PKI

Overview Copied

PKI or Public Key Infrastructure is a system of processes, technologies, and policies that allows the encryption and signing of data.

This package provides commands for the opsview user to generate Root CA and self signed SSL certificates using that CA. The package name is opsview-pki in the repos.

SSL Copied

A name for TLS Transport Layer Security. They are cryptographic protocols used to provide communications security, over computer networks.

Root CA Copied

Certificate authority which will sign all created server and client certificates.

Dependencies Copied

The package has no external dependencies; it can be installed on any system which has the package level dependency opsview-setup and openssl installed. It is recommended, however, for this package to be installed on the server where opsview-orchestrator is installed.

Installation Copied

Refer to Advanced Automated Installation.

Configuration Copied

Note

This step is automatically performed by Opsview Deploy and should not be run again. You can check this by looking for /opt/opsview/etc/ssl/ca.crt. If this file exists, then no further configuration steps are required.

Configuration of this component requires running of the /opt/opsview/pki/bin/pki command as shown below.

Run the following command as the root user.

# /opt/opsview/pki/bin/pki init
#This should take you through a series of questions and extract of that interaction is below.

Preparing initial configuration
Please select your Distinguished Name (org or cn_only): org
Please enter the common name:e.g widgits.com
Please enter your Country Name (2 letter code): UK
Please enter your State or Province Name (full name): Berkshire
Please enter your Locality Name (eg, city): Reading
Please enter your Organization Name (e.g. company): Opsview
Please enter your Email Address: admin@opsview.com
Please enter your Organizational Unit Name (e.g. section): Development
Please enter validity of Certificates (including CA) in days: 3650
Please select certificate type (rsa or ec): rsa
Please enter your RSA key size: 2048
Please enter your Cryptographic digest to use: sha256
Configuration file created\n
Initilizing SSL infrastructure
 * Setting up your environment
 * Generating DH prime numbers
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................+++*++*
 * Generating root CA
Generating a 2048 bit RSA private key
.........+++
...................................................................................+++
writing new private key to '/opt/opsview/pki/ssl/private/ca.key.TnBhItygFP'
-----
ROOT CA certificate is now available in /opt/opsview/etc/ssl/ca.crt

If you have answered all questions correctly you should find the Root CA certificate in the /opt/opsview/etc/ssl/ca.crt.

Generating certificates Copied

As we have done the initial setup above the generating of the certificates is fairly easy as mentioned in the code block below.

Note

When generating certificates, please make sure the common name given to the command params client-cert and server-cert are unique as OpenSSL cannot generate requests on the same common name.

Server certificate Copied

This step is used to create server certificates which may be used when securing the Opsview Agent.

This will use the defaults from the /opt/opsview/pki/etc/vars to generate the certificate. Run the following command as the root user.

Run the pki command with the server-cert param.

# /opt/opsview/pki/bin/pki server-cert opsview.com
Generating a 2048 bit RSA private key
........+++
...........+++
writing new private key to '/opt/opsview/pki/ssl/private/opsview.com.key.Qwbjr72AQh'
-----
Using configuration from /opt/opsview/pki/libexec/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          : 'UK'
stateOrProvinceName   :'Berkshire'
localityName          :'Reading'
organizationName      :'Opsview'
organizationalUnitName:'Development'
commonName            :'opsview.com'
emailAddress          :'admin@opsview.com'
Certificate is to be certified until Feb 27 15:25:05 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Server certificate is now available in /opt/opsview/etc/ssl/opsview.com.pem

Client certificate Copied

This will use the defaults from the /opt/opsview/pki/etc/vars to generate a client certificate. Run the following command as the root user.

Run the pki command with client-cert param.

# /opt/opsview/pki/bin/pki client-cert opsview-client
Generating a 2048 bit RSA private key
............................................+++
..........+++
writing new private key to '/opt/opsview/pki/ssl/private/opsview-client.key.j2YPqNF9Jq'
-----
Using configuration from /opt/opsview/pki/libexec/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :'UK'
stateOrProvinceName   :'Berkshire'
localityName          :'Reading'

Write out database with 1 new entries
Data Base Updated
Client certificate is now available in /opt/opsview/etc/ssl/opsview-client.pem

Installing certificates Copied

To demonstrate the usage of the SSL certs, we have an opsview 6.0 setup where the messagequeue is installed on a remote host, and the connection between load balancers of the client (could be orchestrator or collector) and server (messagequeue server) is encrypted.

Please be advised this is not the only possible scenario which can be encrypted using the ssl certificates. Any components which use opsview-loadbalancer to connect can be used to connect using SSL certificates too. Not all scenarios are listed here, but any other setup would be based on the setup given below.

Server certificate install Copied

We are going to install the server certificate on our second server and modify the Loadbalancer config for messagequeue as we want our connection between the loadbalancers encrypted via SSL.

Note that these instructions assume that you have already created your own server certificate, please do not just use the example server certificate that results from following the “Generating Certificates” instructions above.

# Copy the Server cert created to the remote host where messagequeue and datastore is installed.
$ sudo rsync -gov /opt/opsview/etc/ssl/monitor.opsview.com.pem /opt/opsview/etc/ssl/ca.crt <root_user>@<messagequeue_hostname_or_IP_address_here>:/opt/opsview/etc/ssl/
# ssh to the messagequeue server and edit the messagequeue.cfg for loadbalancer on that server. Add the following lines in the config file.
$ sudo vim /opt/opsview/loadbalancer/etc/messagequeue.cfg

listen messagequeue
        bind            0.0.0.0:35672 ssl crt /opt/opsview/etc/ssl/monit.opsview.com.pem ca-file /opt/opsview/etc/ssl/ca.crt verify required no-sslv3
        ...
        server          messagequeue 127.0.0.1:5672 check inter 5s

#save the file and restart opsview-loadbalancer.
$ sudo /opt/opsview/watchdog/bin/opsview-monit restart opsview-loadbalancer

Client certificate install Copied

Next, assuming that we created our certificates on the Orchestrator, we are simply going to modify the Loadbalancer config for messagequeue as we want our connection between the loadbalancers encrypted via SSL.

Note: These instructions assume that you have already created your own client certificate, please don’t just use the example client certificate that results from following the “Generating Certificates” instructions above.

# Open the messagequeue.cfg in vim or whichever editor you prefer.
$ sudo vim /opt/opsview/loadbalancer/etc/messagequeue.cfg

# Edit the lines below or add them if they do not exist.
listen messagequeue
        bind            0.0.0.0:35672
        ...
        server           messagequeue <Remote server hostname or IP address>:35672 ssl ca-file /opt/opsview/etc/ssl/ca.crt crt /opt/opsview/etc/ssl/client.opsview.com.pem verify required verifyhost <Common name of the server certificate> no-sslv3

# Restart the loadbalancer
$ sudo /opt/opsview/watchdog/bin/opsview-monit restart opsview-loadbalancer

Testing the SSL connection Copied

To verify that we can connect using the generated certificates between client and server we can run the following commands on the client and server respectively.

# On the server run the following command:
$ openssl s_server -msg -verify 1 -accept 35672 -cert /opt/opsview/etc/ssl/monit.opsview.com.pem -state -debug -no_ssl3 -tls1_2
# On the client run the following command:
$ openssl s_client -connect <Remote server hostname or IP address>:35672 -verify 1 -CAfile /opt/opsview/etc/ssl/ca.crt -cert /opt/opsview/etc/ssl/client.opsview.com.pem -showcerts -state -tls1_2 -msg -debug 

Allowing for Non-SSL traffic within a LAN at the same time as SSL from a WAN (Optional) Copied

For encrypting traffic between datacenters while leaving messages within the LAN unencrypted, it is possible to add another pathway to the Loadbalancer config for messagequeue for local traffic:

Server Copied

# Open the messagequeue.cfg in vim or whichever editor you prefer.
$ sudo vim /opt/opsview/loadbalancer/etc/messagequeue.cfg

# Keep the ssl lines the same as they were entered in the previous step
listen messagequeue
        bind            0.0.0.0:35672 ssl crt /opt/opsview/etc/ssl/monit.opsview.com.pem ca-file /opt/opsview/etc/ssl/ca.crt verify required no-sslv3
        ...
        server          messagequeue 127.0.0.1:5672 check inter 5s


# Just below in the file, include another pathway for non-SSL traffic 
# IMPORTANT: Set the bind port to a spare port. This port number is needed for other components in the LAN to connect using (e.g. 35673)
listen messagequeue-no-ssl
        bind            0.0.0.0:35673 
        ...
        server          messagequeue 127.0.0.1:5672 check inter 5s
 
# Restart the loadbalancer
$ sudo /opt/opsview/watchdog/bin/opsview-monit restart opsview-loadbalancer

Client on same LAN Copied

# Open the messagequeue.cfg in vim or whichever editor you prefer.
$ sudo vim /opt/opsview/loadbalancer/etc/messagequeue.cfg

# IMPORTANT: Set the server port to the listening non-SSL port on the server. (e.g. 35673)
listen messagequeue
        bind            0.0.0.0:35672
        ...
        server           messagequeue <Remote server hostname or IP address>:35673 

# Restart the loadbalancer
$ sudo /opt/opsview/watchdog/bin/opsview-monit restart opsview-loadbalancer

Management Copied

To recreate the CA, users will have to delete the following directories and files as the Opsview user.

$ rm /opt/opsview/pki/etc/vars
$ rm -rf /opt/opsview/pki/ssl
$ rm -rf /opt/opsview/etc/ssl/*
# Run pki again
$ /opt/opsview/pki/bin/pki init
["Opsview"] ["User Guide"]

Was this topic helpful?