PT-TLS SWIMA Server » History » Version 8
Andreas Steffen, 07.07.2017 20:17
| 1 | 1 | Andreas Steffen | h1. PT-TLS SWIMA Server |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 1 | Andreas Steffen | h2. Installing the strongSwan TNC Software |
| 4 | 1 | Andreas Steffen | |
| 5 | 1 | Andreas Steffen | First we have to install some additional Ubuntu packages needed for the strongSwan TNC build |
| 6 | 1 | Andreas Steffen | <pre> |
| 7 | 2 | Andreas Steffen | sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev |
| 8 | 1 | Andreas Steffen | </pre> |
| 9 | 1 | Andreas Steffen | |
| 10 | 1 | Andreas Steffen | Download the lastest strongSwan tarball |
| 11 | 1 | Andreas Steffen | <pre> |
| 12 | 1 | Andreas Steffen | wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2 |
| 13 | 1 | Andreas Steffen | </pre> |
| 14 | 1 | Andreas Steffen | |
| 15 | 1 | Andreas Steffen | Unpack the tarball |
| 16 | 1 | Andreas Steffen | <pre> |
| 17 | 1 | Andreas Steffen | tar xf strongswan-5.6.0dr1.tar.bz2 |
| 18 | 1 | Andreas Steffen | </pre> |
| 19 | 1 | Andreas Steffen | |
| 20 | 1 | Andreas Steffen | and change into the strongSwan build directory |
| 21 | 1 | Andreas Steffen | <pre> |
| 22 | 1 | Andreas Steffen | cd strongswan-5.6.0dr1 |
| 23 | 1 | Andreas Steffen | </pre> |
| 24 | 1 | Andreas Steffen | |
| 25 | 1 | Andreas Steffen | Configure strongSwan with the following options |
| 26 | 1 | Andreas Steffen | <pre> |
| 27 | 1 | Andreas Steffen | ./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd |
| 28 | 1 | Andreas Steffen | </pre> |
| 29 | 1 | Andreas Steffen | |
| 30 | 1 | Andreas Steffen | Build and install strongSwan with the commands |
| 31 | 1 | Andreas Steffen | <pre> |
| 32 | 1 | Andreas Steffen | make; sudo make install |
| 33 | 1 | Andreas Steffen | </pre> |
| 34 | 3 | Andreas Steffen | |
| 35 | 7 | Andreas Steffen | The following TNC server options have to be configured in /etc/strongswan.conf |
| 36 | 7 | Andreas Steffen | <pre> |
| 37 | 7 | Andreas Steffen | charon-systemd { |
| 38 | 7 | Andreas Steffen | journal { |
| 39 | 7 | Andreas Steffen | default = 1 |
| 40 | 7 | Andreas Steffen | tnc = 2 |
| 41 | 7 | Andreas Steffen | imv = 3 |
| 42 | 7 | Andreas Steffen | pts = 2 |
| 43 | 7 | Andreas Steffen | } |
| 44 | 7 | Andreas Steffen | syslog { |
| 45 | 7 | Andreas Steffen | auth { |
| 46 | 7 | Andreas Steffen | default = 0 |
| 47 | 7 | Andreas Steffen | } |
| 48 | 7 | Andreas Steffen | } |
| 49 | 7 | Andreas Steffen | plugins { |
| 50 | 7 | Andreas Steffen | tnccs-20 { |
| 51 | 7 | Andreas Steffen | max_batch_size = 131056 |
| 52 | 7 | Andreas Steffen | max_message_size = 131024 |
| 53 | 7 | Andreas Steffen | } |
| 54 | 7 | Andreas Steffen | tnc-pdp { |
| 55 | 7 | Andreas Steffen | server = tnc.example.org |
| 56 | 7 | Andreas Steffen | pt_tls { |
| 57 | 7 | Andreas Steffen | enable = yes |
| 58 | 7 | Andreas Steffen | } |
| 59 | 7 | Andreas Steffen | radius { |
| 60 | 7 | Andreas Steffen | enable = no |
| 61 | 7 | Andreas Steffen | } |
| 62 | 7 | Andreas Steffen | } |
| 63 | 7 | Andreas Steffen | } |
| 64 | 7 | Andreas Steffen | } |
| 65 | 7 | Andreas Steffen | |
| 66 | 7 | Andreas Steffen | libtls { |
| 67 | 7 | Andreas Steffen | suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| 68 | 7 | Andreas Steffen | } |
| 69 | 7 | Andreas Steffen | |
| 70 | 7 | Andreas Steffen | libimcv { |
| 71 | 7 | Andreas Steffen | database = sqlite:///etc/pts/config.db |
| 72 | 7 | Andreas Steffen | policy_script = ipsec imv_policy_manager |
| 73 | 7 | Andreas Steffen | plugins { |
| 74 | 7 | Andreas Steffen | imv-swima { |
| 75 | 7 | Andreas Steffen | rest_api { |
| 76 | 7 | Andreas Steffen | uri = https://admin-user:ietf99hackathon@tnc.example.com/api/ |
| 77 | 7 | Andreas Steffen | timeout = 360 |
| 78 | 7 | Andreas Steffen | } |
| 79 | 7 | Andreas Steffen | } |
| 80 | 7 | Andreas Steffen | } |
| 81 | 7 | Andreas Steffen | } |
| 82 | 7 | Andreas Steffen | </pre> |
| 83 | 7 | Andreas Steffen | |
| 84 | 3 | Andreas Steffen | h2. Setting up a Certificate Authority using the strongSwan "pki" Tool |
| 85 | 3 | Andreas Steffen | |
| 86 | 6 | Andreas Steffen | The strongSwan *pki* tool is very powerful and easy to use. First we create a directory where all keys and certificates are going to be stored |
| 87 | 3 | Andreas Steffen | <pre> |
| 88 | 3 | Andreas Steffen | sudo -s |
| 89 | 3 | Andreas Steffen | mkdir /etc/pts |
| 90 | 3 | Andreas Steffen | mkdir /etc/pts/pki |
| 91 | 3 | Andreas Steffen | cd /etc/pts/pki |
| 92 | 3 | Andreas Steffen | </pre> |
| 93 | 3 | Andreas Steffen | |
| 94 | 3 | Andreas Steffen | Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate |
| 95 | 3 | Andreas Steffen | <pre> |
| 96 | 3 | Andreas Steffen | pki --gen --type ecdsa --size 256 --outform pem > caKey.pem |
| 97 | 3 | Andreas Steffen | pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem |
| 98 | 3 | Andreas Steffen | </pre> |
| 99 | 3 | Andreas Steffen | |
| 100 | 3 | Andreas Steffen | The CA certificate can be listed with the following command |
| 101 | 3 | Andreas Steffen | <pre> |
| 102 | 3 | Andreas Steffen | pki --print --in caCert.pem |
| 103 | 3 | Andreas Steffen | subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" |
| 104 | 3 | Andreas Steffen | issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" |
| 105 | 3 | Andreas Steffen | validity: not before Jul 07 08:19:08 2017, ok |
| 106 | 3 | Andreas Steffen | not after Jul 07 08:19:08 2027, ok (expires in 3651 days) |
| 107 | 3 | Andreas Steffen | serial: 3a:98:52:2e:75:a5:a5:8b |
| 108 | 3 | Andreas Steffen | flags: CA CRLSign self-signed |
| 109 | 3 | Andreas Steffen | subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84 |
| 110 | 3 | Andreas Steffen | pubkey: ECDSA 256 bits |
| 111 | 3 | Andreas Steffen | keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63 |
| 112 | 3 | Andreas Steffen | subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84 |
| 113 | 3 | Andreas Steffen | </pre> |
| 114 | 4 | Andreas Steffen | |
| 115 | 4 | Andreas Steffen | <pre> |
| 116 | 4 | Andreas Steffen | pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem |
| 117 | 4 | Andreas Steffen | </pre> |
| 118 | 4 | Andreas Steffen | |
| 119 | 4 | Andreas Steffen | <pre> |
| 120 | 4 | Andreas Steffen | pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem |
| 121 | 4 | Andreas Steffen | </pre> |
| 122 | 4 | Andreas Steffen | |
| 123 | 4 | Andreas Steffen | <pre> |
| 124 | 4 | Andreas Steffen | pki --print --in serverCert.pem |
| 125 | 4 | Andreas Steffen | subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server" |
| 126 | 4 | Andreas Steffen | issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" |
| 127 | 4 | Andreas Steffen | validity: not before Jul 07 09:07:31 2017, ok |
| 128 | 4 | Andreas Steffen | not after Jul 07 09:07:31 2021, ok (expires in 1460 days) |
| 129 | 4 | Andreas Steffen | serial: 40:53:6a:88:f5:52:50:3b |
| 130 | 4 | Andreas Steffen | altNames: tnc.example.com |
| 131 | 4 | Andreas Steffen | flags: serverAuth |
| 132 | 4 | Andreas Steffen | authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84 |
| 133 | 4 | Andreas Steffen | subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce |
| 134 | 4 | Andreas Steffen | pubkey: ECDSA 256 bits |
| 135 | 4 | Andreas Steffen | keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1 |
| 136 | 4 | Andreas Steffen | subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce |
| 137 | 1 | Andreas Steffen | </pre> |
| 138 | 4 | Andreas Steffen | |
| 139 | 6 | Andreas Steffen | The server key and the server and CA certificates are needed by the strongSwan TNC server and are therefore copied to the default locations. |
| 140 | 5 | Andreas Steffen | <pre> |
| 141 | 5 | Andreas Steffen | cp caCert.pem /etc/swanctl/x509ca |
| 142 | 5 | Andreas Steffen | cp serverCert.pem /etc/swanctl/x509 |
| 143 | 5 | Andreas Steffen | cp serverKey.pem /etc/swanctl/ecdsa |
| 144 | 5 | Andreas Steffen | </pre> |
| 145 | 8 | Andreas Steffen | Right after installation the strongSwan TNC daemon has to be enabled and started as a systemd service with the following commands |
| 146 | 8 | Andreas Steffen | <pre> |
| 147 | 8 | Andreas Steffen | sudo systemctl enable strongswan-swanctl |
| 148 | 8 | Andreas Steffen | sudo systemctl start strongswan-swanctl |
| 149 | 8 | Andreas Steffen | </pre> |
| 150 | 8 | Andreas Steffen | |
| 151 | 8 | Andreas Steffen | In all subsequent reboots the *strongswan-swanctl* service will be started automatically. The following *swanctl* command shows that the service is running and that the certificates and keys have been loaded |
| 152 | 8 | Andreas Steffen | <pre> |
| 153 | 8 | Andreas Steffen | swanctl --list-certs |
| 154 | 8 | Andreas Steffen | |
| 155 | 8 | Andreas Steffen | List of X.509 End Entity Certificates |
| 156 | 8 | Andreas Steffen | |
| 157 | 8 | Andreas Steffen | subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server" |
| 158 | 8 | Andreas Steffen | issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" |
| 159 | 8 | Andreas Steffen | validity: not before Jul 07 09:07:31 2017, ok |
| 160 | 8 | Andreas Steffen | not after Jul 07 09:07:31 2021, ok (expires in 1460 days) |
| 161 | 8 | Andreas Steffen | serial: 40:53:6a:88:f5:52:50:3b |
| 162 | 8 | Andreas Steffen | altNames: tnc.example.com |
| 163 | 8 | Andreas Steffen | flags: serverAuth |
| 164 | 8 | Andreas Steffen | authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84 |
| 165 | 8 | Andreas Steffen | subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce |
| 166 | 8 | Andreas Steffen | pubkey: ECDSA 256 bits, has private key |
| 167 | 8 | Andreas Steffen | keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1 |
| 168 | 8 | Andreas Steffen | subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce |
| 169 | 8 | Andreas Steffen | |
| 170 | 8 | Andreas Steffen | List of X.509 CA Certificates |
| 171 | 8 | Andreas Steffen | |
| 172 | 8 | Andreas Steffen | subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" |
| 173 | 8 | Andreas Steffen | issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" |
| 174 | 8 | Andreas Steffen | validity: not before Jul 07 08:19:08 2017, ok |
| 175 | 8 | Andreas Steffen | not after Jul 07 08:19:08 2027, ok (expires in 3651 days) |
| 176 | 8 | Andreas Steffen | serial: 3a:98:52:2e:75:a5:a5:8b |
| 177 | 8 | Andreas Steffen | flags: CA CRLSign self-signed |
| 178 | 8 | Andreas Steffen | subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84 |
| 179 | 8 | Andreas Steffen | pubkey: ECDSA 256 bits |
| 180 | 8 | Andreas Steffen | keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63 |
| 181 | 8 | Andreas Steffen | subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84 |
| 182 | 8 | Andreas Steffen | </pre> |