PT-TLS SWIMA Server¶
- Table of contents
- PT-TLS SWIMA Server
Installing the strongSwan TNC Software¶
First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
Download the lastest strongSwan tarball
wget https://download.strongswan.org/strongswan-5.6.0rc2.tar.bz2
Unpack the tarball
tar xf strongswan-5.6.0drc2.tar.bz2
and change into the strongSwan build directory
cd strongswan-5.6.0drc2
Configure strongSwan with the following options
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
Build and install strongSwan with the commands
make; sudo make install
The following TNC server options have to be configured in /etc/strongswan.conf
charon-systemd {
journal {
default = 1
tnc = 2
imv = 3
pts = 2
}
syslog {
auth {
default = 0
}
}
plugins {
tnccs-20 {
max_batch_size = 131056
max_message_size = 131024
}
tnc-pdp {
server = tnc.example.com
pt_tls {
enable = yes
}
radius {
enable = no
}
}
}
}
libtls {
suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
database = sqlite:///etc/pts/config.db
policy_script = ipsec imv_policy_manager
plugins {
imv-swima {
rest_api {
uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
timeout = 360
}
}
}
}
The /etc/tnc_config file defines which Integrity Measurement Validators (IMVs) are loaded by the TNC server
#IMV-Configuration IMV "OS" /usr/lib/ipsec/imcvs/imv-os.so IMV "SWIMA" /usr/lib/ipsec/imcvs/imv-swima.so
Setting up a CA using the strongSwan "pki" Tool¶
The strongSwan pki tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored
sudo -s mkdir /etc/pts mkdir /etc/pts/pki cd /etc/pts/pki
Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate
pki --gen --type ecdsa --size 256 --outform pem > caKey.pem pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
The CA certificate can be listed with the following command
pki --print --in caCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem
pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem
pki --print --in serverCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default locations.
cp caCert.pem /etc/swanctl/x509ca cp serverCert.pem /etc/swanctl/x509 cp serverKey.pem /etc/swanctl/ecdsa
The strongSwan sw-collector and pt-tls-client tools use the libcurl library for TLS connections. Because curl looks for X.509 certificate trust anchors in the /etc/ssl/certs directory, the private "IETF 99 Hackathon CA" must be added to the store of trusted CAs on each endpoint (i.e. TNC client) with the following commands
cp caCert.pem /usr/local/share/ca-certificates/IETF99_Hackathon_CA.crt update-ca-certificates
Right after installation the strongSwan TNC daemon has to be enabled and started as a systemd service with the following commands
sudo systemctl enable strongswan-swanctl sudo systemctl start strongswan-swanctl
In all subsequent reboots the strongswan-swanctl service will be started automatically. The following swanctl command shows that the service is running and that the certificates and keys have been loaded
swanctl --list-certs
List of X.509 End Entity Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits, has private key
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
List of X.509 CA Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
Install Apache Web Server¶
An Apache web server equipped with a Web Server Gateway Interface (WSGI) module is installed on Ubuntu by the single command
sudo apt install apache2 libapache2-mod-wsgi
In order to secure the access to the web server we enable TLS
a2enmod ssl
Configure strongTNC Virtual Web Server¶
In the /etc/apache2/sites-available directory create the following configuration file and name it e.g. tnc.conf:
WSGIPythonPath /var/www/tnc
<VirtualHost *:443>
ServerName tnc.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/tnc
<Directory /var/www/tnc/config>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
WSGIScriptAlias / /var/www/tnc/config/wsgi.py
WSGIPassAuthorization On
SSLEngine on
SSLCertificateFile /etc/swanctl/x509/serverCert.pem
SSLCertificateKeyFile /etc/swanctl/ecdsa/serverKey.pem
ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
</VirtualHost>
The tnc log directory is created with
sudo mkdir /var/log/apache2/tnc
Initialize PTS Database¶
I you haven't done so yet during the strongSwan TNC server installation, initialize the PTS SQLite database and give group "www-data" write permission:
cd /usr/share/strongswan/templates/database/imv/ sudo cat tables.sql data.sql | sqlite3 /etc/pts/config.db sudo chgrp www-data /etc/pts /etc/pts/config.db sudo chmod g+w /etc/pts /etc/pts/config.db
Installing the strongTNC Policy Manager¶
strongTNC is a web application based on the Django framework which itself makes use of the Python scripting language. At least Django 1.8 and Python 2.6.5 are required. For the following installation and configuration steps we assume an Ubuntu Linux platform but the procedure on other Linux distributions is quite similar.
Installing strongTNC¶
The strongTNC project is hosted on GitHub. The latest release can be installed as follows
wget https://github.com/strongswan/strongTNC/archive/master.zip unzip master.zip sudo mv strongTNC-master /var/www/tnc sudo chown -R www-data:www-data /var/www/tnc
Installing Python/Django¶
If not present yet, install the following Ubuntu packages
sudo apt install python-pip python-dev python-requests libxml2-dev libxslt1-dev
In the /var/www/tnc directory execute the command
sudo pip install -r requirements.txt
which updates the Django version if necessary and installs various Python modules.
Configuring strongTNC¶
Copy config/settings.sample.ini to /etc/strongTNC/settings.ini and adapt the settings to your preferences.
[debug] DEBUG = 1 TEMPLATE_DEBUG = 0 SQL_DEBUG = 0 DEBUG_TOOLBAR = 0 [db] DJANGO_DB_URL = sqlite:////var/www/tnc/django.db STRONGTNC_DB_URL = sqlite:////etc/pts/config.db [paths] STATIC_ROOT = static [security] ALLOWED_HOSTS = 127.0.0.1,tnc.example.com CSRF_COOKIE_SECURE = 1 [localization] LANGUAGE_CODE = en-us TIME_ZONE = Etc/UTC [admins] Your Name: andreas.steffen@strongswan.org
Configuring strongTNC Access Passwords¶
Create the django.db database where the login passwords are stored with the command
sudo python /var/www/tnc/manage.py migrate --database meta
Next set the strongTNC access passwords ("ietf99hackathon" in our example):
sudo python /var/www/tnc/manage.py setpassword --> Please enter a new password for admin-user: ietf99hackathon --> Granting write_access permission. Looking for readonly-user in database... --> Please enter a new password for readonly-user: ietf99hackathon Passwords updated successfully!
as well as the admin password
sudo python /var/www/tnc/manage.py createsuperuser --database meta --> Username (leave blank to use 'root'): admin --> Email address: andreas.steffen@strongswan.org --> Password: ietf99hackathon --> Password (again): ietf99hackathon Superuser created successfully.
In order to get a correct display of the strongTNC web pages you have to execute the following command
sudo python /var/www/tnc/manage.py collectstatic
Starting the strongTNC Virtual Web Server¶
Now enable the virtual web server in the /etc/apache2/sites-enabled directory and start it:
cd /etc/apache2/sites-enabled sudo ln -s ../sites-available/tnc.conf tnc.conf sudo systemctl restart apache2
Accessing the strongTNC Server¶
- The strongTNC GUI can be accessed as either "ReadOnly" user or "Read/Write" admin-user with https://tnc.example.com/
- The strongTNC REST API can accessed as admin-user with https://tnc.example.com/api/
- The Django database interface can be accessed as admin with https://tnc.example.com/admin/
Since "tnc.example.com" cannot be resolved by DNS, add an entry to "/etc/hosts".
Bulk SWID Tag Import¶
Linux kernel image and linux kernel header SWID tags are huge so that you'd prefer to import them directly into the strongTNC database. Also for attestation use cases you'd want to collect the SWID tags from a trusted reference system and import them as files.
Generating SWID Tags in a Bulk¶
The sw-collector tool can generate all SWID tags that are not registered in the strongTNC database yet and store them in a file
sudo sw-collector --generate --installed --full > Tags/Ubuntu_16.04-x86_64-20170708.tags sending request to 'https://xxxx@tnc.example.com/api/sessions/0/swid-measurement/'... creating strongswan.org__Ubuntu_16.04-x86_64-activity-log-manager-0.9.7-0ubuntu23.16.04.1 creating strongswan.org__Ubuntu_16.04-x86_64-apparmor-2.10.95-0ubuntu2.6 creating strongswan.org__Ubuntu_16.04-x86_64-appmenu-qt5-0.3.0~16.04.20170216-0ubuntu1 ... creating strongswan.org__Ubuntu_16.04-x86_64-vino-3.8.1-0ubuntu9.2 creating strongswan.org__Ubuntu_16.04-x86_64-wget-1.17.1-1ubuntu1.2 creating strongswan.org__ Ubuntu_16.04-x86_64-whoopsie-0.2.52.3 created 236 tags for unregistered installed software identifiers
Importing SWID Tags in a Bulk¶
sudo python /var/www/tnc/manage.py importswid Tags/Ubuntu_16.04-x86_64-20170708.tags Added Ubuntu_16.04-x86_64-activity-log-manager-0.9.7-0ubuntu23.16.04.1 Added Ubuntu_16.04-x86_64-apparmor-2.10.95-0ubuntu2.6 Added Ubuntu_16.04-x86_64-appmenu-qt5-0.3.0~16.04.20170216-0ubuntu1 ... Added Ubuntu_16.04-x86_64-vino-3.8.1-0ubuntu9.2 Added Ubuntu_16.04-x86_64-wget-1.17.1-1ubuntu1.2 Added Ubuntu_16.04-x86_64-whoopsie-0.2.52.3