Tortixd Configuration
Introduction
Tortixd is the web console daemon for Atomic Secured Linux.
Tortixd Settings
ACL System
If you want to block access to Tortixd, except from certain IPs, just add the IPs to this file:
/etc/awp/firewall/tortixd-access-list.json
Note
Add ONE IP or CIDR per line in this file.
Then reload the ASL Security Policy by running the following command:
awp -s -f
This will block and log any access to port 30001 from IPs not on that list. Repeated attempts to connect will also result in the offending IP being shunned.
If you want to allow all IPs to connect (this opens up the ASL web login page to everybody), add the following line to /etc/AO/firewall/tortixd-access-list.json:
0.0.0.0/0
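The list above is only as safe as the entries in it: a mistyped address silently drops your own access, and 0.0.0.0/0 opens the login page to everyone. The following is an added example, not code from the page or from Atomic Secured Linux; it lints a list in the one-entry-per-line format the page describes before you reload the policy with awp -s -f. The sample file contents, the function names, and the temp-file handling are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or from Atomic Secured Linux.
# Lints a Tortixd access list (one IP or CIDR per line, as the page describes)
# before "awp -s -f" loads it, so a typo does not lock you out and a
# 0.0.0.0/0 entry does not go unnoticed.

# Return 0 if ENTRY is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_or_cidr() {
    entry="$1"
    case "$entry" in
        */*) addr="${entry%%/*}"; prefix="${entry#*/}" ;;
        *)   addr="$entry"; prefix=32 ;;
    esac
    # Prefix must be all digits and at most 32.
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Split the address on dots (glob expansion disabled while splitting).
    old_ifs=$IFS; IFS=.
    set -f; set -- $addr; set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if FILE contains a 0.0.0.0/0 entry (console reachable from any IP).
acl_allows_all() {
    grep -Eq '^[[:space:]]*0\.0\.0\.0/0[[:space:]]*$' "$1"
}

# Print a verdict per line of FILE. Returns 0 when every non-blank line is a
# valid IPv4 address or CIDR, 1 otherwise. 0.0.0.0/0 is valid but flagged.
validate_access_list() {
    file="$1"; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        entry=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$entry" ] && continue          # skip blank lines
        if is_ipv4_or_cidr "$entry"; then
            if [ "$entry" = "0.0.0.0/0" ]; then
                echo "line $n: $entry  WARNING: allows every IP (console open to all)"
            else
                echo "line $n: $entry  ok"
            fi
        else
            echo "line $n: $entry  INVALID: expected one IPv4 address or CIDR"
            bad=1
        fi
    done < "$file"
    return $bad
}

# Demo on a constructed sample list (the live file on the page is
# /etc/awp/firewall/tortixd-access-list.json; the contents below are made up).
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' '192.0.2.10' '198.51.100.0/24' '203.0.113.999' '0.0.0.0/0' > "$sample"
    validate_access_list "$sample"
    rm -f "$sample"
}
demo
```

Run it against the real list with validate_access_list /path/to/list before awp -s -f; a non-zero exit means at least one line would not parse as an IP or CIDR, and a WARNING line means the console is reachable from everywhere.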
Log Files
Tortixd log files are stored in the following directory:
/var/log/tortixd
There are several types of log files for Tortixd:
asl_access_log
This contains any access requests to the non-SSL protected AP web console port. This is disabled by default: the AP web console only allows connections to its SSL port, so this file should be empty. If it is not, someone has enabled non-SSL access to the AP web console.
asl_error_log
This contains general errors the AP web console has encountered.
asl_ssl_access_log
This contains any access requests to the SSL protected AP web console port. By default the AP web console will only allow connections to its SSL port.
asl_ssl_error_log
This contains general errors with SSL support in the AP web console, and other general errors the AP web console may have encountered.
If you are having issues with setting up your own SSL certs, any errors will be logged in this file.
SSL Certificates
If you wish to configure the AP web console to use a different SSL certificate, check with your SSL vendor for instructions on setting up SSL keys and certificates for Apache. Each SSL vendor may require you to change different settings. The AP web console SSL settings are provided in this file:
/etc/httpd/conf.d/ssl.conf
The following is provided as a courtesy, and should not be used unless you know what you are doing. Always follow the instructions of your SSL vendor.
Generic Instructions
Step 1: Configure Apache to point to your SSL cert, key, and CA bundle
Note
These files, and the directories containing them, must have permissions that allow the tortix user to read them. Unlike Apache, for security reasons tortix does NOT start as root, and therefore cannot read every file on the system.
Set the following values in your Apache configuration file:
SSLCertificateFile /your/path/to/your.cert
SSLCertificateKeyFile /your/path/to/your.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Step 2: Restart AP
Restart AP by running the following command:
service awpd restart
Errors You May Encounter
x509 certificate routines:X509_check_private_key:key values mismatch
This error means the private key file (that you supplied via your configuration) does not match the certificate (that you supplied via your configuration). This can happen if you mix up the key and certificate. You can test this from the command line:
To make sure the files tally, display the modulus value of each file:
openssl rsa -noout -modulus -in FILE.key
openssl req -noout -modulus -in FILE.csr
openssl x509 -noout -modulus -in FILE.cert
If everything matches (same modulus), the files are compatible. If not, one of the files is not linked to the others.
Note
Modulus only applies to private keys and certificates using the RSA cryptographic algorithm. If you generated an ECC (Elliptic Curve Cryptography) private key, or if your certificate is signed with ECC, you won't find a modulus.
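The modulus comparison above and the ECC caveat can be folded into one check that runs before the files go into ssl.conf. The following is an added example, not code from the page or from Atomic Secured Linux: it implements the page's RSA modulus comparison, and alongside it an algorithm-independent comparison of the public key derived from the private key against the public key in the certificate, which works for ECC as well. The throwaway key pairs it generates are constructed test data, and the function names and temp-directory handling are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or from Atomic Secured Linux.
# Verifies that a private key and a certificate belong together, so a swapped
# or mismatched file is caught before "service awpd restart" logs
# X509_check_private_key:key values mismatch.

# Page method: compare RSA moduli. Returns 0 on match, 1 on mismatch,
# 2 when either file is unreadable or has no RSA modulus (e.g. an ECC key).
rsa_modulus_match() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    for m in "$key_mod" "$cert_mod"; do
        # A real modulus prints as "Modulus=<hex>"; anything else is not RSA.
        case "$m" in Modulus=*) ;; *) return 2 ;; esac
        case "${m#Modulus=}" in ''|*[!0-9A-Fa-f]*) return 2 ;; esac
    done
    [ "$key_mod" = "$cert_mod" ]
}

# Algorithm-independent method (RSA and ECC): derive the public key from the
# private key and extract the public key from the certificate; the two PEM
# blocks must be identical. Returns 0 on match, 1 on mismatch, 2 on parse error.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ -n "$cert_pub" ] || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Generate a throwaway self-signed pair DIR/NAME.key and DIR/NAME.crt.
# ALG is "rsa" or "ec". Constructed test data only, never use for a real host.
make_test_pair() {
    dir="$1"; name="$2"; alg="$3"
    if [ "$alg" = "ec" ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key" 2>/dev/null
    else
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    fi
    openssl req -new -x509 -key "$dir/$name.key" -out "$dir/$name.crt" \
        -subj "/CN=tortixd-example-$name" -days 1 2>/dev/null
}

# Human-readable verdict for one key/cert pair.
report() {
    rc=0; key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK       $1 matches $2" ;;
        1) echo "MISMATCH $1 does not match $2 (check for swapped files)" ;;
        *) echo "ERROR    cannot parse $1 or $2" ;;
    esac
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_test_pair "$tmp" rsa rsa
    make_test_pair "$tmp" ec ec
    make_test_pair "$tmp" other rsa
    report "$tmp/rsa.key"   "$tmp/rsa.crt"    # OK
    report "$tmp/ec.key"    "$tmp/ec.crt"     # OK, although ECC has no modulus
    report "$tmp/other.key" "$tmp/rsa.crt"    # MISMATCH: key from a different pair
    rm -rf "$tmp"
}
demo
```

For a real deployment call key_matches_cert on the files named by SSLCertificateKeyFile and SSLCertificateFile; it gives the same answer as the modulus comparison for RSA and still works when rsa_modulus_match returns 2 because the key is ECC.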