Version 6 (Andreas Steffen, 07.07.2017 19:50) → Version 7/35 (Andreas Steffen, 07.07.2017 20:09)
h1. PT-TLS SWIMA Server
h2. Installing the strongSwan TNC Software
First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
<pre>
sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
</pre>
Download the latest strongSwan tarball
<pre>
wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
</pre>
Unpack the tarball
<pre>
tar xf strongswan-5.6.0dr1.tar.bz2
</pre>
and change into the strongSwan build directory
<pre>
cd strongswan-5.6.0dr1
</pre>
Configure strongSwan with the following options
<pre>
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
</pre>
Build and install strongSwan with the commands
<pre>
make; sudo make install
</pre>
The following TNC server options have to be configured in /etc/strongswan.conf
<pre>
charon-systemd {
    journal {
        default = 1
        tnc = 2
        imv = 3
        pts = 2
    }
    syslog {
        auth {
            default = 0
        }
    }
    plugins {
        tnccs-20 {
            max_batch_size = 131056
            max_message_size = 131024
        }
        tnc-pdp {
            server = tnc.example.org
            pt_tls {
                enable = yes
            }
            radius {
                enable = no
            }
        }
    }
}
libtls {
    suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
    database = sqlite:///etc/pts/config.db
    policy_script = ipsec imv_policy_manager
    plugins {
        imv-swima {
            rest_api {
                uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
                timeout = 360
            }
        }
    }
}
</pre>
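As an added example, not part of this page or of strongSwan, the following Python parses the strongswan.conf section syntax used above and audits the PT-TLS-specific settings before charon-systemd is started: PT-TLS enabled with RADIUS off, the tnc-pdp server name matching the DNS subjectAltName of the server certificate (passed in as a parameter), the PB-TNC size limits, forward-secret TLS suites, and an https REST API URI without embedded credentials. The excerpt is constructed from the configuration above, and the 32-byte header allowance is an assumption taken from the difference between the two tnccs-20 sizes.

```python
import re
from urllib.parse import urlsplit
# Constructed excerpt of the strongswan.conf shown above (not the full file).
SAMPLE_CONF = """
charon-systemd { plugins {
    tnccs-20 { max_batch_size = 131056
               max_message_size = 131024 }
    tnc-pdp { server = tnc.example.org
              pt_tls { enable = yes }  radius { enable = no } } } }
libtls { suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 }
libimcv { plugins { imv-swima { rest_api { uri = https://admin-user:ietf99hackathon@tnc.example.com/api/ } } } }
"""
# Tokens of the strongswan.conf grammar: 'name {', '}' and 'key = value'
TOKEN = re.compile(r"([\w-]+)\s*\{|(\})|([\w-]+)\s*=\s*([^\n}]*)")

def parse_conf(text):
    """Parse 'section { key = value }' text into nested dicts; '#' starts a comment."""
    stack = [{}]
    for opened, closed, key, value in TOKEN.findall(re.sub(r"#.*", "", text)):
        if opened:
            stack.append(stack[-1].setdefault(opened, {}))
        elif closed:
            stack.pop()
        else:
            stack[-1][key] = value.strip()
    return stack[0]

def get(conf, path, default=None):  # dotted-path lookup, e.g. 'libtls.suites'
    for part in path.split("."):
        conf = conf.get(part) if isinstance(conf, dict) else None
    return default if conf is None else conf

def audit(conf, cert_san):
    """Return findings for the PT-TLS PDP settings; cert_san is the server certificate's DNS SAN."""
    pdp, tnccs = "charon-systemd.plugins.tnc-pdp.", "charon-systemd.plugins.tnccs-20."
    findings = []
    if get(conf, pdp + "pt_tls.enable") != "yes" or get(conf, pdp + "radius.enable") != "no":
        findings.append("PDP must serve PT-TLS only: pt_tls.enable = yes, radius.enable = no")
    if get(conf, pdp + "server") != cert_san:  # the PDP selects its TLS server cert by this identity
        findings.append(f"tnc-pdp.server {get(conf, pdp + 'server')} differs from cert SAN {cert_san}")
    msg, batch = (int(get(conf, tnccs + k, 0)) for k in ("max_message_size", "max_batch_size"))
    if msg + 32 > batch:  # assumed 32 = PB-TNC batch (8) + PB-TNC message (12) + PB-PA (12) headers
        findings.append("max_message_size leaves no header room in max_batch_size")
    for suite in get(conf, "libtls.suites", "").split(","):
        if suite and not suite.startswith("TLS_ECDHE_"):
            findings.append("no forward secrecy: " + suite)
    uri = urlsplit(get(conf, "libimcv.plugins.imv-swima.rest_api.uri", ""))
    if uri.scheme != "https" or uri.password:
        findings.append("rest_api.uri must use https and should not embed a password")
    return findings
```

Run `audit(parse_conf(open("/etc/strongswan.conf").read()), "<DNS SAN of serverCert.pem>")` against the real file; an empty list means the PT-TLS settings are consistent with the certificate you issued.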
h2. Setting up a Certificate Authority using the strongSwan "pki" Tool
The strongSwan *pki* tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored
<pre>
sudo -s
mkdir /etc/pts
mkdir /etc/pts/pki
cd /etc/pts/pki
</pre>
Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate
<pre>
pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
</pre>
The CA certificate can be listed with the following command
<pre>
pki --print --in caCert.pem
  subject:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  issuer:    "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  validity:  not before Jul 07 08:19:08 2017, ok
             not after  Jul 07 08:19:08 2027, ok (expires in 3651 days)
  serial:    3a:98:52:2e:75:a5:a5:8b
  flags:     CA CRLSign self-signed
  subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  pubkey:    ECDSA 256 bits
  keyid:     85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
  subjkey:   81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
</pre>
Next we generate an ECC key pair for the TNC server, in the same way as for the CA, and a PKCS#10 certificate request that carries the server's DNS name as a subjectAltName
<pre>
pki --gen --type ecdsa --size 256 --outform pem > serverKey.pem
pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem
</pre>
The CA then issues the server certificate from this request with the serverAuth extended key usage flag and a lifetime of four years
<pre>
pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem
</pre>
The issued server certificate can be listed with
<pre>
pki --print --in serverCert.pem
  subject:   "C=CZ, O=IETF, OU=SACM, CN=TNC Server"
  issuer:    "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
  validity:  not before Jul 07 09:07:31 2017, ok
             not after  Jul 07 09:07:31 2021, ok (expires in 1460 days)
  serial:    40:53:6a:88:f5:52:50:3b
  altNames:  tnc.example.com
  flags:     serverAuth
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
  pubkey:    ECDSA 256 bits
  keyid:     15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1
  subjkey:   9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce
</pre>
The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default swanctl credential directories.
<pre>
cp caCert.pem /etc/swanctl/x509ca
cp serverCert.pem /etc/swanctl/x509
cp serverKey.pem /etc/swanctl/ecdsa
</pre>