PT-TLS SWIMA Server » History » Version 14
Version 13 (Andreas Steffen, 07.07.2017 21:10) → Version 14/35 (Andreas Steffen, 07.07.2017 21:20)
h1. PT-TLS SWIMA Server
{{>toc}}
h2. Installing the strongSwan TNC Software
First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
<pre>
sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
</pre>
Download the lastest strongSwan tarball
<pre>
wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
</pre>
Unpack the tarball
<pre>
tar xf strongswan-5.6.0dr1.tar.bz2
</pre>
and change into the strongSwan build directory
<pre>
cd strongswan-5.6.0dr1
</pre>
Configure strongSwan with the following options
<pre>
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
</pre>
Build and install strongSwan with the commands
<pre>
make; sudo make install
</pre>
The following TNC server options have to be configured in */etc/strongswan.conf* /etc/strongswan.conf
<pre>
charon-systemd {
journal {
default = 1
tnc = 2
imv = 3
pts = 2
}
syslog {
auth {
default = 0
}
}
plugins {
tnccs-20 {
max_batch_size = 131056
max_message_size = 131024
}
tnc-pdp {
server = tnc.example.org
pt_tls {
enable = yes
}
radius {
enable = no
}
}
}
}
libtls {
suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
database = sqlite:///etc/pts/config.db
policy_script = ipsec imv_policy_manager
plugins {
imv-swima {
rest_api {
uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
timeout = 360
}
}
}
}
</pre>
The */etc/tnc_config* file defines which Integrity Measurement Collectors (IMVs) are loaded by the TNC server
<pre>
#IMV-Configuration
IMV "OS" /usr/lib/ipsec/imcvs/imv-os.so
IMV "SWIMA" /usr/lib/ipsec/imcvs/imv-swima.so
</pre>
h2. Setting up a CA using the strongSwan "pki" Tool
The strongSwan *pki* tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored
<pre>
sudo -s
mkdir /etc/pts
mkdir /etc/pts/pki
cd /etc/pts/pki
</pre>
Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate
<pre>
pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
</pre>
The CA certificate can be listed with the following command
<pre>
pki --print --in caCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
</pre>
<pre>
pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem
</pre>
<pre>
pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem
</pre>
<pre>
pki --print --in serverCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
</pre>
The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default locations.
<pre>
cp caCert.pem /etc/swanctl/x509ca
cp serverCert.pem /etc/swanctl/x509
cp serverKey.pem /etc/swanctl/ecdsa
</pre>
Right after installation the strongSwan TNC daemon has to be enabled and started as a systemd service with the following commands
<pre>
sudo systemctl enable strongswan-swanctl
sudo systemctl start strongswan-swanctl
</pre>
In all subsequent reboots the *strongswan-swanctl* service will be started automatically. The following *swanctl* command shows that the service is running and that the certificates and keys have been loaded
<pre>
swanctl --list-certs
List of X.509 End Entity Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits, has private key
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
List of X.509 CA Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
</pre>
h2. Install Apache Web Server
An Apache web server equipped with a *Web Server Gateway Interface (WSGI)* module is installed on Ubuntu by the single command
<pre>
sudo apt install apache2 libapache2-mod-wsgi
</pre>
In order to secure the access to the web server we enable TLS
<pre>
a2enmod ssl
</pre>
h3. Configure strongTNC Virtual Web Server
In the */etc/apache2/sites-available* directory create the following configuration file and name it e.g. *tnc*:
<pre>
WSGIPythonPath /var/www/tnc
<VirtualHost *:443>
ServerName tnc.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/tnc
<Directory /var/www/tnc/config>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
WSGIScriptAlias / /var/www/tnc/config/wsgi.py
WSGIPassAuthorization On
SSLEngine on
SSLCertificateFile /etc/swanctl/x509/serverCert.pem
SSLCertificateKeyFile /etc/swanctl/ecdsa/serverKey.pem
ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
</VirtualHost>
</pre>
The *tnc* log directory is created with
<pre>
sudo mkdir /var/log/apache2/tnc
</pre>
h2. Initialize PTS Database
I you haven't done so yet during the strongSwan TNC server installation, initialize the PTS SQLite database and give group "www-data" write permission:
<pre>
cd /usr/share/strongswan/templates/database/imv/
sudo cat tables.sql data.sql | sqlite3 /etc/pts/config.db
sudo chgrp www-data /etc/pts /etc/pts/config.db
sudo chmod g+w /etc/pts /etc/pts/config.db
</pre>
h2. Installing the strongTNC Policy Manager
strongTNC is a web application based on the "Django":https://www.djangoproject.com/ framework which itself makes use of the Python scripting language. At least Django 1.8 and Python 2.6.5 are required. For the following installation and configuration steps we assume an Ubuntu Linux platform but the procedure on other Linux distributions is quite similar.
h3. Install strongTNC
The "strongTNC project":https://github.com/strongswan/strongTNC/ is hosted on GitHub. The latest release can be installed as follows
<pre>
wget https://github.com/strongswan/strongTNC/archive/master.zip
unzip master.zip
sudo mv strongTNC-master /var/www/tnc
sudo chown -R www-data:www-data /var/www/tnc
</pre>
h3. Install Python/Django
If not present yet, install the following Ubuntu packages
<pre>
sudo apt install python-pip python-dev libxml2-dev libxslt1-dev
</pre>
In the */var/www/tnc* directory execute the command
<pre>
sudo pip install -r requirements.txt
</pre>
which updates the Django version if necessary and installs various Python modules.
h3. Configure strongTNC
Copy *config/settings.sample.ini* to */etc/strongTNC/settings.ini* and adapt the settings to your preferences.
<pre>
[debug]
DEBUG=0
TEMPLATE_DEBUG=0
DEBUG_TOOLBAR=0
[db]
DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
[localization]
LANGUAGE_CODE=en-us
TIME_ZONE=Europe/Zurich
[admins]
Your Name: jane.doe@strongswan.org
Another Admin: joe.doe@strongswan.org
[security]
SECRET_KEY=<secret key>
</pre>
Newer strongTNC versions do not come with a default django.db database where the login passwords are stored. If the database is missing create */var/www/tnc/django.db* with the following command
<pre>
sudo python /var/www/tnc/manage.py migrate --database meta
</pre>
Next set the strongTNC access passwords to "ietf99hackathon" in our example:
<pre>
sudo python /var/www/tnc/manage.py setpassword
--> Please enter a new password for admin-user: <admin-user password>
--> Granting write_access permission.
Looking for readonly-user in database...
--> Please enter a new password for readonly-user: <readonly-user password>
Passwords updated successfully!
</pre>
In order to get a correct display of the strongTNC web pages you have to execute the following command
<pre>
sudo python /var/www/tnc/manage.py collectstatic
</pre>
h3. Start strongTNC Virtual Web Server
Now enable the virtual web server in the */etc/apache2/sites-enabled* directory and start it:
<pre>
cd /etc/apache2/sites-enabled
sudo ln -s ../sites-available/tnc tnc
sudo service apache2 restart
</pre>
{{>toc}}
h2. Installing the strongSwan TNC Software
First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
<pre>
sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
</pre>
Download the lastest strongSwan tarball
<pre>
wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
</pre>
Unpack the tarball
<pre>
tar xf strongswan-5.6.0dr1.tar.bz2
</pre>
and change into the strongSwan build directory
<pre>
cd strongswan-5.6.0dr1
</pre>
Configure strongSwan with the following options
<pre>
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
</pre>
Build and install strongSwan with the commands
<pre>
make; sudo make install
</pre>
The following TNC server options have to be configured in */etc/strongswan.conf* /etc/strongswan.conf
<pre>
charon-systemd {
journal {
default = 1
tnc = 2
imv = 3
pts = 2
}
syslog {
auth {
default = 0
}
}
plugins {
tnccs-20 {
max_batch_size = 131056
max_message_size = 131024
}
tnc-pdp {
server = tnc.example.org
pt_tls {
enable = yes
}
radius {
enable = no
}
}
}
}
libtls {
suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
database = sqlite:///etc/pts/config.db
policy_script = ipsec imv_policy_manager
plugins {
imv-swima {
rest_api {
uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
timeout = 360
}
}
}
}
</pre>
The */etc/tnc_config* file defines which Integrity Measurement Collectors (IMVs) are loaded by the TNC server
<pre>
#IMV-Configuration
IMV "OS" /usr/lib/ipsec/imcvs/imv-os.so
IMV "SWIMA" /usr/lib/ipsec/imcvs/imv-swima.so
</pre>
h2. Setting up a CA using the strongSwan "pki" Tool
The strongSwan *pki* tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored
<pre>
sudo -s
mkdir /etc/pts
mkdir /etc/pts/pki
cd /etc/pts/pki
</pre>
Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate
<pre>
pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
</pre>
The CA certificate can be listed with the following command
<pre>
pki --print --in caCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
</pre>
<pre>
pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem
</pre>
<pre>
pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem
</pre>
<pre>
pki --print --in serverCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
</pre>
The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default locations.
<pre>
cp caCert.pem /etc/swanctl/x509ca
cp serverCert.pem /etc/swanctl/x509
cp serverKey.pem /etc/swanctl/ecdsa
</pre>
Right after installation the strongSwan TNC daemon has to be enabled and started as a systemd service with the following commands
<pre>
sudo systemctl enable strongswan-swanctl
sudo systemctl start strongswan-swanctl
</pre>
In all subsequent reboots the *strongswan-swanctl* service will be started automatically. The following *swanctl* command shows that the service is running and that the certificates and keys have been loaded
<pre>
swanctl --list-certs
List of X.509 End Entity Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits, has private key
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
List of X.509 CA Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
</pre>
h2. Install Apache Web Server
An Apache web server equipped with a *Web Server Gateway Interface (WSGI)* module is installed on Ubuntu by the single command
<pre>
sudo apt install apache2 libapache2-mod-wsgi
</pre>
In order to secure the access to the web server we enable TLS
<pre>
a2enmod ssl
</pre>
h3. Configure strongTNC Virtual Web Server
In the */etc/apache2/sites-available* directory create the following configuration file and name it e.g. *tnc*:
<pre>
WSGIPythonPath /var/www/tnc
<VirtualHost *:443>
ServerName tnc.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/tnc
<Directory /var/www/tnc/config>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
WSGIScriptAlias / /var/www/tnc/config/wsgi.py
WSGIPassAuthorization On
SSLEngine on
SSLCertificateFile /etc/swanctl/x509/serverCert.pem
SSLCertificateKeyFile /etc/swanctl/ecdsa/serverKey.pem
ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
</VirtualHost>
</pre>
The *tnc* log directory is created with
<pre>
sudo mkdir /var/log/apache2/tnc
</pre>
h2. Initialize PTS Database
I you haven't done so yet during the strongSwan TNC server installation, initialize the PTS SQLite database and give group "www-data" write permission:
<pre>
cd /usr/share/strongswan/templates/database/imv/
sudo cat tables.sql data.sql | sqlite3 /etc/pts/config.db
sudo chgrp www-data /etc/pts /etc/pts/config.db
sudo chmod g+w /etc/pts /etc/pts/config.db
</pre>
h2. Installing the strongTNC Policy Manager
strongTNC is a web application based on the "Django":https://www.djangoproject.com/ framework which itself makes use of the Python scripting language. At least Django 1.8 and Python 2.6.5 are required. For the following installation and configuration steps we assume an Ubuntu Linux platform but the procedure on other Linux distributions is quite similar.
h3. Install strongTNC
The "strongTNC project":https://github.com/strongswan/strongTNC/ is hosted on GitHub. The latest release can be installed as follows
<pre>
wget https://github.com/strongswan/strongTNC/archive/master.zip
unzip master.zip
sudo mv strongTNC-master /var/www/tnc
sudo chown -R www-data:www-data /var/www/tnc
</pre>
h3. Install Python/Django
If not present yet, install the following Ubuntu packages
<pre>
sudo apt install python-pip python-dev libxml2-dev libxslt1-dev
</pre>
In the */var/www/tnc* directory execute the command
<pre>
sudo pip install -r requirements.txt
</pre>
which updates the Django version if necessary and installs various Python modules.
h3. Configure strongTNC
Copy *config/settings.sample.ini* to */etc/strongTNC/settings.ini* and adapt the settings to your preferences.
<pre>
[debug]
DEBUG=0
TEMPLATE_DEBUG=0
DEBUG_TOOLBAR=0
[db]
DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
[localization]
LANGUAGE_CODE=en-us
TIME_ZONE=Europe/Zurich
[admins]
Your Name: jane.doe@strongswan.org
Another Admin: joe.doe@strongswan.org
[security]
SECRET_KEY=<secret key>
</pre>
Newer strongTNC versions do not come with a default django.db database where the login passwords are stored. If the database is missing create */var/www/tnc/django.db* with the following command
<pre>
sudo python /var/www/tnc/manage.py migrate --database meta
</pre>
Next set the strongTNC access passwords to "ietf99hackathon" in our example:
<pre>
sudo python /var/www/tnc/manage.py setpassword
--> Please enter a new password for admin-user: <admin-user password>
--> Granting write_access permission.
Looking for readonly-user in database...
--> Please enter a new password for readonly-user: <readonly-user password>
Passwords updated successfully!
</pre>
In order to get a correct display of the strongTNC web pages you have to execute the following command
<pre>
sudo python /var/www/tnc/manage.py collectstatic
</pre>
h3. Start strongTNC Virtual Web Server
Now enable the virtual web server in the */etc/apache2/sites-enabled* directory and start it:
<pre>
cd /etc/apache2/sites-enabled
sudo ln -s ../sites-available/tnc tnc
sudo service apache2 restart
</pre>