Summary of my learnings… starting at ground zero


I thought I would document a few things to help people get started… especially if, like me, they have a lot to learn before they can get started.


I have not gone deep into the commands on how to create the identities, policies, configurations etc… as you can find them quite readily in the discourse posts and YouTube videos.

What I wanted to do was to share a few things that took me quite some time to work through… and hope that by sharing them… you won’t get as stuck for as long as I did.

High level guideline

Step 1: get the QuickStart install working

I decided to use a remote server installation because I had access to a remote server.

When I did eventually get this working… my next thought was… what’s next?

Tip… if you are doing a self-host on an Oracle compute instance… you need to use the IP address, not the DNS name of the server… because the DNS name is private and not accessible. This is important because it is used to name the PKI certificates.

You can create your own public DNS name for the server… but it works with the IP as a learning experience.

Tip… it's well worth the effort to install ZAC when getting started. I did not do this initially… but… once I did… I started to learn faster because of the visual interface. You can learn as you observe what happens when you create identities, services etc.

This was how I realised that the terminator is created automatically when you run a service host.

Despite this… I do prefer to configure the controller using command lines because I can have it all planned beforehand… and just cut and paste into the command prompt.

Step 2: get the reflect example working

This is fairly straightforward… the pieces I struggled with were the commands to run the example… so here they are 🙂

go run main.go server -i reflectServer.json -s reflect

go run main.go client -i reflectClient.json -s reflect

Tip: you only have 5 minutes to enroll your identity.

Step 3: get the desktop tunneller working

With the same reflect server running, you can create another identity for your desktop tunneller.

Download the app, create an identity and enroll it on your desktop client.

Remember to create an intercept for your identity that includes the address you will use to run the example.

In the following case… I used golanghttp.zitified in the intercept.


Tip… this example is over HTTP… because it is a simple HTTP server and there is no TLS service enabled.
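As an added example (not from the original post or the OpenZiti project), here is a small shell helper that builds the two config documents a tunnelled service like the one above needs: an intercept.v1 config naming the address the client-side tunneller captures (golanghttp.zitified, from the post) and a host.v1 config telling the hosting side where to forward. Port 80, the 127.0.0.1 address and the config names are assumptions; the `ziti edge create` commands are only printed for copy-and-paste into the controller CLI, which matches the "plan it beforehand" approach above.

```shell
#!/bin/sh
# Added example: generate intercept.v1 / host.v1 JSON for a plain-HTTP service.
# Assumed values: port 80 for the HTTP server, 127.0.0.1 as the hosting-side
# address, and the config/service names below are made up for illustration.

# Reject anything that is not a TCP port number; a typo here would otherwise
# produce a config the controller accepts but that never matches any traffic.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# intercept.v1: address + port range the client tunneller captures.
# $1 = intercepted address, $2 = port
intercept_config() {
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' "$1" "$2" "$2"
}

# host.v1: where the hosting tunneller forwards the intercepted traffic.
# $1 = address the real server listens on, $2 = port
host_config() {
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# Print the controller CLI commands to paste, so the plan can be reviewed first.
# $1 = service name, $2 = intercepted address, $3 = hosting address, $4 = port
print_service_plan() {
    svc=$1
    icfg=$(intercept_config "$2" "$4") || return 1
    hcfg=$(host_config "$3" "$4") || return 1
    echo "ziti edge create config ${svc}.intercept.v1 intercept.v1 '$icfg'"
    echo "ziti edge create config ${svc}.host.v1 host.v1 '$hcfg'"
    echo "ziti edge create service ${svc}.svc --configs ${svc}.intercept.v1,${svc}.host.v1"
}

# Example plan for the address used in the post (names/port are assumptions).
print_service_plan golanghttp golanghttp.zitified 127.0.0.1 80
```

The `.svc` suffix on the service name follows the naming advice quoted at the end of the post.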

Step 4: get the mobile tunneller working

This is almost a carbon copy of step 3… except it's for the mobile tunneller.

Download the app, create an identity and enroll it on your mobile client.

If you want, you can enroll the identity using a QR code from ZAC… this is really cool.

Then… use the same URL and it should work.


Tip… in my case… I could not enter this URL directly in my mobile browser… and needed to click a link.

Step 5: get the zitified ssh client working

By this time… you will have covered the basics… and be ready for the zitified ssh client. I think if I started with this… I may still be trying to work out how to get it working.

Install the tunneller app on the server
It took me quite some time to understand that you actually need to install something on the server. This is important because you need to bind an identity to this application for the zitified ssh service to run. It is also what creates the terminator. It also took me a while to work out where the file was… and I found it after a bit of digging.

It is a bit different to the reflect example, which requires an HTTP server to be installed… rather than a Ziti application.

Download the file and unzip it to find ziti-edge-tunnel
You need this to enroll the server identity.

wget … select the file appropriate for your host

Install the ssh app on the desktop
Download the file, change the name to zssh, and make it executable:
chmod +x zssh
Move it to a bin folder that is included in your PATH.

wget … select the file appropriate for your host

Now it's time to create the identities and enroll them.
Here are the commands:

sudo ./ziti-edge-tunnel enroll --jwt ssh_server.jwt --identity ./ssh_server.json

zssh enroll ssh.client.jwt

Now it's time to run ziti-edge-tunnel.
This will create the terminator automatically:

sudo ./ziti-edge-tunnel run --identity ./ssh_server.json

Now you are all set up to run the zitified ssh client:

zssh user@identity -d -s ssh_service -c /zssh.json -i /ssh-key.key
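Two things in the steps above bite in practice: the enrollment token is only good for a few minutes (the 5-minute tip in step 2), and the identity JSON that `ziti-edge-tunnel enroll` writes contains the identity's private key. As an added example (not from the original post or the OpenZiti project), this shell helper reads the `exp` claim out of the JWT before enrolling, refuses an expired token with a clear message instead of a confusing enrollment error, and tightens the permissions on the resulting identity file. It assumes the enrollment token is a standard JWT carrying a numeric `exp` claim; the enroll flags are the ones used in the post, and the sample token is constructed for the example.

```shell
#!/bin/sh
# Added example: pre-flight an OpenZiti enrollment JWT, then enroll and lock
# down the identity file. Assumption: the token is a standard JWT whose
# payload carries a numeric "exp" (expiry, epoch seconds) claim.

# Decode the payload (second dot-separated segment) of a JWT to JSON.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
    case $(( ${#seg} % 4 )) in                               # restore padding
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Pull the numeric exp claim out of the payload (prints nothing if absent).
jwt_exp() {
    jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Seconds until the token expires; negative if it has already expired.
# $1 = token string, $2 = reference time in epoch seconds (defaults to now).
jwt_seconds_remaining() {
    now=${2:-$(date +%s)}
    exp=$(jwt_exp "$1")
    [ -n "$exp" ] || { echo "token has no exp claim" >&2; return 2; }
    echo $(( exp - now ))
}

# Enroll a tunneller identity only while the token is still valid, then make
# the identity file (it holds the private key) readable by its owner only.
# $1 = ziti-edge-tunnel command, e.g. "sudo ./ziti-edge-tunnel" (split on purpose)
# $2 = enrollment JWT file, $3 = identity JSON file to write
enroll_tunnel_identity() {
    zet=$1; jwt_file=$2; out=$3
    [ -r "$jwt_file" ] || { echo "cannot read $jwt_file" >&2; return 1; }
    left=$(jwt_seconds_remaining "$(cat "$jwt_file")") || return 1
    if [ "$left" -le 0 ]; then
        echo "$jwt_file expired $(( 0 - left ))s ago; create a new enrollment token" >&2
        return 1
    fi
    echo "token valid for another ${left}s, enrolling..."
    # Same flags as in the post; $zet is intentionally unquoted so a
    # "sudo ./ziti-edge-tunnel" prefix is split into command words.
    $zet enroll --jwt "$jwt_file" --identity "$out" || return 1
    chmod 600 "$out"
}

# Constructed sample token (NOT a real Ziti JWT; unsigned, signature segment
# left empty): header {"alg":"none"}, payload {"sub":"ssh_server","exp":1700000300}.
SAMPLE_JWT='eyJhbGciOiJub25lIn0.eyJzdWIiOiJzc2hfc2VydmVyIiwiZXhwIjoxNzAwMDAwMzAwfQ.'

# Usage against real files, mirroring the command in the post:
#   enroll_tunnel_identity "sudo ./ziti-edge-tunnel" ssh_server.jwt ./ssh_server.json
```

`jwt_seconds_remaining` takes an optional reference time so the check can be exercised deterministically; with the sample token and a reference of 1700000000 it reports 300 seconds, i.e. the five-minute window the post mentions.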

Final afterthought… take care with your naming convention

Here is a quote from @dovholuknf… great insights to learn from:

If you look at the sort of stuff I do now, I will CLEARLY mark a service with “.svc” and I sometimes will make identities with “.id”… Since it’s “any string you want” - I fall into similar traps myself. I try really hard not to reuse the exact same string anywhere because it’s just so dang easy to screw up (for me). So when I add an attribute to an identity, it’ll be something obvious, and plural like “sshable endpoints”. Or “ssh servers”