Version 5 - History - PT-TLS SWIMA Server - strongSwan

PT-TLS SWIMA Server » History » Version 5

Andreas Steffen, 07.07.2017 18:15

-Andreas Steffen
+h1. PT-TLS SWIMA Server
 Andreas Steffen
-Andreas Steffen
+h2. Installing the strongSwan TNC Software
 Andreas Steffen
-Andreas Steffen
+First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
-Andreas Steffen
+<pre>
-Andreas Steffen
+ sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Download the lastest strongSwan tarball
-Andreas Steffen
+<pre>
-Andreas Steffen
+wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Unpack the tarball
-Andreas Steffen
+<pre>
-Andreas Steffen
+tar xf strongswan-5.6.0dr1.tar.bz2
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+and change into the strongSwan build directory
-Andreas Steffen
+<pre>
-Andreas Steffen
+cd strongswan-5.6.0dr1
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Configure strongSwan with the following options
-Andreas Steffen
+<pre>
-Andreas Steffen
+./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Build and install strongSwan with the commands
-Andreas Steffen
+<pre>
-Andreas Steffen
+make; sudo make install
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Setting up a Certificate Authority using the strongSwan "pki" Tool
 Andreas Steffen
-Andreas Steffen
+The strongSwan *pki* tool is very powerful and easy to use. First we create a directory where
-Andreas Steffen
+all keys and certificates are going to be stored
-Andreas Steffen
+<pre>
-Andreas Steffen
+  sudo -s
-Andreas Steffen
+  mkdir /etc/pts
-Andreas Steffen
+  mkdir /etc/pts/pki
-Andreas Steffen
+  cd /etc/pts/pki
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
-Andreas Steffen
+pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The CA certificate can be listed with the following command
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --print --in caCert.pem
-Andreas Steffen
+  subject:  "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  validity:  not before Jul 07 08:19:08 2017, ok
-Andreas Steffen
+             not after  Jul 07 08:19:08 2027, ok (expires in 3651 days)
-Andreas Steffen
+  serial:    3a:98:52:2e:75:a5:a5:8b
-Andreas Steffen
+  flags:     CA CRLSign self-signed
-Andreas Steffen
+  subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
-Andreas Steffen
+  subjkey:   81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --print --in serverCert.pem
-Andreas Steffen
+  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
-Andreas Steffen
+  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  validity:  not before Jul 07 09:07:31 2017, ok
-Andreas Steffen
+             not after  Jul 07 09:07:31 2021, ok (expires in 1460 days)
-Andreas Steffen
+  serial:    40:53:6a:88:f5:52:50:3b
-Andreas Steffen
+  altNames:  tnc.example.com
-Andreas Steffen
+  flags:     serverAuth
-Andreas Steffen
+  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+  subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
-Andreas Steffen
+  subjkey:   9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+cp caCert.pem /etc/swanctl/x509ca
-Andreas Steffen
+cp serverCert.pem /etc/swanctl/x509
-Andreas Steffen
+cp serverKey.pem /etc/swanctl/ecdsa
-Andreas Steffen
+</pre>

Project

General

Profile

strongSwan

PT-TLS SWIMA Server » History » Version 5