In this talk, we will begin our journey looking at the RFCs behind these technologies. Next, we will use OpenSSL, CFSSL, and mkcert to validate what we have learned about X509 v3 certificates. Then we will use the certificates we make to bootstrap Consul, Vault, and Nomad clusters with mTLS enabled so we can get familiar with terminology and error messages. Finally, we will look at their source code to learn how we might implement the same ideas in our projects.
Secret Management with Hashicorp’s Vault - AWS Germany
When running a Kubernetes cluster in AWS, there are secrets such as AWS and Kubernetes credentials, database access information, or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets. It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
In this solutions engineering hangout, HashiCorp solutions engineer John Boero will walk through the basics of managing Vault secrets and accessing REST APIs without having a binary CLI or UI. This talk will include some minimalist hotwired tricks for when you don't even have cURL. For example, you might be in a restrictive environment such as a minimalist container.
Hashicorp Vault: Open Source Secrets Management at #OPEN18 - Kangaroot
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. We'll show how this works.
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018 - HashiCorp
Managing secrets in a distributed cloud world requires a new approach to security. Applications and systems are now frequently created and destroyed. The network between distributed clouds, applications, and systems is low-trust, furthering the complexities of secrets sprawl. So, what is the solution?
HashiCorp Vault seeks to solve the problem of secret sprawl by centralizing secrets management in a scalable, repeatable workflow to be able to create, manage, and revoke secrets as needed.
Watch this webinar to learn:
- How Vault addresses today’s security threats
- How security teams can use Vault to store and manage all their secrets across their private and public infrastructure, globally.
- How Adobe reduced secret sprawl, increased operational performance of a key security process, and processes 100 trillion transactions with Vault
For full webinar recording: https://hashicorp.com/resources/eliminating-secret-sprawl-in-the-cloud
Vault 1.1: Secret Caching with Vault Agent and Other New Features - Mitchell Pronschinske
Since its first release in 2015, HashiCorp Vault has grown from a place to keep secrets to a platform that provides comprehensive secrets management, encryption as a service, and identity-based security for some of the largest organizations in the world. While Vault 1.0 saw auto-unseal become open source and introduced batch tokens, improved performance, feature completeness, and enterprise readiness, Vault 1.1 focuses on workflow enablement and on scaling and operations.
Learn from HashiCorp Vault engineer Nick Cabatoff how you can ensure that you use Vault effectively so that no secret credentials, APIs, or certs leak.
HashiCorp Vault 1.0 is the culmination of a journey that brings broad ecosystem integration, feature completeness, and enterprise readiness to the popular secrets management tool. Learn how to use new features like Auto Unseal and Batch Tokens.
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault - Jeff Horwitz
Presented to the Philly DevOps Meetup November 29, 2016.
Managing secrets is hard. It’s even harder in the cloud. At Jornaya (formerly LeadiD), we chose Hashicorp Vault to manage our secrets in AWS, and I’d like to share our experience with everyone.
This talk is an introduction to quantum cryptography and cryptanalysis: the physics and mathematics behind how quantum computers provide unique opportunities and threats to traditional cryptographic systems. We will review the basics behind quantum mechanics and quantum computers, why quantum computers pose a unique threat to cryptographic systems and what secure infrastructure systems must do to protect secrets in a post-quantum world.
Hashicorp Vault - Manage Secrets and Protect Sensitive Data.
Vault is becoming the most popular tool to manage, secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
In this talk we will learn the most powerful features of HashiCorp Vault in both versions (Open Source & Enterprise) and how we can implement a solution in our dynamic infrastructure.
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault - Outlyer
A review of AWS security concepts, leaks at Beamly, an introduction to Hashicorp Vault, and how we use Vault at Beamly.
Watch YouTube video here: http://bit.ly/25ytNAD
Join DevOps Exchange London Meetup: http://bit.ly/22y4Var
Follow DOXLON on Twitter: http://bit.ly/1ZdugEJ
SRE Tech Talk meetup - 28/05/2019 in Paris. Presenting Kubernetes at NoSQL. Managing stateful applications is not an easy task. Getting them working at scale on more than 4500 servers worldwide becomes very time consuming. We'll talk about the challenges we've been facing when moving from a full configuration manager (Chef) solution to a mixed solution with a scheduler (Kubernetes). We'll also talk about the pitfalls to avoid when switching to a scheduler for stateful apps.
Kubernetes is more or less one of the biggest players when it comes to container orchestration. Since Kubernetes 1.7, RBAC (Role Based Access Control) is the default for the authorisation of actions in your cluster. There are many other components, like Pod Security Policies, Network Policies, and Admission Controllers, that allow you to secure your Kubernetes cluster.
In this talk I will show you how these things can work together and which problems these components try to solve. I will also give an overview of how other tools like Vault can fit into the Kubernetes ecosystem to make your platform more secure.
Event: DevFest Karlsruhe, 09.12.2017
Speaker: Johannes M. Scheuermann
More tech talks: https://www.inovex.de/de/content-pool/vortraege/
More tech articles: https://www.inovex.de/blog/
PerconaLive 2016 Santa Clara presentation on Hashicorp Vault with CTO Armon Dadgar
https://www.percona.com/live/data-performance-conference-2016/sessions/using-vault-decouple-secrets-applications
Get an overview of HashiCorp's Vault concepts.
Learn how to start a Vault server.
Learn how to use Vault's PostgreSQL backend.
See an overview of Vault's SSH backend integration.
This presentation was held on the DigitalOcean Meetup in Berlin. Find more details here: https://www.meetup.com/DigitalOceanBerlin/events/237123195/
How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet - Amanda MacLeod
Puppet is one of the most mature and widely used config management tools out there. But one question comes up time and again: where and how do I store secrets in Puppet code? HashiCorp Vault safely manages your secrets in an automated and secure way.
In this webinar, Peter Souter will demonstrate how to use HashiCorp Vault for secrets management while using Puppet as the configuration management software.
Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates", because he/she knows how that works. But what if "that one colleague" is enjoying vacation and something goes wrong with the certificates?
In this session we'll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS are, we'll dive into public/private keys and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & tricks, as well as demos.
Attend this session to become "that one colleague"!
Presentation of a few mechanisms that can help to automate the bootstrap process in IoT environment.
This is the summary of my work done during an 8-week internship at Red Hat.
How does a hacker see your website?
Demonstration from the point of view of an attack on a WordPress site.
Short presentation on monitoring, warnings, and tools.
Client server computing in mobile environments part 2 - Praveen Joshi
Client server computing in mobile environments: a versatile, message-based, modular infrastructure intended to improve usability, flexibility, interoperability and scalability compared to centralized, mainframe, time-sharing computing.
Intended to reduce network traffic.
Communication uses RPC or SQL.
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study) - Richard Bullington-McGuire
Richard Bullington-McGuire presented this talk on PKI enabling web applications for the DoD at the 2009 MIL-OSS conference:
http://www.mil-oss.org/
It is a case study that shares some of the challenges and solutions surrounding the implementation of the Forge.mil system.
Slides from a lightning talk given at the SoftLayer study group (May 23, 2014).
Slides about "Introduction to SoftLayer CLI" in Japanese at SoftLayer study (Shinagawa, Tokyo) May 23, 2014.
See also http://softlayer.doorkeeper.jp/events/10880
One-Man Ops with Puppet & Friends.
If you're getting started in Amazon AWS here's 7 tools that will help you be successful, a few tips to make your life easier and some common pitfalls to avoid.
OSSNA 2017 Performance Analysis Superpowers with Linux BPF - Brendan Gregg
Talk by Brendan Gregg for OSSNA 2017. "Advanced performance observability and debugging have arrived built into the Linux 4.x series, thanks to enhancements to Berkeley Packet Filter (BPF, or eBPF) and the repurposing of its sandboxed virtual machine to provide programmatic capabilities to system tracing. Netflix has been investigating its use for new observability tools, monitoring, security uses, and more. This talk will be a dive deep on these new tracing, observability, and debugging capabilities, which sooner or later will be available to everyone who uses Linux. Whether you’re doing analysis over an ssh session, or via a monitoring GUI, BPF can be used to provide an efficient, custom, and deep level of detail into system and application performance.
This talk will also demonstrate the new open source tools that have been developed, which make use of kernel- and user-level dynamic tracing (kprobes and uprobes), and kernel- and user-level static tracing (tracepoints). These tools provide new insights for file system and storage performance, CPU scheduler performance, TCP performance, and a whole lot more. This is a major turning point for Linux systems engineering, as custom advanced performance instrumentation can be used safely in production environments, powering a new generation of tools and visualizations."
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal) - Jakub Botwicz
Presentation about Cotopaxi toolkit from Black Hat Asia 2019 Arsenal session. Author: Jakub Botwicz
https://www.blackhat.com/asia-19/arsenal/schedule/index.html#cotopaxi-iot-protocols-security-testing-toolkit-14325
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
Similar to HashiTLS Demystifying Security Certs (20)
Consul is a Service Networking tool designed to connect applications and services across a multi-cloud world. With Consul, organizations can manage service discovery and health monitoring, automate their middleware and leverage service mesh to connect virtual machine environments and Kubernetes clusters.
See what deploying across polycloud environments using cross-workloads looks like in HashiCorp Nomad, and see Consul tie these workloads together with secure routing.
An important use-case for Vault is to provide short lived and least privileged Cloud credentials. In this webinar we will review specifically how Vault's Azure Secrets Engine can provide dynamic Azure credentials. We will cover details on how to configure the Azure Secrets Engine in Vault and use it in an application. If you are using Azure now or in the near future, join us for some patterns on maintaining a high security posture with Vault's dynamic credentials model!
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure - Mitchell Pronschinske
DevOps tools became very popular with the adoption of public cloud, but Operational teams now realize that their benefits can be extended to enterprise data centers. In reality, cloud native tools can help bridge public clouds and private data centers by enabling a common framework to manage applications and their underlying infrastructure components.
In this session you’ll learn about the latest Cisco ACI integrations with Hashicorp Terraform and Consul to deliver a powerful solution for end-to-end on-prem and cloud infrastructure deployments.
Empowering developers and operators through Gitlab and HashiCorp - Mitchell Pronschinske
Companies digitally transforming themselves into modern, software-defined businesses are building their foundation on cloud native solutions like GitLab and Hashicorp. Together, GitLab, Terraform, and Vault are empowering organizations to be more iterative, flexible, and secure. Join us in this session to learn more about how GitLab and Hashicorp are lowering the barrier of entry into industrializing the application development and delivery process across the entire application lifecycle.
Automate and simplify multi-cloud complexity with F5 and HashiCorp - Mitchell Pronschinske
In this session, Lori Mac Vittie, principal technology evangelist at F5, discusses digital transformation and how F5 and HashiCorp are working together to unlock the full potential of the cloud.
In this webinar we will cover the new features in Vault 1.5. This release introduces several new improvements along with new features around the following areas: Usage Quotas for Request Rate Limiting, OpenShift Helm Support (beta), Telemetry and Monitoring Enhancements, and much more. Join Vault technical marketer Justin Weissig as he demos Vault 1.5's new features.
Integrated Storage, a key feature now available in Vault 1.4, can streamline your Vault architecture and improve performance. See demos and documentation of its use cases and migration process.
Learn how Cisco ACI and HashiCorp Terraform can help you increase productivity while reducing risks for your organization by managing infrastructure as code.
HashiCorp Nomad is an easy-to-use and flexible workload orchestrator that enables organizations to automate the deployment of any applications on any infrastructure at any scale across multiple clouds. While Kubernetes gets a lot of attention, Nomad is an attractive alternative that is easy to use, more flexible, and natively integrated with HashiCorp Vault and Consul. In addition to running Docker containers, Nomad can also run non-containerized, legacy applications on both Linux and Windows servers.
Terraform allows you to define your infrastructure as code. Variables and modules empower you to extend and reuse your Infrastructure as Code. With the Consul provider for Terraform, you can also let your Consul KV data drive your Terraform runs.
Watch this succinct guide to the benefits of modern scheduling and how HashiCorp Nomad can help you move your organization toward more modern deployment patterns.
See a demo of HashiCorp Consul Service (HCS) on Azure and learn how it could be used to migrate from monolithic, VM-based apps to microservices running on Kubernetes.
Enhancing Project Management Efficiency: Leveraging AI Tools like ChatGPT - Jay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
Developing Distributed High-performance Computing Capabilities of an Open Sci... - Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Quarkus Hidden and Forbidden Extensions - Max Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll know how to organize and improve your code review process.
Enhancing Research Orchestration Capabilities at ORNL - Globus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient... - Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
A Comprehensive Look at Generative AI in Retail App Testing - kalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart... - Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ... - Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Globus Compute with IRI Workflows - GlobusWorld 2024 - Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Understanding Globus Data Transfers with NetSage - Globus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
5. So what?
1. Managing certificates in 2020 is still hard.
2. We keep repeating the same errors in our software.
3. It all starts with education, and a foundation in the basics.
7. Agenda
Hands-on Practice: Use practical tools like mkcert and HashiCorp Consul to get familiar with how certificates can be managed and used.
First Principles: Learn what makes up a certificate and how those pieces come together to form a complete system.
Learn the Code: Examine a few code bases which utilize mTLS to get work done.
11. Certificate Basic Fields - 1/3
▪ Version Number
– The version of the encoded certificate.
▪ Serial Number
– A positive integer unique to the Certificate Authority.
▪ Signature Algorithm
– Contains the identifier for the cryptographic algorithm used by the CA to sign the certificate.
12. Certificate Basic Fields - 2/3
▪ Issuer
– Identifies the entity that has signed and issued the certificate.
▪ Validity
– The time interval during which the CA warrants that it will maintain information about the status of the certificate.
▪ Subject
– Identifies the entity associated with the public key stored in the subject public key field.
13. Certificate Basic Fields - 3/3
▪ Subject Public Key Info
– Used to carry the public key and identify the algorithm with which the key is used.
▪ Extensions
– Provide methods for associating additional attributes to certificates.
15. Let’s Look at a Certificate
TERMINAL
> openssl x509 -in ~/.local/share/mkcert/rootCA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ba:26:56:af:26:bd:3c:1a:e5:05:9d:fa:0b:83:40:26
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = mkcert development CA,
OU = ascherger@incontrol (Alan Scherger),
CN = mkcert ascherger@incontrol (Alan Scherger)
Validity
Not Before: Feb 18 22:34:27 2020 GMT
Not After : Feb 18 22:34:27 2030 GMT
...
18. OpenSSL Command
TERMINAL
> openssl x509 -in ~/.local/share/mkcert/rootCA.pem -text -noout
This is the command used for displaying and signing X509 formatted certificates.
19. OpenSSL Command
TERMINAL
> openssl x509 -in ~/.local/share/mkcert/rootCA.pem -text -noout
-in : Specifies the input filename to read a certificate from.
20. OpenSSL Command
TERMINAL
> openssl x509 -in ~/.local/share/mkcert/rootCA.pem -text -noout
-text : Prints out the certificate in text form.
-noout : Prevents output of the encoded version of the certificate.
21. Version
The version of the encoded certificate.
22. Serial Number
A positive integer unique to the Certificate Authority.
23. Signature Algorithm
Contains the identifier for the cryptographic algorithm used by the CA to sign this certificate.
24. Issuer
Identifies the entity that has signed and issued the certificate.
25. Validity
The time interval during which the CA warrants that it will maintain information about the status of the certificate.
26. Subject
Identifies the entity associated with the public key stored in the subject public key field.
TERMINAL
Subject: O = mkcert development CA,
OU = ascherger@incontrol (Alan Scherger),
CN = mkcert ascherger@incontrol (Alan Scherger)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (3072 bit)
Modulus: [large integer represented in colon-hexadecimal notation]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
B9:D5:B3:06:55:B4:E6:CE:CB:CB:56:B3:4A:35:96:A3:AA:5F:2D:C4
27. Subject Public Key Info
Used to carry the public key and identify the algorithm with which the key is used.
28. Extensions: Key Usage
Defines the purpose of the key contained in the certificate.
29. Extensions: Basic Constraints
Identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.
30. Extensions: Subject Key Identifier
Provides a means of identifying certificates that contain a particular public key.
32. Blue Book
Volume VIII - Fascicle VIII.8
Data Communication Networks Directory
Recommendations X.500-X.521
🔥 236 glorious pages of explanation 🔥
34. Certificate Chain of Trust
A list of certificates (usually starting with an end-entity certificate) followed by one or more CA certificates (usually the last one being a self-signed certificate), with the following properties:
1. The Issuer of each certificate (except the last one) matches the Subject of the next certificate in the list.
2. Each certificate (except the last one) is supposed to be signed by the secret key corresponding to the next certificate in the chain (i.e. the signature of one certificate can be verified using the public key contained in the following certificate).
3. The last certificate in the list is a trust anchor: a certificate that you trust because it was delivered to you by some trustworthy procedure.
39. iOS 13 and macOS 10.15 - Gotchya
https://support.apple.com/en-us/HT210176
41. Install
Download the latest release.
Use the -install flag to generate and install certificates.
TERMINAL
> chmod +x ~/Downloads/mkcert-v1.4.1-darwin-amd64
> ~/Downloads/mkcert-v1.4.1-darwin-amd64 -install
Created a new local CA at
"/Users/ascherger/Library/Application Support/mkcert" 💥
Sudo password:
The local CA is now installed in the system trust store!
⚡
Warning: "certutil" is not available, so the CA can't be
automatically installed in Firefox! ⚠
Install "certutil" with "brew install nss" and re-run
"mkcert -install" 👈
>
42. TERMINAL
> ls -al /Users/ascherger/Library/Application Support/mkcert
total 16
drwxr-xr-x 4 ascherger staff 128 Feb 16 22:09 .
drwx------+ 121 ascherger staff 3872 Feb 16 22:09 ..
-r-------- 1 ascherger staff 2488 Feb 16 22:09 rootCA-key.pem
-rw-r--r-- 1 ascherger staff 1728 Feb 16 22:09 rootCA.pem
>
Look at our certificates.
rootCA-key.pem is the private key.
rootCA.pem is the public certificate.
44. TERMINAL
> openssl x509 -in rootCA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
84:4a:83:84:72:ad:27:89:09:7e:48:44:b9:f6:30:6e
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=mkcert development CA,
OU=ascherger@Alans-MacBook-Pro.local,
CN=mkcert ascherger@Alans-MacBook-Pro.local
Validity
Not Before: Feb 17 04:09:41 2020 GMT
Not After : Feb 17 04:09:41 2030 GMT
Subject: O=mkcert development CA,
OU=ascherger@Alans-MacBook-Pro.local,
CN=mkcert ascherger@Alans-MacBook-Pro.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:e0:70:56:33:aa:83:d5:ed:0f:46:f1:99:d5:81:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
93:EF:36:51:3D:94:46:01:8F:01:F7:B9:22:09:75:F9:E7:63:93:F9
Signature Algorithm: sha256WithRSAEncryption
bb:0e:80:b4:35:b8:2a:58:9e:36:f3:4a:ce:87:5c:0b:86:54:
...
Inspect the Root CA public certificate.
45. Make a new localhost certificate.
TERMINAL
> mkcert localhost 127.0.0.1 ::1
Using the local CA at
"/Users/ascherger/Library/Application Support/mkcert" ✨
Created a new certificate valid for the following names
📜
- "localhost"
- "127.0.0.1"
- "::1"
The certificate is at "./localhost+2.pem" and the key at
"./localhost+2-key.pem" ✅
>
46. Serial Number
Remember "18:f1"; we'll see that again soon.
TERMINAL
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:f1:88:4e:19:56:0f:7a:ae:11:75:eb:e9:67:8d:57
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=mkcert development CA,
OU=ascherger@Alans-MacBook-Pro.local,
CN=mkcert ascherger@Alans-MacBook-Pro.local
Validity
Not Before: Jun 1 00:00:00 2019 GMT
Not After : Feb 19 07:05:58 2030 GMT
Subject: O=mkcert development certificate,
OU=ascherger@Alans-MacBook-Pro.local
47. Issuer
Matches our Root CA public key information.
48. Validity
Patched to get around the macOS hiccup.
49. Subject
No Common Name (CN), and different from the CA information.
50. Key Usage
Explicitly allows for Web Server usage, but not Client usage.
TERMINAL
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c0:ed:e2:11:01:66:60:d1:c6:50:cd:e0:7a:a3:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
51. Basic Constraints
This certificate cannot act as a CA, so it cannot make child certificates.
TERMINAL
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c0:ed:e2:11:01:66:60:d1:c6:50:cd:e0:7a:a3:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
52. Authority Key Identifier
Matches the Subject Key Identifier of the Root certificate.
TERMINAL
X509v3 Authority Key Identifier:
keyid:93:EF:36:51:3D:94:46:01:8F:01:F7:B9:22:09:75:F9:E7:63:93:F9
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Signature Algorithm: sha256WithRSAEncryption
4b:f5:d0:fa:27:43:c2:d8:ef:4c:be:5e:66:81:21:c1:c1:5f:
...
53. Subject Alternative Name
A list of DNS and IP addresses this certificate is allowed to represent.
TERMINAL
X509v3 Authority Key Identifier:
keyid:93:EF:36:51:3D:94:46:01:8F:01:F7:B9:22:09:75:F9:E7:63:93:F9
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Signature Algorithm: sha256WithRSAEncryption
4b:f5:d0:fa:27:43:c2:d8:ef:4c:be:5e:66:81:21:c1:c1:5f:
...
60. Consul + TLS
1. Consul CLI has a tls command for setting up a CA and certificates.
2. Consul has an auto_encrypt feature for auto-managing certificates.
3. Consul's Connect API contains the CA endpoints, and supports automated CA rotation through cross-signing.
66. Consul - Encryption
If verify_server_hostname is set, then outgoing connections perform hostname verification. All servers must have a certificate valid for server.<datacenter>.<domain> or the client will reject the handshake.
67. package tlsutil - config.go L706-L726
CODE EDITOR
// Wrap a net.Conn into a client tls connection, performing any
// additional verification as needed.
//
// As of go 1.3, crypto/tls only supports either doing no certificate
// verification, or doing full verification including of the peer's
// DNS name. For consul, we want to validate that the certificate is
// signed by a known CA, but because consul doesn't use DNS names for
// node names, we don't verify the certificate DNS names. Since go 1.3
// no longer supports this mode of operation, we have to do it
// manually.
func (c *Configurator) wrapTLSClient(dc string, conn net.Conn) (net.Conn, error) {
	config := c.OutgoingRPCConfig()
	verifyServerHostname := c.VerifyServerHostname()
	verifyOutgoing := c.verifyOutgoing()
	domain := c.domain()
	if verifyServerHostname {
		// Strip the trailing '.' from the domain if any
		domain = strings.TrimSuffix(domain, ".")
		config.ServerName = "server." + dc + "." + domain
	}
	tlsConn := tls.Client(conn, config)
	// omitted for slide
}
68. Nomad - Securing With TLS
To fulfill the desired security properties, Nomad certificates are signed with their region and role, such as:
- client.global.nomad for a client node in the global region
- server.us-west.nomad for a server node in the us-west region
69. package tls - common.go L510-L521
CODE EDITOR
// VerifyPeerCertificate, if not nil, is called after normal
// certificate verification by either a TLS client or server. It
// receives the raw ASN.1 certificates provided by the peer and also
// any verified chains that normal processing found. If it returns a
// non-nil error, the handshake is aborted and that error results.
//
// If normal verification fails then the handshake will abort before
// considering this callback. If normal verification is disabled by
// setting InsecureSkipVerify, or (for a server) when ClientAuth is
// RequestClientCert or RequireAnyClientCert, then this callback will
// be considered but the verifiedChains argument will always be nil.
VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
70. package nomad - server.go L451-L477
CODE EDITOR
// getTLSConf gets the server's TLS configuration based on the config supplied
// by the operator
func getTLSConf(enableRPC bool, tlsConf *tlsutil.Config, region string) (*tls.Config, tlsutil.RegionWrapper, error) {
	// omitted for slide
	if tlsConf.VerifyServerHostname {
		incomingTLS = itls.Clone()
		incomingTLS.VerifyPeerCertificate = rpcNameAndRegionValidator(region)
	} else {
		incomingTLS = itls
	}
	return incomingTLS, tlsWrap, nil
}
71. package nomad - server.go L479-L497
CODE EDITOR
// implements signature of tls.Config.VerifyPeerCertificate which is called
// after the certs have been verified. We'll ignore the raw certs and only
// check the verified certs.
func rpcNameAndRegionValidator(region string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, certificates [][]*x509.Certificate) error {
		if len(certificates) > 0 && len(certificates[0]) > 0 {
			cert := certificates[0][0]
			for _, dnsName := range cert.DNSNames {
				if validateRPCRegionPeer(dnsName, region) {
					return nil
				}
			}
			if validateRPCRegionPeer(cert.Subject.CommonName, region) {
				return nil
			}
		}
		return errors.New("invalid role or region for certificate")
	}
}
72. package nomad - server.go L499-L515
CODE EDITOR
func validateRPCRegionPeer(name, region string) bool {
	parts := strings.Split(name, ".")
	if len(parts) < 3 {
		// Invalid SAN
		return false
	}
	if parts[len(parts)-1] != "nomad" {
		// Incorrect service
		return false
	}
	if parts[0] == "client" {
		// Clients may only connect to servers in their region
		return name == "client."+region+".nomad"
	}
	// Servers may connect to any Nomad RPC service for federation.
	return parts[0] == "server"
}
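As an added example (not mkcert's, Consul's or Nomad's own code), the Go program below does in memory what the mkcert walkthrough did on the terminal: a throwaway CA with CA:TRUE, pathlen:0 issues a CA:FALSE leaf, the chain-of-trust properties from the Chain of Trust slide and the AKI/SKI match from the Authority Key Identifier slide are checked by hand, crypto/x509 builds the path to the trust anchor, and the Nomad role/region rule is applied to the verified leaf the way rpcNameAndRegionValidator does. The names template, issue and verifyPeer, the organization strings, the P-256 keys and the one-day validity are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Constructed example (not mkcert's, Consul's or Nomad's code). template is a CA
// (CA:TRUE, pathlen:0, Certificate Sign) when san is empty, else a CA:FALSE leaf for san.
func template(serial int64, san string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"example development CA"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if san == "" {
		t.IsCA, t.MaxPathLenZero, t.KeyUsage = true, true, x509.KeyUsageCertSign
		return t
	}
	t.Subject.Organization[0] = "example development certificate"
	t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{san}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	return t
}

// issue signs tmpl with the parent's key, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyPeer checks the slide's chain properties by hand (issuer == CA subject, AKI ==
// CA's SKI), builds the path to the trust anchor, then applies Nomad's role/region rule.
func verifyPeer(leaf, ca *x509.Certificate, region string) error {
	if leaf.Issuer.String() != ca.Subject.String() || string(leaf.AuthorityKeyId) != string(ca.SubjectKeyId) {
		return errors.New("leaf was not issued by this CA (issuer/subject or AKI/SKI mismatch)")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err // also fires when a signer in the path is CA:FALSE (slide 51)
	}
	for _, name := range chains[0][0].DNSNames { // only the verified leaf, as in Nomad
		p := strings.Split(name, ".")
		if len(p) >= 3 && p[len(p)-1] == "nomad" && (p[0] == "server" || name == "client."+region+".nomad") {
			return nil
		}
	}
	return errors.New("invalid role or region for certificate")
}
```

A second CA with the same subject name but a different key is rejected by the AKI/SKI comparison before any signature is checked, which is the point of slide 52.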