... | ... | @@ -23,10 +23,10 @@ Server at first startup generates: |
|
|
Server certificate is set to be able to sign other certificates. It will be used to sign agents' certificates.
|
|
|
Server certificate is delivered to agents so they can recognize and accept connections from the server.
|
|
|
|
|
|
When a new agent is being added to the server then an agent private key and agent certificate
|
|
|
are being generated on the agent machine. Agent certificate is sent to the server and is signed,
|
|
|
and then sent back to the agent.
|
|
|
Server stores agent's certificate to use them to authenticate agent
|
|
|
When a new agent is being added to the server then an agent private key and agent certificate CSR
|
|
|
(Certificate Signing Request) are being generated on the agent machine.
|
|
|
Agent's CSR is sent to the server and is signed, and then agent's identity certificate is sent back to the agent.
|
|
|
Server stores agent's identity certificate to use them to authenticate agent
|
|
|
during connecting to the agent. They are also delivered to agent so they can be used by the agent to present its identity. This way the server can recognize that the agent is well known and connection can be established.
|
|
|
|
|
|
## Encryption
|
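Review bot: the rewritten CSR paragraph ("When a new agent is being added ... agent private key and agent certificate CSR ... Agent's CSR is sent to the server and is signed") never says what the server validates before it signs, and that is the security-relevant part of the change. The subject (the address the server later uses to recognize the machine) now comes from a CSR the agent built itself, so state that the server compares the requested Common Name / Subject Alternative Name with the address it registered over the authenticated request and refuses to sign a CSR asking for any other name; otherwise a host holding the admin credentials could obtain a certificate for another agent's address. Two wording points in the same lines: "Server stores agent's identity certificate to use them to authenticate agent" and "They are also delivered to agent" refer to a single certificate, so "them"/"They" should be "it"; and "Server certificate is delivered to agents so they can recognize and accept connections from the server" would be clearer as: the server certificate (the one that signs agent certificates) is installed on the agent as its trust anchor, so the agent can verify the server's certificate in the mutual TLS handshake.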
... | ... | @@ -35,15 +35,15 @@ Encryption is automatically established during preparing connection using gRPC w |
|
|
|
|
|
## Agent Keys Delivery
|
|
|
|
|
|
When a new agent is being added to the server then a private key and a certificate is being generated for this agent on the machine with the agent. They need to be delivered to the server.
|
|
|
When a new agent is being added to the server then a private key and a CSR certificate is being generated for this agent on the machine with the agent. CSR needs to be delivered to the server.
|
|
|
|
|
|
The procedure looks as follows:
|
|
|
1. Administator logs into agent machine and downloads agent installation script and starts it: `curl https:/stork/agent-install.sh | sudo bash`. Downloaded script contains a URL address of the server.
|
|
|
1. The script prompts admin for authentication against Stork server.
|
|
|
1. The script downloads proper deb or rpm package for current system and install it.
|
|
|
1. The script invokes agent in special mode to register local machine in Stork server using ReST API over secure HTTPS and using credentials provided by admin.
|
|
|
1. The server generates a private key and a certificate for the machine and its address. The address is put in `Common Name` and in `Subject Alternative Name` in the certificate. The server recognizes the machine using this address in the certificate.
|
|
|
1. Agent (still in this special mode) fetches generated private key and certificate and stores them in `/etc/stork` for further usage using ReST request and exits.
|
|
|
1. The script prompts admin password for authentication against Stork server.
|
|
|
1. The script downloads proper deb or rpm package for current system and installs it.
|
|
|
1. The script invokes Stork agent in special mode to register local machine in Stork server using ReST API over secure HTTPS and using credentials provided by admin.
|
|
|
1. Stork agent generates a private key and a CSR certificate for the machine and its address. They are stored in `/etc/stork` for further usage. The address is put in `Common Name` and in `Subject Alternative Name` in the certificate. The server recognizes the machine using this address in the certificate.
|
|
|
1. Agent (still in this special mode) sends CSR for signing to Stork server and then fetches identity certificate prepared by the server and stores them in `/etc/stork` for further usage using ReST request and exits.
|
|
|
1. Administrator starts agent service (using systemctl enable and start).
|
|
|
1. From that moment gRPC connection from the server to the agent can be established. There are used mutual authentication and encryption.
|
|
|
|
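Review bot: the step "Stork agent generates a private key and a CSR certificate for the machine ... They are stored in `/etc/stork`" does not say how the private key is protected, and after this change the agent's identity is exactly as strong as that key; specify that it is written with owner-only permissions (mode 0600, owned by the user the agent runs as) and that only the CSR, never the key, leaves the machine. "CSR certificate" is a contradiction in terms (a CSR is a request, not a certificate), so use "CSR" in this step, in "a private key and a CSR certificate is being generated", and in the step that sends it for signing. In the first step, "Administator" is misspelled, the install URL `https:/stork/agent-install.sh` is missing a slash, and `curl https:/stork/agent-install.sh | sudo bash` runs whatever the server returns as root; the procedure should at least mention downloading the script and inspecting it before running it (`curl -o agent-install.sh ...`, then `sudo bash agent-install.sh`). The last step, "There are used mutual authentication and encryption", reads better as "The connection uses mutual TLS authentication and encryption."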
... | ... | @@ -57,8 +57,8 @@ sequenceDiagram |
|
|
Admin->>Script: Invoke the Script, prompt for credentials from Admin
|
|
|
Script->>Server: Download RPM/deb and install it [HTTPS]
|
|
|
Script->>Agent: Register machine
|
|
|
Agent->>+Server: Register machine, generate private key and certificate
|
|
|
Server-->>-Agent: Generated key and cert
|
|
|
Agent->>+Server: Register machine, CSR certificate
|
|
|
Server-->>-Agent: Signed identity cert
|
|
|
Note over Agent: Store key and cert
|
|
|
Note over Admin: Enable and start Agent service
|
|
|
|
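Review bot: "Note over Agent: Store key and cert" is now at the wrong point in the diagram for the CSR flow. The agent generates the private key before it sends "Register machine, CSR certificate", so the key is stored before that message and only the signed identity certificate is stored after "Signed identity cert"; split it into a "Generate key and CSR, store key" note before the request and "Store identity cert" after the reply. "CSR certificate" in the request label should be "CSR", and "Script->>Server: Download RPM/deb and install it [HTTPS]" would read more accurately as a request from the script with the package coming back in the server's reply, since the arrow direction currently suggests the script pushes something to the server.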
... | ... | |