Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Difficult agent mTLS configuration
See original GitHub issueIs your an issue a feature request? If so, please raise it as an enhancement
Environment
- OS / version:
- Processor architecture:
- TPM Manufacturer:
- Keylime version: current latest 37d338f
Description
keylime agent uses the following options for mTLS
# The name of the RSA key that Keylime should use for protecting shares of U/V.
rsa_keyname = tci_rsa_key
# The name of the X509 certificate that is used for mTLS. Uses the rsa_keyname as a key.
mtls_cert = tci_mtls_cert
# The CA that signs the client certificates of the tenant and verifier.
# If set to default it tries to use /var/lib/keylime/cv_ca/cacert.crt
keylime_ca = default
keylime verifier uses
# mTLS configuration for connecting to the agent.
# Set 'agent_mtls_cert' to 'CV' for using the CV CA for the connections.
agent_mtls_cert = CV
agent_mtls_private_key =
agent_mtls_private_key_pw =
and tenant also uses
# mTLS configuration for connecting to the agent.
# Set 'agent_mtls_cert' to 'CV' for using the CV CA for the connections.
agent_mtls_cert = CV
agent_mtls_private_key =
agent_mtls_private_key_pw =
There are the following issues with this configuration:
-
rsa_keynameandmtls_certassumes file names or paths relative to/var/lib/keylime/secure. This is not mentioned and in contradiction tokeylime_caor mTLS related options of tenant or verifier which assume absolute paths. -
absolute paths for cloud agent should be also supported
-
when a file cannot be accessed due to incorrect path the message should be printed visibly (Warning or Error, currently only Debug).
-
agent mtls certificate needs to be self-signed, this fact is not documented
-
naming convention for agent options - should have similar names as tenant and verifier.
keylime_cashould be rather namedca_certormtls_ca_cert. -
verifier and tenant do not mention which CA cert is being used if ‘CV’ is not set.
Issue Analytics
- State:
- Created 2 years ago
- Comments:11 (11 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@THS-on From my point of view, yes, #1068 addresses the issues pointed here
I think most of the options related with keys/certificates configurations are confusing or not clear:
In
cloud_verifiersection:tls_dir: could be more explicit, likeca_dir,cv_ca_dir, orverifier_ca_dirregistrar_tls_dir: similar to above, could beregistrar_ca_dirorregistrar_access_ca_dir. I understand it is difficult to select a name as it is not usual to have the option to select different keys/certs to use for each individual connection. The description comments could also be more explicit (e.g.The following options set the keys and certificates the verifier will use as a client to connect to the registrar.)registrar_my_cert: could beregistrar_access_certor something similar. The confusing part is to understand why we have registrar options incloud_verifiersection.registrar_private_key: the most confusing option, made me ask “why would any entity know other entity’s private key?”. This again could be something likeregistrar_access_private_key. A comment specifying explicitly the purpose of this option, like mentioned above, could clarify it.agent_mtls_cert,agent_mtls_private_key,agent_mtls_private_key_pw: these are not as confusing as the registrar related options, but consistency on naming would be nice. A clear and explicit comment about the purpose would be a plus.In
tentantsection:my_certandprivate_keyare used in this case, but again some consistency is missing.