SSL settings

SSL is available for 5 services:

• for an https connection with an nginx configuration;
• for RabbitMQ;
• for PostgreSQL with an authentication by certificate;

In the nominal case, enabling SSL for at least one of these services generates a PKI made of a root CA and, for each mechanism, an intermediate CA and some other stuff. Every CA and https certificate requires an openssl configuration file. These files are set in the appropriate directory in ./extras/pki/conf: root.config at the root, a <service>/ca.config in the https, rabbitmq and psql directories and configuration file corresponding to https clients in https directory. The configuration files are copied in the corresponding directories during their generation.

The PKI is generated in the infra directory ./infras/<infra-name>/pki where <infra-name> is the ansible variable infra_name in group_vars/all.yml (defaults to “Qb”). The PKI is described in infras/<infra-name>/<infra-name>-infra.yml. During the provisioning, ansible updates the PKI (or creates it) according to this file. To erase the PKI, delete the infra directory first.

HTTPS

Enable HTTPS

To enable SSL on the frontend server, edit group_vars/all.yml with:

frontend_openssl: True
nginx_https_enabled: True  # require frontend_openssl
nginx_https_client_enabled: True  # require nginx_https_enabled

Note

HTTPS and HTTP connections can operate at the same time.

Note

nginx_https_enabled [required] activates the server’s certificate verification. nginx_https_client_enabled [optional] activates the client’s certificate verification.

Generate certificates

The crypto objects for an https connection are generated in infras/<infra-name>/pki/https. By default, these are:

• a CA (key, certificate, chained certificate, database and CRL);
• a server (key, certificate, chained certificate);
• a client (key, certificate, chained certificate).

$ tree infras/Qb/pki/https
infras/Qb/pki/https/
├── ca
│   ├── 01.pem
│   ├── 02.pem
│   ├── ca-chain.crt
│   ├── ca.config
│   ├── ca.crt
│   ├── ca.key
│   ├── db
│   │   ├── ca.crl.srl
│   │   ├── ca.crl.srl.old
│   │   ├── ca.crt.srl
│   │   ├── ca.crt.srl.old
│   │   ├── ca.db
│   │   ├── ca.db.attr
│   │   ├── ca.db.attr.old
│   │   └── ca.db.old
│   └── https.crl
├── clients
│   ├── client-chain.crt
│   ├── client.config
│   ├── client.crt
│   ├── client.key
│   └── revoked
└── server
    ├── server-chain.crt
    ├── server.config
    ├── server.crt
    └── server.key

Add a client

To add a client:

• edit infras/<infra-name>/<infra-name>-infra.yml with:

  ---
  
  infra:
    name: Qb
    https:
      clients:
        running:
          - name: client
          - name: new_client #there we indicate a the name of the new user
        revoked: []
  

• add an openssl configuration file ./extras/pki/conf/https/<client-name>.config corresponding to the new user.

• provision with ansible: it copies the previous file in clients directory.

Revoke a client

To revoke a client:

• edit infras/<infra-name>/<infra-name>-infra.yml with:

  ---
  
  infra:
    name: Qb
  
    clients:
      running:
        - name: client
      revoked:
        - name: bad_user # the user is now in revoked list and not in running list
  

• provision with ansible: it revokes the user with the user’s CA and moves its stuff in clients/revoked/.

RabbitMQ

Enable SSL on RabbitMQ

To enable SSL in RabbitMQ, edit group_vars/brain.yml with:

rabbitmq_ssl: True

Note

If you are updating an already running no_ssl version, do the following on irma-brain RabbitMQ server:

$ sudo rabbitmqctl stop_app
$ sudo rabbitmqctl reset
$ sudo rabbitmqctl start_app
# create again the RabbitMQ vhosts, usernames and passwords:
$ sudo ./extras/scripts/rabbitmq/rmq_adduser.sh probe probe mqprobe
$ sudo ./extras/scripts/rabbitmq/rmq_adduser.sh brain brain mqbrain
$ sudo ./extras/scripts/rabbitmq/rmq_adduser.sh frontend frontend mqfrontend

Certificates generation

The crypto objects for RabbitMQ with SSL are generated in infras/<infra-name>/pki/rabbitmq. These are:

• a CA (key, certificate, chained certificate and database);
• a server brain (key, certificate);
• 3 clients for the entities frontend, brain and probe (key, certificate).

$ tree infras/Qb/pki/rabbitmq
infras/Qb/pki/rabbitmq/
├── ca
│   ├── 01.pem
│   ├── 02.pem
│   ├── 03.pem
│   ├── 04.pem
│   ├── ca-chain.crt
│   ├── ca.config
│   ├── ca.crt
│   ├── ca.key
│   └── db
│       ├── ca.crt.srl
│       ├── ca.crt.srl.old
│       ├── ca.db
│       ├── ca.db.attr
│       ├── ca.db.attr.old
│       └── ca.db.old
├── clients
│   ├── brain-client.crt
│   ├── brain-client.key
│   ├── frontend-client.crt
│   ├── frontend-client.key
│   ├── probe-client.crt
│   └── probe-client.key
└── server
    ├── brain.crt
    └── brain.key

Note

In RabbitMQ case, only the CA needs a openssl configuration file.

Postgresql

Enable SSL on Postgresql

To activate SSL in PostgreSQL service, edit group_vars/brain.yml with:

postgresql_ssl: True

Generate certificates

The crypto objects for PostgreSQL with SSL are generated in infras/<infra-name>/pki/psql. These are:

• a CA (key, certificate, chained certificate, a CRL and database);
• a server (key, certificate);
• a client frontend (key, certificate).

$ tree infras/Qb/pki/psql
infras/Qb/pki/psql/
├── ca
│   ├── 01.pem
│   ├── 02.pem
│   ├── ca-chain.crt
│   ├── ca.config
│   ├── ca.crt
│   ├── ca.key
│   ├── db
│   │   ├── ca.crl.srl
│   │   ├── ca.crl.srl.old
│   │   ├── ca.crt.srl
│   │   ├── ca.crt.srl.old
│   │   ├── ca.db
│   │   ├── ca.db.attr
│   │   ├── ca.db.attr.old
│   │   └── ca.db.old
│   └── psql.crl
├── clients
│   ├── frontend.config
│   ├── frontend.crt
│   ├── frontend.key
│   └── revoked
└── server
    ├── server.config
    ├── server.crt
    └── server.key

Revoke a client

To revoke a client:

• edit infras/<infra-name>/<infra-name>-infra.yml with:

  ---
  
  infra:
    name: Qb
  
    psql:
      clients:
        revoked:
          - name: bad_user # bad_user is now in revoked list and no longer in running list
  

• provision with ansible: it revokes the user with the user’s CA and moves its stuff in clients/revoked/.

External PKI

It is also possible to use an external PKI for one or more of these services, for the root entity or the whole Irma’s PKI. In this case, it is necessary to provide the corresponding cryptographic objects in PEM format. To specify which PKI’s part are provided by an external PKI, edit group_vars/all.yml :

root_external: False
pki_rabbitmq_external: False
pki_https_external: False
pki_psql_external: False

By default, the automatic generation of the whole PKI is activated and all variables for external PKI are set to False.

External root

To use a external root, edit group_vars/all.yml with:

root_external: True
root_external_key: root_key.key
root_external_cert: root_cert.crt

Note

root_key.key and root_external_cert must contain the paths to respectively the key and the certificate of the external root entity.

The Irma’s PKI will be generated with this external root as authority.

External HTTPS PKI

To use an external PKI for HTTPS and disable the automatic generation of a new one, edit group_vars/all.yml with:

pki_https_external: True

Provide the cryptographic objects and specify the paths editing group_vars/frontend.yml:

frontend_openssl_certificates:
  cert:
   src: https_server.crt
   dst: /etc/nginx/certs/{{ hostname }}.crt
  key:
   src: https_server.key
   dst: /etc/nginx/certs/{{ hostname }}.key
  ca:
   src: https_ca_cert.crt
   dst: /etc/nginx/certs/ca.crt
  chain:
   src: https_ca_chain.crt
   dst: /etc/nginx/certs/ca-chain.crt
  crl:
   src: https_crl.crl
   dst: /etc/nginx/certs/https.crl

Note

frontend_openssl_certificates.cert.src is the path to the server’s certificate frontend_openssl_certificates.key.src is the path to the server’s private key frontend_openssl_certificates.ca.src is the path to the CA’s certificate frontend_openssl_certificates.chain.src is the path to the CA’s certification chain frontend_openssl_certificates.crl.src is the path to the CRL

External RabbitMQ PKI

To use an external PKI for RabbitMQ and disable the automatic generation of a new one, edit group_vars/all.yml with:

pki_rabbitmq_external: True

Provide the cryptographic objects and specify the paths editing group_vars/all.yml:

rabbitmq_cacert : ca-chain.crt
rabbitmq_server_key : server.key
rabbitmq_server_cert: server.crt
rabbitmq_frontend_key: frontend-client.key
rabbitmq_frontend_cert: frontend-client.crt
rabbitmq_brain_key: brain-client.key
rabbitmq_brain_cert: brain-client.crt
rabbitmq_probe_key: probe-client.key
rabbitmq_probe_cert: probe-client.crt

Note

rabbitmq_cacert is the path to the CA’s certification chain rabbitmq_server_key is the path to the server’s private key rabbitmq_server_cert is the path to the server’s certificate rabbitmq_frontend_key is the path to the frontend’s private key rabbitmq_fontend_cert is the path to the frontend’s certificate rabbitmq_brain_key is the path to the brain’s private key rabbitmq_brain_cert is the path to the brain’s certificate rabbitmq_probe_key is the path to the probes’ private key rabbitmq_probe_cert is the path to the probes’ certificate

External PostgreSQL PKI

To use an external PKI for PostgreSQL and disable the automatic generation of a new one, edit group_vars/all.yml with:

pki_psql_external: True

Provide the cryptographic objects and specify the paths editing group_vars/sql-server.yml:

postgresql_ssl_cert_src_path: server.crt
postgresql_ssl_key_src_path: server.key
postgresql_ssl_ca_src_path: ca-chain.crt
postgresql_ssl_crl_src_path: psql.crl

Note

postgresql_ssl_cert_src_path is the path to the server’s certificate postgresql_ssl_key_src_path is the path to the server’s private key postgresql_ssl_ca_src_path is the path to the CA’s certificate chain postgresql_ssl_crl_src_path is the path to the CRL