Yarnman Photon Powered (YM-PH) - Advanced Platform Configuration

Key and Configuration Encryption

A script will be added in the future to automate creation of the clevis.json although it will require out of band collection of the thp

  1. Collect the thp (thumbprint for each tang servers individually this is a unique identifier for each nodes tang server

    1. yarnman@ym-ph-test [ ~ ]$ sudo ym-service-commands.sh tang-thp E7SN3eGxrnyoGiHGJBt4GDU8MRw OR if older versions this command was previously yarnman@ym-ph-test [ ~ ]$ sudo ym-service-commands.sh tang-adv E7SN3eGxrnyoGiHGJBt4GDU8MRw
  2. Run the key and config encryption

    • Node1 sudo ym-encrypt-at-rest.sh Database key found proceeding Number of pins required for decryption :1 Number of pins this must be equal or greater than the number of pins required for decryption :3 Enter URL for tang server 1 :http://10.101.10.13:6655 Enter THP for tang server 1 :o38piqOs5UwunlcUmqMVwulml34 Connection successful to : http://10.101.10.10:6655 Enter URL for tang server 2 :http://10.101.10.11:6655 Enter THP for tang server 2 :0Lqk7DroJ0g3patTCgTweMUAHPc Connection successful to : http://10.101.10.11:6655 Enter URL for tang server 3 :http://10.101.10.12:6655 Enter THP for tang server 3 :GEpmSTQfz8ctVxdgQEp_rnS3za Connection successful to : http://10.101.10.12:6655 ... Node4 sudo ym-encrypt-at-rest.sh Database key found proceeding Number of pins required for decryption :1 Number of pins this must be equal or greater than the number of pins required for decryption :3 Enter URL for tang server 1 :http://10.101.10.10:6655 Enter THP for tang server 1 :DwLco7FJtXWxFTprQ5M3cojJsZo Connection successful to : http://10.101.10.10:6655 Enter URL for tang server 2 :http://10.101.10.11:6655 Enter THP for tang server 2 :0Lqk7DroJ0g3patTCgTweMUAHPc Connection successful to : http://10.101.10.11:6655 Enter URL for tang server 3 :http://10.101.10.12:6655 Enter THP for tang server 3 :GEpmSTQfz8ctVxdgQEp_rnS3za Connection successful to : http://10.101.10.12:6655

       

Do not include the Local server in the encryption at rest. If you have 4 Nodes, you will enter in Number of Pins as 3, and exclude the IP address of the local server

Customisation

These manual customisations will be moved into scripts in a future release

When editing .yml document ensure that the correct space indentation for the relevent lines

Yarnman Application Additional Ports

With yarn_man Photon additional steps are required for https://yarnlab.atlassian.net/wiki/spaces/YSP/pages/2730950753

  1. Enable the Additional listening port with the ym-edit-config command

    • yarnman@yarnman-1 [ ~ ]$ sudo ym-edit-config.sh enable-local-admin-access
    • You will be prompted to restart the Yarnman service

    • Port 3999 is the default alternative port to be used

  2. The following file is modified by the script. Snippet shown for reference

    • /var/opt/yarnlab/yarnman/docker-compose-override.yml

  3. Create the 2nd Administration application and ensure the port is 3999 and binding address is 0.0.0.0

  4. You will now be able to access the second administration application on port 3999 using https://<IP address>:3999/

    • NOTE that http to https redirect will not work on this port and https:// must be entered

    • It is suggested to use in private browser or similar as the authentication sessions will conflict with LDAP users and the older session will close

Enable database access for Replication

  1. Enable the listening port for couchdb for replication

    • You will be prompted to restart the yarnman service

    • Port 6984 will be used

  2. The following file is modified by the script. Snippet shown for reference

    • /var/opt/yarnlab/yarnman/docker-compose-override.yml

    • Optionally access to couchdb can be restricted to IP addresses using iptables

 

Changing private key default passphrase

  1. This step requires root access

    • to switch to root access run the following command “su root” and enter the root password set during installation

    • If the encryption at rest process has been run previously the private key must be decrypted

      • If the key is not encrypted skip the decryption step

      • to verify run the following command If no file is found that means the key is encrypted

      •  

      • to verify the key is encrypted

  2. Switch into docker container by running the following command - Note that the prompt changes from the root to container shell

  3. to decrypt the key run the following command

  4. reset permissions

    • chmod 600 /opt/yarnlab/yarnman/config/private-encryption-key.pem

  5. change passphrase from default “yarnman”

  6. backup old key

  7. exit the container shell

    • verify the key is decrypted and ensure the that

  8. add new passphrase to /var/opt/yarnlab/yarnman/config/local.yaml

    • TO update yq -i '.encryption.dbPassphrase = "somepassword"' /var/opt/yarnlab/yarnman/config/local.yaml

  9. encrypt passphrase

    • verify

  10. re encrypt keys

  11. restart services

    • verify while services are restarting look for

 

Setup Couchdb Replication

  1. login to yarnman administration application web interface

  2. Navigate to Authentication database

    • Rename the Default Authentication Database name from “Central DB” to “<Node Name> Central DB” or other suitably unique name

  3. Navigate to Authentication Policies

    • Rename the Default Authentication Policy name from “Central DB-Only Policy” to “<Node Name> Central DB-Only Policy” or other suitably unique name

    •  

  4. Navigate to Nodes and select the Standalone node

  5. Update the yarnman node name

    •  

  6. Navigate to Nodes , select the node you wanted to setup and click on the Replication tab

  7. Click on Add Replication

    • Enter the source and target connection strings

  8. Once replication is setup status can be reviewed by clicking on the replication address, eg https://10.101.10.10:6984 . If the replication shows blank, the Sync button can be pressed to kick off replication again.

     

  9. Repeat for each pair of nodes to achieve a full mesh

    • If there are 2 datacenters repeat for each primary node in each data centre -

      • 2 node - 2 replications

        • n1->n2

        • n2->n1

      • 3 node - 6 replications

        • n1->n2

        • n1->n3

        • n2->n1

        • n2->n3

        • n3->n1

        • n3->n2

      • 4 node - 12 replications

        • n1->n2

        • n1->n3

        • n1->n4

        • n2->n1

        • n2->n3

        • n2->n4

        • n3->n1

        • n3->n2

        • n3->n4

        • n4->n1

        • n4->n2

        • n4->n3

Yarnman HTTP Certificate Notes

This is a manual proces until https://yarnlab.atlassian.net/browse/YMN-4962

Generate CSR

  1. Switch user to root

  2. Run the following command to create the CSR request config file

  3. Run the following command to generate the CSR

    • Command Syntax

    • All of the following need to be replaced

      • ${COUNTRY}

      • ${STATE}

      • ${LOCATION}

      • ${ORGANIZATION}

      • ${FUNCTION}

      • ${FQDN}

    • Example

  4. Collect CSR for signing

    1. Option 1- SFTP download from /var/opt/yarnlab/upgrade/

      1. cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr

    2. Option 2 - copy content from your ssh terminal to obtain the base64 text

      1. cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr

  5. Once signed certificate has been received from CA

    1. Note if the certificate has intermediate CA, Extra steps will be required detailed in the step Configuring Intermediate CA Certificates

  6. rename/move existing SSL public certificate

  7. Update public certificate

    • Option 1
      upload to /tmp from your sftp program, set/validate correct permission and restart yarnman

    • Option 2
      use nano to paste the contents of the base64 certificate

Verification

Verify contents of CSR

Verify the certificate is valid with openssl command

 

Configuring Intermediate CA Certificates

Typical format for standard SSL.

/var/opt/yarnlab/yarnman/config/

ssl-cert.cert - Standard certificate sent to clients

ssl-key.pem - Private key file for checking response

In order to enable intermediate certificates we must create new directory of ca in in /var/opt/yarnlab/yarnman/config/

add files in order of the cert chain so the files in the directory look like

The /ca folder contains the intermediate certificates that will be loaded in order. The easiest way to achieve this is to use the naming conventions 1-, 2- etc. Each certificate must end in .crt in order to be loaded.

Once the folder is created and at least one certificate is added in the format indicated the services on the node must be restarted.

File permissions should be as follow

If required to change the owner and group

If required to change the permissions

restart yarnman

Verification

If you have multiple intermediates

Photon iptables

In order to have perstitant firewall rules for docker containers, we need to populate the DOCKER-USER table, this is processed by iptables before traffic hits the host, hence we can’t apply the firewall rules directly on INPUT table (used by eth0)

In this example we will allow traffic to couchdb from ip address

  • 10.202.30.10

  • 10.202.30.11

  • 10.101.10.36

You will need to su as root to modify this file.

Modify the Existing ruleset applied on startup /etc/systemd/scripts/ip4save

We need to add the table/filter :DOCKER-USER - [0:0] under the existing filter/table list and the required firewall rules at the bottom before the COMMIT

The File will look similar to

Reload the server for the firewall rules to take affect

You can verify the ruleset with the command in a root prompt

some output removed from the other tables and docker internal but this shows 10.202.30.10 , 10.202.30.11, 10.101.10.36 can communicate with TCP/6984 and everything else is dropped . You can see 55 packets have been blocked, and 9 packets have been allowed from 10.202.30.11

default ip4save

This is the default of /etc/systemd/scripts/ip4save

on the off-chance you need to rollback to it

 

To add other firewall rules eg allow traffic only between 3 ips to Clevins-Tang insert them above the COMMIT line eg

Final file will look like /etc/systemd/scripts/ip4save

Logging

With IPtables you need to LOG before dropping the packet, the simplest way is to duplicate the rule with the LOG jump

Monitoring

watch can be used to repeat the same command, to watch the counters increase

 

Highlight keywords from Log and current packet counts