Purpose
I thought I would document a few things to help people get started, especially if, like me, they have a lot to learn before they can get going.
Scope
I have not gone deep into the commands for creating identities, policies, configurations etc., as you can find those quite readily in the Discourse posts and YouTube videos.
What I wanted to do was share a few things that took me quite some time to work through, in the hope that you won't get stuck for as long as I did.
High level guideline
Step 1: get the QuickStart install working
I decided to use a remote server installation because I had access to a remote server.
When I did eventually get this working, my next thought was: what's next?
Tip: if you are self-hosting on an Oracle Cloud compute instance, you need to use the IP address rather than the DNS name of the server, because that DNS name is private and not reachable from outside. This is important because the name you give is used to name the PKI certificates, so clients must later connect using a name the certificates were issued for.
You can create your own public DNS name for the server, but the IP works fine as a learning experience.
https://openziti.github.io/ziti/quickstarts/network/hosted.html
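To see why the name you hand to the quickstart matters, here is an added example (mine, not code from the post or the OpenZiti project) that mimics a PKI issuing a certificate for a given name and then checks which connection names pass hostname verification. The address 10.0.0.5 and the name myserver.example.internal are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
)

// selfSignedCert mimics what the quickstart PKI does with the name you give it:
// that name becomes the certificate's Subject Alternative Name. An IP literal
// goes into IPAddresses; anything else is treated as a DNS name.
func selfSignedCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	if ip := net.ParseIP(name); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatches reports whether a client that connects to connectName would pass
// hostname verification against a certificate issued for certName.
func NameMatches(certName, connectName string) (bool, error) {
	cert, err := selfSignedCert(certName)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(connectName) == nil, nil
}

func main() {
	// Constructed values: a private address and a made-up private DNS name.
	byIP, _ := NameMatches("10.0.0.5", "10.0.0.5")
	byName, _ := NameMatches("10.0.0.5", "myserver.example.internal")
	fmt.Println(byIP, byName) // true false
}
```

The second result is the failure you hit when the PKI was built with one name and a client dials another; the controller's own certificates behave the same way.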
Tip: it's well worth the effort to install ZAC (the Ziti Admin Console) when getting started. I did not do this initially, but once I did, I started to learn faster because of the visual interface. You can learn as you observe what happens when you create identities, services etc.
This was how I realised that the terminator is created automatically when you run a service host.
Despite this, I do prefer to configure the controller from the command line, because I can have it all planned beforehand and just cut and paste into the command prompt.
Step 2: get the reflect example working
This is fairly straightforward; the pieces I struggled with were the commands to run the example, so here they are:
go run main.go server -i reflectServer.json -s reflect
go run main.go client -i reflectClient.json -s reflect
Tip: you only have 5 minutes to enroll your identity
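As an added example (mine, not the post's or the project's), here is a Go check that reads the exp claim from an enrollment JWT and reports how much of the enrollment window is left, which is handy when scripting enrollment of several identities. It only reads the claim and does no signature validation, and the token it builds is a constructed stand-in for a controller-issued one.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// The enrollment token the controller hands out is a JWT; only exp matters here.
type enrollmentClaims struct {
	ExpiresAt int64 `json:"exp"`
}

// EnrollmentWindow returns how long the token remains usable relative to now.
// A negative duration means the enrollment window has already closed.
func EnrollmentWindow(token string, now time.Time) (time.Duration, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not a JWT: expected 3 dot-separated segments")
	}
	// JWT segments are unpadded base64url; tolerate a padded copy-paste anyway.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return 0, fmt.Errorf("decoding payload: %w", err)
	}
	var c enrollmentClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return 0, fmt.Errorf("parsing claims: %w", err)
	}
	if c.ExpiresAt == 0 {
		return 0, fmt.Errorf("token has no exp claim")
	}
	return time.Unix(c.ExpiresAt, 0).Sub(now), nil
}

// MakeToken builds a constructed, unsigned token so the example runs offline (real ones are controller-signed).
func MakeToken(exp int64) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(enrollmentClaims{ExpiresAt: exp})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	issued := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	tok := MakeToken(issued.Add(5 * time.Minute).Unix()) // 5 minute window
	left, _ := EnrollmentWindow(tok, issued.Add(2*time.Minute))
	fmt.Println("time left to enroll:", left) // 3m0s
}
```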
Step 3: get the desktop tunneller working
With the same reflect server running, you can create another identity for your desktop tunneller
Download the app, create an identity and enroll it on your desktop client.
Remember to create an intercept for your identity that includes the address you will use to run the example.
In the following case, I used golanghttp.zitified as the intercept address:
http://golanghttp.zitified:2000/add?a=1&b=2
Tip: this example is over plain HTTP, because it is a simple HTTP server and there is no TLS enabled on the service.
Step 4: get the mobile tunneller working
This is almost a carbon copy of step 3, except it's for the mobile tunneller.
Download the app, create an identity and enroll it in the mobile app.
If you want, you can enroll the identity by scanning a QR code from ZAC, which is really cool.
Then use the same URL and it should work:
http://golanghttp.zitified:2000/add?a=1&b=2
Tip: in my case, I could not enter this URL directly in my mobile browser and needed to click a link instead.
Step 5: get the zitified ssh client working
By this time you will have covered the basics and be ready for the zitified SSH client. I think if I had started with this, I might still be trying to work out how to get it working.
Install the tunneller app on the server
It took me quite some time to understand that you actually need to install something on the server. This is important because you need to bind an identity to this application for the zitified SSH service to run; it is also what creates the terminator. It also took me a while to work out where the file was, and I found it after a bit of digging.
It is a bit different from the reflect example, which requires an HTTP server to be installed rather than a Ziti application.
Download the release archive and unzip it to find the ziti-edge-tunnel binary.
You need this to enroll the server identity.
wget <asset URL from https://github.com/openziti/ziti-tunnel-sdk-c/releases>
.. that link is the releases page, not a file; browse it and select the archive appropriate for your host.
Install the ssh app on the desktop
Download the file, rename it to zssh, and make it executable:
chmod +x zssh
Then move it to a bin folder that is included in your PATH.
wget <asset URL from https://github.com/openziti-test-kitchen/zssh/releases>
.. again, that link is the releases page; select the file appropriate for your host.
Now it's time to create the identities and enroll them. Here are the commands:
sudo ./ziti-edge-tunnel enroll --jwt ssh_server.jwt --identity ./ssh_server.json
zssh enroll ssh.client.jwt
Now it's time to run ziti-edge-tunnel.
This will create the terminator automatically:
sudo ./ziti-edge-tunnel run --identity ./ssh_server.json
Now you are all set up to run the zitified SSH client:
zssh user@identity -d -s ssh_service -c /zssh.json -i /ssh-key.key
Final afterthought: take care with your naming convention
Here is a quote from @dovholuknf, with great insights to learn from:
If you look at the sort of stuff I do now, I will CLEARLY mark a service with “.svc” and I sometimes will make identities with “.id”… Since it’s “any string you want” - I fall into similar traps myself. I try really hard not to reuse the exact same string anywhere because it’s just so dang easy to screw up (for me). So when I add an attribute to an identity, it’ll be something obvious, and plural like “sshable endpoints”. Or “ssh servers”