Live Workshop: Integrate Google SecOps with Bindplane - Join Us on January 29th at 11 AM ET!Sign Up Now

TLS

How to configure BindPlane OP with TLS using Step CLI for certificate generation

BindPlane OP supports TLS. This guide will focus on using Step CLI to create certificates, however, you can acquire certificates using your preferred method. Certificates must be x509 PEM encoded.

TLS with Step CLI

Step CLI can be used to create your own certificate authority and
server certificates. Step provides an easy-to-use interface. Alternatively, you could use OpenSSL.

Prerequisites

This guide assumes you will be deploying BindPlane and its agents to a network that has a working
Domain Name System (DNS). It is expected that agent systems will be able to connect to Bindplane
using its fully qualified domain name (FQDN).

If you do not have working DNS, it is possible to use /etc/hosts as a workaround. See this guide for details.

Environment

For this demonstration, we have four compute instances running on Google Cloud. The objective is to configure
BindPlane OP to use a server TLS certificate, and have all clients and collectors connect using TLS.

The following instances are deployed:

  • bindplane: Instance that hosts the BindPlane OP server.
  • collector-debian: Debian-based instance that will host a BindPlane OP agent.
  • collector-centos: CentOS-based instance that will host a BindPlane OP agent.
  • collector-windows: Windows Server instance that will host a BindPlane OP agent.
observIQ docs - TLS - image 1

Each instance belongs to a VPC in the project bindplane, which means each instance has a DNS name
with the following format: {{instance name}}.c.bindplane.internal.

Each instance has the following fully qualified domain name (FQDN):

  • bindplane: bindplane.c.bindplane.internal
  • collector-debian: collector-debian.c.bindplane.internal
  • collector-centos: collector-centos.c.bindplane.internal
  • collector-windows: collector-windows.c.bindplane.internal

All instances within the network can resolve each other using their FQDN. DNS plays a critical
role when using TLS, as it allows certificates to be verified against their hostname. If the hostname does not match
the certificate, the connection will be rejected unless steps are taken to disable TLS verification.

Deploy and Configure BindPlane

Follow the BindPlane OP Server Install Guide to install BindPlane OP.

Once installed, modify the /etc/bindplane/config.yaml to look like this:

yaml
1name: default
2apiVersion: bindplane.observiq.com/v1
3auth:
4  # A random uuid which is used as a shared secret between bindplane and
5  # deployed agents.
6  secretKey: ffb26038-5169-4496-b5fc-d5a185c33b96
7
8  # Basic auth should use a username other than
9  # admin along with a secure password.
10  username: admin
11  password: admin
12
13  # A random uuid which is used for generating web ui session cookies.
14  sessionSecret: 14dab09e-0ca5-4167-bde3-39c869f3fab4
15network:
16  # Listen on port 3001, all interfaces.
17  host: 0.0.0.0
18  port: '3001'
19
20  # Endpoint for which clients and collectors will interface
21  # with the server's http interface.
22  remoteURL: http://bindplane.c.bindplane.internal:3001
23store:
24  bbolt:
25    path: /var/lib/bindplane/storage/bindplane.db
26logging:
27  filePath: /var/log/bindplane/bindplane.log

Note that auth.secretKey and auth.sessionSecret should be random uuid values. You can generate your own
with the uuidgen command.

Make sure network.remoteURL use the correct FQDN. You can check your server's FQDN using the
hostname command:

bash
1$ hostname -f
2bindplane.c.bindplane.internal

Once BindPlane is configured, restart the server.

bash
1sudo systemctl restart bindplane

Verify that BindPlane OP is working by connecting to the public IP address on port 3001. In this example, that would be
http://bindplane.c.bindplane.internal:3001.

Create Certificates with Step

On the instance running your BindPlane OP server, install the step command line. Instructions
for installing step can be found here.

Create Certificate Authority

The following commands will write a certificate and private key
to tls-ca/ca.crt and tls-ca/ca.key in your working directory.

bash
1mkdir tls-ca
2
3step certificate create \
4	ca.c.bindplane.internal \
5	tls-ca/ca.crt tls-ca/ca.key \
6	--profile root-ca \
7	--no-password \
8	--insecure \
9	--not-after=8760h

Create BindPlane Server Certificate

The following commands will generate a server certificate signed by the CA previously
created. The certificate and private key will be written to /etc/bindplane/tls/bindplane.crt
and /etc/bindplane/tls/bindplane.key

bash
1sudo mkdir /etc/bindplane/tls
2
3sudo step certificate create \
4    bindplane.c.bindplane.internal \
5    /etc/bindplane/tls/bindplane.crt /etc/bindplane/tls/bindplane.key \
6    --profile leaf \
7    --not-after 2160h \
8    --no-password \
9    --insecure \
10    --ca tls-ca/ca.crt \
11    --ca-key tls-ca/ca.key
12
13sudo chown -R bindplane:bindplane /etc/bindplane/tls

Configure BindPlane to use TLS

With the server certificate created, make the following changes to /etc/bindplane/config.yaml:

  1. Modify network.remoteURL to use https
  2. Add tlsCert and tlsKey

Your configuration will look similar to this:

yaml
1name: default
2apiVersion: bindplane.observiq.com/v1
3auth:
4  # A random uuid which is used as a shared secret between bindplane and
5  # deployed agents.
6  secretKey: ffb26038-5169-4496-b5fc-d5a185c33b96
7
8  # Basic auth should use a username other than
9  # admin along with a secure password.
10  username: admin
11  password: admin
12
13  # A random uuid which is used for generating web ui session cookies.
14  sessionSecret: 14dab09e-0ca5-4167-bde3-39c869f3fab
15network:
16  # Listen on port 3001, all interfaces.
17  host: 0.0.0.0
18  port: '3001'
19
20  # Endpoint for which clients and collectors will interface
21  # with the server's http interface.
22  remoteURL: https://bindplane.c.bindplane.internal:3001
23  tlsCert: /etc/bindplane/tls/bindplane.crt
24  tlsKey: /etc/bindplane/tls/bindplane.key
25store:
26  bbolt:
27    path: /var/lib/bindplane/storage/bindplane.db
28logging:
29  filePath: /var/log/bindplane/bindplane.log

With the configuration updated, restart BindPlane OP:

bash
1sudo systemctl restart bindplane

To verify that BindPlane OP is using TLS, navigate to your server's IP address using https. For example,
https://bindplane.c.bindplane.internal:3001.

You should expect your browser to present a warning screen. This is because your workstation does not trust the
certificate. This is expected because you have not imported the certificate authority into your trust store. At this
time, it is safe to skip the warning and continue. Note that this warning should never be ignored in production, or in areas where
it is not expected.

Import Certificate Authority on Collector Systems

In all instances that will be running a BindPlane OP agent, we need to import
the certificate authority. This will allow the collector software to trust the BindPlane
server certificate.

  1. Copy tls-ca/ca.crt to all systems that will be running a BindPlane agent
  2. Import the ca.crt into the trust store on all agent systems
  3. Install agents

For instructions on how to import a certificate authority, see this blog.

Once all agent systems have the certificate authority imported, you can install agents using the command
generated in the BindPlane OP web interface.

Example Linux install command:

bash
1sudo sh -c "$(curl -fsSlL https://github.com/observiq/observiq-otel-collector/releases/download/v1.25.0/install_unix.sh)" install_unix.sh -e wss://bindplane.c.bindplane.internal:3001/v1/opamp -s ffb26038-5169-4496-b5fc-d5a185c33b96 -v 1.19.0

Note that the command uses the value from server.remoteURL in /etc/bindplane/config.yaml as the endpoint that the agent
should connect to. The wss protocol indicates that TLS should be used.

Once installed, the manager configuration at /opt/observiq-otel-collector/manager.yaml will look something like this:

yaml
1endpoint: wss://bindplane.c.bindplane.internal:3001/v1/opamp
2secret_key: ffb26038-5169-4496-b5fc-d5a185c33b96
3agent_id: 01GTHN3HAD7QXFN4Z9FV625A3V

Finished! Agents appear in the web interface, indicating that TLS is working.

observIQ docs - TLS - image 2