... | ... | @@ -24,10 +24,10 @@ Server at first startup generates: |
|
|
|
|
|
Root CA keys and cert is used to sign certs for server and agents. Root CA cert is delivered to agents so they can recognize and accept connections from the server. Server cert is used by server to show its identity to agents.
|
|
|
|
|
|
When a new agent is being added to the server then an agent private key and agent certificate CSR
|
|
|
(Certificate Signing Request) are being generated on the agent machine.
|
|
|
When a new agent is being added to the server then an agent private key and agent certificate CSR
|
|
|
(Certificate Signing Request) are being generated on the agent machine.
|
|
|
Agent's CSR is sent to the server and is signed, and then agent's identity certificate is sent back to the agent.
|
|
|
Server stores agent's identity certificate to use them to authenticate agent
|
|
|
Server stores agent's identity certificate to use them to authenticate agent
|
|
|
during connecting to the agent. They are also delivered to agent so they can be used by the agent to present its identity. This way the server can recognize that the agent is well known and connection can be established.
|
|
|
|
|
|
## Encryption
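Review bot: the last paragraph of this hunk ("Server stores agent's identity certificate to use them to authenticate agent during connecting to the agent ... This way the server can recognize that the agent is well known") leaves open whether the server authenticates a connecting agent by chain validation against the root CA alone or by matching the presented certificate against the copy it stored at registration; since every certificate the root CA ever signed chains correctly, only the second option makes "well known" meaningful, so the text should say which check is performed (and note that a pinned copy is also what makes the "regenerating keys and certs due to compromise" TODO possible). Minor wording in the same hunk: "Root CA keys and cert is used" should be "are used", and "to use them to authenticate agent" should be "to use it to authenticate the agent".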
|
... | ... | @@ -39,7 +39,7 @@ Encryption is automatically established during preparing connection using gRPC w |
|
|
When a new agent is being added to the server then a private key and a CSR certificate is being generated for this agent on the machine with the agent. CSR needs to be delivered to the server.
|
|
|
|
|
|
The procedure looks as follows:
|
|
|
1. Administator logs into agent machine and downloads agent installation script and starts it: `curl https:/stork/agent-install.sh | sudo bash`. Downloaded script contains a URL address of the server.
|
|
|
1. Administrator logs into agent machine and downloads agent installation script and starts it: `curl https://stork/agent-install.sh | sudo bash`. Downloaded script contains a URL address of the server.
|
|
|
1. The script downloads proper deb or rpm package for current system and installs it.
|
|
|
1. The script invokes Stork agent in special mode to register local machine in Stork server using ReST API over secure HTTPS.
|
|
|
1. Agent register function prompts for server token for authentication against Stork server and agent address and port that are used for registration.
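Review bot: step 1 still bootstraps the agent with `curl https://stork/agent-install.sh | sudo bash`, and at that point the machine does not yet hold the root CA cert, so the only thing protecting the root-level script execution is the server's HTTPS identity as seen by the system trust store; the procedure should say how the administrator is expected to verify that identity (or download the script to a file and inspect it before running it as root), because the corrected URL scheme in this hunk fixes the typo but not the trust question. Two wording points in the same hunk: "a private key and a CSR certificate is being generated" should read "a private key and a CSR are generated" (a CSR is a request, not a certificate), and step 4 should state that the "server token" is the bootstrap secret that authorizes the registration so the reader knows it must be kept confidential.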
|
... | ... | @@ -58,10 +58,10 @@ sequenceDiagram |
|
|
Script->>Server: Download RPM/deb and install it [HTTPS]
|
|
|
Script->>Agent: Register machine
|
|
|
Note over Agent: Generate private key and CSR
|
|
|
Agent->>+Server: Register machine, send CSR
|
|
|
Agent->>+Server: Register machine, send CSR
|
|
|
Server-->>-Agent: Signed identity cert
|
|
|
Note over Agent: Store key and cert
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
## Registration Procedure from Agent Side
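Review bot: the sequence diagram shows "Agent->>+Server: Register machine, send CSR" followed by "Server-->>-Agent: Signed identity cert", but nothing in the diagram shows what authorizes the server to sign, whereas step 4 of the procedure above says the agent prompts for a server token for authentication against the Stork server; the message should carry that token (e.g. "Register machine, send CSR + server token") or a Note over Server should state that the CSR is signed only after the token is verified, otherwise the diagram reads as if any host that can reach the server gets an identity cert.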
|
... | ... | @@ -90,4 +90,4 @@ graph TD |
|
|
## TODO
|
|
|
|
|
|
- regenerating keys and certs due to compromise
|
|
|
- import / export root key and cert to / from database |
|
|
\ No newline at end of file |
|
|
- import / export root key and cert to / from database |
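Review bot: the TODO item "regenerating keys and certs due to compromise" should also list distributing the new root CA cert to every agent and invalidating the old agent certs, since the first hunk states that the root CA cert is delivered to agents so they accept the server and that the server keeps each agent's cert to authenticate it; without that, regenerating the root alone breaks all existing agent connections. The "import / export root key and cert to / from database" item should note that the export of the root private key needs the same protection as the database copy (encryption at rest and restricted file permissions). The only code change in this hunk is adding the missing trailing newline, which is fine.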