Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Authentication Troubleshooting

            Modified on Wed, 9 Nov, 2022 at 4:40 PM

            TABLE OF CONTENTS

            GETTING STARTED

            The Gremlin Daemon (gremlind) connects to the Gremlin Control Plane and waits for attack orders from you. When it receives attack orders, it uses the Gremlin Agent (gremlin) to run the attack.

            To connect the Gremlin Daemon to the Control Plane, you need your client credentials, provided either via secret-based authentication using TEAM ID and SECRET, or via signature-based authentication using PEM certificates. These credentials are not the same as the email and password credentials you use to access the Gremlin web app. To read about user authentication through the Gremlin web app, see User Authentication.


            Client authentication methods

            There are two methods for authenticating clients with Gremlin:

            • Secret authentication involves a secret string value that Gremlin clients use to prove their identity. Secrets are created from the Gremlin UI, and are like passwords. They can never be retrieved from Gremlin after creation; they can only be reset.
            • Signature authentication requires supplying a public and private ECDSA certificate-key pair to Gremlin clients. This certificate pair is created from the Gremlin web app, and can be downloaded again at any time, but expires 1 year from the date of creation.

            Both authentication methods can be configured with the Gremlin configuration file or environment variables. See Advanced configuration to learn more about how to configure Gremlin.


            Secret-based authentication

            Create a secret

            To use secret-based authentication as a new user, sign in to the Gremlin web app. Go to Team Settings, and click your Team. From the Team Settings page, on the secret line, click Create to create a new secret.

            If a secret already exists, you must revoke the existing secret; this will cause a new one to be generated. If you revoke an existing secret and create a new one, you will need to reconfigure any existing clients.

            Configure clients with secret

            To configure Gremlin clients for secret authentication, follow one of the [advanced configuration] (/docs/getting-started/advanced-configuration/) methods:

            set team_id and team_secret in your config.yaml

            YAML

            team_id: 11111111-1111-1111-1111-111111111111team_secret: 11111111-1111-1111-1111-111111111111
            Generic

            or pass environment variables GREMLIN_TEAM_ID and GREMLIN_TEAM_SECRET directly to the gremlind process.

            SHELL

            # export these to the gremlind process or save them to /etc/default/gremlind (used by Systemd and SysV)GREMLIN_TEAM_ID=11111111-1111-1111-1111-111111111111GREMLIN_TEAM_SECRET=11111111-1111-1111-1111-111111111111
            Generic

            Additionally, secret authentication can also be set up via gremlin init

            SHELL

            gremlin init --tag service=my-api --tag service-version=1.0.0 --tag service-type=http
            Generic

            If secret-based auth is successful, the client will create a hidden file, .credentials in the gremlin user's home directory. This file contains an authentication token that gremlind uses to connect to the Gremlin Control Plane.

            Signature-based authentication

            Download a certificate pair

            To download your certificate, navigate to Company Settings in the Gremlin web app.

            Then click the Team whose client credentials you want to download. (Each team has its own client credentials.)


            Each Team page has everything your Gremlin clients need to authenticate to the Control Plane: the Team ID and Certificate.

            Click Download to get your Team Certificate.

            The downloaded zip file contains both a public-key certificate and a matching private key. Unzip the file, and register Gremlin clients to the Control Plane with the included certificate, private key, and your Team ID.

            Configure clients with certificate pair

            To configure Gremlin clients for signature authentication, follow one of the advanced configuration methods:

            set team_id, team_certificate, and team_private_key in your config.yaml

            • YAML

              #/etc/gremlin/config.yamlteam_id: 11111111-1111-1111-1111-111111111111team_certificate: file:///var/lib/gremlin/cert.pemteam_private_key: file:///var/lib/gremlin/key.pem
              Generic

              or pass environment variables GREMLIN_TEAM_ID, GREMLIN_TEAM_CERTIFICATE_OR_FILE, and GREMLIN_TEAM_PRIVATE_KEY_OR_FILE directly to the gremlind process

            • SHELL

              # export these to the gremlind process or save them to /etc/default/gremlind (used by Systemd and SysV)GREMLIN_TEAM_ID=11111111-1111-1111-1111-111111111111GREMLIN_TEAM_CERTIFICATE_OR_FILE=file:///var/lib/gremlin/cert.pemGREMLIN_TEAM_PRIVATE_KEY_OR_FILE=file:///var/lib/gremlin/key.pem
              Generic

            • Rotating expiring certificates

              You must be a Team or Company Manager of your Gremlin account to manage certificates.

              All certificates expire one year after creation. Before the expiration date, you must create a new certificate, reconfigure all clients with it, and delete the old certificate. As the expiration date draws near, the Gremlin web app will display a warning about it.

              To create a new certificate, simply click the Create New button next to your existing certificate (see the previous screenshot). Now that you have two certificates, you cannot download the older certificate (though all clients still configured with it may still use it to authenticate), and you cannot create a third certificate.

            If you did not mean to create the newer certificate yet, just destroy it. Otherwise, move all clients to the newer certificate, then destroy the old one.

            Verifying Gremlin Agent authentication

            To verify that your Gremlin Agents are connected to the Gremlin Control Plane, first make sure that the Gremlin Daemon is running.

            For hosts running System V (RHEL 6, CentOS 6, Amazon Linux 1, etc.), use the service command:

            SHELL

            sudo service gremlind status
            Generic


            For hosts running systemd (RHEL 7+, CentOS 7+, Amazon Linux 2, Ubuntu/Debian, etc.), use the systemctl command:


            SHELL

            sudo systemctl status gremlind
            Generic

            Next, use gremlin check auth to check the Gremlin Agent's authentication status:

            SHELL

            gremlin check auth
            Generic

            If the Gremlin Agent authenticated successfully, the output will be similar to the following:

            auth====================================================Auth Input Type                      : CertificateAPI Response                         : OK
            Generic

            If not, the output will explain why the Gremlin Agent was unable to authenticate:

            auth====================================================Auth Input Type                      : No valid auth found========= Identification ============:Team ID Source                       : Team ID not foundGremlin Identifier                   : [Host identifier]Gremlin Identifier Source            : Not supplied explicitly, using the default========= Secret/Token Info =========:Team Secret Source                   : Team Secret not found.credentials valid                   : /var/lib/gremlin/.credentials file not found========= Certificate Info ==========:Team Certificate Source              : Team Certificate not found========= Private Key Info ==========:Team Private Key Source              : Team Private Key not found
            Generic

            If you're having trouble authenticating, see the FAQ for possible causes and solutions.

            Releasing client certificates

            There are three different methods you can use to release client certificates:

            • Gremlin Logout command - From the host, you can log out of the client using the command "gremlin logout". This method allows you to remove the authorization from our server but keep the binaries in place for future use. Once logged out, the license should be released within a few minutes for consumption by other clients.
            • WebUI deactivation option - From the WebUI, you can deactivate the client to release the license. This will prevent the host from being used in future attacks until it is reactivated.
            • Uninstalling Gremlin client from the host - This method is similar to option 1. By removing the binaries, the host will no longer communicate with our service and the license will be released for future consumption.

            Once any of these options have been performed, it may take a few minutes for new clients to use the newly released entitlements. You can view the details of which teams have active clients for a given month by navigating to Gremlin Reports within the Gremlin web app. The Active Clients metric on this page is cumulative for any active clients that may have authenticated.


















            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0