GCB Reference

This section provides additional references useful for GCB.

Configure mTLS Authentication

Mutual TLS (mTLS) authentication, also called two-way authentication, means that both parties of a connection (GigaVUE-FM and GCB, and Pcapper and GCB) authenticate each other at the same time during the TLS handshake. mTLS protects against an adversary impersonating either endpoint and preserves the integrity of the information exchanged.

GigaVUE-FM supports mTLS (basic authentication) using a username and password. Proper certificates must be installed on both GigaVUE-FM and in your environment, because the default generated certificates will not work with mTLS.

Note:  During a GigaVUE-FM upgrade, only the files with the .crt or .key extension under /etc/pki/tls are retained.

Configure mTLS Authentication in GigaVUE-FM

Follow these steps to configure mTLS authentication in GigaVUE-FM:

  1. Log in to the GigaVUE-FM CLI.
  2. Ensure that you have the following certificates and keys in the /home/User/certsAndKeys directory:

    Note:  The names of the certificates and keys are configurable and can be changed. You must make sure that you use the same names in the configurations that follow.

    • fmServerCertificate.pem: public certificate file in PEM format to be used by GigaVUE-FM when acting as a server.
    • fmServerCertificateKey.pem: private key file in PEM format to be used by GigaVUE-FM when acting as a server.
    • fmServerCACertificate.pem: public certificate file in PEM format of the CA which issued the fmServerCertificate.pem to be used by GigaVUE-FM when acting as a server.

      Note:  If fmServerCACertificate.pem is not issued by one of the trusted CAs, it needs to be imported into the client's TrustStore, including the browser's.

    • fmClientCertificate.pem: public certificate file in PEM format to be used by GigaVUE-FM when acting as a client.
    • fmClientCertificateKey.pem: private key file in PEM format to be used by GigaVUE-FM when acting as a client.
    • fmClientCACertificate.pem: public certificate file in PEM format of the CA which issued the fmClientCertificate.pem to be used by GigaVUE-FM when acting as a client.

    Note:  If the same certificate is used when GigaVUE-FM acts as a client and as a server, the three fmServer*.pem files will be identical to the three fmClient*.pem files.

  3. Change to the directory where the above files are stored.

    cd /home/User/certsAndKeys

  4. Add fmClientCACertificate.pem to the GigaVUE-FM trust store:
    sudo cp fmClientCACertificate.pem /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust extract
  5. Install the certificates and private key to make GigaVUE-FM act as a server.
    1. Back up the existing certificate and copy in the new GigaVUE-FM certificate fmServerCertificate.pem:
      sudo cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/BACKUP_localhost.crt
      sudo cp fmServerCertificate.pem /etc/pki/tls/certs/localhost.crt
    2. Back up the existing private key and copy in the new GigaVUE-FM key fmServerCertificateKey.pem:
      sudo cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/BACKUP_localhost.key
      sudo cp fmServerCertificateKey.pem /etc/pki/tls/private/localhost.key
    3. GigaVUE-FM uses a public key (the cms.p12 file) to encrypt Security Assertion Markup Language (SAML) messages. Because mTLS requires valid certificates to be installed on GigaVUE-FM, generate a new cms.p12 from the certificate and key you just installed with the following command:
      sudo openssl pkcs12 -export -name CMS -out /etc/gigamon/cms.p12 \
      -inkey /etc/pki/tls/private/localhost.key -in /etc/pki/tls/certs/localhost.crt -passout pass:cms123
  6. Install the certificates and private key to make GigaVUE-FM act as a client.
    1. Copy the new client certificate fmClientCertificate.pem:
      sudo cp fmClientCertificate.pem /etc/pki/tls/certs/fmClientCertificate.crt
    2. Copy the new client key fmClientCertificateKey.pem:
      sudo cp fmClientCertificateKey.pem /etc/pki/tls/private/fmClientCertificateKey.key
    3. Copy the new client CA public certificate fmClientCACertificate.pem.

      Note:  This certificate needs to be imported into GigaVUE-FM Trust Store.

      sudo cp fmClientCACertificate.pem /etc/pki/tls/certs/fmClientCACertificate.crt
  7. Generate the KeyStore for GigaVUE-FM to act as a client.
    1. Create a client certificate chain file:
      sudo cat /etc/pki/tls/certs/fmClientCACertificate.crt \
        /etc/pki/tls/certs/fmClientCertificate.crt \
        /etc/pki/tls/private/fmClientCertificateKey.key | sudo tee /etc/pki/tls/certs/fmClient.chain.crt > /dev/null
    2. Create a client certificate chain file in PKCS12 format:
      sudo openssl pkcs12 -export -in /etc/pki/tls/certs/fmClient.chain.crt \
        -out /etc/pki/tls/certs/fmClient.chain.p12 \
        -passout pass:changeit
    3. Create the Java keystore:
      sudo keytool -importkeystore -srckeystore /etc/pki/tls/certs/fmClient.chain.p12 \
        -srcstoretype pkcs12 \
        -destkeystore /etc/pki/tls/certs/fmClientJKS.crt \
        -storepass changeit
    4. Make the keystore readable:
      sudo chmod 644 /etc/pki/tls/certs/fmClientJKS.crt
    5. Configure the GigaVUE-FM load balancer functionality:
      sudo cat /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key | sudo tee /etc/pki/tls/certs/localhost.pem > /dev/null
      curl -XPOST "localhost:4466/fmcs/configureLoadBalancer?pretty" -H "Content-Type: application/json" -d '{"custom_certificate" : true}'

      Note:  Do not delete the EOL characters at the end of each line of the certificate file. If the certificate file has no EOL character at its end, insert one.

    6. Restart the Apache web server:
      sudo systemctl restart httpd
    7. Restart GigaVUE-FM:
      sudo systemctl restart tomcat@cms.service
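
As an added example (not Gigamon's code), the following script runs the checks a practitioner would want before installing the files from step 2: that each PEM ends with the EOL character the procedure requires, that each certificate was issued by its CA file, and that each private key matches its certificate. It assumes the file names above and a POSIX sh with openssl on the PATH.

```shell
#!/bin/sh
# Pre-flight checks for the GigaVUE-FM mTLS material; an added example, not Gigamon's tooling.
# Assumes the file names from the procedure above and a POSIX sh with openssl on PATH.
set -u

# The procedure warns that a certificate file must end with an EOL character:
# return 0 if the last byte of FILE is a newline, 1 otherwise (or if FILE is missing/empty).
has_trailing_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | wc -l)" -eq 1 ]
}

# Append the missing newline in place; a no-op when the file already ends with one.
ensure_trailing_newline() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    has_trailing_newline "$1" || printf '\n' >> "$1"
}

# Check that CERT (e.g. fmServerCertificate.pem) was issued by the CA in CAFILE
# (e.g. fmServerCACertificate.pem); exit status 0 means the chain verifies.
verify_chain() {
    openssl verify -CAfile "$1" "$2" > /dev/null
}

# Check that KEY belongs to CERT by comparing the SHA-256 of both DER-encoded public keys;
# httpd will not start with a mismatched localhost.crt/localhost.key pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check against the server and client material in DIR; returns 1 if any check fails.
preflight() {
    dir=$1; rc=0
    for role in Server Client; do
        cert="$dir/fm${role}Certificate.pem"; key="$dir/fm${role}CertificateKey.pem"; ca="$dir/fm${role}CACertificate.pem"
        for f in "$cert" "$key" "$ca"; do ensure_trailing_newline "$f" || rc=1; done
        verify_chain "$ca" "$cert" || { echo "$cert is not issued by $ca" >&2; rc=1; }
        key_matches_cert "$cert" "$key" || { echo "$key does not match $cert" >&2; rc=1; }
    done
    return "$rc"
}

# Usage: sh fm_mtls_preflight.sh /home/User/certsAndKeys (does nothing when run without a directory).
[ "$#" -eq 0 ] || preflight "$1"
```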

GigaVUE-FM is not responsible for any PKI or certificate management activities.

Configure mTLS Authentication in GCB

Follow these steps to configure mTLS authentication in GCB:

Note:  Before you begin, you must generate the ca_cert.pem, gcb_cert.pem and gcb_key.pem certificates for the FM-GCB mTLS configuration.

  1. Copy the generated ca_cert.pem, gcb_cert.pem and gcb_key.pem files to a folder.

  2. Create a Kubernetes secret holding the mTLS material for GCB with the following command, giving the path to each file:

    kubectl create secret generic <secret-name> --from-file=gcb-ca-root-cert=<path to file> --from-file=gcb_cert=<path to file> --from-file=gcb-pvt-key=<path to file>
  3. Reference the secret created above in the following snippet of the gcb-cntlr YAML file (secretName must match the <secret-name> you chose in step 2).

    volumeMounts:
    - mountPath: /etc/gcbcerts
      mountPropagation: None
      name: gcb-tls
    volumes:
    - name: gcb-tls
      secret:
        secretName: gcb-tls