The Snap framework communicates with its plugins over gRPC. That channel can be secured by opening TLS connections and using X.509 certificates to authenticate the plugins and the framework to each other. Configuring snap to use secure gRPC is described below.
It's important to note that once secure plugin communication is enabled in the framework, only secure connections may be established. In other words: attempting to load an insecure plugin in the framework will result in an error.
Enabling secure communication requires the following steps:
- Obtain an X.509 certificate and private key for the framework (snap).
- Obtain an X.509 certificate and private key for each plugin or group of plugins.
- Obtain the CA certificate(s) needed to validate the framework and plugin certificates, and place them where the framework and the plugins can read them.
Acquiring a TLS certificate is an involved process, and every organization has its own security rules for it, so the details are not given here.
Note that the X.509 certificates must allow usage for TLS web server authentication, i.e. carry the serverAuth extended key usage (as specified in RFC 3280, since obsoleted by RFC 5280).
This section describes how to obtain certificates signed by a local CA and use them correctly in a local environment:
Use certstrap (https://github.com/square/certstrap) to generate test certificates. The following steps assume that ``certstrap`` is available under
Generate the root CA certificate (``--passphrase ''`` leaves the CA key unencrypted, matching the empty passphrase passed to ``certstrap sign`` below; without it certstrap prompts for one):
certstrap init --cn "snaptest-ca" --o "snap" --ou "ca" --key-bits 4096 --years 1 --passphrase ''
Generate the server certificate and key to use with plugins (``--CA`` must match the ``--cn`` given to ``certstrap init``):
certstrap request-cert --cn "snap-srv" --ip "127.0.0.1" --domain "localhost" --passphrase '' --key-bits 4096 --o "snap" --ou "server"
certstrap sign "snap-srv" --CA "snaptest-ca" --passphrase '' --years 1
Generate the client certificate and key to use with swisnapd:
certstrap request-cert --cn "snap-cli" --ip "127.0.0.1" --domain "localhost" --passphrase '' --key-bits 4096 --o "snap" --ou "client"
certstrap sign "snap-cli" --CA "snaptest-ca" --passphrase '' --years 1
- Change the main configuration file (config.yaml) so that the framework uses the generated certificate, key and CA files.
<PATH> is the directory with the output generated by certstrap (``out`` in the current directory unless ``--depot-path`` was given).
- Restart the swisnapd service.
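The whole procedure above, end to end, as an added Go example (this is not code from the Snap or SolarWinds projects): it produces the same three certificates the certstrap commands do (CA ``snaptest-ca``, server ``snap-srv`` for 127.0.0.1/localhost, client ``snap-cli``), checks the extended key usage the RFC note calls for, then runs the plugin side as a TLS listener that requires a client certificate signed by the CA and shows that a peer presenting the client certificate gets through while a peer without one is refused, which is the behaviour described for insecure plugins. Assumptions not on the page: Ed25519 keys instead of 4096-bit RSA, each leaf carrying only the extended key usage its role needs (serverAuth for the plugin, clientAuth for the framework), the names PKI, NewPKI, CheckUsage, ServePlugin and Connect, and a two-byte "ok" standing in for the gRPC traffic.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI is what the certstrap steps above produce: the CA (as a trust pool), the plugin's server cert and the framework's client cert.
type PKI struct {
	Pool           *x509.CertPool
	Server, Client tls.Certificate
}

// template mirrors --cn/--o/--ou and --years 1; eku is serverAuth, clientAuth, or absent for the CA.
func template(cn, ou string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"snap"}, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
}

// issue is "certstrap sign", or "certstrap init" (self-signed) when ca is nil; Ed25519 stands in for 4096-bit RSA for speed.
func issue(tmpl *x509.Certificate, ca *tls.Certificate) (tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	parent, signer := tmpl, crypto.Signer(key)
	if ca != nil { parent, signer = ca.Leaf, ca.PrivateKey.(crypto.Signer) }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return tls.Certificate{}, err }
	leaf, err := x509.ParseCertificate(der) // kept in Leaf so the CA cert can sign the others
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// NewPKI runs the three steps: init the CA, then request-cert/sign for the plugin (serverAuth) and the framework (clientAuth).
func NewPKI() (*PKI, error) {
	caTmpl := template("snaptest-ca", "ca", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	ca, err := issue(caTmpl, nil)
	if err != nil { return nil, err }
	srvTmpl := template("snap-srv", "server", 2, x509.ExtKeyUsageServerAuth) // --ip 127.0.0.1 --domain localhost
	srvTmpl.IPAddresses, srvTmpl.DNSNames = []net.IP{net.ParseIP("127.0.0.1")}, []string{"localhost"}
	srv, err := issue(srvTmpl, &ca)
	if err != nil { return nil, err }
	cli, err := issue(template("snap-cli", "client", 3, x509.ExtKeyUsageClientAuth), &ca)
	if err != nil { return nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &PKI{Pool: pool, Server: srv, Client: cli}, nil
}

// CheckUsage: does the leaf chain to the CA for this purpose? The server cert passes for serverAuth and fails for clientAuth.
func (p *PKI) CheckUsage(c tls.Certificate, eku x509.ExtKeyUsage) error {
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: p.Pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// ServePlugin is a plugin's gRPC listener reduced to its TLS layer: present the server cert, require a client cert signed by the CA, send "ok" only to peers that pass.
func (p *PKI) ServePlugin() (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{p.Server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: p.Pool})
	if err != nil { return "", err }
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if c.(*tls.Conn).Handshake() == nil {
				c.Write([]byte("ok"))
			}
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// Connect is the framework side; calling it with no certificate models an insecure peer. The Read matters: under
// TLS 1.3 the client's handshake completes before the server has checked the client cert, so rejection surfaces on Read.
func (p *PKI) Connect(addr string, certs ...tls.Certificate) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: p.Pool, ServerName: "localhost", Certificates: certs})
	if err != nil { return err }
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2)) // "ok" from an authenticated session, a TLS alert otherwise
	return err
}

func main() {
	p, err := NewPKI()
	if err != nil { panic(err) }
	addr, _ := p.ServePlugin()
	fmt.Println("mutual TLS:", p.Connect(addr, p.Client), "| no client cert:", p.Connect(addr))
}
```

Two details carry over to a real deployment. First, ``CheckUsage`` is the offline version of the RFC note: a certificate that chains to the CA but lacks the right extended key usage is refused at handshake time with "incompatible key usage", so run the check on the files before restarting the service. Second, with TLS 1.3 a client is not told it was rejected until it reads from the connection, which is why ``Connect`` reads before reporting success; a health check that only dials would report an unauthenticated channel as working.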
The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.