Set up a DTLS Key DB

DTLS KeyDB is the faster version of Simple KeyDB. This version sends keys over UDP to a defined destination; keys are sent within 200 microseconds of generation. DTLS KeyDB has two required components, the sensor and the KeyDepot. All communication paths are similar to SimpleKeyDB.

If you are deploying via the CloudFormation template, a VPC and a Nubeva Token are required. Two EC2 instances are used in the build: the Source runs 2 docker containers and the Destination/KeyDB runs 1 container.

The easiest way to deploy DTLS KeyDB is with the CloudFormation template stored at https://nubevalabs.s3.amazonaws.com/nubeva-dtlskeydb.template.yaml. The source can be found at https://github.com/nubevalabs/templates.

To launch the template you need a VPC and a Nubeva Token. The CloudFormation template runs two EC2 instances. The source instance runs a sensor and traffic generator. The destination instance runs a DTLS KeyDB Container.

You can launch a subset of the containers yourself. You will need at least a sensor container on the source and a DTLS Key DB container on the destination. The following sections describe how to launch each of the containers.

Sensor Container

A sensor container is required on the source instance. This is a standard sensor with one special parameter that tells it to write keys only to key.nubedge.com, which must resolve (usually via /etc/hosts) to the destination instance.

docker run -v /:/host -v /var/run/docker.sock:/var/run/docker.sock --add-host key.nubedge.com:<<KeyDB IP address>> --cap-add NET_ADMIN --cap-add SYS_ADMIN --cap-add SYS_RESOURCE --cap-add SYS_PTRACE --name nubeva-agent -d --restart=always --net=host --pid host nubeva/nuagent --accept-eula --contained on --nutoken <<your_token>> --sslcredobj eyJ0eXBlIjoiZHRscyIsImRvbWFpbiI6ImtleS5udWJlZGdlLmNvbTo0NDMzIiwicmVnaW9uIjoidGVzdCIsImFrIjoidXNlciIsInNrIjoicGFzc3dvcmQifQo=

Note that you need to supply the IP address of key.nubedge.com in the --add-host option. You will also need to add the same entry to your /etc/hosts file.

The last parameter in the command instructs the sensor to send its keys to a DTLS Key DB.

--sslcredobj eyJ0eXBlIjoiZHRscyIsImRvbWFpbiI6ImtleS5udWJlZGdlLmNvbTo0NDMzIiwicmVnaW9uIjoidGVzdCIsImFrIjoidXNlciIsInNrIjoicGFzc3dvcmQifQo=

This string is a base64 encoded JSON object that can be generated with the following command (note that GNU coreutils base64 wraps its output at 76 characters, so add -w0 there to get the single-line value the sensor expects):

echo '{"type":"dtls","domain":"key.nubedge.com:4433","region":"test","ak":"user","sk":"password"}' | base64

A type value of "dtls" selects a DTLS KeyDB; domain is the destination host name and port; region is "test"; the user (ak) and password (sk) fields can be left as they are: they are not used, but they are required. You can change the domain to anything, but you MUST have a valid certificate for that name. The DTLS KeyDB container ships with a valid certificate for key.nubedge.com.
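To see how the --sslcredobj value is put together, and to check one before handing it to the sensor, here is an added Python example; it is not Nubeva code and is not taken from the templates repo. The field names and values come from the page's sample object; the function names and the check helper are my own. It reproduces the page's string byte for byte (including the trailing newline that echo adds before base64 runs), validates the fields the page says are required, and rejects a value that GNU base64 has line-wrapped, since a wrapped value is not valid as a single command-line argument.

```python
import base64
import json

# The exact --sslcredobj value shown on the page, kept here for comparison.
PAGE_SSLCREDOBJ = (
    "eyJ0eXBlIjoiZHRscyIsImRvbWFpbiI6ImtleS5udWJlZGdlLmNvbTo0NDMzIiwicmVnaW9uIjoi"
    "dGVzdCIsImFrIjoidXNlciIsInNrIjoicGFzc3dvcmQifQo="
)

# Fields the page lists as required (ak/sk are unused but must be present).
REQUIRED_FIELDS = ("type", "domain", "region", "ak", "sk")


def make_sslcredobj(domain, region="test", ak="user", sk="password",
                    keydb_type="dtls", trailing_newline=True):
    """Build a --sslcredobj value: base64 of a compact JSON object.

    trailing_newline=True mimics `echo '{...}' | base64`, which encodes the
    newline echo appends; that is why the page's value ends in "fQo=".
    keydb_type is a parameter only so the check below can be exercised.
    """
    obj = {"type": keydb_type, "domain": domain, "region": region, "ak": ak, "sk": sk}
    raw = json.dumps(obj, separators=(",", ":"))
    if trailing_newline:
        raw += "\n"
    # b64encode never inserts line breaks, unlike GNU base64 without -w0.
    return base64.b64encode(raw.encode()).decode()


def parse_sslcredobj(blob):
    """Decode and validate a --sslcredobj value; return the dict or raise ValueError."""
    try:
        # validate=True rejects any non-alphabet byte, so a value that GNU
        # base64 wrapped onto two lines fails here instead of on the sensor.
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:
        raise ValueError(f"not single-line base64: {exc}") from exc
    try:
        obj = json.loads(raw)  # json.loads tolerates the trailing newline
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    missing = [f for f in REQUIRED_FIELDS if f not in obj]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    if obj["type"] != "dtls":
        raise ValueError(f'type must be "dtls" for a DTLS KeyDB, got {obj["type"]!r}')
    host, sep, port = obj["domain"].rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("domain must be host:port, e.g. key.nubedge.com:4433")
    return obj


def check_sslcredobj(blob):
    """Convenience wrapper: (True, decoded dict) or (False, reason)."""
    try:
        return True, parse_sslcredobj(blob)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    ok, result = check_sslcredobj(PAGE_SSLCREDOBJ)
    print("page sample valid:", ok, result)
    print("regenerated matches page:",
          make_sslcredobj("key.nubedge.com:4433") == PAGE_SSLCREDOBJ)
```

Run it as-is to confirm the page's sample decodes to the object shown above; to target a different KeyDB host, call make_sslcredobj with that host:port and remember the sensor must still be able to validate the certificate for that name.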

Traffic Generator - Optional

You can add a traffic generator container to the source, but this is not required. This is Nubeva's standard traffic generator container. One container runs for approximately 60-120 seconds, so you may use a cron job to start a new one every minute. The docker command to run this generator once is:

docker run -dti nubevalab/tlsgenerator

DTLS Key DB

DTLSKeyDB is a python script that uses Flask to simulate the REST API of a Nubeva KeyDB, but receives keys over DTLS so that they arrive quickly. It already has the certs embedded. The underlying python script is pulled from https://nubevalabs.s3.amazonaws.com/dtlskeydb/dtlskeydb.py; its source is in the same templates repo noted above. You run the DTLS Key DB container with the following command:

docker run -p 4433:4433/tcp -p 4433:4433/udp -dti --name dtlskeydb nubevalab/dtlskeydb

You can see the keys it has received by running the following from a host where key.nubedge.com resolves to the KeyDB instance:

curl https://key.nubedge.com:4433/dumpkeys