{"id":452,"date":"2011-05-24T16:33:00","date_gmt":"2011-05-24T14:33:00","guid":{"rendered":""},"modified":"2018-11-01T01:06:18","modified_gmt":"2018-11-01T00:06:18","slug":"konfiguracia-podpory-tls-v-openimscore","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/konfiguracia-podpory-tls-v-openimscore\/","title":{"rendered":"Konfigur\u00e1cia podpory TLS v OpenIMSCore"},"content":{"rendered":"

Úvod<\/strong><\/h1>\n

OpenIMSCore poskytuje mo\u017enos\u0165 šifrovanej komunikácie prostredníctvom TLS. TLS sa aktivuje konfiguráciou P-CSCF. P-CSCF umo\u017e\u0148uje šifrované spojenie (TLS) cez rozhranie Gm. P-CSCF musí poskytova\u0165 platný certifikát. TLS User Endpoint nemusí ma\u0165 platný certifikát. <\/span> <\/p>\n

Protokol Transport Layer Security<\/b> (TLS<\/b>) poskytuje mo\u017enosti na zabezpe\u010denie komunikácie na Internete. TLS poskytuje koncový bod overovania a komunikácia utajenie cez internet pomocou šifrovania.<\/span><\/p>\n

Inštalácia OpenSSL<\/span><\/b><\/h1>\n
apt-get install openssl<\/span>\r\napt-get install liblwt-ssl-ocaml-dev<\/span><\/pre>\n
 <\/span><\/p>\n
Remake ser_ims<\/span><\/b><\/p>\n
cd \/usr\/src\/openimscore            <\/span>\/\/zdrojový adresár         <\/span><\/span>\r\nmake all include_modules=tls    <\/span><\/span><\/pre>\n
V \/usr\/src\/openimscore\/modules\/tls<\/i> by sa mal nachádza\u0165 súbor tls.so.<\/b> Cestu k tomuto súboru je treba nastavi\u0165 v \/etc\/openimscore\/pcscf.cfg. Napríklad vytvorením symbolického odkazu na súbor <\/span>\/usr\/lib\/ser\/modules\/tls.so<\/span><\/i>.<\/span> <\/span><\/p>\n
\r\n ln –s \/usr\/lib\/ser\/modules\/tls.so <\/i>\/usr\/lib\/ser\/modules\/tls.so<\/b><\/span>
<\/span><\/pre>\n
Odkomentova\u0165 v \/etc\/openimscore\/pcscf.cfg nasledovne riadky, kde je v poznamke <\/span>#<\/span>Uncomment here to enable TLS <\/span><\/i>respektíve zakomentova\u0165 tie kde je #Comment here to enable TLS.<\/i><\/span> <\/p>\n
# Uncomment here to enable TLS<\/span>\r\nlisten=tls:127.0.0.1<\/span>\r\ntls_port_no=4061<\/span>\r\nenable_tls=yes<\/span>\r\n ...<\/span>\r\n # Comment here to enable TLS!<\/span>\r\n#modparam("pcscf","use_tls",0)<\/span>\r\n ...<\/span>\r\n # Uncomment here to enable TLS!<\/span>\r\nmodparam("pcscf","use_tls",1)<\/span>\r\nmodparam("pcscf","tls_port",4061) <\/span>\r\n ...<\/span>\r\n # Uncomment here to enable TLS <\/span>\r\nloadmodule "\/usr\/lib\/ser\/modules\/tls.so"  <\/span># cesta k modulu (1)<\/span><\/b>\r\n\r\nmodparam("tls", "tls_method", "TLSv1")<\/span>\r\nmodparam("tls", "private_key", "\/opt\/OpenIMSCore\/PCSCF_CA2\/pcscf_private_key.pem")<\/span>\r\nmodparam("tls", "certificate", "\/opt\/OpenIMSCore\/PCSCF_CA2\/pcscf_cert.pem")<\/span>\r\nmodparam("tls", "ca_list", "\/opt\/OpenIMSCore\/PCSCF_CA2\/pcscf_ca_list.pem")<\/span>\r\nmodparam("tls", "verify_certificate", 1)<\/span>\r\nmodparam("tls", "require_certificate", 0)<\/span>\r\nmodparam("tls","tls_disable_compression", 1)<\/span>\r\n<\/pre>\n
Vytvorenie certifikatov<\/span><\/b><\/h1>\n
Vslastné certifikáty sa dajú generova\u0165 skriptom, ktorý sa nachádza v zdrojovom adresári u m\u0148a \/usr\/src\/openimscore\/cfg\/tls_prepare.sh<\/i>. Editovaním premennej DIR skriptu, zmeníme adresár kam sa budú certifikáty generova\u0165.<\/span><\/p>\n
DIR="\/opt\/OpenIMSCore"<\/span>\r\nDIR_NAME="PCSCF_CA2"<\/span>\r\n\r\ncd $DIR<\/span>\r\n\r\necho Creating CA certificate<\/span>\r\necho -----------------------<\/span>\r\necho 1. create CA dir<\/span>\r\n        <\/span>mkdir $DIR_NAME<\/span>\r\n        <\/span>cd $DIR_NAME<\/span>\r\n\r\n...<\/span><\/pre>\n
Po spustení skriptu vyplníme zopár údajov:<\/span><\/p>\n
dôle\u017eité je: Common Name (eg, YOUR name) []: pcscf.operator-d.local<\/i><\/span> <\/p>\n
Creating CA certificate<\/span>\r\n-----------------------<\/span>\r\n1. create CA dir<\/span>\r\n2. create ca dir structure and files  <\/span>(see ca(1))<\/span>\r\n2. create CA private key<\/span>\r\nGenerating RSA private key, 2048 bit long modulus<\/span>\r\n.................................+++<\/span>\r\n.......................+++<\/span>\r\ne is 65537 (0x10001)<\/span>\r\n3. create CA self-signed certificate<\/span>\r\nYou are about to be asked to enter information that will be incorporated<\/span>\r\ninto your certificate request.<\/span>\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.<\/span>\r\nThere are quite a few fields but you can leave some blank<\/span>\r\nFor some fields there will be a default value,<\/span>\r\nIf you enter '.', the field will be left blank.<\/span>\r\n-----<\/span>\r\nCountry Name (2 letter code) [AU]:SK<\/span>\r\nState or Province Name (full name) [Some-State]:Zilina<\/span>\r\nLocality Name (eg, city) []:Zilina<\/span>\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:University of Zilina<\/span>\r\nOrganizational Unit Name (eg, section) []:Katedra<\/span>\r\nCommon Name (eg, YOUR name) []:pcscf.operator-d.local<\/span>\r\nEmail Address []:medvedik@gmail.com<\/span>\r\nCreating a server\/client certificate<\/span>\r\n------------------------------------<\/span>\r\n1. create a certificate request (and its private key in privkey.pem)<\/span>\r\nWARNING: the organization name should be the same as in the ca certificate.<\/span>\r\nGenerating a 1024 bit RSA private key<\/span>\r\n.....++++++<\/span>\r\n..............++++++<\/span>\r\nwriting new private key to 'privkey.pem'<\/span>\r\n-----<\/span>\r\nYou are about to be asked to enter information that will be incorporated<\/span>\r\ninto your certificate request.<\/span>\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.<\/span>\r\nThere are quite a few fields but you can leave some blank<\/span>\r\nFor some fields there will be a default value,<\/span>\r\nIf you enter '.', the field will be left blank.<\/span>\r\n-----<\/span>\r\nCountry Name (2 letter code) [AU]:SK<\/span>\r\nState or Province Name (full name) [Some-State]:Zilina<\/span>\r\nLocality Name (eg, city) []:Zilina<\/span>\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:University of Zilina<\/span>\r\nOrganizational Unit Name (eg, section) []:Katedra<\/span>\r\nCommon Name (eg, YOUR name) []:pcscf.operator-d.local<\/span>\r\nEmail Address []:medvedik@gmail.com<\/span>\r\n <\/span>\r\nPlease enter the following 'extra' attributes<\/span>\r\nto be sent with your certificate request<\/span>\r\nA challenge password []:medvedik<\/span>\r\nAn optional company name []:pcscf.operator-d.local<\/span>\r\n2. sign it with the ca certificate<\/span>\r\nUsing configuration from \/usr\/lib\/ssl\/openssl.cnf<\/span>\r\nCheck that the request matches the signature<\/span>\r\nSignature ok<\/span>\r\nCertificate Details:<\/span>\r\n        <\/span>Serial Number: 1 (0x1)<\/span>\r\n        <\/span>Validity<\/span>\r\n            <\/span>Not Before: May 13 09:58:15 2011 GMT<\/span>\r\n            <\/span>Not After : May 12 09:58:15 2012 GMT<\/span>\r\n        <\/span>Subject:<\/span>\r\n            <\/span>countryName               <\/span>= SK<\/span>\r\n            <\/span>stateOrProvinceName       <\/span>= Zilina<\/span>\r\n            <\/span>organizationName          <\/span>= University of Zilina<\/span>\r\n            <\/span>organizationalUnitName    <\/span>= Katedra<\/span>\r\n            <\/span>commonName                <\/span>= pcscf.operator-d.local<\/span>\r\n            <\/span>emailAddress              <\/span>= medvedik@gmail.com<\/span>\r\n        <\/span>X509v3 extensions:<\/span>\r\n            <\/span>X509v3 Basic Constraints: <\/span>\r\n                <\/span>CA:FALSE<\/span>\r\n            <\/span>Netscape Comment: <\/span>\r\n                <\/span>OpenSSL Generated Certificate<\/span>\r\n            <\/span>X509v3 Subject Key Identifier: <\/span>\r\n                <\/span>46:57:52:AE:0B:1C:85:8D:05:D2:E2:5D:DB:C9:BD:42:FD:46:D1:AB<\/span>\r\n            <\/span>X509v3 Authority Key Identifier: <\/span>\r\n                <\/span>keyid:A1:FE:E4:B6:43:48:FF:6C:4B:EB:D3:2B:CF:0E:E7:9E:73:09:09:3C<\/span>\r\n <\/span>\r\nCertificate is to be certified until May 12 09:58:15 2012 GMT (365 days)<\/span>\r\nSign the certificate? [y\/n]:y<\/span>\r\n <\/span>\r\n <\/span>\r\n1 out of 1 certificate requests certified, commit? [y\/n]y<\/span>\r\nWrite out database with 1 new entries<\/span>\r\nData Base Updated<\/span>\r\nSetting ser to use the certificate<\/span>\r\n----------------------------------<\/span>\r\n1. create the ca list file:<\/span>\r\nfor each of your ca certificates that you intend to use do:<\/span><\/pre>\n
 Nastavenie cesty k certifikátom<\/span><\/b><\/h1>\n
Upravenie  <\/span>\/etc\/openimscore\/pcscf.cfg<\/i> nastavenie cesty k súborom ktoré sme vygenerovali skriptom v tls_prepare.sh<\/span><\/p>\n
modparam("tls", "tls_method", "TLSv1")<\/span>\r\nmodparam("tls","private_key", "\/opt\/OpenIMSCore\/PCSCF_CA\/pcscf_private_key.pem)<\/b><\/span>\r\nmodparam("tls","certificate", "\/opt\/OpenIMSCore\/PCSCF_CA\/pcscf_cert.pem")<\/b><\/span>\r\nmodparam("tls", "ca_list","\/opt\/OpenIMSCore\/PCSCF_CA\/pcscf_ca_list.pem")<\/b><\/span>\r\nmodparam("tls", "verify_certificate", 1)<\/span>\r\nmodparam("tls", "require_certificate", 0)<\/span>\r\nmodparam("tls","tls_disable_compression", 1)<\/span>
<\/span><\/pre>\n
Reštartovanie pcscf servera<\/span><\/b><\/h1>\n
Výpis z logu, ke\u010f sa spustil pcscf s TLS.<\/span>\r\n#<\/span>\r\n# Launch pcscf - Thu May 12 16:36:08 CEST 2011<\/span>\r\n#<\/span>\r\nListening on<\/span>\r\n             <\/span>udp: 158.193.139.95 [158.193.139.95]:4060<\/span>\r\n             <\/span>tcp: 158.193.139.95 [158.193.139.95]:4060<\/span>\r\n             <\/span>tls: 158.193.139.95 [158.193.139.95]:4061<\/span>\r\nAliases:<\/span>\r\n             <\/span>*: pcscf.operator-d.local:4060<\/span>
<\/span>\r\n<\/pre>\n
Záver<\/span><\/b><\/h1>\n
Po splnení všetkých konfigura\u010dných  krokov, sa nám nepodarilo TLS v OpenIMSCore otestova\u0165, preto\u017ee IMS  klient (Boghe_1.0.58.550 ) vo verzií s ktorou sme pracovali  <\/span>nemal implementovanú podporu TLS. Podpora TLS pre tohto klienta je plánovaná v \u010falšej release verzií. <\/span><\/p>","protected":false},"excerpt":{"rendered":"
Úvod<\/strong><\/h1>\n
OpenIMSCore poskytuje mo\u017enos\u0165 šifrovanej komunikácie  prostredníctvom TLS. TLS sa aktivuje konfiguráciou P-CSCF. P-CSCF  umo\u017e\u0148uje šifrované spojenie (TLS) cez rozhranie Gm. P-CSCF musí  poskytova\u0165 platný certifikát. TLS User Endpoint nemusí ma\u0165 platný  certifikát. <\/span> <\/p>","protected":false},"author":1059,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[729,733],"tags":[],"class_list":["post-452","post","type-post","status-publish","format-standard","hentry","category-ngn-ims","category-ngn-ims-openimscore"],"taxonomy_info":{"category":[{"value":729,"label":"NGN\/IMS"},{"value":733,"label":"OpenIMSCore"}]},"featured_image_src_large":false,"author_info":{"display_name":"","author_link":"https:\/\/nil.uniza.sk\/en\/author\/"},"comment_info":1,"category_info":[{"term_id":729,"name":"NGN\/IMS","slug":"ngn-ims","term_group":0,"term_taxonomy_id":727,"taxonomy":"category","description":"","parent":0,"count":7,"filter":"raw","cat_ID":729,"category_count":7,"category_description":"","cat_name":"NGN\/IMS","category_nicename":"ngn-ims","category_parent":0},{"term_id":733,"name":"OpenIMSCore","slug":"ngn-ims-openimscore","term_group":0,"term_taxonomy_id":731,"taxonomy":"category","description":"","parent":729,"count":5,"filter":"raw","cat_ID":733,"category_count":5,"category_description":"","cat_name":"OpenIMSCore","category_nicename":"ngn-ims-openimscore","category_parent":729}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/1059"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=452"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/452\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}