PKI or Public Key Infrastructure is a system of processes, technologies, and policies that allows the encryption and signing of data.
This package provides commands for the opsview user to generate Root CA and self signed SSL certificates using that CA. The package name is opsview-pki in the repos.
Allows to generate root, client and server SSL certificates.
It is recommended to be installed on the master server.
This component is not dependant on opsview-watchdog.
A name for TLS Transport Layer Security. They are cryptographic protocols used to provide communications security, over computer networks. Further reading on the details of TLS can be found at [https://en.wikipedia.org/wiki/Transport_Layer_Security](🔗)
##### Root CA:
Certificate authority which will sign all created server and client certificates. Please refer to [https://en.wikipedia.org/wiki/Root_certificate](🔗) for a detailed explanation.
The package has no external dependencies; it can be installed on any system which has the package level dependency `
opsview-setup` and `
openssl` installed. It is recommended, however, for this package to be installed on the server where `
opsview-orchestrator` is installed.
Refer to [Advanced Automated Installation](🔗).
This step is automatically performed by Opsview Deploy and should not be run again. You can check this by looking for `
/opt/opsview/etc/ssl/ca.crt`. If this file exists, then no further configuration steps are required.
Configuration of this component requires running of the `
/opt/opsview/pki/bin/pki` command as shown below.
Run the following command as the **root** user.
If you have answered all questions correctly you should find the Root CA certificate in the** /opt/opsview/etc/ssl/ca.crt**
## Generating Certificates
As we have done the initial setup above the generating of the certificates is fairly easy as mentioned in the code block below.
When generating certificates, please make sure the common name given to the command params client-cert/server-cert are unique as openssl cannot generate requests on the same common name.
#### Server certificate:
This step is used to create server certificates which may be used when securing the Opsview Agent.
This will use the defaults from the** /opt/opsview/pki/etc/vars** to generate the certificate. Run the following command as the **root** user.
Run the pki command with the `
#### Client certificate:
This will use the defaults from the** /opt/opsview/pki/etc/vars** to generate a client certificate. Run the following command as the **root** user.
Run the pki command with client-cert param.
## Installing Certificates
To demonstrate the usage of the SSL certs, we have an opsview 6.0 setup where the messagequeue is installed on a remote host, and the connection between load balancers of the client (could be orchestrator or collector) and server (messagequeue server) is encrypted.
Please be advised this is not the only possible scenario which can be encrypted using the ssl certificates. Any components which use opsview-loadbalancer to connect can be used to connect using SSL certificates too. Not all scenarios are listed here, but any other setup would be based on the setup given below.
### Server certificate install:
We are going to install the server certificate on our second server and modify the Loadbalancer config for messagequeue as we want our connection between the loadbalancers encrypted via SSL.
Note: These instructions assume that you have already created your own server certificate, please don't just use the example server certificate that results from following the "Generating Certificates" instructions above.
### Client certificate install:
Next, assuming that we created our certificates on the Orchestrator, we are simply going to modify the Loadbalancer config for messagequeue as we want our connection between the loadbalancers encrypted via SSL.
Note: These instructions assume that you have already created your own client certificate, please don't just use the example client certificate that results from following the "Generating Certificates" instructions above.
### Testing the SSL connection:
To verify that we can connect using the generated certificates between client and server we can run the following commands on the client and server respectively.
### (Optional) Allowing for Non-SSL traffic within a LAN at the same time as SSL from a WAN:
For encrypting traffic between datacenters while leaving messages within the LAN unencrypted, it is possible to add another pathway to the Loadbalancer config for messagequeue for local traffic:
Server - listens on 2 ports, one SSL for WAN traffic and one non-SSL for LAN traffic
Client on same LAN - talks to the non-SSL port on the server
Client on WAN - talks to the SSL port on the server (configuration is unchanged from the instructions above)
**Client on same LAN**
To recreate the CA, users will have to delete the following directories and files as the opsview user.