Requirement:
We need to upload a custom self-signed certificate to the IAP to form a VPN tunnel between VMC and the IAP, because VMC does not have an Aruba TPM certificate.
Solution:
The following curl commands against the Activate API perform this action.
Configuration:
Below are the commands used:
To login:
-----------
curl -k -c cookie.txt -X POST -d "credential_0=username&credential_1=password" https://activate.arubanetworks.com/LOGIN
To add a new certificate:
------------------------
cat <certname> | python -c "import sys, json; print('json={\"cert\":' + json.dumps(sys.stdin.read()) + '}')" | curl -kv -b cookie.txt -X POST --data-urlencode "@-" https://activate.arubanetworks.com/api/ext/ta.json?action=add
To update with a new certificate:
--------------------------------
cat <certname> | python -c "import sys, json; print('json={\"cert\":' + json.dumps(sys.stdin.read()) + '}')" | curl -kv -b cookie.txt -X POST --data-urlencode "@-" https://activate.arubanetworks.com/api/ext/ta.json?action=update
To verify the certificate details:
---------------------------------
curl -kv -b cookie.txt https://activate.arubanetworks.com/api/ext/ta.json?action=detail
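The same procedure (login, upload the certificate as a json={"cert": ...} form body, read it back with action=detail) as an added example in standard-library Python; this is not Aruba's code and not from the original page. It adds the two checks a practitioner wants around the curl pipeline: the file is validated as a PEM certificate before anything is sent, and the trust anchor Activate reports back is compared with the local file by SHA-256 fingerprint. Assumptions: the request body mirrors what curl's --data-urlencode "@-" sends (the whole json={...} string percent-encoded); the function names are my own; the sample PEM and customer_id are constructed placeholders, not a real certificate or account. TLS verification is left on, since the page's own curl trace shows "SSL certificate verify ok" for activate.arubanetworks.com, so the -k flag is not needed.

```python
"""Added example (not Aruba's code): the page's Activate trust-anchor
procedure in stdlib Python, plus a check that the certificate Activate
reports back via ?action=detail is the one that was uploaded."""
import base64
import hashlib
import json
import re
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

ACTIVATE = "https://activate.arubanetworks.com"  # host used throughout the page
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """DER bytes of the first certificate in pem_text; ValueError if the
    input is not a PEM certificate (e.g. a private key pasted by mistake)."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("input is not a PEM-encoded certificate")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    if not der:
        raise ValueError("PEM certificate body is empty")
    return der


def is_pem_certificate(text):
    """True if text is PEM certificate framing around valid base64."""
    try:
        pem_to_der(text)
        return True
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False


def fingerprint(pem_text):
    """SHA-256 fingerprint of the certificate as colon-separated hex."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_payload(pem_text):
    """Exactly the string the page's python one-liner pipes into curl."""
    pem_to_der(pem_text)  # validate before building anything
    return 'json={"cert":' + json.dumps(pem_text) + '}'


def check_detail(detail_body, local_pem):
    """Compare Activate's ?action=detail JSON ({"trust_anchor": {"customer_id":
    ..., "cert": ...}} as on the page) with the local PEM by fingerprint.
    Returns (matches, remote_fingerprint)."""
    remote_pem = json.loads(detail_body)["trust_anchor"]["cert"]
    remote_fp = fingerprint(remote_pem)
    return remote_fp == fingerprint(local_pem), remote_fp


def upload_and_verify(username, password, pem_path, action="add"):
    """Login, upload (action=add or update), then verify via action=detail.
    Returns (matches, remote_fingerprint) from check_detail."""
    with open(pem_path) as fh:
        pem_text = fh.read()
    payload = build_payload(pem_text)
    # CookieJar stands in for curl's -c/-b cookie.txt.  The default SSL context
    # verifies Activate's certificate (the page's trace shows it verifies),
    # so curl's -k is unnecessary here.
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPSHandler(context=ssl.create_default_context()))
    login = urllib.parse.urlencode(
        {"credential_0": username, "credential_1": password}).encode()
    opener.open(ACTIVATE + "/LOGIN", data=login).read()
    # curl --data-urlencode "@-" percent-encodes the whole piped string;
    # quote(..., safe="") yields the same bytes (assumed to be what Activate expects).
    body = urllib.parse.quote(payload, safe="").encode()
    req = urllib.request.Request(
        ACTIVATE + "/api/ext/ta.json?action=" + action, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    opener.open(req).read()
    detail = opener.open(ACTIVATE + "/api/ext/ta.json?action=detail").read()
    return check_detail(detail.decode(), pem_text)


def _sample_pem(placeholder):
    # Constructed sample: PEM framing around base64 of placeholder bytes.
    # NOT a real certificate; nothing above parses X.509.
    body = base64.b64encode(placeholder).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = _sample_pem(b"placeholder DER bytes for the example")
OTHER_PEM = _sample_pem(b"a different placeholder certificate")
SAMPLE_DETAIL = json.dumps({"trust_anchor": {
    "customer_id": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "cert": SAMPLE_PEM}})
```

Usage: upload_and_verify("username", "password", "cert.pem", "add") performs the three requests and returns (True, fingerprint) when the trust anchor Activate now holds is the file that was sent; pass "update" as the last argument for the update flow. The fingerprint is computed over the DER bytes, so it is the same value openssl x509 -fingerprint -sha256 prints for the file.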
Verification:
Sample outputs:
To login:
--------
$ curl -k --insecure -c cookie.txt -X POST -d "credential_0=arubatac&credential_1=******" https://activate.arubanetworks.com/LOGIN
To add a new cert:
-----------------
cat certn.pem | python -c "import sys, json; print 'json={\"cert\":' + json.dumps(sys.stdin.read()) + '}'" | curl -kv -b cookie.txt -X POST --data-urlencode "@-" https://activate.arubanetworks.com/api/ext/ta.json?action=add
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 104.36.249.200...
* TCP_NODELAY set
* Connected to activate.arubanetworks.com (104.36.249.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Sunnyvale; O=Aruba Networks, Inc.; OU=Cloud; CN=activate.arubanetworks.com
* start date: Jan 29 00:00:00 2018 GMT
* expire date: Jan 28 12:00:00 2021 GMT
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust TLS RSA CA G1
* SSL certificate verify ok.
> POST /api/ext/ta.json?action=add HTTP/1.1
> Host: activate.arubanetworks.com
> User-Agent: curl/7.54.0
> Accept: */*
> Cookie: csrf_token=2ff77e52-a5a3-4001-becd-bafdf284db97; session=f923dca1-67cd-4bbd-9bcb-a46baaff3db3
> Content-Length: 1199
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Date: Mon, 05 Aug 2019 15:37:55 GMT
< Server: Apache/2.4.6 (CentOS)
< X-Frame-Options: SAMEORIGIN
< Cache-Control: no-cache
< Content-Disposition: inline;filename=ta.json
< Content-Length: 34
< Content-type: application/json; charset=utf-8
< Expires: -1
< Pragma: no-cache
<
* Connection #0 to host activate.arubanetworks.com left intact
To update the cert:
------------------
$ cat certn.pem | python -c "import sys, json; print 'json={\"cert\":' + json.dumps(sys.stdin.read()) + '}'" | curl -kv -b cookie.txt -X POST --data-urlencode "@-" https://activate.arubanetworks.com/api/ext/ta.json?action=update
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 104.36.249.200...
* TCP_NODELAY set
* Connected to activate.arubanetworks.com (104.36.249.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Sunnyvale; O=Aruba Networks, Inc.; OU=Cloud; CN=activate.arubanetworks.com
* start date: Jan 29 00:00:00 2018 GMT
* expire date: Jan 28 12:00:00 2021 GMT
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust TLS RSA CA G1
* SSL certificate verify ok.
> POST /api/ext/ta.json?action=update HTTP/1.1
> Host: activate.arubanetworks.com
> User-Agent: curl/7.54.0
> Accept: */*
> Cookie: csrf_token=2ff77e52-a5a3-4001-becd-bafdf284db97; session=f923dca1-67cd-4bbd-9bcb-a46baaff3db3
> Content-Length: 1199
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Date: Mon, 05 Aug 2019 15:41:29 GMT
< Server: Apache/2.4.6 (CentOS)
< X-Frame-Options: SAMEORIGIN
< Cache-Control: no-cache
< Content-Disposition: inline;filename=ta.json
< Content-Length: 34
< Content-type: application/json; charset=utf-8
< Expires: -1
< Pragma: no-cache
<
* Connection #0 to host activate.arubanetworks.com left intact
To view the cert:
----------------
curl -kv -b cookie.txt https://activate.arubanetworks.com/api/ext/ta.json?action=detail
* Trying 104.36.249.200...
* TCP_NODELAY set
* Connected to activate.arubanetworks.com (104.36.249.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Sunnyvale; O=Aruba Networks, Inc.; OU=Cloud; CN=activate.arubanetworks.com
* start date: Jan 29 00:00:00 2018 GMT
* expire date: Jan 28 12:00:00 2021 GMT
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust TLS RSA CA G1
* SSL certificate verify ok.
> GET /api/ext/ta.json?action=detail HTTP/1.1
> Host: activate.arubanetworks.com
> User-Agent: curl/7.54.0
> Accept: */*
> Cookie: csrf_token=1aa43116-d3d9-455c-a4d7-2820cf9af3c0; session=26956d31-11a7-4041-8f47-00f9050a67ac
>
< HTTP/1.1 200 OK
< Date: Mon, 05 Aug 2019 15:42:46 GMT
< Server: Apache/2.4.6 (CentOS)
< X-Frame-Options: SAMEORIGIN
< Cache-Control: no-cache
< Content-Disposition: inline;filename=ta.json
< Content-Length: 1157
< Content-type: application/json; charset=utf-8
< Expires: -1
< Pragma: no-cache
< Vary: Accept-Encoding
<
* Connection #0 to host activate.arubanetworks.com left intact
{"trust_anchor":{"customer_id":"9a4b44dd-a5f8-4076-95a1-4c28917d9d3f",
"cert":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----
"}}