SSL connection isn't working

[kvaps]

As I understand it is not implemented yet?

# linstor node create m8c2 10.36.129.92 --communication-type SSL
ERROR:
Description:
    Registration of node 'm8c2' failed due to an unknown exception.
Details:
    Node: m8c2

ErrorReport-5BB35A2A-00000-000000.log

[kvaps]

same for 0.6.5

[rp-]

As I understand it is not implemented yet?

It is implemented, but not documented or very well tested.

It isn't as simple as adding satellites with SSL communication type, you would need to create a keystore file and a trustdb and also configure all satellite with an SSL connection.

[raltnoeder]

Encrypted controller-satellite communication is only half-implemented, because there is no mutual authentication yet. So it's only half useful as of now, because anyone could connect to a satellite and pretend to be a controller.

Client-controller connections do work (one of our debug console clients has used SSL connections since mid 2017), but SSL is not yet implemented in the current LINSTOR CLI client.

For SSL connections to work, the server's private key and certificate must be stored in a keystore file, and the certificate of the certificate authority that signed the server certificates must be in a truststore file. An SSL connector must be configured in the controller configuration, and the keystore, truststore and passphrases for the entries stored in those files must be set for that connector.
For controller-satellite communication, it will be necessary to add either a shared secret or a client certificate in the future, as this will be required for mutual authentication. This is the part that is not yet implemented and therefore not required as of now.

[kvaps]

@rp-, @raltnoeder thanks, I see. It's not critical now.

About certificate authority and host certificates itself, do I right understand that simple using FreeIPA can automate this process in the future?

For now I just want to avoid any commands execution on controller from satellite nodes. Is there any plans for adding simple authentication algorithm, like passphrase/access token?

I don't like the idea that everyone can do everything on the controller if I allow access from the satellites to it.

[raltnoeder]

I have not used FreeIPA, but at first glance, the description of it does not say anything about FreeIPA's ability to manage SSL certificates.

Satellite connection are only privileged to update certain information using certain APIs (e.g., update the free space information on storage pools). Apart from that, a satellite connection is subject to the same security limitations as any other connection to the controller.

If mandatory authentication is enabled, controller commands can only be issued after signing in with a valid identity/password combination. At the RBAC and MAC security levels, access to controller objects (such as nodes, resources, etc.) are subject to access control checks, regardless of whether mandatory authentication is enabled or disabled (connections that have not signed in are assigned the PUBLIC role and PUBLIC security domain).

[kvaps]

freeipa

FreeIPA can manage certificates.
I think it can be really helpful for the linstor. (take a look if you interested in it)
Any way, I was interested more into authentication mechanism than SSL.

If mandatory authentication is enabled, controller commands can only be issued after signing in with a valid identity/password combination

Could you little describe please, how can I configure lintor-client and controller for use password-enabled authentication for execute remote commands on the controller.

Is it supported by proxmox/kubernetes/opennebula plugins?

[raltnoeder]

As of now, authentication is not implemented on the client side. While it is partly implemented on the server side (by the SignIn API), the server does not yet implement APIs to create identities/credentials, roles, security types/domains and corresponding rules, or to modify the access controls of any objects.
Our internal experiments with those features currently still require manual intervention in the database and modification of the security context associated with client connections using debug functions. In other words, it does not currently have a user interface.

[kvaps]

Hi, I found simplest solution for me

My linstor configured to accept only local connections:

 /usr/share/linstor-server/bin/linstor-config set-plain-listen /etc/linstor/database.cfg 127.0.0.1

Then I've configured stunnel with PSK authentication

On server:

# cat /etc/stunnel/stunnel.conf
[PSK server]
accept = 0.0.0.0:3377
connect = 3376
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt
# cat /etc/stunnel/psk.txt
test1:oaP4EishaeSaishei6rio6xeeph3az
test2:yah5uS4aijooxilier8iaphuwah1Lo

On client:

# cat /etc/stunnel/stunnel.conf
[PSK client 1]
client = yes
accept = 127.0.0.1:3376
connect = linstor-controller:3377
PSKsecrets = /etc/stunnel/psk.txt
# cat /etc/stunnel/psk.txt
test1:oaP4EishaeSaishei6rio6xeeph3az

Afterwards I can use secure connection to the linstor-controller very easy.
I don't even need to specify --controllers option on the clients.
It is uses 127.0.0.1:3376 by default, so connection goes through secure tunnel.

[beornf]

Any updates on implementing mutual SSL authentication for controller-satellite and client-controller connections?

I have configured a keystore and truststore by updating settings on the controller and enabled SSL. Is there a way to turn on client certificate verification on the satellite and/or controller?

I can write a PR if you can point me in the direction of where I can make this change in Java.

[ghernadi]

PRs are always very welcome :)

We have not tested that feature recently, so it might "just work".

The classes you are looking for are here, where many of the Ssl* classes extend Tcp* which are the parent package. I guess you will most likely want to look at SslTcpConnectorService and SslTcpConnectorPeer classes.