PKI
Overview
PKI or Public Key Infrastructure is a system of processes, technologies, and policies that allows the encryption and signing of data.
This package provides commands for the opsview user to generate a Root CA and self-signed SSL certificates issued by that CA. The package name in the repositories is opsview-pki.
- Generates root, client and server SSL certificates.
- It is recommended to install it on the master server.
- This component does not depend on opsview-watchdog.
SSL
An older name for TLS (Transport Layer Security), a family of cryptographic protocols used to provide communications security over computer networks.
Root CA
The certificate authority which signs all created server and client certificates.
Dependencies
The package has no external dependencies; it can be installed on any system which has the package-level dependencies opsview-setup and openssl installed. It is recommended, however, to install this package on the server where opsview-orchestrator is installed.
Installation
Refer to Advanced Automated Installation.
Configuration
Note
This step is automatically performed by Opsview Deploy and should not be run again. You can check this by looking for /opt/opsview/etc/ssl/ca.crt. If this file exists, no further configuration steps are required.
Configuration of this component requires running the /opt/opsview/pki/bin/pki command as shown below.
Run the following command as the root user.
# /opt/opsview/pki/bin/pki init
# This takes you through a series of questions; an extract of that interaction is below.
Preparing initial configuration
Please select your Distinguished Name (org or cn_only): org
Please enter the common name: e.g. widgits.com
Please enter your Country Name (2 letter code): UK
Please enter your State or Province Name (full name): Berkshire
Please enter your Locality Name (eg, city): Reading
Please enter your Organization Name (e.g. company): Opsview
Please enter your Email Address: admin@opsview.com
Please enter your Organizational Unit Name (e.g. section): Development
Please enter validity of Certificates (including CA) in days: 3650
Please select certificate type (rsa or ec): rsa
Please enter your RSA key size: 2048
Please enter your Cryptographic digest to use: sha256
Configuration file created
Initilizing SSL infrastructure
* Setting up your environment
* Generating DH prime numbers
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................+++*++*
* Generating root CA
Generating a 2048 bit RSA private key
.........+++
...................................................................................+++
writing new private key to '/opt/opsview/pki/ssl/private/ca.key.TnBhItygFP'
-----
ROOT CA certificate is now available in /opt/opsview/etc/ssl/ca.crt
If you have answered all questions correctly, you should find the Root CA certificate at /opt/opsview/etc/ssl/ca.crt.
Generating certificates
With the initial setup above complete, generating certificates is straightforward, as shown in the code blocks below.
Note
When generating certificates, make sure the common name given to the client-cert and server-cert commands is unique, as OpenSSL cannot process two requests with the same common name.
Server certificate
This step creates server certificates, which may be used when securing the Opsview Agent. It uses the defaults from /opt/opsview/pki/etc/vars to generate the certificate.
Run the pki command with the server-cert parameter as the root user.
# /opt/opsview/pki/bin/pki server-cert opsview.com
Generating a 2048 bit RSA private key
........+++
...........+++
writing new private key to '/opt/opsview/pki/ssl/private/opsview.com.key.Qwbjr72AQh'
-----
Using configuration from /opt/opsview/pki/libexec/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :'UK'
stateOrProvinceName   :'Berkshire'
localityName          :'Reading'
organizationName      :'Opsview'
organizationalUnitName:'Development'
commonName            :'opsview.com'
emailAddress          :'admin@opsview.com'
Certificate is to be certified until Feb 27 15:25:05 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Server certificate is now available in /opt/opsview/etc/ssl/opsview.com.pem
Client certificate
This uses the defaults from /opt/opsview/pki/etc/vars to generate a client certificate.
Run the pki command with the client-cert parameter as the root user.
# /opt/opsview/pki/bin/pki client-cert opsview-client
Generating a 2048 bit RSA private key
............................................+++
..........+++
writing new private key to '/opt/opsview/pki/ssl/private/opsview-client.key.j2YPqNF9Jq'
-----
Using configuration from /opt/opsview/pki/libexec/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :'UK'
stateOrProvinceName   :'Berkshire'
localityName          :'Reading'
Write out database with 1 new entries
Data Base Updated
Client certificate is now available in /opt/opsview/etc/ssl/opsview-client.pem
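Before the server and client .pem files are copied to other hosts, it is worth checking them the way a practitioner would. The script below is an added example and not part of the opsview-pki package: it builds a throwaway CA plus one server and one client certificate with plain openssl(1) in a temporary directory, mirroring the file layout above (ca.crt, and <common name>.pem holding key and certificate), then verifies the chain against ca.crt, confirms the private key belongs to its certificate, checks remaining validity, prints the common name to use later for HAProxy's verifyhost, and lists duplicate common names (the condition the Note above warns about). The subject values, directory layout and openssl invocations are assumptions made for this example; the real pki tool drives openssl through its own configuration.

```sh
#!/bin/sh
# Added example, not part of opsview-pki. Builds a throwaway CA, a server and a
# client certificate with openssl(1) under a temporary directory and checks them
# the way the files written by /opt/opsview/pki/bin/pki should be checked.
# Subject values, file names and the openssl commands are assumptions made for
# this example; the real pki tool drives openssl through its own config.
set -u

# issue_cert DIR CN KIND: key + CSR for CN, signed by DIR/ca.crt, bundled into
# DIR/CN.pem as private key followed by certificate (assumed to be the layout
# pki writes; HAProxy's crt keyword accepts it). KIND is "server" or "client".
issue_cert() {
    dir=$1; cn=$2; kind=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=UK/O=Opsview/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null || return 1
    if [ "$kind" = server ]; then eku=serverAuth; else eku=clientAuth; fi
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$dir/$cn.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/$cn.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$cn.ext" -out "$dir/$cn.crt" 2>/dev/null || return 1
    cat "$dir/$cn.key" "$dir/$cn.crt" > "$dir/$cn.pem"
    rm -f "$dir/$cn.key" "$dir/$cn.csr" "$dir/$cn.crt" "$dir/$cn.ext"
}

# make_demo_pki DIR: self-signed root CA plus one server and one client cert.
make_demo_pki() {
    mkdir -p "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=UK/O=Opsview/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    issue_cert "$1" monit.opsview.com server && issue_cert "$1" opsview-client client
}

# cert_cn PEM: print the commonName, i.e. the value for HAProxy's verifyhost.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_cert CA PEM DAYS: return 0 if PEM chains to CA, its private key matches
# its certificate and it stays valid for at least DAYS days; otherwise print
# the reason and return 1.
check_cert() {
    ca=$1; pem=$2; days=$3
    # x509 extracts the certificate block; verify reads it from stdin
    openssl x509 -in "$pem" 2>/dev/null | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
        { echo "chain: $pem does not verify against $ca"; return 1; }
    certpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    [ -n "$keypub" ] && [ "$certpub" = "$keypub" ] ||
        { echo "key: private key in $pem does not match its certificate"; return 1; }
    openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
        { echo "expiry: $pem expires within $days days"; return 1; }
    return 0
}

# duplicate_cns DIR: common names used by more than one .pem in DIR. Should
# print nothing: the Note above says OpenSSL will not sign a second request
# for the same common name.
duplicate_cns() {
    for f in "$1"/*.pem; do cert_cn "$f"; done | sort | uniq -d
}

# demo: build the throwaway PKI, run every check, clean up; 0 if all pass.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    rc=0
    for f in "$d"/*.pem; do
        printf '%s: CN=%s\n' "$f" "$(cert_cn "$f")"
        check_cert "$d/ca.crt" "$f" 30 || rc=1
    done
    dup=$(duplicate_cns "$d")
    [ -z "$dup" ] || { echo "duplicate common names: $dup"; rc=1; }
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = --demo ]; then demo; fi
```

Run it as `sh pki-check.sh --demo` for the throwaway PKI, or call check_cert and cert_cn directly against /opt/opsview/etc/ssl/ca.crt and the real .pem files; a 30-day threshold gives time to reissue before an expiry breaks the load balancer connections.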
Installing certificates
To demonstrate the usage of the SSL certificates, we have an Opsview 6.0 setup where the messagequeue is installed on a remote host, and the connection between the load balancers of the client (which could be the orchestrator or a collector) and the server (the messagequeue server) is encrypted.
Please be advised that this is not the only scenario which can be encrypted using the SSL certificates. Any component which connects through opsview-loadbalancer can connect using SSL certificates too. Not all scenarios are listed here, but any other setup would be based on the setup given below.
Server certificate install
We are going to install the server certificate on our second server and modify the Loadbalancer config for messagequeue as we want our connection between the loadbalancers encrypted via SSL.
Note that these instructions assume that you have already created your own server certificate, please do not just use the example server certificate that results from following the “Generating Certificates” instructions above.
# Copy the server certificate and the CA certificate to the remote host where messagequeue and datastore are installed.
# The certificate file name must match the crt path used in messagequeue.cfg below.
$ sudo rsync -gov /opt/opsview/etc/ssl/monit.opsview.com.pem /opt/opsview/etc/ssl/ca.crt <root_user>@<messagequeue_hostname_or_IP_address_here>:/opt/opsview/etc/ssl/
# ssh to the messagequeue server and edit messagequeue.cfg for the loadbalancer on that server. Add the following lines to the config file.
$ sudo vim /opt/opsview/loadbalancer/etc/messagequeue.cfg
listen messagequeue
bind 0.0.0.0:35672 ssl crt /opt/opsview/etc/ssl/monit.opsview.com.pem ca-file /opt/opsview/etc/ssl/ca.crt verify required no-sslv3
...
server messagequeue 127.0.0.1:5672 check inter 5s
# Save the file and restart opsview-loadbalancer.
$ sudo /opt/opsview/watchdog/bin/opsview-monit restart opsview-loadbalancer
Client certificate install
Next, assuming that we created our certificates on the Orchestrator, we are simply going to modify the Loadbalancer config for messagequeue as we want our connection between the loadbalancers encrypted via SSL.
Note: These instructions assume that you have already created your own client certificate, please don’t just use the example client certificate that results from following the “Generating Certificates” instructions above.
# Open the messagequeue.cfg in vim or whichever editor you prefer.
$ sudo vim /opt/opsview/loadbalancer/etc/messagequeue.cfg
# Edit the lines below or add them if they do not exist.
listen messagequeue
bind 0.0.0.0:35672
...
server messagequeue <Remote server hostname or IP address>:35672 ssl ca-file /opt/opsview/etc/ssl/ca.crt crt /opt/opsview/etc/ssl/client.opsview.com.pem verify required verifyhost <Common name of the server certificate> no-sslv3
# Restart the loadbalancer
$ sudo /opt/opsview/watchdog/bin/opsview-monit restart opsview-loadbalancer
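A single keyword dropped from the bind or server line above (verify required, ca-file, no-sslv3, verifyhost) leaves the pathway running but weakly authenticated, and HAProxy will not complain. The following is an added configuration check, not part of opsview-loadbalancer, that lints a messagequeue.cfg: every bind or server line that enables ssl must carry crt, ca-file, "verify required" and no-sslv3, and server lines must also carry verifyhost; lines without ssl are treated as plain-text pathways and skipped. The two sample configurations written by write_sample are constructed for this example (the mq.example.internal host, the 10.0.0.5 address and the "verify none" line are made up to show a correct and a weak setup); the checker itself is plain POSIX sh and awk.

```sh
#!/bin/sh
# Added example, not part of opsview-loadbalancer. Lints the TLS settings of
# HAProxy bind/server lines in a messagequeue.cfg against the settings the
# documentation above uses: crt, ca-file, "verify required", no-sslv3 and, on
# server lines, verifyhost. A line without "ssl" is a plain-text pathway and
# is skipped. The sample configurations below are constructed for this example.

# lint_messagequeue_cfg FILE: print one finding per weak line; return 1 if any.
lint_messagequeue_cfg() {
    awk '
    # has(word): 1 if one of the whitespace-separated keywords equals word
    function has(word,    i) {
        for (i = 1; i <= NF; i++) if ($i == word) return 1
        return 0
    }
    # "verify required" is a two-word setting: both words must be adjacent,
    # so "verify none" or a bare "required" does not count
    function has_pair(a, b,    i) {
        for (i = 1; i < NF; i++) if ($i == a && $(i + 1) == b) return 1
        return 0
    }
    $1 == "bind" || $1 == "server" {
        if (!has("ssl")) next
        missing = ""
        if (!has("crt"))                     missing = missing " crt"
        if (!has("ca-file"))                 missing = missing " ca-file"
        if (!has_pair("verify", "required")) missing = missing " verify-required"
        if (!has("no-sslv3"))                missing = missing " no-sslv3"
        if ($1 == "server" && !has("verifyhost")) missing = missing " verifyhost"
        if (missing != "") {
            printf "%s:%d: %s %s is missing:%s\n", FILENAME, NR, $1, $2, missing
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample good|weak FILE: constructed messagequeue.cfg fragments. "good"
# collects the server-side lines above, the optional non-SSL LAN pathway and a
# client-side server line in one file so every rule gets a passing case;
# "weak" drops most keywords and lets the client skip verification.
write_sample() {
    case $1 in
    good) cat > "$2" <<'EOF'
listen messagequeue
    bind 0.0.0.0:35672 ssl crt /opt/opsview/etc/ssl/monit.opsview.com.pem ca-file /opt/opsview/etc/ssl/ca.crt verify required no-sslv3
    server messagequeue 127.0.0.1:5672 check inter 5s
listen messagequeue-no-ssl
    bind 0.0.0.0:35673
    server messagequeue 127.0.0.1:5672 check inter 5s
listen messagequeue-client
    bind 0.0.0.0:35674
    server messagequeue mq.example.internal:35672 ssl ca-file /opt/opsview/etc/ssl/ca.crt crt /opt/opsview/etc/ssl/client.opsview.com.pem verify required verifyhost monit.opsview.com no-sslv3
EOF
        ;;
    weak) cat > "$2" <<'EOF'
listen messagequeue
    bind 0.0.0.0:35672 ssl crt /opt/opsview/etc/ssl/monit.opsview.com.pem
    server messagequeue 10.0.0.5:35672 ssl verify none
EOF
        ;;
    *) echo "usage: write_sample good|weak FILE" >&2; return 2 ;;
    esac
}

# Usage: sh lint-messagequeue.sh /opt/opsview/loadbalancer/etc/messagequeue.cfg
if [ $# -eq 1 ]; then lint_messagequeue_cfg "$1"; fi
```

Running the checker over the real file after each edit, and again after the optional LAN pathway is added, is enough to catch the case where a keyword was mistyped or left out; the exit status lets it sit in a deployment pipeline before the opsview-loadbalancer restart.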
Testing the SSL connection
To verify that the client and server can connect using the generated certificates, run the following commands on the server and the client respectively.
# On the server run the following command (-CAfile lets s_server verify the client certificate it requests with -verify):
$ openssl s_server -msg -verify 1 -accept 35672 -cert /opt/opsview/etc/ssl/monit.opsview.com.pem -CAfile /opt/opsview/etc/ssl/ca.crt -state -debug -no_ssl3 -tls1_2
# On the client run the following command; a successful mutual handshake ends with "Verify return code: 0 (ok)":
$ openssl s_client -connect <Remote server hostname or IP address>:35672 -verify 1 -CAfile /opt/opsview/etc/ssl/ca.crt -cert /opt/opsview/etc/ssl/client.opsview.com.pem -showcerts -state -tls1_2 -msg -debug
Allowing for Non-SSL traffic within a LAN at the same time as SSL from a WAN (Optional)
For encrypting traffic between datacenters while leaving messages within the LAN unencrypted, it is possible to add another pathway to the Loadbalancer config for messagequeue for local traffic:
- Server — listens on 2 ports, one SSL for WAN traffic and one non-SSL for LAN traffic.
- Client on same LAN — talks to the non-SSL port on the server.
- Client on WAN — talks to the SSL port on the server (configuration is unchanged from the instructions above).
Server
# Open the messagequeue.cfg in vim or whichever editor you prefer.
$ sudo vim /opt/opsview/loadbalancer/etc/messagequeue.cfg
# Keep the ssl lines the same as they were entered in the previous step
listen messagequeue
bind 0.0.0.0:35672 ssl crt /opt/opsview/etc/ssl/monit.opsview.com.pem ca-file /opt/opsview/etc/ssl/ca.crt verify required no-sslv3
...
server messagequeue 127.0.0.1:5672 check inter 5s
# Just below in the file, include another pathway for non-SSL traffic
# IMPORTANT: Set the bind port to a spare port (e.g. 35673). Other components on the LAN connect to this port number.
listen messagequeue-no-ssl
bind 0.0.0.0:35673
...
server messagequeue 127.0.0.1:5672 check inter 5s
# Restart the loadbalancer
$ sudo /opt/opsview/watchdog/bin/opsview-monit restart opsview-loadbalancer
Client on same LAN
# Open the messagequeue.cfg in vim or whichever editor you prefer.
$ sudo vim /opt/opsview/loadbalancer/etc/messagequeue.cfg
# IMPORTANT: Set the server port to the listening non-SSL port on the server. (e.g. 35673)
listen messagequeue
bind 0.0.0.0:35672
...
server messagequeue <Remote server hostname or IP address>:35673
# Restart the loadbalancer
$ sudo /opt/opsview/watchdog/bin/opsview-monit restart opsview-loadbalancer
Management
To recreate the CA, delete the following directories and files as the Opsview user, then run pki init again.
$ rm /opt/opsview/pki/etc/vars
$ rm -rf /opt/opsview/pki/ssl
$ rm -rf /opt/opsview/etc/ssl/*
# Run pki again
$ /opt/opsview/pki/bin/pki init