Menu Close

Konfigurácia podpory TLS v OpenIMSCore

Úvod

OpenIMSCore poskytuje možnosť šifrovanej komunikácie prostredníctvom TLS. TLS sa aktivuje konfiguráciou P-CSCF. P-CSCF umožňuje šifrované spojenie (TLS) cez rozhranie Gm. P-CSCF musí poskytovať platný certifikát. TLS User Endpoint nemusí mať platný certifikát.  

Protokol Transport Layer Security (TLS) poskytuje možnosti na zabezpečenie komunikácie na Internete. TLS poskytuje koncový bod overovania a komunikácia utajenie cez internet pomocou šifrovania.

Inštalácia OpenSSL

apt-get install openssl
apt-get install liblwt-ssl-ocaml-dev

 

Remake ser_ims

cd /usr/src/openimscore            //zdrojový adresár         
make all include_modules=tls    

V /usr/src/openimscore/modules/tls by sa mal nachádzať súbor tls.so. Cestu k tomuto súboru je treba nastaviť v /etc/openimscore/pcscf.cfg. Napríklad vytvorením symbolického odkazu na súbor /usr/lib/ser/modules/tls.so.

 ln –s /usr/lib/ser/modules/tls.so /usr/lib/ser/modules/tls.so

Odkomentovať v /etc/openimscore/pcscf.cfg nasledovne riadky, kde je v poznamke #Uncomment here to enable TLS respektíve zakomentovať tie kde je #Comment here to enable TLS. 

# Uncomment here to enable TLS
listen=tls:127.0.0.1
tls_port_no=4061
enable_tls=yes
 ...
 # Comment here to enable TLS!
#modparam("pcscf","use_tls",0)
 ...
 # Uncomment here to enable TLS!
modparam("pcscf","use_tls",1)
modparam("pcscf","tls_port",4061) 
 ...
 # Uncomment here to enable TLS 
loadmodule "/usr/lib/ser/modules/tls.so"  # cesta k modulu (1)

modparam("tls", "tls_method", "TLSv1")
modparam("tls", "private_key", "/opt/OpenIMSCore/PCSCF_CA2/pcscf_private_key.pem")
modparam("tls", "certificate", "/opt/OpenIMSCore/PCSCF_CA2/pcscf_cert.pem")
modparam("tls", "ca_list", "/opt/OpenIMSCore/PCSCF_CA2/pcscf_ca_list.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 0)
modparam("tls","tls_disable_compression", 1)

Vytvorenie certifikatov

Vslastné certifikáty sa dajú generovať skriptom, ktorý sa nachádza v zdrojovom adresári u mňa /usr/src/openimscore/cfg/tls_prepare.sh. Editovaním premennej DIR skriptu, zmeníme adresár kam sa budú certifikáty generovať.

DIR="/opt/OpenIMSCore"
DIR_NAME="PCSCF_CA2"

cd $DIR

echo Creating CA certificate
echo -----------------------
echo 1. create CA dir
        mkdir $DIR_NAME
        cd $DIR_NAME

...

Po spustení skriptu vyplníme zopár údajov:

dôležité je: Common Name (eg, YOUR name) []: pcscf.operator-d.local 

Creating CA certificate
-----------------------
1. create CA dir
2. create ca dir structure and files  (see ca(1))
2. create CA private key
Generating RSA private key, 2048 bit long modulus
.................................+++
.......................+++
e is 65537 (0x10001)
3. create CA self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Zilina
Locality Name (eg, city) []:Zilina
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Zilina
Organizational Unit Name (eg, section) []:Katedra
Common Name (eg, YOUR name) []:pcscf.operator-d.local
Email Address []:medvedik@gmail.com
Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
WARNING: the organization name should be the same as in the ca certificate.
Generating a 1024 bit RSA private key
.....++++++
..............++++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Zilina
Locality Name (eg, city) []:Zilina
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Zilina
Organizational Unit Name (eg, section) []:Katedra
Common Name (eg, YOUR name) []:pcscf.operator-d.local
Email Address []:medvedik@gmail.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:medvedik
An optional company name []:pcscf.operator-d.local
2. sign it with the ca certificate
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 13 09:58:15 2011 GMT
            Not After : May 12 09:58:15 2012 GMT
        Subject:
            countryName               = SK
            stateOrProvinceName       = Zilina
            organizationName          = University of Zilina
            organizationalUnitName    = Katedra
            commonName                = pcscf.operator-d.local
            emailAddress              = medvedik@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                46:57:52:AE:0B:1C:85:8D:05:D2:E2:5D:DB:C9:BD:42:FD:46:D1:AB
            X509v3 Authority Key Identifier: 
                keyid:A1:FE:E4:B6:43:48:FF:6C:4B:EB:D3:2B:CF:0E:E7:9E:73:09:09:3C
 
Certificate is to be certified until May 12 09:58:15 2012 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Setting ser to use the certificate
----------------------------------
1. create the ca list file:
for each of your ca certificates that you intend to use do:

 Nastavenie cesty k certifikátom

Upravenie  /etc/openimscore/pcscf.cfg nastavenie cesty k súborom ktoré sme vygenerovali skriptom v tls_prepare.sh

modparam("tls", "tls_method", "TLSv1")
modparam("tls","private_key", "/opt/OpenIMSCore/PCSCF_CA/pcscf_private_key.pem)
modparam("tls","certificate", "/opt/OpenIMSCore/PCSCF_CA/pcscf_cert.pem")
modparam("tls", "ca_list","/opt/OpenIMSCore/PCSCF_CA/pcscf_ca_list.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 0)
modparam("tls","tls_disable_compression", 1)

Reštartovanie pcscf servera

Výpis z logu, keď sa spustil pcscf s TLS.
#
# Launch pcscf - Thu May 12 16:36:08 CEST 2011
#
Listening on
             udp: 158.193.139.95 [158.193.139.95]:4060
             tcp: 158.193.139.95 [158.193.139.95]:4060
             tls: 158.193.139.95 [158.193.139.95]:4061
Aliases:
             *: pcscf.operator-d.local:4060

Záver

Po splnení všetkých konfiguračných krokov, sa nám nepodarilo TLS v OpenIMSCore otestovať, pretože IMS klient (Boghe_1.0.58.550 ) vo verzií s ktorou sme pracovali  nemal implementovanú podporu TLS. Podpora TLS pre tohto klienta je plánovaná v ďalšej release verzií.

Attachments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.