Difference between revisions of "Encryption in manager api customer"

From VoIPmonitor.org
Jump to navigation Jump to search
(Created page with "= Manager API = The manager api is used by the GUI for requesting files, giving listing of active sessions (CALLs/REGISTERs) or other stats. Since version of a sniffer 2024.02...")
 
(7 intermediate revisions by the same user not shown)
Line 13: Line 13:
  
 
=== manager's encryption options ===
 
=== manager's encryption options ===
 +
 
==== socketfile ====
 
==== socketfile ====
 
The volunary option for openning the socketfile used for unencrypted requests/responses of the manager api at a time of start the sniffer service.
 
The volunary option for openning the socketfile used for unencrypted requests/responses of the manager api at a time of start the sniffer service.
 
  managersocket = /tmp/vm_manager_socket
 
  managersocket = /tmp/vm_manager_socket
 
  
 
==== the key options ====
 
==== the key options ====
Line 27: Line 27:
 
  VPMANAGER_AES_KEY
 
  VPMANAGER_AES_KEY
 
  VPMANAGER_AES_IV
 
  VPMANAGER_AES_IV
VPMANAGER_AES_CIPHER (default is aes-128-cbc)
 
 
==== generating the key ====
 
You can ask GUI to generate the key and also store it to db for being used by the GUI and sniffer's xchanges
 
enter the GUI's installation folder and ask run.php like
 
php run.php generate_aes_key
 
 
Other options of the run.php related to keys
 
generate_aes_key - generates the new key don't saves it
 
store_aes_key - generates and stores the key to db
 
delete_aes_key - remves the key from db
 
 
  
 
== How to use the API - examples ==
 
== How to use the API - examples ==
 
In following examples will be introduced various ways on how to send manager command listcalls and receive the answer
 
In following examples will be introduced various ways on how to send manager command listcalls and receive the answer
=== with disabled encryption ===
 
echo listcalls | nc 127.0.0.1 5029
 
 
=== With encryption - by GUIs run.php ===
 
 
==== id_sensor based request ====
 
==== id_sensor based request ====
 
  php php/run.php send_manager_cmd -s 2 -c listcalls
 
  php php/run.php send_manager_cmd -s 2 -c listcalls
Line 70: Line 54:
 
  echo 'manager_file start /tmp/vm_manager_socket' | nc 127.0.0.1 5029
 
  echo 'manager_file start /tmp/vm_manager_socket' | nc 127.0.0.1 5029
  
==== use the socket file
+
==== use the socket file ====
You can use the scocket file with pure requests without encryption
+
You can use the socketfile this way
 
  echo listcalls | nc -U /tmp/vm_manager_socket
 
  echo listcalls | nc -U /tmp/vm_manager_socket
 
  
 
==== the socket file remove ====
 
==== the socket file remove ====
Line 79: Line 62:
 
  echo 'manager_file stop' | nc 127.0.0.1 5029
 
  echo 'manager_file stop' | nc 127.0.0.1 5029
  
 +
==== use the SSH for accesing the socketfile from other host ====
 +
ssh myGUIhost 'echo listcalls | nc -U /tmp/vm_manager_socket'
  
Manager command's task listcalls
+
= Hints =
 +
== nc command not supports -U ==
 +
In debian 10 and 12 you need to use netcat-openbsd package for installing nc binary that supports -U socketfile
  
==== use the SSH for accesing the socketfile from other host ====
+
== How to force use of same key in two GUI/DB hosts ==
ssh myGUIhost 'echo listcalls | nc -U /tmp/vm_manager_socket'
+
For HA configuration type where there are two sniffer hosts storing CDRs to same db and data from one db gets migrated to another db, you need to use same key in both DB hosts - following command will read key from HOST1 and will write it to HOST2:
 +
key=$(echo "select content from \`system\` where type = 'manager_key'" | mysql -h HOST1 -u root -pPASS1 -D DBname1 2>/dev/null | grep key) && echo "update \`system\` set content = '$key' where type = 'manager_key'" | mysql -h HOST2 -u root -pPASS2 -D DBname2 2>/dev/null
  
= How to disable the encryption =
+
== How to disable the encryption ==
 
disables the encryption completely (not recmmended for production - use for testing/debuging)
 
disables the encryption completely (not recmmended for production - use for testing/debuging)
 
  manager_enable_unencrypted = yes
 
  manager_enable_unencrypted = yes
 +
 +
=== Use of the api when encryption is disabled ===
 +
echo listcalls | nc 127.0.0.1 5029
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
.

Revision as of 19:47, 29 February 2024

Manager API

The manager api is used by the GUI for requesting files, giving listing of active sessions (CALLs/REGISTERs) or other stats. Since version of a sniffer 2024.02.2 and GUI 26.20, the voipmonitor introduces encryption for xchanges between manager and the GUI. The encryption is enabled by default.

Configuration

By default you don't need to configure anything, generating the key and use it by the GUI and sniffer is fully automated.

manager api bind options

configuration in voipmonitor.conf - by default the voipmonitor sniffer binds on 127.0.0.1:5029 

managerip=127.0.0.1
managerport=5029

manager's encryption options

socketfile

The volunary option for openning the socketfile used for unencrypted requests/responses of the manager api at a time of start the sniffer service. 

managersocket = /tmp/vm_manager_socket

the key options

By default the voipmonitor's sniffer and GUI loads the key from voipmonitor GUI's db. You can override this by define the keys options in /etc/voipmonitor.conf it accepts the base64 form of a key - you can generate by the GUI (Read bellow) 

manager_aes_key
manager_aes_iv

and In the GUI's configuration.php 

VPMANAGER_AES_KEY
VPMANAGER_AES_IV

How to use the API - examples

In following examples will be introduced various ways on how to send manager command listcalls and receive the answer

id_sensor based request

php php/run.php send_manager_cmd -s 2 -c listcalls

-s id_sensor: 2
-c command: listcalls

IP:port based request

php php/run.php send_manager_cmd -h s4.voipmonitor.org -p 5029 -a -c listcalls
-h host: 10.0.0.1
-p port: 5029
-a enables encryption
-c command: listcalls

using sniffers socketfile

You can use unencrypted request by sending to a socket file

define socketfile in voipmonitor.conf

Define the option in /etc/voipmonitor.conf, the socket file will be created at a time of the service start, when undefined you can ask new socketfile with a manager request. 

managersocket = /tmp/vm_manager_socket

enable socketfile in a runtime

Send request to an api to open manager_socket file: 

echo 'manager_file start /tmp/vm_manager_socket' | nc 127.0.0.1 5029

use the socket file

You can use the socketfile this way 

echo listcalls | nc -U /tmp/vm_manager_socket

the socket file remove

You can ask kmanager api for remove of the file (the removing has not real usecase) 

echo 'manager_file stop' | nc 127.0.0.1 5029

use the SSH for accesing the socketfile from other host

ssh myGUIhost 'echo listcalls | nc -U /tmp/vm_manager_socket'

Hints

nc command not supports -U

In debian 10 and 12 you need to use netcat-openbsd package for installing nc binary that supports -U socketfile

How to force use of same key in two GUI/DB hosts

For HA configuration type where there are two sniffer hosts storing CDRs to same db and data from one db gets migrated to another db, you need to use same key in both DB hosts - following command will read key from HOST1 and will write it to HOST2: 

key=$(echo "select content from \`system\` where type = 'manager_key'" | mysql -h HOST1 -u root -pPASS1 -D DBname1 2>/dev/null | grep key) && echo "update \`system\` set content = '$key' where type = 'manager_key'" | mysql -h HOST2 -u root -pPASS2 -D DBname2 2>/dev/null

How to disable the encryption

disables the encryption completely (not recmmended for production - use for testing/debuging) 

manager_enable_unencrypted = yes

Use of the api when encryption is disabled

echo listcalls | nc 127.0.0.1 5029








.

Retrieved from "https://www.voipmonitor.org//doc/index.php?title=Encryption_in_manager_api_customer&oldid=4762"