This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Systemtap Compile Server Phase 2 (SSL) Now Available


Hi Everyone,

I just pushed the changes for the next phase of the Systemtap Compile Server, which is the use of SSL for secure connection between the client and server and for signing of the server's response. This is a first cut implementation and some work is still needed to make it more robust and easily usable, but you should be able to play around with it now without many problems.

The major change, for usability, is in the management of the certificates and keys which are used to authenticate each server. Currently, much of the work is done for you as follows:

1) Running 'make' will generate a server certificate and key database in $bld/ssl/server. A copy of the server's certificate will also be generated in $bld/ssl/server/stap-server.cert. A certificate database containing the server's certificate will also be created for the client's use in $bld/ssl/client.

2) The simplest way to use the client/server is to install it using 'make install'. This will install the server's certificate and key in /etc/systemtap/ssl/server and the client's copy of the server's certificate in /etc/systemtap/ssl/client. You can then simply


   stap-start-server
   stap-client <normal stap arguments>

Note that since the server requires access to its private key, only the user who ran the 'make install' can start the server in this way. However, any user can use the client against a running server.

3) If you want to run the client or server out of the build tree you can use:

     stap-start-server <port> $bld/ssl/server
     stap-client --ssl=$bld/ssl/client <normal stap arguments>

Since the server needs access to its private key, only the user who did the 'make' can run the server out of the build tree. However, any user can use the client against a running server using the client's copy of the certificate from the build tree.

4) Any user can create his own certificate/key in order to start a server using

     stap-gen-server-cert <dir>

This will generate a server certificate and key database in <dir>/server. A copy of the server's certificate will also be generated in <dir>/stap-server.cert. A certificate database containing the server's certificate will also be created for the client's use in <dir>/client. This user can then start a server using

     stap-start-server <port> <dir>/server
     stap-client --ssl=<dir>/client <normal stap arguments>

Since the server needs access to its private key, only the user who generated the certificate/keys can start the server with this certificate/key. However, any user can use the client against a running server using the client's copy of this certificate.

5) A user wishing to access different servers can either use the --ssl option on stap-client each time or he can add the certificate of each server he wishes to use to his local certificate database using

     stap-add-server-cert <certfile> <dir>/client

where <certfile> is the stap-server.cert file from the server's certificate/key database directory and <dir> is the directory used on stap-gen-server-cert. This is analogous to adding your ssh public key to the authorized_keys file on machines you wish to access using ssh.

One known bug is that full path names are currently required when specifying the certificate database directories on stap-start-server and stap-client.

Let me know what you all think and if you see or find any problems.

Thanks,
Dave
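
Added example (not part of the original message or of the systemtap scripts): a pre-flight check for the two certificate database directories described above. It resolves each directory to the full path name the tools currently require and refuses a server database that anyone other than its owner can access. The function names are hypothetical, and the owner-only requirement on the server database is an assumption drawn from the note about the private key.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate database directories.
# Function names are hypothetical; only stap-start-server, stap-client and
# --ssl come from the message above.

# Print the canonical absolute path of directory $1 (the tools currently
# require full path names), or fail if it is not a directory.
abs_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    (cd "$1" && pwd -P)
}

# List entries under $1 that grant any permission to group or others.
exposed_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Succeed and print the absolute path only if the server database $1 is
# private to its owner (assumption: the key database should be owner-only).
server_db() {
    dir=$(abs_dir "$1") || return 1
    bad=$(exposed_entries "$dir")
    if [ -n "$bad" ]; then
        echo "server database accessible to group or others:" >&2
        echo "$bad" >&2
        return 1
    fi
    echo "$dir"
}

# Succeed and print the absolute path if the client database $1 exists and
# the current user can read it; it holds the server certificates to trust.
client_db() {
    dir=$(abs_dir "$1") || return 1
    [ -r "$dir" ] && [ -x "$dir" ] || { echo "cannot read: $dir" >&2; return 1; }
    echo "$dir"
}

# Usage (port 12345 is a constructed value):
#   d=$(server_db ssl/server) && stap-start-server 12345 "$d"
#   d=$(client_db ssl/client) && stap-client --ssl="$d" <normal stap arguments>
```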

