Difference between revisions of "Tortixd"

From Atomicorp Wiki
Latest revision as of 13:37, 15 November 2014

= Introduction =

Tortixd is the web console daemon for ASL.

== Settings ==

There is currently only one user-configurable setting for Tortixd: its Access Control List (ACL) system.

=== ACL system ===

To allow access to tortixd only from certain IPs, add those IPs to this file:

/etc/asl/firewall/tortixd-access-list

One IP or CIDR per line. For example:

1.2.3.4
10.0.0.0/8

Then reload the ASL security policy:

asl -s -f

This will block, and log, any access to port 30000 from IPs not on that list. Repeated connection attempts will also result in the offending IP being shunned.

If you want to allow all IPs to connect (this opens up the ASL web login page to everybody), add the following line to /etc/asl/firewall/tortixd-access-list:

0.0.0.0/0
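The following script is an added example, not part of ASL or tortixd: it validates a tortixd-access-list file in the format described above and answers whether a given client IP would be allowed to reach port 30000, warning when the file contains the open-to-everyone entry. It assumes IPv4 entries only and that the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of ASL or tortixd: validate a tortixd-access-list
# and answer "would this client IP reach port 30000?" before you reload the
# policy with `asl -s -f`. Assumes the documented format: one IPv4 address
# or CIDR block per line (blank lines ignored). IPv6 is not handled here.

# ip2int A.B.C.D -> the address as a 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP ENTRY -> 0 if IP lies inside ENTRY (bare address or a.b.c.d/n).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32            # no "/n": a single host
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# acl_allows FILE IP -> 0 if an entry matches IP, 1 if tortixd would block
# and log it, 2 if FILE holds a line that is not a valid IPv4 address/CIDR.
acl_allows() {
    file=$1; ip=$2; allowed=1
    octet='(25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})'
    re="^($octet\.){3}$octet(/([0-9]|[12][0-9]|3[0-2]))?\$"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # tolerate CRLF etc.
        [ -z "$line" ] && continue
        if ! printf '%s\n' "$line" | grep -Eq "$re"; then
            echo "$file: invalid entry '$line'" >&2
            return 2
        fi
        if [ "$line" = "0.0.0.0/0" ]; then
            echo "$file: 0.0.0.0/0 present, the web console is open to every IP" >&2
        fi
        in_cidr "$ip" "$line" && allowed=0
    done < "$file"
    return $allowed
}
```

Run it as `acl_allows /etc/asl/firewall/tortixd-access-list <client-ip>` and check the exit status; a non-zero status with no error message means that client would be blocked and logged.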

== Log files ==

Tortixd uses the following directory for its log files:

/var/log/tortixd

=== asl_access_log ===

This contains any access requests to the non-SSL protected ASL web console port. This is disabled by default. By default the ASL web console will only allow connections to its SSL port, so this file should be empty. If it is not, someone has enabled non-SSL access to the ASL web console.

=== asl_error_log ===

This contains general errors the ASL web console has encountered.

=== asl_ssl_access_log ===

This contains any access requests to the SSL protected ASL web console port. By default the ASL web console will only allow connections to its SSL port.

=== asl_ssl_error_log ===

This contains general errors with SSL support in the ASL web console, and other general errors the ASL web console may have encountered.

If you are having issues setting up your own SSL certificates, any errors will be logged in this file.

== SSL certificates ==

If you wish to configure the ASL web console to use a different SSL certificate, check with your SSL vendor for instructions on setting up SSL keys and certificates for Apache. Each SSL vendor may require you to change different settings. The ASL web console SSL settings are in this file:

/var/asl/etc/httpd/conf.d/ssl.conf

The following is provided as a courtesy, and should not be used unless you know what you are doing. Always follow the instructions of your SSL vendor.

=== Generic instructions ===

Step 1) Configure Apache to point to your SSL cert, key and CA bundle:

Important Note: These files must be in directories whose permissions allow the tortix user to read them. Unlike apache, for security reasons tortix does NOT start as root, and therefore cannot read arbitrary files on the system.

SSLCertificateFile

This is the path to your certificate file.

Example:

SSLCertificateFile /your/path/to/your.cert

SSLCertificateKeyFile

This is the path to your secret key.

Example:

SSLCertificateKeyFile /your/path/to/your.key

SSLCACertificateFile

This is the path to the CA bundle file. Your SSL provider will provide you with this file.

Example:

SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Step 2) Restart tortixd:

service tortixd restart

Note: If you have questions about generating SSL keys and certs, please contact your SSL vendor.

=== Errors ===

==== x509 certificate routines:X509_check_private_key:key values mismatch ====

This error means the private key file (that you supplied via your configuration) does not match the certificate (that you supplied via your configuration). This can happen if you mix up the key and certificate. You can test this from the command line:

To make sure the files tally, display the modulus value of each file:

openssl rsa -noout -modulus -in FILE.key
openssl req -noout -modulus -in FILE.csr
openssl x509 -noout -modulus -in FILE.cer

If everything matches (same modulus), the files are compatible. If not, one of the files does not belong with the others.

Note: The modulus only applies to private keys and certificates that use the RSA cryptographic algorithm. If you generated an ECC (Elliptic Curve Cryptography) private key, or your certificate uses ECC, you won't find a modulus.
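The following script is an added example, not ASL's or tortixd's own tooling: it wraps the modulus commands above in a function, and adds a public-key comparison that works for ECC as well as RSA, so a key/certificate pair can be checked before it is referenced in ssl.conf and tortixd is restarted. It uses only standard openssl subcommands; the file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of ASL or tortixd: before pointing ssl.conf at a
# new key/certificate pair and restarting tortixd, confirm the two files
# belong together. rsa_modulus is the page's own -modulus check (it prints
# nothing for ECC files); cert_key_match compares the public key instead,
# so it covers the ECC case the note above describes.

# rsa_modulus FILE KIND (key|csr|cert) -> "Modulus=..." for RSA, empty otherwise.
rsa_modulus() {
    case $2 in
        key)  openssl rsa  -noout -modulus -in "$1" ;;
        csr)  openssl req  -noout -modulus -in "$1" ;;
        cert) openssl x509 -noout -modulus -in "$1" ;;
    esac 2>/dev/null
}

# pubkey_pem FILE KIND -> the public key (SubjectPublicKeyInfo PEM) in FILE.
# A key, and the CSR or certificate made from it, yield the same PEM block.
pubkey_pem() {
    case $2 in
        key)  openssl pkey -in "$1" -pubout ;;
        csr)  openssl req  -in "$1" -pubkey -noout ;;
        cert) openssl x509 -in "$1" -pubkey -noout ;;
        *)    return 2 ;;
    esac
}

# pubkey_fingerprint FILE KIND -> sha256 of that PEM block, or status 2.
pubkey_fingerprint() {
    pem=$(pubkey_pem "$1" "$2" 2>/dev/null)
    [ -n "$pem" ] || { echo "cannot read a public key from $1 ($2)" >&2; return 2; }
    printf '%s\n' "$pem" | openssl dgst -sha256 | sed 's/^.*= //'
}

# cert_key_match KEY CERT -> 0 if they belong together, 1 if not, 2 if unreadable.
cert_key_match() {
    k=$(pubkey_fingerprint "$1" key)  || return 2
    c=$(pubkey_fingerprint "$2" cert) || return 2
    if [ "$k" = "$c" ]; then
        echo "OK: $1 matches $2"
    else
        echo "MISMATCH: $1 does not belong to $2 (X509_check_private_key would fail)" >&2
        return 1
    fi
}
```

Run `cert_key_match /your/path/to/your.key /your/path/to/your.cert` as the tortix user so that an unreadable file (status 2) also surfaces the permissions problem mentioned in the Important Note above.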