Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Numbered Headings

Include Page
TEM:_SystemPrep_ALPINE
TEM:_SystemPrep_ALPINE

Install Trust Router

We’re now ready to install the Trust Router software and its required dependencies. Install the software by running the following command:

Code Block
languagebash
linenumberstrue
apk add trust_router moonshot

Configure Trust Router

Next, we need to configure the Trust Router.

RadSec

APC TLS

First, you will need a copy of a client key and certificate (and appropriate CA) from the APC(s) that your Trust Router serves. Copy them onto the filesystem.

Note

You can put these files anywhere on the file system, but this guide assumes you put them in /etc/pki/certs and /etc/pki/private. If you place them in a different location you will need to change the locations below as appropriate.

Connection to APC

Next, we need to configure the RadSec configuration for the APC. We do this by creating a file at /etc/radsec.conf with the following:

Code Block
linenumberstrue
realm gss-eap {
	type = "TLS"
	cacertfile = "/etc/pki/certs/tr-ca.pem"
	certfile = "/etc/pki/certs/tr-client.pem"
	certkeyfile = "/etc/pki/private/tr-client.key"
	disable_hostname_check = yes
	server {
		hostname = "YOUR_APC_HOSTNAME"
		service = "2083"
		secret = "radsec"
	}
}

Then check the file and the certificates can be read by the Trust Router user:

Code Block
linenumberstrue
sudo su - --shell=/bin/sh u trustrouter cat /etc/radsec.conf cat /etc/pki/certs/tr-*.* cat /etc/pki/private/tr-*.*

Trust Router

Daemon Configuration

Your Trust Router will need to have a few core configuration items set. To do this:

  1. Open the default instance's main configuration file at /etc/trust_router/default-internal.cfg for editing.
    1. Change the hostname to the (fully qualified) hostname of your Trust Router.
Note
If the /etc/trust_router directory does not exist, you may need to create it yourself, along with the subdirectories mentioned.

Moonshot Configuration

Moonshot, you say? Yes, Trust Router uses Moonshot to authenticate and secure all communications between Trust Router clients and servers. So, you will need to configure the trust router user to make use of the Moonshot flatstore (i.e. telling Moonshot that this is a special system account, not a regular user account), and you will need to import a set of credentials for your Trust Router to use.

  1. Import it using the moonshot-webp command (as the trustrouter user):

    Code Block
    languagebash
    linenumberstrue
    su - --shell=/bin/bash trustrouter
    moonshot-webp -f [path to credential file]


    Info

    The credentials file will be given to you by the administrator of the APC.


Default Peer

Info
If your Trust Router is going to run in its own, standalone, trust network, then skip this step.

If your Trust Router is going to run in a wider trust network, then you can configure your Trust Router's default peer - i.e. the Trust Router it sends its clients to when they ask it to locate a Moonshot entity that your Trust Router doesn't know about. To do this:

  1. Open /etc/trust_router/peering.cfg for editing. Change the content as follows:

    Code Block
    linenumberstrue
    {
    "default_servers": [
     "[hostname of trust router]"
     ]
    }


    Tip
    titleExample

    If you were configuring your default Trust Router peer to be Janet's Trust Router at tr.moonshot.ja.net, its peering.cfg file would look like this:

    Code Block
    linenumberstrue
    {
    "default_servers": [
     "tr.moonshot.ja.net"
     ]
    }



Configure your Trust Router

A trust router requires a trust configuration to function correctly. See the trust configuration file for more information.

Place an appropriate trusts.cfg file info the /etc/trust_router directory and symbolically link it into the default configuration directory:

Info

You can find a Trust Router configuration suitable for a Trust Router connecting to tr.moonshot.ja.net at sample Trust Router Client configuration

Start your Trust Router

You are now ready to restart your Trust Router and test it. To do this:

  1. As root, start the Trust Router daemon:

    Code Block
    languagebash
    linenumberstrue
    rc-service trust_router start


Testing

To test your trust router, you should attempt a TIDC request on a Moonshot service connected to your trust router. If you have defined a default peer, the TIDC request may take a little longer, but it should succeed.

If it fails, please contact us.

Next Steps

At this point, you now have a Trust Router.

Automatically start the software

Trust Router

To automatically start Trust Router, issue the following command (as root):

Code Block
linenumberstrue
rc-update add trust_router
rc-service trust_router start


If this is working correctly, you should see trust_router running as a daemon process.

...