| | 1 | [[PageOutline(2-4)]] |
| | 2 | = Configuration = |
| | 3 | |
| | 4 | This page gives some information on the {{{freeDiameter.conf}}} file that is required by the {{{freeDiameter}}} framework. The complete documentation is included in [source:freeDiameter/doc/freediameter.conf.sample doc/freediameter.conf.sample]. |
| | 5 | |
| | 6 | The configuration file consists in three main parts: (1) local framework configuration, (2) extensions, (3) remote connections. |
| | 7 | |
| | 8 | The remaining of this page gives information on how to configure TLS properly, and some typical configuration files examples. |
| | 9 | |
| | 10 | == freeDiameter.conf == |
| | 11 | === Local framework configuration === |
| | 12 | |
| | 13 | ==== Diameter Protocol parameters ==== |
| | 14 | |
| | 15 | Identity:: |
| | 16 | The first parameter in this section is {{{Identity}}}, which will be used to identify this peer in the Diameter network. The Diameter protocol mandates that the Identity used is a valid FQDN for the peer. This parameter can be omitted, in that case the framework will attempt to use system default value. |
| | 17 | |
| | 18 | Realm:: |
| | 19 | In Diameter, all peers also belong to a ''Realm''. If the realm is not specified, the framework uses the part of the Identity after the first dot. |
| | 20 | |
| | 21 | !TcTimer, !TwTimer:: |
| | 22 | Change the default reconnection and watchdog timers. |
| | 23 | |
| | 24 | !NoRelay:: |
| | 25 | By default, freeDiameter acts as a Diameter Relay Agent. This parameter disables this behavior. |
| | 26 | |
| | 27 | !AppServThreads:: |
| | 28 | Number of parallel threads that will handle incoming application messages. This parameter may be deprecated later in favor of a dynamic number of threads depending on the load. |
| | 29 | |
| | 30 | ==== Network protocols parameters ==== |
| | 31 | |
| | 32 | Port, !SecPort, TLS_old_method:: |
| | 33 | The {{{Port}}} on which freeDiameter framework will listen for incoming Diameter connections. {{{SecPort}}} is the dedicated listening port for TLS connections, as specified by rfc3588bis. Note that {{{freeDiameter}}} supports both RFC3588's flavour TLS (using default Diameter {{{Port}}}, TLS handshake after the CER/CEA exchange) and rfc3588bis's flavour (using a dedicated {{{SecPort}}} where CER/CEA exchange is also TLS protected). {{{TLS_old_method}}} sets a default TLS flavour for outgoing connections, that can be overwritten for each peer. |
| | 34 | |
| | 35 | No_TCP, No_SCTP, Prefer_TCP, No_IP, No_IPv6:: |
| | 36 | The default is to listen for Ip & IPv6, TCP & SCTP incoming connections, and attempt SCTP first when contacting another peer. Change these parameters to modify this default behavior. Parameters for outgoing connections can also be specified for each peer. |
| | 37 | |
| | 38 | SCTP_streams:: |
| | 39 | Overwrite the number of SCTP streams. This value should be kept low, especially if you are using TLS over SCTP, because it consumes a lot of resources in that case. See tickets [ticket:19] and [ticket:27] for some additional details on this. |
| | 40 | |
| | 41 | !ListenOn:: |
| | 42 | Specify the addresses on which to bind the listening server. This must be specified if the framework is unable to auto-detect these addresses, or if the auto-detected values are incorrect. Note that the list of addresses is sent in CER or CEA message, so one should pay attention to this parameter if some adresses should be kept hidden. |
| | 43 | |
| | 44 | ==== TLS parameters ==== |
| | 45 | |
| | 46 | TLS_Cred:: |
| | 47 | This parameter is '''mandatory''', even if it is possible to disable TLS for peers connections. A valid certificate for this Diameter Identity is expected. |
| | 48 | |
| | 49 | Other TLS_* parameters are optional but should usually be specified. |
| | 50 | |
| | 51 | See [#tls_tuto How to configure TLS] for instructions on how to get started with this. |
| | 52 | |
| | 53 | === Extensions === |
| | 54 | |
| | 55 | !LoadExtension:: |
| | 56 | Specify either an absolute path, or a relative path, in which case the file will be searched in the active directory first, and in [wiki:Installation#cmakeflags INSTALL_EXTENSIONS_SUFFIX] afterwards. The configuration file name is optional. If specified, it also falls back to files in [wiki:Installation#cmakeflags DEFAULT_CONF_PATH]. |
| | 57 | |
| | 58 | See the list of extensions here: [wiki:Extensions]. |
| | 59 | |
| | 60 | === Remote connections === |
| | 61 | |
| | 62 | !ConnectPeer:: |
| | 63 | Declare a remote peer to maintain a connection to. In addition, this allows specifying non-default parameters for this peer only (for example disable SCTP with this peer). |
| | 64 | |
| | 65 | Note that by default, if a peer is not listed as a ''!ConnectPeer'' entry, an incoming connection from this peer will be rejected. If you want to accept incoming connections from other peers, see the [wiki:acl_wl.fdx] extension which does exactly this. |
| | 66 | |
| | 67 | == How to configure TLS == #tls_tuto |
| | 68 | |
| | 69 | Because Diameter protocol conveys sensible information in terms of privacy and security (such as user location, cryptographic material, ...) it must never be sent "in clear" on the wire. The Diameter specification allows either IPsec protection or TLS protection. |
| | 70 | |
| | 71 | There is currently no way for the freeDiameter framework to discover if an IPsec tunnel is setup with any given peer (such as an API with the IKEv2 component). |
| | 72 | |
| | 73 | For these reason, the {{{freeDiameter}}} policy is to mandate the configuration of a valid TLS credential. Then, TLS can be disabled in ''!ConnectPeer'' directives. |
| | 74 | |
| | 75 | === Real PKI === |
| | 76 | |
| | 77 | If you already have a PKI set up for your Diameter nodes (for example when you join a Diameter consortium), the following will help you configuring {{{freeDiameter}}} properly. If on the other hand you just want to setup a testbed, please check the next section. |
| | 78 | |
| | 79 | We imagine the following PKI hierarchy in this example: |
| | 80 | {{{ |
| | 81 | Our realm: example.net | Other realms: partner1, partner2 |
| | 82 | ======================================================================= |
| | 83 | my_root_ca ----------- my_partner1_ca.example.com ------ .... |
| | 84 | | | |
| | 85 | my_group_ca ..... |
| | 86 | | | |
| | 87 | my_diameter_peer remote_peer |
| | 88 | }}} |
| | 89 | |
| | 90 | In case of real PKI (or set of PKIs) the first thing you will need is the list of trusted Certificate Authorities certificates. Concatenate all these different certificates into one file, as follow: |
| | 91 | {{{ |
| | 92 | $ cat my_root_ca.example.net.pem \ |
| | 93 | my_partner1_ca.example.com.pem \ |
| | 94 | my_partner2_ca.example.org.pem > ca.pem |
| | 95 | }}} |
| | 96 | From this point, we assume that you have a file '''ca.pem''' that contains all the trust anchors for your Diameter node. |
| | 97 | |
| | 98 | You should do the same with Certificate Revocation Lists (CRL), with a script to update the file on a regular basis (note however that currently freeDiameter does not support reloading the CRL). This is saved as '''crl.pem'''. |
| | 99 | |
| | 100 | You need a private key for your Diameter peer. There are many tools to generate such a key. You can use for example ''certtool'' from GNUTLS, or ''openssl''. Once you have generated your private key, save it for example as '''my_key.pem'''. This is an example with openssl: |
| | 101 | {{{ |
| | 102 | $ openssl genrsa -out my_key.pem 2048 |
| | 103 | }}} |
| | 104 | |
| | 105 | Then, generate a Certificate Signing Request (CSR), that you will send to your PKI administrator. Depending on your realm's PKI policy, the content of the CSR may vary. Note however the following important points (to confirm with your PKI administrator, since he can overwrite anything that is set in the CSR anyway): |
| | 106 | * The Common Name (CN) must be your Diameter Identity (my_diameter_peer.example.net in our example). Support for Domain-wide certificates is not tested yet. |
| | 107 | * The key usage must allow for TLS client and server usage. |
| | 108 | The following example command will generate a CSR after asking a few questions: |
| | 109 | {{{ |
| | 110 | $ openssl req -new -out csr.pem -key my_key.pem |
| | 111 | }}} |
| | 112 | |
| | 113 | Once you have this CSR, send it to your PKI administrator for certificate signing. In our example, the administrator will use "my_group_ca.example.net" CA to sign the request and issue the certificate, then give this certificate to you, as file {{{cert.pem}}}. In real life, this step usually requires additional checks. |
| | 114 | |
| | 115 | If the certificate is not signed directly by the root CA in your realm, you must retrieve all the intermediate certificates. In our example, there is only "my_group_ca", but it is possible to have several intermediate CAs. Save all the intermediary CA's certificate, in addition to your final certificate, in one file, as follow (the order should be the hierarchical order from bottom to top): |
| | 116 | {{{ |
| | 117 | $ cat cert.pem my_group_ca.pem \ |
| | 118 | > certchain.pem |
| | 119 | }}} |
| | 120 | |
| | 121 | Now, you are all set. Configure {{{freeDiameter}}} as follow: |
| | 122 | {{{ |
| | 123 | TLS_Cred = "certchain.pem", "my_key.pem"; |
| | 124 | TLS_CA = "ca.pem"; |
| | 125 | TLS_CRL = "crl.pem"; |
| | 126 | TLS_DH_Bits = 2048; |
| | 127 | }}} |
| | 128 | |
| | 129 | |
| | 130 | === Testbed === |
| | 131 | |
| | 132 | In case you are setting a simple testbed, the following instructions will help you getting started. However, these do NOT provide a valid secure environment for real operation. |
| | 133 | |
| | 134 | ==== Without TLS ==== |
| | 135 | |
| | 136 | The most simple situation is when you don't want to use TLS for your communications in your testbed. In that case, you only need to create a ''self-signed certificate'' that corresponds to the Diameter Identity of your peer, and then specify the "No_TLS;" flag for your connections. |
| | 137 | |
| | 138 | * Create the self-signed certificate. |
| | 139 | This can be done with many tools, here is an example using ''openssl''. |
| | 140 | {{{ |
| | 141 | $ openssl req -new -batch -x509 -days 3650 -nodes \ |
| | 142 | -newkey rsa:1024 -out cert.pem -keyout privkey.pem \ |
| | 143 | -subj /CN=my.diameter.identity |
| | 144 | }}} |
| | 145 | |
| | 146 | This command should generate a self-signed certificate with Common Name "my.diameter.identity" (change to match your real Identity). |
| | 147 | |
| | 148 | * Create a Diffie-Hellman file. |
| | 149 | Although not mandatory, it is recommended to create a DH file, so that the framework does not generate a new one each time it starts. |
| | 150 | |
| | 151 | This again can be done with GNUTLS's ''certtool'' or OpenSSL. Here is an example command with the later: |
| | 152 | {{{ |
| | 153 | $ openssl dhparam -out dh.pem 1024 |
| | 154 | }}} |
| | 155 | |
| | 156 | * Configure freeDiameter. |
| | 157 | This is the corresponding part of {{{freeDiameter.conf}}}: |
| | 158 | {{{ |
| | 159 | TLS_Cred = "cert.pem", "privkey.pem"; |
| | 160 | TLS_CA = "cert.pem"; |
| | 161 | TLS_DH_File = "dh.pem"; |
| | 162 | |
| | 163 | ConnectPeer = ... { No_TLS; }; |
| | 164 | }}} |
| | 165 | |
| | 166 | Note that it is possible (but not recommended) to have the private key and certificate stored in the same file. |
| | 167 | |
| | 168 | ==== With TLS ==== |
| | 169 | |
| | 170 | * Case of only two peers |
| | 171 | |
| | 172 | If your testbed consists of only two peers, you may follow the same instructions as in previous section to generate the self-signed certificate on each peer. Then, the following additional step must be performed on both peers: |
| | 173 | {{{ |
| | 174 | $ cat peer1.cert.pem peer2.cert.pem > ca.pem |
| | 175 | }}} |
| | 176 | |
| | 177 | Then configure freeDiameter.conf with: |
| | 178 | {{{ |
| | 179 | TLS_Cred = "cert.pem", "privkey.pem"; |
| | 180 | TLS_CA = "ca.pem"; |
| | 181 | }}} |
| | 182 | |
| | 183 | * Case of more peers |
| | 184 | |
| | 185 | In order to avoid copying the self-signed certificates between all peers, it is probably easier to set up a fake CA and have this CA sign all your peers certificates. |
| | 186 | |
| | 187 | It is the scenario we are using in our testbed, therefore you might find the following resources useful (especially if you have a storage shared with all your peers). |
| | 188 | [source:freeDiameter/contrib/PKI contrib/PKI]:: |
| | 189 | This folder contains some scripts that can help you managing this "fake" CA. You may find a few more details in the [source:freeDiameter/contrib/README contrib/README] file. |
| | 190 | |
| | 191 | [source:VirtualTestbed/ca/rebuild_tree.sh rebuild_tree.sh]:: |
| | 192 | This is the script we use to generate all the certificates of our test machines. It uses the Makefile from ca_script2 included in the contrib/PKI folder. It shows an example of how to use this script to generate all the peers certificates. Check the script [source:VirtualTestbed/scripts/ca-install.sh ca-install.sh] for an example of how we use the generated certificates in each node. |
| | 193 | |
| | 194 | |
| | 195 | == Configuration examples == |
| | 196 | |
| | 197 | You can find many configuration files examples in our testbed [source:VirtualTestbed/conf here]. |
| | 198 | |
| | 199 | Here is a typical commented example: |
| | 200 | {{{ |
| | 201 | # -------- Local --------- |
| | 202 | |
| | 203 | # Uncomment if the framework cannot resolv it. |
| | 204 | #Identity = "backend.localhost"; |
| | 205 | |
| | 206 | # TLS configuration (see previous section) |
| | 207 | TLS_Cred = "cert.pem" , "privkey.pem"; |
| | 208 | TLS_CA = "ca.pem"; |
| | 209 | |
| | 210 | # Limit the number of SCTP streams |
| | 211 | SCTP_streams = 3; |
| | 212 | |
| | 213 | |
| | 214 | # -------- Extensions --------- |
| | 215 | |
| | 216 | # Uncomment (and create rtd.conf) to specify routing table for this peer. |
| | 217 | #LoadExtension = "rt_default.fdx" : "rtd.conf"; |
| | 218 | |
| | 219 | # Uncomment (and create acl.conf) to allow incoming connections from other peers. |
| | 220 | #LoadExtension = "acl_wl.fdx" : "acl.conf"; |
| | 221 | |
| | 222 | # Uncomment to display periodic state information |
| | 223 | #LoadExtension = "dbg_monitor.fdx"; |
| | 224 | |
| | 225 | # Uncomment to enable an interactive Python interpreter session. |
| | 226 | # (see doc/dbg_interactive.py.sample for more information) |
| | 227 | #LoadExtension = "dbg_interactive.fdx"; |
| | 228 | |
| | 229 | # Load the RFC4005 dictionary objects |
| | 230 | LoadExtension = "dict_nasreq.fdx"; |
| | 231 | |
| | 232 | # Load RFC4072 dictionary objects |
| | 233 | LoadExtension = "dict_eap.fdx"; |
| | 234 | |
| | 235 | # Load the Diameter EAP server extension (requires diameap.conf) |
| | 236 | LoadExtension = "app_diameap.fdx" : "diameap.conf"; |
| | 237 | |
| | 238 | # Load the Accounting Server extension (requires app_acct.conf) |
| | 239 | LoadExtension = "app_acct.fdx" : "app_acct.conf"; |
| | 240 | |
| | 241 | |
| | 242 | # -------- Peers --------- |
| | 243 | |
| | 244 | # The framework will actively attempt to establish and maintain a connection |
| | 245 | # with the peers listed here. |
| | 246 | # For only accepting incoming connections, see the acl_wl.fx extension. |
| | 247 | |
| | 248 | ConnectPeer = "nas.localhost" { No_TLS; }; |
| | 249 | ConnectPeer = "relay.localhost" { ConnectTo = "2001:DB8:1234::5678"; }; |
| | 250 | |
| | 251 | }}} |
