PT-TLS SWIMA Server » History » Version 3
Andreas Steffen, 07.07.2017 17:21
PT-TLS SWIMA Server
Installing the strongSwan TNC Software
First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
Download the latest strongSwan tarball
wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
Unpack the tarball
tar xf strongswan-5.6.0dr1.tar.bz2
and change into the strongSwan build directory
cd strongswan-5.6.0dr1
Configure strongSwan with the following options
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
Build and install strongSwan with the commands
make && sudo make install
Setting up a Certificate Authority using the strongSwan "pki" Tool
The strongSwan pki tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored
sudo -s
mkdir /etc/pts
mkdir /etc/pts/pki
cd /etc/pts/pki
Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate
pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
The CA certificate can be listed with the following command
pki --print --in caCert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  validity:  not before Jul 07 08:19:08 2017, ok
             not after  Jul 07 08:19:08 2027, ok (expires in 3651 days)
  serial:    3a:98:52:2e:75:a5:a5:8b
  flags:     CA CRLSign self-signed
  subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  pubkey:    ECDSA 256 bits
  keyid:     85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
  subjkey:   81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
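A sanity check for the CA files created above, as an added example that is not part of the original wiki page: check_ca_print reads pki --print output on stdin and confirms a self-signed CA certificate with an ECDSA 256-bit key, and check_key_mode flags a private key file that group or others can access. The function names are made up for this example, and the umask value mentioned in the comments is an assumption about the root shell.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.
# Usage: pki --print --in caCert.pem | check_ca_print && check_key_mode caKey.pem

# Read `pki --print` output on stdin. Succeed only for a self-signed CA
# certificate whose subject equals its issuer and whose key is ECDSA 256 bits.
check_ca_print() {
    awk '
        # Return the text after the first "label:" with blanks trimmed.
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        $1 == "subject:" { subject = val($0) }
        $1 == "issuer:"  { issuer  = val($0) }
        $1 == "flags:"   { flags   = " " val($0) " " }
        $1 == "pubkey:"  { pubkey  = val($0) }
        END {
            if (subject == "" || subject != issuer) { print "subject and issuer differ"; bad = 1 }
            if (index(flags, " CA ") == 0)          { print "CA flag missing"; bad = 1 }
            if (index(flags, " self-signed ") == 0) { print "not self-signed"; bad = 1 }
            if (pubkey != "ECDSA 256 bits")         { print "unexpected key: " pubkey; bad = 1 }
            exit bad + 0
        }'
}

# Succeed only if the key file gives no access to group or others.
# A key written by shell redirection in a root shell gets mode 644 under
# the common umask 022 (assumed), leaving the CA private key world-readable.
check_key_mode() {
    [ -f "$1" ] || { echo "$1: no such file"; return 2; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] && return 0
    echo "$1: group/other access ($perms), run: chmod 600 $1"
    return 1
}

# Sample input: lines copied from the pki --print listing on this page.
sample_print() {
    cat <<'EOF'
  subject:  "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  flags:     CA CRLSign self-signed
  pubkey:    ECDSA 256 bits
EOF
}
```

Running umask 077 in the root shell before pki --gen creates caKey.pem with mode 600 from the start, so check_key_mode passes without a later chmod.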