Saturday, February 15, 2014

OpenSSL CA cannot sign request?!

Got the following error after signing one ore more requests?

failed to update database
TXT_DB error number 2


This is due to you are signing a request having duplicated CN.  That is, another request you signed before was having the same CN as the one you sign this time.

To allow signing duplicated CN, you need to edit the index.txt.attr file in your CA.  Change

unique_subject = yes

to

unique_subject = no

You will not encounter the same error again.

Thursday, January 30, 2014

Creating a CA on Ubuntu

A more formal setup for a CA this time compared to the previous "Quick and Dirty" notes.

First of all, install a fresh Ubuntu.  I choose 12.04 LTS Server because of longer term support.

After installation, run the update commands to patch the systems:
$ sudo apt-get updates
$ sudo apt-get dist-upgrade

Reboot the system, as the previous command also upgrade the kernel.

Let's edit the defaults for OpenSSL in Ubuntu.  Configuration file is located at /etc/ssl/openssl.cnf

Look for the following:

[ CA_default ]
dir = ./demoCA

Change it to:

[ CA_default ]
dir = /opt/WhiteHat-CA

Also look for

policy = policy_match

Change it to:

policy = policy_anything

You can also make changes to [ req_distinguished_name ] for different default values.

This time, as we create a static CA.  Let's put it in /opt/WhiteHat-CA (or any name you like under /opt that you specified in the configuration file above).

$ sudo mkdir /opt/WhiteHat-CA

We then secure it, making only root (sudoers) can access the CA.

$ sudo chmod 700 /opt/WhiteHat-CA

Create the nessessary folders in the CA:

$ sudo mkdir /opt/WhiteHat-CA/certs
$ sudo mkdir /opt/WhiteHat-CA/private
$ sudo mkdir /opt/WhiteHat-CA/newcerts

Create the serial number file

$ sudo echo 1000 > /opt/WhiteHat-CA/serial

And create the index.txt file

$ sudo touch /opt/WhiteHat-CA/index.txt

Lastly, we create the private key and the cert for the CA:

$ sudo openssl req -new -x509 -days 3652 \
-extensions v3_ca \
-keyout /opt/WhiteHat-CA/private/cakey.pem \
-out /opt/WhiteHat-CA/cacert.pem

That's it!

Since we secured the CA, if you need to operate the CA (execute openssl ca commands), you need to sudo in order to get have required permission.

Unofficial: Replacing HP ArcSight Logger private key and certificate for web management console

From management  console, it does not allow you to import a private key.  Sometimes if it is mandatory to pre-generate the key from another sources, you will not able to use the pre-generate key.

However, replacing the private key and certificate is not that difficult.  They are located at

/opt/arcsight/logger/userdata/platform/ssl.crt

assuming the installation folder is /opt/arcsight/logger.

The private key file, must be not encrypted (-nodes), is called server.crt.  The certificate file is called server.pem.

Replacing these two files with your own pre-generate private key and certificate, then restart the HP ArcSight Logger service.  This makes the newly loaded private key and certificate effective.

This is not officially supported by HP, I think.

Wednesday, January 29, 2014

Quick and Dirty Steps: Create a CA, Generate a CSR and Sign the CSR with OpenSSL (on Ubuntu)

It is actually fairly easy.  Default openssl options (on Ubuntu) points the CA to ./demoCA (a folder called "demoCA" in the currrent folder).

Create a CA:
mkdir demoCA
cd demoCA
mkdir certs private newcerts
echo 1000 > serial
touch index.txt
openssl req -new -x509 -days 3652 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem

cd ..

Generate a CSR - on the folder containing "demoCA" folder:
openssl req -out A.csr -new -newkey rsa:2048 -keyout A.key

Sign the CSR with the CA - on the folder containing "demoCA" folder and A.csr:
openssl ca -out A.pem -infiles A.csr

Some time your device may only accept PKCS#12 format.  Once you have the key and the cert, you can convert it to PKCS#12:
openssl pkcs12 -export -in A.pem -inkey A.key -out A.p12 -name "A"

In order for your device to trust the cert (A.pem or A.p12), you will need to import the CA cert (./demoCA/cacert.pem).

Wednesday, January 22, 2014

iOS native IPSec VPN with a FortiGate using certificates and AD (LDAP) authentication

Is the title too complicated?  Let me explain a bit about the requirements:
  1. iOS native IPSec VPN - that is make VPN between an iOS device and a FortiGate without additional software install on the iOS device
  2. User credential checked against Active Directory (over LDAPS)
  3. Certificate based VPN (do not allow to use preshare key and allow on demand VPN with iOS device)
All in one shot!  This example uses FortiOS 4.0 MR3 Patch 15 (FOS 4.3.15).

You need a working Microsoft Active Directory Domain with Enterprise CA enabled.  Without this, you cannot really do LDAPS and hance authtication information will be travel in plain text from FortiGate to MSADDC.  I use Windows 2008R2.  IP address of your DC in this example is 192.168.1.1

Once the DC and CA (actually can be on the same computer for lab exercise demo) ready, you need to create a user group, say "VPN" in Active Directory Users and Computers.  At your domain controller, open a command prompt and enter the following:

dsquery group -name "VPN"

You should have a result looks like:

"CN=VPN,OU=Builtin,DC=domain,DC=com"

You will need this information in setting up the user group in FortGate in later stage.

First, you need to have your CA cert exported - you only need the CA cert, no need to export the key.  Then in FortiGate, create the CA cert entry:

config vpn certificate ca
    edit "EXAMPLE_CA"
        set ca "-----BEGIN CERTIFICATE-----

CONTENTS REMOVED DUE TO SECURITY - YOU SHOULD HAVE THE CERT HERE
-----END CERTIFICATE-----"
    next
end
In FortiGate, create a LDAPS entry.
config user ldap
    edit "EXAMPLE-DC"
        set server "192.168.1.1"
        set cnid "sAMAccountName"
        set dn "OU=Users,DC=example,DC=com"
        set port 636
        set type regular
        set username "example\\domainuser"
        set password ENC ENCRYPTEDPASSWORDGOESHERE
        set secure ldaps
        set ca-cert "EXAMPLE_CA"
    next

Then create the user group.  The group-name here is the result comes from the command prompt output in the DC.

config user group
    edit "LDAP-VPN"
        set member "EXAMPLE-DC"
            config match
                edit 1
                    set server-name "EXAMPLE-DC"
                    set group-name "CN=VPN,OU=Builtin,DC=domain,DC=com"
                next
            end
    next
end

Load a VPN cert.  REMEMBER THE COMMON NAME OF THIS CERT MUST MARCH THE CONNECTING HOSTNAME.  So if your iOS devices connects to vpn.example.com, then the common name of this cert must be the same.

config vpn certificate caedit "ipad"
        set password ENC ENCRYPTEDPASSWORDGOESHERE
        set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4BD4C7C7AC6240E3

CONTENTS REMOVED DUE TO SECURITY - YOU SHOULD HAVE THE KEY HERE

-----END RSA PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
CONTENTS REMOVED DUE TO SECURITY - YOU SHOULD HAVE THE CERT HERE
-----END CERTIFICATE-----"
    next
end
Create interface base Phase 1.  Assuming the WAN interface is called "wan"
config vpn ipsec phase1-interface
    edit "IPSEC_iOS"
        set type dynamic
        set interface "wan"
        set dhgrp 2
        set authmethod rsa-signature
        set xauthtype auto
        set mode-cfg enable
        set proposal 3des-md5 3des-sha1
        set rsa-certificate "ipad"
        set authusrgrp "LDAP-VPN"
        set ipv4-start-ip 192.168.2.1
        set ipv4-end-ip 192.168.2.254
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set banner "Welcome to EXAMPLE VPN!"
    next
end


Create interface based Phase 2:

config vpn ipsec phase2-interface
    edit "IPSEC_iOS"
        set keepalive enable
        set phase1name "IPSEC_iOS"
        set proposal aes256-md5 aes256-sha1
        set dhgrp 2
    next
end

Make a static route for this newly created range.  "0" here means to create a new entry.

config router static
    edit 0
        set device "IPSEC_iOS"
        set dst 192.168.2.0 255.255.255.0
    next
end


It would be nice to define this range in an address object.

config firewall address
    edit "IPSEC_iOS_RANGE"
        set associated-interface "IPSEC_iOS"
        set subnet 192.168.2.0 255.255.255.0
    next
end 


Create the firewall policy.  Again "0" here means create a new entry.

config firewall policy
    edit 0
        set srcintf "IPSEC_iOS"
        set dstintf "Internal"
            set srcaddr "IPSEC_iOS_RANGE"            
            set dstaddr "all"            
        set action accept
        set schedule "always"
            set service "ANY"            
        set logtraffic enable
        set nat enable
    next
end

That's it for the FortiGate configuration.

Now come to configure the iOS device.  First you email (or better deploy via MDM) the P12 certificate to the iOS device.  Then create the VPN entry as follow:


 
And you can enable the VPN, a welcome message will show up.
 
 
Notice the "VPN" logo on the upper left conner.  Enlarged for reference:
 
 
FortiGate Cookbook shall include this. 
 
Enjoy!