Project

General

Profile

History

strongSwan User Documentation » Trusted Network Connect (TNC) HOWTO » Software Inventory Message and Attributes for PA-TNC (SWIMA) »

PT-TLS SWIMA Server » History » Version 6

« Previous - Version 6/35 (diff) - Next » - Current version
Andreas Steffen, 07.07.2017 19:50

PT-TLS SWIMA Server

Installing the strongSwan TNC Software

First we have to install some additional Ubuntu packages needed for the strongSwan TNC build

 sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev

Download the lastest strongSwan tarball

wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2

Unpack the tarball

tar xf strongswan-5.6.0dr1.tar.bz2

and change into the strongSwan build directory

cd strongswan-5.6.0dr1

Configure strongSwan with the following options

./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd

Build and install strongSwan with the commands

make; sudo make install

Setting up a Certificate Authority using the strongSwan "pki" Tool

The strongSwan pki tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored

  sudo -s
  mkdir /etc/pts
  mkdir /etc/pts/pki
  cd /etc/pts/pki

Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate

pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem

The CA certificate can be listed with the following command

pki --print --in caCert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  validity:  not before Jul 07 08:19:08 2017, ok
             not after  Jul 07 08:19:08 2027, ok (expires in 3651 days)
  serial:    3a:98:52:2e:75:a5:a5:8b
  flags:     CA CRLSign self-signed
  subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  pubkey:    ECDSA 256 bits
  keyid:     85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
  subjkey:   81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84


pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem

pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem

pki --print --in serverCert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Server" 
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  validity:  not before Jul 07 09:07:31 2017, ok
             not after  Jul 07 09:07:31 2021, ok (expires in 1460 days)
  serial:    40:53:6a:88:f5:52:50:3b
  altNames:  tnc.example.com
  flags:     serverAuth
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
  pubkey:    ECDSA 256 bits
  keyid:     15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
  subjkey:   9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce

The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default locations.

cp caCert.pem /etc/swanctl/x509ca
cp serverCert.pem /etc/swanctl/x509
cp serverKey.pem /etc/swanctl/ecdsa