Dogu authentication
The service cesappd provides certificates so that Dogus can communicate with cesappd in encrypted form.
Generation
The client and server certificates are generated during the CES setup. The script that does this is located at /usr/local/bin/ssl_cesappd_generate.sh in ces-commons.
It is also triggered when cesappd is installed, in the postinst script, if no certificates have been generated yet.
If the FQDN is changed, the certificate is regenerated.
Location
Private key: /etc/ces/cesappd/server.key
- The key can only be read by the user root
- Since the key is located under /etc/ces, it is saved by the backup mechanism
Server certificate: server.crt
- The server certificate is located in the etcd under /config/_global/certificate/cesappd/server.crt
Client certificate: ca.pem
- The client certificate is located in the etcd under /config/_global/certificate/cesappd/ca.pem
Usage
Client:
```go
// certFile is the CA certificate (ca.pem, see Location); the client uses it to verify the server.
creds, _ := credentials.NewClientTLSFromFile(certFile, "")
conn, _ := grpc.Dial("localhost:50051", grpc.WithTransportCredentials(creds))
// error handling omitted
client := pb.NewGreeterClient(conn)
// ...
```
Server:
```go
// certFile and keyFile are server.crt and server.key (see Location).
creds, _ := credentials.NewServerTLSFromFile(certFile, keyFile)
s := grpc.NewServer(grpc.Creds(creds))
lis, _ := net.Listen("tcp", "localhost:50051")
// error handling omitted
s.Serve(lis)
```
Generate service accounts
With the command cesappd service-account-create <dogu-name> you can create a service account. The output is printed to the console in the following format:
username: dogu-name_<8 random characters>
password: <16 random characters>