How to enable TLS connection between two Wavefront Proxies

This article applies to:

  •  Data Ingestion
  •  Product edition: Proxy Current Release
  •  Feature Category: Proxy

Overview:

This article outlines how to establish secured communication between two Wavefront proxies using self-signed certificates. The topology for the connection between the various endpoints is shown below; where the host or infrastructure is the metric emitting system, Wavefront proxy (A) is the first proxy in the chain receiving metrics from the host system and Wavefront Proxy (B) is the relaying proxy that collects data from proxy A over a TLS channel and relays that to the Tanzu Observability by Wavefront Service endpoint.

mceclip0.png

Prerequisites:

  • OpenSSL tool 
  • OpenJDK (This article was tested with OpenJDK 11)
  • Required OS level permissions to update Wavefront Proxy configurations and service restarts
  • Working Unsecured proxy chaining setup
  • Existing CA (Certificate Authority) certificate. 

 

Procedure:

Generate required PKI artifacts:

This section describes the TLS keys and certificates needed for this setup and how to generate them. 

Generate private key:

$ openssl genrsa -out private_key.pem 2048

Where "private_key.pem" is the name of the generated private key

Generate certificate signing request:

Create a certificate configuration file, like the cert.cnf example below:  

cert.cnf

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = <replace this with your country code>
countryName_default = US
stateOrProvinceName = <replace this with your state code>
stateOrProvinceName_default = TX
localityName = <replace this with your city name>
localityName_default = Plano
organizationName = <replace this with your org name>
organizationName_default = Abc Inc
commonName = <replace this with your wavefront-proxy hostname or IP>
commonName_max = 64
commonName_default = localhost

The certificate signing request file can be created using above config file:

$ openssl req -new -key private_key.pem -out cert.csr -config cert.cnf


Where,

"private_key.pem" is the generated private key in above step

"cert.cnf" is the certificate signing request configuration file as described above

Generate certificate

In order to generate the certificate you must use an existing root CA certificate and key. The command to run would take the form of: 

$openssl x509 -req -in cert.csr -out cert.pem -CA myCA.pem -CAkey myCA.key -CAcreateserial -days 365

Where,

"cert.csr" is the certificate signing request that is created above

"cert.pem" is the output certificate file resulting from this command

"myCA.pem" is an existing root CA certificate used to generate a new certificate

"myCA.key" is the key to the existing root CA

This command will generate required certificate for the relaying proxy instance (B).

Convert the private key in PKCS#8 format

The Wavefront proxy only understands the private key in PKCS#8 format. Hence, the private key generated above needs to be converted into PKCS#8 format using below command.

This command creates a new copy of the existing private key.

$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private_key.pem -out private_key_pkcs8.pem

Where,

"private_key.pem" is the generated private key in above step

"private_key_pkcs8.pem" is the new private key in PKCS#8 format

 

Configure relaying Wavefront Proxy (B) instance to accept TLS connections

Move the key and certificate files and change file permission

Locate the Wavefront_config_path as per your host OS.  

Copy the files "private_key_pkcs8.pem" and "cert.pem" generated above into the <wavefront_config_path> directory. 

Assign required file permissions on the host where the relaying proxy (B) is deployed (include appropriate directory), for example:

$ chmod 644 <wavefront_config_path>/private_key_pkcs8.pem

$ chmod 644 <wavefront_config_path>/cert.pem

Change Wavefront Proxy configuration

Update below listed properties for the relaying proxy instance in the wavefront.conf file located at <wavefront_config_path>.

File: wavefront.conf

pushListenerPorts=2878,4443

pushRelayListenerPorts=2978,4443

tlsPorts=4443

privateCertPath=<wavefront_config_path>/cert.pem

privateKeyPath=<wavefront_config_path>/private_key_pkcs8.pem

Where,

"<wavefront_config_path>" should be replaced with actual path.

"2878" and "2978" should be replaced with the pre-existing values if different from this.

Restart the wavefront proxy service.

Configure client Wavefront Proxy (A) instance to use TLS connection to relaying Wavefront Proxy (B)

Change Wavefront Proxy configuration

Update below listed property for the client proxy instance in the wavefront.conf file located at <wavefront_config_path> based on the host configuration listed here.

File: wavefront.conf

server=https://<wavefront-proxy-B-host-or-ip>:4443/api/

Where, "wavefront-proxy-B-host-or-ip" should be the same as of the "commonName" property value used in the "cert.cnf" file while creating the certificate signing request in previous step.

Import the root CA in the trusted certificate list

sudo keytool -import -alias wavefront_root_ca -file myCA.pem -keystore /usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home/cacerts$ 

Where,

"wavefront_root_ca" is an arbitrary name of the CA cert for the reference in the cacerts store

"myCA.pem" is the root CA used to generate relaying Wavefront Proxy (B) certificate in above steps. This certificate file should be present where this command is executed, or should have its path prefixed.

"/usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home" is the value of $JAVA_HOME on the client Wavefront Proxy (B) host. 

This command will prompt for the password of the cacerts file referred here. Unless it is changed, the default password should be "changeit".

Supply the cacert to Wavefront Proxy JRE command 

Now the startup file in /etc/init.d/wavefront-proxy would need the the reference to location of cacert added so it can be loaded at startup (Djavax.net.ssl.trustStore).

Backup /etc/init.d/wavefront-proxy file. Then add valid path to cacert supplied under the jsvc_exec() method in the form of :

 -Djavax.net.ssl.trustStore= /usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home 

Where /usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home is $JAVA_HOME on the client Wavefront Proxy (B) machine. See below for example:

jsvc_exec()
{
if [[ ! $1 == "-stop" ]]; then
: > $daemon_log_file
: > $err_file
fi

cd "$(dirname "$proxy_jar")"

set +e
# We want word splitting below, as we're building up a command line.
# shellcheck disable=SC2086
$jsvc \
-user $user \
-home $JAVA_HOME \
-cp $proxy_jar \
$java_args \
-Xss2049k \
-XX:OnOutOfMemoryError="kill -1 %p" \
-Dlog4j.configurationFile=$config_dir/log4j2.xml \
-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager \
-errfile $err_file \
-Djavax.net.ssl.trustStore=/usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home \
-pidfile $pid_file \
-wait 20 \
-debug \
$1 \
$class \
$app_args &> $daemon_log_file
if [[ $? -ne 0 ]]; then
echo "There was a problem, see $err_file and $daemon_log_file" >&2
fi

Restart Wavefront proxy B service and verify there are no startup or connection errors in relevant logs, for example:

/var/log/wavefront/wavefront.log

See also:

Advanced Proxy Configuration.
How to Chain Proxies in Tanzu Observability by Wavefront.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk