Proposed documentation: HawkBit under SSL/TLS using private CA / sub CA

[epoch1970]

Re: #618 et al., here is a recipe that seems to work for me. HTH.

Config for HawkBit under SSL/TLS using private CA / sub CA HawkBit (HawkBit 0.2.0-SNAPSHOT) + swupdate (v2018.03)

Purpose: Use HTTPS on a HawkBit server to avoid server spoofing. Anonymous client connections are authorized.

Recipe: A. On the PKI:

• Create a pkcs#12 (.p12) file, rolling server cert/key, private CA, sub CA certs into a single file.
• Use a password on the server key you won't be ashamed of.
• Also create a single .pem file for the private CA + sub-CA

B. On the HawkBit host:

• HawkBit uses the Java KeyStore to access credentials, but a JKS is not designed apparently to hold CA certs, which is a problem for private CAs. The workaround is to make it gulp an entire pkcs#12 file.
• It looks like a JKS like this cannot have a password different from the one protecting the .p12. Keytool also seems to have a little tendency to destruct the .jks if you change your mind and want to change the password... Basically do everything you need with openssl and use only keytool for generating the .jks file.

The following command imports a .p12 into a "pkcs12 Java keystore", keeping the same password:

keytool -importkeystore -srckeystore hb-pass.p12 -srcstoretype pkcs12 \
        -destkeystore hb-pass.jks -deststoretype pkcs12 \
        -alias 1 -deststorepass <password_of_p12>

Then you need to adapt application.properties of the HawkBit server to make use of the key. There are extra requirements to make HawkBit send well-formed artifacts to an swupdate client via HTTPS.

This is the relevant part of <HawkBit dir>/hawkbit-runtime/hawkbit-update-server/src/main/resources/application.properties:

# HTTPS mode working w/ swupdate
# See also https://docs.spring.io/spring-boot/docs/1.4.7.RELEASE/reference/html/howto-embedded-servlet-containers.html#howto-configure-ssl
#          https://github.com/eclipse/hawkbit/issues/618
#
# Need to run as root to use port 443
server.hostname=hb.domain
server.port=8443
#
# Overriding some of hawkbit-artifactdl-defaults.properties is required
hawkbit.artifact.url.protocols.download-http.protocol=https
hawkbit.artifact.url.protocols.download-http.port=8443
#
# Upgrades http:8443 to https:8443  
# Would redirect + upgrade http:80 to https:443
security.require-ssl=true
server.use-forward-headers=true
#
# Server cert+key w/ private CA + subCA
# See also https://stackoverflow.com/questions/906402/how-to-import-an-existing-x509-certificate-and-private-key-in-java-keystore-to-u
#          http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html (2008, still relevant!?)
#
# File .jks is a .p12 imported via keytool. Only one password supported, set from openssl.
server.ssl.key-store=hb-pass.jks
server.ssl.key-password=password
server.ssl.key-store-password=password-yes_the_same_one
...

C. On the swupdate client host(s):

• The client needs the private CA certificates to authenticate the server.
• There is a setting in swupdate to specify the path to a single CA cert, not a directory. Beyond that libcurl looks into /etc/ssl/certs. So we're using a compound "CA chain" .pem file to hold both private CA and sub-CA in our preferred location.

This is the relevant part of /etc/swupdate/swupdate.conf:

...
suricatta :
{
 tenant = "default";
 id = "machineID";
 confirm = 0;
 url = "https://hb.domain:8443";
 nocheckcert = false;
 cafile = "/etc/swupdate/priv-cachain.pem"; /* CA + sub CA in one file */
/* sslkey = anon client: do not set; */
/* sslcert = anon client: do not set; */
...

[schabdo]

@epoch1970 thanks for providing a step by step manual for your SSL/TLS configuration

[huynguyennovem]

@epoch1970 : Have you tried to upgrade specific TLS version for Hawkbit? I have tried to upgrade to TLSv1.3 but it does not work as well, it's still in TLSv1.2:

server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3

Result is here:

[epoch1970]

@epoch1970 : Have you tried to upgrade specific TLS version for Hawkbit? I have tried to upgrade to TLSv1.3 but it does not work as well, it's still in TLSv1.2:

I have not. In fact I use nginx as SSL forwarding proxy these days, not built-in SSL support.

[huynguyennovem]

I think the problems from Java version. Currently, Hawkbit is supported in Java 8, while TLSv1.3 is supported from Java 11. https://en.wikipedia.org/wiki/Java_version_history I have tried to upgrade Java to 11 and re-install hawkbit, it failed. Please refer issue #839 for more details.

[strailov]

This discussion seems to be obsolete. The configuration is on spring level, so no need to be added in hawkbit documentation.