Administering UI/SSL
Transcript of Administering UI/SSL
Jeff Butera - Hampshire College
Paul Summers - Datatel
SY 3432
Sunday 3/13/05
10:00AM Virginia
Outline
• Software requirements
• Setting up your server
• Setting up PCs
• Logfiles and debugging
• TCP wrappers
• Monitor SSL and non-SSL logins
• LDAP and SSL
Software Requirements
• Colleague 17
• Benefactor 5.0/5.1
• Envision 4.7.1
• Unidata 6.x
Server Requirements
• Load UI software update
• Upgrade to Unidata 6.x (if necessary)
• Configure operating system
• Obtain SSL certificate
• Install SSL certificate
• Create Security Context Record
• Secure Colleague/Benefactor accounts
Load Software Updates
• Download software update (11924.63)
• Choose account to administer SSL
  • Must be an INSTALL account
  • One account manages SSL for entire server
• Perform post install
  • Oracle only
• Create VOC entries in SSL admin account
Configure Operating System
• Unix – configure secure telnet
  • /etc/services
    telnets 992/tcp
  • /etc/inetd.conf
    telnets stream tcp nowait root UDT_BIN/udtelnetd udtelnetd -dN -oDIR
• Create .unisecurity file
• Create key store directory
• Set permissions for both as read/write by admin ONLY
Obtaining an SSL Certificate
• Select certificate authority
• Generate Certificate Signing Request (CSR)
• Request SSL certificate
  • Obtain free trial certificate (optional)
  • Purchase 'real' one
• Install SSL certificate
Select Certificate Authority
Generate Certificate Signing Request
• Login to certificate management account
• Use UICR to generate CSR
• Enter key store directory
• Choose private key password
• Enter server-specific hostname (FQDN)
• Save out to generate CSR
Request Certificate
• The CSR text appears in box
• Copy all CSR text
• Include BEGIN and END lines too!
• Paste into CA's request form/email
• Submit to CA
Install Certificate
• You'll get response from CA with cert (email/web)
• Install Signed Digital Certificate
• If you receive a binary file
  • Save as SERVERcert.cer in key store directory
• If you receive a text file
  • Use UICM to paste the digital certificate into the window, which will create SERVERcert.cer in the key store directory
Install Certificate - Details
• USCR creates context record (cert/key pair)
• Stores as encrypted record in _SECUCTX_
• USCR applies to UniData (in .unisecurity file)
• Don't lose password used on UICR
• If lost, you'll have to purchase a new certificate
Certificate Chaining
• Your certificate will be linked to a trusted root authority through a chain of intermediates.
• All certs come from your CA
Secure Colleague/Benefactor Accounts
• Run UIPR in each account
• Enable SSL = YES
• Disable Unsecured Connections = YES
  • This STOPS all non-SSL sessions! Test first!
• Suppress SSL Failure Message = NO
• Changes will trigger a script refresh
Setting Up Client PC
• UI Script refresh after UIPR
• Configure SSL Telnet
  • Setup – Communications
  • Select SSL Telnet then Setup
  • Server hostname (FQDN)
  • Port 992
• Setup SSL Security
  • Setup – Communications – Security
  • Uncheck boxes
Logfiles and Debugging
• Set logfile and debug level in inetd.conf
  • -dN debug level (0=none, 3=high)
  • -oDIR directory for logfiles
    e.g.: ...udtelnetd -d2 -o/var/log/udtelnetd
• Debug may generate a lot of output
• Need to NICELY restart inetd for changes:
  • kill -HUP pid
Sample Logfile
/var/log/udtelnetd/udtelnetd-14903.log
UniData SSL/telnet started at Tue ...
SSL=1 DebugLevel=1 LogPath=/var/log...
Retreiving SCR
Starting SSL handshake
Remote host (172.20.106.45)
Start processing input...
Starting slave...
TCP Wrappers
• TCP wrappers can be used
• Edit inetd.conf as usual:
  telnets stream tcp nowait root /usr/local/bin/tcpd udtelnetd
• /etc/hosts.allow
  udtelnetd: 172.20.108.33
  udtelnetd: .hampshire.edu
  udtelnetd: 172.20.
Monitoring SSL Logins
• Shell script runs hourly
# total UniData users: the count is the 6th field on line 4 of listuser output
totallogins=`$UDTBIN/listuser | head -4 | tail -1 | awk '{print $6}'`
# web (udapi_slave) and SSL telnet (udtelnetd) sessions, counted from the process list
wwwlogins=`ps -ef | grep udapi_slave | grep -v grep | wc -l | sed "s/ //g"`
ssllogins=`ps -ef | grep udtelnet | grep -v grep | wc -l | sed "s/ //g"`
dat=`date`
# one line per run, in the format shown below
echo "TOT=$totallogins,WWW=$wwwlogins,SSL=$ssllogins $dat"
• Shell script runs hourly; sample output:
TOT=30,WWW=3,SSL=23 Tue Jan 18 09:00:01 EST 2005
TOT=47,WWW=2,SSL=40 Tue Jan 18 10:00:00 EST 2005
TOT=54,WWW=4,SSL=44 Tue Jan 18 11:00:00 EST 2005
TOT=56,WWW=5,SSL=44 Tue Jan 18 12:00:00 EST 2005
TOT=54,WWW=4,SSL=42 Tue Jan 18 13:00:00 EST 2005
TOT=60,WWW=3,SSL=50 Tue Jan 18 14:00:01 EST 2005
TOT=66,WWW=4,SSL=53 Tue Jan 18 15:00:01 EST 2005
TOT=59,WWW=3,SSL=46 Tue Jan 18 16:00:00 EST 2005
TOT=18,WWW=4,SSL=12 Tue Jan 18 17:00:00 EST 2005
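An added example, not from the presentation, that reads the hourly TOT/WWW/SSL lines the monitoring script produces and flags the hours in which sessions were neither WWW (udapi_slave) nor SSL (udtelnetd). The assumption, which the slides do not state outright, is that those remaining sessions are plain unencrypted telnet logins, which is the figure that must reach zero before "Disable Unsecured Connections = YES" is set in UIPR. The log lines are constructed, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the presentation. Reads the hourly lines written
# by the slide's monitoring script and flags hours with sessions that are
# neither WWW (udapi_slave) nor SSL (udtelnetd). Assumption: those sessions
# are plain telnet logins that will be cut off once unsecured connections are
# disabled in UIPR.
# Constructed sample of the hourly log (not real data).
MONITOR_LOG='TOT=30,WWW=3,SSL=23 Tue Jan 18 09:00:01 EST 2005
TOT=47,WWW=2,SSL=40 Tue Jan 18 10:00:00 EST 2005
TOT=54,WWW=4,SSL=44 Tue Jan 18 11:00:00 EST 2005
TOT=44,WWW=4,SSL=40 Tue Jan 18 12:00:00 EST 2005'

# Each line splits on "=", "," and space into:
#   $1=TOT $2=total $3=WWW $4=www $5=SSL $6=ssl $7..$NF=timestamp

# nonssl_count LINE -> prints TOT - WWW - SSL for one log line
nonssl_count() {
    printf '%s\n' "$1" | awk -F'[=, ]' '{ print $2 - $4 - $6 }'
}

# unsecured_hours LOG -> prints how many hours still had unsecured sessions
unsecured_hours() {
    printf '%s\n' "$1" | awk -F'[=, ]' '$2 - $4 - $6 > 0 { n++ } END { print n + 0 }'
}

# report_unsecured LOG -> one line per affected hour, with its timestamp
report_unsecured() {
    printf '%s\n' "$1" | awk -F'[=, ]' '
        $2 - $4 - $6 > 0 {
            ts = $7
            for (i = 8; i <= NF; i++) ts = ts " " $i
            printf "%s: %d unsecured session(s) of %d total\n", ts, $2 - $4 - $6, $2
        }'
}

# Usage: summarise the constructed log and show the per-hour detail
report_unsecured "$MONITOR_LOG"
echo "hours with unsecured sessions: $(unsecured_hours "$MONITOR_LOG")"
```

Run it against the real hourly log for a week or so; only when every hour reports zero unsecured sessions have all client PCs been switched to SSL telnet on port 992, and the UIPR change can be made without locking anyone out.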
LDAP and SSL
• IBM (UniData) doesn't allow for LDAP
• We moved to LDAP 2 months before beta
• Workaround with perl and Net::LDAP module
• Logins are local, not LDAP
• Every 15 minutes, server checks LDAP
• Copies any password changes
• Users have local password, but same as LDAP
Summary
• Securing UI isn't hard
• You need to do this
• Monitoring and setup are straightforward
• Notes and presentation can be found at
http://jeff.hampshire.edu