...

Code Block
service elasticsearch restart

Verifying that Elasticsearch is running is possible via: netstat -tlnpu (ports 9200, 9300)

Notably, "cluster.initial_master_nodes" must be commented out after the first initialization of the Elasticsearch cluster. The above configuration assumes that the setup includes a single Elasticsearch node. Configuration for more advanced setups is available in the following WiFiMon guide "Streaming Logs Into ELK Cluster".

...

Code Block
service kibana restart

Verifying that Kibana is running is possible via: netstat -tlnpu (port 5601)

5. WiFiMon Installation

...

Firstly, installation of certbot is required:

Code Block
sudo apt-get update
sudo apt-get install -y certbot

A certificate must be requested for the FQDN of the WAS/WTS, referred to as WAS_FQDN:

Code Block
certbot certonly --webroot -w /var/www/html -d WAS_FQDN

Note: Prior to this step, connections to port 80 must be allowed. If a web server is already installed on the machine, it should be temporarily stopped.

Issued certificates should be renewed regularly using the following command:

Code Block
certbot renew

Next, the generated certificates/keys will be inserted in the Apache configuration files. File /etc/apache2/sites-available/default-ssl.conf should be edited and the following lines should be changed based on the FQDN of the WAS/WTS, referred to as WAS_FQDN.

...

Changes should be applied and SSL should be enabled using the following commands:

Code Block
a2ensite default-ssl
a2enmod ssl
systemctl restart apache2

More information is available in the following links from which the above commands are taken:

...

The following files should be copied to /usr/lib/wifimon/keystore:

Code Block
cp /etc/letsencrypt/live/WAS_FQDN/cert.pem /usr/lib/wifimon/keystore/cert.pem
cp /etc/letsencrypt/live/WAS_FQDN/privkey.pem /usr/lib/wifimon/keystore/privkey.pem
cp /etc/letsencrypt/live/WAS_FQDN/chain.pem /usr/lib/wifimon/keystore/chain.pem

Within the /usr/lib/wifimon/keystore folder, PEM certificates should be converted to Java Keystore (JKS) format using the following commands:

Code Block
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cert.pem -out testkeystore.p12
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wifimon.jks -deststoretype JKS

Passwords should be provided when prompted and noted.

...

server.port=8443
server.ssl.key-store=./keystore/wifimon.jks
server.ssl.key-store-password=[PASSWORD_keystore]
server.ssl.key-password=[PASSWORD_key]

In /usr/lib/wifimon/config/ui.properties, the following changes should be made:

...

server.ssl.enabled: true
server.ssl.certificate: /usr/lib/wifimon/keystore/cert.pem
server.ssl.key: /usr/lib/wifimon/keystore/privkey.pem

Moreover, in the WTS test pages, the agentPort should be changed from 9000 to 8443 in every testtool HTML page, and http should be changed to https. In addition, http should be changed to https in /var/www/html/wifimon/js/nettest/nettest-swfobject.js, a file related to the NetTest testtool. More information about these parameters is included in the WiFiMon Test Server (WTS) installation guide.

...

Next, we will secure the ELK stack using a self-signed certificate. First, the file “/usr/share/elasticsearch/instances.yml” should be created with the following contents:

Code Block
instances:
  - name: elasticsearch
    dns: WAS_FQDN
    ip: WAS_IP

Important Note: In case of correlation with RADIUS and DHCP Logs, Logstash is also required. In this case, instances.yml requires additional information. More information is available in the following WiFiMon guide "Streaming Logs Into ELK Cluster". The WAS guide mainly focuses on the integration of the previous guide with the WiFiMon code setup.

Then, the certificate of the Certificate Authority (CA) and its corresponding key should be generated using the following command:

Code Block
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --ca-dn CN='WiFiMon CA' --days 3650 --keysize 4096 --out wifimon-ca.zip --pass --pem

This command will create the file “wifimon-ca.zip” in /usr/share/elasticsearch directory. The file contents should be unzipped using the following command:

Code Block
unzip /usr/share/elasticsearch/wifimon-ca.zip

Then, the self-signed certificate and the corresponding key should be generated using the following command:

Code Block
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /usr/share/elasticsearch/ca/ca.crt --ca-key /usr/share/elasticsearch/ca/ca.key --days 1234 --in /usr/share/elasticsearch/instances.yml --keysize 4096 --out wifimon-certs.zip --pass --pem

This command will create wifimon-certs.zip file in /usr/share/elasticsearch directory. The contents of this file should be unzipped using the following command:

Code Block
unzip /usr/share/elasticsearch/wifimon-certs.zip

Directories /etc/elasticsearch/certs and /etc/kibana/certs should then be created. Files ca.crt, elasticsearch.key and elasticsearch.crt should be copied to the aforementioned directories and to /usr/lib/wifimon/keystore using the following commands:

Code Block
mkdir /etc/elasticsearch/certs
mkdir /etc/kibana/certs
# Copy only the CA certificate; ca.key is not among the files listed above
cp /usr/share/elasticsearch/ca/ca.crt /etc/elasticsearch/certs/
cp /usr/share/elasticsearch/ca/ca.crt /etc/kibana/certs/
cp /usr/share/elasticsearch/elasticsearch/* /etc/elasticsearch/certs/
cp /usr/share/elasticsearch/elasticsearch/* /etc/kibana/certs/
cp /usr/share/elasticsearch/ca/ca.crt /usr/lib/wifimon/keystore/
cp /usr/share/elasticsearch/elasticsearch/* /usr/lib/wifimon/keystore/

Then, the elasticsearch keystore should be configured using the following command:

Code Block
/usr/share/elasticsearch/bin/elasticsearch-keystore create

The certificate key passphrase for the HTTP communication protocol is added with the following command; the passphrase should be entered when prompted:

Code Block
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase

The certificate key passphrase for the transport communication protocol is added with the following command; the passphrase should be entered when prompted:

Code Block
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase

The following command is required for setup verification:

Code Block
/usr/share/elasticsearch/bin/elasticsearch-keystore list

The following information should be present:

Code Block
keystore.seed

...


xpack.security.http.ssl.secure_key_passphrase

...


xpack.security.transport.ssl.secure_key_passphrase

In /etc/elasticsearch/elasticsearch.yml the following information should be added and the Elasticsearch cluster should then be restarted:

...

Next, passwords for the built-in users should be generated. These passwords are not provided again and should be noted. Inside directory /usr/share/elasticsearch/bin/, the following command should be used:

Code Block
./elasticsearch-setup-passwords auto -u "https://WAS_FQDN:9200"

Kibana keystore is configured using the following command:

Code Block
sudo -u kibana /usr/share/kibana/bin/kibana-keystore create

The following command should be used and “kibana” should be provided as the username:

Code Block
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.username

The following command should be used and the password of the “kibana” built-in user should be provided:

Code Block
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.password

The following command should then be used and the elasticsearch.key passphrase should be provided:

Code Block
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase

The following command is required for setup verification:

Code Block
sudo -u kibana /usr/share/kibana/bin/kibana-keystore list

The following information should be present:

Code Block
elasticsearch.username

...


elasticsearch.password

...


server.ssl.keyPassphrase

In /etc/kibana/kibana.yml, the following details should be added and Kibana should be restarted:

...

Note: Make sure that certificates and keys in /etc/elasticsearch/certs/, /etc/kibana/certs/ and /usr/lib/wifimon/keystore/ are accessible by both Elasticsearch and Kibana.
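
The two keystore verification steps and the access note above can be checked with a short script. This is an added example and not part of the WiFiMon guide: the function names are hypothetical, while the entry names and directories are the ones this page uses.

```shell
#!/bin/sh
# Added example, not part of the WiFiMon guide. Function names are
# hypothetical; entry names and directories are the ones the guide uses.

# Reads "keystore list" output on stdin and prints every expected entry
# (given as arguments) that is absent. Returns 1 if anything is missing.
missing_keystore_entries() {
    # Strip CRs and trailing blanks so they cannot defeat exact matching.
    listing=$(tr -d '\r' | sed 's/[[:space:]]*$//')
    rc=0
    for want in "$@"; do
        # -x whole line, -F literal string: "elasticsearch.password" is
        # not satisfied by a longer setting name that merely contains it.
        if ! printf '%s\n' "$listing" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Prints private-key files under the given directories whose mode lets
# every local user read or write them. Missing directories are skipped.
exposed_private_keys() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name '*.key' -o -name 'privkey.pem' \) \
            \( -perm -004 -o -perm -002 \) -print
    done | sort
}

# Entries the guide lists for each keystore.
ES_EXPECTED="keystore.seed xpack.security.http.ssl.secure_key_passphrase xpack.security.transport.ssl.secure_key_passphrase"
KIBANA_EXPECTED="elasticsearch.username elasticsearch.password server.ssl.keyPassphrase"
# Directories the guide copies certificates and keys into.
CERT_DIRS="/etc/elasticsearch/certs /etc/kibana/certs /usr/lib/wifimon/keystore"

# On the WAS host (run as root; word splitting of the lists is intended):
#   /usr/share/elasticsearch/bin/elasticsearch-keystore list | missing_keystore_entries $ES_EXPECTED
#   sudo -u kibana /usr/share/kibana/bin/kibana-keystore list | missing_keystore_entries $KIBANA_EXPECTED
#   exposed_private_keys $CERT_DIRS
```

A key reported by exposed_private_keys can be restricted with chmod and group ownership so that only the service accounts that need it keep read access.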

Next, the WiFiMon Agent properties should be configured. The truststore for X-Pack will be created using the following command:

Code Block
keytool -import -trustcacerts -alias root -file /usr/lib/wifimon/keystore/ca.crt -keystore /usr/lib/wifimon/keystore/truststore.jks

The keystore for X-Pack will be created using the following commands:

Code Block
cat /usr/lib/wifimon/keystore/elasticsearch.crt /usr/lib/wifimon/keystore/elasticsearch.key > /usr/lib/wifimon/keystore/combined.crt
keytool -import -trustcacerts -alias yourdomain -file /usr/lib/wifimon/keystore/combined.crt -keystore /usr/lib/wifimon/keystore/keystore.jks

File /usr/lib/wifimon/config/secure-processor.properties should be edited and the following lines should be added:

...