/pts/pki/client1_Cert.pem
--key /etc/pts/pki/client1_Key.pem
--debug 1
</pre>

The SWIMA measurements of the endpoint are now transmitted to the server with the simple command
<pre>
pt-tls-client --optionsfrom /etc/pts/options
</pre>