summaryrefslogtreecommitdiffstats
path: root/doc/rsyslog_secure_tls.html
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rsyslog_secure_tls.html')
-rw-r--r--doc/rsyslog_secure_tls.html86
1 files changed, 36 insertions, 50 deletions
diff --git a/doc/rsyslog_secure_tls.html b/doc/rsyslog_secure_tls.html
index 29f17585..16f6835a 100644
--- a/doc/rsyslog_secure_tls.html
+++ b/doc/rsyslog_secure_tls.html
@@ -2,10 +2,22 @@
<html><head><title>TLS-protected syslog: recommended scenario</title>
</head>
<body>
+
<h1>Encrypting Syslog Traffic with TLS (SSL)</h1>
<p><small><i>Written by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer
-Gerhards</a> (2008-06-06)</i></small></p>
-<h2>Introduction</h2>
+Gerhards</a> (2008-06-17)</i></small></p>
+<ul>
+<li><a href="rsyslog_secure_tls.html">Overview</a>
+<li><a href="tls_cert_scenario.html">Sample Scenario</a>
+<li><a href="tls_cert_ca.html">Setting up the CA</a>
+<li><a href="tls_cert_machine.html">Generating Machine Certificates</a>
+<li><a href="tls_cert_server.html">Setting up the Central Server</a>
+<li><a href="tls_cert_client.html">Setting up syslog Clients</a>
+<li><a href="tls_cert_udp_relay.html">Setting up the UDP syslog relay</a>
+<li><a href="tls_cert_summary.html">Wrapping it all up</a>
+</ul>
+
+<h2>Overview</h2>
<p>This document describes a secure way to set up rsyslog TLS. A secure logging
environment requires more than just encrypting the transmission channel. This document
provides one possible way to create such a secure system.
@@ -25,6 +37,19 @@ below. Do not blame us if it doesn't provide what you need ;)</p>
</ul>
<p>Our secrity goals are achived via public/private key security. As such, it is
vital that private keys are well protected and not accessible to third parties.
+<span style="float: left">
+<script type="text/javascript"><!--
+google_ad_client = "pub-3204610807458280";
+/* rsyslog doc inline */
+google_ad_slot = "5958614527";
+google_ad_width = 125;
+google_ad_height = 125;
+//-->
+</script>
+<script type="text/javascript"
+src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
+</script>
+</span>
I private keys have become known to third parties, the system does not provide
any security at all. Also, our solution bases on X.509 certificates and a (very
limited) chain of trust. We have one instance (the CA) that issues all machine
@@ -71,52 +96,13 @@ does not protect against this (but it may help, properly used). Keep in mind
that syslog-transport-tls provides hop-by-hop security. It does not provide
end-to-end security and it does not authenticate the message itself (just the
last sender).</p>
-<h3>Sample Szenario</h3>
-<p>&nbsp;We have a quite simple scenario. There is one central syslog server,
-named central.example.net. These server is being reported to by two Linux
-machines with name zuse.example.net and turing.example.net. Also, there is a
-third client - ada.example.net - which send both its own messages to the central
-server but also forwards messages receive from an UDP-only capable router. We
-hav decided to use ada.example.net because it is in the same local network
-segment as the router and so we enjoy TLS' security benefits for forwarding the
-router messages inside the corporate network.</p>
-<h3>Setting up the CA</h3>
-<p>The first step is to set up a certificate authoroty (CA). It must be
-maintained by a trustworthy person (or group) and approves the indentities of
-all machines. It does so by issuing there certificates. In a small setup, the
-administrator can provide the CA function. What is important is the the CA's
-private key is well-protocted and machine certificates are only issued if it is
-know they are valid (in a single-admin case that means the admin should not
-issue certificates to anyone else except himself).</p>
-<p>The CA creates a so-called self-signed certificate. That is, it approves its
-own authenticy. This sounds useless, but the key point to understand is that
-every machine will be provided a copy of the CA's certificate. Accepting this
-certificate is a matter of trust. So by configuring the CA certificate, the
-administrator tells rsyslog which certificates to trust. This is the root of all
-trust under this model. That is why the CA's private key is so important -
-everyone getting hold of it is trusted by our rsyslog instances.</p>
-<p>In our example, we will use the name "example.net" for our network. You may
-use any domain name of your liking.
-<p>To create a self-signed certificate, use the following commands with GnuTLS (which
-is currently the only supported TLS library, what may change in the future): </p>
-<ol>
-<li>generate the private key:
-<pre>certtool --generate-privkey --outfile ca-key.pem</pre>
-<br>
-This takes a short while. Be sure to do some work on your workstation,
-it waits for radom input. Switching between windows is sufficient ;)
-</li>
-<li>now create the (self-signed) CA certificate itself:<br>
-<pre>certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem</pre>
-This generates the CA certificate. This command queries you for a
-number of things. Use appropriate responses. When it comes to
-certificate validity, keep in mind that you need to recreate all
-certificates when this one expires. So it may be a good idea to use a
-long period, eg. 3650 days (roughly 10 years). You need to specify that
-the certificates belongs to an authority. The certificate is used to
-sign other certificates.<br>
-</li>
-</ol>
+<h3>A very quick Intro</h3>
+<p>If you'd like to get all information very rapidly, the graphic below contains
+everything you need to know (from the certificate perspective) in a very condensed
+manner. It is no surprise if the graphic puzzles you. In this case, <a href="tls_cert_scenario.html">simply read on</a>
+for full instructions.
+<p>
+<img align="center" alt="TLS/SSL protected syslog" src="tls_cert.jpg">
<h3>Feedback requested</h3>
<p>I would appreciate feedback on this tutorial. If you have
additional ideas, comments or find bugs (I *do* bugs - no way... ;)),
@@ -124,8 +110,8 @@ please
<a href="mailto:rgerhards@adiscon.com">let me know</a>.</p>
<h2>Revision History</h2>
<ul>
-<li>2008-06-06 * <a href="http://www.gerhards.net/rainer">Rainer
-Gerhards</a> * Initial Version created</li>
+<li>2008-06-06 * <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> * Initial Version created</li>
+<li>2008-06-18 * <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> * Greatly enhanced and modularized the doc</li>
</ul>
<h2>Copyright</h2>
<p>Copyright (c) 2008 <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer