NEWBIE: Creating User for Enrollment using OTT

I am creating a small testing lab at home with one Windows laptop connected to a Linux box (where I installed the Controller and Edge Router through the quickstart - Host OpenZiti Anywhere). As part of the Tunneler installation/configuration on my Windows laptop, I got stuck on the OTT. I got confused on the part "after you create a user" ... Not knowing how to do that, I went on and typed the command stated in the doc (seen below) but got an Authorization error. Which step(s) am I missing?

One time tokens are delivered from the controller as a jwt and the token expires 24 hours after the identity is created. The token is downloadable via the Ziti Admin Console. After you create a user you can go to the Identities page and click the icon that looks like a certificate to download the .jwt file.

You can also create an identity for one time token enrollment using the ziti cli tool. This command will create a new identity and output the jwt to the selected path. You can then transfer the .jwt file to the device where the permanent identity JSON file will be installed by running the enroll command.

#creates a new user named "NewUser"
ziti edge create identity user "NewUser" -o NewUser.jwt
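Added example (written for this edit; it is not code from the thread or from the OpenZiti project): the Edge Management API calls that the doc's `ziti edge create identity ... -o NewUser.jwt` performs. The endpoint paths and field names follow the Edge Management API as I know it and should be checked against your controller version; `CTRL_URL`, `CA_BUNDLE` and the admin credentials are placeholders. The point to take from it is the first step: every management call must carry the session token in the `zt-session` header, which the CLI obtains with `ziti edge login`. Without it the controller answers with exactly the UNAUTHORIZED envelope quoted in the question.

```python
"""Edge Management API steps behind `ziti edge create identity NAME -o NAME.jwt`.

Added example, not OpenZiti code. Assumptions: paths/fields per the Edge Management API
as understood by the example's author; CTRL_URL, CA_BUNDLE and credentials are placeholders.
"""
import json
import ssl
import urllib.error
import urllib.request

CTRL_URL = "https://localhost:1280"   # placeholder: your controller's advertised edge address
CA_BUNDLE = "/path/to/pki/cas.pem"    # placeholder: CA bundle that signed the controller cert


class ZitiApiError(Exception):
    pass


def parse_api_response(status, body_text):
    """Unwrap the controller's JSON envelope; raise on the error envelope.

    UNAUTHORIZED is what the API returns when the zt-session header is absent or stale,
    i.e. the caller never authenticated (the CLI does this in `ziti edge login`)."""
    body = json.loads(body_text)
    if status >= 400 or "error" in body:
        err = body.get("error", {})
        code = err.get("code", "HTTP_%d" % status)
        hint = ""
        if code == "UNAUTHORIZED":
            hint = " (no valid session: authenticate first, i.e. run `ziti edge login`)"
        raise ZitiApiError("%s: %s%s" % (code, err.get("message", ""), hint))
    return body["data"]


def build_request(path, method="GET", payload=None, session_token=None):
    """Return (url, method, headers, body) for a management API call."""
    headers = {"Accept": "application/json"}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode()
    if session_token:
        headers["zt-session"] = session_token  # the session the CLI caches after login
    return "%s/edge/management/v1/%s" % (CTRL_URL, path), method, headers, body


def http_transport(url, method, headers, body):
    """Real transport: TLS pinned to CA_BUNDLE; returns (status, body_text) even on 4xx."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def authenticate(transport, username, password):
    """POST /authenticate?method=password -> session token (what `ziti edge login` stores)."""
    req = build_request("authenticate?method=password", "POST",
                        {"username": username, "password": password})
    return parse_api_response(*transport(*req))["token"]


def create_ott_identity(transport, token, name):
    """Create an identity enrolled by one-time token; returns the identity id."""
    payload = {"name": name, "type": "Default", "isAdmin": False, "enrollment": {"ott": True}}
    req = build_request("identities", "POST", payload, token)
    return parse_api_response(*transport(*req))["id"]


def fetch_enrollment_jwt(transport, token, identity_id):
    """Read the identity back; the OTT JWT sits at data.enrollment.ott.jwt until used/expired."""
    req = build_request("identities/" + identity_id, "GET", None, token)
    return parse_api_response(*transport(*req))["enrollment"]["ott"]["jwt"]


if __name__ == "__main__":
    session = authenticate(http_transport, "admin", "admin")   # placeholder credentials
    ident_id = create_ott_identity(http_transport, session, "NewUser")
    with open("NewUser.jwt", "w") as f:                         # same artefact as `-o NewUser.jwt`
        f.write(fetch_enrollment_jwt(http_transport, session, ident_id))
```

The transport is passed in so the envelope handling can be exercised with canned responses; `http_transport` is the real one. The JWT written at the end is a bearer secret for enrolling that identity, so treat the file like a password until the Windows tunneler has consumed it.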

Hi @nei.chiaradia, welcome to the community and to OpenZiti (and zrok and BrowZer)!

It's hard to know exactly where you're at and what failed. Are you using the Windows client? Can you look at the logs from that client for any tips as to what went wrong? The logs are usually pretty good and clear as to what might have happened.

You can find them from the UI. Main Menu -> Advanced Settings -> Service Logs

Thank you for the reply. I will try to add more info below.

  1. I am following the documentation for quickstart (Host Openziti Anywhere)

  2. I have installed a Debian Linux to serve as the host for Openziti, httpd, ftpd and sshd

  3. There is a Windows laptop with a private address on its Ethernet interface, connected to the Debian Linux (which has a private address on the Ethernet interface attached to that network)

  4. From the Windows laptop I can browse, ftp and ssh to the Debian Linux

  5. Following the documentation I executed the commands ...
    export EXTERNAL_IP="$(curl -s eth0.me)"
    export ZITI_CTRL_EDGE_IP_OVERRIDE="${EXTERNAL_IP}"
    export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
    export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
    export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
    export ZITI_CTRL_ADVERTISED_PORT=8440
    export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441
    export ZITI_ROUTER_PORT=8442
    source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/ziti-cli-functions.sh)"; expressInstall
    createControllerSystemdFile
    createRouterSystemdFile "${ZITI_ROUTER_NAME}"
    stopRouter
    stopController
    sudo cp "${ZITI_HOME}/${ZITI_CTRL_NAME}.service" /etc/systemd/system/ziti-controller.service
    sudo cp "${ZITI_HOME}/${ZITI_ROUTER_NAME}.service" /etc/systemd/system/ziti-router.service
    sudo systemctl daemon-reload
    sudo systemctl enable --now ziti-controller
    sudo systemctl enable --now ziti-router
    sudo systemctl -q status ziti-controller --lines=0 --no-pager
    sudo systemctl -q status ziti-router --lines=0 --no-pager
    source ~/.ziti/quickstart/$(hostname -s)/$(hostname -s).env

  6. Now it was in the Next Steps that I got stuck. I intend to use the tunneler on my Windows laptop to access the httpd/ftpd/sshd (one at a time) running on my Debian Linux. In this phase the 1st step would be ...
    Now that you have your network in place, you probably want to try it out. Head to the Your First Service quickstart and start learning how to use OpenZiti.

  7. On that page I selected Zero Trust Host Access ...
    Zero Trust Host Access
    If you're not a developer, or if you have an application which you can't (or don't want to) change you can start with "zero trust host access". For this, you will install an OpenZiti tunneler on your "clients" and on your "servers" and provide access to your services using these executables. If this sounds like a good place to start, follow the Your First Service quickstart.

  8. Selecting Tunneler/Windows ...

  9. I downloaded to my Windows laptop and ran ...
    Ziti.Desktop.Edge.Client-*.exe

  10. As part of the Enrolling section I clicked on the guide ...
    Enrolling
    Following this guide to create an identity and transfer the jwt file to your PC.

     Go back to the Windows Desktop Edge widget and click ADD IDENTITY.
    
  11. In Creating section, I chose OTT

  12. I got confused with the "after you create a user" as seen below ...
    One time tokens are delivered from the controller as a jwt and the token expires 24 hours after the identity is created. The token is downloadable via the Ziti Admin Console. After you create a user you can go to the Identities page and click the icon that looks like a certificate to download the .jwt file.

  13. Before I tried to use the CLI as explained in the continuation of that OTT section, I ran netstat -tulnp to make sure the Controller and Router were running ...
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 8097/cupsd
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 733/sshd: /usr/sbin
    tcp6 0 0 :::1280 :::* LISTEN 7221/ziti
    tcp6 0 0 :::10080 :::* LISTEN 7249/ziti
    tcp6 0 0 :::6262 :::* LISTEN 7221/ziti
    tcp6 0 0 :::80 :::* LISTEN 762/apache2
    tcp6 0 0 :::22 :::* LISTEN 733/sshd: /usr/sbin
    tcp6 0 0 :::3022 :::* LISTEN 7249/ziti
    udp 0 0 127.0.0.1:53 0.0.0.0:* 7249/ziti
    udp 0 0 0.0.0.0:41661 0.0.0.0:* 591/avahi-daemon: r
    udp 0 0 0.0.0.0:5353 0.0.0.0:* 591/avahi-daemon: r
    udp6 0 0 :::5353 :::* 591/avahi-daemon: r
    udp6 0 0 :::44284 :::* 591/avahi-daemon: r

  14. I also ran systemctl to check their status ...
    ● ziti-controller.service - Ziti-Controller
    Loaded: loaded (/etc/systemd/system/ziti-controller.service; enabled; preset: enabled)
    Active: active (running) since Tue 2024-10-22 14:23:46 CDT; 1 day 19h ago
    Main PID: 7221 (ziti)
    Tasks: 10 (limit: 4416)
    Memory: 63.7M
    CPU: 22.894s
    CGroup: /system.slice/ziti-controller.service
    └─7221 /home/nei/.ziti/quickstart/ziti/ziti-bin/ziti-v1.1.15/ziti controller run /home/nei/.ziti/quickstart/ziti/ziti.yaml
    ● ziti-router.service - Ziti-Router for ziti-edge-router
    Loaded: loaded (/etc/systemd/system/ziti-router.service; enabled; preset: enabled)
    Active: active (running) since Tue 2024-10-22 14:23:47 CDT; 1 day 19h ago
    Main PID: 7249 (ziti)
    Tasks: 10 (limit: 4416)
    Memory: 25.9M
    CPU: 10.817s
    CGroup: /system.slice/ziti-router.service
    └─7249 /home/nei/.ziti/quickstart/ziti/ziti-bin/ziti-v1.1.15/ziti router run /home/nei/.ziti/quickstart/ziti/ziti-edge-router.yaml

  15. Now, confused as I was about the user creation, as I could not see where and how to do that, I went on and got the ziti.log (I did not see any service.log under the ./ziti/quickstart/ziti directory)
    [ 0.066] WARNING ziti/controller/config.LoadConfig: this environment is using a default generated trust domain [spiffe://518d0904ce4a6b93a1e871f5b861ce1502dec8f5], it is recommended that a trust domain is specified in configuration via URI SANs or the 'trustDomain' field
    [ 0.066] WARNING ziti/controller/config.LoadConfig: this environment is using a default generated trust domain [spiffe://518d0904ce4a6b93a1e871f5b861ce1502dec8f5], it is recommended that if network components have enrolled that the generated trust domain be added to the configuration field 'additionalTrustDomains' array when configuring a explicit trust domain
    [ 0.067] INFO ziti/ziti/controller.run: {version=[v1.1.15] nodeId=[ziti] go-version=[go1.23.1] os=[linux] arch=[amd64] build-date=[2024-10-02T12:59:41Z] revision=[0eec47ce3c80]} starting ziti-controller
    [ 0.119] INFO ziti/controller/db.RunMigrations.(*migrationManager).Migrate.func1: edge datastore is up to date at version 37
    [ 1.208] INFO ziti/common/metrics.ConfigureGoroutinesPoolMetrics.GoroutinesPoolMetricsConfigF.func1.1: {minWorkers=[0] maxWorkers=[100] idleTime=[30s] maxQueueSize=[100] poolType=[pool.router.messaging]} starting goroutine pool
    [ 1.208] INFO ziti/controller/network.(*Network).showOptions: network = {
    "CreateCircuitRetries": 2,
    "CycleSeconds": 60,
    "EnableLegacyLinkMgmt": false,
    "InitialLinkLatency": 65000000000,
    "IntervalAgeThreshold": 0,
    "MetricsReportInterval": 60000000000,
    "MinRouterCost": 10,
    "PendingLinkTimeout": 10000000000,
    "RouteTimeout": 10000000000,
    "RouterConnectChurnLimit": 60000000000,
    "RouterComm": {
    "QueueSize": 100,
    "MaxWorkers": 100
    },
    "Smart": {
    "RerouteFraction": 0.02,
    "RerouteCap": 4,
    "MinCostDelta": 15
    }
    }
    [ 1.208] INFO ziti/controller/webapis.NewFabricManagementApiFactory: initializing management api factory with 0 xmgmt instances
    [ 1.208] INFO ziti/controller.(*Controller).showOptions: ctrl = {
    "OutQueueSize": 4,
    "MaxQueuedConnects": 1,
    "MaxOutstandingConnects": 16,
    "ConnectTimeout": 5000000000,
    "DelayRxStart": false,
    "WriteTimeout": 0,
    "MessageStrategy": null,
    "NewListener": null,
    "AdvertiseAddress": {},
    "RouterHeartbeatOptions": {
    "sendInterval": 10000000000,
    "checkInterval": 1000000000,
    "closeUnresponsiveTimeout": 30000000000
    },
    "PeerHeartbeatOptions": {
    "sendInterval": 10000000000,
    "checkInterval": 1000000000,
    "closeUnresponsiveTimeout": 30000000000
    }
    }
    [ 1.208] INFO ziti/controller/server.NewController: edge controller instance id: cm2kt13gn0000amdkyd2ovjmq
    [ 1.208] INFO ziti/controller.(*Controller).RegisterXmgmt: adding xmgmt *server.submgmt, enabled? true
    [ 1.208] INFO ziti/controller/server.(*Controller).Initialize: initializing edge
    [ 1.264] INFO ziti/controller/internal/policy.NewSessionEnforcer: {sessionTimeout=[30m0s] frequency=[5s]} session enforcer configured
    [ 1.265] INFO ziti/controller/server.(*Controller).Run: starting edge
    [ 1.265] INFO ziti/controller.(*Controller).Run.GoroutinesPoolMetricsConfigF.func1.1: {poolType=[pool.listener.ctrl] minWorkers=[1] idleTime=[10s] maxQueueSize=[1] maxWorkers=[16]} starting goroutine pool
    [ 1.265] INFO channel/v3.(*UnderlayDispatcher).Run: started
    [ 1.267] INFO ziti/controller/server.(*Controller).checkEdgeInitialized: edge initialized
    [ 1.477] INFO xweb/v2.(*Server).Start: starting ApiConfig to listen and serve tls on 0.0.0.0:1280 for server client-management with APIs: [edge-management edge-client fabric]
    [ 1.541] INFO ziti/controller/network.(*Network).Run: started
    [ 3.149] ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[127.0.0.1:37546] error=[remote error: tls: bad certificate]} handshake failed
    [ 4.149] ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {error=[remote error: tls: bad certificate] remote=[127.0.0.1:37622]} handshake failed
    [ 12.022] INFO ziti/ziti/controller.waitForShutdown: shutting down ziti-controller
    [ 12.023] INFO ziti/controller/server.(*Controller).Shutdown: edge controller: shutting down...
    [ 12.023] INFO ziti/controller/server.(*Controller).Shutdown: edge controller: stopped
    [ 12.023] INFO ziti/controller/server.(*Controller).Shutdown: fabric controller: shutting down...
    [ 12.023] INFO transport/v2/tls.(*sharedListener).runAccept [tls:0.0.0.0:6262]: {error=[accept tcp [::]:6262: use of closed network connection]} listener closed, exiting
    [ 12.023] INFO transport/v2/tls.(*sharedListener).runAccept [tls:0.0.0.0:6262]: exited
    [ 12.023] INFO ziti/controller/server.(*Controller).Shutdown: fabric controller: stopped
    [ 12.023] INFO ziti/controller/server.(*Controller).Shutdown: shutdown complete
    [ 12.023] ERROR channel/v3.(*UnderlayDispatcher).Run: {error=[closed]} error accepting connection
    [ 12.023] WARNING channel/v3.(*UnderlayDispatcher).Run: exited
    [ 12.023] INFO ziti/controller/network.(*Network).Run: exited

  16. Then I ran the command from the Creating/OTT section, introduced in the doc as follows ...
    You can also create an identity for one time token enrollment using the ziti cli tool. This command will create a new identity and output the jwt to the selected path. You can then transfer the .jwt file to the device where the permanent identity JSON file will be installed by running the enroll command.

       I got this below ...

    {
        "error": {
            "code": "UNAUTHORIZED",
            "message": "The request could not be completed. The session is not authorized or the credentials are invalid",
            "requestId": "EaBqHP0H7"
        },
        "meta": {
            "apiEnrollmentVersion": "0.0.1",
            "apiVersion": "0.0.1"
        }
    }

  17. The ziti.log after I executed the command above did not change. Most likely I am not running something or looking at the right place for a service.log or the like.

Hope this helps a bit.

Thanks,

Ok. What did you get confused by?

Overall, there's a lot of text to read up there -- I think I read all of it. I get the sense you're probably at a point of "overall" confusion maybe?

Is there something I could do that would help you understand or get you through it? Would a video help out? There are numerous on our youtube channel -- I could find a relevant one for you?

I would also create you a quick one showing you a quick walkthrough if that'd help you best?

It SOUNDS to me that your network is setup properly. Let's verify that? Let's run this command:

ziti ops verify-traffic --host sg4.parkplace-via-dhcp --port 1280 --username admin --password admin   

replace the values accordingly. Run that on the machine that runs the controller and then run that on the windows machine.

Make sure it works from both. Can we start there? That will prove that your overlay is setup properly and we can focus on just the windows side?

I thought I had replied but looks like I did not. Well, here is the output for Debian Linux (where I run the Controller) ...

nei@ziti:~$ ziti ops verify-traffic --host 169.254.84.101 --port 1280 --username admin --password admin
WARNING no prefix and mode is not 'both'. default prefix of 2024-10-24-1547 will be used
INFO connecting with user admin to https://169.254.84.101:1280
FATAL Post "https://169.254.84.101:1280/edge/management/v1/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 169.254.84.101

Looks like a problem with the X509 certificate using IP 169.254.84.101, right?

How to fix that?

Now for my Windows laptop, that command does not exist ... Would it be there when I downloaded and installed the Ziti Desktop Edge? That was the only thing I downloaded and executed following the documentation for the tunneler for Windows ...

Do you have some documentation with a step-by-step or even a video that can help with the setup of a Debian Linux to run the Controller and Edge Router (quickstart) plus a tunneler for Windows so I can test this simple network?

Thanks,

Nei
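Added example, not code from the thread or from the OpenZiti project: the two offline checks a practitioner wants at this point. The `verify-traffic` failure above says the controller certificate's subject alternative names do not include `169.254.84.101`, so `--host` (and the address a tunneler is sent to) must be one of the names or IPs the certificate was issued for. The code below reads the claims of an enrollment JWT without verifying its signature (a diagnostic read, not trust) to see which controller address and expiry it carries, and applies the SAN matching rule the Go TLS stack enforces. The sample token is constructed with `alg=none` purely so the example runs offline; the `em` claim name is an assumption.

```python
"""Inspect an OpenZiti enrollment JWT offline and test its issuer host against cert SANs.

Added example, not OpenZiti code. No signature verification is done: this only reads claims.
Claim names other than the standard iss/sub/exp (e.g. `em`) are assumptions.
"""
import base64
import ipaddress
import json
import time
from urllib.parse import urlsplit


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_claims(token):
    """Return the payload of a compact JWS (header.payload.signature) WITHOUT verifying it."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def enrollment_summary(claims, now=None):
    """What matters before enrolling: which controller the token points at, and for how long."""
    now = time.time() if now is None else now
    parsed = urlsplit(claims.get("iss", ""))
    exp = claims.get("exp")
    return {
        "controller_host": parsed.hostname or "",   # this host must be on the cert's SAN list
        "controller_port": parsed.port,
        "method": claims.get("em"),                 # assumed claim: 'ott' for one-time token
        "identity_id": claims.get("sub"),
        "expired": exp is not None and now >= exp,  # OTT tokens live 24h after creation
        "seconds_left": None if exp is None else int(exp - now),
    }


def host_matches_san(host, san_entries):
    """Does `host` satisfy one SAN entry? Entries look like ('IP', '127.0.0.1') or ('DNS', name).

    Same rules as RFC 6125/5280 verifiers: an IP literal only matches an IP SAN, exactly;
    a DNS name matches case-insensitively, with '*' allowed only as the whole left-most label.
    A hostname is never matched against the CN, so 127.0.0.1 in the SAN list does not
    make 169.254.84.101 valid."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
            continue
        if kind != "DNS":
            continue
        h, v = host.lower().rstrip("."), value.lower().rstrip(".")
        if h == v:
            return True
        if v.startswith("*.") and "." in h and h.split(".", 1)[1] == v[2:]:
            return True
    return False


def make_sample_jwt(claims):
    """Unsigned (alg=none) token, constructed only so this example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    sample = make_sample_jwt({"iss": "https://169.254.84.101:1280", "sub": "abc123",
                              "em": "ott", "exp": int(time.time()) + 86400})
    info = enrollment_summary(decode_jwt_claims(sample))
    print(info)
    # SAN list as the error message above implies: IP 127.0.0.1 is covered, 169.254.84.101 is not.
    print(host_matches_san(info["controller_host"], [("IP", "127.0.0.1"), ("DNS", "localhost")]))
```

To get the real SAN list from a running controller, `openssl s_client -connect HOST:1280 </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` prints it (OpenSSL 1.1.1 or newer); pass one of those entries to `--host`. A real `.jwt` file can be fed to `decode_jwt_claims` in the same way as the sample.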

How about I do an entire video today at 11 am eastern time for ziti tv. It'll cover bringing your network online and demonstrate how to setup your first service.

I live stream so if you're interested you (and anyone) can show up at YouTube and ask questions

I would really appreciate that. Unfortunately, I have another two calls today in the morning that would conflict with the 11 AM EST.

  1. Is there a way to watch the video afterwards? I would just need the link to the video, of course, and I understand I would miss the incredible chance to ask questions live.
  2. Have that done either in the afternoon today or next week?

Cheers,

ALL Ziti TV's are available to stream from YouTube. There's a lot of them! :slight_smile: So yes, you'll be able to watch after.

I could move the time. I had nothing planned so, I could move it to a different time to accommodate. Let me know what time and we'll do a "special ziti tv" and we can interact.

Playlists here:

If it is not too much for you what about today between 3 PM - 5 PM EST? Or next week, Monday through Thursday at anytime?

3pm ET today it will be

@ 3 PM

Thank you for accommodating me.

Nei

Hi, Clint!

Thank you again for the video last week. I am now looking at the Windows laptop part. After I downloaded and ran Ziti Desktop Edge I noticed I don't have a .ziti file under my home directory. Should I have to download and run something else before the Ziti Desktop Edge?

Following your recommendation for powershell, I downloaded and installed it in my Windows laptop. When I tried to run what you showed on your video I got an error. I bet I can't read quite well what the video is showing in the command line after iex(. This is what I got ...

PowerShell 7.4.6
PS C:\Users\Nei> iex(imr -Url https://get.openziti.io/quick/getZiti.psl)
imr: The term 'imr' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
PS C:\Users\Nei> iex(lmr -Url https://get.openziti.io/quick/getZiti.psl)
lmr: The term 'lmr' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
PS C:\Users\Nei>

Thank you!

Nei

it's "Invoke-WebRequest" or iwr, not imr :slight_smile:

iex(iwr -Uri https://get.openziti.io/quick/getZiti.ps1)

You won't have a file there on the windows side, that's on the linux side where you ran the quickstart from.

Ah, OK! The display resolution did not help with the iwr/imr ... Will try it.

Understood in regards to .ziti directory (sorry, I wrote file in my previous answer). So it is just the Ziti Desktop Edge download on the Windows laptop side. Will keep you posted.

Hi Clint,

I made good progress after watching your video about the topic a few more times. Now I am stuck on another point and maybe you can give me some pointers.

  1. I could create an identity and service (www.ziti.com:80 -> 127.0.0.1:80) and browsing www.ziti.com led me to my apache2 running on Debian
  2. Same success for private IP of one Ethernet port of my Debian (private IP1:80 -> 127.0.0.1:80)
  3. Now I am trying to test ftp. Before I add that service, I try to ftp (from my Windows laptop) to the private IP of Debian; it works IF the Windows Tunneler is stopped, otherwise it does not work (timeout). If I use a different IP address of Debian (other ethernet interface) it works fine with the Windows tunneler ON. There is no service created for that 2nd IP address of Debian.

Any pointers?

Thanks,

Nei

FTP is a particularly troublesome protocol. If you haven't looked into how "active" vs "passive" FTP works, you're in for a real treat...

The short of it is you should make sure you run your FTP server in passive (pasv) mode and you need to make sure the IP that the FTP server responds with is one that you'll intercept.

It's a little finicky, but if you use FTP with PASV mode, I think you'll get it working. I looked around for some doc or a blog or anything but I couldn't find the doc for it. I was sure we had it somewhere on the NetFoundry site but I might not be remembering correctly.

If I find a guide I'll share it - until then look into using passive/pasv mode NOT active. With active mode, the server calls back to the client. You could probably get that working with OpenZiti but it's much more complex of a task.

Thank you, but I was not even there yet. The problem I faced was, BEFORE creating a service for ftp in openziti, I tried to validate if all was working. Using one path (192.168.7.X) to which both Debian and my Windows laptop belong, that worked. Now, using the other path (169.254.84.X), to which both Debian and the Windows laptop also belong, it did not work. The difference is that I have one service already assigned that reads 169.254.84.x Port 80, intercepted by the Tunneler on the Windows laptop and sent to 127.0.0.1 Port 80. The IP (Debian's IP) matches when I ftp from Windows, but not the Port. I thought there would be no interception, but I get a connection timeout on my ftp client. Looks like the Tunneler is ignoring the port I am using and considering all ports to intercept ... Does this make sense?

Our tunnelers are not able to filter IP + PORT due to how IP routing works. So when you intercept an IP address, it'll be "all or nothing".

If you want, you can optionally choose to capture one or more ports. Being a zero trust overlay, we would encourage you to capture as few ports as necessary, however often when testing, you can choose to "capture them all" and use an intercept to capture ports 1-65535. If you do that, make sure you choose to 'forward' the ports in the host.v1 config.

Hopefully that makes sense and helps
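Added example, not code from the thread or from the OpenZiti project: the two config bodies behind the "capture them all" advice above, with the check that goes with it. The field names follow the documented `intercept.v1` and `host.v1` schemas; the service and config names are made up. The narrow service (one address, one port, fixed backend port) is the zero-trust shape to prefer; the wide one (ports 1-65535 on the address) only works if the `host.v1` side forwards the intercepted port and allows that range, which is the mistake the check reports.

```python
"""intercept.v1 / host.v1 bodies for a tunneler-hosted service, plus a coverage check.

Added example, not OpenZiti code. Schemas follow the documented intercept.v1 and host.v1
config types; service/config names and the addresses are constructed.
"""
import json


def intercept_config(addresses, port_ranges, protocols=("tcp",)):
    """intercept.v1: what the client-side tunneler captures. port_ranges: [(low, high), ...]."""
    return {
        "protocols": list(protocols),
        "addresses": list(addresses),
        "portRanges": [{"low": lo, "high": hi} for lo, hi in port_ranges],
    }


def host_config_fixed(address, port, protocol="tcp"):
    """host.v1 for a single-port service: every intercepted connection lands on address:port."""
    return {"protocol": protocol, "address": address, "port": port}


def host_config_forwarding(address, allowed_port_ranges, protocols=("tcp",)):
    """host.v1 that forwards the intercepted port/protocol through, as a wide intercept needs."""
    return {
        "forwardProtocol": True,
        "allowedProtocols": list(protocols),
        "address": address,
        "forwardPort": True,
        "allowedPortRanges": [{"low": lo, "high": hi} for lo, hi in allowed_port_ranges],
    }


def hosting_covers_intercept(intercept, host):
    """Return the list of problems; empty means the host side can serve everything intercepted.

    A fixed-port host only makes sense when exactly one port is intercepted (otherwise every
    captured port collapses onto one backend port); a forwarding host must allow each
    intercepted range in full and each intercepted protocol."""
    problems = []
    ranges = [(r["low"], r["high"]) for r in intercept["portRanges"]]
    if host.get("forwardPort"):
        allowed = [(r["low"], r["high"]) for r in host.get("allowedPortRanges", [])]
        for lo, hi in ranges:
            if not any(a <= lo and hi <= b for a, b in allowed):
                problems.append("intercepted ports %d-%d not within allowedPortRanges" % (lo, hi))
        if host.get("forwardProtocol"):
            missing = set(intercept["protocols"]) - set(host.get("allowedProtocols", []))
            if missing:
                problems.append("protocols not allowed on host: %s" % ",".join(sorted(missing)))
    else:
        total = sum(hi - lo + 1 for lo, hi in ranges)
        if total != 1:
            problems.append("intercept captures %d ports but host.v1 has a fixed port %s"
                            % (total, host.get("port")))
    return problems


def cli_commands(service, intercept, host):
    """The `ziti edge create ...` lines that install these bodies (names constructed)."""
    return [
        "ziti edge create config %s-intercept intercept.v1 '%s'" % (service, json.dumps(intercept)),
        "ziti edge create config %s-host host.v1 '%s'" % (service, json.dumps(host)),
        "ziti edge create service %s --configs %s-intercept,%s-host" % (service, service, service),
    ]


if __name__ == "__main__":
    # Narrow (preferred): one address, one port, fixed backend port.
    narrow_i = intercept_config(["169.254.84.101"], [(80, 80)])
    narrow_h = host_config_fixed("127.0.0.1", 80)
    print(hosting_covers_intercept(narrow_i, narrow_h))          # []
    # Wide (testing only): all ports on the address. Fixed host is the mistake; forwarding fixes it.
    wide_i = intercept_config(["169.254.84.101"], [(1, 65535)], protocols=("tcp", "udp"))
    print(hosting_covers_intercept(wide_i, narrow_h))            # one problem reported
    wide_h = host_config_forwarding("127.0.0.1", [(1, 65535)], ("tcp", "udp"))
    print(hosting_covers_intercept(wide_i, wide_h))              # []
    print("\n".join(cli_commands("debian-all-ports", wide_i, wide_h)))
```

Even with the wide intercept the address is still captured whole by the Windows tunneler, so a plain ftp session to that IP on port 21 will be routed over the overlay once the service is created; with only the port-80 service in place it is captured and dropped, which is the timeout described earlier in the thread.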

Now starts to make more sense about the behavior I am seeing. So the interception is based on IP address only, not IP + PORT.

Now, If I want the service to be rendered by a different Debian (not the one I am using) would it be in the box HOSTING CONFIGURATION with the content @ziti-edge-router in the 1st Debian (What identities can host this service?) and the IP address or name of the 2nd Debian (HOSTNAME/IP) and related destination port (PORT)?