Appendix-A

ONES TLS Certificate

TLS certificates have been added to the architecture for authentication. The mode of communication in the ONES architecture is as follows.

TLS authentication has been added to the data collection points from the agent. This means that the gateway and collector connection pipes with the agent are authenticated using TLS certificates. This page explains the method used to generate the certificates. For our lab testing, self-signed certificates are used. openssl needs to be installed to run the script.

Generating TLS Certificates

The following script will generate the necessary certificates.

  1. Generate CA's private key and self-signed certificate

openssl req -x509 -newkey rsa:4096 -days 3650 -nodes -keyout ca-key.pem -out ca-cert.pem -subj "/C=IN/ST=Telengana/L=Hyderabad/O=Aviz Networks/OU=Engineering/CN=sonic/emailAddress=sutharsan@aviznetworks.com"
openssl x509 -in ca-cert.pem -noout -text
Logs
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            73:76:90:66:22:24:22:b9:62:9b:f7:d5:00:37:18:30:77:a2:93:f4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Telengana, L = Hyderabad, O = Aviz Networks, OU = Engineering, CN = sonic, emailAddress = kasinath@aviznetworks.com
        Validity
            Not Before: Apr 13 05:44:50 2023 GMT
            Not After : Apr 10 05:44:50 2033 GMT
        Subject: C = IN, ST = Telengana, L = Hyderabad, O = Aviz Networks, OU = Engineering, CN = sonic, emailAddress = kasinath@aviznetworks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F2:55:BF:F9:8D:0C:CF:91:21:A6:8B:29:13:A5:51:65:78:F4:F8:C0
            X509v3 Authority Key Identifier:
                F2:55:BF:F9:8D:0C:CF:91:21:A6:8B:29:13:A5:51:65:78:F4:F8:C0
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
  2. Generate web server's private key and certificate signing request (CSR)

openssl req -newkey rsa:4096 -nodes -keyout server-key.pem -out server-req.pem -subj "/C=IN/ST=Telengana/L=Hyderabad/O=Aviz Networks/OU=Engineering/CN=sonic/emailAddress=sutharsan@aviznetworks.com"
# Remember that when we develop on localhost, it's important to add IP:0.0.0.0 as a Subject Alternative Name (SAN) extension to the certificate.
# Option 1: a single-line SAN
#echo "subjectAltName=DNS:*.tls,DNS:localhost,IP:0.0.0.0" > server-ext.cnf
# Option 2: localhost DNS only, together with the grpc.ssl_target_name_override variable on the client
#echo "subjectAltName=DNS:localhost" > server-ext.cnf
# Option 3: an alt_names section listing the agent IP addresses (the form used by the server-ext.cnf explained below).
# Only the first echo may use >; the following lines must append with >>, otherwise each line overwrites the previous one.
echo "subjectAltName=@alt_names" > server-ext.cnf
echo "[alt_names]" >> server-ext.cnf
echo "IP.1 = 10.4.4.61" >> server-ext.cnf
  3. Use CA's private key to sign web server's CSR and get back the signed certificate

openssl x509 -req -in server-req.pem -days 60 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile server-ext.cnf
#echo "Server's signed certificate"
openssl x509 -in server-cert.pem -noout -text
Logs
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3f:97:19:5c:4c:de:78:1a:b3:db:e8:a5:74:84:84:af:55:2f:8a:65
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Telengana, L = Hyderabad, O = Aviz Networks, OU = Engineering, CN = sonic, emailAddress = kasinath@aviznetworks.com
        Validity
            Not Before: Apr 13 05:48:33 2023 GMT
            Not After : Jun 12 05:48:33 2023 GMT
        Subject: C = IN, ST = Telengana, L = Hyderabad, O = Aviz Networks, OU = Engineering, CN = sonic, emailAddress = kasinath@aviznetworks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                65:2B:22:23:96:37:66:5A:25:36:50:7E:76:C9:DF:8C:7C:CC:DC:87
            X509v3 Authority Key Identifier:
                keyid:F2:55:BF:F9:8D:0C:CF:91:21:A6:8B:29:13:A5:51:65:78:F4:F8:C0
                DirName:/C=IN/ST=Telengana/L=Hyderabad/O=Aviz Networks/OU=Engineering/CN=sonic/emailAddress=kasinath@aviznetworks.com
                serial:73:76:90:66:22:24:22:B9:62:9B:F7:D5:00:37:18:30:77:A2:93:F4
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                IP Address:10.4.4.60, IP Address:10.4.4.61, IP Address:10.4.4.62
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
  4. Generate client's private key and certificate signing request (CSR)

openssl req -newkey rsa:4096 -nodes -keyout client-key.pem -out client-req.pem -subj "/C=IN/ST=Telengana/L=Hyderabad/O=Aviz Networks/OU=Engineering/CN=gateway/emailAddress=sutharsan@aviznetworks.com"
# Remember that when we develop on localhost, it's important to add IP:0.0.0.0 as a Subject Alternative Name (SAN) extension to the certificate.
# Option 1: a single-line SAN
#echo "subjectAltName=DNS:*.client.com,IP:0.0.0.0" > client-ext.cnf
# Option 2: an alt_names section. These lines must write to client-ext.cnf (not server-ext.cnf, which would overwrite the server's extension file) and append with >>.
echo "subjectAltName=@alt_names" > client-ext.cnf
echo "[alt_names]" >> client-ext.cnf
echo "DNS.1 = localhost" >> client-ext.cnf
  5. Use CA's private key to sign client's CSR and get back the signed certificate

openssl x509 -req -in client-req.pem -days 60 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile client-ext.cnf

echo "Client's signed certificate"
openssl x509 -in client-cert.pem -noout -text
Logs
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            68:80:f4:e2:67:72:e6:85:f2:35:45:35:37:6a:5b:10:48:80:bf:a9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Telengana, L = Hyderabad, O = Aviz Networks, OU = Engineering, CN = sonic, emailAddress = kasinath@aviznetworks.com
        Validity
            Not Before: Apr 13 05:51:46 2023 GMT
            Not After : Jun 12 05:51:46 2023 GMT
        Subject: C = IN, ST = Telengana, L = Hyderabad, O = Aviz Networks, OU = Engineering, CN = gateway, emailAddress = kasinath@aviznetworks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

Most of the commands are self-explanatory. Note that two extension files are used when generating the server and client certificates. server-ext.cnf is explained first:

basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.4.4.60
IP.2 = 10.4.4.61

The main feature to note is the alt_names section. In the ONES architecture the collector follows a one-to-many communication model, and the agents act as the server in that model, so alt_names must list the IP address of every agent the collector needs to communicate with. With n agents, all n IP addresses need to be populated here; an agent whose address is absent from the SAN list fails certificate validation.
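The one-to-many SAN requirement above, as an added example that is not part of the ONES page: a POSIX shell script that generates a server-ext.cnf for n agent IPs, reports agent IPs missing from a signed certificate's SAN, and verifies the certificate against ca-cert.pem. The file names are the page's; the function names and the openssl x509 -ext option (OpenSSL 1.1.1 or newer) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the ONES page: build server-ext.cnf for n agents and
# check that a signed server certificate chains to ca-cert.pem and lists every
# agent IP in its SAN. ca-cert.pem / server-cert.pem are the page's file names;
# function names and the 'openssl x509 -ext' option (OpenSSL 1.1.1+) are assumed.

# gen_server_ext IP... : print a server-ext.cnf with one IP.n entry per agent.
# Extension list mirrors the server-ext.cnf explained on this page.
gen_server_ext() {
    echo "basicConstraints = CA:FALSE"
    echo "subjectKeyIdentifier = hash"
    echo "authorityKeyIdentifier = keyid,issuer:always"
    echo "keyUsage = critical, digitalSignature, keyEncipherment"
    echo "extendedKeyUsage = serverAuth"
    echo "subjectAltName = @alt_names"
    echo "[alt_names]"
    n=1
    for ip in "$@"; do
        echo "IP.$n = $ip"
        n=$((n + 1))
    done
}

# san_missing "SAN line" IP... : print the IPs absent from a SAN line in the
# format shown by 'openssl x509 -text' ("IP Address:a, IP Address:b, ...").
san_missing() {
    san=", $(printf '%s' "$1" | sed 's/^[[:space:]]*//'),"
    shift
    for ip in "$@"; do
        case "$san" in
            *", IP Address:$ip,"*) ;;      # present
            *) printf '%s\n' "$ip" ;;      # missing: TLS validation from this agent fails
        esac
    done
}

# cert_san_line CERT : SAN value line of a PEM certificate (empty when it has none).
cert_san_line() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | sed -n '2p'
}

# check_agents CA CERT IP... : 0 only if CERT chains to CA and covers every agent IP.
check_agents() {
    ca=$1; cert=$2; shift 2
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert does not verify against $ca (wrong CA, expired or not yet valid)"
        return 1
    fi
    missing=$(san_missing "$(cert_san_line "$cert")" "$@")
    if [ -n "$missing" ]; then
        echo "$cert is missing these agent IPs in its SAN:"
        printf '  %s\n' $missing
        return 1
    fi
    echo "$cert verifies against $ca and covers all $# agent IPs"
}

# Usage: gen_server_ext 10.4.4.60 10.4.4.61 > server-ext.cnf, sign as on this page,
# then: sh check_agents.sh 10.4.4.60 10.4.4.61   (next to ca-cert.pem, server-cert.pem)
if [ "$#" -gt 0 ] && [ -f server-cert.pem ]; then
    check_agents ca-cert.pem server-cert.pem "$@"
fi
```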

client-ext.cnf is shown next. Note that its entries sit under a [client] section header, and openssl x509 -req only applies a named section when -extensions client is passed on the signing command line. Without that option, as in the signing command above, OpenSSL finds no extensions in the default section and issues the certificate with none, which is why the client certificate log above shows Version 1 (0x0) and no X509v3 extensions.

[client]
basicConstraints = CA:FALSE
nsCertType = client
nsComment = "Local Test Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

This generates the output files, of which the following are used by the agent and the collector:

  1. client-cert.pem

  2. client-key.pem

  3. ca-cert.pem

  4. server-cert.pem

  5. server-key.pem

server-key.pem, server-cert.pem and ca-cert.pem need to be placed on the agent. Similarly, client-cert.pem, client-key.pem and ca-cert.pem are used on the client side. For example, gnmic can be used with these certificates to validate the setup:

GNMIC with Certificates

gnmic -a 10.4.4.61:50052 -u admin -p admin --tls-cert client-cert.pem --tls-key client-key.pem --tls-ca ca-cert.pem capabilities
gNMI version: 1.2.1
supported models:
  - openconfig-bgp, OpenConfig working group, 6.1.1
  - openconfig-if-ethernet,, OpenConfig working group, 2.12.0
  - openconfig-lldp, OpenConfig working group, 0.2.1
  - openconfig-platform-fan, OpenConfig working group, 0.1.1
  - openconfig-platform-psu, OpenConfig working group, 0.2.1
  - openconfig-platform-transceiver, OpenConfig working group, 0.8.0
  - system/processes, Aviz Networks Inc, 0.1.0
supported encodings:
  - PROTO

It can also be verified that, without the certificates, access does not work:

gnmic -a 10.4.4.61:50052 -u admin -p admin --skip-verify capabilities
target "10.4.4.61:50052", capabilities request failed: failed to create a gRPC client for target "10.4.4.61:50052" : 10.4.4.61:50052: context deadline exceeded
Error: one or more requests failed

Verifying Certificates

It is also useful to simulate failures and validate them. For that, the certificates can be verified locally, using the following command.

Verify the certificate against the signing authority