Skyline with TLS
Hello guys,
I'm trying to set up Skyline using TLS. I've tested that the payload with no TLS is working and I see stats in my Grafana.
I followed the initial setup from https://github.com/mmanningcp/skylineinstructions/tree/main?tab=readme-ov-file.
I configured basic auth based on the instructions from https://prometheus.io/docs/guides/basic-auth/. I created a cert and key using this config on the Gaia OS device:
[ req ]
default_bits = 4096
default_md = sha256
req_extensions = v3_req
distinguished_name = dn
prompt = no
[ v3_req ]
subjectAltName = @alt_names
[ dn ]
C =
ST =
L =
O =
OU =
CN = localhost
[ alt_names ]
DNS.1 = localhost
DNS.2 = skyline.local
IP.1 = 127.0.0.1
IP.2 = x.x.x.x
I moved these two files to my Prometheus/Grafana server and put the certificate into /usr/local/share/ca-certificates/. I modified the Prometheus service config file:
ExecStart=/home/user/prometheus-2.38.0.linux-amd64/prometheus --config.file=/home/user/prometheus-2.38.0.linux-amd64/prometheus.yml --web.enable-remote-write-receiver --web.config.file=/home/user/prometheus-2.38.0.linux-amd64/web-config.yml
web-config.yml:
tls_server_config:
  cert_file: /home/user/certs_gaia/mycert.crt
  key_file: /home/user/certs_gaia/key.unencrypted.key
basic_auth_users:
  admin: $2b$12$OLLx6DILLgx/6Djs9ILMeOYMt/xxxxxx
Prometheus config file (prometheus.yml) contains:
# Remote write configuration
remote_write:
  - url: "https://x.x.x.x:9090/api/v1/write"
In the attachment you can see the settings of the Grafana data source (Prometheus); I used the certificate created on the Gaia device (in the CA cert section). While accessing the Prometheus GUI I'm asked to enter a login and password, so I assume that basic auth is working fine. I used this payload on the Check Point device (the cert is on one line):
{
  "enabled": true,
  "export-targets": {
    "add": [
      {
        "client-auth": {
          "basic": {
            "username": "admin",
            "password": "password"
          }
        },
        "enabled": true,
        "server-auth": {
          "ca-public-key": {
            "type": "PEM-X509",
            "value": "-----BEGIN CERTIFICATE-----MIIFfzxx==-----END CERTIFICATE-----"
          }
        },
        "type": "prometheus-remote-write",
        "url": "https://x.x.x.x:9090/api/v1/write"
      }
    ]
  }
}
After executing sklnctl export --set "$(cat /home/admin/tls.json)" I see:
{"message": "Operation has finished successfully"}
I'm still not getting any data in my Grafana; see the attachment for the error. In the Prometheus logs (journalctl -u prometheus.service) I see:
ed HTTP status 401 Unauthorized: Unauthorized"
Jul 23 18:34:11 skyline prometheus[194707]: ts=2024-07-23T16:34:11.665Z caller=stdlib.go:105 level=error component=web caller="http: TLS handshake error from checkpoint_ip:42536" msg="remote error: tls: bad certificate"
There is also an error in the Prometheus GUI under Targets. Using the command curl -u admin https://localhost:9090/metrics from the Prometheus CLI, after entering the password I got the expected response as described in https://prometheus.io/docs/guides/basic-auth/.
Can you please suggest some steps for troubleshooting this issue further?
Thanks a lot.
Hi @Sajgon107,
Please open a support ticket with Check Point so we can assist you directly in troubleshooting the issue.
The ca-public-key property must contain the root CA of the certificate the Prometheus server is presenting to the client:
root-ca  <-- this one has to be used
  intermediate-ca
    prometheus-server-certificate
...I also had problems with this, but I have exactly your setup running fine...
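To make the reply's point concrete, here is an added example (not from the thread, Check Point or Prometheus): it builds a constructed root -> intermediate -> server chain with openssl and checks which certificate actually works as a trust anchor, i.e. which PEM belongs in the "ca-public-key" value. The config, names and file paths are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build a constructed root -> intermediate -> server
# chain with openssl and check which certificate works as the trust anchor, i.e. which
# PEM belongs in Skyline's "ca-public-key" value. All names and files are constructed.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"

cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[ srv_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:skyline.local,IP:127.0.0.1
EOF
# Self-signed root CA (the "root-ca" of the reply).
openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes -sha256 \
  -days 2 -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
# Intermediate CA issued by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 1001 -days 2 \
  -extfile req.cnf -extensions ca_ext -out int.crt 2>/dev/null
# Server (leaf) certificate issued by the intermediate, SANs as in the thread's config.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=skyline.local" \
  -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -set_serial 1002 -days 2 \
  -extfile req.cnf -extensions srv_ext -out srv.crt 2>/dev/null

# is_root FILE: true when the certificate is self-signed (issuer equals subject).
is_root() {
  [ "$(openssl x509 -in "$1" -noout -subject)" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')" ]
}
# verifies_chain ANCHOR: true when ANCHOR validates the server's leaf, with the
# intermediate supplied as untrusted, which is what a TLS client sees in the handshake.
verifies_chain() { openssl verify -CAfile "$1" -untrusted int.crt srv.crt >/dev/null 2>&1; }
# pem_one_line FILE: the PEM on a single line, the form used in the thread's JSON payload.
pem_one_line() { tr -d '\r\n' < "$1"; }

for f in root.crt int.crt srv.crt; do
  if verifies_chain "$f"; then echo "$f: valid anchor for ca-public-key"; else echo "$f: NOT a valid anchor"; fi
done
```

Against a live Prometheus, `openssl s_client -showcerts -connect x.x.x.x:9090 </dev/null` prints the chain the server actually sends, so you can see whether the root, or only the leaf, is being presented.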