Security Layers

Create a CA
Add security to APIs

Create a CA

Modify the hostname in /etc/hostname
- Expected output of hostname command:
```
$ hostname
ic2m2
```
Modify the host in /etc/hosts. E.g.:
```
127.0.0.1 localhost
10.63.27.39 ic2m2
```
Create a cert folder: mkdir cert && cd cert

Generate a key for rootCA:

openssl genrsa -des3 -out rootCA.key 2048

Generate a certificate for rootCA:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 730 -out rootCA.pem

Expected output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Gipuzkoa
Locality Name (eg, city) []:SS
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CEIT
Organizational Unit Name (eg, section) []:DAIM
Common Name (e.g. server FQDN or YOUR name) []:ic2m2
Email Address []:sfigueroa@ceit.es

Convert certificate from pem to crt:

openssl x509 -outform pem -in rootCA.pem -out rootCA.crt

Certificate verification:

openssl x509 -in rootCA.pem -text -noout

Copy rootCA.crt certificate to the ca-certificates folder:
```
sudo cp rootCA.crt /usr/share/ca-certificates/
```
Install certificates:
```
sudo dpkg-reconfigure ca-certificates
```

Expected output:

Update installed certificates:
```
sudo update-ca-certificates
```

Add security to APIs

Note: As shown in the architecture image for securing the APIs, a reverse proxy has been set up.

Generate the private key for a broker
```
openssl genrsa -out api.key 2048
```

Generate the csr file:

openssl req -new -key api.key -out api.csr

Expected output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Gipuzkoa
Locality Name (eg, city) []:SS
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CEIT
Organizational Unit Name (eg, section) []:DAIM
Common Name (e.g. server FQDN or YOUR name) []:ic2m2
Email Address []:sfigueroa@ceit.es

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Ceit_1234
An optional company name []:ii40

Create a config file openssl.cnf with a list of domain names associated with the certificate:

# Extensions to add to a certificate request
basicConstraints       = CA:FALSE
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
subjectAltName         = @alt_names
[ alt_names ]
DNS.1 = api-crate
DNS.2 = api-orion
DNS.3 = apikey-mng
DNS.4 = nginx
DNS.5 = ic2m2
DNS.6 = localhost
IP.1 = 10.63.27.39
IP.2 = 127.0.0.1

Sign the broker certificate using the rootCA:

openssl x509 -req \
 -in api.csr \
 -CA rootCA.pem \
 -CAkey rootCA.key \
 -CAcreateserial \
 -out api.crt \
 -days 730 \
 -sha256 \
 -extfile openssl.cnf

Expected output:

Signature ok
subject=C = ES, ST = Gipuzkoa, L = SS, O = CEIT, OU = DAIM, CN = ic2m2, emailAddress = sfigueroa@ceit.es
Getting CA Private Key
Enter pass phrase for rootCA.key:

Certificate verification:

openssl verify -CAfile rootCA.pem -verify_hostname api-orion api.crt

Expected output:
```
api.crt: OK
```

openssl verify -CAfile rootCA.pem -verify_hostname api-crate api.crt

Expected output:
```
api.crt: OK
```

Create a certs/ folder:

mkdir -p ~/FiwareDevModeForPositionSystem/nginx/certs/

Enable specific permission for certs/ folder`:

sudo chmod 775 -R ~/FiwareDevModeForPositionSystem/nginx/certs/

Copy api.crt into nginx cert folder:

sudo cp api.crt ~/FiwareDevModeForPositionSystem/nginx/certs/nginx-selfsigned.crt

Copy api.key into nginx cert folder:

sudo cp api.key ~/FiwareDevModeForPositionSystem/nginx/certs/nginx-selfsigned.key

Randomly generate dhparam.pem file:

cd ~/FiwareDevModeForPositionSystem/nginx/certs/

openssl dhparam -out dhparam.pem 2048

Expected output:

 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEA7m7a4+oHzaWEPzmMQ+4DpoprRQStXHZHlny/e8pYPa3PJTR1Iv7M
 u0k7P8ToDRKdJSQXBpSXBo+K34kePpaiLBd1e3PkCnuI+4RutZy2NXwZK2Uv6IAf
 ZzXVvjBFLtgDVEd05rvJNamTbRapMQmqmqf4gsDPeWgj9nobaE89mdlguwU78wyZ
 aB5R/8yGqWSlvogXX820kxw2oU4/qS7m37qXqV/82LmLZ0exuYtnTzvwtSaMqaVj
 3KP8Pvfk4XOsaopyEpQE3DzB/J8JglQfR/AfsgspV65BppFhcsoBSTLpHYesZQkS
 00TAJP0S0KdGcjFTnpH6BT108qgviedN2wIBAg==
 -----END DH PARAMETERS-----

Copy api.crt certificate to the ca-certificates folder:
```
cd ~/cert
```
```
sudo cp api.crt /usr/share/ca-certificates/
```
- Expected output:
Install certificates:
```
sudo dpkg-reconfigure ca-certificates
```
Update installed certificates:
```
sudo update-ca-certificates
```

Introduce the following changes in nginx.conf:

cd ~/FiwareDevModeForPositionSystem/nginx/

API-Crate

 # API-CRATE
 server {
 	listen 8080 http2 ssl;
 	server_name ic2m2;
 	ssl_certificate /certs/nginx-selfsigned.crt;
 	ssl_certificate_key /certs/nginx-selfsigned.key;
 	ssl_dhparam /certs/dhparam.pem;
 	...
 	...
 	...
 	location / {
    		proxy_pass http://api-crate:8080;
 		...
 		...
 		...
 	}

 }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Layers

Create a CA

Add security to APIs

FilesExpand file tree

AddSecurityLayer.md

Latest commit

History

AddSecurityLayer.md

File metadata and controls

Security Layers

Create a CA

Add security to APIs