PT-TLS SWIMA Server » History » Version 24
Version 23 (Andreas Steffen, 08.07.2017 08:17) → Version 24/35 (Andreas Steffen, 08.07.2017 08:26)
h1. PT-TLS SWIMA Server
{{>toc}}
h2. Installing the strongSwan TNC Software
First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
<pre>
sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
</pre>
Download the latest strongSwan tarball
<pre>
wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
</pre>
Unpack the tarball
<pre>
tar xf strongswan-5.6.0dr1.tar.bz2
</pre>
and change into the strongSwan build directory
<pre>
cd strongswan-5.6.0dr1
</pre>
Configure strongSwan with the following options
<pre>
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
</pre>
Build and install strongSwan with the commands
<pre>
make; sudo make install
</pre>
The following TNC server options have to be configured in */etc/strongswan.conf*
<pre>
charon-systemd {
    journal {
        default = 1
        tnc = 2
        imv = 3
        pts = 2
    }
    syslog {
        auth {
            default = 0
        }
    }
    plugins {
        tnccs-20 {
            max_batch_size = 131056
            max_message_size = 131024
        }
        tnc-pdp {
            server = tnc.example.com
            pt_tls {
                enable = yes
            }
            radius {
                enable = no
            }
        }
    }
}
libtls {
    suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
    database = sqlite:///etc/pts/config.db
    policy_script = ipsec imv_policy_manager
    plugins {
        imv-swima {
            rest_api {
                uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
                timeout = 360
            }
        }
    }
}
</pre>
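As an added example that is neither part of this page nor strongSwan code, the following Python script parses the nested brace syntax of *strongswan.conf* and checks the TNC-relevant settings above: that PT-TLS is enabled, that only ECDHE cipher suites are offered, and that the REST API URI uses https. It also flags the *admin-user* password embedded in *rest_api.uri*, which makes the file permissions of */etc/strongswan.conf* matter; the check rules themselves are the example's own assumptions.

```python
"""strongswan.conf parser and TNC sanity checks; added example, not strongSwan code."""
from urllib.parse import urlsplit

# Constructed sample: the TNC-relevant parts of the /etc/strongswan.conf shown above.
SAMPLE_CONF = """\
charon-systemd {
    plugins {
        tnc-pdp {
            pt_tls {
                enable = yes
            }
        }
    }
}
libtls {
    suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
libimcv {
    plugins {
        imv-swima {
            rest_api {
                uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
            }
        }
    }
}
"""

def parse(text):
    """Nested dicts from strongswan.conf text ('#' comments, one item per line)."""
    root = cur = {}
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}" and stack:              # close the current section
            cur = stack.pop()
        elif line.endswith("{"):               # open (or re-enter) a subsection
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif "=" in line:                      # key = value, value runs to end of line
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if stack:
        raise ValueError("unterminated section at end of file")
    return root

def get(conf, path, default=None):  # dotted-path lookup, e.g. 'libtls.suites'
    for part in path.split("."):
        conf = conf.get(part) if isinstance(conf, dict) else None
    return default if conf is None else conf

def check_tnc_server(conf):
    """Findings vs. the intent above; pt_tls.enable defaults to yes as in strongSwan."""
    findings = []
    if get(conf, "charon-systemd.plugins.tnc-pdp.pt_tls.enable", "yes") != "yes":
        findings.append("tnc-pdp: PT-TLS transport is disabled")
    suites = [s for s in get(conf, "libtls.suites", "").split(",") if s]
    weak = [s for s in suites if not s.startswith("TLS_ECDHE_")]
    if weak:
        findings.append("libtls: suites without forward secrecy: " + ",".join(weak))
    uri = urlsplit(get(conf, "libimcv.plugins.imv-swima.rest_api.uri", ""))
    if uri.scheme != "https":
        findings.append("imv-swima: REST API URI does not use https")
    if uri.password:
        findings.append("imv-swima: REST API password embedded in strongswan.conf; keep the file root-only")
    return findings
```

Running `check_tnc_server(parse(open("/etc/strongswan.conf").read()))` on the real file reports the embedded password as the only finding for the configuration above.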
The */etc/tnc_config* file defines which Integrity Measurement Verifiers (IMVs) are loaded by the TNC server
<pre>
#IMV-Configuration
IMV "OS" /usr/lib/ipsec/imcvs/imv-os.so
IMV "SWIMA" /usr/lib/ipsec/imcvs/imv-swima.so
</pre>
h2. Setting up a CA using the strongSwan "pki" Tool
The strongSwan *pki* tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored
<pre>
sudo -s
mkdir /etc/pts
mkdir /etc/pts/pki
cd /etc/pts/pki
</pre>
Then we generate an ECDSA key pair (256 bits) for the Root CA and a matching self-signed CA certificate
<pre>
pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
</pre>
The CA certificate can be listed with the following command
<pre>
pki --print --in caCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
</pre>
Next we create a PKCS#10 certificate request for the TNC server key *serverKey.pem* (an ECDSA key generated beforehand in the same way as *caKey.pem*), carrying the server hostname as a subjectAltName
<pre>
pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem
</pre>
and have the CA issue the server certificate with the *serverAuth* extended key usage flag and a lifetime of four years
<pre>
pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem
</pre>
The resulting server certificate can be listed with
<pre>
pki --print --in serverCert.pem
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
</pre>
The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default locations.
<pre>
cp caCert.pem /etc/swanctl/x509ca
cp serverCert.pem /etc/swanctl/x509
cp serverKey.pem /etc/swanctl/ecdsa
</pre>
The strongSwan *sw-collector* and *pt-tls-client* tools use the libcurl library for TLS connections. Because curl looks for X.509 certificate trust anchors in the /etc/ssl/certs directory, the private "IETF 99 Hackathon CA" must be added to the store of trusted CAs on each endpoint (i.e. TNC client) with the following commands
<pre>
cp caCert.pem /usr/local/share/ca-certificates/IETF99_Hackathon_CA.crt
update-ca-certificates
</pre>
Right after installation the strongSwan TNC daemon has to be enabled and started as a systemd service with the following commands
<pre>
sudo systemctl enable strongswan-swanctl
sudo systemctl start strongswan-swanctl
</pre>
On all subsequent reboots the *strongswan-swanctl* service is started automatically. The following *swanctl* command shows that the service is running and that the certificates and keys have been loaded
<pre>
swanctl --list-certs
List of X.509 End Entity Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 09:07:31 2017, ok
not after Jul 07 09:07:31 2021, ok (expires in 1460 days)
serial: 40:53:6a:88:f5:52:50:3b
altNames: tnc.example.com
flags: serverAuth
authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
pubkey: ECDSA 256 bits, has private key
keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
List of X.509 CA Certificates
subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
validity: not before Jul 07 08:19:08 2017, ok
not after Jul 07 08:19:08 2027, ok (expires in 3651 days)
serial: 3a:98:52:2e:75:a5:a5:8b
flags: CA CRLSign self-signed
subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
pubkey: ECDSA 256 bits
keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
</pre>
h2. Install Apache Web Server
An Apache web server equipped with a *Web Server Gateway Interface (WSGI)* module is installed on Ubuntu by the single command
<pre>
sudo apt install apache2 libapache2-mod-wsgi
</pre>
In order to secure access to the web server we enable the Apache TLS module
<pre>
a2enmod ssl
</pre>
h3. Configure strongTNC Virtual Web Server
In the */etc/apache2/sites-available* directory create the following configuration file and name it e.g. *tnc.conf*:
<pre>
WSGIPythonPath /var/www/tnc
<VirtualHost *:443>
    ServerName tnc.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/tnc
    <Directory /var/www/tnc/config>
        <Files wsgi.py>
            Order deny,allow
            Allow from all
        </Files>
    </Directory>
    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
    WSGIPassAuthorization On
    SSLEngine on
    SSLCertificateFile /etc/swanctl/x509/serverCert.pem
    SSLCertificateKeyFile /etc/swanctl/ecdsa/serverKey.pem
    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
</VirtualHost>
</pre>
The *tnc* log directory is created with
<pre>
sudo mkdir /var/log/apache2/tnc
</pre>
h2. Initialize PTS Database
If you haven't done so yet during the strongSwan TNC server installation, initialize the PTS SQLite database and give group "www-data" write permission (note that *sudo* must apply to *sqlite3*, which writes the database, not to *cat*):
<pre>
cd /usr/share/strongswan/templates/database/imv/
cat tables.sql data.sql | sudo sqlite3 /etc/pts/config.db
sudo chgrp www-data /etc/pts /etc/pts/config.db
sudo chmod g+w /etc/pts /etc/pts/config.db
</pre>
h2. Installing the strongTNC Policy Manager
strongTNC is a web application based on the "Django":https://www.djangoproject.com/ framework which itself makes use of the Python scripting language. At least Django 1.8 and Python 2.6.5 are required. For the following installation and configuration steps we assume an Ubuntu Linux platform but the procedure on other Linux distributions is quite similar.
h3. Installing strongTNC
The "strongTNC project":https://github.com/strongswan/strongTNC/ is hosted on GitHub. The latest release can be installed as follows
<pre>
wget https://github.com/strongswan/strongTNC/archive/master.zip
unzip master.zip
sudo mv strongTNC-master /var/www/tnc
sudo chown -R www-data:www-data /var/www/tnc
</pre>
h3. Installing Python/Django
If not present yet, install the following Ubuntu packages
<pre>
sudo apt install python-pip python-dev libxml2-dev libxslt1-dev python-requests
</pre>
In the */var/www/tnc* directory execute the command
<pre>
sudo pip install -r requirements.txt
</pre>
which updates the Django version if necessary and installs various Python modules.
h3. Configuring strongTNC
Copy *config/settings.sample.ini* to */etc/strongTNC/settings.ini* and adapt the settings to your preferences.
<pre>
[debug]
DEBUG = 1
TEMPLATE_DEBUG = 0
SQL_DEBUG = 0
DEBUG_TOOLBAR = 0
[db]
DJANGO_DB_URL = sqlite:////var/www/tnc/django.db
STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
[paths]
STATIC_ROOT = static
[security]
ALLOWED_HOSTS = 127.0.0.1,tnc.example.com
CSRF_COOKIE_SECURE = 1
[localization]
LANGUAGE_CODE = en-us
TIME_ZONE = Etc/UTC
[admins]
Your Name: andreas.steffen@strongswan.org
</pre>
h3. Configuring strongTNC Access Passwords
Create the django.db database where the login passwords are stored with the command
<pre>
sudo python /var/www/tnc/manage.py migrate --database meta
</pre>
Next set the strongTNC access passwords ("ietf99hackathon" in our example):
<pre>
sudo python /var/www/tnc/manage.py setpassword
--> Please enter a new password for admin-user: ietf99hackathon
--> Granting write_access permission.
Looking for readonly-user in database...
--> Please enter a new password for readonly-user: ietf99hackathon
Passwords updated successfully!
</pre>
as well as the *admin* password
<pre>
sudo python /var/www/tnc/manage.py createsuperuser --database meta
--> Username (leave blank to use 'root'): admin
--> Email address: andreas.steffen@strongswan.org
--> Password: ietf99hackathon
--> Password (again): ietf99hackathon
Superuser created successfully.
</pre>
In order to get a correct display of the strongTNC web pages you have to execute the following command
<pre>
sudo python /var/www/tnc/manage.py collectstatic
</pre>
h3. Starting the strongTNC Virtual Web Server
Now enable the virtual web server in the */etc/apache2/sites-enabled* directory and start it:
<pre>
cd /etc/apache2/sites-enabled
sudo ln -s ../sites-available/tnc.conf tnc.conf
sudo systemctl restart apache2
</pre>
h3. Accessing the strongTNC Server
* The strongTNC GUI can be accessed as either the read-only *readonly-user* or the read/write *admin-user* via "https://tnc.example.com/":https://tnc.example.com/
* The strongTNC REST API can be accessed as *admin-user* via "https://tnc.example.com/api/":https://tnc.example.com/api/
* The Django database interface can be accessed as *admin* via "https://tnc.example.com/admin/":https://tnc.example.com/admin/
Since "tnc.example.com" cannot be resolved by DNS, add an entry to "/etc/hosts".