PT-TLS SWIMA Server » History » Version 13
« Previous -
Version 13/35
(diff) -
Next » -
Current version
Andreas Steffen, 07.07.2017 21:10
PT-TLS SWIMA Server¶
- Table of contents
- PT-TLS SWIMA Server
Installing the strongSwan TNC Software¶
First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
Download the lastest strongSwan tarball
wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
Unpack the tarball
tar xf strongswan-5.6.0dr1.tar.bz2
and change into the strongSwan build directory
cd strongswan-5.6.0dr1
Configure strongSwan with the following options
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
Build and install strongSwan with the commands
make; sudo make install
The following TNC server options have to be configured in /etc/strongswan.conf
charon-systemd {
journal {
default = 1
tnc = 2
imv = 3
pts = 2
}
syslog {
auth {
default = 0
}
}
plugins {
tnccs-20 {
max_batch_size = 131056
max_message_size = 131024
}
tnc-pdp {
server = tnc.example.org
pt_tls {
enable = yes
}
radius {
enable = no
}
}
}
}
libtls {
suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
database = sqlite:///etc/pts/config.db
policy_script = ipsec imv_policy_manager
plugins {
imv-swima {
rest_api {
uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
timeout = 360
}
}
}
}
Setting up a CA using the strongSwan "pki" Tool¶
The strongSwan pki tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored
sudo -s mkdir /etc/pts mkdir /etc/pts/pki cd /etc/pts/pki
Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate
pki --gen --type ecdsa --size 256 --outform pem > caKey.pem pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
The CA certificate can be listed with the following command
pki --print --in caCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem
pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem
pki --print --in serverCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default locations.
cp caCert.pem /etc/swanctl/x509ca cp serverCert.pem /etc/swanctl/x509 cp serverKey.pem /etc/swanctl/ecdsa
Right after installation the strongSwan TNC daemon has to be enabled and started as a systemd service with the following commands
sudo systemctl enable strongswan-swanctl sudo systemctl start strongswan-swanctl
In all subsequent reboots the strongswan-swanctl service will be started automatically. The following swanctl command shows that the service is running and that the certificates and keys have been loaded
swanctl --list-certs
List of X.509 End Entity Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits, has private key
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
List of X.509 CA Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
Install Apache Web Server¶
An Apache web server equipped with a Web Server Gateway Interface (WSGI) module is installed on Ubuntu by the single command
sudo apt install apache2 libapache2-mod-wsgi
In order to secure the access to the web server we enable TLS
a2enmod ssl
Configure strongTNC Virtual Web Server¶
In the /etc/apache2/sites-available directory create the following configuration file and name it e.g. tnc:
WSGIPythonPath /var/www/tnc
<VirtualHost *:443>
ServerName tnc.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/tnc
<Directory /var/www/tnc/config>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
WSGIScriptAlias / /var/www/tnc/config/wsgi.py
WSGIPassAuthorization On
SSLEngine on
SSLCertificateFile /etc/swanctl/x509/serverCert.pem
SSLCertificateKeyFile /etc/swanctl/ecdsa/serverKey.pem
ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
</VirtualHost>
The tnc log directory is created with
sudo mkdir /var/log/apache2/tnc
Initialize PTS Database¶
I you haven't done so yet during the strongSwan TNC server installation, initialize the PTS SQLite database and give group "www-data" write permission:
cd /usr/share/strongswan/templates/database/imv/ sudo cat tables.sql data.sql | sqlite3 /etc/pts/config.db sudo chgrp www-data /etc/pts /etc/pts/config.db sudo chmod g+w /etc/pts /etc/pts/config.db
Installing the strongTNC Policy Manager¶
strongTNC is a web application based on the Django framework which itself makes use of the Python scripting language. At least Django 1.8 and Python 2.6.5 are required. For the following installation and configuration steps we assume an Ubuntu Linux platform but the procedure on other Linux distributions is quite similar.
Install strongTNC¶
The strongTNC project is hosted on GitHub. The latest release can be installed as follows
wget https://github.com/strongswan/strongTNC/archive/master.zip unzip master.zip sudo mv strongTNC-master /var/www/tnc sudo chown -R www-data:www-data /var/www/tnc
Install Python/Django¶
If not present yet, install the following Ubuntu packages
sudo apt install python-pip python-dev libxml2-dev libxslt1-dev
In the /var/www/tnc directory execute the command
sudo pip install -r requirements.txt
which updates the Django version if necessary and installs various Python modules.
Configure strongTNC¶
Copy config/settings.sample.ini to /etc/strongTNC/settings.ini and adapt the settings to your preferences.
[debug] DEBUG=0 TEMPLATE_DEBUG=0 DEBUG_TOOLBAR=0 [db] DJANGO_DB_URL=sqlite:////var/www/tnc/django.db STRONGTNC_DB_URL = sqlite:////etc/pts/config.db [localization] LANGUAGE_CODE=en-us TIME_ZONE=Europe/Zurich [admins] Your Name: jane.doe@strongswan.org Another Admin: joe.doe@strongswan.org [security] SECRET_KEY=<secret key>
Newer strongTNC versions do not come with a default django.db database where the login passwords are stored. If the database is missing create /var/www/tnc/django.db with the following command
sudo python /var/www/tnc/manage.py migrate --database meta
Next set the strongTNC access passwords to "ietf99hackathon" in our example:
sudo python /var/www/tnc/manage.py setpassword --> Please enter a new password for admin-user: <admin-user password> --> Granting write_access permission. Looking for readonly-user in database... --> Please enter a new password for readonly-user: <readonly-user password> Passwords updated successfully!
In order to get a correct display of the strongTNC web pages you have to execute the following command
sudo python /var/www/tnc/manage.py collectstatic
Start strongTNC Virtual Web Server¶
Now enable the virtual web server in the /etc/apache2/sites-enabled directory and start it:
cd /etc/apache2/sites-enabled sudo ln -s ../sites-available/tnc tnc sudo service apache2 restart