Set up a Simple Key DB

It is possible to launch sensors and decryptors with a simple Key DB configuration. The configuration is depicted in the figure below. The Key DB service runs on an instance you designate.

../_images/SimpleKeyDB.png

The easiest way to deploy Simple DB is with a CloudFormation template stored at https://nubevalabs.s3.amazonaws.com/nubeva-simpledb.template.yaml. The source can be found at https://github.com/nubevalabs/templates.

To launch the template you need a VPC and a Nubeva Token. The CloudFormation template runs two EC2 instances. The source instance runs a sensor and traffic generator. The destination instance runs a decryptor, Key DB and Wireshark containers.

You can launch a subset of the containers yourself. You will need at least a sensor container on the source, and a Simple Key DB on the destination. The following sections describe how to launch each of the containers.

Source Containers

Nubeva Sensor - Required

A sensor container is required on the source instance. This is a standard sensor that uses a special parameter specifying that it should only write keys to key.nubedge.com which must resolve (usually with /etc/hosts) to the destination instance.

docker run -v /:/host -v /var/run/docker.sock:/var/run/docker.sock --add-host key.nubedge.com:10.0.23.65 --cap-add NET_ADMIN --cap-add SYS_ADMIN --cap-add SYS_RESOURCE --cap-add SYS_PTRACE --name nubeva-agent -d --restart=always --net=host --pid host nubeva/nuagent --accept-eula --contained on --nutoken <Nubeva-Token> --sslcredobj eyJ0eXBlIjoia2RiIiwiZG9tYWluIjoidGVzdCIsInJlZ2lvbiI6ImtleS5udWJlZGdlLmNvbSIsImFrIjoidXNlciIsInNrIjoicGFzc3dvcmQifQo=

Note that you need to specify the IP address of key.nubedge.com in the command (the address shown is only a sample). You will also need to modify your /etc/hosts file.

The last parameter in the command instructs the sensor to send its keys to Simple Key DB and not to the Private KeyDB.

--sslcredobj eyJ0eXBlIjoia2RiIiwiZG9tYWluIjoidGVzdCIsInJlZ2lvbiI6ImtleS5udWJlZGdlLmNvbSIsImFrIjoidXNlciIsInNrIjoicGFzc3dvcmQifQo=

This string is a base64 encoded json object that can be generated using the following command:

echo '{"type":"kdb","domain":"test","region":"key.nubedge.com","ak":"user","sk":"password"}' | base64

Type “kdb” means a KeyDB, region is the destination host name, Domain, user, and password fields can be left the same. They are not used but they are required. You can change the domain to anything however you MUST have a valid cert. This docker container contains a valid cert for key.nubedge.com.

Nubeva Traffic Generator - Optional

You can add a traffic generator container to the source, however this is not required. This is Nubeva’s standard traffic generator container. A container runs for approximately 60-120 seconds. You may use a cron job to run a container every minute. The actual docker command to run this generator once is:

docker run -dti nubevalab/tlsgenerator

Destination Containers

Simple Key DB - Required

This is a python script that is using Flask to simulate the RestAPI of a Nubeva KeyDB. It already has the certs embedded. The underlying python script is pulled from https://nubevalabs.s3.amazonaws.com/keydb/keydb.py. Source is in same templates repo noted above. You run the Simple Key DB container with the following command:

docker run -p 443:443 -dti  --name simplekeydb nubevalab/simplekeydb

Decryptor Container - Optional

This is the standard nubeva decryptor, however it uses a special parameter to ONLY read keys from “key.nubedge.com”

docker run -v /:/host -v /var/run/docker.sock:/var/run/docker.sock  --cap-add NET_ADMIN --add-host key.nubedge.com:127.0.0.1 --name nubeva-rx -d --restart=on-failure --net=host nubeva/nurx --accept-eula --nutoken <<insert_token>> --sslcredobj eyJ0eXBlIjoia2RiIiwiZG9tYWluIjoidGVzdCIsInJlZ2lvbiI6ImtleS5udWJlZGdlLmNvbSIsImFrIjoidXNlciIsInNrIjoicGFzc3dvcmQifQo=

In the command note that you must specify the IP address of key.nubedge.com, but it should be configured as localhost. This is configured in the CFT, but if you build it yourself, make sure to include this in your docker run command AND to edit the /etc/hosts file.

The --sslcredobj should match the value in the source above.

Wireshark Container - Optional

In addition you may install a dockerized version of Wireshark that is accessible using HTTPS. When accessing Wireshark, open the nurx0 interface to capture and analyze the output from the decryptor. To deploy the container run:

docker run -v /tmp:/keys -p 14500:14500 --restart unless-stopped -dti --cap-add NET_ADMIN --net=host --name wireshark  ffeldhaus/wireshark