Amplet2 Client SSL Configuration
The AMP client can use an SSL connection when reporting results to the RabbitMQ broker (which lets the broker verify that the results really come from the client they claim to come from) and must use an SSL connection when requesting that another client start a server for a cooperative test (i.e. throughput, udpstream). All clients must have a proper SSL configuration or they will not start. Currently, any valid certificate that is signed by the same CA as the client will be accepted - all such certificates are considered to be part of the same trusted group. The control subsection of the client configuration file has options to implement access control lists that can further limit who can connect to a client and start test servers.
There is an AMP PKI package available that will
help with key and certificate management. Clients can generate their own keys
and use these to request a signed certificate from a custom CA running on the
collector.
If you don't want to (or can't) use the AMP PKI package then it is up to you to generate (using openssl or whatever your tool of choice is) and distribute the keys and certificates to the clients.
Regardless of how you do it, you will need to ensure that the CA certificate is distributed in some manner to the clients. There is no built-in mechanism to distribute the CA certificate; it is up to you to decide the best approach for your deployment. By default, the CA certificate should be installed in the keys directory, in a file named after the collector:
/etc/amplet2/keys/<collector>.pem
The private key will be created on startup if it doesn't exist. This allows you the option of distributing your own key as part of your host configuration. By default the key will be created in the client specific subdirectory:
/etc/amplet2/keys/<ampname>/key.pem
The client will try to fetch a signed certificate from the collector if one doesn't already exist. This allows you the option of distributing your own certificate as part of your host configuration. By default the certificate will be created in the client specific subdirectory, named after the collector that signed it:
/etc/amplet2/keys/<ampname>/<collector>.pem
If trying to fetch a signed certificate from the collector, the client will generate a Certificate Signing Request and send it to the collector. The collector will accept the request and add it to the list, waiting on a human to sign the certificate with the AMP PKI tools. If waitforcert is true then the client will poll forever (backing off exponentially) until the certificate is signed and available for download, otherwise the client will exit with a warning.
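The page leaves the manual (non-PKI-package) path to the reader, so here is an added example, not code from amplet2 or the AMP PKI package, that builds the key and certificate layout described above with plain openssl under a scratch directory standing in for /etc/amplet2 (CA, client key, CSR, signed certificate), and then applies the same "signed by our CA" rule that peers rely on. The collector name and ampname are constructed values; `openssl verify` stands in for the check the client performs during its TLS handshake.

```shell
#!/bin/sh
# Added example (not from the amplet2 project): reproduce the documented
# /etc/amplet2/keys layout with openssl and check the group trust rule.
# Assumes openssl 1.1+ in PATH. AMP_ROOT stands in for /etc/amplet2.
set -eu

AMP_ROOT="${AMP_ROOT:-$(mktemp -d)}"   # scratch dir instead of /etc/amplet2
COLLECTOR="collector.example.org"     # constructed collector name
AMPNAME="amp-client-01"               # constructed client name (ampname)

# Self-signed CA standing in for the custom CA the collector would run.
# Its certificate lands where clients expect it: keys/<collector>.pem
make_ca() {
    mkdir -p "$AMP_ROOT/keys"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$COLLECTOR CA" \
        -keyout "$AMP_ROOT/ca.key" \
        -out "$AMP_ROOT/keys/$COLLECTOR.pem" 2>/dev/null
}

# Client key and CSR, then a certificate signed by the CA above, stored in
# keys/<ampname>/key.pem and keys/<ampname>/<collector>.pem respectively.
make_client() {
    ampname="$1"
    dir="$AMP_ROOT/keys/$ampname"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ampname" \
        -keyout "$dir/key.pem" -out "$dir/request.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/request.csr" \
        -CA "$AMP_ROOT/keys/$COLLECTOR.pem" -CAkey "$AMP_ROOT/ca.key" \
        -CAcreateserial -out "$dir/$COLLECTOR.pem" 2>/dev/null
    rm -f "$dir/request.csr"
}

# The rule a peer applies: is this certificate signed by our collector's CA?
# Any certificate from the same CA is accepted; anything else is rejected.
# Prints "ok" or "fail".
verify_peer() {
    if openssl verify -CAfile "$AMP_ROOT/keys/$COLLECTOR.pem" "$1" \
        >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}
```

Run `make_ca` once, then `make_client <ampname>` per client; `verify_peer` on a second client's certificate returns ok, while a certificate from an unrelated CA returns fail, which is why the access control lists in the control section are the only way to narrow trust below "everyone signed by this CA".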