Control center
Goal
Provide an infrastructure to manage groups of eBoxes from a single point of access.
Requirements
- Authentication
- Use PKI to authenticate the control center to the eBoxes and vice versa.
- Use an encrypted channel for all communication between them.
- Group operations
- Software management
- Module upgrade
- Base upgrade
- OS upgrade
- Software installation and removal
- Configuration management
- Change configuration
- Revert changes
- Save group configuration
- Load group configuration
- Software management
- Log output will be configurable
- Network logging
- Monitoring
- Each module will register its tests
- Event logging (See Document/Development/Design/Framework/EventArchitecture)
- Synchronization
- One master data place
Design
- Communication
- Web service using SOAP protocol
- Channel: VPN using HTTPS protocol
- eBox side
- A SOAP server which exposes the public API of the eBox modules to authenticated users
- A SOAP client to send eBox events to the Control Center
- Control center side
- A SOAP client which is allowed to interact with eBox to obtain information or set eBox configuration
- A Certification Authority (CA) which handles issuing, renewing and revoking the certificates used to authenticate and communicate over VPN sessions.
- A database which tracks which eBoxes are currently managed by the control center
- A SOAP server to store the events from the managed eBoxes
Implementation
- Control center side
- A CA is created and an OpenVPN server is launched
- Every new eBox has its own certificates signed by the control center CA, and only eBoxes holding such certificates are allowed to communicate with the Control Center.
- 2 scripts are now available:
- joinEBox.pl: Join an eBox to the Control Center (issue certificate, update DB and create client bundle)
- quitEBox.pl: Remove an eBox from the Control Center (revoke certificate and update DB)
- The SOAP::Lite module is used on both the server and client side.
