This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Systemtap Compile Server Phase 2 (SSL) Now Available
- From: Dave Brolley <brolley at redhat dot com>
- To: systemtap at sources dot redhat dot com
- Date: Wed, 24 Dec 2008 14:26:22 -0500
- Subject: Systemtap Compile Server Phase 2 (SSL) Now Available
Hi Everyone,
I just pushed the changes for the next phase of the Systemtap Compile
Server, which is the use of SSL for secure connection between the client
and server and for signing of the server's response. This is a first cut
implementation and some work is still needed to make it more robust and
easily usable, but you should be able to play around with it now without
many problems.
The major change, for usability, is in the management of the
certificates and keys which are used to authenticate each server.
Currently, much of the work is done for you as follows:
1) Running 'make' will generate a server certificate and key database in
$bld/ssl/server. A copy of the server's certificate will also be
generated in $bld/ssl/server/stap-server.cert. A certificate database
containing the server's certificate will also be created for the
client's use in $bld/ssl/client.
2) The simplest way to use the client/server is to install it using
'make install'. This will install the
server's certificate and key in /etc/systemtap/ssl/server and the
client's copy of the server's certificate in /etc/systemtap/ssl/client.
You can then simply
stap-start-server
stap-client <normal stap arguments>
Note that since the server requires access to its private key, only the
user who ran the 'make install' can start the server in this way.
However, any user can use the client against a running server.
3) If you want to run the client or server out of the build tree you can
use:
stap-start-server <port> $bld/ssl/server
stap-client --ssl=$bld/ssl/client <normal stap arguments>
Since the server needs access to it's private key, only the user which
did the 'make' can run the server out of the build tree. However, any
user can use the client against a running server using the client's copy
of the certificate from the build tree.
4) Any user can create his own certificate/key in order to start a
server using
stap-gen-server-cert <dir>
This will generate a server certificate and key database in
<dir>/server. A copy of the server's certificate will also be generated
in <dir>/stap-server.cert. A certificate database containing the
server's certificate will also be created for the client's use in
<dir>/client. This user can then start a server using
stap-start-server <port> <dir>/server
stap-client --ssl=<dir>/client <normal stap arguments>
Since the server needs access to it's private key, only the user which
generate the certificate/keys can start the server with this
certificate/key. However, any user can use the client against a running
server using the client's copy of this certificate.
5) A user wishing to access different servers can either use the --ssl
option on stap-client each time or he can add the certificate of each
server he wishes to use to his local certificate database using
stap-add-server-cert <certfile> <dir>/client
where <certfile> is the stap-server.cert file from the server's
certificate/key database directory and <dir> is the directory used on
stap-gen-server-cert. This is analagous to adding your ssh public key to
the authorized_keys file on machines you wish to access using ssh.
One known bug is that full path names are currently required when
specifying the certificate database directories on stap-start-server and
stap-client.
Let me know what you all think and if you see or find any problems.
Thanks,
Dave