From: Dave Brolley <brolley@redhat.com>
To: systemtap@sources.redhat.com
Subject: Systemtap Compile Server Phase 2 (SSL) Now Available
Date: Thu, 25 Dec 2008 06:52:00 -0000
Message-ID: <49528CDE.2070508@redhat.com>
Hi Everyone,
I just pushed the changes for the next phase of the Systemtap Compile
Server, which is the use of SSL for secure connection between the client
and server and for signing of the server's response. This is a first cut
implementation and some work is still needed to make it more robust and
easily usable, but you should be able to play around with it now without
many problems.
The major change, for usability, is in the management of the
certificates and keys which are used to authenticate each server.
Currently, much of the work is done for you as follows:
1) Running 'make' will generate a server certificate and key database in
$bld/ssl/server. A copy of the server's certificate will also be
generated in $bld/ssl/server/stap-server.cert. A certificate database
containing the server's certificate will also be created for the
client's use in $bld/ssl/client.
2) The simplest way to use the client/server is to install it using
'make install'. This will install the
server's certificate and key in /etc/systemtap/ssl/server and the
client's copy of the server's certificate in /etc/systemtap/ssl/client.
You can then simply
stap-start-server
stap-client <normal stap arguments>
Note that since the server requires access to its private key, only the
user who ran the 'make install' can start the server in this way.
However, any user can use the client against a running server.
3) If you want to run the client or server out of the build tree you can
use:
stap-start-server <port> $bld/ssl/server
stap-client --ssl=$bld/ssl/client <normal stap arguments>
Since the server needs access to its private key, only the user who
did the 'make' can run the server out of the build tree. However, any
user can use the client against a running server using the client's copy
of the certificate from the build tree.
4) Any user can create his own certificate/key in order to start a
server using
stap-gen-server-cert <dir>
This will generate a server certificate and key database in
<dir>/server. A copy of the server's certificate will also be generated
in <dir>/stap-server.cert. A certificate database containing the
server's certificate will also be created for the client's use in
<dir>/client. This user can then start a server using
stap-start-server <port> <dir>/server
stap-client --ssl=<dir>/client <normal stap arguments>
Since the server needs access to its private key, only the user who
generated the certificate/keys can start the server with this
certificate/key. However, any user can use the client against a running
server using the client's copy of this certificate.
5) A user wishing to access different servers can either use the --ssl
option on stap-client each time or he can add the certificate of each
server he wishes to use to his local certificate database using
stap-add-server-cert <certfile> <dir>/client
where <certfile> is the stap-server.cert file from the server's
certificate/key database directory and <dir> is the directory used on
stap-gen-server-cert. This is analogous to adding your ssh public key to
the authorized_keys file on machines you wish to access using ssh.
One known bug is that full path names are currently required when
specifying the certificate database directories on stap-start-server and
stap-client.
Let me know what you all think and if you see or find any problems.
Thanks,
Dave
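The steps above describe a fixed directory layout produced by stap-gen-server-cert (<dir>/server holding the certificate and key database, <dir>/stap-server.cert, and <dir>/client) and note two constraints: the server's private key must stay accessible only to the user who generated it, and stap-start-server and stap-client currently need full path names. The following POSIX shell helpers are an added example, not part of Dave's post or of the systemtap tree. They validate that layout, resolve a relative directory to the absolute path the tools require, check that the key database directory is not group- or world-accessible, and build the two command lines shown in step 4. The function names, the choice of mode 700 as the expected permission on <dir>/server, and the use of `ls -ld` for a portable permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the announcement): sanity-check a directory
# produced by stap-gen-server-cert before passing it to the stap tools.
# Expected layout, as described in the post:
#   <dir>/server            server certificate + key database
#   <dir>/stap-server.cert  copy of the server certificate
#   <dir>/client            client certificate database

# stap_ssl_dir DIR: print DIR as an absolute path (the stap tools currently
# require full path names); fail if the expected entries are missing.
stap_ssl_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    abs=$(cd "$dir" && pwd -P) || return 1
    for entry in server client stap-server.cert; do
        [ -e "$abs/$entry" ] || { echo "missing $abs/$entry" >&2; return 1; }
    done
    printf '%s\n' "$abs"
}

# stap_key_private DIR: succeed only if DIR/server (assumed to hold the
# private key) grants no group or other permissions, i.e. mode 700/600.
# Columns 5-10 of `ls -ld` output are the group and other permission bits.
stap_key_private() {
    [ -e "$1/server" ] || return 1
    bits=$(ls -ld "$1/server" | cut -c5-10)
    case "$bits" in
        ------) return 0 ;;
        *) echo "$1/server is group/world accessible ($bits); expected 700" >&2
           return 1 ;;
    esac
}

# stap_server_cmd PORT DIR: print the stap-start-server command line for DIR.
stap_server_cmd() {
    abs=$(stap_ssl_dir "$2") || return 1
    stap_key_private "$abs" || return 1
    printf 'stap-start-server %s %s/server\n' "$1" "$abs"
}

# stap_client_cmd DIR ARGS...: print the stap-client command line using
# the client copy of the certificate database under DIR.
stap_client_cmd() {
    abs=$(stap_ssl_dir "$1") || return 1
    shift
    printf 'stap-client --ssl=%s/client %s\n' "$abs" "$*"
}
```

Usage: source the file, then `eval "$(stap_server_cmd 5000 ./mycerts)"` or `eval "$(stap_client_cmd ./mycerts -e 'probe begin { exit() }')"`. The server helper refuses to produce a command when the key database directory is readable by other users, which is the condition the post relies on when it says only the generating user can start the server.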