ZAC On different host than the controller

First, you definitely don’t need to use the same server cert/key. The quickstarts do that just as an example of using TLS for ZAC. First, you need to place a certificate and key colocated to the ‘server.js’ file which you should find at the root of the directory. The files currently, must be named “server.key” and “server.chain.pem” due to how the code is currently written.

Next, the ZAC currently only works via username/password. There’s no way to configure the ZAC to use an identity from the controller to auth to the management API that I know of. I think we would need to implement that. Instead, what you can do, and what I’d recommend, is you can “split” the management API, create a service for ZAC, and then force ZAC to access the management API from that service.

I don’t have a good instructions or a good video on doing that, but I can outline it for you roughly here.

First Split the API

Open the controller’s config file and go to the bottom ‘web’ section. Notice that the first block of configuration is name, it’s an array and by default, it’s named “client-management”. Duplicate that entire block. In the original stanza, go down to apis and remove the edge-management and fabric binding sections (I will usually comment them out) and then rename the name to just be client… In the new block, rename it to be just management and then comment out the edge-client section in apis and change the bindPoint.interface/address to “some other port” like 18441 and importantly also change the interface from 0.0.0.0 to 127.0.0.1 so that the management interface is ONLY available from 127.0.0.1… You need to “be on the machine” in order to access it… Assuming you have a router located on the controller, you then make a service to offload the management api to 127.0.0.1 and you have secure access to the service… I hope that all makes enough sense, I bet it will for you… :slight_smile:

Here’s an example web config I just made as an example…

web:
  - name: client
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ec2-3-134-108-218.us-east-2.compute.amazonaws.com:8441
    identity:
      ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ip-172-31-47-200-edge-controller-intermediate.cert"
      key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/keys/ec2-3-134-108-218.us-east-2.compute.amazonaws.com-server.key"
      server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-134-108-218.us-east-2.compute.amazonaws.com-server.chain.pem"
      cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-134-108-218.us-east-2.compute.amazonaws.com-client.cert"
    options:
      idleTimeout: 5000ms  #http timeouts, new
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      #- binding: edge-management
      #  options: { }
      - binding: edge-client
        options: { }
      #- binding: fabric
      #  options: { }
  - name: management
    bindPoints:
      - interface: 127.0.0.1:18441
        address: 127.0.0.1:18441
    identity:
      ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ip-172-31-47-200-edge-controller-intermediate.cert"
      key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/keys/ec2-3-134-108-218.us-east-2.compute.amazonaws.com-server.key"
      server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-134-108-218.us-east-2.compute.amazonaws.com-server.chain.pem"
      cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-134-108-218.us-east-2.compute.amazonaws.com-client.cert"
    options:
      idleTimeout: 5000ms  #http timeouts, new
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      #- binding: edge-client
      # options: { }
      - binding: fabric
        options: { }

Once you do that and restart the controller, you’ll see you can’t access the management API on 8441:

curl -sk https://localhost:8441/edge/management/v1
{"error":{"cause":{"code":"UNHANDLED","message":"path /edge/management/v1 was not found"}

But it will now be availalbe on localhost:127.0.0.1:18841:

curl -sk https://localhost:18441/edge/management/v1
{"data":{"apiVersions":{"edge":{"v1":{"apiBaseUrls"..... **etc**

Logging In

Now I need to login to “localhost:18841” like this:

ziti edge login https://localhost:18441/edge/management/v1 -u $ZITI_USER -p $ZITI_PWD -y
Token: 6c606af3-9b64-49ba-a006-10df8c5da381
Saving identity 'default' to /home/ubuntu/.config/ziti/ziti-cli.json

Enabling ZAC to be Dark

Enabling a dark ZAC both in terms of accessing ZAC itself, as well as ZAC accessing ziti instances is on our todo list, we’ll get there some day but for now I think this would be a reasonable compromise.

Hope that helps?

Extra proof - ss

And just for extra ‘proof’, let’s look at the listening ports using sudo and ss:

sudo ss -lntp | grep 8441
LISTEN 0      4096       127.0.0.1:18441      0.0.0.0:*    users:(("ziti",pid=2468893,fd=9))
LISTEN 0      4096               *:8441             *:*    users:(("ziti",pid=2468893,fd=10))

You can see ziti is now listening ONLY on 127.0.0.1:18841 and ${anyInterface}:8441

1 Like