Securing the polycubed daemon
Polycube uses a security model based on X.509 certificates to secure the communication between the polycube daemon (polycubed) and the polycube CLI (polycubectl).
polycubed
Server authentication
In order to authenticate the server, the cert and key parameters are needed.
Example:
# polycubed configuration file
cert: path to server certificate
key: path to server key
Client authentication
Polycubed supports three different modes to perform client authentication.
Mode 3: Whitelist based
This mode allows already existing client certificates to be used by providing the cert-white-list parameter, which is a folder containing the hash-named client certificates that are allowed to access polycubed.
See How to generate hash links to certificates.
Configuration example:
# polycubed configuration file
# server certificate
cert: /home/user/server.crt
# server private key
key: /home/user/server.key
# folder with allowed certificates
cert-white-list: /home/user/my_white_list/
polycubectl
To enable a secure connection to polycubed, the user has to configure the following parameters for polycubectl. See polycubectl configuration to get more details.
url: must start with https
cert: client certificate
key: client private key
cacert: certification authority certificate that signed the server certificate
How to generate hash links to certificates
The cert-black-list and cert-white-list parameters refer to a folder that contains certificates named by their hash value.
Follow these instructions to generate hash links to certificates:
# copy the certificates to your black or whitelist folder
$ cp client.crt myfolder/
$ cd myfolder
$ ls
client.crt
# create symbolic links
$ c_rehash .
Doing .
$ ls -l
9d75b5b3.0 -> client.crt
client.crt
eb7bf4cd.0 -> client.crt
Please see the c_rehash tool to get more information.
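The following shell functions are an added example, not part of the Polycube documentation or code base. They create the same kind of hash links with the openssl CLI where c_rehash is not installed, and audit a cert-white-list or cert-black-list folder for dangling links, links whose name does not match the certificate's subject hash, and files that have no link at all. Assumptions: openssl is installed, certificates are PEM files named *.crt, and the function names are illustrative.

```shell
# Added example, not Polycube code. Assumes the openssl CLI is installed and
# the folder holds PEM certificates named *.crt; function names are made up.

# Hash names for one certificate: current and pre-1.0.0 ("old") subject hash.
cert_hashes() {
    openssl x509 -noout -subject_hash -in "$1" &&
    openssl x509 -noout -subject_hash_old -in "$1"
}

# Create <hash>.<n> symlinks for every *.crt in folder $1 (safe to re-run).
link_certs() (
    cd "$1" || exit 1
    for crt in *.crt; do
        [ -f "$crt" ] || continue
        for h in $(cert_hashes "$crt" 2>/dev/null); do
            n=0
            while [ -e "$h.$n" ] || [ -L "$h.$n" ]; do
                # Already linked to this file: nothing to do for this hash.
                [ "$(readlink "$h.$n")" = "$crt" ] && continue 2
                n=$((n + 1))   # hash taken by another file: next suffix
            done
            ln -s "$crt" "$h.$n"
        done
    done
)

# Succeeds if some symlink in the current folder points at file $1.
has_link() {
    for l in *; do
        [ -L "$l" ] && [ "$(readlink "$l")" = "$1" ] && return 0
    done
    return 1
}

# Print entries that will not act as intended; exit status 1 if any exist.
audit_folder() (
    cd "$1" || exit 1
    bad=0
    for e in *; do
        if [ -L "$e" ] && [ ! -f "$e" ]; then
            echo "DANGLING $e"; bad=1
        elif [ -L "$e" ]; then
            cert_hashes "$e" 2>/dev/null | grep -qx "${e%.*}" || { echo "MISMATCH $e"; bad=1; }
        elif [ -f "$e" ] && ! has_link "$e"; then
            echo "UNLINKED $e"; bad=1
        fi
    done
    exit "$bad"
)
```

Because the folder acts as the access list for polycubed, running audit_folder after every change shows certificates that were copied in but never linked and links left behind after a certificate was removed.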