begun step-by-step guide for TLS protected syslog

1 files changed, 36 insertions, 50 deletions

diff --git a/doc/rsyslog_secure_tls.html b/doc/rsyslog_secure_tls.html
index 29f17585..16f6835a 100644
--- a/doc/rsyslog_secure_tls.html
+++ b/doc/rsyslog_secure_tls.html
@@ -2,10 +2,22 @@
 <html><head><title>TLS-protected syslog: recommended scenario</title>
 </head>
 <body>
+
 <h1>Encrypting Syslog Traffic with TLS (SSL)</h1>
 <p><small><i>Written by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer
-Gerhards</a> (2008-06-06)</i></small></p>
-<h2>Introduction</h2>
+Gerhards</a> (2008-06-17)</i></small></p>
+<ul>
+<li><a href="rsyslog_secure_tls.html">Overview</a>
+<li><a href="tls_cert_scenario.html">Sample Scenario</a>
+<li><a href="tls_cert_ca.html">Setting up the CA</a>
+<li><a href="tls_cert_machine.html">Generating Machine Certificates</a>
+<li><a href="tls_cert_server.html">Setting up the Central Server</a>
+<li><a href="tls_cert_client.html">Setting up syslog Clients</a>
+<li><a href="tls_cert_udp_relay.html">Setting up the UDP syslog relay</a>
+<li><a href="tls_cert_summary.html">Wrapping it all up</a>
+</ul>
+
+<h2>Overview</h2>
 <p>This document describes a secure way to set up rsyslog TLS. A secure logging
 environment requires more than just encrypting the transmission channel. This document
 provides one possible way to create such a secure system.
@@ -25,6 +37,19 @@ below. Do not blame us if it doesn't provide what you need ;)</p>
 </ul>
 <p>Our secrity goals are achived via public/private key security. As such, it is 
 vital that private keys are well protected and not accessible to third parties. 
+<span style="float: left">
+<script type="text/javascript"><!--
+google_ad_client = "pub-3204610807458280";
+/* rsyslog doc inline */
+google_ad_slot = "5958614527";
+google_ad_width = 125;
+google_ad_height = 125;
+//-->
+</script>
+<script type="text/javascript"
+src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
+</script>
+</span>
 I private keys have become known to third parties, the system does not provide 
 any security at all. Also, our solution bases on X.509 certificates and a (very 
 limited) chain of trust. We have one instance (the CA) that issues all machine 
@@ -71,52 +96,13 @@ does not protect against this (but it may help, properly used). Keep in mind
 that syslog-transport-tls provides hop-by-hop security. It does not provide 
 end-to-end security and it does not authenticate the message itself (just the 
 last sender).</p>
-<h3>Sample Szenario</h3>
-<p>&nbsp;We have a quite simple scenario. There is one central syslog server, 
-named central.example.net. These server is being reported to by two Linux 
-machines with name zuse.example.net and turing.example.net. Also, there is a 
-third client - ada.example.net - which send both its own messages to the central 
-server but also forwards messages receive from an UDP-only capable router. We 
-hav decided to use ada.example.net because it is in the same local network 
-segment as the router and so we enjoy TLS' security benefits for forwarding the 
-router messages inside the corporate network.</p>
-<h3>Setting up the CA</h3>
-<p>The first step is to set up a certificate authoroty (CA). It must be 
-maintained by a trustworthy person (or group) and approves the indentities of 
-all machines. It does so by issuing there certificates. In a small setup, the 
-administrator can provide the CA function. What is important is the the CA's 
-private key is well-protocted and machine certificates are only issued if it is 
-know they are valid (in a single-admin case that means the admin should not 
-issue certificates to anyone else except himself).</p>
-<p>The CA creates a so-called self-signed certificate. That is, it approves its 
-own authenticy. This sounds useless, but the key point to understand is that 
-every machine will be provided a copy of the CA's certificate. Accepting this 
-certificate is a matter of trust. So by configuring the CA certificate, the 
-administrator tells rsyslog which certificates to trust. This is the root of all 
-trust under this model. That is why the CA's private key is so important - 
-everyone getting hold of it is trusted by our rsyslog instances.</p>
-<p>In our example, we will use the name "example.net" for our network. You may
-use any domain name of your liking.
-<p>To create a self-signed certificate, use the following commands with GnuTLS (which 
-is currently the only supported TLS library, what may change in the future): </p>
-<ol>
-<li>generate the private key:
-<pre>certtool --generate-privkey --outfile ca-key.pem</pre>
-<br>
-This takes a short while. Be sure to do some work on your workstation,
-it waits for radom input. Switching between windows is sufficient ;)
-</li>
-<li>now create the (self-signed) CA certificate itself:<br>
-<pre>certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem</pre>
-This generates the CA certificate. This command queries you for a
-number of things. Use appropriate responses. When it comes to
-certificate validity, keep in mind that you need to recreate all
-certificates when this one expires. So it may be a good idea to use a
-long period, eg. 3650 days (roughly 10 years). You need to specify that
-the certificates belongs to an authority. The certificate is used to
-sign other certificates.<br>
-</li>
-</ol>
+<h3>A very quick Intro</h3>
+<p>If you'd like to get all information very rapidly, the graphic below contains
+everything you need to know (from the certificate perspective) in a very condensed
+manner. It is no surprise if the graphic puzzles you. In this case, <a href="tls_cert_scenario.html">simply read on</a>
+for full instructions.
+<p>
+<img align="center" alt="TLS/SSL protected syslog" src="tls_cert.jpg">
 <h3>Feedback requested</h3>
 <p>I would appreciate feedback on this tutorial. If you have
 additional ideas, comments or find bugs (I *do* bugs - no way... ;)),
@@ -124,8 +110,8 @@ please
 <a href="mailto:rgerhards@adiscon.com">let me know</a>.</p>
 <h2>Revision History</h2>
 <ul>
-<li>2008-06-06 * <a href="http://www.gerhards.net/rainer">Rainer
-Gerhards</a> * Initial Version created</li>
+<li>2008-06-06 * <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> * Initial Version created</li>
+<li>2008-06-18 * <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> * Greatly enhanced and modularized the doc</li>
 </ul>
 <h2>Copyright</h2>
 <p>Copyright (c) 2008 <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer