TAXII Integration
Currently, the TAXII server is intended to work with Unfetter when building from source. Use one of the following commands to start the Unfetter stack with the TAXII server.
docker-compose -f docker-compose.yml -f docker-compose.development.yml -f docker-compose.taxii.development.yml up
docker-compose -f docker-compose.yml -f docker-compose.deploy.yml -f docker-compose.taxii.development.yml up
In docker-compose.taxii.development.yml, there are two sections to include TAXII Nginx configurations in the unfetter-discover-gateway volume mountings. The first one is completely unsecured; the second one uses mutual TLS authentication through Nginx but requires the additional configuration seen below.
For information about configuring the TAXII server itself, see: https://github.com/unfetter-discover/taxii-server#configuration
Mutual TLS is handled through Nginx.
- Go to unfetter/mutual TLS and run the ./init.sh script
- Start/Restart the stack
- Confirm it's working by running the ./test_taxii.sh script and confirming a successful return
- Confirm that it's secured by confirming the following command is not successful (i.e., returns a 400):
curl -ks https://localhost:8443/taxii \
-H 'accept: application/vnd.oasis.taxii+json; version=2.0' \
-H 'content-type: application/vnd.oasis.taxii+json; charset=utf-8; version=2.0'
- To create additional client certificates, run the ./new_client.sh somename script, and give somename the somename-crt.pem and somename-key.pem files. This can be tested via ./test_taxii.sh somename, as long as somename's cert and key are in the same directory.
- FYI - This configuration will open the reverse proxy to the TAXII server on a separate port, 8443 - be sure that port is exposed from the server
- WARNING - The certificates generated by these scripts are NOT secure as they are self-signed and the password is password. These scripts are meant to provide an example and are for testing purposes.
Note: These instructions will only configure TLS between the client and Nginx. It is possible to configure TLS to the TAXII server directly (see the TAXII README for details).
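The two confirmation steps above can be combined into one repeatable check. The script below is an added example, not one of the Unfetter scripts: it requests the TAXII endpoint once without and once with a client certificate, and fails unless the anonymous request returns 400 and the authenticated one succeeds. The function names and the TAXII_URL variable are assumptions; the certificate file names follow the somename-crt.pem / somename-key.pem pattern described above.

```shell
#!/bin/sh
# Added example (not part of Unfetter): regression check for the mutual-TLS proxy.
# TAXII_URL and all function names are assumptions made for this example.
TAXII_URL="${TAXII_URL:-https://localhost:8443/taxii}"
ACCEPT='accept: application/vnd.oasis.taxii+json; version=2.0'
CTYPE='content-type: application/vnd.oasis.taxii+json; charset=utf-8; version=2.0'

# Print only the HTTP status code of a request to TAXII_URL.
# Extra arguments (e.g. --cert/--key) are passed through to curl.
# curl prints 000 when no HTTP response was received at all.
taxii_status() {
  curl -ks -o /dev/null -w '%{http_code}' --max-time 10 "$@" \
    -H "$ACCEPT" -H "$CTYPE" "$TAXII_URL" || true
}

# Judge the pair of status codes: $1 = no client cert, $2 = with client cert.
mtls_verdict() {
  anon="$1"; auth="$2"
  case "$anon" in
    400) ;;  # expected: the proxy refuses a request without a client cert
    2??) echo "FAIL: anonymous request accepted ($anon)"; return 1 ;;
    000) echo "FAIL: no HTTP response for anonymous request"; return 1 ;;
    *)   echo "FAIL: unexpected anonymous status ($anon)"; return 1 ;;
  esac
  case "$auth" in
    2??) echo "OK: anonymous=$anon, client-cert=$auth" ;;
    *)   echo "FAIL: client certificate not accepted ($auth)"; return 1 ;;
  esac
}

# Usage: sh check_mtls.sh somename  (expects somename-crt.pem and
# somename-key.pem in the current directory, as with ./test_taxii.sh)
main() {
  name="$1"
  anon="$(taxii_status)"
  auth="$(taxii_status --cert "./$name-crt.pem" --key "./$name-key.pem")"
  mtls_verdict "$anon" "$auth"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A "FAIL: anonymous request accepted" result typically means the gateway is running with the unsecured TAXII Nginx configuration rather than the mutual TLS one.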
Made by NSA Information Assurance