Version 20 - History - PT-TLS SWIMA Server - strongSwan

PT-TLS SWIMA Server » History » Version 20

Andreas Steffen, 08.07.2017 07:20

-Andreas Steffen
+h1. PT-TLS SWIMA Server
 Andreas Steffen
-Andreas Steffen
+{{>toc}}
 Andreas Steffen
-Andreas Steffen
+h2. Installing the strongSwan TNC Software
 Andreas Steffen
-Andreas Steffen
+First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
-Andreas Steffen
+<pre>
-Andreas Steffen
+ sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Download the lastest strongSwan tarball
-Andreas Steffen
+<pre>
-Andreas Steffen
+wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Unpack the tarball
-Andreas Steffen
+<pre>
-Andreas Steffen
+tar xf strongswan-5.6.0dr1.tar.bz2
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+and change into the strongSwan build directory
-Andreas Steffen
+<pre>
-Andreas Steffen
+cd strongswan-5.6.0dr1
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Configure strongSwan with the following options
-Andreas Steffen
+<pre>
-Andreas Steffen
+./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Build and install strongSwan with the commands
-Andreas Steffen
+<pre>
-Andreas Steffen
+make; sudo make install
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The following TNC server options have to be configured in */etc/strongswan.conf*
-Andreas Steffen
+<pre>
-Andreas Steffen
+charon-systemd {
-Andreas Steffen
+  journal {
-Andreas Steffen
+    default = 1
-Andreas Steffen
+    tnc = 2
-Andreas Steffen
+    imv = 3
-Andreas Steffen
+    pts = 2
 Andreas Steffen
-Andreas Steffen
+  syslog {
-Andreas Steffen
+    auth {
-Andreas Steffen
+      default = 0
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+  plugins {
-Andreas Steffen
+    tnccs-20 {
-Andreas Steffen
+      max_batch_size = 131056
-Andreas Steffen
+      max_message_size = 131024
 Andreas Steffen
-Andreas Steffen
+    tnc-pdp {
-Andreas Steffen
+      server = tnc.example.org
-Andreas Steffen
+      pt_tls {
-Andreas Steffen
+        enable = yes
 Andreas Steffen
-Andreas Steffen
+      radius {
-Andreas Steffen
+        enable = no
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+libtls {
-Andreas Steffen
+  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+libimcv {
-Andreas Steffen
+  database = sqlite:///etc/pts/config.db
-Andreas Steffen
+  policy_script = ipsec imv_policy_manager
-Andreas Steffen
+  plugins {
-Andreas Steffen
+    imv-swima {
-Andreas Steffen
+      rest_api {
-Andreas Steffen
+        uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
-Andreas Steffen
+        timeout = 360
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+</pre>
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+The */etc/tnc_config* file defines which Integrity Measurement Collectors (IMVs) are loaded by the TNC server
-Andreas Steffen
+<pre>
-Andreas Steffen
+#IMV-Configuration
-Andreas Steffen
+IMV "OS"        /usr/lib/ipsec/imcvs/imv-os.so
-Andreas Steffen
+IMV "SWIMA"     /usr/lib/ipsec/imcvs/imv-swima.so
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Setting up a CA using the strongSwan "pki" Tool
 Andreas Steffen
-Andreas Steffen
+The strongSwan *pki* tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored
-Andreas Steffen
+<pre>
-Andreas Steffen
+  sudo -s
-Andreas Steffen
+  mkdir /etc/pts
-Andreas Steffen
+  mkdir /etc/pts/pki
-Andreas Steffen
+  cd /etc/pts/pki
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
-Andreas Steffen
+pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The CA certificate can be listed with the following command
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --print --in caCert.pem
-Andreas Steffen
+  subject:  "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  validity:  not before Jul 07 08:19:08 2017, ok
-Andreas Steffen
+             not after  Jul 07 08:19:08 2027, ok (expires in 3651 days)
-Andreas Steffen
+  serial:    3a:98:52:2e:75:a5:a5:8b
-Andreas Steffen
+  flags:     CA CRLSign self-signed
-Andreas Steffen
+  subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
-Andreas Steffen
+  subjkey:   81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --print --in serverCert.pem
-Andreas Steffen
+  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
-Andreas Steffen
+  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  validity:  not before Jul 07 09:07:31 2017, ok
-Andreas Steffen
+             not after  Jul 07 09:07:31 2021, ok (expires in 1460 days)
-Andreas Steffen
+  serial:    40:53:6a:88:f5:52:50:3b
-Andreas Steffen
+  altNames:  tnc.example.com
-Andreas Steffen
+  flags:     serverAuth
-Andreas Steffen
+  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+  subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
-Andreas Steffen
+  subjkey:   9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default locations.
-Andreas Steffen
+<pre>
-Andreas Steffen
+cp caCert.pem /etc/swanctl/x509ca
-Andreas Steffen
+cp serverCert.pem /etc/swanctl/x509
-Andreas Steffen
+cp serverKey.pem /etc/swanctl/ecdsa
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The strongSwan *sw-collector* and *pt-tls-client* tools use the libcurl library for TLS connections. Because curl looks for X.509 certificate trust anchors in the /etc/ssl/certs directory, the private "IETF 99 Hackathon CA" must be added to the store of trusted CAs on each endpoint (i.e. TNC client) with the following commands
-Andreas Steffen
+<pre>
-Andreas Steffen
+cp caCert.pem /usr/local/share/ca-certificates/IETF99_Hackathon_CA.crt
-Andreas Steffen
+update-ca-certificates
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Right after installation the strongSwan TNC daemon has to be enabled and started as a systemd service with the following commands
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo systemctl enable strongswan-swanctl
-Andreas Steffen
+sudo systemctl start strongswan-swanctl
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+In all subsequent reboots the *strongswan-swanctl* service will be started automatically. The following *swanctl* command shows that the service is running and that the certificates and keys have been loaded
-Andreas Steffen
+<pre>
-Andreas Steffen
+ swanctl --list-certs
 Andreas Steffen
-Andreas Steffen
+List of X.509 End Entity Certificates
 Andreas Steffen
-Andreas Steffen
+  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
-Andreas Steffen
+  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  validity:  not before Jul 07 09:07:31 2017, ok
-Andreas Steffen
+             not after  Jul 07 09:07:31 2021, ok (expires in 1460 days)
-Andreas Steffen
+  serial:    40:53:6a:88:f5:52:50:3b
-Andreas Steffen
+  altNames:  tnc.example.com
-Andreas Steffen
+  flags:     serverAuth
-Andreas Steffen
+  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+  subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
-Andreas Steffen
+  pubkey:    ECDSA 256 bits, has private key
-Andreas Steffen
+  keyid:     15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
-Andreas Steffen
+  subjkey:   9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
 Andreas Steffen
-Andreas Steffen
+List of X.509 CA Certificates
 Andreas Steffen
-Andreas Steffen
+  subject:  "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  validity:  not before Jul 07 08:19:08 2017, ok
-Andreas Steffen
+             not after  Jul 07 08:19:08 2027, ok (expires in 3651 days)
-Andreas Steffen
+  serial:    3a:98:52:2e:75:a5:a5:8b
-Andreas Steffen
+  flags:     CA CRLSign self-signed
-Andreas Steffen
+  subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
-Andreas Steffen
+  subjkey:   81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Install Apache Web Server
 Andreas Steffen
-Andreas Steffen
+An Apache web server equipped with a *Web Server Gateway Interface (WSGI)* module is installed on Ubuntu by the single command
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo apt install apache2 libapache2-mod-wsgi
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+In order to secure the access to the web server we enable TLS
-Andreas Steffen
+<pre>
-Andreas Steffen
+a2enmod ssl
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h3. Configure strongTNC Virtual Web Server
 Andreas Steffen
-Andreas Steffen
+In the */etc/apache2/sites-available* directory create the following configuration file and name it e.g. *tnc.conf*:
-Andreas Steffen
+<pre>
-Andreas Steffen
+WSGIPythonPath /var/www/tnc
 Andreas Steffen
-Andreas Steffen
+<VirtualHost *:443>
-Andreas Steffen
+    ServerName tnc.example.com
-Andreas Steffen
+    ServerAdmin webmaster@localhost
 Andreas Steffen
-Andreas Steffen
+    DocumentRoot /var/www/tnc
 Andreas Steffen
-Andreas Steffen
+    <Directory /var/www/tnc/config>
-Andreas Steffen
+        <Files wsgi.py>
-Andreas Steffen
+            Order deny,allow
-Andreas Steffen
+            Allow from all
-Andreas Steffen
+        </Files>
-Andreas Steffen
+    </Directory>
 Andreas Steffen
-Andreas Steffen
+    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
-Andreas Steffen
+    WSGIPassAuthorization On
 Andreas Steffen
-Andreas Steffen
+    SSLEngine on
-Andreas Steffen
+    SSLCertificateFile    /etc/swanctl/x509/serverCert.pem
-Andreas Steffen
+    SSLCertificateKeyFile /etc/swanctl/ecdsa/serverKey.pem
 Andreas Steffen
-Andreas Steffen
+    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
-Andreas Steffen
+    LogLevel warn
-Andreas Steffen
+    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
-Andreas Steffen
+</VirtualHost>
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The *tnc* log directory is created with
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo mkdir /var/log/apache2/tnc
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Initialize PTS Database
 Andreas Steffen
-Andreas Steffen
+I you haven't done so yet during the strongSwan TNC server installation, initialize the PTS SQLite database and give group "www-data" write permission:
-Andreas Steffen
+<pre>
-Andreas Steffen
+cd /usr/share/strongswan/templates/database/imv/
-Andreas Steffen
+sudo cat tables.sql data.sql | sqlite3 /etc/pts/config.db
-Andreas Steffen
+sudo chgrp www-data /etc/pts /etc/pts/config.db
-Andreas Steffen
+sudo chmod g+w /etc/pts /etc/pts/config.db
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Installing the strongTNC Policy Manager
 Andreas Steffen
-Andreas Steffen
+strongTNC is a web application based on the "Django":https://www.djangoproject.com/ framework which itself makes use of the Python scripting language. At least Django 1.8 and Python 2.6.5 are required.  For the following installation and configuration steps we assume an Ubuntu Linux platform but the procedure on other Linux distributions is quite similar.
 Andreas Steffen
-Andreas Steffen
+h3. Install strongTNC
 Andreas Steffen
-Andreas Steffen
+The "strongTNC project":https://github.com/strongswan/strongTNC/ is hosted on GitHub. The latest release can be installed as follows
-Andreas Steffen
+<pre>
-Andreas Steffen
+wget https://github.com/strongswan/strongTNC/archive/master.zip
-Andreas Steffen
+unzip master.zip
-Andreas Steffen
+sudo mv strongTNC-master /var/www/tnc
-Andreas Steffen
+sudo chown -R www-data:www-data /var/www/tnc
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h3. Install Python/Django
 Andreas Steffen
-Andreas Steffen
+If not present yet, install the following Ubuntu packages
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo apt install python-pip python-dev libxml2-dev libxslt1-dev requests
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+In the */var/www/tnc* directory execute the command
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo pip install -r requirements.txt
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+which updates the Django version if necessary and installs various Python modules.
 Andreas Steffen
-Andreas Steffen
+h3. Configure strongTNC
 Andreas Steffen
-Andreas Steffen
+Copy *config/settings.sample.ini* to */etc/strongTNC/settings.ini* and adapt the settings to your preferences.
-Andreas Steffen
+<pre>
-Andreas Steffen
+[debug]
-Andreas Steffen
+DEBUG = 1
-Andreas Steffen
+TEMPLATE_DEBUG = 0
-Andreas Steffen
+SQL_DEBUG = 0
-Andreas Steffen
+DEBUG_TOOLBAR = 0
 Andreas Steffen
-Andreas Steffen
+[db]
-Andreas Steffen
+DJANGO_DB_URL = sqlite:////var/www/tnc/django.db
-Andreas Steffen
+STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
 Andreas Steffen
-Andreas Steffen
+[paths]
-Andreas Steffen
+STATIC_ROOT = static
 Andreas Steffen
-Andreas Steffen
+[security]
-Andreas Steffen
+ALLOWED_HOSTS = 127.0.0.1,tnc.example.com
-Andreas Steffen
+CSRF_COOKIE_SECURE = 1
 Andreas Steffen
-Andreas Steffen
+[localization]
-Andreas Steffen
+LANGUAGE_CODE = en-us
-Andreas Steffen
+TIME_ZONE = Etc/UTC
 Andreas Steffen
-Andreas Steffen
+[admins]
-Andreas Steffen
+Your Name: andreas.steffen@strongswan.org
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Create the django.db database where the login passwords are stored with the command
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo python /var/www/tnc/manage.py migrate --database meta
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Next set the strongTNC access passwords ("ietf99hackathon" in our example):
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo python /var/www/tnc/manage.py setpassword
-Andreas Steffen
+--> Please enter a new password for admin-user: ietf99hackathon
-Andreas Steffen
+--> Granting write_access permission.
-Andreas Steffen
+Looking for readonly-user in database...
-Andreas Steffen
+--> Please enter a new password for readonly-user: ietf99hackathon
-Andreas Steffen
+Passwords updated successfully!
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+In order to get a correct display of the strongTNC web pages you have to execute the following command
-Andreas Steffen
+<pre>
-Andreas Steffen
+sudo python /var/www/tnc/manage.py collectstatic
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h3. Start strongTNC Virtual Web Server
 Andreas Steffen
-Andreas Steffen
+Now enable the virtual web server in the */etc/apache2/sites-enabled* directory and start it:
-Andreas Steffen
+<pre>
-Andreas Steffen
+cd /etc/apache2/sites-enabled
-Andreas Steffen
+sudo ln -s ../sites-available/tnc.conf tnc.conf
-Andreas Steffen
+sudo systemctl restart apache2
-Andreas Steffen
+</pre>

Project

General

Profile

strongSwan

PT-TLS SWIMA Server » History » Version 20