Yarnman Photon Powered (YM-PH) - Advanced Platform Configuration
- 1 Key and Configuration Encryption
- 2 Customisation
- 3 Setup Couchdb Replication
- 4 Yarnman HTTP Certificate Notes
- 4.1.1 Generate CSR
- 4.1.1.1.1 Verification
- 4.1.1.2 Configuring Intermediate CA Certificates
- 4.1.1.2.1 Verification
- 4.2 Photon iptables
- 4.2.1 default ip4save
- 4.2.2 Logging
- 4.2.3 Monitoring
Key and Configuration Encryption
A script will be added in the future to automate creation of the clevis.json, although it will require out-of-band collection of the thp.
Collect the thp (thumbprint) for each tang server individually. This is a unique identifier for each node's tang server.
yarnman@ym-ph-test [ ~ ]$ sudo ym-service-commands.sh tang-thp
E7SN3eGxrnyoGiHGJBt4GDU8MRw
OR, on older versions, this command was previously
yarnman@ym-ph-test [ ~ ]$ sudo ym-service-commands.sh tang-adv
E7SN3eGxrnyoGiHGJBt4GDU8MRw
Run the key and config encryption
Node1
sudo ym-encrypt-at-rest.sh
Database key found proceeding
Number of pins required for decryption :1
Number of pins this must be equal or greater than the number of pins required for decryption :3
Enter URL for tang server 1 :http://10.101.10.13:6655
Enter THP for tang server 1 :o38piqOs5UwunlcUmqMVwulml34
Connection successful to : http://10.101.10.10:6655
Enter URL for tang server 2 :http://10.101.10.11:6655
Enter THP for tang server 2 :0Lqk7DroJ0g3patTCgTweMUAHPc
Connection successful to : http://10.101.10.11:6655
Enter URL for tang server 3 :http://10.101.10.12:6655
Enter THP for tang server 3 :GEpmSTQfz8ctVxdgQEp_rnS3za
Connection successful to : http://10.101.10.12:6655
...
Node4
sudo ym-encrypt-at-rest.sh
Database key found proceeding
Number of pins required for decryption :1
Number of pins this must be equal or greater than the number of pins required for decryption :3
Enter URL for tang server 1 :http://10.101.10.10:6655
Enter THP for tang server 1 :DwLco7FJtXWxFTprQ5M3cojJsZo
Connection successful to : http://10.101.10.10:6655
Enter URL for tang server 2 :http://10.101.10.11:6655
Enter THP for tang server 2 :0Lqk7DroJ0g3patTCgTweMUAHPc
Connection successful to : http://10.101.10.11:6655
Enter URL for tang server 3 :http://10.101.10.12:6655
Enter THP for tang server 3 :GEpmSTQfz8ctVxdgQEp_rnS3za
Connection successful to : http://10.101.10.12:6655
Do not include the local server in the encryption at rest. If you have 4 nodes, enter the Number of Pins as 3 and exclude the IP address of the local server.
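One way such a clevis.json could be assembled from thumbprints collected out of band, as an added example that is not Yarnman's own script. It assumes the standard clevis sss layout with tang pins, that the two prompts above map to the threshold t and the pin list, SHA-1 or SHA-256 thumbprints, and a hypothetical local address of 10.101.10.13 for node 4; the function names and thumbprints are constructed.

```shell
#!/bin/sh
# Added example; not Yarnman's ym-encrypt-at-rest.sh or its future script.
# Assumptions: the standard clevis "sss" layout with tang pins, and
# thumbprints that are SHA-1 (27 chars) or SHA-256 (43 chars) base64url.

# valid_thp THP: succeeds only for a complete, well-formed thumbprint.
valid_thp() (
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) exit 1 ;;
    esac
    [ "${#1}" -eq 27 ] || [ "${#1}" -eq 43 ]
)

# build_clevis_config THRESHOLD LOCAL_IP URL=THP [URL=THP ...]
# Prints the JSON on stdout, or fails with a reason on stderr.
build_clevis_config() (
    t=$1; local_ip=$2; shift 2
    { [ "$t" -ge 1 ] && [ "$#" -ge "$t" ]; } 2>/dev/null ||
        { echo "threshold must be between 1 and $# pins" >&2; exit 1; }
    pins=""
    for pair in "$@"; do
        url=${pair%%=*}; thp=${pair#*=}
        case "$url" in
            *"//$local_ip:"*)
                echo "exclude the local tang server: $url" >&2; exit 1 ;;
        esac
        # Catches a thumbprint that lost a character during copy and paste.
        valid_thp "$thp" ||
            { echo "incomplete or malformed thp for $url" >&2; exit 1; }
        pins="$pins${pins:+,}{\"url\":\"$url\",\"thp\":\"$thp\"}"
    done
    printf '{"t":%s,"pins":{"tang":[%s]}}\n' "$t" "$pins"
)

# Constructed thumbprints; node 4 (assumed 10.101.10.13) pins the other three.
build_clevis_config 1 10.101.10.13 \
    "http://10.101.10.10:6655=abcdefghijklmnopqrstuvwxyz0" \
    "http://10.101.10.11:6655=ABCDEFGHIJKLMNOPQRSTUVWXYZ1" \
    "http://10.101.10.12:6655=0123456789_-abcdefghijklmno"
```

With a threshold of 1, any single reachable tang server is enough to unlock the key, so the pin count governs availability rather than how many servers must agree.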
Customisation
These manual customisations will be moved into scripts in a future release
When editing a .yml document, ensure that the correct space indentation is used for the relevant lines
Yarnman Application Additional Ports
With Yarnman Photon, additional steps are required for https://yarnlab.atlassian.net/wiki/spaces/YSP/pages/2730950753
Enable the Additional listening port with the ym-edit-config command
yarnman@yarnman-1 [ ~ ]$ sudo ym-edit-config.sh enable-local-admin-access
You will be prompted to restart the Yarnman service
Port 3999 is the default alternative port to be used
The following file is modified by the script. Snippet shown for reference
/var/opt/yarnlab/yarnman/docker-compose-override.yml
Create the 2nd Administration application and ensure the port is 3999 and binding address is 0.0.0.0
You will now be able to access the second administration application on port 3999 using https://<IP address>:3999/
NOTE that the http to https redirect will not work on this port and https:// must be entered
It is suggested to use a private browser window or similar, as the authentication sessions will conflict with LDAP users and the older session will close
Enable database access for Replication
Enable the listening port for couchdb for replication
You will be prompted to restart the yarnman service
Port 6984 will be used
The following file is modified by the script. Snippet shown for reference
/var/opt/yarnlab/yarnman/docker-compose-override.yml
Optionally access to couchdb can be restricted to IP addresses using iptables
Changing private key default passphrase
This step requires root access
To switch to root access, run the following command “su root” and enter the root password set during installation
If the encryption at rest process has been run previously, the private key must be decrypted
If the key is not encrypted, skip the decryption step
To verify, run the following command. If no file is found, that means the key is encrypted
To verify the key is encrypted
Switch into the docker container by running the following command. Note that the prompt changes from the root shell to the container shell
To decrypt the key, run the following command
Reset permissions
chmod 600 /opt/yarnlab/yarnman/config/private-encryption-key.pem
Change the passphrase from the default “yarnman”
Back up the old key
Exit the container shell
verify the key is decrypted and ensure the that
Add the new passphrase to /var/opt/yarnlab/yarnman/config/local.yaml
To update
yq -i '.encryption.dbPassphrase = "somepassword"' /var/opt/yarnlab/yarnman/config/local.yaml
Encrypt the passphrase
Verify
Re-encrypt the keys
Restart services
Verify: while services are restarting, look for
Setup Couchdb Replication
Log in to the yarnman administration application web interface
Navigate to Authentication database
Rename the Default Authentication Database name from “Central DB” to “<Node Name> Central DB” or other suitably unique name
Navigate to Authentication Policies
Rename the Default Authentication Policy name from “Central DB-Only Policy” to “<Node Name> Central DB-Only Policy” or other suitably unique name
Navigate to Nodes and select the Standalone node
Update the yarnman node name
Navigate to Nodes, select the node you want to set up and click on the Replication tab
Click on Add Replication
Enter the source and target connection strings
Source Address Syntax https://10.222.1.4:6984 - NOTE that the default source address is 10.222.1.4
Source address: https://10.222.1.4:6984
Source username: architect
Source password: somepassword
Remote address Syntax https://<TargetIP>:6984
Target address https://10.101.10.10:6984
Target username: architect
Target password: somepassword
Once replication is set up, its status can be reviewed by clicking on the replication address, e.g. https://10.101.10.10:6984. If the replication shows blank, the Sync button can be pressed to kick off replication again.
Repeat for each pair of nodes to achieve a full mesh
If there are 2 data centres, repeat for each primary node in each data centre.
2 node - 2 replications
n1->n2
n2->n1
3 node - 6 replications
n1->n2
n1->n3
n2->n1
n2->n3
n3->n1
n3->n2
4 node - 12 replications
n1->n2
n1->n3
n1->n4
n2->n1
n2->n3
n2->n4
n3->n1
n3->n2
n3->n4
n4->n1
n4->n2
n4->n3
Yarnman HTTP Certificate Notes
This is a manual process until https://yarnlab.atlassian.net/browse/YMN-4962
Generate CSR
Switch user to root
Run the following command to create the CSR request config file
Copy the following content and replace servername.example.com with the Fully Qualified Domain Name of the server and sample@sample.com with an email address.
Run the following command to generate the CSR
Command Syntax
All of the following need to be replaced
${COUNTRY}
${STATE}
${LOCATION}
${ORGANIZATION}
${FUNCTION}
${FQDN}
Example
Collect CSR for signing
Option 1 - SFTP download from /var/opt/yarnlab/upgrade/
cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr
Option 2 - copy content from your ssh terminal to obtain the base64 text
cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr
Once the signed certificate has been received from the CA
Note: if the certificate has an intermediate CA, extra steps will be required, detailed in the step Configuring Intermediate CA Certificates
Rename/move the existing SSL public certificate
Update the public certificate
Option 1
Upload to /tmp from your sftp program, set/validate the correct permissions and restart yarnman
Option 2
Use nano to paste the contents of the base64 certificate
Verification
Verify contents of CSR
Verify the certificate is valid with openssl command
Configuring Intermediate CA Certificates
Typical format for standard SSL.
/var/opt/yarnlab/yarnman/config/
ssl-cert.cert - Standard certificate sent to clients
ssl-key.pem - Private key file for checking response
In order to enable intermediate certificates, we must create a new directory named ca in /var/opt/yarnlab/yarnman/config/
Add files in the order of the cert chain so the files in the directory look like
The /ca folder contains the intermediate certificates that will be loaded in order. The easiest way to achieve this is to use the naming conventions 1-, 2- etc. Each certificate must end in .crt in order to be loaded.
Once the folder is created and at least one certificate is added in the format indicated the services on the node must be restarted.
File permissions should be as follows
If required to change the owner and group
If required to change the permissions
restart yarnman
Verification
If you have multiple intermediates
Photon iptables
In order to have persistent firewall rules for docker containers, we need to populate the DOCKER-USER chain. This is processed by iptables before traffic hits the host, hence we can’t apply the firewall rules directly on the INPUT chain (used by eth0).
In this example we will allow traffic to couchdb from the following IP addresses:
10.202.30.10
10.202.30.11
10.101.10.36
You will need to su as root to modify this file.
Modify the Existing ruleset applied on startup /etc/systemd/scripts/ip4save
We need to add the chain declaration :DOCKER-USER - [0:0] under the existing chain list of the filter table, and the required firewall rules at the bottom before the COMMIT
The File will look similar to
Reload the server for the firewall rules to take effect
You can verify the ruleset with the command in a root prompt
Some output has been removed from the other tables and docker internals, but this shows that 10.202.30.10, 10.202.30.11 and 10.101.10.36 can communicate with TCP/6984 and everything else is dropped. You can see 55 packets have been blocked, and 9 packets have been allowed from 10.202.30.11.
default ip4save
This is the default of /etc/systemd/scripts/ip4save, on the off-chance you need to roll back to it
To add other firewall rules, e.g. to allow traffic only between 3 IPs to Clevis-Tang, insert them above the COMMIT line, e.g.
Final file will look like /etc/systemd/scripts/ip4save
Logging
With iptables you need to LOG before dropping the packet; the simplest way is to duplicate the rule with the LOG jump.
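The two ip4save edits described under Photon iptables (declaring DOCKER-USER and adding the allow rules before COMMIT), together with the LOG-before-DROP pairing from this section, as an added example rather than the page's original file. It assumes traffic arrives on eth0 and that CouchDB is published on the same port it listens on inside the container; the function names, log prefix and sample ruleset are constructed.

```shell
#!/bin/sh
# Added example; not the ip4save shipped with Yarnman or Photon.
# Assumptions: traffic arrives on eth0, CouchDB is published on the same
# port it listens on in the container (6984), the log prefix is made up.

# docker_user_patch PORT IP [IP ...]   (ruleset on stdin, result on stdout)
# Declares DOCKER-USER in the *filter chain list and, just before that
# table's COMMIT, adds one ACCEPT per source followed by LOG and then DROP.
docker_user_patch() (
    port=$1; shift
    in=$(cat)
    case "$in" in
        *":DOCKER-USER "*) echo "DOCKER-USER already declared" >&2; exit 1 ;;
    esac
    m="-i eth0 -p tcp -m tcp --dport $port"
    rules=""
    for ip in "$@"; do
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
            { echo "not an IPv4 address: $ip" >&2; exit 1; }
        rules="$rules-A DOCKER-USER -s $ip/32 $m -j ACCEPT
"
    done
    # LOG does not end rule traversal, so it sits directly above the DROP.
    rules="$rules-A DOCKER-USER $m -j LOG --log-prefix \"DOCKER-USER drop: \"
-A DOCKER-USER $m -j DROP"
    printf '%s\n' "$in" | RULES="$rules" awk '
        $0 == "*filter"          { in_f = 1; chains = 1; print; next }
        in_f && chains && !/^:/  { print ":DOCKER-USER - [0:0]"; chains = 0 }
        in_f && $0 == "COMMIT"   { print ENVIRON["RULES"]; in_f = 0 }
        { print }'
)

# Constructed sample ruleset, not the real default file.
sample_ip4save() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

sample_ip4save | docker_user_patch 6984 10.202.30.10 10.202.30.11 10.101.10.36
```

Rules in DOCKER-USER see the packet after Docker's destination NAT, so --dport matches the container port; if the published port differs, the match has to be adjusted.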
Monitoring
watch can be used to repeat the same command, to watch the counters increase
Highlight keywords from Log and current packet counts