CentOS 7 – NTOPNG web interface with SSL

Today we’re going to add SSL to our NTOP installation. This post is divided in two parts and it assumes that ntop is already installed.

If you don’t want to generate your own certificate and use the test certificate offered by ntopng (/usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem) be sure you have openssl and openssl-devel and then jump to the second part:

yum install openssl openssl-devel

If openssl-devel is not installed you may have problems starting the SSL server.

————————————————————-

First part – SSL Certificate

Once again, let’s be sure that you’ve openssl and openssl-devel

yum install openssl openssl-devel

Now we’re going to create our own Certification Authority and generate an SSL certificate for my test server: hobbes.artemit.lab. I’ll set no challenge password for the SSL certificate. The commands are shown in bold letters.

mkdir /root/certs

openssl genrsa -out /root/certs/CA.key 2048

Generating RSA private key, 2048 bit long modulus
 ............+++
 .....+++
 e is 65537 (0x10001)


openssl req -x509 -new -nodes -sha256 -extensions v3_ca -key /root/certs/CA.key -days 3650 -out /root/certs/CA.pem


You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Palencia
Locality Name (eg, city) [Default City]:Palencia
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:n40lab
Common Name (eg, your name or your server's hostname) []:hobbes.artemit.lab
Email Address []:mcabrerizo@artemit.com.es


openssl genrsa -out /root/certs/hobbes.key 2048


Generating RSA private key, 2048 bit long modulus
 ................................+++
 ..+++
 e is 65537 (0x10001)


openssl req -new -sha256 -key /root/certs/hobbes.key -days 3650 -out /root/certs/hobbes.csr

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Palencia
Locality Name (eg, city) [Default City]:Palencia
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:hobbes.artemit.lab
Email Address []:mcabrerizo@artemit.com.es
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

openssl x509 -req -sha256 -in /root/certs/hobbes.csr -CA /root/certs/CA.pem -CAkey /root/certs/CA.key -CAcreateserial -out /root/certs/hobbes.crt -days 3650

Signature ok
 subject=/C=ES/ST=Palencia/L=Palencia/O=ArtemIT Labs/CN=hobbes.artemit.lab/emailAddress=mcabrerizo@artemit.com.es
 Getting CA Private Key

You should import the CA.pem as a CA Authority in your browser to avoid SSL warnings.

Using https://github.com/ntop/ntopng/blob/dev/doc/README.SSL to help us, we know that we should store the cert in the folder /usr/share/ntopng/httpdocs/ssl and it should be named as ntopng-cert.pem.

You should delete the ntopng-cert.pem test file and the README or move them to a different folder:

rm /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
rm /usr/share/ntopng/httpdocs/ssl/README

Let’s prepare the cert needed by ntopng:

cat /root/certs/hobbes.key /root/certs/hobbes.crt /root/certs/CA.pem > /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem

Let’s change permissions and ownership (nobody is the default user used by ntop after it starts):

chmod 640 /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
chown -R nobody:nobody /usr/share/ntopng/httpdocs/ssl

————————————

Second part – NTOP with SSL

Now it’s time to set the port where we want ntop to listen for SSL connections e.g 3001.

Let’s edit the conf file /etc/ntopng/ntopng.conf so the port is set correctly:

-G=/var/tmp/ntopng.pid\
-W=3001\
--community

Now we restart ntopng and check the status:

systemctl restart ntopng
systemctl status ntopng

ntopng.service - Start/stop ntopng program
 Loaded: loaded (/etc/systemd/system/ntopng.service; enabled)
 Active: active (running) since mié 2015-11-25 11:33:24 CET; 4s ago
 Process: 3887 ExecStop=/etc/systemd/scripts/ntopng stop (code=exited, status=0/SUCCESS)
 Process: 4151 ExecStart=/etc/systemd/scripts/ntopng start (code=exited, status=0/SUCCESS)
 Main PID: 4157 (ntopng)
 CGroup: /system.slice/ntopng.service
 └─4157 /usr/bin/ntopng /etc/ntopng/ntopng.conf
nov 25 11:33:21 hobbes.artemit.lab systemd[1]: Starting Start/stop ntopng program...
nov 25 11:33:24 hobbes.artemit.lab ntopng[4151]: Starting ntopng: 4157
nov 25 11:33:24 hobbes.artemit.lab ntopng[4151]: [ OK ]
nov 25 11:33:24 hobbes.artemit.lab systemd[1]: Started Start/stop ntopng program.

Ok, the server is running

If you like old netstat, you can install the net-tools package  and
run netstat -ntap | grep 3001 to check if ntop is listening:

yum install net-tools
netstat -ntap | grep 3001
 tcp6 0 0 :::3001 :::* LISTEN 4157/ntopng

Perfect, now remember to allow your traffic to port 3001 (or any other port), in my example I allow traffic from any host in my 192.168.1.0/24 network to 3001 port:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="3001" protocol="tcp" accept'

firewall-cmd --reload

And finally we can use the browser to open https://hobbes.artemit.lab:3001 and the web interface for ntopng now runs with SSL:

ntop_ssl

 

 

 

 

That’s all for now, if you need any help or find any error please let me know.

Enjoy!

 

Advertisements