Re: openconnect and tpm2

In our use case, we are provided a p12 file.
We are testing on RHEL 8.
Where improvement could take place, my thoughts:

- instructions on how to extract the private key and the certs from
the p12(see below)
- offer openssl_tpm2_engine ibmtss(ibmtss-devel, libibmtss0) packages in epel 8
- build the openconnect epel package against ibmtss for TPMv2 support.

The steps I am using are as follows. Passwords etc. have been removed.

PKCS="file.p12"
MY_P12_PASSWORD="MyPassw0rd!!"
TPM_LOCK_PASSWORD="MyPassw0rd!!"
VPN_SERVER="myserver.ibm.com"
#
openssl pkcs12 -in ${PKCS} -nocerts -nodes -passin pass:${MY_P12_PASSWORD} \
    | openssl rsa -out private.pem
openssl pkcs12 -in ${PKCS} -clcerts -nokeys -chain -passin pass:${MY_P12_PASSWORD} \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > user_cert.crt
openssl pkcs12 -in ${PKCS} -cacerts -nokeys -chain -passin pass:${MY_P12_PASSWORD} \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca_cert.crt
#
create_tpm2_key -w private.pem private-key-tpm-wrapped.pem
#
sudo openconnect \
    --csd-wrapper=/usr/share/ibm-config-NetworkManager-openconnect/csd.sh \
    --sslkey=private-key-tpm-wrapped.pem --certificate=user_cert.crt \
    --cafile=ca_cert.crt https://${VPN_SERVER} -v


We are also using the following csd wrapper.

On Tue, Mar 3, 2020 at 8:29 AM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> On Mon, 2020-03-02 at 18:26 +0100, Grant Williamson wrote:
> > Thank you. Sorry I intended to reply sooner.
>
> That's good to know; thanks.
>
> Next question: Now you've worked it out, could the documentation be
> improved in any way? What was missing?
>
> Better still, what should be fixed in the code (or tools/helpers
> provided) so that we don't *have* to document it?
>

Attachment: csd.sh
Description: application/shellscript

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
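The extraction and wrapping procedure in Grant's post, reworked as an added example (editor's code, not from the post or the openconnect project). It keeps the same three outputs (private.pem, user_cert.crt, ca_cert.crt) but reads the PKCS#12 password from a file rather than the argv so it does not show up in `ps` or shell history, checks that the extracted key really belongs to the client certificate before anything is wrapped, uses `openssl pkey` so non-RSA keys also work, and destroys the plaintext key once the TPM-wrapped copy exists. It assumes openssl(1) is installed and that create_tpm2_key(1) from openssl_tpm2_engine is on PATH when wrap_for_tpm is called; the function names, the password-file convention and the `-a` flag mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's or the openconnect project's code.
# Assumptions: openssl(1) on PATH; create_tpm2_key(1) only needed by wrap_for_tpm.
set -eu

# split_p12 BUNDLE PASSFILE OUTDIR
# PASSFILE holds the PKCS#12 password on its first line; -passin file: keeps it
# out of the process list, unlike -passin pass:.  Outputs:
#   OUTDIR/private.pem    unencrypted key (PKCS#8, RSA or EC)
#   OUTDIR/user_cert.crt  the client certificate
#   OUTDIR/ca_cert.crt    every CA certificate carried in the bundle
# `-chain` is an export-only option of openssl pkcs12, so it is not used here.
split_p12() {
    bundle=$1; passfile=$2; out=$3
    mkdir -p "$out"
    chmod 700 "$out"
    umask 077   # private.pem is plaintext key material until it is wrapped
    openssl pkcs12 -in "$bundle" -nocerts -nodes -passin "file:$passfile" \
        | openssl pkey -out "$out/private.pem"
    openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "file:$passfile" \
        | openssl x509 -out "$out/user_cert.crt"
    openssl pkcs12 -in "$bundle" -cacerts -nokeys -passin "file:$passfile" \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
        > "$out/ca_cert.crt"
}

# key_matches_cert KEY.pem CERT.crt
# Succeeds only if the SubjectPublicKeyInfo derived from the private key is
# byte-for-byte the one inside the certificate.  Catches a bundle whose
# "client" cert is really a CA cert, or a key/cert pair that got mixed up,
# before the TPM is asked to wrap the wrong key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# wrap_for_tpm KEY.pem OUT.pem
# Wraps the key under the TPM storage hierarchy with create_tpm2_key -w and
# then destroys the plaintext copy.  Assumption: adding -a to the
# create_tpm2_key call makes the TPM demand a password (the post's
# TPM_LOCK_PASSWORD) before each use of the key; openconnect prompts for it.
wrap_for_tpm() {
    key=$1; out=$2
    create_tpm2_key -w "$key" "$out"
    shred -u "$key" 2>/dev/null || rm -f "$key"
}

# Usage, following the post's flow (not executed here):
#   printf '%s\n' "$MY_P12_PASSWORD" > ~/.p12pass && chmod 600 ~/.p12pass
#   split_p12 file.p12 ~/.p12pass ./vpn
#   key_matches_cert vpn/private.pem vpn/user_cert.crt || exit 1
#   wrap_for_tpm vpn/private.pem vpn/private-key-tpm-wrapped.pem
#   openconnect --sslkey=vpn/private-key-tpm-wrapped.pem \
#       --certificate=vpn/user_cert.crt --cafile=vpn/ca_cert.crt \
#       https://myserver.ibm.com
```

The `key_matches_cert` step is the one worth keeping even if the rest is scripted differently: openconnect will only report a TLS handshake failure if the wrapped key and `--certificate` disagree, and by then the plaintext key may already have been shredded.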
