PT-TLS SWIMA Client » History » Version 26
Andreas Steffen, 05.08.2018 21:23
h1. PT-TLS SWIMA Client

{{>toc}}

h2. Installing the strongSwan TNC Software

First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
<pre>
sudo apt install libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
</pre>

Download the latest strongSwan tarball
<pre>
wget https://download.strongswan.org/strongswan-5.7.0dr8.tar.bz2
</pre>

Unpack the tarball
<pre>
tar xf strongswan-5.7.0dr8.tar.bz2
</pre>

and change into the strongSwan build directory
<pre>
cd strongswan-5.7.0dr8
</pre>

Configure strongSwan with the following options
<pre>
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imc --enable-tnccs-20 --enable-imc-os --enable-imc-swima --enable-sqlite --enable-curl
</pre>

Build and install strongSwan with the commands
<pre>
make; sudo make install
</pre>

h2. Configure the strongSwan "sw-collector" Tool

The [[SwCollector|sw-collector]] tool allows all software installation events to be collected and stored in an SQLite database. Currently only *apt* history logs generated by the *dpkg* package manager (Debian, Ubuntu, etc.) can be parsed. We set up a clean collector database with the commands
<pre>
sudo -s
mkdir /etc/pts
cat /usr/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/pts/collector.db
</pre>

The [[SwCollector|sw-collector]] needs some options defined in */etc/strongswan.conf*
<pre>
sw-collector {
    database = sqlite:///etc/pts/collector.db
    history = /var/log/apt/history.log
    # first_file = /var/log/bootstrap.log
    # first_time = 2017-02-15T20:20:34Z
    rest_api {
        uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
    }
}
</pre>

By default the installation date of the original Linux OS is determined from the creation date of the file */var/log/bootstrap.log*. If this file does not exist, another file name can be given using the *first_file* parameter. As an alternative, an approximate installation date can be set with the *first_time* parameter. Now we are ready to populate the collector database with all installation events that have already happened. Since there are usually up to 2000 software packages, we reduce the debug level for the initial run
<pre>
sudo sw-collector --debug 1

First-Date: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
processing "/etc/lsb-release" file
operating system name is 'Ubuntu'
operating system version is '16.04 x86_64'
Last-Event: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
Start-Date: 2017-02-16T04:20:50Z, eid = 2, epoch = 1849176721
  Upgrade:
Start-Date: 2017-02-16T04:23:44Z, eid = 3, epoch = 1849176721
  Install:
Start-Date: 2017-02-16T04:37:48Z, eid = 4, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:17:46Z, eid = 5, epoch = 1849176721
  Upgrade:
Start-Date: 2017-07-07T13:18:15Z, eid = 6, epoch = 1849176721
Start-Date: 2017-07-07T13:18:23Z, eid = 7, epoch = 1849176721
  Purge:
Start-Date: 2017-07-07T13:19:08Z, eid = 8, epoch = 1849176721
Start-Date: 2017-07-07T13:20:01Z, eid = 9, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:20:10Z, eid = 10, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:24:09Z, eid = 11, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:41:44Z, eid = 12, epoch = 1849176721
  Install:
  Upgrade:
Start-Date: 2017-07-07T13:55:18Z, eid = 13, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:57:02Z, eid = 14, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:58:05Z, eid = 15, epoch = 1849176721
  Install:
  Upgrade:
Start-Date: 2017-07-07T14:01:13Z, eid = 16, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T14:02:23Z, eid = 17, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T14:03:52Z, eid = 18, epoch = 1849176721
  Install:
  Upgrade:
Start-Date: 2017-07-07T14:24:12Z, eid = 19, epoch = 1849176721
  Install:
Merging:
merged 1741 installed packages, 1741 registered in database
</pre>

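To make the event numbering in the output above concrete, here is an added Python sketch (not part of this page and not strongSwan's own sw-collector code) that parses constructed apt history stanzas into eid-numbered events, with the OS installation as event 1 dated by a first_time value in the strongswan.conf format, and then merges the events into the currently installed package set.

```python
import re
from datetime import datetime, timezone

# Constructed apt history.log excerpt (not from the page); apt writes such "Start-Date ... End-Date" stanzas
APT_HISTORY = """\
Start-Date: 2017-02-16  04:20:50
Upgrade: bash:amd64 (4.3-14ubuntu1, 4.3-14ubuntu1.1), libc6:amd64 (2.23-0ubuntu5, 2.23-0ubuntu7)
End-Date: 2017-02-16  04:21:30

Start-Date: 2017-02-16  04:23:44
Commandline: apt-get install sqlite3
Install: sqlite3:amd64 (3.11.0-1ubuntu1), libsqlite3-0:amd64 (3.11.0-1ubuntu1, automatic)
End-Date: 2017-02-16  04:23:50

Start-Date: 2017-07-07  13:18:23
Purge: sqlite3:amd64 (3.11.0-1ubuntu1)
End-Date: 2017-07-07  13:18:30
"""

ACTIONS = ("Install", "Upgrade", "Remove", "Purge")
PKG_RE = re.compile(r"([^\s,]+) \(([^)]*)\)")   # "name:arch (version[, version|automatic])"

def parse_apt_history(text, first_time):
    """Number apt stanzas as events the way sw-collector does: event 1 is the OS
    installation (dated by first_time, e.g. "2017-02-15T20:20:34Z"), later stanzas get the next eid."""
    first = datetime.strptime(first_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    events = [{"eid": 1, "time": first, "changes": []}]
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        start = datetime.strptime(fields["Start-Date"], "%Y-%m-%d  %H:%M:%S")
        changes = []
        for action in ACTIONS:
            for name, versions in PKG_RE.findall(fields.get(action, "")):
                vers = versions.split(", ")   # Upgrade: "old, new"; Install: "ver[, automatic]"
                changes.append((action, name, vers[-1] if action == "Upgrade" else vers[0]))
        events.append({"eid": len(events) + 1,
                       "time": start.replace(tzinfo=timezone.utc), "changes": changes})
    return events

def replay(events):
    """Merge all events into the currently installed package set (name -> version)."""
    installed = {}
    for ev in events:
        for action, name, version in ev["changes"]:
            if action in ("Remove", "Purge"):
                installed.pop(name, None)
            else:
                installed[name] = version
    return installed
```
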
h2. Creating a Client Certificate

Using the strongSwan [[IpsecPki|pki]] tool and the CA created in the [[SwimaServer|PT-TLS SWIMA Server]] section, an end entity certificate can be generated in the following way in the */etc/pts/pki* directory
<pre>
pki --gen --type ecdsa --size 256 --outform pem > client1_Key.pem
pki --req --in client1_Key.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1" --san "client1.example.com" --outform pem > client1_Req.pem
</pre>

The PKCS#10 certificate request can now be signed by the CA
<pre>
pki --issue --cakey caKey.pem --cacert caCert.pem --in client1_Req.pem --type pkcs10 --lifetime 1461 --outform pem > client1_Cert.pem
</pre>

The certificate info can be displayed with
<pre>
pki --print --in client1_Cert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1"
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  validity:  not before Jul 07 22:58:17 2017, ok
             not after  Jul 07 22:58:17 2021, ok (expires in 1460 days)
  serial:    30:b7:f1:4b:e4:64:3a:5e
  altNames:  client1.example.com
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
  pubkey:    ECDSA 256 bits
  keyid:     f5:7b:fa:bd:ba:f9:72:91:33:91:0d:70:c5:90:36:12:30:1c:f3:25
  subjkey:   32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
</pre>

h2. Configuring the strongSwan "pt-tls-client" Tool

The [[PtTlsClient|pt-tls-client]] tool needs some settings in */etc/strongswan.conf*
<pre>
pt-tls-client {
    load = random nonce x509 revocation constraints openssl pkcs1 pkcs8 pem pubkey tnc-imc tnc-tnccs tnccs-20 curl sqlite

    plugins {
        tnccs-20 {
            max_batch_size = 131056
            max_message_size = 131024
        }
    }
}

libtls {
    suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}

libimcv {
    plugins {
        imc-os {
            device_cert = /etc/pts/pki/client1_Cert.pem
        }
        imc-swima {
            swid_full = yes
            swid_database = sqlite:///etc/pts/collector.db
        }
    }
}
</pre>

The */etc/tnc_config* file defines which Integrity Measurement Collectors (IMCs) are loaded by the TNC client
<pre>
#IMC-Configuration
IMC "OS"    /usr/lib/ipsec/imcvs/imc-os.so
IMC "SWIMA" /usr/lib/ipsec/imcvs/imc-swima.so
</pre>

The PT-TLS connection parameters are given on the command line. To save some typing, we store the parameters in */etc/pts/options*
<pre>
--connect tnc.example.com
--cert /etc/pts/pki/caCert.pem
--cert /etc/pts/pki/client1_Cert.pem
--key /etc/pts/pki/client1_Key.pem
--key-type ecdsa
--debug 1
</pre>

The SWIMA measurements on the endpoint are now transmitted using the simple command
<pre>
pt-tls-client --optionsfrom /etc/pts/options
</pre>