Install & config VM controller
The role of the VM Controller is to manage the VM on behalf of the student. tiCrypt uses digitally signed VM Controller configuration files and executables to ensure the integrity of the code and passed parameters.
All commands must be executed as root on the installation machine.
Configuring Nginx
The VM controller is delivered through Nginx to the running VMs.
An example of the /etc/nginx/conf.d/vmc.ticrypt.conf configuration file is:
server {
    listen 80;
    server_name vmc.ticrypt;
    root /var/www/ticrypt-vmc;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://code.getmdl.io; frame-ancestors 'self' http://127.0.0.1:*";
}
The connection is only served to the VMs, and the VM Stub checks the digital signature on all the files. There is no need to use an SSL/TLS connection.
Since the Nginx configuration has changed, tell Nginx to apply the changes:
systemctl reload nginx
Installing the software
Since different operating systems are supported for the VMs, code for each specific operating system needs to be installed.
Now we create the directory /var/www/ticrypt-vmc and unpack the files:
mkdir -p /var/www/ticrypt-vmc/
wget {ctrl-url}{win-ver}/tiCryptVM_Win64_{win-ver}.tar.gz
wget {ctrl-url}{lin-ver}/tiCryptVM-el7_cs2-{lin-ver}.tar.gz
tar -C /var/www/ticrypt-vmc/ -xaf tiCryptVM-el7_cs2-{lin-ver}.tar.gz
tar -C /var/www/ticrypt-vmc/ -xaf tiCryptVM_Win64_{win-ver}.tar.gz
rm tiCryptVM-el7_cs2-{lin-ver}.tar.gz tiCryptVM_Win64_{win-ver}.tar.gz
# Tell SELinux about the files so Nginx can serve them
restorecon -R /var/www/ticrypt-vmc/
Configuration files config.toml and config.toml.sig
An example configuration file config.toml is:
# The host
host = "ticrypt.example.com"
# The address range for the VMs
network = "172.24.0.0/16"
# Sets the cost of the key derivation function used when deriving the shared
# keys for the secure communication channel with clients.
pbkdf2Iterations = 100000
- The host parameter must be identical to the hostname in the TLS/SSL certificate.
- The network parameter must cover the range used by the realm configuration.
- The VM Stub will refuse to work without signed configuration files.
To get the configuration file config.toml signed, contact Tera Insights; you will receive the corresponding file config.toml.sig.
Once you get your configuration file and the signature, copy them into the directory /var/www/ticrypt-vmc.