public inbox for systemtap@sourceware.org
* Systemtap Compile Server Phase 2 (SSL) Now Available
@ 2008-12-25  6:52 Dave Brolley
From: Dave Brolley @ 2008-12-25  6:52 UTC (permalink / raw)
  To: systemtap

Hi Everyone,

I just pushed the changes for the next phase of the Systemtap Compile 
Server, which is the use of SSL for secure connection between the client 
and server and for signing of the server's response. This is a first cut 
implementation and some work is still needed to make it more robust and 
easily usable, but you should be able to play around with it now without 
many problems.

The major change, for usability, is in the management of the 
certificates and keys which are used to authenticate each server. 
Currently, much of the work is done for you as follows:

1) Running 'make' will generate a server certificate and key database in 
$bld/ssl/server. A copy of the server's certificate will also be 
generated in $bld/ssl/server/stap-server.cert. A certificate database 
containing the server's certificate will also be created for the 
client's use in $bld/ssl/client.

2) The simplest way to use the client/server is to install it using 
'make install'. This will install the
server's certificate and key in /etc/systemtap/ssl/server and the 
client's copy of the server's certificate in /etc/systemtap/ssl/client. 
You can then simply

    stap-start-server
    stap-client <normal stap arguments>

Note that since the server requires access to its private key, only the 
user who ran the 'make install' can start the server in this way. 
However, any user can use the client against a running server.

3) If you want to run the client or server out of the build tree you can 
use:

      stap-start-server <port> $bld/ssl/server
      stap-client --ssl=$bld/ssl/client <normal stap arguments>

Since the server needs access to its private key, only the user who 
did the 'make' can run the server out of the build tree. However, any 
user can use the client against a running server using the client's copy 
of the certificate from the build tree.

4) Any user can create his own certificate/key in order to start a 
server using

    stap-gen-server-cert <dir>

This will generate a server certificate and key database in 
<dir>/server. A copy of the server's certificate will also be generated 
in <dir>/stap-server.cert. A certificate database containing the 
server's certificate will also be created for the client's use in 
<dir>/client. This user can then start a server using

      stap-start-server <port> <dir>/server
      stap-client --ssl=<dir>/client <normal stap arguments>

Since the server needs access to its private key, only the user who 
generated the certificate/keys can start the server with this 
certificate/key. However, any user can use the client against a running 
server using the client's copy of this certificate.

5) A user wishing to access different servers can either use the --ssl 
option on stap-client each time or he can add the certificate of each 
server he wishes to use to his local certificate database using

    stap-add-server-cert <certfile> <dir>/client

where <certfile> is the stap-server.cert file from the server's 
certificate/key database directory and <dir> is the directory used on 
stap-gen-server-cert. This is analogous to adding your ssh public key to 
the authorized_keys file on machines you wish to access using ssh.

One known bug is that full path names are currently required when 
specifying the certificate database directories on stap-start-server and 
stap-client.

Let me know what you all think and if you see or find any problems.

Thanks,
Dave
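As an added example (not part of Dave's message or of systemtap itself), a small preflight check for a certificate/key directory laid out the way stap-gen-server-cert produces it: it flags a relative path (the known full-path bug), a missing server, client or stap-server.cert entry, and a server key database that is not owned by the invoking user or is readable by others. The function name is hypothetical and GNU stat(1) is assumed.

```shell
# stap_ssl_preflight DIR: hypothetical helper, not shipped with systemtap.
# Checks DIR/server, DIR/client and DIR/stap-server.cert before the directory
# is passed to stap-start-server / stap-client.  Assumes GNU stat(1).
# Prints one line per problem; returns 0 only if every check passes.
stap_ssl_preflight() {
    dir=$1
    rc=0
    # Known limitation in this phase: stap-start-server and stap-client
    # require full path names for the certificate database directories.
    case $dir in
        /*) ;;
        *)  echo "not an absolute path: $dir"; rc=1 ;;
    esac
    for sub in server client; do
        [ -d "$dir/$sub" ] || { echo "missing directory: $dir/$sub"; rc=1; }
    done
    [ -f "$dir/stap-server.cert" ] ||
        { echo "missing certificate copy: $dir/stap-server.cert"; rc=1; }
    if [ -d "$dir/server" ]; then
        # The server must read its private key, so the server database has
        # to be owned by the user who will start the server ...
        if [ "$(stat -c %u "$dir/server")" != "$(id -u)" ]; then
            echo "server key database not owned by $(id -un): $dir/server"
            rc=1
        fi
        # ... and nobody else should be able to read it (group/other bits 0).
        case $(stat -c %a "$dir/server") in
            *00) ;;
            *)   echo "server key database readable by others: $dir/server"
                 rc=1 ;;
        esac
    fi
    return $rc
}
```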
