CentOS 7 – NTOPNG web interface with SSL

Today we’re going to add SSL to our NTOP installation. This post is divided into two parts and it assumes that ntop is already installed.

If you don’t want to generate your own certificate and prefer to use the test certificate offered by ntopng (/usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem), keep in mind that the same file ships with every ntopng installation, so its private key is not secret and it is only suitable for testing. In that case make sure openssl and openssl-devel are installed and then jump to the second part:

yum install openssl openssl-devel

If openssl-devel is not installed you may have problems starting the SSL server.

————————————————————-

First part – SSL Certificate

Once again, make sure that you have openssl and openssl-devel installed:

yum install openssl openssl-devel

Now we’re going to create our own Certification Authority and generate an SSL certificate for my test server, hobbes.artemit.lab. I’ll set no challenge password for the SSL certificate. Each command below is followed by its output.

mkdir /root/certs

openssl genrsa -out /root/certs/CA.key 2048

Generating RSA private key, 2048 bit long modulus
 ............+++
 .....+++
 e is 65537 (0x10001)


openssl req -x509 -new -nodes -sha256 -extensions v3_ca -key /root/certs/CA.key -days 3650 -out /root/certs/CA.pem


You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Palencia
Locality Name (eg, city) [Default City]:Palencia
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:n40lab
Common Name (eg, your name or your server's hostname) []:hobbes.artemit.lab
Email Address []:mcabrerizo@artemit.com.es


openssl genrsa -out /root/certs/hobbes.key 2048


Generating RSA private key, 2048 bit long modulus
 ................................+++
 ..+++
 e is 65537 (0x10001)


openssl req -new -sha256 -key /root/certs/hobbes.key -days 3650 -out /root/certs/hobbes.csr

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Palencia
Locality Name (eg, city) [Default City]:Palencia
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:hobbes.artemit.lab
Email Address []:mcabrerizo@artemit.com.es
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

openssl x509 -req -sha256 -in /root/certs/hobbes.csr -CA /root/certs/CA.pem -CAkey /root/certs/CA.key -CAcreateserial -out /root/certs/hobbes.crt -days 3650

Signature ok
 subject=/C=ES/ST=Palencia/L=Palencia/O=ArtemIT Labs/CN=hobbes.artemit.lab/emailAddress=mcabrerizo@artemit.com.es
 Getting CA Private Key

You should import CA.pem as a trusted Certificate Authority in your browser to avoid SSL warnings.

According to https://github.com/ntop/ntopng/blob/dev/doc/README.SSL, the certificate must be stored in the folder /usr/share/ntopng/httpdocs/ssl and it must be named ntopng-cert.pem.

You should delete the ntopng-cert.pem test file and the README or move them to a different folder:

rm /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
rm /usr/share/ntopng/httpdocs/ssl/README

Let’s prepare the file needed by ntopng, which combines the private key, the server certificate and the CA certificate:

cat /root/certs/hobbes.key /root/certs/hobbes.crt /root/certs/CA.pem > /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem

Let’s change permissions and ownership. The file contains the private key, so it must not be readable by other users (nobody is the default user used by ntop after it starts):

chmod 640 /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
chown -R nobody:nobody /usr/share/ntopng/httpdocs/ssl
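
The steps of the first part as a non-interactive script, followed by checks on the combined PEM. This is an added example, not part of the original post. The function names, the ssl.cnf file and the CA name "Example Lab CA" are assumptions, and unlike the commands above it also puts the host name in subjectAltName, which current browsers require.

```shell
#!/bin/bash
# Added example, not from the original post. Directory and host are arguments.

make_bundle() {   # usage: make_bundle <dir> <hostname>
    local d=$1 host=$2
    mkdir -p "$d" && chmod 700 "$d" || return 1
    # Own minimal config, so nothing depends on the system openssl.cnf
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        '[dn]' 'CN=Example Lab CA' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[server]' "subjectAltName=DNS:$host" > "$d/ssl.cnf"
    openssl genrsa -out "$d/CA.key" 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -sha256 -config "$d/ssl.cnf" \
        -extensions v3_ca -key "$d/CA.key" -days 3650 -out "$d/CA.pem" &&
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -config "$d/ssl.cnf" -subj "/CN=$host" \
        -key "$d/server.key" -out "$d/server.csr" &&
    # Current browsers match the host name against subjectAltName only
    openssl x509 -req -sha256 -in "$d/server.csr" -CA "$d/CA.pem" \
        -CAkey "$d/CA.key" -CAcreateserial -days 3650 \
        -extfile "$d/ssl.cnf" -extensions server \
        -out "$d/server.crt" 2>/dev/null &&
    # Same order as in the post: key, certificate, CA; created owner-only
    ( umask 077
      cat "$d/server.key" "$d/server.crt" "$d/CA.pem" > "$d/ntopng-cert.pem" )
}

check_bundle() {  # usage: check_bundle <combined.pem> <CA.pem> <hostname>
    local pem=$1 ca=$2 host=$3 k c
    # 1. The private key must belong to the first certificate in the file
    k=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key/cert mismatch"; return 1; }
    # 2. That certificate must chain to the CA the browsers will import
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 ||
        { echo "bad chain"; return 1; }
    # 3. The host name must appear in subjectAltName
    openssl x509 -in "$pem" -noout -text | grep -qF "DNS:$host" ||
        { echo "no SAN"; return 1; }
    # 4. The file contains the private key: no permissions for "other"
    case "$(ls -l "$pem")" in
        ???????---*) ;;
        *) echo "readable by others"; return 1 ;;
    esac
    echo ok
}
```

On the ntopng host the resulting ntopng-cert.pem still has to be copied to /usr/share/ntopng/httpdocs/ssl and given the ownership shown above.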

————————————

Second part – NTOP with SSL

Now it’s time to set the port where we want ntop to listen for SSL connections, e.g. 3001.

Let’s edit the conf file /etc/ntopng/ntopng.conf and set the HTTPS port with the -W option:

-G=/var/tmp/ntopng.pid\
-W=3001\
--community

Now we restart ntopng and check the status:

systemctl restart ntopng
systemctl status ntopng

ntopng.service - Start/stop ntopng program
 Loaded: loaded (/etc/systemd/system/ntopng.service; enabled)
 Active: active (running) since mié 2015-11-25 11:33:24 CET; 4s ago
 Process: 3887 ExecStop=/etc/systemd/scripts/ntopng stop (code=exited, status=0/SUCCESS)
 Process: 4151 ExecStart=/etc/systemd/scripts/ntopng start (code=exited, status=0/SUCCESS)
 Main PID: 4157 (ntopng)
 CGroup: /system.slice/ntopng.service
 └─4157 /usr/bin/ntopng /etc/ntopng/ntopng.conf
nov 25 11:33:21 hobbes.artemit.lab systemd[1]: Starting Start/stop ntopng program...
nov 25 11:33:24 hobbes.artemit.lab ntopng[4151]: Starting ntopng: 4157
nov 25 11:33:24 hobbes.artemit.lab ntopng[4151]: [ OK ]
nov 25 11:33:24 hobbes.artemit.lab systemd[1]: Started Start/stop ntopng program.

Ok, the server is running.

If you like old netstat, you can install the net-tools package and run netstat -ntap | grep 3001 to check if ntop is listening:

yum install net-tools
netstat -ntap | grep 3001
 tcp6 0 0 :::3001 :::* LISTEN 4157/ntopng

Perfect. Now remember to allow traffic to port 3001 (or whichever port you chose) in the firewall. In my example I allow traffic from any host in my 192.168.1.0/24 network to port 3001:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="3001" protocol="tcp" accept'

firewall-cmd --reload

And finally we can use the browser to open https://hobbes.artemit.lab:3001 and the web interface for ntopng now runs with SSL:

That’s all for now. If you need any help or find any error, please let me know.

Enjoy!