You can use certificate chains to validate a Netprobe connection from the Gateway
The Secure Communications documentation mentions using certificate chains to validate secure connections between Geneos components. Below is a worked example of their use:
Proposal
It is possible to use SSL certificate chains to limit which Netprobes a Gateway will connect to. For this to work, the Gateway must verify the Netprobe's SSL certificate. It does this by checking the certificate against the certificate authority (CA) certificate passed to the Gateway with the -ssl-certificate-chain command line option.
# Create Certificate Authority One (certs signed by this Certificate Authority will be trusted)
openssl genrsa -out trustedCA.key 2048
openssl req -x509 -new -nodes -key trustedCA.key -days 1024 -out trustedCA.pem -subj "/CN=certificateAuthority"
# Create Netprobe Key using CA-1
openssl genrsa -out trustedNp.key 2048
openssl req -new -key trustedNp.key -out trustedNp.csr -subj "/CN=netprobe"
openssl x509 -req -in trustedNp.csr -CA trustedCA.pem -CAkey trustedCA.key -CAcreateserial -out trustedNp.crt -days 30
cat trustedNp.crt trustedNp.key > trustedNp.pem
# Create Certificate Authority Two (keys signed by this Certificate Authority will not be trusted and we
# cannot connect to netprobes that use keys signed by this CA)
openssl genrsa -out untrustedCA.key 2048
openssl req -x509 -new -nodes -key untrustedCA.key -days 1024 -out untrustedCA.pem -subj "/CN=certificateAuthority"
# Create different Netprobe Key using CA-2
openssl genrsa -out untrustedNp.key 2048
openssl req -new -key untrustedNp.key -out untrustedNp.csr -subj "/CN=netprobe"
openssl x509 -req -in untrustedNp.csr -CA untrustedCA.pem -CAkey untrustedCA.key -CAcreateserial -out untrustedNp.crt -days 30
cat untrustedNp.crt untrustedNp.key > untrustedNp.pem
Having created the certificates, copy trustedCA.pem to the Gateway directory and start the Gateway with the following command line option:
./gateway2.linux_64 -ssl-certificate-chain ./trustedCA.pem
To start the Netprobe, on the same server as the Gateway, copy trustedNp.pem to the Netprobe directory and start the Netprobe with the following command line:
./netprobe.linux_64 -secure -ssl-certificate ./trustedNp.pem
Assuming your Gateway is configured to connect to the local Netprobe using the Secure option, you should see the connection and the word SECURE in the security column of the Probe Data gateway plugin.
To show what happens when the Netprobe certificate is not signed by the right certificate authority, stop the Netprobe and copy untrustedNp.pem to the Netprobe directory.
Restart the Netprobe using the untrusted certificate from above:
./netprobe.linux_64 -secure -ssl-certificate ./untrustedNp.pem
You should see the Gateway refusing to connect to the Netprobe. Lines such as the following appear in the Gateway log, indicating that the Gateway does not trust the key/certificate the Netprobe is using:
... SSLContext SSL Connection(=>127.0.0.1:7036) Verification Issue: certificate signature failure[7]: Issuer:/CN=certificateAuthority
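The walkthrough above only reveals a wrongly signed certificate once the Gateway is running. The same check can be run offline with openssl before any Geneos component is started. The script below is an added example, not code from the article or from Geneos: it rebuilds both CAs and both Netprobe certificates from the article in a scratch directory and runs "openssl verify" over each, with -CAfile standing in for the Gateway's -ssl-certificate-chain. The function names (make_ca, make_leaf, verdict, reason) and the scratch directory are the example's own; the file names mirror the article. Note that both CAs carry the same subject, /CN=certificateAuthority, which is why the Gateway's log names the issuer yet still rejects the certificate: the name matches, the signature does not.

```shell
#!/bin/sh
# Added example, not part of the article or of Geneos: an offline pre-flight
# check that a Netprobe certificate chains to the CA file the Gateway will be
# given with -ssl-certificate-chain. Both CAs from the article are recreated
# in a scratch directory, then "openssl verify" is run over each Netprobe cert.
set -u
WORK="$(mktemp -d)"              # scratch directory (constructed for the demo)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : self-signed CA, same openssl invocation as the article
make_ca() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/$1.key" -days 1024 \
    -out "$WORK/$1.pem" -subj "/CN=certificateAuthority" 2>/dev/null
}

# make_leaf NAME CA : Netprobe key and certificate signed by CA, plus the
# combined PEM the Netprobe would be started with (-ssl-certificate)
make_leaf() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=netprobe" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 30 2>/dev/null
  cat "$WORK/$1.crt" "$WORK/$1.key" > "$WORK/$1.pem"
}

# verdict CAFILE CERT : prints "trusted" when CERT chains to a CA in CAFILE,
# "rejected" otherwise. -CAfile plays the role of -ssl-certificate-chain.
verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# reason CAFILE CERT : the "error N at D depth lookup: ..." line from openssl
# verify, if any. N is the X.509 verify error code; 7 (certificate signature
# failure) is what you get when a CA with the right name is found but its key
# did not sign the certificate, matching the "[7]" in the Gateway log line.
reason() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep '^error [0-9]' || true
}

make_ca trustedCA;   make_leaf trustedNp trustedCA
make_ca untrustedCA; make_leaf untrustedNp untrustedCA

# Stand-alone run: check each Netprobe certificate against the trusted CA,
# exactly the decision the Gateway makes when the Netprobe connects.
for np in trustedNp untrustedNp; do
  echo "$np: $(verdict "$WORK/trustedCA.pem" "$WORK/$np.crt")"
  reason "$WORK/trustedCA.pem" "$WORK/$np.crt"
done
```

Run the script on a host with openssl installed; trustedNp reports "trusted" and untrustedNp reports "rejected" with the error-7 line. The check is against the .crt file rather than the combined .pem, because openssl verify reads certificates, not private keys. Running verdict with the real trustedCA.pem and a candidate Netprobe certificate before rolling it out catches the wrong-CA case without touching the Gateway.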