I have a use case but not sure how/if it can work. I want to use Ansible to edit a gold image VMDK to inject SSH pub keys, network config, etc. to place in a customer environment, which we can then access via SSH to perform internal pen tests.
But as I understand it, the endpoint cert is only good for 24 hours to get initially used?
I want to try to inject the config etc. so that when I ship the customer the VM (they download it) they can boot it and it will connect to the mesh automatically. Then from there I can have given myself/team access to that host and port over Ziti via SSH and go to town. Any thoughts on if this is doable? I'm basically working on a POC to sell management on the idea at the moment.
Thanks!
You would not be able to insert the identity into the gold image, otherwise you will have every gold image being stood up using the same identity. One way is to have a script that the customer can run; given a ‘code’ which is entered into the script, it could pull down a JWT token from your server and authenticate it (maybe part of the first run, where it prompts for the code). Then you would set up the intercepts/service description as you see fit and continue on (use the API to make it repeatable and easy, maybe with Ansible). You would create the ‘code’ JWT when the customer had installed the appliance, by creating the identity and storing the JWT somewhere. The customer then runs the script and it registers with your controller.
Just a thought on how it could be done.
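One way the first-run script from the reply above could look, as an added example that is not code from the thread or from the OpenZiti project. It assumes a hypothetical vendor endpoint (`CODE_SERVER_URL`) that exchanges the one-time code for the enrollment JWT you created with `ziti edge create identity`, reads the token's `exp` claim (without verifying the signature; the controller does that) so an expired token gives a clear error instead of a failed CLI call, runs the one-time enrollment through `ziti edge enroll --jwt ... --out ...`, and removes the JWT afterwards so a single-use token does not linger on the appliance. `make_sample_jwt` builds a structurally valid token for local testing only; the file paths are assumptions.

```python
#!/usr/bin/env python3
"""First-boot Ziti enrollment helper (added example, not OpenZiti project code)."""
import base64
import json
import subprocess
import sys
import time
import urllib.request
from pathlib import Path
from typing import Optional

# Hypothetical vendor endpoint that returns the enrollment JWT for a one-time code.
CODE_SERVER_URL = "https://enroll.example.invalid/jwt"
# Assumed locations on the appliance; adjust to your image layout.
IDENTITY_PATH = Path("/opt/openziti/identity.json")
JWT_PATH = Path("/opt/openziti/enroll.jwt")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Signature verification happens on the controller during enrollment; this
    only reads the claims so the script can fail early with a clear message.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Seconds left before the token's exp claim passes (negative once expired)."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("enrollment JWT has no exp claim")
    return float(exp) - (time.time() if now is None else now)


def make_sample_jwt(claims: dict) -> str:
    """Build a structurally valid JWT with a dummy signature (constructed test input only)."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"


def fetch_jwt(code: str) -> str:
    """Exchange the one-time code for the enrollment JWT at the assumed endpoint."""
    req = urllib.request.Request(
        CODE_SERVER_URL,
        data=json.dumps({"code": code}).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode().strip()


def enroll(jwt_path: Path, out_path: Path) -> None:
    """Run the one-time CLI enrollment; the identity file is what the tunneler uses afterwards."""
    subprocess.run(
        ["ziti", "edge", "enroll", "--jwt", str(jwt_path), "--out", str(out_path)],
        check=True,
    )


def main(argv: list) -> int:
    if IDENTITY_PATH.exists():
        print(f"already enrolled: {IDENTITY_PATH}")  # idempotent on reboots
        return 0
    if len(argv) != 2:
        print("usage: first_boot_enroll.py <one-time-code>", file=sys.stderr)
        return 2
    token = fetch_jwt(argv[1])
    if seconds_until_expiry(token) <= 0:
        print("enrollment JWT has expired; reissue the identity on the controller", file=sys.stderr)
        return 1
    JWT_PATH.write_text(token)
    enroll(JWT_PATH, IDENTITY_PATH)
    JWT_PATH.unlink()  # single-use token; do not leave it on the appliance
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the identity file is written on the customer's side at first boot, each copy of the image ends up with its own identity, which is the point of the reply above; the gold image itself carries only this script and the code the customer is given.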
No, I mean, using Ansible, I would APPLY the identity to the image created BASED on the gold image.
I have a starting image and I copy a new image based on that, based on the customer.
Also, the customers would not have access to log into the image; it's purely for the pen testers to access it w/o customer intervention. Some of our customers are not technical enough to manage that process.
Basically I'm trying to do this process with Ziti if I can and not use OpenVPN.
Auto-enrollment with 3rd party CAs was developed to help in manufacturing scenarios, mainly in IoT. This sounds similar to me to what you’re trying to do. Have a look at Enrollment | OpenZiti
Thanks!!! That might be what I need. I’m hoping to not go the OpenVPN route. Appreciate it!