Configure mTLS Authentication

Mutual TLS (mTLS) authentication or two-way authentication refers to the two parties (GigaVUE-FM & GCB, and Pcapper & GCB) authenticating each other at the same time in an authentication protocol. mTLS can protect against adversarial attacks and ensure information integrity.

GigaVUE-FM supports mTLS (basic authentication) using the username and password. Proper certificates need to be installed on both GigaVUE-FM and your environment, as the default self-generated certificates will not work with mTLS.

Note:  During a GigaVUE-FM upgrade, only the files with the .crt or .key extension under /etc/pki/tls will be retained.

Configure mTLS Authentication in GigaVUE-FM

Follow the below steps to configure mTLS authentication in GigaVUE-FM:

  1. Log in to the GigaVUE-FM CLI.
  2. Ensure that you have the following certificates and keys in the /home/User/certsAndKeys directory:

    Note:  The names of the certificates and keys are configurable and can be changed. You must make sure that you use the same names in the configurations that follow.

    • fmServerCertificate.pem: public certificate file in PEM format to be used by GigaVUE-FM when acting as a server.
    • fmServerCertificateKey.pem: private key file in PEM format to be used by GigaVUE-FM when acting as a server.
    • fmServerCACertificate.pem: public certificate file in PEM format of the CA which issued the fmServerCertificate.pem to be used by GigaVUE-FM when acting as a server.

      Note:  The fmServerCACertificate.pem certificate needs to be imported into the client's trust store, including the browser's, if it was not issued by one of the trusted CAs.

    • fmClientCertificate.pem: public certificate file in PEM format to be used by GigaVUE-FM when acting as a client.
    • fmClientCertificateKey.pem: private key file in PEM format to be used by GigaVUE-FM when acting as a client.
    • fmClientCACertificate.pem: public certificate file in PEM format of the CA which issued the fmClientCertificate.pem to be used by GigaVUE-FM when acting as a client.

    Note:  If the same certificate is used when GigaVUE-FM acts as a client and as a server, the three fmServer*.pem files will be the same as the three fmClient*.pem files.

  3. Change to the directory where the above files are stored.

    cd /home/User/certsAndKeys

  4. Add fmClientCACertificate.pem to the GigaVUE-FM trust store:
    sudo cp fmClientCACertificate.pem /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust extract
  5. Install the certificates and private key to make GigaVUE-FM act as a server.
    1. Back up the existing certificate and copy the new GigaVUE-FM certificate, fmServerCertificate.pem.
      sudo cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/BACKUP_localhost.crt
      sudo cp fmServerCertificate.pem /etc/pki/tls/certs/localhost.crt
    2. Back up the existing private key and copy the new GigaVUE-FM key, fmServerCertificateKey.pem.
      sudo cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/BACKUP_localhost.key
      sudo cp fmServerCertificateKey.pem /etc/pki/tls/private/localhost.key
    3. GigaVUE-FM uses a public key (the cms.p12 file) to encrypt Security Assertion Markup Language (SAML) messages. Because mTLS requires valid certificates to be installed on GigaVUE-FM, generate a new public key from the certificate and key installed above using the following command:
      sudo openssl pkcs12 -export -name CMS -out /etc/gigamon/cms.p12 \
      -inkey /etc/pki/tls/private/localhost.key -in /etc/pki/tls/certs/localhost.crt -passout pass:cms123
  6. Install the certificates and private key to make GigaVUE-FM act as a client.
    1. Copy the new client certificate, fmClientCertificate.pem.
      sudo cp fmClientCertificate.pem /etc/pki/tls/certs/fmClientCertificate.crt
    2. Copy the new client key, fmClientCertificateKey.pem.
      sudo cp fmClientCertificateKey.pem /etc/pki/tls/private/fmClientCertificateKey.key
    3. Copy the new client CA public certificate, fmClientCACertificate.pem.

      Note:  This certificate needs to be imported into the GigaVUE-FM trust store.

      sudo cp fmClientCACertificate.pem /etc/pki/tls/certs/fmClientCACertificate.crt
  7. Generate the KeyStore for GigaVUE-FM to act as a client.
    1. Create a client certificate chain file.
      sudo cat /etc/pki/tls/certs/fmClientCACertificate.crt \
      	/etc/pki/tls/certs/fmClientCertificate.crt \
      	/etc/pki/tls/private/fmClientCertificateKey.key | sudo tee /etc/pki/tls/certs/fmClient.chain.crt > /dev/null
    2. Create a client certificate chain file in PKCS12 format.
      sudo openssl pkcs12 -export -in /etc/pki/tls/certs/fmClient.chain.crt \
      -out /etc/pki/tls/certs/fmClient.chain.p12 \
      -passout pass:changeit
    3. Create the Java keystore.
      sudo keytool -importkeystore -srckeystore /etc/pki/tls/certs/fmClient.chain.p12 \
      -srcstoretype pkcs12 \
      -destkeystore /etc/pki/tls/certs/fmClientJKS.crt \
      -storepass changeit
    4. Make the keystore readable.
      sudo chmod 644 /etc/pki/tls/certs/fmClientJKS.crt
    5. Configure GigaVUE-FM load balancer functionality.
      sudo cat /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key | sudo tee /etc/pki/tls/certs/localhost.pem > /dev/null
      curl -XPOST "localhost:4466/fmcs/configureLoadBalancer?pretty" -H "Content-Type: application/json" -d '{"custom_certificate" : true}'
    6. Restart Apache Web Server.
      sudo systemctl restart httpd
    7. Restart the GigaVUE-FM.
      sudo systemctl restart tomcat@cms.service

GigaVUE-FM is not responsible for any PKI or certificate management activities.

Configure mTLS Authentication in GCB

Follow the below steps to configure mTLS authentication in GCB:

Note:  Before you begin, you must generate the ca_cert.pem, gcb_cert.pem and gcb_key.pem certificates for the FM-GCB mTLS configuration.

  1. Copy the generated ca_cert.pem, gcb_cert.pem and gcb_key.pem certificates to a folder.

  2. Create a secret for GCB mTLS in Kubernetes by using the below command, giving the respective path to each file:

    kubectl create secret generic <secret-name> --from-file=gcb-ca-root-cert=<path to file> --from-file=gcb_cert=<path to file> --from-file=gcb-pvt-key=<path to file>
  3. Reference the secret created above in the following snippet of the gcb-cntlr YAML file.

    - mountPath: /etc/gcbcerts
      mountPropagation: None
      name: gcb-tls

    volumes:
    - name: gcb-tls
      secret:
        secretName: gcb-tls