PT-TLS SWIMA Server

Installing the strongSwan TNC Software

First we have to install some additional Ubuntu packages needed for the strongSwan TNC build

sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev

Download the latest strongSwan tarball (5.6.0rc2 at the time of writing)

wget https://download.strongswan.org/strongswan-5.6.0rc2.tar.bz2

Unpack the tarball

tar xf strongswan-5.6.0rc2.tar.bz2

and change into the strongSwan build directory

cd strongswan-5.6.0rc2

Configure strongSwan with the following options

./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd

Build and install strongSwan with the commands

make && sudo make install

The following TNC server options have to be configured in /etc/strongswan.conf. Note that the rest_api.uri entry below embeds the strongTNC admin-user password in clear text, so /etc/strongswan.conf must remain readable by root only.

charon-systemd {
  journal {
    default = 1
    tnc = 2
    imv = 3
    pts = 2
  }
  syslog {
    auth {
      default = 0
    }
  }
  plugins {
    tnccs-20 {
      max_batch_size = 131056
      max_message_size = 131024
    }
    tnc-pdp {
      server = tnc.example.com
      pt_tls {
        enable = yes
      }
      radius {
        enable = no
      }
    }
  }
}

libtls {
  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}

libimcv {
  database = sqlite:///etc/pts/config.db
  policy_script = ipsec imv_policy_manager
  plugins {
    imv-swima {
      rest_api {
        uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
        timeout = 360
      }
    }
  }
}

The /etc/tnc_config file defines which Integrity Measurement Validators (IMVs) are loaded by the TNC server

#IMV-Configuration
IMV "OS"        /usr/lib/ipsec/imcvs/imv-os.so
IMV "SWIMA"     /usr/lib/ipsec/imcvs/imv-swima.so

Setting up a CA using the strongSwan "pki" Tool

The strongSwan pki tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored

  sudo -s
  mkdir /etc/pts
  mkdir /etc/pts/pki
  cd /etc/pts/pki

Then we generate an ECDSA key pair on the P-256 curve for the Root CA and a matching self-signed CA certificate

pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem

The CA certificate can be listed with the following command

pki --print --in caCert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  validity:  not before Jul 07 08:19:08 2017, ok
             not after  Jul 07 08:19:08 2027, ok (expires in 3651 days)
  serial:    3a:98:52:2e:75:a5:a5:8b
  flags:     CA CRLSign self-signed
  subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  pubkey:    ECDSA 256 bits
  keyid:     85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
  subjkey:   81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84

Next we generate an ECDSA key pair for the TNC server, create a certificate request for it whose subjectAltName matches the host name configured in tnc-pdp, and let the CA issue a server certificate with the serverAuth flag

pki --gen --type ecdsa --size 256 --outform pem > serverKey.pem
pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem
pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem
pki --print --in serverCert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Server" 
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  validity:  not before Jul 07 09:07:31 2017, ok
             not after  Jul 07 09:07:31 2021, ok (expires in 1460 days)
  serial:    40:53:6a:88:f5:52:50:3b
  altNames:  tnc.example.com
  flags:     serverAuth
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
  pubkey:    ECDSA 256 bits
  keyid:     15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
  subjkey:   9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce

The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default locations.

cp caCert.pem /etc/swanctl/x509ca
cp serverCert.pem /etc/swanctl/x509
cp serverKey.pem /etc/swanctl/ecdsa

The strongSwan sw-collector and pt-tls-client tools use the libcurl library for TLS connections. Because curl looks for X.509 certificate trust anchors in the /etc/ssl/certs directory, the private "IETF 99 Hackathon CA" must be added to the store of trusted CAs on each endpoint (i.e. TNC client) with the following commands

cp caCert.pem /usr/local/share/ca-certificates/IETF99_Hackathon_CA.crt
update-ca-certificates
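As an added example (not part of the original wiki page and not a strongSwan or pki tool feature), the following POSIX shell function checks the issued server certificate before it is copied to /etc/swanctl: that serverCert.pem chains to caCert.pem and is valid for a TLS server, that it carries the serverAuth extended key usage, that its subjectAltName matches the host name set in the tnc-pdp section, and that serverKey.pem really is the private key behind it. It uses openssl instead of pki, and make_demo_pki is a constructed fixture that rebuilds an equivalent CA and server certificate with openssl so the check can be run where pki is not installed; the file names and the host name tnc.example.com are taken from the steps above.

```sh
#!/bin/sh
# Added example (not from the strongSwan wiki or the pki tool): sanity checks
# on the TNC server certificate before it is installed under /etc/swanctl.
# Assumes openssl 1.1.1 or newer on PATH. File names mirror the pki commands
# on the page; make_demo_pki is a constructed fixture built with openssl.

# verify_server_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME
# Returns 0 only if SERVER_CERT chains to CA_CERT and is valid for a TLS
# server, carries the serverAuth EKU, has a DNS subjectAltName equal to
# HOSTNAME, and SERVER_KEY is the private key belonging to it.
verify_server_cert() {
    ca="$1"; cert="$2"; key="$3"; host="$4"

    openssl verify -CAfile "$ca" -purpose sslserver "$cert" >/dev/null 2>&1 || {
        echo "$cert: does not verify against $ca for TLS server use" >&2; return 1; }

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 1

    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || {
        echo "$cert: serverAuth extended key usage missing" >&2; return 1; }

    printf '%s\n' "$text" | grep -Eq "DNS:$host"'(,|$)' || {
        echo "$cert: no subjectAltName DNS:$host" >&2; return 1; }

    # A mismatched key only shows up when charon or Apache try to load it;
    # compare the SubjectPublicKeyInfo derived from both files instead.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "$key: not the private key for $cert" >&2; return 1; }
}

# make_demo_pki DIR HOSTNAME
# Constructed fixture: an ECDSA P-256 CA and a serverAuth leaf with a DNS SAN,
# the same shape the pki commands on the page produce, built with openssl.
make_demo_pki() {
    dir="$1"; host="$2"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"

    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/caKey.pem"
    openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/caKey.pem" -sha256 -days 3652 \
        -subj "/C=CZ/O=IETF/OU=SACM/CN=IETF 99 Prague Hackathon CA" -out "$dir/caCert.pem"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/serverKey.pem"
    openssl req -new -config "$dir/ca.cnf" -key "$dir/serverKey.pem" -sha256 \
        -subj "/C=CZ/O=IETF/OU=SACM/CN=TNC Server" -out "$dir/serverReq.pem"
    openssl x509 -req -in "$dir/serverReq.pem" -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" \
        -CAcreateserial -days 1461 -sha256 -extfile "$dir/server.ext" -out "$dir/serverCert.pem"
}

# Stand-alone demo: build the fixture in a temporary directory and check it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d" tnc.example.com >/dev/null 2>&1
    verify_server_cert "$d/caCert.pem" "$d/serverCert.pem" "$d/serverKey.pem" tnc.example.com \
        && echo "serverCert.pem is valid for tnc.example.com"
    rm -rf "$d"
fi
```

Run the script with --demo to exercise it on the constructed fixture, or call verify_server_cert directly on the files in /etc/pts/pki; the host name argument should be exactly the value of the tnc-pdp server option, since that is the name PT-TLS clients will validate against.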

Right after installation the strongSwan TNC daemon has to be enabled and started as a systemd service with the following commands

sudo systemctl enable strongswan-swanctl
sudo systemctl start strongswan-swanctl

In all subsequent reboots the strongswan-swanctl service will be started automatically. The following swanctl command shows that the service is running and that the certificates and keys have been loaded

swanctl --list-certs

List of X.509 End Entity Certificates

  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Server" 
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  validity:  not before Jul 07 09:07:31 2017, ok
             not after  Jul 07 09:07:31 2021, ok (expires in 1460 days)
  serial:    40:53:6a:88:f5:52:50:3b
  altNames:  tnc.example.com
  flags:     serverAuth
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
  pubkey:    ECDSA 256 bits, has private key
  keyid:     15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
  subjkey:   9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce

List of X.509 CA Certificates

  subject:  "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  validity:  not before Jul 07 08:19:08 2017, ok
             not after  Jul 07 08:19:08 2027, ok (expires in 3651 days)
  serial:    3a:98:52:2e:75:a5:a5:8b
  flags:     CA CRLSign self-signed
  subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  pubkey:    ECDSA 256 bits
  keyid:     85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
  subjkey:   81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84

Install Apache Web Server

An Apache web server equipped with a Web Server Gateway Interface (WSGI) module is installed on Ubuntu by the single command

sudo apt install apache2 libapache2-mod-wsgi

In order to secure access to the web server we enable TLS

sudo a2enmod ssl

Configure strongTNC Virtual Web Server

In the /etc/apache2/sites-available directory create the following configuration file and name it e.g. tnc.conf:

WSGIPythonPath /var/www/tnc

<VirtualHost *:443>
    ServerName tnc.example.com
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/tnc

    <Directory /var/www/tnc/config>
        <Files wsgi.py>
            # Apache 2.4 access control; on Apache 2.2 use "Order deny,allow" / "Allow from all"
            Require all granted
        </Files>
    </Directory>

    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
    WSGIPassAuthorization On

    SSLEngine on
    SSLCertificateFile    /etc/swanctl/x509/serverCert.pem
    SSLCertificateKeyFile /etc/swanctl/ecdsa/serverKey.pem

    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
</VirtualHost>

The tnc log directory is created with

sudo mkdir /var/log/apache2/tnc

Initialize PTS Database

If you haven't done so yet during the strongSwan TNC server installation, initialize the PTS SQLite database and give group "www-data" write permission. The sqlite3 process has to run as root because /etc/pts is owned by root, and the directory itself must be group-writable as well, since SQLite creates its journal file next to the database:

cd /usr/share/strongswan/templates/database/imv/
cat tables.sql data.sql | sudo sqlite3 /etc/pts/config.db
sudo chgrp www-data /etc/pts /etc/pts/config.db
sudo chmod g+w /etc/pts /etc/pts/config.db
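Two files set up so far deserve a permission check before the services go live: /etc/strongswan.conf, which carries the strongTNC REST API password in its rest_api.uri entry, and /etc/pts/config.db (plus its directory), which charon writes as root and strongTNC writes as www-data. The following POSIX shell functions are an added example, not part of the wiki page or of strongSwan; they assume GNU coreutils (stat -c) and take the paths and the expected group from the caller, so they run unchanged on a temporary directory.

```sh
#!/bin/sh
# Added example (not from the strongSwan wiki): permission checks for the two
# files shared between charon and strongTNC. Assumes GNU coreutils (stat -c).

# secret_file_ok FILE
# /etc/strongswan.conf carries the strongTNC REST API password in clear text
# (libimcv.plugins.imv-swima.rest_api.uri), so nobody but the owner may read
# it. Returns 0 when the mode has no group or other bits set at all.
secret_file_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "$1: cannot stat" >&2; return 1; }
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$1: mode $mode grants access beyond the owner" >&2; return 1 ;;
    esac
}

# shared_db_ok FILE GROUP
# /etc/pts/config.db is written by charon (as root) and by strongTNC (as
# www-data): it must belong to GROUP (name or numeric gid), be group-writable
# and not be world-writable. Call it on /etc/pts as well, because SQLite
# creates its journal file next to the database.
shared_db_ok() {
    f="$1"; want="$2"
    grp=$(stat -c '%G' "$f" 2>/dev/null) || { echo "$f: cannot stat" >&2; return 1; }
    gid=$(stat -c '%g' "$f")
    mode=$(stat -c '%a' "$f")
    low=$(printf '%04d' "$mode"); low=${low#?}   # last three octal digits: user group other
    g=$(printf '%s' "$low" | cut -c2)
    o=$(printf '%s' "$low" | cut -c3)
    [ "$grp" = "$want" ] || [ "$gid" = "$want" ] || {
        echo "$f: group $grp ($gid), expected $want" >&2; return 1; }
    [ $((g & 2)) -ne 0 ] || { echo "$f: not group-writable (mode $mode)" >&2; return 1; }
    [ $((o & 2)) -eq 0 ] || { echo "$f: world-writable (mode $mode)" >&2; return 1; }
}

# Stand-alone use on the real files (needs root to stat /etc/strongswan.conf).
if [ "${1:-}" = "--check" ]; then
    secret_file_ok /etc/strongswan.conf
    shared_db_ok /etc/pts www-data
    shared_db_ok /etc/pts/config.db www-data
fi
```

Run with --check on the TNC server; each failing condition is reported on stderr with the offending mode, which is easier to act on than a silent "database is locked" or "unable to open database file" from charon or strongTNC later.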

Installing the strongTNC Policy Manager

strongTNC is a web application built on the Django framework and therefore written in Python. At least Django 1.8 and Python 2.6.5 are required. For the following installation and configuration steps we assume an Ubuntu Linux platform, but the procedure on other Linux distributions is quite similar.

Installing strongTNC

The strongTNC project is hosted on GitHub. The current master branch can be installed as follows

wget https://github.com/strongswan/strongTNC/archive/master.zip
unzip master.zip
sudo mv strongTNC-master /var/www/tnc
sudo chown -R www-data:www-data /var/www/tnc

Installing Python/Django

If not present yet, install the following Ubuntu packages

sudo apt install python-pip python-dev python-requests libxml2-dev libxslt1-dev

In the /var/www/tnc directory execute the command

sudo pip install -r requirements.txt

which updates the Django version if necessary and installs various Python modules.

Configuring strongTNC

Copy config/settings.sample.ini to /etc/strongTNC/settings.ini and adapt the settings to your preferences. DEBUG = 1 makes Django return full tracebacks to the browser, which is convenient for a hackathon setup but should be switched to 0 on any server that is not a throw-away test installation.

[debug]
DEBUG = 1
TEMPLATE_DEBUG = 0
SQL_DEBUG = 0
DEBUG_TOOLBAR = 0

[db]
DJANGO_DB_URL = sqlite:////var/www/tnc/django.db
STRONGTNC_DB_URL = sqlite:////etc/pts/config.db

[paths]
STATIC_ROOT = static

[security]
ALLOWED_HOSTS = 127.0.0.1,tnc.example.com
CSRF_COOKIE_SECURE = 1

[localization]
LANGUAGE_CODE = en-us
TIME_ZONE = Etc/UTC

[admins]
Your Name: andreas.steffen@strongswan.org

Configuring strongTNC Access Passwords

Create the django.db database where the login passwords are stored with the command

sudo python /var/www/tnc/manage.py migrate --database meta

Next set the strongTNC access passwords ("ietf99hackathon" in our example):

sudo python /var/www/tnc/manage.py setpassword
--> Please enter a new password for admin-user: ietf99hackathon
--> Granting write_access permission.
Looking for readonly-user in database...
--> Please enter a new password for readonly-user: ietf99hackathon
Passwords updated successfully!

as well as the admin password

sudo python /var/www/tnc/manage.py createsuperuser --database meta
--> Username (leave blank to use 'root'): admin
--> Email address: andreas.steffen@strongswan.org
--> Password: ietf99hackathon
--> Password (again): ietf99hackathon
Superuser created successfully.

In order to get a correct display of the strongTNC web pages you have to execute the following command

sudo python /var/www/tnc/manage.py collectstatic

Starting the strongTNC Virtual Web Server

Now enable the virtual web server in the /etc/apache2/sites-enabled directory and start it:

cd /etc/apache2/sites-enabled
sudo ln -s ../sites-available/tnc.conf tnc.conf
sudo systemctl restart apache2

Accessing the strongTNC Server

Since "tnc.example.com" cannot be resolved by DNS, add an entry of the form "<IP address of the TNC server> tnc.example.com" to "/etc/hosts" on the server and on every client that connects to it.

Bulk SWID Tag Import

The SWID tags for the Linux kernel image and the Linux kernel headers are so large that it is preferable to import them directly into the strongTNC database. For attestation use cases you also want to collect the SWID tags on a trusted reference system and import them as files.

Generating SWID Tags in a Bulk

The sw-collector tool can generate all SWID tags that are not registered in the strongTNC database yet and store them in a file

sudo sw-collector --generate --installed --full > Tags/Ubuntu_16.04-x86_64-20170708.tags

  sending request to 'https://xxxx@tnc.example.com/api/sessions/0/swid-measurement/'...
  creating strongswan.org__Ubuntu_16.04-x86_64-activity-log-manager-0.9.7-0ubuntu23.16.04.1
  creating strongswan.org__Ubuntu_16.04-x86_64-apparmor-2.10.95-0ubuntu2.6
  creating strongswan.org__Ubuntu_16.04-x86_64-appmenu-qt5-0.3.0~16.04.20170216-0ubuntu1
  ...
  creating strongswan.org__Ubuntu_16.04-x86_64-vino-3.8.1-0ubuntu9.2
  creating strongswan.org__Ubuntu_16.04-x86_64-wget-1.17.1-1ubuntu1.2
  creating strongswan.org__Ubuntu_16.04-x86_64-whoopsie-0.2.52.3
created 236 tags for unregistered installed software identifiers

Importing SWID Tags in a Bulk

sudo python /var/www/tnc/manage.py importswid Tags/Ubuntu_16.04-x86_64-20170708.tags

Added Ubuntu_16.04-x86_64-activity-log-manager-0.9.7-0ubuntu23.16.04.1
Added Ubuntu_16.04-x86_64-apparmor-2.10.95-0ubuntu2.6
Added Ubuntu_16.04-x86_64-appmenu-qt5-0.3.0~16.04.20170216-0ubuntu1
...
Added Ubuntu_16.04-x86_64-vino-3.8.1-0ubuntu9.2
Added Ubuntu_16.04-x86_64-wget-1.17.1-1ubuntu1.2
Added Ubuntu_16.04-x86_64-whoopsie-0.2.52.3