The WiFiMon Analysis Station Server (WAS) is the core component of WiFiMon which gathers and processes all the measurement data. The WAS receives the following data:
- Results of crowdsourced measurements streamed from End Users in the monitored WiFi networks.
- Results of deterministic measurements streamed from WiFiMon Hardware Probes in the monitored WiFi networks.
- RADIUS Logsand DHCP logs from RADIUS Serversand DHCP servers respectively.
- Wireless network performance metrics streamed from WiFiMon from WiFiMon Hardware Probes.
...
The
...
WAS mainly consists of two software components: (1) the WiFiMon Agent and (2) the WiFiMon GUI.
(1) WiFiMon Agent
The WiFiMon Agent is responsible for performing the following actions:
- The analysis of crowdsourced measurements. These measurements are received from End Users and WAS
The WiFiMon Agent is a software component of the WiFiMon Analysis Station that:
- Analyzes crowdsourced measurements received from End Users and correlates them with information received from RADIUS and DHCP Logs when/if this information is available.
- Analyzes deterministic measurements The analysis of deterministic measurements. These measurements are received from WiFiMon Hardware Probes and and WAS correlates them with information received from RADIUS Logs and DHCP Logs when/if this information is available.
- Analyzes wireless The analysis of wireless network performance metrics received from WiFiMon Hardware Probes.
- Stores Storing the results of analysis and correlation.
The WiFiMon GUI is a software component closely associated with the WiFiMon Agent that allows the Administrators to inspect their monitored WiFi networks.
In the rest of the guide, we refer to the WiFiMon Agent as Non-Secure WiFiMon Agent if WiFiMon Agent can operate in a non-secure manner (non-secure WiFiMon Agent) when the crowdsourced and deterministic measurements are streamed over HTTP or in a secure manner (Secure WiFiMon Agent) if measurements are streamed over HTTPS.
(2) WiFiMon GUI
The WiFiMon GUI provides a graphical representation of the measurement results and various anayses as described above.
WAS Installation and Configuration Guide
This guide given below The guide presents the commands needed required to install the WiFiMon Analysis Station (WAS) in WAS in a Debian-based distribution (Debian, Ubuntu, etc.). Other distributions can may also be used, considered by adjusting the apt install included commands appropriately. Our installation was tested in Ubuntu 18.
...
04 LTS.
Prerequisites for the WiFiMon Analysis Station (WAS) Installation
To install WiFiMon Analysis Station (WAS) successfully, the following software components are required:
- WiFiMon Agent package (version 1.3.0)
- PostgreSQL (required, tested on version 9.6) and phpPgAdmin (optional10.16)
- Java 8 (or later)11
- Elasticsearch (required, tested on version 7.49.23)
- Kibana (required, tested on version 7.49.23)
- Logstash (required in case of correlation with RADIUS and DHCP Logs, tested on version 7.49.23)
By default, the The following ports must be available on the installation serverWAS. However, the ports may be changed manually depending on your needs:
- 5044: for Logstash
- 5432: for PostgreSQL
- 5601: for Kibana
- 8441: for WiFiMon GUI
- 8443: for WiFiMon Secure Agent
- 9000: for WiFiMon Non-secure Agent (optional)
- 9200: for communication with Elasticsearch
1. Overview of the WiFiMon Analysis Station (WAS)
...
Installation
A summary of the mandatory steps for the installation (detailed in the linked sections below):
Install PostgreSQL (and optionally phpPgAdmin)
...
...
...
...
...
...
...
...
There are also some optional steps:Compile
...
Configure dashboard for subnets
Configure dashboard for HW probes
...
Anchor PostgreSQL PostgreSQL
2. PostgreSQL
PostgreSQL | |
PostgreSQL |
...
Installing PostgreSQL from a package manager requires using the
...
To install PostgreSQL and phpPgAdmin (optional), you must use the following commands:
Code Block |
---|
sudo apt-get install -y postgresql postgresql-contrib |
...
|
By default, PostgreSQL is configured to listen on localhost. We suggest that you do not change this default configuration is not modified.
After the successful installation of PostgreSQLof PostgreSQL, the database and tables of the following sections required by WiFiMon should be created. Detailed instructions are included in the following subsections.
Anchor database database
database | |
database |
...
2.1. Database and User Creation
Run the following commands to create the database wifimon_database and user wifimon_user. This database The following code block includes the appropriate SQL commands required to create (i) a database that will store information related to Subnets , and Access Points and user accounts monitored by WiFiMon as well as accounts of users that can access the GUI. From root user become user postgres with “su postgres”. Afterwards, use the following commands and appropriately set the password for the wifimon_user:
psql
Code Block | ||
---|---|---|
| ||
CREATE USER wifimon_user WITH PASSWORD 'wifimonpass';
CREATE DATABASE wifimon_database OWNER wifimon_user; |
WiFiMon GUI and (ii) a user that will be able to access this database. The following commands create the (i) database "wifimon_database" and (ii) the user "wifimon_user" with password "wifimonpass". We strongly suggest that these example names are changed in production environments.
Accessing PostgreSQL requires becoming user "postgres". This is possible from the "root" user using the command “su postgres”. Afterwards, the terminal-based front-end of PostgreSQL is accessed using the command "psql". Once the database is created, you should connect to wifimon_database:
Code Block | ||
---|---|---|
| ||
\cCREATE USER wifimon_database; |
Execute the commands in the following paragraphs to create the necessary tables.
Create Subnets Table
user WITH PASSWORD 'wifimonpass';
CREATE DATABASE wifimon_database OWNER wifimon_user; |
After the creation of the database "wifimon_database", selecting this database is possible via the following command:
Code Block | ||
---|---|---|
| ||
\c wifimon_database; |
The following subsections include the commands that are necessary for the creation of the required tables.
2.2. Creation of "subnets" Table
WiFiMon measures the performance of WiFi networks by embedding JavaScript code in frequently visited websites. Performance tests are triggered when End Users visit these websites and, in particular, after a web page is loaded so that browsing experience is not impacted by WiFiMon. Notably, these websites are not only visited by End Users residing in the monitored Subnets, but also from End Users outside them. Thus, alleviating the WAS from processing excessive traffic requires that performance tests consider measurements originating only from the WiFi networks that are monitored. To that endIn order to measure the WiFi performance, WiFiMon embeds JavaScript in frequently-visited websites and the tests are triggered once the End User visits these websites. However, the tests should be restricted only to users/subnets that are served by the WiFi network that is measured. To achieve this, a list of the registered Subnets that are allowed to perform tests is included in subnets table:from which End User measurements are processed by the WAS are maintained in "subnets" table. The creation of this table is detailed in the following code block.
Code Block | ||
---|---|---|
| ||
CREATE TABLE subnets ( subnet text, subnet_id serial PRIMARY KEY ); |
Create Users Table
...
2.3. Creation of "accesspoints" Table
Table "accesspoints" is used to store information related to the Access Points monitored by WiFiMon. This information includes the latitude and longitude of Access Points, the building and floor in which they are installed and additional notes about them. This information is later used to depict performance results of End User measurements per Access Point. The creation of the "accespoints" table is detailed in the following code block.
Code Block | ||
---|---|---|
| ||
CREATE TABLE usersaccesspoints ( idapid serial PRIMARY KEY, emailmac text NOT NULL, password_hashlatitude text NOT NULL, longitude text, rolebuilding text NOT NULL, floor text, notes text); |
...
2.4. Creation of "users" Table
Table accesspoints is "users" is used to store the Access Point information (latitude, longitude, building, floor, notes) in the database. This information is later used to depict the measurements per Access Point.information related to WiFiMon Users. WiFiMon GUI can be accessed by two types of WiFiMon Users: ADMIN and USER. ADMIN has full privileges to the WiFiMon GUI. An ADMIN is capable of adding/removing registered Subnets and Access Points as well as adding/removing WiFiMon Users. In contrast, a USER can navigate through the WiFiMon GUI dashboards, but is incapable of performing administration actions. The creation of the "users" table is detailed in the following code block.
Code Block | ||
---|---|---|
| ||
Code Block | ||
| ||
CREATE TABLE accesspointsusers ( apidid serial PRIMARY KEY, macemail text NOT NULL, latitudepassword_hash text, longitude text NOT NULL, buildingrole text, floor text, notes text); |
Create Options Table
NOT NULL); |
2.5. Creation of "options" Table
Table "options" stores information related to privacy settings, e.g. hiding/showing End User specific data Options table stores important privacy settings such as hiding or showing End User related data in the WiFiMon GUI. Correlation options are also included in this table. The creation of the "options" table is detailed in the following code block.
Code Block | ||
---|---|---|
| ||
CREATE TABLE options ( optionsid serial PRIMARY KEY, userdata text NOT NULL, uservisualoption text NOT NULL, correlationmethod text NOT NULL ); |
Now, exit from Exiting the database by entering \q.
Set Privileges
is possible using the command "\q" within the terminal-based front-end of PostgreSQL.
Setting Privileges in PostgreSQL
Setting To set SELECT, INSERT, DELETE, UPDATE privileges to for the database user, e.g. "wifimon_user, follow " requires the commands bellow:
su postgres
psql
following commands issued within the terminal-based front-end of PostgreSQL:
Code Block | ||
---|---|---|
| ||
GRANT USAGE ON SCHEMA public to wifimon_user; GRANT CONNECT ON DATABASE wifimon_database to wifimon_user; \c wifimon_database GRANT USAGE ON SCHEMA public to wifimon_user; GRANT SELECT ON subnets, users, accesspoints, options TO wifimon_user; GRANT INSERT ON subnets, users, accesspoints, options TO wifimon_user; GRANT DELETE ON subnets, users, accesspoints, options TO wifimon_user; GRANT UPDATE ON accesspoints, options TO wifimon_user; GRANT USAGE, SELECT ON SEQUENCE subnets_subnet_id_seq TO wifimon_user; GRANT USAGE, SELECT ON SEQUENCE users_id_seq TO wifimon_user; GRANT USAGE, SELECT, UPDATE ON SEQUENCE options_optionsid_seq TO wifimon_user; GRANT USAGE, SELECT, UPDATE ON SEQUENCE accesspoints_apid_seq TO wifimon_user; |
Exit from Exiting the database by entering \qis possible using the command "\q" within the terminal-based front-end of PostgreSQL.
Create an admin account to login
An initial ADMIN WiFiMon User should be created to allow access to the WiFiMon GUI.
su postgres
psql
for accessing the WiFiMon GUI. Within the terminal-based front-end of PostgreSQL, an ADMIN WiFiMon User is created using the commands in the following code block after connection to the WiFiMon database. Notably, passwords are stored hashed within the database.
Code Block | ||
---|---|---|
| ||
\c wifimon_database INSERT INTO users VALUES ('1', 'admin@test.com', '$2a$06$AnM.QevGa4BPGg7hc3nEBua6stnbZ8h4PrCjSbDxW.LWL7t4MX8vO', 'ADMIN'); |
By inserting Inserting this entry to the "users table, you will be " table creates an ADMIN WiFiMon User that is able to login as ADMIN with in the WiFiMon GUI using the following credentials:
Email: admin@test.com
Password: admin1
This (this account can be later deleted from the WiFiMon GUI ; however(after step 5). However, an ADMIN account should always be present in order to access the WiFiMon GUI and manage the WiFiMon Users, Access Points and Subnets):
Email: admin@test.com
Password: admin1
We suggest that you change your password . We strongly suggest that the password is changed from the WiFiMon GUI when the installation is complete (Section step 5).
Anchor java java
3. Java
java | |
java |
...
Installation
WiFiMon currently supports Java 11. The required commands are the following:
Code Block |
---|
sudo apt update
sudo apt-get install -y openjdk-11-jdk openjdk-11-jre |
Java installation can be verified with the following command:
Code Block |
---|
java -version |
Setting the JAVA_HOME variable requires (i) finding the installed Java alternatives using the following command
...
To install Java 8, please see the instructions at HERE. These instructions are tested for a Debian 10 Installation and will install the OpenJDK 8 using the AdoptOpenJDK repository. The following commands are taken from the aforementioned link:
sudo apt update
sudo apt install apt-transport-https ca-certificates wget dirmngr gnupg software-properties-common
wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | sudo apt-key add -
sudo add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
sudo apt update
sudo apt install adoptopenjdk-8-hotspot
Verify that Java is installed with the following command: java -version
Set the JAVA_HOME variable: Print the Java alternatives in your system with "sudo update-alternatives --config java" Make changes to and (ii) modifying the /etc/environmentenvironment configuration file based on the output of the previous command. For the adoptojdk-8-hotspot, enterIn our case, JAVA_HOME requires the following value:
JAVA_HOME="/usr/lib/jvm/adoptopenjdkjava-811-hotspotopenjdk-amd64", i.e without /bin/java at the end.
Apply changes: source
Changes are applied with the following command:
Code Block |
---|
source /etc/environment |
Note that Ubuntu 18.04 repositories still include Java 8 which can be installed by:
apt-get install -y default-jdk default-jre
Anchor elasticsearch elasticsearch
4. Elasticsearch and Kibana
elasticsearch | |
elasticsearch |
To install Elasticsearch Installing Elasticsearch 7.9.3 and Kibana , execute 7.9.3, requires executing the following commands:
- Elasticsearch 7.49.23
Code Block |
---|
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7. |
...
9. |
...
3-amd64.deb |
...
sudo dpkg -i elasticsearch-7. |
...
9. |
...
3-amd64.deb |
- Kibana 7.9.3
Anchor kibana kibana
...
Code Block |
---|
wget https://artifacts.elastic.co/downloads/kibana/kibana-7. |
...
9. |
...
3-amd64.deb |
...
sudo dpkg -i kibana-7. |
...
9. |
...
3-amd64.deb |
...
Anchor elasticsearch
elasticsearch |
...
_configure elasticsearch_configure
Elasticsearch Configuration
_configure | |
elasticsearch_configure |
In the configuration file of Elasticsearch (/etc/elasticsearch/elasticsearch.yml), insert/change the following lines . Note thatshould be inserted/changed. Notably, bold parts must be adjusted to your the particular configuration of the reader. In the following, we configure Elasticsearch to be accessible from the outside of the WiFiMon Analysis Stationpublicly accessible:
cluster.name: elasticsearch node.name: ${HOSTNAME} node.master: true node.voting_only: false node.data: true node.ingest: true node.ml: false cluster.remote.connect: false path.data: /var/lib/elasticsearch path.logs: /var/log/elasticsearch network.host: INSERT the Fully Qualified Domain Name (WAS_FQDN) to which the server listens discovery.seed_hosts: [“"INSERT the WAS_FQDN to which the server listens”"] cluster.initial_master_nodes: INSERT the HOSTNAME (not WAS_FQDN) of the server xpack.ml.enabled: false xpack.security.enabled: false |
You may start the The Elasticsearch cluster should be started with the following command:
Code Block |
---|
service elasticsearch restart |
...
Verifying that Elasticsearch is running is possible via: netstat -tlnpu (ports 9200, 9300)
Note that Notably, "cluster.initial_master_nodes" must be commented out after the first initialization of your Elasticsearch the Elasticsearch cluster. The above configuration assumes that your the setup includes only one Elasticsearch a single Elasticsearch node. For Configuration for more advanced setups , you may find information is available in the following WiFiMon guide "RADIUS Logs Streaming to Elasticsearch - SimulationStreaming Logs Into ELK Cluster".
Anchor kibana_configure kibana_configure
Kibana Configuration
kibana_configure | |
kibana_configure |
After installing Kibana, the installation some following configurations are required . Open in the Kibana configuration file (/etc/kibana/kibana.yml) and make the . The following changes should be made in the corresponding sections/fields of the configuration file. Note thatNotably, bold parts must be adjusted to your the particular configuration of the reader.
server.port: 5601 server.host: “"INSERT the Fully Qualified Domain Name (WAS_FQDN) to which the server listens”" server.name: “wifimon"wifimon-kibana”kibana" elasticsearch.hosts: [“http"http://WAS_FQDN:9200”9200"] server.ssl.enabled: false |
You may start Kibana with: service kibana restart
...
Kibana should be started with the following command:
Code Block |
---|
service kibana restart |
Verifying that kibana is running is possible via: netstat -tlnpu (port 5601)
Anchor wifimon wifimon
5. WiFiMon Installation
wifimon | |
wifimon |
To install WiFiMon, use the following Installing WiFiMonrequires the following commands:
Code Block |
---|
wget |
...
http:// |
...
83.97.95.167/deb/wifimon-agent- |
...
1. |
...
3. |
...
0.deb |
...
sudo apt-get update |
...
sudo apt-get install -y gdebi |
...
sudo gdebi wifimon-agent- |
...
1. |
...
3. |
...
0.deb |
Afterwards, you will be able to see the following files will show up in /usr/lib/wifimon/ directory of the installation computer:
elasticsearch.sh: Script to create Elasticsearch indices
kibana-import.ndjson: JSON file to be imported in Kibana to create the necessary visualizations and dashboards
start.sh: Script for starting WiFiMon GUI and Agent
secure-processor-0.1.13.war0war: This incorporates both the WiFiMon Secure and Non-Secure Agent.
ui-01.13.10.war: This incorporates the WiFiMon GUI.
config: Directory with configuration files that need to . Their parameters must be filled in.
keystore: Directory where the Java Keystore should be stored in order to run WiFiMon Agent and GUI on HTTPS
- probes: Contains files related to the configuration of WiFiMon Hardware Probes.
- subnets: Contains files related to the configuration of the different subnets visualization.
Give permissions to execute the scripts Execution permissions are required for scripts elasticsearch.sh and start.sh. These are provided with the following commands: Anchor run run
Code Block |
---|
chmod +x elasticsearch.sh |
...
chmod +x start.sh |
Before executing the execution of script elasticsearch.sh, you must install “curl”. This can be done "curl" must be installed. This is possible using the following commands:
Code Block |
---|
sudo apt-get update |
...
sudo apt-get install -y curl |
You should edit the Script elasticsearch.sh script based on what interface your Elasticsearch cluster listen on. You should provide the FQDN of the WAS or localhost if the WAS listens on localhost. Add must be edited to match the interface the Elasticsearch cluster listens to. To that end, the variable FQDN with the elasticsearch.sh file should be substituted with the value of the "network.host" attribute in "/etc/elasticsearch/elasticsearch.yml" file. Script elasticsearch.sh will add the required indices and some initial data in the Elasticsearch cluster by executing the elasticsearch.sh script.:
Code Block |
---|
./elasticsearch.sh |
Go to Kibana page, select Management and press Index Patterns to configure them. Insert the following to create wifimon indexIn the sequel, Kibana index patterns should be configured from the Kibana User Interface. In Kibana, the "wifimon" index pattern can be created from Management/Stack Management/Index Patterns. The following details should be provided:
Index pattern: wifimon
- Time Filter field name: timestamp
Index pattern ID: wifimon_v0.1 (press advanced optionsoptions should be selected to see this field)
and the following details are required to create radiuslogs "probes" index (for the correlation RADIUS Logs with measurementsthe metrics collected from the WiFiMon Hardware Probes):
Index pattern: radiuslogsprobes
- Time Filter field name: Timestamptimestamp
Index pattern ID: radiuslogsprobes_v0.1 (press advanced optionsoptions should be selected to see this field)
and the following to create probes index (for the metrics collected from the WiFiMon Hardware Probes):
Index pattern: probes
- Time Filter field name: timestamp
Index pattern ID: probes_v0.1 (press advanced options to see this field)
and the following to create dhcplogs index (for correlation with DHCP logs):
Index pattern: dhcplogs
- Time Filter field name: timestamp
Index pattern ID: dhcplogs_v0.1 (press advanced options to see this field)
After you create the index pattern go to Saved Objects tab, press Import and import the kibana-import.ndjson to create the necessary visualizations and dashboards.
After the creation of index patterns, the necessary visualizations and dashboards should be imported. To that end, the kibana-import.ndjson file should be imported in the Management/Stack Management/Saved Objects tab.
Finally, WiFiMon properties should be configured in the files (secure-processor.Go to config directory and fill in the configuration files (secure-processor.properties, ui.properties) . You may ignore the processor.properties file. Note that WiFiMon of the WiFiMon config directory. Notably, WiFiMon uses HMAC SHA-512 encryption to encrypt sensitive data (End User IP addresses, End User MAC addresses) that are stored in the Elasticsearch cluster and visualized by Kibana. In secure-processor.properties, you have to define the key of the key of this algorithm (type String).
Start the WiFiMon Secure Agent and WiFiMon GUI: ./start.sh
...
Note: This step is only required if you make changes to the WiFiMon Code, as the ones listed in sections below.
Get the WiFiMon code from the official repository (https://bitbucket.software.geant.org/projects/WFMON/repos/agent/browse). A requirement to compile WiFiMon code is Apache Maven. You can install it via the following commands:
sudo apt-get update
sudo apt-get install -y maven
Enter the WiFiMon code folder: cd agent
Compile the WiFiMon code using the following commands:
mvn clean install
mvn package
Copy the WiFiMon files in the /usr/lib/wifimon directory:
cp /agent/wifimon-assembly/target/wifimon-agent-bin/secure-processor-0.1.1-SNAPSHOT.war /usr/lib/wifimon/secure-processor-0.1.1.war
cp /agent/wifimon-assembly/target/wifimon-agent-bin/ui-0.1.1-SNAPSHOT.war /usr/lib/wifimon/ui-0.1.1.war
...
Apart from entering a new subnet in the configuration tab, you are required to create a new entry in the Subnets Tab to monitor your WiFi network. This requires performing a few modifications to the WiFiMon Java code as well as modifying HTML code. In the following, we will demonstrate an example of creating an entry for the subnet a.b.c.d/xx where xx is the subnet netmask. The folder that contains the WiFiMon code is called “agent”. Note that the WiFiMon code includes an entry for the subnet “147.102.13.0/24” for demonstration purposes. You may remove this Subnet or overwrite it with yours.
Edit file /agent/wifimon-ui/src/main/resources/templates/fragments/header.html
Insert the red lines as below:
...
<li th:class="${classActiveSettingsSubnets}" class="dropdown"><a class="dropdown-toggle" data-toggle="dropdown" href="#">Subnets<span class="caret"></span></a>
<ul class="dropdown-menu">
<li><a href="#" th:href="@{/secure/Subnets/147_102_13_0_24}">147.102.13.0/24</a></li>
<li><a href="#" th:href="@{/secure/Subnets/a_b_c_d_xx}">a.b.c.d/xx</a></li>
</ul></li>
Copy the template file /usr/lib/wifimon/subnets/elasticsearchSubnets_a_b_c_d_xx.html to /agent/wifimon-ui/src/main/resources/templates/secure/ and substitute a, b, c, d, xx according to the details of the monitored subnet. Inside this file, you should also substitute a, b, c, d, xx according to your setup. In the following, we provide the head of elasticsearchSubnets_147_102_13_0_24 that corresponds to the monitored subnet 147.102.13.0/24:
...
<head>
<title>Subnets 147.102.13.0/24</title>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<script src="//code.jquery.com/jquery-1.12.0.min.js"></script>
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap.css"/>
<link href="../../static/css/styling.css" rel="stylesheet" />
<script src="//netdna.bootstrapcdn.com/bootstrap/3.0.0/js/bootstrap.min.js"></script>
</head>
In /usr/lib/wifimon/subnets, you are given a template MeasurementsController_subnets.txt. You have to include this code extract in /agent/wifimon-ui/src/main/java/net/geant/wifimon/agent/controller/MeasurementsController.java and (a) change a, b, c, d and xx according to your setup and (b) enter the link from the Kibana Dashboard where it is requested.
...
@RequestMapping(value = "/secure/Subnets/a_b_c_d_xx")
public String elasticsearchSubnets_a_b_c_d_xx(Model model, HttpSession session, HttpServletRequest request) {
UrlParameters urlParameters = createUrlParameters(request);
String elasticsearchURL;
elasticsearchURL = environment.getProperty(KIBANA_PROTOCOL) + "://" + environment.getProperty(SERVER_HOST_NAME) + ":" + environment.getProperty(KIBANA_PORT) +
"ENTER_KIBANA_VISUALIZATION_LINK_HERE";
model.addAttribute("classActiveSettingsSubnets", "active");
model.addAttribute("elasticsearchURL", elasticsearchURL);
return "secure/elasticsearchSubnets_a_b_c_d_xx";
}
...
In the following, we will demonstrate an example of creating an entry for the HW Probe corresponding to the number x, i.e. testtools are NetTest-x, boomerang-x and speedtest-x. The folder that contains the WiFiMon code is called “agent”. Note that the WiFiMon code includes 10 preconfigured WiFiMon HW Probes.
Firstly, you should create a new option in the HWProbes Tab of the WiFiMon GUI for the desired WiFiMon HW Probe with number x. Edit file /agent/wifimon-ui/src/main/resources/templates/fragments/header.html.
Insert the red lines as below:
...
<li th:class="${classActiveSettingsHWProbes}" class="dropdown"><a class="dropdown-toggle" data-toggle="dropdown" href="#">HWProbes<span class="caret"></span></a>
<ul class="dropdown-menu">
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe1}">HWProbe1</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe2}">HWProbe2</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe3}">HWProbe3</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe4}">HWProbe4</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe5}">HWProbe5</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe6}">HWProbe6</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe7}">HWProbe7</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe8}">HWProbe8</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe9}">HWProbe9</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbe10}">HWProbe10</a></li>
<li><a href="#" th:href="@{/secure/HWProbes/HWProbex}">HWProbex</a></li>
</ul>
</li>
must be defined (property "sha.key"). This key is of type String and the reader could select any well-formatted string, preferably of big length. This string is defined only in the secure-processor.properties configuration file.
Apart from the "sha.key" property, the WiFiMon administrator is required to provide the port on which the WAS listens (property "server.port"), i.e. 9000 for the case of the WiFiMon Non-Secure Agent. Later, this documentation demonstrates how to install the WiFiMon Secure Agent; the WiFiMon Administrator is then required to change the value of the "server.port" property to 8443 from 9000.
Moreover, the WiFiMon Administrator should set the value of the PostgreSQL properties according to what was provided in the 2nd step of this documentation. Based on the example values of our documentation, "spring.datasource.url" can be defined as "jdbc:postgresql://localhost:5432/wifimon_database" and "spring.datasource.username", "spring.datasource.password" properties can be defined as "wifimon_user", "wifimonpass" respectively. Please, make sure that you change the aforementioned password to secure your PostgreSQL database setup.
Afterwards, the WiFiMon Administrator is required to provide the name of the Elasticsearch cluster ("elasticsearch.clustername" property) that was provided in step 4 of this documentation (e.g. "elasticsearch" in this guide) and the FQDN Elasticsearch listens on for the "elasticsearch.host" property.
In ui.properties, the WiFiMon Administrator is expected to provide the values for the PostgreSQL properties (the same as in the secure-processor.properties file) as well as the Kibana properties. Specifically, the WiFiMon Administrator should insert the FQDN Kibana listens on ("server.host.name" property), the protocol used by Kibana ("kibana.protocol" property), which is "http" for the WiFiMon Non-Secure Agent (this step) or "https" for the WiFiMon Secure Agent (step 7 of this documentation) as well as the port Kibana listens to ("kibana.port" property), which is usually 5601. Finally, WiFiMon provides methods for checking if a new software version is available. To that end, the running version of the WiFiMon software is compared with the most recent version that is stored within a VM provided by GEANT. Moreover, this VM keeps some statistics of WiFiMon end users involving their IP address and running version. The purpose of this is to track how many users are currently utilizing WiFiMon and what versions. If the WiFiMon end user wants to be excluded from this process, "user.tracking" should be changed to "no".
Starting the WiFiMon Secure Agent and WiFiMon GUI requires the following command:
Code Block |
---|
./start.sh |
Anchor compile compile
6. WiFiMon Code Compilation
compile | |
compile |
Note: This step is only required if the WiFiMon Code is modified by the reader to include new features.
The WiFiMon code can be obtained from the official repository (https://bitbucket.software.geant.org/projects/WFMON/repos/agent/browse). A requirement to compile WiFiMon code is Apache Maven. It can be installed via the following commands:
Code Block |
---|
sudo apt-get update
sudo apt-get install -y maven |
Within the WiFiMon code folder (cd agent), the WiFiMon code ban be compiled using the following commands:
Code Block |
---|
mvn clean install
mvn package |
Afterwards, WiFiMon war files should be copied in the /usr/lib/wifimon directory:
Code Block |
---|
cp agent/wifimon-assembly/target/wifimon-agent-bin/secure-processor-1.3.0.war /usr/lib/wifimon/secure-processor-1.3.0.war
cp agent/wifimon-assembly/target/wifimon-agent-bin/ui-1.3.0.war /usr/lib/wifimon/ui-1.3.0.war |
Anchor letsencrypt letsencrypt
7. Configuration of the WiFiMon Secure Agent
letsencrypt | |
letsencrypt |
Configuration of the WiFiMon Secure Agent will be demonstrated using a Let’s encrypt certificate. Readers are free to use whatever certificate they prefer.
In the sequel, we assume that both the WAS and the WiFiMon Test Server (WTS) are installed within the same machine and thus, they depend on the same certificate. Notably, the WAS and the WTS could be installed in separate machines. Moreover, the configuration is demonstrated for an Apache web server. However, any web server could be selected.
Firstly, installation of certbot is required:
Code Block |
---|
sudo apt-get update
sudo apt-get install -y certbot |
A certificate must be requested for the FQDN of the WAS/WTS, referred as WAS_FQDN:
Code Block |
---|
certbot certonly --webroot -w /var/www/html -d WAS_FQDN |
Note: Prior to this step, connections to port 80 must be allowed. If a web server is already installed on the machine, it should be temporarily stopped.
Issued certificates should be renewed regularly using the following command:
Code Block |
---|
certbot renew |
Next, generated certificates/keys will be inserted in the Apache configuration files. File /etc/apache2/sites-available/default-ssl.conf should be edited and the following lines should be changed based on the FQDN of the WAS/WTS, referred as WAS_FQDN.
SSLCertificateFile /etc/letsencrypt/live/WAS_FQDN/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/WAS_FQDN/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/WAS_FQDN/chain.pem |
Changes should be applied and SSL should be enabled using the following commands:
Code Block |
---|
a2ensite default-ssl
a2enmod ssl
systemctl restart apache2 |
More information is available in the following links from which the above commands are taken:
https://www.server-world.info/en/note?os=Ubuntu_18.04&p=ssl&f=2
https://www.server-world.info/en/note?os=Ubuntu_18.04&p=httpd&f=8
The following files should be copied in /usr/lib/wifimon/keystore:
Code Block |
---|
cp /etc/letsencrypt/live/WAS_FQDN/cert.pem /usr/lib/wifimon/keystore/cert.pem
cp /etc/letsencrypt/live/WAS_FQDN/privkey.pem /usr/lib/wifimon/keystore/privkey.pem
cp /etc/letsencrypt/live/WAS_FQDN/chain.pem /usr/lib/wifimon/keystore/chain.pem |
Within /usr/lib/wifimon/keystore folder, PEM certificates should be converted to Java Keystore (JKS) format using the following commands:
Code Block |
---|
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cert.pem -out testkeystore.p12
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wifimon.jks -deststoretype JKS |
Passwords should be provided when prompted and noted.
In /usr/lib/wifimon/config/secure-processor.properties, the following changes should be made:
server.port=8443 server.ssl.key-store=./keystore/wifimon.jks server.ssl.key-store-password=[PASSWORD_keystore] server.ssl.key-password=[PASSWORD_key] |
In /usr/lib/wifimon/config/ui.properties, the following changes should be made:
server.ssl.key-store=./keystore/wifimon.jks server.ssl.key-store-password=[PASSWORD_keystore] server.ssl.key-password=[PASSWORD_key] kibana.protocol=https |
Furthermore, the following parameters of the file /etc/kibana/kibana.yml should be changed:
server.ssl.enabled: true server.ssl.certificate: /usr/lib/wifimon/keystore/cert.pem server.ssl.key: /usr/lib/wifimon/keystore/privkey.pem |
Moreover, in the WTS test pages, the agentPort should be agent from 9000 to 8443 in every testtool HTML page as well as http to https. Moreover, http should be changed to https in /var/www/html/wifimon/js/nettest/nettest-swfobject.js. This is a file related to the NetTest testtool. More information about these parameters is included in the WiFiMon Test Server (WTS) installation guide.
WiFiMon is now configured to use HTTPS for WiFiMon GUI and Agent.
Anchor xpack xpack
8. Configuring ELK Stack Security (X-Pack)
xpack | |
xpack |
In the sequel, we will secure the ELK stack using a self-signed certificate. First, the file “/usr/share/elasticsearch/instances.yml” should be created with the following contents:
Code Block |
---|
instances:
- name: elasticsearch
dns: WAS_FQDN
ip: WAS_IP |
Important Note: In case of correlation with RADIUS and DHCP Logs, Logstash is also required. In this case, instances.yml requires additional information. More information is available in the following WiFiMon guide "Streaming Logs Into ELK Cluster". The WAS guide mainly focuses on the integration of the previous guide with the WiFiMon code setup.
Then, the certificate of the Certificate Authority (CA) and its corresponding key should be generated using the following command:
Code Block |
---|
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --ca-dn CN=’WiFiMon CA’ --days 3650 --keysize 4096 --out wifimon-ca.zip --pass --pem |
This command will create the file “wifimon-ca.zip” in /usr/share/elasticsearch directory. The file contents should be unzipped using the following command:
Code Block |
---|
unzip /usr/share/elasticsearch/wifimon-ca.zip |
Then, the self-signed certificate and the corresponding key should be generated using the following command:
Code Block |
---|
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /usr/share/elasticsearch/ca/ca.crt --ca-key /usr/share/elasticsearch/ca/ca.key --days 1234 --in /usr/share/elasticsearch/instances.yml --keysize 4096 --out wifimon-certs.zip --pass --pem |
This command will create wifimon-certs.zip file in /usr/share/elasticsearch directory. The contents of this file should be unzipped using the following command:
Code Block |
---|
unzip /usr/share/elasticsearch/wifimon-certs.zip |
Directories /etc/elasticsearch/certs and /etc/kibana/certs should then be created. Files ca.crt, elasticsearch.key and elasticsearch.crt should be copied in the aforementioned directories and in /usr/lib/wifimon/keystore using the following commands:
Code Block |
---|
mkdir /etc/elasticsearch/certs
mkdir /etc/kibana/certs
cp /usr/share/elasticsearch/ca/* /etc/elasticsearch/certs/
cp /usr/share/elasticsearch/ca/* /etc/kibana/certs/
cp /usr/share/elasticsearch/elasticsearch/* /etc/elasticsearch/certs/
cp /usr/share/elasticsearch/elasticsearch/* /etc/kibana/certs/
cp /usr/share/elasticsearch/ca/* /usr/lib/wifimon/keystore/
cp /usr/share/elasticsearch/elasticsearch/* /usr/lib/wifimon/keystore/ |
Then, the elasticsearch keystore should be configured using the following command:
Code Block |
---|
/usr/share/elasticsearch/bin/elasticsearch-keystore create |
Adding certificate key passphrase for HTTP communication protocol requires using the following command and entering the elasticsearch certificate key passphrase when prompted:
Code Block |
---|
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase |
Adding certificate key for transport communication protocol and entering the elasticsearch certificate key passphrase when prompted is possible via the following command:
Code Block |
---|
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase |
The following command is required for setup verification:
Code Block |
---|
/usr/share/elasticsearch/bin/elasticsearch-keystore list |
The following information should be present:
Code Block |
---|
keystore.seed
xpack.security.http.ssl.secure_key_passphrase
xpack.security.transport.ssl.secure_key_passphrase |
In /etc/elasticsearch/elasticsearch.yml the following information should be added and the Εlasticsearch cluster should be then restarted:
xpack.security.enabled: true (you have previously set this value to false) xpack.security.http.ssl.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: full xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt |
Next, passwords for the built-in users should be generated. These passwords are not provided again and should be noted. Inside directory /usr/share/elasticsearch/bin/, the following command should be used:
Code Block |
---|
./elasticsearch-setup-passwords auto -u "https://WAS_FQDN:9200" |
Kibana keystore is configured using the following command:
Code Block |
---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore create |
The following command should be used and “kibana” should be provided as the username:
Code Block |
---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.username |
The following command should be used the password of the “kibana” built-in user should be provided:
Code Block |
---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.password |
The following command should be, then, used and the elasticsearch.key passphrase should be provided:
Code Block |
---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase |
The following command is required for setup verification:
Code Block |
---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore list |
The following information should be present:
Code Block |
---|
elasticsearch.username
elasticsearch.password
server.ssl.keyPassphrase |
In /etc/kibana/kibana.yml, the following details should be added and Kibana should be restarted:
elasticsearch.hosts: [“https://WAS_FQDN:9200”] elasticsearch.ssl.certificateAuthorities: [ “/etc/kibana/certs/ca.crt” ] elasticsearch.ssl.verificationMode: full |
Note: Make sure that certificates and keys in /etc/elasticsearch/certs/, /etc/kibana/certs/ and /usr/lib/wifimon/keystore/ are accessible by both Εlasticsearch and Kibana.
Next, the WiFiMon Agent properties should be configured. The truststore for X-Pack will be created using the following command:
Code Block |
---|
keytool -import -trustcacerts -alias root -file /usr/lib/wifimon/keystore/ca.crt -keystore /usr/lib/wifimon/keystore/truststore.jks |
The keystore for X-Pack will be created using the following commands:
Code Block |
---|
cat /usr/lib/wifimon/keystore/elasticsearch.crt /usr/lib/wifimon/keystore/elasticsearch.key > /usr/lib/wifimon/keystore/combined.crt
keytool -import -trustcacerts -alias yourdomain -file /usr/lib/wifimon/keystore/combined.crt -keystore /usr/lib/wifimon/keystore/keystore.jks |
File /usr/lib/wifimon/config/secure-processor.properties should be edited and the following lines should be added:
xpack.security.enabled=true ssl.certificate.type=keystore ssl.http.user.username=elastic ssl.http.user.password=[elastic built-in user password] ssl.http.keystore.filepath=/usr/lib/wifimon/keystore/keystore.jks ssl.http.keystore.password=[keystore.jks password] ssl.http.truststore.filepath=/usr/lib/wifimon/keystore/truststore.jks ssl.http.truststore.password=[truststore password] ssl.http.key.password=[elasticsearch.key password] |
Anchor links links
9. The WiFiMon GUI
links | |
links |
The installation is now complete. The WiFiMon GUI can be accessed at: https://WAS_FQDN:8441/login (see Figure 1)
The Kibana UI is available at https://WAS_FQDN:5601
Figure 1: WiFiMon login page
Credentials to login as ADMIN (see Section 2.5):
Email: admin@test.com
Password: admin1
The following tabs are available from the WiFiMon GUI:
Overview: Overview of the measurements for the current day, automatically updated every 30 seconds
Measurements: Measurements for the current day, automatically updated every 30 seconds
Subnets: This tab includes performance measurements for WiFiMon End Users (not WiFiMon Hardware Probes) in the monitored Subnets. By default, the measurements of all WiFiMon End Users are depicted regardless of the Subnet they reside. Visualizing measurements for a specific Subnet requires adding a Kibana filter (along with the existing one) from the "Add filter" option on top. For the example subnet a.b.c.d/xx, the Kibana filter is "requesterSubnet is a.b.c.d/xx".
HWProbes: This tab includes measurements from the monitored WiFiMon Hardware Probes (not WiFiMon End Users) in the monitored Subnets. By default, the measurements of all WiFiMon Hardware Probes are depicted. Visualizing measurements for a specific WiFiMon Hardware Probe requires adding a Kibana filter (along with the existing one) from the "Add filter" option on top. Each WiFiMon Hardware Probe is assigned a number. For the measurements of the WiFiMon Hardware Probe assigned the number "1", the required Kibana filter is "probeNo is 1". Assigning a number in each WiFiMon Hardware Probe is possible via the "testtool" attribute of the WiFiMon monitored test pages. More information is available in the WiFiMon Test Server installation guide
Copy the template file /usr/lib/wifimon/probes/elasticsearchHWProbesx.html to /agent/wifimon-ui/src/main/resources/templates/secure/ and substitute x according to your setup. Inside this file, you should also substitute x according to your setup. In the following, we provide the head of elasticsearchHWProbes10 that corresponds to the HW Probe with testtool number 10:
...
<head>
<title>Metrics for HW Probe 10</title>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<script src="//code.jquery.com/jquery-1.12.0.min.js"></script>
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap.css"/>
<link href="../../static/css/styling.css" rel="stylesheet" />
<script src="//netdna.bootstrapcdn.com/bootstrap/3.0.0/js/bootstrap.min.js"></script>
</head>
In /usr/lib/wifimon/probes, you are given a template MeasurementsController_probes.txt. You have to include this code extract in /agent/wifimon-ui/src/main/java/net/geant/wifimon/agent/controller/MeasurementsController.java and (a) change x according to your setup and (b) enter the link from the Kibana Dashboard where it is requested.
@RequestMapping(value = "/secure/HWProbes/HWProbex") public String elasticsearchHWProbe1(Model model, HttpSession session, HttpServletRequest request) { UrlParameters urlParameters = createUrlParameters(request); String elasticsearchURL; elasticsearchURL = environment.getProperty(KIBANA_PROTOCOL) + "://" + environment.getProperty(SERVER_HOST_NAME) + ":" + environment.getProperty(KIBANA_PORT) + "INSERT_KIBANA_DASHBOARD_LINK_HERE"; model.addAttribute("classActiveSettingsHWProbes", "active"); model.addAttribute("elasticsearchURL", elasticsearchURL); return "secure/elasticsearchHWProbesx"; } |
...
In the Kibana user interface, choose the Dashboard section. There, you will find a Dashboard called “SubnetsTimeseries_a.b.c.d/xx”. Add the appropriate filter corresponding to the number of your monitored subnet. For example, if the subnet is a.b.c.d/xx, you should add the following filter “requesterSubnet is a.b.c.d/xx”. Save your dashboard as a new dashboard. Remember to store time with your dashboard.
In Share --> Permanent Links --> Snapshot you can find the URL to include in the WiFiMon Java code.
...
In the Kibana user interface, choose the Dashboard section. There, you will find a Dashboard called “HW Probe Dashboard x”. Add the appropriate filter corresponding to the number of your monitored WiFiMon HW Probe. For example, if the testtool number of your WiFiMon HW Probe is 11, you should add the following filter “testTool is one of NetTest-11 boomerang-11 speedtest-11”. Save your dashboard as a new dashboard. Remember to store time with your dashboard.
In Share --> Permanent Links --> Snapshot you can find the URL to include in the WiFiMon Java code.
...
We will demonstrate the configuration of the WiFiMon Secure Agent with a Let’s encrypt certificate. WiFiMon Administrators are free to use whatever certificates they prefer. In the following, we assume that both WiFiMon Analysis Station and WiFiMon Test Server are installed in the same server and thus, use the same certificate. WiFiMon Administrators may install them in separate servers.
First, you have to install certbot:
sudo apt-get update
sudo apt-get install -y certbot
Request a certificate for the FQDN of your server:
certbot certonly --webroot -w /var/www/html -d WAS_FQDN
Note: Before this step, you need to allow connections to your Apache Web Server.
Issued certificates can be renewed with: certbot renew
Next, we will insert generated certificates/keys in the Apache configuration files. Edit file /etc/apache2/sites-available/default-ssl.conf and change the following lines:
SSLCertificateFile /etc/letsencrypt/live/WAS_FQDN/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/WAS_FQDN/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/WAS_FQDN/chain.pem |
Apply changes and enable SSL:
a2ensite default-ssl
a2enmod ssl
systemctl restart apache2
You may find more information in the following links:
https://www.server-world.info/en/note?os=Ubuntu_18.04&p=ssl&f=2
https://www.server-world.info/en/note?os=Ubuntu_18.04&p=httpd&f=8
Copy these files in /usr/lib/wifimon/keystore:
cp /etc/letsencrypt/live/WAS_FQDN/cert.pem /usr/lib/wifimon/keystore/cert.pem
cp /etc/letsencrypt/live/WAS_FQDN/privkey.pem /usr/lib/wifimon/keystore/privkey.pem
cp /etc/letsencrypt/live/WAS_FQDN/chain.pem /usr/lib/wifimon/keystore/chain.pem
Navigate to /usr/lib/wifimon/keystore folder. PEM certificates should be converted to Java Keystore (JKS) format:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cert.pem -out testkeystore.p12
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wifimon.jks -deststoretype JKS
Enter and note passwords when prompted.
In /usr/lib/wifimon/config/secure-processor.properties, make the following changes:
server.port=8443 server.ssl.key-store=./keystore/wifimon.jks server.ssl.key-store-password=[PASSWORD_keystore] server.ssl.key-password=[PASSWORD_key] |
In /usr/lib/wifimon/config/ui.properties, make the following changes:
server.ssl.key-store=./keystore/wifimon.jks server.ssl.key-store-password=[PASSWORD_keystore] server.ssl.key-password=[PASSWORD_key] kibana.protocol=https |
Furthermore, change the following parameters of the file /etc/kibana/kibana.yml:
server.ssl.enabled: true server.ssl.certificate: /usr/lib/wifimon/keystore/cert.pem server.ssl.key: /usr/lib/wifimon/keystore/privkey.pem |
Moreover, in your WiFiMon Test Server, change the agentPort from 9000 to 8443 in every testtool HTML page as well as http to https. Moreover, do not forget to change http to https in /var/www/html/wifimon/js/nettest/nettest-swfobject.js.
WiFiMon is now configured to use HTTPS for WiFiMon GUI and Agent.
...
We will secure the ELK stack using a self-signed certificate. First, you have to create the file “/usr/share/elasticsearch/instances.yml” with the following contents:
instances:
- name: elasticsearch
dns: WAS_FQDN
ip: WAS_IP
Note: In case you also configure Logstash, instances.yml requires additional information. Please, see the following WiFiMon guide "RADIUS Logs Streaming to Elasticsearch - Simulation". You should combine the information provided in these two guides to fully configure the WiFiMon Analysis Server.
Then, you will generate the certificate of the Certificate Authority (CA) and its corresponding key. Use the following command:
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --ca-dn CN=’WiFiMon CA’ --days 3650 --keysize 4096 --out wifimon-ca.zip --pass --pem
This command will create the file “wifimon-ca.zip” in /usr/share/elasticsearch directory. Unzip this file using the following command:
unzip /usr/share/elasticsearch/wifimon-ca.zip
Then, you will generate the self-signed certificate and the corresponding key. Use the following command:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /usr/share/elasticsearch/ca/ca.crt --ca-key /usr/share/elasticsearch/ca/ca.key --days 1234 --in /usr/share/elasticsearch/instances.yml --keysize 4096 --out wifimon-certs.zip --pass --pem
This command will create wifimon-certs.zip file in /usr/share/elasticsearch directory. Unzip this file using the following command:
unzip /usr/share/elasticsearch/wifimon-certs.zip
Create directories /etc/elasticsearch/certs and /etc/kibana/certs. Copy files ca.crt, elasticsearch.key and elasticsearch.crt in the aforementioned directories and in /usr/lib/wifimon/keystore.
mkdir /etc/elasticsearch/certs
mkdir /etc/kibana/certs
cp /usr/share/elasticsearch/ca/* /etc/elasticsearch/certs/
cp /usr/share/elasticsearch/ca/* /etc/kibana/certs/
cp /usr/share/elasticsearch/elasticsearch/* /etc/elasticsearch/certs/
cp /usr/share/elasticsearch/elasticsearch/* /etc/kibana/certs/
cp /usr/share/elasticsearch/ca/* /usr/lib/wifimon/keystore/
cp /usr/share/elasticsearch/elasticsearch/* /usr/lib/wifimon/keystore/
Then, you will configure the elasticsearch keystore. Use the following command:
/usr/share/elasticsearch/bin/elasticsearch-keystore create
Add certificate key passphrase for HTTP communication protocol. Use the following command and enter the certificate key passphrase when prompted:
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
Add certificate key for transport communication protocol and enter the certificate key passphrase:
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase
Execute the following command:
/usr/share/elasticsearch/bin/elasticsearch-keystore list
and verify that you have the following:
keystore.seed
xpack.security.http.ssl.secure_key_passphrase
xpack.security.transport.ssl.secure_key_passphrase
In /etc/elasticsearch/elasticsearch.yml add the following and restart the Εlasticsearch cluster:
xpack.security.enabled: true (you have previously set this value to false) xpack.security.http.ssl.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: full xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt |
Generate passwords for the built-in users. Note the passwords as they are not provided again. Inside directory /usr/share/elasticsearch/bin/, use the following command:
./elasticsearch-setup-passwords auto -u "https://WAS_FQDN:9200"
Configure Kibana keystore using the following command:
sudo -u kibana /usr/share/kibana/bin/kibana-keystore create
Use the following command and provide “kibana” as the username:
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.username
Use the following command and provide the password of the “kibana” built-in user:
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.password
Use the following command and provide the elasticsearch.key passphrase:
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase
Execute the following command:
sudo -u kibana /usr/share/kibana/bin/kibana-keystore list
and verify that you have the following:
elasticsearch.username
elasticsearch.password
server.ssl.keyPassphrase
In /etc/kibana/kibana.yml, add the following and restart Kibana:
...
Make sure that certificates and keys in /etc/elasticsearch/certs/, /etc/kibana/certs/ and /usr/lib/wifimon/keystore/ are accessible by both Εlasticsearch and Kibana.
Next, you will configure the WiFiMon Agent properties. Create the truststore for X-Pack:
keytool -import -trustcacerts -alias root -file /usr/lib/wifimon/keystore/ca.crt -keystore /usr/lib/wifimon/keystore/truststore.jks
Create the keystore for X-Pack:
...
Edit /usr/lib/wifimon/config/secure-processor.properties and add the following lines:
xpack.security.enabled=true ssl.certificate.type=keystore ssl.http.user.username=elastic ssl.http.user.password=[elastic built-in user password] ssl.http.keystore.filepath=/usr/lib/wifimon/keystore/keystore.jks ssl.http.keystore.password=[keystore.jks password] ssl.http.truststore.filepath=/usr/lib/wifimon/keystore/truststore.jks ssl.http.truststore.password=[truststore password] ssl.http.key.password=[elasticsearch.key password] |
...
The installation is now complete and you can access:
The WiFiMon GUI at https://WAS_FQDN:8441/login (see Figure 1)
The Kibana admin page at https://WAS_FQDN:5601
Figure 1: WiFiMon login page
Credentials to login as ADMIN (see paragraph 1.1):
Email: admin@test.com
Password: admin1
Once you login, you will be able to see the following tabs at the top of the WiFiMon GUI:
Overview: Overview of the measurements in current day, automatically updated every 30 seconds
Measurements: Measurements in current day, automatically updated every 30 seconds
Timeseries: This tab includes measurements from all monitored subnets.
Download Timeseries for current day, automatically updated every 30 seconds
Upload Timeseries for current day, automatically updated every 30 seconds
Ping Timeseries for current day, automatically updated every 30 seconds
Subnets: This tab includes measurments from each monitored subnet separately.
HWProbes: This tab includes measurements from each monitored WiFiMon Hardware Probe separately.
Statistics:
Pie Statistics for current day, automatically updated every 30 seconds (Error: Reference source not found)
Table Statistics for current day, automatically updated every 30 seconds
Maps:
Clients Maps, map withthe measurement count from clients location in current day, automatically updated every 30 seconds (Error: Reference source not found)
APs Maps, map withthe measurement count from APs location in current day, automatically updated every 30 seconds
Configuration:
Subnets: Add/remove subnets Subnets that are allowed to perform measurements
Access Points: Add remove information (MAC, latitude, longitude, etc.) about access points Access Points (necessary to depict measurements in APs Maps page)
Users: Add/remove users to login to the WiFiMon GUI (role "USER" does not have access "Configuration" and "Guide" tabs)
Privacy / Correlation: Hide/show user-related data, select the method to allow the correlation between measurements, client IP and AP MAC
Guide: Instruction on how to embed scripts (to perform measurements) to websites and locally install the available performance tests (NetTest, boomerang, speedtest/HTML5)
Help: Instruction on how to get help
- Check for updates: Check for newer versions of WiFiMon software.
As a first step you should add the subnet Subnet of your WiFi network to allow measurements.
Figure 2: Overview tab of WiFiMon GUI
Figure 3: Subnet Subnets tab of WiFiMon GUI
Figure 4: HWProbes tab (Performance metrics)
Figure 5: HWProbes tab (Wireless network metrics)