'분류 전체보기' 카테고리의 글 목록 (4 Page)

분류 전체보기

How to install self-signed certification on Windows 2012 R2 for RDP? 2018.12.14
AWS Region ICMP Latency time estimation. 2018.11.22
How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu? 2018.10.19
How to use etcd (multi-machine cluster basic mode) in Ubuntu? 2018.10.19
How does create Intermediate certificate with openssl? 2018.10.19
How to use ECDSA? 2018.10.18
How to use the public, private key-pair and certificate? 2018.10.16
How to make connection of Strongswan with Azure? 2018.10.11
How to create Spot instance in Packet.net cloud? 2018.10.11
What to use WMI(Windows Management Instrumentation) from remote Linux server? 2018.10.01

How to install self-signed certification on Windows 2012 R2 for RDP?

ejunwiths 2018. 12. 14. 10:52

2018. 12. 14. 10:52

How to install self-signed certification on Windows 2012 R2 for RDP?

Recently, I have some issue about the RDP security. I try to find out how to use my own certification. Please note that it is not recommend that I use self-signed certification. Because it can make more complex trouble. However, I do not have any certification. So I will use self-signed certification for this post.

1. Pre-requisite

Before I start this post. I need to prepare the self-signed certification. In this post, I will write how to create certification with openssl. In addition, I need to merge and covert from "cert (crt)" to "pfx". In windows, the matched private key is necessary according to certification which I want to insert.

# create CSR (Certificate Signing Request) file

openssl req -new -key crenet-pri.pem -out crenet.csr

# create certificate file

openssl x509 -req -days 365 -in crenet.csr -signkey crenet-pri.pem -out crenet.crt

# create "pfx" file

openssl pkcs12 -export -in crenet.crt -inkey crenet-pri.pem -out crenet.pfx

2. Install certification feature and Import certificate file.

Run "mmc" and open the console. In here, I can install and configure the certification.

There is nothing at first. I need to install the certification.

I need to follow "File > Add/Remove Snap-ins".

And choose the what I want to install. In my case, Certificates is chosen. After "Add the Certificate for Snap-in". I can see the menu like below. Select "Computer account".

Select "Local computer"

After finishing the above steps, I can see the "Certificates" category on the left of side. In "Certificates > Personal > All Tasks > Import", I can see my self-signed certificate.

Now, I can start the "Certificate Import Wizard". Click "Next"

There is the form to insert the path for certificate which is the "pfx" file.

Input the optional values if I used the values.

Select the location which the certificate is located in. In this case, "Personal" is used.

Now I can check all of information.

Click Finish. I can check the certification which is located in Personal like below.

Now, I have done to insert my certificate.

3. Check the certification status and activate the certification.

After installation and import process above, I can check the detail of certification which is installed with "double click". If it is status is good. I can see the comment "You have a private key that corresponds to this certificate".

Now, self-signed certification is imported with correct steps and status. Now, I need to check "Thumbprint" to activate and covert this certification from default. In Details, I can see the "Thumbprint" like below.

This value of "Thumbprint" is necessary. This value is used with command line below. There are two types of command. In my case, I will use "Command mode"

# Command mode

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

# Powershell mode

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

In the CMD, I can run like below and I will confirm that "Update is successful".

4. Access the Remote Desktop

Now, I will access and I can confirm the certification is changed like below.

Basically, RDP is encrypted by TLS. With the steps above. It is more customized.

I can see the TLS handshake by the wireshark packets.

5. (Optional) Enforce the RDP data and connection encryption level.

In this post. there are several steps to make more secure RDP connection. In the middle of contents, "Local Group Policy Editor" are used to enhance the security. Run "gpedit.msc" at first.

In "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security", there are several parameter which I have to change.

1. Set Client Connection Encryption Level (Enable/High Level)

2. Require Secure RPC communication. (Enable)

3. Require Use of Specific Security Layer for Remote (RDP) connections. (Enable/SSL)

4. Require user authentication for remote connections by using Network Level Authentication (Enable)

Reference

[ 1 ] https://www.geocerts.com/support/how-to-export-import-ssl-certificate-between-windows-servers

[ 2 ] https://www.youtube.com/watch?v=qDwF0_ax6_w

[ 3 ] http://createnetech.tistory.com/12?category=679927

[ 4 ] https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

[ 5 ] https://www.howtogeek.com/175087/how-to-enable-and-secure-remote-desktop-on-windows/

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to upgrade DNSSEC for bind9? (0)	2019.09.16
How to configure DNS bind9 configuration in Ubuntu (0)	2019.09.12
How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu? (0)	2018.10.19
How to use etcd (multi-machine cluster basic mode) in Ubuntu? (0)	2018.10.19
How does create Intermediate certificate with openssl? (0)	2018.10.19

AWS Region ICMP Latency time estimation.

ejunwiths 2018. 11. 22. 15:52

2018. 11. 22. 15:52

AWS Region ICMP and Inter Ability-Zone (AZ) Latency time estimation.

1. 2018. 11. 22

AWS_Region_ICMP.xlsx

AWS_InterAZ_ICMP.xlsx

저작자표시 비영리 변경금지

'Cloud Study > AWS' 카테고리의 다른 글

Why dose not the OSPFv2 of FRRouting work over AWS VPC environment? (0)	2020.06.05
How to use AWS AppStream 2.0? (1)	2019.01.03
How to use AWS workspace? (0)	2019.01.02
How to Install AWS JAVA SDK in Ubuntu 16.04, Linux (1)	2018.09.13
How to Upload Object into S3 with multipart-upload using S3API CLI (0)	2018.09.11

How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu?

ejunwiths 2018. 10. 19. 16:04

2018. 10. 19. 16:04

How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu?

From this post, I run multi-machine cluster basic mode. Now, I will run multi-machine cluster with TLS/SSL security. I am not the security engineer. I am not friendly about TLS/SSL concepts. I studied about key and chain concept before, however it still difficult to understand it. In this documentation, there are 2 things required, a unique key pair (member.crt, member.key) and shared cluster CA certificate (ca.crt). In this post, I address how to create these.

1. Overview the command for multi-machine cluster with TLS/SSL.

From this documentation, the commands are look like below.

etcd --name infra0 --initial-advertise-peer-urls https://172.22.0.96:2380 \

--listen-peer-urls https://172.22.0.96:2380 \

--listen-client-urls https://172.22.0.96:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.96:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

--cert-file=/path/to/infra0-client.crt --key-file=/path/to/infra0-client.key \

--peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

--peer-cert-file=/path/to/infra0-peer.crt --peer-key-file=/path/to/infra0-peer.key

etcd --name infra1 --initial-advertise-peer-urls https://172.22.0.33:2380 \

--listen-peer-urls https://172.22.0.33:2380 \

--listen-client-urls https://172.22.0.33:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.33:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

--cert-file=/path/to/infra1-client.crt --key-file=/path/to/infra1-client.key \

--peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

--peer-cert-file=/path/to/infra1-peer.crt --peer-key-file=/path/to/infra1-peer.key

etcd --name infra2 --initial-advertise-peer-urls https://172.22.0.133:2380 \

--listen-peer-urls https://172.22.0.133:2380 \

--listen-client-urls https://172.22.0.133:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.133:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

--cert-file=/path/to/infra2-client.crt --key-file=/path/to/infra2-client.key \

--peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

--peer-cert-file=/path/to/infra2-peer.crt --peer-key-file=/path/to/infra2-peer.key

From command line above, there is something unknown like below. I need certificate. However, I do not know how and what can I obtain these.

--client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

--cert-file=/path/to/infra2-client.crt --key-file=/path/to/infra2-client.key \

--peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

--peer-cert-file=/path/to/infra2-peer.crt --peer-key-file=/path/to/infra2-peer.key

"cfssl" can do for these. In this Git link, there are introduction about "cfssl" like below.

This demonstrates using Cloudflare's cfssl to easily generate certificates for an etcd cluster.

2. Download and install the "cfssl"

In this documentation, there are installation guide and usage.

mkdir ~/bin

curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

chmod +x ~/bin/{cfssl,cfssljson}

export PATH=$PATH:~/bin

It is so simple. I verify the version.

# cfssl version

Version: 1.2.0

Revision: dev

Runtime: go1.6

3. Create root certificate (CA).

In the command, there are 2 root certificate, ca-client.crt and ca-peer.crt. It will be shared between all hosts. Thus, I create these certificate on single host and copy into others. To create root certificate, I need 2 files, "config.json" and "csr.json". The contents is here.

# vi ca-client-config.json

{

"signing": {

"default": {

"usages": [

"signing",

"key encipherment",

"server auth",

"client auth"

"expiry": "8760h"

}

# vi ca-client-csr.json

{ "CN": "CA Client", "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "Honest Achmed's Used Certificates", "OU": "Hastily-Generated Values Divison", "L": "San Francisco", "ST": "California", "C": "US" } ] }

I create "ca-client-config.json" and "ca-client-csr.json" for ca-client certificate. I have to create more for ca-peer certificate. CN name should be different.

# vi ca-peer-config.json

{

"signing": {

"default": {

"usages": [

"signing",

"key encipherment",

"server auth",

"client auth"

"expiry": "8760h"

}

# vi ca-peer-csr.json

{ "CN": "CA Peer", "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "Honest Achmed's Used Certificates", "OU": "Hastily-Generated Values Divison", "L": "San Francisco", "ST": "California", "C": "US" } ] }

Now, I can generate with files above. Please, note that I will obtain some files which is named "ca.csr", "ca-key.pem" and "ca.pem"

# cfssl gencert -initca ca-client-csr.json | cfssljson -bare ca-client -

# cfssl gencert -initca ca-peer-csr.json | cfssljson -bare ca-peer -

I can verify this is normally good or not.

# openssl x509 -noout -text -in ca-client.pem

# openssl x509 -noout -text -in ca-peer.pem

It's good. I can generate intermediate certification with this certificate. Therefore I need to copy these files into other hosts. I move files on each directory like below. (I create these directory on every hosts)

# mkdir ~/cert/clientm

# cp ca-client* ~/cert/client/

# ls ~/cert/client/

ca-client-key.pem ca-client.pem ca-client-config.json

# mkdir ~/cert/peer

# cp ca-peer* ~/cert/peer/

# ls ~/cert/peer/

ca-peer-key.pem ca-peer.pem

In this documentation, there are several security models. Example 2 (Red) and Example 3(Blue) are matched with the command above.

etcd --name infra0 --initial-advertise-peer-urls https://172.22.0.96:2380 \

--listen-peer-urls https://172.22.0.96:2380 \

--listen-client-urls https://172.22.0.96:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.96:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \

--cert-file=/path/to/infra0-client.crt --key-file=/path/to/infra0-client.key \

--peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \

--peer-cert-file=/path/to/infra0-peer.crt --peer-key-file=/path/to/infra0-peer.key

At first, In example 2, I need server to run "etcd" and I need client certificate to get response. And second, In example 3, I need peer certificate to communicate between hosts.

4. Create server, client and peer certificate.

Look at this post, there are way to generate each certificate. I create server certificate. To create, I need to "server.json" file. In this Git, there are sample JSON file. For server.json, hosts information are most important.

IP's currently in the config should be replaced/added with IP addresses of each cluster node, please note 127.0.0.1 is always required for loopback

# cat server.json

{

"CN": "infra0-client",

"hosts": [

"172.22.0.96",

"127.0.0.1"

"key": {

"algo": "ecdsa",

"size": 384

"names": [

{

"O": "autogenerated",

"OU": "etcd cluster",

"L": "the internet"

}

]

}

# cat server.json

{

"CN": "infra1-client",

"hosts": [

"172.22.0.33",

"127.0.0.1"

"key": {

"algo": "ecdsa",

"size": 384

"names": [

{

"O": "autogenerated",

"OU": "etcd cluster",

"L": "the internet"

}

]

}

# cat server.json { "CN": "infra2-client", "hosts": [ "172.22.0.133", "127.0.0.1" ], "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "autogenerated", "OU": "etcd cluster", "L": "the internet" } ] }

I will generate server certificate. Please note that the command above use the name "infra-client", however, this is server certification, it is not client certificate.

# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=server server.json | cfssljson -bare infra0-client

# mv infra0-client* client/

# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=server server.json | cfssljson -bare infra1-client

# mv infra1-client* client/

# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=server server.json | cfssljson -bare infra2-client

# mv infra2-client* client/

"-profile=server" option makes server certificate. Next, I create the peer certificate. Also I need "peer.json" file. This file is similar with "server.json". However, CommonName (CN) should be different.

# cat peer.json

{

"CN": "infra0-peer",

"hosts": [

"172.22.0.96",

"127.0.0.1"

"key": {

"algo": "ecdsa",

"size": 384

"names": [

{

"O": "autogenerated",

"OU": "etcd cluster",

"L": "the internet"

}

]

}

# cat peer.json

{

"CN": "infra1-peer",

"hosts": [

"172.22.0.33",

"127.0.0.1"

"key": {

"algo": "ecdsa",

"size": 384

"names": [

{

"O": "autogenerated",

"OU": "etcd cluster",

"L": "the internet"

}

]

}

# cat peer.json { "CN": "infra2-peer", "hosts": [ "172.22.0.133", "127.0.0.1" ], "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "autogenerated", "OU": "etcd cluster", "L": "the internet" } ] }

I generate peer certificate with peer.json file above. "-profile=peer" is adopted at this time.

# cfssl gencert -ca=peer/ca-peer.pem -ca-key=peer/ca-peer-key.pem -config=peer/ca-peer-config.json -profile=peer peer.json | cfssljson -bare infra0-peer

# mv infra0-peer* peer/

# cfssl gencert -ca=peer/ca-peer.pem -ca-key=peer/ca-peer-key.pem -config=peer/ca-peer-config.json -profile=peer peer.json | cfssljson -bare infra1-peer

# mv infra1-peer* peer/

# cfssl gencert -ca=peer/ca-peer.pem -ca-key=peer/ca-peer-key.pem -config=peer/ca-peer-config.json -profile=peer peer.json | cfssljson -bare infra2-peer

# mv infra2-peer* peer/

I create server certificate and peer certificate. Therefore, I can run "etcd" with both certificate. However, I need client certificate to obtain response. I will use same root certificate of the server. I need "client.json" file.

# cat client.json { "CN": "infra0", "hosts": [""], "key": { "algo": "ecdsa", "size": 384 }, "names": [ { "O": "autogenerated", "OU": "etcd cluster", "L": "the internet" } ] }

# cat client.json

{

"CN": "infra1",

"hosts": [""],

"key": {

"algo": "ecdsa",

"size": 384

"names": [

{

"O": "autogenerated",

"OU": "etcd cluster",

"L": "the internet"

}

]

}

# cat client.json

{

"CN": "infra2",

"hosts": [""],

"key": {

"algo": "ecdsa",

"size": 384

"names": [

{

"O": "autogenerated",

"OU": "etcd cluster",

"L": "the internet"

}

]

}

I generate peer certificate with client.json file above. "-profile=client" is adopted at this time.

# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=client client.json | cfssljson -bare infra0

# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=client client.json | cfssljson -bare infra1

# cfssl gencert -ca=client/ca-client.pem -ca-key=client/ca-client-key.pem -config=client/ca-client-config.json -profile=client client.json | cfssljson -bare infra2

5. Run etcd in security mode.

I ready all certificate to run in security mode. Final command looks like below.

etcd --name infra0 --initial-advertise-peer-urls https://172.22.0.96:2380 \

--listen-peer-urls https://172.22.0.96:2380 \

--listen-client-urls https://172.22.0.96:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.96:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--client-cert-auth --trusted-ca-file=client/ca-client.pem \

--cert-file=client/infra0-client.pem --key-file=client/infra0-client-key.pem \

--peer-client-cert-auth --peer-trusted-ca-file=peer/ca-peer.pem \

--peer-cert-file=peer/infra0-peer.pem --peer-key-file=peer/infra0-peer-key.pem

etcd --name infra1 --initial-advertise-peer-urls https://172.22.0.33:2380 \

--listen-peer-urls https://172.22.0.33:2380 \

--listen-client-urls https://172.22.0.33:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.33:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--client-cert-auth --trusted-ca-file=client/ca-client.pem \

--cert-file=client/infra1-client.pem --key-file=client/infra1-client-key.pem \

--peer-client-cert-auth --peer-trusted-ca-file=peer/ca-peer.pem \

--peer-cert-file=peer/infra1-peer.pem --peer-key-file=peer/infra1-peer-key.pem

etcd --name infra2 --initial-advertise-peer-urls https://172.22.0.133:2380 \

--listen-peer-urls https://172.22.0.133:2380 \

--listen-client-urls https://172.22.0.133:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.133:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--client-cert-auth --trusted-ca-file=client/ca-client.pem \

--cert-file=client/infra2-client.pem --key-file=client/infra2-client-key.pem \

--peer-client-cert-auth --peer-trusted-ca-file=peer/ca-peer.pem \

--peer-cert-file=peer/infra2-peer.pem --peer-key-file=peer/infra2-peer-key.pem

At this time, I do not know command line to put and get. However, there is sample curl command in this documentation (Example 2).

curl --cacert client/ca-client.pem --cert infra0.pem --key infra0-key.pem -L https://172.22.0.96:2379/v2/keys/foo -XPUT -d value=bar -v

# curl --cacert client/ca-client.pem --cert infra0.pem --key infra0-key.pem -L https://172.22.0.96:2379/v2/keys/foo -XPUT -d value=bar -v * Trying 172.22.0.96... * Connected to 172.22.0.96 (172.22.0.96) port 2379 (#0) * found 1 certificates in client/ca-client.pem * found 592 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256 * server certificate verification OK * server certificate status verification SKIPPED * common name: infra0-client (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: EC * certificate version: #3 * subject: L=the internet,O=autogenerated,OU=etcd cluster,CN=infra0-client * start date: Fri, 19 Oct 2018 16:34:00 GMT * expire date: Sat, 19 Oct 2019 16:34:00 GMT * issuer: C=US,ST=California,L=San Francisco,O=Honest Achmed's Used Certificates,OU=Hastily-Generated Values Divison,CN=CA Client * compression: NULL * ALPN, server did not agree to a protocol > PUT /v2/keys/foo HTTP/1.1 > Host: 172.22.0.96:2379 > User-Agent: curl/7.47.0 > Accept: */* > Content-Length: 9 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 9 out of 9 bytes < HTTP/1.1 201 Created < Content-Type: application/json < X-Etcd-Cluster-Id: e3631873cee60c62 < X-Etcd-Index: 17 < X-Raft-Index: 26 < X-Raft-Term: 47 < Date: Fri, 19 Oct 2018 17:33:13 GMT < Content-Length: 90 < {"action":"set","node":{"key":"/foo","value":"bar","modifiedIndex":17,"createdIndex":17}}

# curl --cacert client/ca-client.pem --cert infra0.pem --key infra0-key.pem -L https://172.22.0.96:2379/v2/keys/foo

{"action":"get","node":{"key":"/foo","value":"bar","modifiedIndex":17,"createdIndex":17}}

I can see the result {"action":"set","node":{"key":"/foo","value":"bar","modifiedIndex":17,"createdIndex":17}}. It's works now.

6. Run automatic certificate mode

So far, I do so many step to run in security mode. It's is not simple. Because of this, etcd offers automatic certificate mode. In this mode, etcd create certificate automatically. "--auto-tls" and "--peer-auto-tls" are replaced instead of part for certificate.

etcd --name infra0 --initial-advertise-peer-urls https://172.22.0.96:2380 \

--listen-peer-urls https://172.22.0.96:2380 \

--listen-client-urls https://172.22.0.96:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.96:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--auto-tls \

--peer-auto-tls

etcd --name infra1 --initial-advertise-peer-urls https://172.22.0.33:2380 \

--listen-peer-urls https://172.22.0.33:2380 \

--listen-client-urls https://172.22.0.33:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.33:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--auto-tls \

--peer-auto-tls

etcd --name infra2 --initial-advertise-peer-urls https://172.22.0.133:2380 \

--listen-peer-urls https://172.22.0.133:2380 \

--listen-client-urls https://172.22.0.133:2379,https://127.0.0.1:2379 \

--advertise-client-urls https://172.22.0.133:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=https://172.22.0.96:2380,infra1=https://172.22.0.33:2380,infra2=https://172.22.0.133:2380 \

--initial-cluster-state new \

--auto-tls \

--peer-auto-tls

In Example 4 of this documentation, "curl -k https://127.0.0.1:2379/v2/keys/foo -Xput -d value=bar -v" command is used. (This site also useful)

# curl -k -X "PUT" https://127.0.0.1:2379/v2/keys/seoul -d value='seoul'

{"action":"set","node":{"key":"/seoul","value":"seoul","modifiedIndex":18,"createdIndex":18}}

# curl -k https://127.0.0.1:2379/v2/keys/seoul

{"action":"get","node":{"key":"/seoul","value":"seoul","modifiedIndex":18,"createdIndex":18}}

# curl -k -X "DELETE" https://127.0.0.1:2379/v2/keys/seoul

Now, I can use with simple model.

Reference

[ 1 ] http://createnetech.tistory.com/16

[ 2 ] http://createnetech.tistory.com/14

[ 3 ] http://createnetech.tistory.com/12

[ 4 ] https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/clustering.md

[ 5 ] https://coreos.com/etcd/docs/latest/op-guide/security.html

[ 6 ] https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md

[ 7 ] https://coreos.com/os/docs/latest/generate-self-signed-certificates.html

[ 8 ] https://github.com/etcd-io/etcd/tree/master/hack/tls-setup

[ 9 ] https://coreos.com/etcd/docs/latest/demo.html

[ 10 ] https://www.mkyong.com/web/curl-put-request-examples/

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to configure DNS bind9 configuration in Ubuntu (0)	2019.09.12
How to install self-signed certification on Windows 2012 R2 for RDP? (0)	2018.12.14
How to use etcd (multi-machine cluster basic mode) in Ubuntu? (0)	2018.10.19
How does create Intermediate certificate with openssl? (0)	2018.10.19
How to use ECDSA? (0)	2018.10.18

How to use etcd (multi-machine cluster basic mode) in Ubuntu?

ejunwiths 2018. 10. 19. 15:55

2018. 10. 19. 15:55

How to use etcd (multi-machine cluster basic mode) in Ubuntu?

Recently, I have found interesting solution. it is called as etcd. It is Distributed reliable key-value store. What is the key-value store?. It is similar with dictionary in Python. This etcd make dictionary items can be put and get on any hosts.

1. Prerequesite

The etcd is used for cluster environment. Therefore, I will prepare 3 servers with ubuntu.

infra0 172.22.0.96 infra0.example.com

infra1 172.22.0.33 infra1.example.com

infra2 172.22.0.133 infra2.example.com

2. Get etcd release

I have ubuntu server. I need the etcd release for ubuntu. In this documentation. There is installation guide for Linux.

ETCD_VER=v3.3.10

# choose either URL

GOOGLE_URL=https://storage.googleapis.com/etcd

GITHUB_URL=https://github.com/etcd-io/etcd/releases/download

DOWNLOAD_URL=${GOOGLE_URL}

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

rm -rf /tmp/etcd-download-test

mkdir -p /tmp/etcd-download-test

curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

/tmp/etcd-download-test/etcd --version

ETCDCTL_API=3 /tmp/etcd-download-test/etcdctl version

I will run this command on every hosts. "/tmp" directory is used in command above. However, In my case, I will change the directory "/home/ubunut"

# mkdir -p /home/ubuntu/etcd-download-test

# curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o

# /home/ubuntu/etcd-${ETCD_VER}-linux-amd64.tar.gz

# tar xzvf /home/ubuntu/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /home/ubuntu/etcd-download-test --strip-components=1

# rm -f /home/ubuntu/etcd-${ETCD_VER}-linux-amd64.tar.gz

I can check the installation version with both of commands.

/home/ubuntu/etcd-download-test/etcd --version

ETCDCTL_API=3 /home/ubuntu/etcd-download-test/etcdctl version

# /home/ubuntu/etcd-download-test/etcd --version

etcd Version: 3.3.10

Git SHA: 27fc7e2

Go Version: go1.10.4

Go OS/Arch: linux/amd64

More efficient, I will export the directory in PATH environment.

# export PATH=$PATH:/home/ubuntu/etcd-download-test

# vi /root/.bashrc

PATH=$PATH:/home/ubuntu/etcd-download-test

# source /root/.bashrc

3. Running in multi-machine cluster basic mode

I can run in single standalone mode. The command line usage is here. At first, run in single mode

# etcd

I can put and get data. "ETCDCTL_API=3" is important parameter. It should be exist.

# ETCDCTL_API=3 etcdctl put mykey "this is awesome"

# ETCDCTL_API=3 etcdctl get mykey

mykey

this is awesome

Also I can see the result with JSON format like below. If I want to find more example of command usage, look this documentation.

# export ETCDCTL_API=3

# etcdctl --endpoints=localhost:2379 put foo "Hello World!"

# etcdctl --endpoints=localhost:2379 get foo --write-out="json"

{"header":{"cluster_id":14841639068965178418,"member_id":10276657743932975437,"revision":3,"raft_term":2},"kvs":[{"key":"Zm9v","create_revision":3,"mod_revision":3,"version":1,"value":"SGVsbG8gV29ybGQh"}],"count":1}

# etcdctl --endpoints=localhost:2379 get foo

foo

Hello World!

Even if this single mode works, but etcd is more powerful in mult-machin cluster mode. Look this documentation. To run cluster mode, there are 2 things important. IP address to listen and announce and IP address for peer hosts.

etcd --name infra0 --initial-advertise-peer-urls http://172.22.0.96:2380 \

--listen-peer-urls http://172.22.0.96:2380 \

--listen-client-urls http://172.22.0.96:2379,http://127.0.0.1:2379 \

--advertise-client-urls http://172.22.0.96:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=http://172.22.0.96:2380,infra1=http://172.22.0.33:2380,infra2=http://172.22.0.133:2380 \

--initial-cluster-state new

etcd --name infra1 --initial-advertise-peer-urls http://172.22.0.33:2380 \

--listen-peer-urls http://172.22.0.33:2380 \

--listen-client-urls http://172.22.0.33:2379,http://127.0.0.1:2379 \

--advertise-client-urls http://172.22.0.33:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=http://172.22.0.96:2380,infra1=http://172.22.0.33:2380,infra2=http://172.22.0.133:2380 \

--initial-cluster-state new

etcd --name infra2 --initial-advertise-peer-urls http://172.22.0.133:2380 \

--listen-peer-urls http://172.22.0.133:2380 \

--listen-client-urls http://172.22.0.133:2379,http://127.0.0.1:2379 \

--advertise-client-urls http://172.22.0.133:2379 \

--initial-cluster-token etcd-cluster-1 \

--initial-cluster infra0=http://172.22.0.96:2380,infra1=http://172.22.0.33:2380,infra2=http://172.22.0.133:2380 \

--initial-cluster-state new

For peer communicate, the 2380 port is used. For data communication, the 2379 port is used. Therefore, "127.0.0.1:2379" is necessary to request to localhost. However, this is not necessary to announce. These command above should be run on each host. After running, I can get the status of clustering.

# ETCDCTL_API=3 etcdctl --endpoints=172.22.0.96:2379,172.22.0.33:2379,172.22.0.133:2379 endpoint health

172.22.0.96:2379 is healthy: successfully committed proposal: took = 2.385219ms

172.22.0.133:2379 is healthy: successfully committed proposal: took = 2.847419ms

172.22.0.33:2379 is healthy: successfully committed proposal: took = 2.292504ms

Now, I have done everything to cluster multi-hosts. In multi-hosts environments, I put data into anywhere, I can get data from anywhere.

# ETCDCTL_API=3 etcdctl --endpoints=172.22.0.96:2379 put foo "Hello World!"

# ETCDCTL_API=3 etcdctl --endpoints=172.22.0.133:2379 get foo

foo

Hello World!

Finally, I can use the "etcd" little.

Reference

[ 1 ] https://github.com/etcd-io/etcd

[ 2 ] https://github.com/etcd-io/etcd/releases

[ 3 ] https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/clustering.md

[ 4 ] https://coreos.com/etcd/docs/latest/demo.html

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to install self-signed certification on Windows 2012 R2 for RDP? (0)	2018.12.14
How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu? (0)	2018.10.19
How does create Intermediate certificate with openssl? (0)	2018.10.19
How to use ECDSA? (0)	2018.10.18
How to use the public, private key-pair and certificate? (0)	2018.10.16

How does create Intermediate certificate with openssl?

ejunwiths 2018. 10. 19. 00:16

2018. 10. 19. 00:16

How does create Intermediate certificate with openssl?

It is difficult to understand this intermediate certificate. I wonder why this intermediate is necessary?. I have found this documentation over Internet.

The purpose of using an intermediate CA is primarily for security. The root key can be kept offline and used as infrequently as possible. If the intermediate key is compromised, the root CA can revoke the intermediate certificate and create a new intermediate cryptographic pair.

I studied about the chain concept. I focused if the encryption with private key of root certificate and decryption with public key of child certificate are possible, reverse versa?. (The answer is "Not Possible"). The reason is to hide the root CA for security.

1. Prerequisite

This is the default directory structure to generate intermediate certificate.

# mkdir /root/ca

# cd /root/ca

# mkdir certs crl newcerts private

# chmod 700 private

# touch index.txt

# echo 1000 > serial

To generate "Key", "CSR" (Certificate Signing Reqeust) and. CRT (Certificate), I need configuration for each case, In reference documentation, there are 2 types of configuration for Root CA and Intermediate CA. At this time, I need Root CA configuration. It looks like below.

# vi /root/ca/openssl.cnf

# OpenSSL root CA configuration file.

# Copy to `/root/ca/openssl.cnf`.

[ ca ]

# `man ca`

default_ca = CA_default

[ CA_default ]

# Directory and file locations.

dir = /root/ca

certs = $dir/certs

crl_dir = $dir/crl

new_certs_dir = $dir/newcerts

database = $dir/index.txt

serial = $dir/serial

RANDFILE = $dir/private/.rand

# The root key and root certificate.

private_key = $dir/private/ca.key.pem

certificate = $dir/certs/ca.cert.pem

# For certificate revocation lists.

crlnumber = $dir/crlnumber

crl = $dir/crl/ca.crl.pem

crl_extensions = crl_ext

default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.

default_md = sha256

name_opt = ca_default

cert_opt = ca_default

default_days = 375

preserve = no

policy = policy_strict

[ policy_strict ]

# The root CA should only sign intermediate certificates that match.

# See the POLICY FORMAT section of `man ca`.

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

[ policy_loose ]

# Allow the intermediate CA to sign a more diverse range of certificates.

# See the POLICY FORMAT section of the `ca` man page.

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

[ req ]

# Options for the `req` tool (`man req`).

default_bits = 2048

distinguished_name = req_distinguished_name

string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.

default_md = sha256

# Extension to add when the -x509 option is used.

x509_extensions = v3_ca

[ req_distinguished_name ]

# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.

countryName = Country Name (2 letter code)

stateOrProvinceName = State or Province Name

localityName = Locality Name

0.organizationName = Organization Name

organizationalUnitName = Organizational Unit Name

commonName = Common Name

emailAddress = Email Address

# Optionally, specify some defaults.

countryName_default = GB

stateOrProvinceName_default = England

localityName_default =

0.organizationName_default = Alice Ltd

organizationalUnitName_default =

emailAddress_default =

[ v3_ca ]

# Extensions for a typical CA (`man x509v3_config`).

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

basicConstraints = critical, CA:true

keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]

# Extensions for a typical intermediate CA (`man x509v3_config`).

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

basicConstraints = critical, CA:true, pathlen:0

keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]

# Extensions for client certificates (`man x509v3_config`).

basicConstraints = CA:FALSE

nsCertType = client, email

nsComment = "OpenSSL Generated Client Certificate"

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid,issuer

keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]

# Extensions for server certificates (`man x509v3_config`).

basicConstraints = CA:FALSE

nsCertType = server

nsComment = "OpenSSL Generated Server Certificate"

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid,issuer:always

keyUsage = critical, digitalSignature, keyEncipherment

extendedKeyUsage = serverAuth

[ crl_ext ]

# Extension for CRLs (`man x509v3_config`).

authorityKeyIdentifier=keyid:always

[ ocsp ]

# Extension for OCSP signing certificates (`man ocsp`).

basicConstraints = CA:FALSE

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid,issuer

keyUsage = critical, digitalSignature

extendedKeyUsage = critical, OCSPSigning

There are lots of options in there. I can not explain all of things. For the reproduction of this test, I check the directory path at first.

[ CA_default ]

# Directory and file locations.

dir = /root/ca

In this post, I create "/root/ca" directory before, therefore I do not need to change this value. However, it need to be changed if I want to work on other directory.

2. Create root key and root certificate

I generate RSA private key which is most used with "openssl genrsa" command. (Please, note that If there is no option like "-aes256", there is no process to enter the password)

# cd /root/ca

# openssl genrsa -aes256 -out private/ca.key.pem 4096

Enter pass phrase for ca.key.pem: secretpassword

Verifying - Enter pass phrase for ca.key.pem: secretpassword

# chmod 400 private/ca.key.pem

And then, I create Root CA certificate with the Private key which is generated earlier. (In this case, I do not use the CSR). The "-x509" option is the option which is necessary when I create certificate

# cd /root/ca

# openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

Enter pass phrase for ca.key.pem: secretpassword

You are about to be asked to enter information that will be incorporated

into your certificate request.

-----

Country Name (2 letter code) [XX]:GB

State or Province Name []:England

Locality Name []:

Organization Name []:Alice Ltd

Organizational Unit Name []:Alice Ltd Certificate Authority

Common Name []:Alice Ltd Root CA

Email Address []:

# chmod 444 certs/ca.cert.pem

In this case, Root CA is not changed for a long time. So "-days 7300" (almost 20 years) is defined. Because of this, the Private key of Root should be secret. I can see more detail information with "verification" command. In the result, I can see the "issuer" and "validity" information. Also I can see the certificate include the Public Key Info.

# openssl x509 -noout -text -in certs/ca.cert.pem

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=GB, ST=England, O=Alice Ltd, OU=Alice Ltd Certificate Authority, CN=Alice Ltd Root CA

Validity

Not Before: Oct 19 00:53:19 2018 GMT

Not After : Oct 14 00:53:19 2038 GMT

Subject: C=GB, ST=England, O=Alice Ltd, OU=Alice Ltd Certificate Authority, CN=Alice Ltd Root CA

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (4096 bit)

Modulus:

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

X509v3 Authority Key Identifier:

X509v3 Basic Constraints: critical

CA:TRUE

X509v3 Key Usage: critical

Digital Signature, Certificate Sign, CRL Sign

Signature Algorithm: sha256WithRSAEncryption

Therefore, I can extract the Public key.

# mkdir public

# openssl x509 -pubkey -in certs/ca.cert.pem -noout > public/pub.ca.cert.pem

-----BEGIN PUBLIC KEY-----

Something ................ xxxxxxxxxxxxxxxxxxxxxxx

-----END PUBLIC KEY-----

3. Create intermediate pair

To generate the Intermediate certificate, I need to make sub-directory under the root directory.

# mkdir /root/ca/intermediate

# cd /root/ca/intermediate

# mkdir certs crl csr newcerts private

# chmod 700 private

# touch index.txt

# echo 1000 > serial

# echo 1000 > /root/ca/intermediate/crlnumber

"echo 1000 > /root/ca/intermediate/crlnumber" is used for tracking certificate revocation lists. In this post, I do not handle about this. I also need configuration for intermediate certificate. Most of the contents are same with Root's configuration. 5 things are different.

[ CA_default ]

dir = /root/ca ==> /root/ca/intermediate

private_key = $dir/private/ca.key.pem ==> $dir/private/intermediate.key.pem

certificate = $dir/certs/ca.cert.pem ==> $dir/certs/intermediate.cert.pem

crl = $dir/crl/ca.crl.pem ==> $dir/crl/intermediate.crl.pem

policy = policy_strict ==> policy_loose

I generate RSA Private key. this key is independent with Root Private key. This intermediate certificate is usually not used for end-point such as the server and client. I think it is kinds of sub-Root certificate. (However, this is one of cases. I can use intermediate certificate on server and client also.)

# cd /root/ca

# openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096

Enter pass phrase for intermediate.key.pem: secretpassword

Verifying - Enter pass phrase for intermediate.key.pem: secretpassword

# chmod 400 intermediate/private/intermediate.key.pem

Now I need to generate certificate signing request (CSR) at this time. During this step, The Common Name must be different. CSR includes several information such as "common Name". I can create certificate without this CSR. (In the Root case, I did not create CSR at that time.

# cd /root/ca

# openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem

Enter pass phrase for intermediate.key.pem: secretpassword

You are about to be asked to enter information that will be incorporated

into your certificate request.

-----

Country Name (2 letter code) [XX]:GB

State or Province Name []:England

Locality Name []:

Organization Name []:Alice Ltd

Organizational Unit Name []:Alice Ltd Certificate Authority

Common Name []:Alice Ltd Intermediate CA

Email Address []:

Now, I will generate intermediate certificate with this CSR. Please, note that I will use root certificate and configuration to create intermediate

# cd /root/ca

# openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem

Using configuration from openssl.cnf

Enter pass phrase for /root/ca/private/ca.key.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 4096 (0x1000)

Validity

Not Before: Oct 19 01:20:29 2018 GMT

Not After : Oct 16 01:20:29 2028 GMT

Subject:

countryName = GB

stateOrProvinceName = England

organizationName = Alice Ltd

organizationalUnitName = Alice Ltd Certificate Authority

commonName = Alice Ltd Intermediate CA

X509v3 extensions:

X509v3 Subject Key Identifier:

X509v3 Authority Key Identifier:

X509v3 Basic Constraints: critical

CA:TRUE, pathlen:0

X509v3 Key Usage: critical

Digital Signature, Certificate Sign, CRL Sign

Certificate is to be certified until Oct 16 01:20:29 2028 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

# chmod 444 intermediate/certs/intermediate.cert.pem

During creation, I can see the detail information. Also, I can see mote detail with "verification" command.

# # openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 4096 (0x1000)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=GB, ST=England, O=Alice Ltd, OU=Alice Ltd Certificate Authority, CN=Alice Ltd Root CA

Validity

Not Before: Oct 19 01:20:29 2018 GMT

Not After : Oct 16 01:20:29 2028 GMT

Subject: C=GB, ST=England, O=Alice Ltd, OU=Alice Ltd Certificate Authority, CN=Alice Ltd Intermediate CA

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (4096 bit)

Modulus:

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

X509v3 Authority Key Identifier:

X509v3 Basic Constraints: critical

CA:TRUE, pathlen:0

X509v3 Key Usage: critical

Digital Signature, Certificate Sign, CRL Sign

Signature Algorithm: sha256WithRSAEncryption

This certificate also include the public key, therefore I can extract the public key from certificate

# mkdir intermediate/public

# openssl x509 -pubkey -in intermediate/certs/intermediate.cert.pem -noout > intermediate/public/pub.intermediate.cert.pem

-----BEGIN PUBLIC KEY-----

Something ........ xxxxxxxxxxxxxxxxxxxxxxxx

-----END PUBLIC KEY-----

4. Verify the intermediate certificate

I obtain "Private key", "CSR" and "Certificate" files for intermediate. I have some question how does this cert guarantee?. "openssl verfify -CAfile" command show intermediate cert is certified by root certificate.

# openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem

intermediate/certs/intermediate.cert.pem: OK

4-1. [Optional] The relationship between Root Key and Intermediate Key.

Someone can think like me, the intermediate certificate inherit from the root certification. Therefore, I can encrypt with intermediate public key and decrypt with root private key or reverse versa. The answer is "No" (RSA operation error is happend)

# echo "welecom ssl world" > message

[ Intermediate public encrypt + Root private decrypt ]

# openssl rsautl -encrypt -inkey intermediate/public/pub.intermediate.cert.pem -pubin -in message -out encrypted-message

# openssl rsautl -decrypt -inkey private/ca.key.pem -in encrypted-message -out decrypted-message

RSA operation error

[ Root public encrypt + Intermediate private decrypt ]

# openssl rsautl -encrypt -inkey public/pub.ca.cert.pem -pubin -in message -out encrypted-message

# openssl rsautl -decrypt -inkey intermediate/private/intermediate.key.pem -in encrypted-message -out decrypted-message

RSA operation error

5. Create the certificate chain file

In the documentation, there are reason why the chain file is necessary.

When an application (eg, a web browser) tries to verify a certificate signed by the intermediate CA, it must also verify the intermediate certificate against the root certificate.

Thus, it is necessary to confirm if the intermediate certificate come from root certificate. To create chain, I will merge both certificate into single file.

# cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem

# chmod 444 intermediate/certs/ca-chain.cert.pem

6. Sign server and client certificates

Before, I do this step. I need to know what is difference between server certificate and client certificate. Before, I write this post, I only consider web server such as Apache. In this Apache case, the server certificate is necessary. Server certificate focus if this server is safe or not. Client certificate focus if my request to the server is safe or not. So usually, client certificate is doing after server certificate. In this post, I will handle server certificate.

I think this intermediate certificate is kinds of sub-root certificate. So this intermediate should be hidden for the security. (Don't worry, if this intermediate certificate is stolen, I can delete and re-create with Root certificate again) Anyway, I can create certificate for end-point.

# cd /root/ca

# openssl genrsa -aes256 -out intermediate/private/www.example.com.key.pem 2048

# chmod 400 intermediate/private/www.example.com.key.pem

The reason why I use 2048 bit to create RSA key. Usually, the certificate for end-point should be short expiration day. So, 2048 bit is much efficient. After this, I create the CSR with private key. And I use intermediate configuration file to generate. (At this time, it looks like another intermediate certificate). Note that the Common Name cannot be the same as either your root or intermediate certificate.

# cd /root/ca

# openssl req -config intermediate/openssl.cnf -key intermediate/private/www.example.com.key.pem -new -sha256 -out intermediate/csr/www.example.com.csr.pem

Enter pass phrase for www.example.com.key.pem: secretpassword

You are about to be asked to enter information that will be incorporated

into your certificate request.

-----

Country Name (2 letter code) [XX]:US

State or Province Name []:California

Locality Name []:Mountain View

Organization Name []:Alice Ltd

Organizational Unit Name []:Alice Ltd Web Services

Common Name []:www.example.com

Email Address []:

Now, I will create the certificate. Please note, I used "server_cert" option, because I suppose I create certificate for web-server. However if I want the certificate for client, I use "user_cert"

To create a certificate, use the intermediate CA to sign the CSR. If the certificate is going to be used on a server, use the server_cert extension. If the certificate is going to be used for user authentication, use the usr_cert extension. Certificates are usually given a validity of one year, though a CA will typically give a few days extra for convenience.

# cd /root/ca

# openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/www.example.com.csr.pem -out intermediate/certs/www.example.com.cert.pem

# chmod 444 intermediate/certs/www.example.com.cert.pem

I can verify this certificate. At this time, I do not verify with the certificate of the intermediate. I verify with ca-chain which are generated earlier.

# openssl x509 -noout -text -in intermediate/certs/www.example.com.cert.pem

# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.example.com.cert.pem

I will deploy my web server with these certificate and chain. At this time, I do not need to merge again the ca-chain.cert.pem.

ca-chain.cert.pem

www.example.com.key.pem

www.example.com.cert.pem

I compare the configuration. In "-config" option of "openssl ca", it decide the "issuer". Therefore, intermediate's issuer is root and server's issuer is intermediate. In "extension" option, it decide the rule or type of certificate. Becuase of this, the server handle another type of intermediate certificate which is issued by (sub-root) intermediate certificate.

Therefore, the certification does not need to merge at this time. I do test again to check the relationship between intermediate certifications. In the result, I can not encrypt and decrypt.

# openssl rsautl -encrypt -inkey intermediate/public/pub.www.example.com.cert.pem -pubin -in message -out encrypt-message

# openssl rsautl -decrypt -inkey intermediate/private/intermediate.key.pem -in encrypt-message -out decrypt-message

RSA operation error

Reference

[ 1 ] https://jamielinux.com/docs/openssl-certificate-authority/index.html#openssl-certificate-authority

[ 2 ] https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html

[ 3 ] https://www.websecurity.symantec.com/security-topics/client-certificates-vs-server-certificates

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu? (0)	2018.10.19
How to use etcd (multi-machine cluster basic mode) in Ubuntu? (0)	2018.10.19
How to use ECDSA? (0)	2018.10.18
How to use the public, private key-pair and certificate? (0)	2018.10.16
What to use WMI(Windows Management Instrumentation) from remote Linux server? (0)	2018.10.01

How to use ECDSA?

ejunwiths 2018. 10. 18. 11:07

2018. 10. 18. 11:07

How to use ECDSA?

Recently, I have some changes to know about "ECDSA" to signature the messages. I am not the security engineer. So, I can not explain all of things about this. Before, I read about this. I only think about the encryption and decryption. However, "ECDSA" shows another mechanism. Most of the documentations, "ECDSA" uses to sign and verfication. Let's think about RSA case, the RSA focus on "How can the file encrypt and decrypt". Therefore, encrypted-file is created and transferred to the destination. However, the ECDSA case is different. the ECDSA focus on "How can this message confirm to be same with others". Therefore, no encrypted-file is created, but the signature is generated. The destination has already known the message, it is verified with this signature. In this post, I will use "openssl" mainly.

1. Create the Private key

In ECDSA algorithm, the concept of the private and public key. I can create a private key at first. With the private key, I can generate the signature for the some messages.

# openssl ecparam -genkey -name sect571r1 -out private.pem

Above, there is "name" field which has already defined. With "-list_curves" option, I can check what name is possible. In my case, "sect571r1" is one what I choose.

# # openssl ecparam -list_curves

secp112r1 : SECG/WTLS curve over a 112 bit prime field

secp112r2 : SECG curve over a 112 bit prime field

secp128r1 : SECG curve over a 128 bit prime field

secp128r2 : SECG curve over a 128 bit prime field

secp160k1 : SECG curve over a 160 bit prime field

secp160r1 : SECG curve over a 160 bit prime field

secp160r2 : SECG/WTLS curve over a 160 bit prime field

secp192k1 : SECG curve over a 192 bit prime field

secp224k1 : SECG curve over a 224 bit prime field

secp224r1 : NIST/SECG curve over a 224 bit prime field

secp256k1 : SECG curve over a 256 bit prime field

secp384r1 : NIST/SECG curve over a 384 bit prime field

secp521r1 : NIST/SECG curve over a 521 bit prime field

prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field

prime192v2: X9.62 curve over a 192 bit prime field

prime192v3: X9.62 curve over a 192 bit prime field

prime239v1: X9.62 curve over a 239 bit prime field

prime239v2: X9.62 curve over a 239 bit prime field

prime239v3: X9.62 curve over a 239 bit prime field

prime256v1: X9.62/SECG curve over a 256 bit prime field

sect113r1 : SECG curve over a 113 bit binary field

sect113r2 : SECG curve over a 113 bit binary field

sect131r1 : SECG/WTLS curve over a 131 bit binary field

sect131r2 : SECG curve over a 131 bit binary field

sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field

sect163r1 : SECG curve over a 163 bit binary field

sect163r2 : NIST/SECG curve over a 163 bit binary field

sect193r1 : SECG curve over a 193 bit binary field

sect193r2 : SECG curve over a 193 bit binary field

sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field

sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field

sect239k1 : SECG curve over a 239 bit binary field

sect283k1 : NIST/SECG curve over a 283 bit binary field

sect283r1 : NIST/SECG curve over a 283 bit binary field

sect409k1 : NIST/SECG curve over a 409 bit binary field

sect409r1 : NIST/SECG curve over a 409 bit binary field

sect571k1 : NIST/SECG curve over a 571 bit binary field

sect571r1 : NIST/SECG curve over a 571 bit binary field

c2pnb163v1: X9.62 curve over a 163 bit binary field

c2pnb163v2: X9.62 curve over a 163 bit binary field

c2pnb163v3: X9.62 curve over a 163 bit binary field

c2pnb176v1: X9.62 curve over a 176 bit binary field

c2tnb191v1: X9.62 curve over a 191 bit binary field

c2tnb191v2: X9.62 curve over a 191 bit binary field

c2tnb191v3: X9.62 curve over a 191 bit binary field

c2pnb208w1: X9.62 curve over a 208 bit binary field

c2tnb239v1: X9.62 curve over a 239 bit binary field

c2tnb239v2: X9.62 curve over a 239 bit binary field

c2tnb239v3: X9.62 curve over a 239 bit binary field

c2pnb272w1: X9.62 curve over a 272 bit binary field

c2pnb304w1: X9.62 curve over a 304 bit binary field

c2tnb359v1: X9.62 curve over a 359 bit binary field

c2pnb368w1: X9.62 curve over a 368 bit binary field

c2tnb431r1: X9.62 curve over a 431 bit binary field

wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field

wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field

wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field

wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field

wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field

wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field

wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field

wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field

wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field

wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field

wap-wsg-idm-ecid-wtls12: WTLS curvs over a 224 bit prime field

Oakley-EC2N-3:

IPSec/IKE/Oakley curve #3 over a 155 bit binary field.

Not suitable for ECDSA.

Questionable extension field!

Oakley-EC2N-4:

IPSec/IKE/Oakley curve #4 over a 185 bit binary field.

Not suitable for ECDSA.

Questionable extension field!

brainpoolP160r1: RFC 5639 curve over a 160 bit prime field

brainpoolP160t1: RFC 5639 curve over a 160 bit prime field

brainpoolP192r1: RFC 5639 curve over a 192 bit prime field

brainpoolP192t1: RFC 5639 curve over a 192 bit prime field

brainpoolP224r1: RFC 5639 curve over a 224 bit prime field

brainpoolP224t1: RFC 5639 curve over a 224 bit prime field

brainpoolP256r1: RFC 5639 curve over a 256 bit prime field

brainpoolP256t1: RFC 5639 curve over a 256 bit prime field

brainpoolP320r1: RFC 5639 curve over a 320 bit prime field

brainpoolP320t1: RFC 5639 curve over a 320 bit prime field

brainpoolP384r1: RFC 5639 curve over a 384 bit prime field

brainpoolP384t1: RFC 5639 curve over a 384 bit prime field

brainpoolP512r1: RFC 5639 curve over a 512 bit prime field

brainpoolP512t1: RFC 5639 curve over a 512 bit prime field

2. Create the Public key

Now, I can create the public key with private key.

# openssl ec -in private.pem -pubout -out public.pem

read EC key

writing EC key

3. Sign the message

Before sign the message, I create message file like below.

# cat message

this is test message to check ecdsa with openssl

Now, I sign this message file with "openssl dgst" command.

# openssl dgst -sha1 -sign private.pem message > message-sign.bin

In this case, I choose the "sha1" hashing algorithm. (Default, sha256) However, I can choose with more options.

# openssl dgst --help

unknown option '--help'

options are

-c to output the digest with separating colons

-r to output the digest in coreutils format

-d to output debug info

-hex output as hex dump

-binary output in binary form

-hmac arg set the HMAC key to arg

-non-fips-allow allow use of non FIPS digest

-sign file sign digest using private key in file

-verify file verify a signature using public key in file

-prverify file verify a signature using private key in file

-keyform arg key file format (PEM or ENGINE)

-out filename output to filename rather than stdout

-signature file signature to verify

-sigopt nm:v signature parameter

-hmac key create hashed MAC with key

-mac algorithm create MAC (not neccessarily HMAC)

-macopt nm:v MAC algorithm parameters or key

-engine e use engine e, possibly a hardware device.

-md4 to use the md4 message digest algorithm

-md5 to use the md5 message digest algorithm

-ripemd160 to use the ripemd160 message digest algorithm

-sha to use the sha message digest algorithm

-sha1 to use the sha1 message digest algorithm

-sha224 to use the sha224 message digest algorithm

-sha256 to use the sha256 message digest algorithm

-sha384 to use the sha384 message digest algorithm

-sha512 to use the sha512 message digest algorithm

-whirlpool to use the whirlpool message digest algorithm

4. Verify the message

I got some signature for message. Now I can my message which I have already gotten with this signature.

# cp message received-message

# openssl dgst -sha1 -verify public.pem -signature message-sign.bin received-message

Verified OK

If I change the contents in received-message file like below.

# cat received-message

this is test message to check ecdsa with openssl

more information

# openssl dgst -sha1 -verify public.pem -signature message-sign.bin received-message

Verification Failure

I will get the verification failure

Reference

[ 1 ] https://superuser.com/questions/737574/openssl-ecdsa-sign-and-verify-file

[ 2 ] https://www.openssl.org/docs/man1.0.2/apps/ecparam.html

[ 3 ] https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu? (0)	2018.10.19
How to use etcd (multi-machine cluster basic mode) in Ubuntu? (0)	2018.10.19
How does create Intermediate certificate with openssl? (0)	2018.10.19
How to use the public, private key-pair and certificate? (0)	2018.10.16
What to use WMI(Windows Management Instrumentation) from remote Linux server? (0)	2018.10.01

How to use the public, private key-pair and certificate?

ejunwiths 2018. 10. 16. 11:37

2018. 10. 16. 11:37

How to use the public, private key-pair and certificate?

I can meet lots of SSL certification to protect web server host. I am not the security engineer. Therefore, It is difficult to understand the relationship private-public key pair and the certification. I have recently found the answer from here. Now I will follow these if it works or not. In this post, I will use "openssl" to handle.

1. Install the "openssl" on ubuntu

Basically, this openssl has been installed on ubuntu, therfore, I do not need to install again.

# apt-get install openssl

2. Generate the private keys

In this post, I create private key of 2048 size with RSA algorithm at first.

# openssl genrsa -out myprivate.pem 2048

Generating RSA private key, 2048 bit long modulus

......+++

...............................................+++

e is 65537 (0x10001)

# cat myprivate.pem

-----BEGIN RSA PRIVATE KEY-----

something............xxxxxxxxxxxxxxxxxxxxxxxxx

-----END RSA PRIVATE KEY-----

3. Generate the public keys

With the private key, I can generate the public key with RSA key management command.

# openssl rsa -in myprivate.pem -outform PEM -pubout -out public.pem

writing RSA key

# cat public.pem

-----BEGIN PUBLIC KEY-----

something............xxxxxxxxxxxxxxxxxxxxxxxxx

-----END PUBLIC KEY-----

4. Create a CSR (Certificate Signing Request)

To create a CSR, "req" command is for PKCS#10 X.509 Certificate Signing Request (CSR) Management. CSR should be created with the private key which is created. During creation, some information are required to insert.

# openssl req -new -key myprivate.pem -out mycert.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:KR

State or Province Name (full name) [Some-State]:SEOUL

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (e.g. server FQDN or YOUR name) []:

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

After above status, I will get csr file.

5. Create a Self-signed Certificate

With the create CSR file and Private key, I can create the Self-signed Certificate (CRT) file, which I can share.

# openssl x509 -req -days 365 -in mycert.csr -signkey myprivate.pem -out cert.crt

Signature ok

subject=/C=KR/ST=SEOUL/O=Internet Widgits Pty Ltd

Getting Private key

I create the CRT file with expiration. (-days option define the date to expire). This is important because CRT file can be shared.

6. How to Use these Keys and Certifications

Now, I have four files (Public-Private Key Pairs, CSR and CRT files). At first, I create sample documentation.

# cat this_sample.txt

Hi, I am doing some test now

Before I encrypt file above. I want to see the command option of "openssl rsautl". In this command, I will use -encrypt and -decrypt options. Please note that -encrypt require "public key" not "private key" and reverse versa. "-pkcs" option is default pandding option.

# openssl rsautl --help

Usage: rsautl [options]

-in file input file

-out file output file

-inkey file input key

-keyform arg private key format - default PEM

-pubin input is an RSA public

-certin input is a certificate carrying an RSA public key

-ssl use SSL v2 padding

-raw use no padding

-pkcs use PKCS#1 v1.5 padding (default)

-oaep use PKCS#1 OAEP

-sign sign with private key

-verify verify with public key

-encrypt encrypt with public key

-decrypt decrypt with private key

-hexdump hex dump output

-engine e use engine e, possibly a hardware device.

-passin arg pass phrase source

Now, I encrypt this file with Public key with RSA utility command which are used for signing, verification, encryption and decryption. Please, note "-pubin" option is important factor to encrypt file.

# openssl rsautl -encrypt -inkey public.pem -pubin -in this_sample.txt -out encrypted_sample

Now, I have encrypted file. At this time, I have some question. How can I recover this file.

# openssl rsautl -decrypt -inkey myprivate.pem -keyform PEM -in encrypted_sample -out decrypted_sample

# cat decrypted_sample

Hi, I am doing some test now

It's works. However, I have something left. What is the CRT file for?. CRT file can be shared. Someone can get the public key from this CRT file.

# openssl x509 -pubkey -in cert.crt -out certpubkey.pem

-----BEGIN PUBLIC KEY-----

something......... xxxxxxxxxxxxxxxxxxx

-----END PUBLIC KEY-----

With this public key, I can send some file with encryption.

7. Encrypt with Private Key and Decrypt with Public Key

So far, I encrypt with Public key and I decrypt with Private key. However, I have question if it is do with reverse. The answer is "yes". However, it is not possible with "openssl" command line. Therefore, I can not handle this anymore at this time in this post.

Reference

[ 1 ] https://security.stackexchange.com/questions/108508/how-do-i-produce-a-ca-signed-public-key

[ 2 ] https://unix.stackexchange.com/questions/296697/how-to-encrypt-a-file-with-private-key

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu? (0)	2018.10.19
How to use etcd (multi-machine cluster basic mode) in Ubuntu? (0)	2018.10.19
How does create Intermediate certificate with openssl? (0)	2018.10.19
How to use ECDSA? (0)	2018.10.18
What to use WMI(Windows Management Instrumentation) from remote Linux server? (0)	2018.10.01

How to make connection of Strongswan with Azure?

ejunwiths 2018. 10. 11. 14:35

2018. 10. 11. 14:35

How to make connection of Strongswan with Azure?

In this post, I will write the way how to create the connection using Strongswan for IPsec connection for Azure VPN connection. In AWS, it is not difficult, because AWS offer the configuration for Strongswan and Openswan. However, Azure does not offer it. Because of I can not know the Peer VPN status. it is not simple.

1. About test environment.

My test environment is like below.

On-prem Host and VPN server <------> Internet <------> Azure VPN <------> Azure vNet <------> Azure Host

A) On-prem Host and VPN server - 10.0.0.0/8

B) Azure Host - 172.21.0.0/16

2. Create local network gateway

Local network gateway means the on-premise site. Therefore, I need to insert on-premise network information into these fields.

A) IP address : On-premise VPN Device Public IP address.

B) Address space : On-premise Network range which is used.

In my case, Address space should be "10.0.0.0/8". After generation, I can modify in the configuration of the resource. If I need to add more network range. I have add in here.

3. Create virtual network gateway

Virtual network gateway means the endpoint of Azure site. I insert the Azure vNet information into here. Before, I create the virtual network gateway. I need to create the "gateway subnet" where VPN instance is located in. In subnet of vNet, I can see the button "Gateway subnet".

Don't worry if I create the gateway subnet or not. If I don't, It will be created automatically. The menu for create virtual network gateway look like below.

A) SKU

SKU	S2S/VNet	P2S	BW
VpnGw1	Max 30*	Max 128**	650Mbps
VpnGw2	Max 30*	Max 128**	1Gbps
VpnGw3	Max 30*	Max 128**	1.25Gbps
Basic	Max 10	Max 128	100Mbps

B) Virtual Network : The vNet which I want to connect with on-premise site.

C) Public IP address : Azure VPN Public IP address. (Note, I can not make static IP address)

After creation, I can see that virtual network gateway and public IP address are created in my resource group like below.

4. Create connection

Now, I prepare each point for the Azure and On-premise site. I need to connect between them. So I will create connection. During this process, I need to select "local network gateway" and "virtual network gateway" which are created at above.

A) Shared key (PSK) : It is kind of the password. Therefore, I should be secret and shared with peers.

And I can see more detail. Also I can change PSK values

After connection, I can download the configuration file.

It looks like

tidcne-s2s-connection-1.txt

5. Update the routing table.

Now, I prepared all of infrastructure. However, it is not perfect. Because of I need to control the traffic flow. I hope I remember "I choose Route-based, not Policy-based VPN". I need to update my routing table like below. In my route table, I need to watch the subnet which are associate. In my case, I want to all network to connect with my on-premise. therefore I associated all networks.

In route tap, I add the on-premise network range with "virtual network gateway" as next hop. In my case, 10.0.0.0/8 network should be transfer to the virtual network gateway.

6. Create on-premise VPN server.

From now, I create the on-premise VPN server which are installed with Strongswan. I use "apt-get".

# apt-get install strongswan

# ipsec version

Linux strongSwan U5.3.5/K4.4.0-134-generic

Institute for Internet Technologies and Applications

University of Applied Sciences Rapperswil, Switzerland

See 'ipsec --copyright' for copyright information.

7. Configure packet forwarding enable.

# vi /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4

net.ipv4.ip_forward=1

# sysctl -p /etc/sysctl.conf

net.ipv4.ip_forward = 1

# cat /proc/sys/net/ipv4/ip_forward

8. Configure preshared key (PSK)

This PSK is similar with the password. It should be the same between peers. This information will be inserted into /etc/ipsec.secrets. The string is <leftside IPaddress> <rightside IPaddress> : PSK "xxxxxxxxx"

# vi /etc/ipsec.secrets

1xx.7x.3x.4x 1x.1xx.1xx.7x : PSK "xxxxxx_xxxx"

9. Configure IPsec configuration.

This is the IPsec configuration. I will add some information in /etc/ipsec.conf.

# vi /etc/ipsec.conf

conn azure

authby=secret

type=tunnel

left=147.75.105.103 # My Public IP address

leftsubnet=0.0.0.0/0 # My IP address space / protected network(s)

right=52.231.73.164 #Azure Dynamic Gateway

rightsubnet=172.21.0.0/24,172.21.1.0/24 #Azure Vnet prefixes

auto=route

keyexchange=ikev2 # Mandatory for Dynamic / Route-based gateway

mark=100

There are some important things I need to focus. First, Azure only support ikev2. Second, I can write multiple subnet in left/rightsubnet field because the mode is ikev2. If I want to use ikev1, only first subnet before comma is valid. Third, mark field is necessary when the VPN should have multiple connection. This mark value is used to separate interface

This is the Sample configuration for IKEv2

config setup

# strictcrlpolicy=yes

uniqueids = no

# Add connections here.

# Sample VPN connections

conn Tunnel1

auto=start

left=%defaultroute

leftid=46.101.124.161

right=52.231.191.30

type=tunnel

leftauth=psk

rightauth=psk

keyexchange=ikev2

ike=aes256-sha1-modp1024

ikelifetime=1h

esp=aes256gcm128

lifetime=1h

keyingtries=%forever

leftsubnet=0.0.0.0/0

rightsubnet=0.0.0.0/0

dpddelay=10s

dpdtimeout=30s

dpdaction=restart

mark=100

Please Look https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

10. Create virtual tunnel interface on VPN host.

If I remove "mark" value in /etc/ipsec.conf, All of packet are transferred over encryption by VPN. That is not what I want. I want to specific network traffic can transfer over VPN. This is the reason why I use mark and virtual tunnel interface is necessary. At first I need to merge the routing table because the strongswan create another route table to handle.

# vi /etc/strongswan.d/charon.conf

install_routes=no

I will create "tunnel interface" with "ip link add". Look at the below. I used the name "vti1" as interface name. Please, note that the mark values should be the same.

# sudo ip link add vti1 type vti local 147.75.105.103 remote 52.231.73.164 key 100

# sudo ip link set vti1 up mtu 1419

# sudo ip route add 172.21.0.0/24 dev vti1

# sudo ip route add 172.21.1.0/24 dev vti1

# sysctl -w "net.ipv4.conf.vti1.disable_policy=1"

11. Check the IPsec status.

Now, I can do all of things for the IPsec VPN connection. I can check the status for this with "ipsec status" command.

# ipsec status azure

Routed Connections:

azure{1}: ROUTED, TUNNEL, reqid 1

azure{1}: 0.0.0.0/0 === 172.21.0.0/24 172.21.1.0/24

Security Associations (1 up, 0 connecting):

azure[1]: ESTABLISHED 76 minutes ago, 147.75.105.103[147.75.105.103]...52.231.73.164[52.231.73.164]

azure{3}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4e7887b_i f62d7a96_o

azure{3}: 0.0.0.0/0 === 172.21.0.0/24 172.21.1.0/24

On the GUI of Azure, I also can check the status for VPN connection.

12. Troubleshooting

My Azure Host has the IP address with "172.21.1.4". Therefore, I try to ping on on-premise VPN host like below. However, there is no answer.

# ping 172.21.1.4

84 packets transmitted, 0 received, 100% packet loss, time 83664ms

So I dump the packet to analysis this issue. I can see the NONESP and ESP pakcets. Thus, the ICMP is sending to destination.

# tcpdump -ni bond0 host 52.231.73.164

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on bond0, link-type EN10MB (Ethernet), capture size 262144 bytes

07:30:44.805879 IP xxx.xxx.xxx.xxx.4500 > yy.yyy.yy.yyy.4500: NONESP-encap: isakmp: child_sa inf2

07:30:44.806508 IP yy.yyy.yy.yyy.4500 > xxx.xxx.xxx.xxx.4500: NONESP-encap: isakmp: child_sa inf2[IR]

07:30:50.168456 IP xxx.xxx.xxx.xxx > yy.yyy.yy.yyy: ESP(spi=0x60237774,seq=0xc), length 132

07:30:51.176661 IP xxx.xxx.xxx.xxx > yy.yyy.yy.yyy: ESP(spi=0x60237774,seq=0xd), length 132

I will give you answer for this issue. It is happen due to the source IP address. In this case, the ICMP packet will send to destination with interface IP address which is selected by routing table. I will check my network security group for Azure. I will add the interface IP address.

Please, note on-premise network range should be added in this network security group. Now I can do ping.

# ping 172.21.1.4

PING 172.21.1.4 (172.21.1.4) 56(84) bytes of data.

64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=42 time=191 ms

64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=42 time=192 ms

However, the IP address which is returned is not private IP address of the Azure host. It will be the Public IP address. Because, the source IP address from on-premise VPN host is the public IP address. So I will do some trick for this. I will use the SNAT like below.

# iptables -t nat -A POSTROUTING -d 172.21.0.0/24 -o vti1 -j SNAT --to-source 10.99.8.131

# iptables -t nat -A POSTROUTING -d 172.21.1.0/24 -o vti1 -j SNAT --to-source 10.99.8.131

Now, I will do ping again.

# ping 172.21.1.4

PING 172.21.1.4 (172.21.1.4) 56(84) bytes of data.

64 bytes from 172.21.1.4: icmp_seq=1 ttl=64 time=192 ms

64 bytes from 172.21.1.4: icmp_seq=2 ttl=64 time=193 ms

So, I have done all of things. I can have IPsec VPN connection between on-premise and Azure.

Reference

[ 1 ] https://tscr.io/2018/01/03/azure-routed-vpn-with-strongswan-on-linux/

[ 2 ] https://docs.microsoft.com/ko-kr/azure/vpn-gateway/vpn-gateway-about-vpngateways

[ 3 ] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

저작자표시 비영리 변경금지

How to create Spot instance in Packet.net cloud?

ejunwiths 2018. 10. 11. 09:54

2018. 10. 11. 09:54

How to create Spot instance in Packet.net cloud?

I usually use this Packet.net cloud which offers the bare-metal public cloud. It is so much useful. AWS, Azure and GCP also offer public cloud. However, they base on the virtualization environment which make unknown issues. The cost is not cheap due to bare-metal offering. However, I don't worry about this cost, because they have spot instance. Please note, the instance will be removed without alarms and notification. Therefore it is not proper for the production.

1. Create new server.

I create the new server in my projects like below.

After "Click" the "New Server" button, I can see the "Deploy On Demand Servers", which insert some information to generate the servers.

2. Configure spot price.

When I deploy with information on the blanked field above figure, I can obtain the normal server which pay the full-cost. However, I do not want this in this post. I can see the "Options" button which is tagged with "SSH & USER DATA"

After open the category, I can see the "Spot Market Options". When I insert the price which I want to pay, I can get the spot instance. Please note that the current bid is changeable. So I need to look this information more carefully.

3. Deploy server.

Now, I am ready to deploy the spot instance. It is so simple. Now I can see the my processing status. I can see the "Type" information which is written with "Spot Instance"

4. Troubleshooting.

This is not about the Packet.net. I want to talk about Linux configuration. In my case, I usually use Ubuntu. After login, I can not "apt-get update", because of the repository issue. Most of usually, OS request to IPv4 address. However, IPv6 request is happend sometimes. In this case, I need to change some configuration. I have add single file in "/etc/apt/apt.conf.d/99force-ipv4"

# echo 'Acquire::ForceIPv4 "true";' | sudo tee /etc/apt/apt.conf.d/99force-ipv4

Acquire::ForceIPv4 "true";

After then, I can run "apt-get" something. However, if I can "apt-get" something without this above, I do not need this.

Reference

[ 1 ] https://www.packet.com/

[ 2 ] https://unix.stackexchange.com/questions/9940/convince-apt-get-not-to-use-ipv6-method

저작자표시 비영리 변경금지

What to use WMI(Windows Management Instrumentation) from remote Linux server?

ejunwiths 2018. 10. 1. 13:23

2018. 10. 1. 13:23

What to use WMI(Windows Management Instrumentation) from remote Linux server?

Usually, I can access and run some command with SSH. In this case, I used "Paramiko" module. This is sample code which I create. However, I have some questions from here. It is if is possible to access and run some command with RDP. At this time. I can not found any solution for this. But I have found about "WMI (Windows Management Instrucmentation)". It make I can get some information which is offered by Window OS with WMI.

1. Install python-wmi-client-wrapper.

In this "Git", there is the way how to installation for this.

pip install wmi-client-wrapper

2. Install WMI

"WMI" is the package for Window OS. Therefore, the wrapper is necessary. The first step is to obtain these wrapper. Thus, I still need "WMI" main module. In my case, I used Ubuntu 16.04 LTS, and I will install WMI 1.3.16.

ulimit -n 100000

cd /tmp

mkdir wmic

cd wmic

apt install autoconf gcc libdatetime-perl make build-essential g++ python-dev

wget http://www.opsview.com/sites/default/files/wmi-1.3.16.tar_.bz2

bunzip2 wmi-1.3.16.tar_.bz2

tar -xvf wmi-1.3.16.tar_

cd wmi-1.3.16/

After above, I need edit some line of file to make and build this WMI.

vim Samba/source/pidl/pidl

:583 (to jump to line 583)

remove the word defined before @$pidl

:wq

========= Look here =============

$pidl = Parse::Pidl::IDL::parse_file($idl_file, \@opt_incdirs);

defined @$pidl || die "Failed to parse $idl_file"; >>>> @$pidl || die "Failed to parse $idl_file";

require Parse::Pidl::Typelist;

=============================

And I need export some values also.

export ZENHOME=/usr

make "CPP=gcc -E -ffreestanding"

cp Samba/source/bin/wmic /bin

Now, I can use WMI and WMI-wrapper. From now, I will do some sample code.

3. Create the sample code.

I will create some sample code to obtain the Window Processor Information.

import wmi_client_wrapper as wmi

wmic = wmi.WmiClientWrapper(

username="Administrator",

password="password",

host="172.22.0.123",

)

output = wmic.query("SELECT * FROM Win32_Processor")

After run this command, I will get some result with JSON format.

# ./sample.py

[{'L2CacheSize': '0', 'VMMonitorModeExtensions': False, 'ConfigManagerErrorCode': '0', 'VoltageCaps': '0', 'PowerManagementSupported': False, 'LoadPercentage': '12', 'SerialNumber': '', 'ThreadCount': '0', 'Version': '', 'MaxClockSpeed': '2400', 'CpuStatus': '1', 'PartNumber': '', 'SecondLevelAddressTranslationExtensions': False, 'Revision': '16130', 'Status': 'OK', 'PNPDeviceID': None, 'L2CacheSpeed': '0', 'AddressWidth': '64', 'ConfigManagerUserConfig': False, 'ErrorCleared': False, 'ProcessorId': '1789FBFF000306F2', 'ProcessorType': '3', 'DeviceID': 'CPU0', 'CurrentVoltage': '0', 'CurrentClockSpeed': '2400', 'Manufacturer': 'GenuineIntel', 'Name': 'Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz', 'InstallDate': None, 'Level': '6', 'AssetTag': '', 'SocketDesignation': 'CPU 1', 'NumberOfCores': '1', 'Caption': 'Intel64 Family 6 Model 63 Stepping 2', 'StatusInfo': '3', 'Architecture': '9', 'UniqueId': None, 'PowerManagementCapabilities': 'NULL', 'OtherFamilyDescription': None, 'Description': 'Intel64 Family 6 Model 63 Stepping 2', 'CreationClassName': 'Win32_Processor', 'NumberOfLogicalProcessors': '1', 'Family': '5', 'ErrorDescription': None, 'Characteristics': '2816', 'UpgradeMethod': '1', 'SystemName': 'EC2AMAZ-JC32MSV', 'NumberOfEnabledCore': '108', 'LastErrorCode': '0', 'ExtClock': '0', 'Stepping': None, 'VirtualizationFirmwareEnabled': False, 'Role': 'CPU', 'L3CacheSize': '0', 'L3CacheSpeed': '0', 'Availability': '3', 'SystemCreationClassName': 'Win32_ComputerSystem', 'DataWidth': '64'}]

4. Troubleshooting

During I try this, I do not open any security rule for this. I am question for this. I want to know if what port is used for this running. I dump the packet on my host. "135" Port are used. This port is RPC for Window. It is default opened.

04:19:44.298786 IP 172.22.0.216.46372 > 172.22.0.123.135: Flags [S], seq 2010311507, win 26883, options [mss 8961,sackOK,TS val 2762852 ecr 0,nop,wscale 7], length 0

04:19:44.299089 IP 172.22.0.123.135 > 172.22.0.216.46372: Flags [S.], seq 1265146297, ack 2010311508, win 8192, options [mss 8961,nop,w cale 8,sackOK,TS val 1122704139 ecr 2762852], length 0

04:19:44.299098 IP 172.22.0.216.46372 > 172.22.0.123.135: Flags [.], ack 1, win 211, options [nop,nop,TS val 2762853 ecr 1122704139], length 0

I run "netstat -an" on Window. The result is look like below.

TCP 172.22.0.123:59796 52.23.123.168:443 ESTABLISHED

TCP 172.22.0.123:60018 198.252.206.25:443 ESTABLISHED

TCP [::]:135 [::]:0 LISTENING

TCP [::]:445 [::]:0 LISTENING

Reference

[ 1 ] https://www.shellandco.net/wmic-command-ubuntu-16-04-lts/

[ 2 ] https://askubuntu.com/questions/885407/installing-wmic-on-ubuntu-16-04-lts

[ 3 ] https://github.com/kanzure/python-wmi-client-wrapper

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu? (0)	2018.10.19
How to use etcd (multi-machine cluster basic mode) in Ubuntu? (0)	2018.10.19
How does create Intermediate certificate with openssl? (0)	2018.10.19
How to use ECDSA? (0)	2018.10.18
How to use the public, private key-pair and certificate? (0)	2018.10.16

PREV 이전 1 2 3 4 5 NEXT 다음

netgo