
Installation and setup

Pre-requisites

Our recommended setup uses:

  • CentOS/RedHat 7.0 for the operating system
  • Nginx as the webserver in front of tiCrypt
  • firewalld as the firewall software
  • openssl
Info: All the commands in this section must be executed as root.

If Nginx is not installed, you can install it from the EPEL repository:

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install epel-release-latest-7.noarch.rpm
yum -y update
yum -y install nginx

then make sure it is enabled and started:

systemctl start nginx
systemctl enable nginx

We now need to set up the firewall to allow Nginx access from outside. If firewalld is not installed, install it and make sure it is both enabled and running (the firewall-cmd commands used later fail if the daemon is not running):

yum -y install firewalld
systemctl enable firewalld
systemctl start firewalld

Make sure openssl is installed as well (it is used later to generate the DH parameters for the Nginx configuration):

yum -y install openssl

Installing tiCrypt from RPMs

The tiCrypt backend is made available in the form of RPMs for CentOS/RedHat 7.0. The latest version is available as a .tgz archive from the tiCrypt bucket on Google Cloud Storage (storage.googleapis.com/ticrypt).

The first step is to download and install these RPMs. In the commands below, {tc-ver} stands for the tiCrypt version being installed.

Grab the archive

wget https://storage.googleapis.com/ticrypt/ticrypt-backend/ticrypt-{tc-ver}-1.tgz

Unpack the archive

tar -xzvf ticrypt-{tc-ver}-1.tgz

Install the RPMs

cd ticrypt-{tc-ver}-1
yum -y install *.rpm

Since tiCrypt has 10 services, dealing with them one by one using systemctl is tedious. A small script that performs the same service operation on all of them helps a lot. Using an editor, create the file ticrypt-services.sh with the content:

#!/bin/bash
# Run one systemctl operation (enable, start, stop, restart, status, ...) on every tiCrypt service.
[ $# -eq 1 ] || { echo "usage: $0 <systemctl-verb>" >&2; exit 1; }

for s in auth file-manager maintenance proxy stats vm logger notifications rest storage; do
    systemctl "$1" "ticrypt-$s"
done

Make it executable:

chmod a+x ticrypt-services.sh

Using this script we can now enable all tiCrypt services:

./ticrypt-services.sh enable

Setting up firewall rules for tiCrypt

The tiCrypt proxy is not one of the predefined firewalld services, so it needs its own service definition. Define it in the permanent configuration, reload so that the definition becomes usable, then open HTTPS and the new service in the runtime configuration and save that:

firewall-cmd --permanent --new-service=ticrypt-proxy
firewall-cmd --permanent --service=ticrypt-proxy --set-short='tiCrypt Proxy'
firewall-cmd --permanent --service=ticrypt-proxy --set-description='Encrypted tunnels for tiCrypt VM traffic'
firewall-cmd --permanent --service=ticrypt-proxy --add-port=6000-6010/tcp
firewall-cmd --reload
firewall-cmd --zone=public --add-service=https
firewall-cmd --zone=public --add-service=ticrypt-proxy
firewall-cmd --runtime-to-permanent   # make the runtime changes permanent
firewall-cmd --zone=public --list-services   # should now list https and ticrypt-proxy

In the above, we assumed that the tiCrypt proxy uses the port range 6000-6010. If that is not the case, the --add-port rule needs to be changed accordingly. Note the ordering: --runtime-to-permanent overwrites the permanent configuration with the current runtime one, so anything added only with --permanent and not yet reloaded at that point would be lost. This is why the service definition is reloaded first and the zone changes are then made at runtime and saved.
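Because the port range is the one value that differs between installations, the following helper, written for this page as an added example and not part of tiCrypt, validates a range argument and prints the exact firewall-cmd sequence for it instead of running anything, so the output can be reviewed before it is piped to a shell. The service name defaults to ticrypt-proxy as used above; the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: print the firewalld commands for a given tiCrypt proxy port range.
# Usage: ./ticrypt-proxy-rules.sh 6000-6010 | sh   (review the output before piping to sh)

# Accept "START-END" or a single port; reject non-numeric, reversed or out-of-range values.
validate_port_range() {
    case "$1" in
        *-*) pr_start="${1%-*}"; pr_end="${1#*-}" ;;
        *)   pr_start="$1";      pr_end="$1" ;;
    esac
    for p in "$pr_start" "$pr_end"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$pr_start" -ge 1 ] && [ "$pr_end" -le 65535 ] && [ "$pr_start" -le "$pr_end" ]
}

# Emit (not execute) the sequence used on this page, with the range substituted.
# The service name defaults to ticrypt-proxy, as on this page.
ticrypt_proxy_rules() {
    range="$1"; svc="${2:-ticrypt-proxy}"
    if ! validate_port_range "$range"; then
        echo "invalid port range: $range" >&2
        return 1
    fi
    cat <<EOF
firewall-cmd --permanent --new-service=$svc
firewall-cmd --permanent --service=$svc --set-short='tiCrypt Proxy'
firewall-cmd --permanent --service=$svc --set-description='Encrypted tunnels for tiCrypt VM traffic'
firewall-cmd --permanent --service=$svc --add-port=$range/tcp
firewall-cmd --reload
firewall-cmd --zone=public --add-service=https
firewall-cmd --zone=public --add-service=$svc
firewall-cmd --runtime-to-permanent
EOF
}

# When run as a script, print the rules for the range given on the command line.
if [ $# -gt 0 ]; then
    ticrypt_proxy_rules "$1"
fi
```

Reversed ranges such as 6010-6000 and ports outside 1-65535 are rejected before any command is printed, which is the kind of typo that otherwise turns into a silently failing or overly broad firewall rule.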

Setting up Nginx config files for tiCrypt

The tiCrypt REST API will be set up using the file /etc/nginx/conf.d/rest.ticrypt.conf.

The following configuration file is based on Mozilla's SSL Configuration Generator.

Assuming that:

  • The tiCrypt server is available at ticrypt.example.com
  • The tiCrypt REST API runs on port 8080 on localhost (only Nginx talks to it; port 8080 is deliberately not opened in the firewall rules above)
  • The TLS/SSL combined certificate and chain is stored in /etc/pki/tls/certs/example-stacked.crt
  • The TLS/SSL trust chain is stored in /etc/pki/tls/certs/example-chain.crt
  • The TLS/SSL key is stored in /etc/pki/tls/private/example.key

the configuration file can look like this:

# Used to properly map HTTP headers for WebSocket connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# The tiCrypt REST API, listening on localhost only; nothing but Nginx should reach it
upstream tc-backend {
    server 127.0.0.1:8080;
}

server {
    ### Configuration based on Mozilla Configuration Tool
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate     /etc/pki/tls/certs/example-stacked.crt;
    ssl_certificate_key /etc/pki/tls/private/example.key;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/pki/tls/dhparam.pem
    # OR
    # openssl dhparam -outform pem -out /etc/pki/tls/dhparam.pem 2048
    ssl_dhparam /etc/pki/tls/dhparam.pem;

    # intermediate configuration: TLS 1.2+ and the Mozilla intermediate cipher list
    # (forward-secret AEAD suites only, no CBC suites)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/pki/tls/certs/example-chain.crt;

    # replace with the IP address of your resolver (needed for OCSP stapling)
    resolver 127.0.0.1;

    ### Begin Custom Rules ###

    server_name ticrypt.example.com;
    root /var/www/ticrypt-rest;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://code.getmdl.io; frame-ancestors 'self' http://127.0.0.1:*";

    #### This is critical for tiCrypt ####
    client_max_body_size 16M;

    # Files that exist under root are served directly, everything else goes to the backend
    location / {
        try_files $uri @proxy;
    }

    location /static {
        # NOTE: add_header directives inside a block replace, rather than extend, the
        # headers inherited from the server level, so HSTS and nosniff are repeated in
        # each branch below; otherwise /static responses would be sent without them.
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' 0;
            add_header Strict-Transport-Security "max-age=63072000" always;
            add_header X-Content-Type-Options nosniff;
            return 204;
        }
        if ($request_method = 'GET') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            add_header 'Access-Control-Expose-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            add_header Strict-Transport-Security "max-age=63072000" always;
            add_header X-Content-Type-Options nosniff;
        }
    }

    location @proxy {
        proxy_pass http://tc-backend;
        proxy_redirect off;
        proxy_buffering off;
        proxy_cache off;
        proxy_http_version 1.1;
        proxy_read_timeout 900s;
        proxy_connect_timeout 360s;
        proxy_send_timeout 360s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
Info: You will need to customize the values (server name, certificate and key paths, resolver address, backend port) for your situation. Check the file with nginx -t before reloading Nginx.
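Once Nginx is running with this configuration, it is worth verifying from a client that the security headers actually reach the browser on every path, not just on /, because headers set at the server level are dropped on any location that sets its own add_header. The following helper, written for this page as an added example and not part of tiCrypt, reads an HTTP response header block on stdin and reports which of the expected headers are missing; its exit status is the number of missing headers so it can be used in a deploy check. The sample response at the bottom is constructed for illustration, not captured from a real server; in practice you feed it `curl -sI https://ticrypt.example.com/` and `curl -sI https://ticrypt.example.com/static/`.

```shell
#!/bin/sh
# Added example: report security headers missing from an HTTP response header block.
# Usage: curl -sI https://ticrypt.example.com/static/ | check_security_headers
# Exit status is the number of missing headers, so it can be used in a deploy check.

# Headers this page's Nginx configuration is expected to send on every response.
REQUIRED_HEADERS="strict-transport-security x-content-type-options content-security-policy"

# Read headers from stdin; print one line per missing header; return the count.
check_security_headers() {
    # Strip CR so raw HTTP/1.1 (CRLF) input works, keep only the header names,
    # and lower-case them so the comparison is case-insensitive.
    names=$(tr -d '\r' | sed -n 's/^\([A-Za-z0-9-]*\):.*/\1/p' | tr 'A-Z' 'a-z')
    missing=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$names" | grep -qx "$h"; then
            echo "missing: $h"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: what a /static response looks like when the add_header
# directives in that location suppress the inherited server-level headers.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/javascript
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
'

# Demo run on the constructed sample: lists the three missing headers and exits 3.
printf '%s' "$SAMPLE_RESPONSE" | check_security_headers || echo "$? header(s) missing"
```

Run it against / and against a file under /static/ and compare: with the configuration above both should report nothing missing; if /static/ reports missing headers, the add_header directives in that location have replaced the inherited ones.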

Create the static directory for tiCrypt REST

mkdir -p /var/www/ticrypt-rest