Documentation for AppOptics

Secure Plugin Communication

Overview

The Snap framework communicates with plugins over gRPC and can secure that communication by opening TLS channels and using certificates to authenticate both the plugins and the framework. How to configure Snap to use secure gRPC is described here.

It's important to note that once secure plugin communication is enabled in the framework, only secure connections may be established. In other words, attempting to load an insecure plugin into the framework will result in an error.

Detailed Preparation

Starting secure communication requires the following steps:

  1. Obtain an X.509 certificate and private key for the framework (snap).
  2. Obtain an X.509 certificate and private key for each plugin or group of plugins.
  3. Obtain and install the CA certificates that are needed to authenticate the framework and plugin certificates.

Acquiring a TLS certificate is a complex process, and every organization has its own security rules, so the details are not given here.

Please note that the X.509 certificate should allow usage for TLS web server authentication (as specified in RFC 3280).

Building self-signed certificate

This section describes how to obtain certificates signed by a local CA and use them correctly in a local environment:

  1. Install certstrap (https://github.com/square/certstrap) to generate test certificates. The following steps assume that certstrap is available in a directory on $PATH.
  2. Generate the root CA certificate (the name "snap-ca" must match the --CA argument of the sign commands and the ca_cert_paths entry below):

    certstrap init --cn "snap-ca" --o "snap" --ou "ca" --key-bits 4096 --years 1
  3. Generate the server certificate and key that plugins will use:

    certstrap request-cert --cn "snap-srv" --ip "127.0.0.1" --domain "localhost" --passphrase '' --key-bits 4096 --o "snap" --ou "server"
    certstrap sign "snap-srv" --CA "snap-ca" --passphrase "" --years 1
  4. Generate the client certificate and key that swisnapd will use:

    certstrap request-cert --cn "snap-cli" --ip "127.0.0.1" --domain "localhost" --passphrase '' --key-bits 4096 --o "snap" --ou "client"
    certstrap sign "snap-cli" --CA "snap-ca" --passphrase '' --years 1
  5. Edit the main configuration file (config.yaml):

    control:
      tls_cert_path: <PATH>/snap-cli.crt
      tls_key_path: <PATH>/snap-cli.key
      plugin_tls_cert_path: <PATH>/snap-srv.crt
      plugin_tls_key_path: <PATH>/snap-srv.key
      ca_cert_paths: <PATH>/snap-ca.crt

    where <PATH> is the directory containing the files generated by the certstrap commands.

  6. Restart the swisnap service.
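As an added example that is not part of this documentation, the Go program below applies to a certificate from steps 2 to 4 the same checks a Go TLS client makes on a server certificate: a chain to the CA listed in ca_cert_paths, a SAN matching the plugin address, and the TLS web server authentication usage noted above. The CA and leaf are constructed in memory as a stand-in for certstrap's output files; VerifyPluginCert and MakeTestPair are names chosen for this example, and feeding it the real snap-ca.crt and snap-srv.crt read from <PATH> checks actual certstrap output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"time"
)

// VerifyPluginCert applies the checks a Go TLS client makes on a server certificate: chain to a
// CA from ca_cert_paths, SAN covering host, and the serverAuth EKU (TLS web server authentication).
func VerifyPluginCert(caPEM, certPEM []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // an empty pool makes Verify fail with UnknownAuthorityError
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("plugin certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// MakeTestPair is a constructed stand-in for certstrap's output files: a CA (snap-ca)
// and a leaf it signs for localhost/127.0.0.1 with the given extended key usages.
func MakeTestPair(eku []x509.ExtKeyUsage) (caPEM, leafPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: inputs are fixed and valid
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Add(-time.Minute)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "snap-ca"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "snap-srv"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: eku,
		DNSNames: []string{"localhost"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, leafPub, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
}
```

A certificate that carries only the clientAuth usage (the role of snap-cli.crt) is rejected when presented as the plugin certificate, which is the failure mode the note about TLS web server authentication is warning about.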

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.