How to install self-signed certification on Windows 2012 R2 for RDP?


Recently, I have some issue about the RDP security. I try to find out how to use my own certification. Please note that it is not recommend that I use self-signed certification. Because it can make more complex trouble. However, I do not have any certification. So I will use self-signed certification for this post.


1. Pre-requisite


Before I start this post. I need to prepare the self-signed certification. In this post, I will write how to create certification with openssl. In addition, I need to merge and covert from "cert (crt)" to "pfx". In windows, the matched private key is necessary according to certification which I want to insert. 


# create CSR (Certificate Signing Request) file

openssl req -new -key crenet-pri.pem -out crenet.csr


# create certificate file

openssl x509 -req -days 365 -in crenet.csr -signkey crenet-pri.pem -out crenet.crt


# create "pfx" file 

openssl pkcs12 -export -in crenet.crt -inkey crenet-pri.pem -out crenet.pfx


2. Install certification feature and Import certificate file.


Run "mmc" and open the console. In here, I can install and configure the certification.



There is nothing at first. I need to install the certification. 



I need to follow "File > Add/Remove Snap-ins"



And choose the what I want to install. In my case, Certificates is chosen. After "Add the Certificate for Snap-in". I can see the menu like below. Select "Computer account".



Select "Local computer"



After finishing the above steps, I can see the "Certificates" category on the left of side. In "Certificates > Personal > All Tasks > Import", I can see my self-signed certificate.



Now, I can start the "Certificate Import Wizard". Click "Next"



There is the form to insert the path for certificate which is the "pfx" file.



Input the optional values if I used the values.



Select the location which the certificate is located in. In this case, "Personal" is used.



Now I can check all of information.



Click Finish. I can check the certification which is located in Personal like below.



Now, I have done to insert my certificate.


3. Check the certification status and activate the certification.


After installation and import process above, I can check the detail of certification which is installed with "double click".  If it is status is good. I can see the comment "You have a private key that corresponds to this certificate".



Now, self-signed certification is imported with correct steps and status. Now, I need to check "Thumbprint" to activate and covert this certification from default. In Details, I can see the "Thumbprint" like below.




This value of "Thumbprint" is necessary. This value is used with command line below. There are two types of command. In my case, I will use "Command mode"


# Command mode 

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT" 


# Powershell mode

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}


In the CMD, I can run like below and I will confirm that "Update is successful".



4. Access the Remote Desktop

 

Now, I will access and I can confirm the certification is changed like below.


 

Basically, RDP is encrypted by TLS. With the steps above. It is more customized.



I can see the TLS handshake by the wireshark packets.


5. (Optional) Enforce the RDP data and connection encryption level.


In this post. there are several steps to make more secure RDP connection. In the middle of contents, "Local Group Policy Editor" are used to enhance the security. Run "gpedit.msc" at first.



In "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security", there are several parameter which I have to change.


1. Set Client Connection Encryption Level (Enable/High Level)

2. Require Secure RPC communication. (Enable)

3. Require Use of Specific Security Layer for Remote (RDP) connections. (Enable/SSL)

4. Require user authentication for remote connections by using Network Level Authentication (Enable)



Reference 


[ 1 ] https://www.geocerts.com/support/how-to-export-import-ssl-certificate-between-windows-servers 

[ 2 ] https://www.youtube.com/watch?v=qDwF0_ax6_w

[ 3 ] http://createnetech.tistory.com/12?category=679927

[ 4 ] https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

[ 5 ] https://www.howtogeek.com/175087/how-to-enable-and-secure-remote-desktop-on-windows/ 

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to upgrade DNSSEC for bind9?  (0) 2019.09.16
How to configure DNS bind9 configuration in Ubuntu  (0) 2019.09.12
How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu?  (0) 2018.10.19
How to use etcd (multi-machine cluster basic mode) in Ubuntu?  (0) 2018.10.19
How does create Intermediate certificate with openssl?  (0) 2018.10.19

AWS Region ICMP and Inter Ability-Zone (AZ) Latency time estimation.



1. 2018. 11. 22

   


AWS_Region_ICMP.xlsx

AWS_InterAZ_ICMP.xlsx



저작자표시 비영리 변경금지

'Cloud Study > AWS' 카테고리의 다른 글

Why dose not the OSPFv2 of FRRouting work over AWS VPC environment?  (0) 2020.06.05
How to use AWS AppStream 2.0?  (1) 2019.01.03
How to use AWS workspace?  (0) 2019.01.02
How to Install AWS JAVA SDK in Ubuntu 16.04, Linux  (1) 2018.09.13
How to Upload Object into S3 with multipart-upload using S3API CLI  (0) 2018.09.11

How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu?


From this post, I run multi-machine cluster basic mode. Now, I will run multi-machine cluster with TLS/SSL security. I am not the security engineer. I am not friendly about TLS/SSL concepts. I studied about key and chain concept before, however it still difficult to understand it. In this documentation, there are 2 things required,  a unique key pair (member.crt, member.key) and shared cluster CA certificate (ca.crt). In this post, I address how to create these.


1. Overview the command for multi-machine cluster with TLS/SSL.


From this documentation, the commands are look like below.


etcd --name infra0 --initial-advertise-peer-urls https://172.22.0.96:2380 \

  --listen-peer-urls https://172.22.0.96:2380 \

  --listen-client-urls https://172.22.0.96:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.96:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

  --cert-file=/path/to/infra0-client.crt --key-file=/path/to/infra0-client.key \

  --peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

  --peer-cert-file=/path/to/infra0-peer.crt --peer-key-file=/path/to/infra0-peer.key


etcd --name infra1 --initial-advertise-peer-urls https://172.22.0.33:2380 \

  --listen-peer-urls https://172.22.0.33:2380 \

  --listen-client-urls https://172.22.0.33:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.33:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

  --cert-file=/path/to/infra1-client.crt --key-file=/path/to/infra1-client.key \

  --peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

  --peer-cert-file=/path/to/infra1-peer.crt --peer-key-file=/path/to/infra1-peer.key


etcd --name infra2 --initial-advertise-peer-urls https://172.22.0.133:2380 \

  --listen-peer-urls https://172.22.0.133:2380 \

  --listen-client-urls https://172.22.0.133:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.133:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

  --cert-file=/path/to/infra2-client.crt --key-file=/path/to/infra2-client.key \

  --peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

  --peer-cert-file=/path/to/infra2-peer.crt --peer-key-file=/path/to/infra2-peer.key 


From command line above, there is something unknown like below. I need certificate. However, I do not know how and what can I obtain these.


  --client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

  --cert-file=/path/to/infra2-client.crt --key-file=/path/to/infra2-client.key \

  --peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

  --peer-cert-file=/path/to/infra2-peer.crt --peer-key-file=/path/to/infra2-peer.key  


"cfssl" can do for these. In this Git link, there are introduction about "cfssl" like below.


This demonstrates using Cloudflare's cfssl to easily generate certificates for an etcd cluster. 


2. Download and install the "cfssl"


In this documentation, there are installation guide and usage


mkdir ~/bin

curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

chmod +x ~/bin/{cfssl,cfssljson} 

export PATH=$PATH:~/bin 


It is so simple. I verify the version.


# cfssl version

Version: 1.2.0

Revision: dev

Runtime: go1.6


3. Create root certificate (CA).


In the command, there are 2 root certificate, ca-client.crt and ca-peer.crt. It will be shared between all hosts. Thus, I create these certificate on single host and copy into others. To create root certificate, I need 2 files, "config.json" and "csr.json". The contents is here.


# vi ca-client-config.json

{

  "signing": {

    "default": {

        "usages": [

          "signing",

          "key encipherment",

          "server auth",

          "client auth"

        ],

        "expiry": "8760h"

    }

  }

}


# vi ca-client-csr.json

{ "CN": "CA Client", "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "Honest Achmed's Used Certificates", "OU": "Hastily-Generated Values Divison", "L": "San Francisco", "ST": "California", "C": "US" } ] }


I create "ca-client-config.json" and "ca-client-csr.json" for ca-client certificate. I have to create more for ca-peer certificate. CN name should be different.


# vi ca-peer-config.json

{

  "signing": {

    "default": {

        "usages": [

          "signing",

          "key encipherment",

          "server auth",

          "client auth"

        ],

        "expiry": "8760h"

    }

  }

}


# vi ca-peer-csr.json

{ "CN": "CA Peer", "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "Honest Achmed's Used Certificates", "OU": "Hastily-Generated Values Divison", "L": "San Francisco", "ST": "California", "C": "US" } ] }


Now, I can generate with files above. Please, note that I will obtain some files which is named "ca.csr", "ca-key.pem" and "ca.pem"


# cfssl gencert -initca ca-client-csr.json | cfssljson -bare ca-client -

# cfssl gencert -initca ca-peer-csr.json | cfssljson -bare ca-peer -


I can verify this is normally good or not. 


# openssl x509 -noout -text -in ca-client.pem

# openssl x509 -noout -text -in ca-peer.pem


It's good. I can generate intermediate certification with this certificate. Therefore I need to copy these files into other hosts. I move files on each directory like below. (I create these directory on every hosts)


# mkdir ~/cert/clientm

# cp ca-client* ~/cert/client/

# ls ~/cert/client/

ca-client-key.pem ca-client.pem ca-client-config.json


# mkdir ~/cert/peer

# cp ca-peer* ~/cert/peer/

# ls ~/cert/peer/

ca-peer-key.pem  ca-peer.pem 

 

In this documentation, there are several security models. Example 2 (Red) and Example 3(Blue) are matched with the command above.


etcd --name infra0 --initial-advertise-peer-urls https://172.22.0.96:2380 \

  --listen-peer-urls https://172.22.0.96:2380 \

  --listen-client-urls https://172.22.0.96:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.96:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

  --cert-file=/path/to/infra0-client.crt --key-file=/path/to/infra0-client.key \

  --peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

  --peer-cert-file=/path/to/infra0-peer.crt --peer-key-file=/path/to/infra0-peer.key 


At first, In example 2, I need server to run "etcd" and I need client certificate to get response. And second, In example 3, I need peer certificate to communicate between hosts.


4. Create server, client and peer certificate.


Look at this post, there are way to generate each certificate. I create server certificate. To create, I need to "server.json" file. In this Git, there are sample JSON file. For server.json, hosts information are most important.


IP's currently in the config should be replaced/added with IP addresses of each cluster node, please note 127.0.0.1 is always required for loopback  


# cat server.json

{

  "CN": "infra0-client",

  "hosts": [

    "172.22.0.96",

    "127.0.0.1"

  ],

  "key": {

    "algo": "ecdsa",

    "size": 384

  },

  "names": [

    {

      "O": "autogenerated",

      "OU": "etcd cluster",

      "L": "the internet"

    }

  ]

}


# cat server.json

{

  "CN": "infra1-client",

  "hosts": [

    "172.22.0.33",

    "127.0.0.1"

  ],

  "key": {

    "algo": "ecdsa",

    "size": 384

  },

  "names": [

    {

      "O": "autogenerated",

      "OU": "etcd cluster",

      "L": "the internet"

    }

  ]

}


# cat server.json { "CN": "infra2-client", "hosts": [ "172.22.0.133", "127.0.0.1" ], "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "autogenerated", "OU": "etcd cluster", "L": "the internet" } ] }


I will generate server certificate. Please note that the command above use the name "infra-client", however, this is server certification, it is not client certificate.


# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=server server.json | cfssljson -bare infra0-client

# mv infra0-client* client/


# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=server server.json | cfssljson -bare infra1-client

# mv infra1-client* client/


# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=server server.json | cfssljson -bare infra2-client

# mv infra2-client* client/


"-profile=server" option makes server certificate. Next, I create the peer certificate. Also I need "peer.json" file. This file is similar with "server.json". However, CommonName (CN) should be different.


# cat peer.json

{

  "CN": "infra0-peer",

  "hosts": [

    "172.22.0.96",

    "127.0.0.1"

  ],

  "key": {

    "algo": "ecdsa",

    "size": 384

  },

  "names": [

    {

      "O": "autogenerated",

      "OU": "etcd cluster",

      "L": "the internet"

    }

  ]

}


# cat peer.json

{

  "CN": "infra1-peer",

  "hosts": [

    "172.22.0.33",

    "127.0.0.1"

  ],

  "key": {

    "algo": "ecdsa",

    "size": 384

  },

  "names": [

    {

      "O": "autogenerated",

      "OU": "etcd cluster",

      "L": "the internet"

    }

  ]

}


# cat peer.json { "CN": "infra2-peer", "hosts": [ "172.22.0.133", "127.0.0.1" ], "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "autogenerated", "OU": "etcd cluster", "L": "the internet" } ] }


I generate peer certificate with peer.json file above. "-profile=peer" is adopted at this time.


# cfssl gencert -ca=peer/ca-peer.pem -ca-key=peer/ca-peer-key.pem -config=peer/ca-peer-config.json -profile=peer peer.json | cfssljson -bare infra0-peer

# mv infra0-peer* peer/


# cfssl gencert -ca=peer/ca-peer.pem -ca-key=peer/ca-peer-key.pem -config=peer/ca-peer-config.json -profile=peer peer.json | cfssljson -bare infra1-peer

# mv infra1-peer* peer/


# cfssl gencert -ca=peer/ca-peer.pem -ca-key=peer/ca-peer-key.pem -config=peer/ca-peer-config.json -profile=peer peer.json | cfssljson -bare infra2-peer

# mv infra2-peer* peer/


I create server certificate and peer certificate. Therefore, I can run "etcd" with both certificate. However, I need client certificate to obtain response. I will use same root certificate of the server. I need "client.json" file.


# cat client.json { "CN": "infra0", "hosts": [""], "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "autogenerated", "OU": "etcd cluster", "L": "the internet" } ] }


# cat client.json
{
  "CN": "infra1",
  "hosts": [""],
  "key": {
    "algo": "ecdsa",
    "size": 384
  },
  "names": [
    {
      "O": "autogenerated",
      "OU": "etcd cluster",
      "L": "the internet"
    }
  ]
}

# cat client.json
{
  "CN": "infra2",
  "hosts": [""],
  "key": {
    "algo": "ecdsa",
    "size": 384
  },
  "names": [
    {
      "O": "autogenerated",
      "OU": "etcd cluster",
      "L": "the internet"
    }
  ]
}


I generate peer certificate with client.json file above. "-profile=client" is adopted at this time.


# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=client client.json | cfssljson -bare infra0


# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=client client.json | cfssljson -bare infra1


# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=client client.json | cfssljson -bare infra2


5. Run etcd in security mode.


I ready all certificate to run in security mode. Final command looks like below.


etcd --name infra0 --initial-advertise-peer-urls https://172.22.0.96:2380 \

  --listen-peer-urls https://172.22.0.96:2380 \

  --listen-client-urls https://172.22.0.96:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.96:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --client-cert-auth --trusted-ca-file=client/ca-client.pem \

  --cert-file=client/infra0-client.pem --key-file=client/infra0-client-key.pem \

  --peer-client-cert-auth --peer-trusted-ca-file=peer/ca-peer.pem \

  --peer-cert-file=peer/infra0-peer.pem --peer-key-file=peer/infra0-peer-key.pem


etcd --name infra1 --initial-advertise-peer-urls https://172.22.0.33:2380 \

  --listen-peer-urls https://172.22.0.33:2380 \

  --listen-client-urls https://172.22.0.33:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.33:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --client-cert-auth --trusted-ca-file=client/ca-client.pem \

  --cert-file=client/infra1-client.pem --key-file=client/infra1-client-key.pem \

  --peer-client-cert-auth --peer-trusted-ca-file=peer/ca-peer.pem \

  --peer-cert-file=peer/infra1-peer.pem --peer-key-file=peer/infra1-peer-key.pem


etcd --name infra2 --initial-advertise-peer-urls https://172.22.0.133:2380 \

  --listen-peer-urls https://172.22.0.133:2380 \

  --listen-client-urls https://172.22.0.133:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.133:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --client-cert-auth --trusted-ca-file=client/ca-client.pem \

  --cert-file=client/infra2-client.pem --key-file=client/infra2-client-key.pem \

  --peer-client-cert-auth --peer-trusted-ca-file=peer/ca-peer.pem \

  --peer-cert-file=peer/infra2-peer.pem --peer-key-file=peer/infra2-peer-key.pem


At this time, I do not know command line to put and get. However, there is sample curl command in this documentation (Example 2).


curl --cacert client/ca-client.pem --cert infra0.pem --key infra0-key.pem -L https://172.22.0.96:2379/v2/keys/foo -XPUT -d value=bar -v 


# curl --cacert client/ca-client.pem --cert infra0.pem --key infra0-key.pem -L https://172.22.0.96:2379/v2/keys/foo -XPUT -d value=bar -v * Trying 172.22.0.96... * Connected to 172.22.0.96 (172.22.0.96) port 2379 (#0) * found 1 certificates in client/ca-client.pem * found 592 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256 * server certificate verification OK * server certificate status verification SKIPPED * common name: infra0-client (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: EC * certificate version: #3 * subject: L=the internet,O=autogenerated,OU=etcd cluster,CN=infra0-client * start date: Fri, 19 Oct 2018 16:34:00 GMT * expire date: Sat, 19 Oct 2019 16:34:00 GMT * issuer: C=US,ST=California,L=San Francisco,O=Honest Achmed's Used Certificates,OU=Hastily-Generated Values Divison,CN=CA Client * compression: NULL * ALPN, server did not agree to a protocol > PUT /v2/keys/foo HTTP/1.1 > Host: 172.22.0.96:2379 > User-Agent: curl/7.47.0 > Accept: */* > Content-Length: 9 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 9 out of 9 bytes < HTTP/1.1 201 Created < Content-Type: application/json < X-Etcd-Cluster-Id: e3631873cee60c62 < X-Etcd-Index: 17 < X-Raft-Index: 26 < X-Raft-Term: 47 < Date: Fri, 19 Oct 2018 17:33:13 GMT < Content-Length: 90 < {"action":"set","node":{"key":"/foo","value":"bar","modifiedIndex":17,"createdIndex":17}}


# curl --cacert client/ca-client.pem --cert infra0.pem --key infra0-key.pem -L https://172.22.0.96:2379/v2/keys/foo

{"action":"get","node":{"key":"/foo","value":"bar","modifiedIndex":17,"createdIndex":17}}


I can see the result {"action":"set","node":{"key":"/foo","value":"bar","modifiedIndex":17,"createdIndex":17}}. It's works now.


6. Run automatic certificate mode


So far, I do so many step to run in security mode. It's is not simple. Because of this, etcd offers automatic certificate mode. In this mode, etcd create certificate automatically. "--auto-tls" and "--peer-auto-tls" are replaced instead of part for certificate.


etcd --name infra0 --initial-advertise-peer-urls https://172.22.0.96:2380 \

  --listen-peer-urls https://172.22.0.96:2380 \

  --listen-client-urls https://172.22.0.96:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.96:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --auto-tls \

  --peer-auto-tls


etcd --name infra1 --initial-advertise-peer-urls https://172.22.0.33:2380 \

  --listen-peer-urls https://172.22.0.33:2380 \

  --listen-client-urls https://172.22.0.33:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.33:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --auto-tls \

  --peer-auto-tls


etcd --name infra2 --initial-advertise-peer-urls https://172.22.0.133:2380 \

  --listen-peer-urls https://172.22.0.133:2380 \

  --listen-client-urls https://172.22.0.133:2379,https://127.0.0.1:2379 \

  --advertise-client-urls https://172.22.0.133:2379 \

  --initial-cluster-token etcd-cluster-1 \

  --initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

  --initial-cluster-state new \

  --auto-tls \

  --peer-auto-tls


In Example 4 of this documentation, "curl -k https://127.0.0.1:2379/v2/keys/foo -Xput -d value=bar -v" command is used. (This site also useful)


# curl -k -X "PUT" https://127.0.0.1:2379/v2/keys/seoul -d value='seoul'

{"action":"set","node":{"key":"/seoul","value":"seoul","modifiedIndex":18,"createdIndex":18}}


# curl -k https://127.0.0.1:2379/v2/keys/seoul

{"action":"get","node":{"key":"/seoul","value":"seoul","modifiedIndex":18,"createdIndex":18}}


# curl -k -X "DELETE" https://127.0.0.1:2379/v2/keys/seoul


Now, I can use with simple model.


Reference


[ 1 ] http://createnetech.tistory.com/16

[ 2 ] http://createnetech.tistory.com/14

[ 3 ] http://createnetech.tistory.com/12

[ 4 ] https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/clustering.md

[ 5 ] https://coreos.com/etcd/docs/latest/op-guide/security.html

[ 6 ] https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md

[ 7 ] https://coreos.com/os/docs/latest/generate-self-signed-certificates.html

[ 8 ] https://github.com/etcd-io/etcd/tree/master/hack/tls-setup

[ 9 ] https://coreos.com/etcd/docs/latest/demo.html

[ 10 ] https://www.mkyong.com/web/curl-put-request-examples/

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to configure DNS bind9 configuration in Ubuntu  (0) 2019.09.12
How to install self-signed certification on Windows 2012 R2 for RDP?  (0) 2018.12.14
How to use etcd (multi-machine cluster basic mode) in Ubuntu?  (0) 2018.10.19
How does create Intermediate certificate with openssl?  (0) 2018.10.19
How to use ECDSA?  (0) 2018.10.18

+ Recent posts

티스토리툴바