Polycube Security¶
Polycube uses a security model based on X509 certificates to secure polycube daemon to polycube cli communication.
polycubed¶
Server authentication¶
In order to authenticate the server the cert
and key
parameters are needed.
Example:
# polycubed configuration file
cert: path to server certificate
key: path to server key
Client authentication¶
Polycubed supports 3 different modes to perform client authentication.
Mode 1: Certification authority based¶
This method requires you to create own signed certificates for the clients. Please see Create own certification authority with openssl to generate the client certificates.
In this mode the following parameters are needed:
cert
: server certificatekey
: server keycacert
: certification authority certificate used to authenticate clients
Any client with a certificate signed by that certification authority is able to use polycubed.
Configuration example:
# polycubed configuration file
# server certificate
cert: /home/user/server.crt
# server private key
key: /home/user/server.key
# CA certificate used to authenticate clients
cacert: /home/user/ca.crt
Mode 2: Certification Authority based with blacklist¶
This mode is an extension to Mode 1 that allows to deny the access to given certificates by passing the cert-black-list
, it is a folder containing hashed names for the banned certificates.
See How to generate hash links to certificates.
Configuration example:
# polycubed configuration file
cert: /home/user/server.crt
# server private key
key: /home/user/server.key
# CA certificate used to authenticate clients
cacert: /home/user/ca.crt
# folder with blacklisted certificates
cert-black-list: /home/user/my_black_list/
Mode 3: Whitelist based¶
This mode allows to use already existing client certificates by providing the cert-white-list
parameter that is a folder containing hash named client certificates allowed to access polycubed.
See How to generate hash links to certificates.
Configuration example:
# polycubed configuration file
cert: /home/user/server.crt
# server private key
key: /home/user/server.key
# folder with allowed certificates
cert-white-list: /home/user/my_white_list/
polycubectl¶
To enable a secure connection to polycubed the user has configure the following parameters for polycubectl. See polycubectl configuration to get more details.
url
: must start withhttps
cert
: client certificatekey
: client private keycacert
: certification authority certificate that signed the server certificate
Create own certification authority with openssl¶
You can create your own certification authority to issue certificates for polycubed and the clients.
Create certification authority
a. Create root key
openssl genrsa -des3 -out ca.key 4096
Remove the
-des3
if you don’t have to protect the key wiht a passphraseb. Create root certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt
Create polycubed certificate
This step can be skipped if you already have a valid certificate to be used.
a. Create polycubed private key
openssl genrsa -out server.key 2048
b. Create certificate request for polycubed
openssl req -new -key server.key -out server.csr
- Generate server certificate
The server certificate must have the alternative name set to the IP or domain where polycubed will run
Create a server.conf file with the following content. Add the DNS entries you need.
[req_ext] subjectAltName = @alt_names [alt_names] DNS.1 = localhost DNS.2 = 127.0.0.1
Create certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -out server.crt -days 1024 -sha256 -extfile server.conf -extensions req_ext
Create client certificate
a. Create client key
openssl genrsa -out client.key 2048
b. Create client certificate request
openssl req -new -key client.key -out client.csr
c. Generate client certificate
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -out client.crt -days 1024 -sha256
Please keep a copy of the client certificates you generate, they could be uselful in the future in case you want to use the
cert-black-list
option.
How to generate hash links to certificates¶
The cert-black-list
and cert-white-list
parameters refer to a folder that contains certificates named by their hash value.
Follow these instructions to generate hash links to certificates:
# copy the certificates to your black or whitelist folder
$ cp client.crt myfolder/
$ cd myfolder
$ ls
client.crt
# create symbolic links
$ c_rehash .
Doing .
$ ls -l
9d75b5b3.0 -> client.crt
client1.crt
eb7bf4cd.0 -> client.crt
Please see the c_rehash tool to get more information.