You can use certificate chains to validate a Netprobe connection from the Gateway
The Secure Communications documentation mentions using certificate chains for validating secure connections between Geneos components but does not offer many examples. Please see below for more.
It is possible to use SSL certificate chains to limit which Netprobes a Gateway will connect to.
For this to work, the Gateway needs to verify the Netprobe's SSL certificate against a trusted certificate authority (CA).
The CA certificate is passed to the Gateway with the -ssl-certificate-chain command line option; the Gateway then accepts only Netprobe certificates signed by that CA.
The example below assumes the Gateway is extracted to one directory and the Netprobe to another; both are run on the same box.
# Create Certificate Authority One (certs signed by this Certificate Authority will be trusted)
openssl genrsa -out trustedCA.key 2048
openssl req -x509 -new -nodes -key trustedCA.key -days 1024 -out trustedCA.pem -subj "/CN=certificateAuthority"

# Create Netprobe Key using CA-1
openssl genrsa -out trustedNp.key 2048
openssl req -new -key trustedNp.key -out trustedNp.csr -subj "/CN=netprobe"
openssl x509 -req -in trustedNp.csr -CA trustedCA.pem -CAkey trustedCA.key -CAcreateserial -out trustedNp.crt -days 30
cat trustedNp.crt trustedNp.key > trustedNp.pem

# Create Certificate Authority Two (keys signed by this Certificate Authority will be not be trusted and we
Having created the certificates, do the following:
Copy trustedCA.pem to the Gateway directory and start the Gateway with the following command line option:
./gateway2.linux_64 -ssl-certificate-chain ./trustedCA.pem
To start the Netprobe, on the same server as the Gateway, copy trustedNp.pem to the Netprobe directory and start the Netprobe with the following command line:
./netprobe.linux_64 -secure -ssl-certificate ./trustedNp.pem
Assuming your Gateway is configured to connect to the local Netprobe using the Secure option, you should see the connection and the word SECURE in the security column of the Probe Data gateway plugin.
To show what happens when the Netprobe certificate is not signed by the right certificate authority, stop the Netprobe and copy untrustedNp.pem to the Netprobe directory.
Restart the Netprobe using the untrusted certificate from above:
./netprobe.linux_64 -secure -ssl-certificate ./untrustedNp.pem
You should see the Gateway refusing to connect to the Netprobe. Lines like the following appear in the Gateway log, indicating that the Gateway does not trust the key/certificate the Netprobe is using:
... SSLContext SSL Connection(=>127.0.0.1:7036) Verification Issue: certificate signature failure: Issuer:/CN=certificateAuthority
It is worth noting that Geneos components do not check the certificate Subject or other metadata, so the same certificates can be shared across multiple Geneos components. For example, the same trustedNp.pem certificate can be bundled with all Netprobes; the Gateway only checks the validity of the certificate itself and does not track whether it is used multiple times or whether the hostname etc. matches any of the certificate details. This may change in the future if necessary, but would probably be an optional check.
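The following script is an added example, not ITRS code or part of the original article. It reproduces the certificate setup above for both CAs and uses openssl verify to reproduce the chain check the Gateway performs with -ssl-certificate-chain: a Netprobe certificate issued by trustedCA validates, one issued by untrustedCA is rejected, and a certificate issued by trustedCA with a different Subject (CN=other-host) still validates, which illustrates the point that only the chain, not the Subject, is checked. The helper names (make_ca, issue_cert, check_chain, demo) and the WORKDIR scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not ITRS documentation). Requires the openssl CLI.
set -eu

# Assumption: all files are written to a scratch directory.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_ca <name>: self-signed CA key and certificate (<name>.key, <name>.pem)
make_ca() {
    openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORKDIR/$1.key" -days 1024 \
        -out "$WORKDIR/$1.pem" -subj "/CN=$1" 2>/dev/null
}

# issue_cert <ca> <name> <cn>: leaf key + CSR signed by <ca>, then the
# cert+key bundle (<name>.pem) in the form the Netprobe's -ssl-certificate expects
issue_cert() {
    openssl genrsa -out "$WORKDIR/$2.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" \
        -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$2.csr" -CA "$WORKDIR/$1.pem" \
        -CAkey "$WORKDIR/$1.key" -CAcreateserial \
        -out "$WORKDIR/$2.crt" -days 30 2>/dev/null
    cat "$WORKDIR/$2.crt" "$WORKDIR/$2.key" > "$WORKDIR/$2.pem"
}

# check_chain <ca> <name>: prints "trusted" when <name>.crt chains to <ca>.pem,
# otherwise "untrusted". This is the same chain-only check the Gateway makes:
# no hostname or Subject comparison is involved.
check_chain() {
    if openssl verify -CAfile "$WORKDIR/$1.pem" "$WORKDIR/$2.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    make_ca trustedCA
    make_ca untrustedCA
    issue_cert trustedCA   trustedNp   netprobe      # signed by CA-1: accepted
    issue_cert untrustedCA untrustedNp netprobe      # signed by CA-2: rejected
    issue_cert trustedCA   otherHostNp other-host    # CA-1 but different CN: still accepted
    echo "trustedNp   (CA-1, CN=netprobe):   $(check_chain trustedCA trustedNp)"
    echo "untrustedNp (CA-2, CN=netprobe):   $(check_chain trustedCA untrustedNp)"
    echo "otherHostNp (CA-1, CN=other-host): $(check_chain trustedCA otherHostNp)"
}

demo
```

After running it, $WORKDIR/trustedCA.pem is what you would hand to the Gateway via -ssl-certificate-chain, and $WORKDIR/trustedNp.pem or $WORKDIR/untrustedNp.pem is what you would pass to the Netprobe via -ssl-certificate to reproduce the accepted and refused connections described above.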