Configuring CCMv2 with a proxy

While creating an environment, you can set up an HTTP CONNECT proxy such as Squid or a comparable product.

For the majority of simple use cases, this is enough to direct the traffic through a proxy. Because the proxy does not hold the private keys that secure the connection, in this setup it cannot perform deep packet inspection on the CCM traffic.

To allow TLS interception, configure your proxy to terminate TLS and re-establish it when relaying the traffic to the agent. This requires that the account has the CDP_CCM_V2_USE_ONE_WAY_TLS entitlement granted.

Once the entitlement is present, create a new environment. After the FreeIPA nodes are running, SSH into them and perform the following steps:

  1. Open /etc/jumpgate/config.toml and copy the pinned CA certificate from the agent.relayServerCertificate parameter.

  2. Configure your proxy server to trust this certificate for the CCM traffic.

  3. Take your proxy server's CA certificate and replace the contents of agent.relayServerCertificate in /etc/jumpgate/config.toml with it.

  4. Configure your proxy to intercept (MITM) the underlying TLS connection.