
Administering UI/SSL

Jeff Butera (Hampshire College) and Paul Summers (Datatel). SY 3432, Sunday 3/13/05 10:00AM, Virginia. Administering UI/SSL. Outline: software requirements; setting up your server; setting up PCs; logfiles and debugging; TCP wrappers; monitor SSL and non-SSL logins; LDAP and SSL.



  1. Administering UI/SSL
     Jeff Butera, Hampshire College
     Paul Summers, Datatel
     SY 3432, Sunday 3/13/05 10:00AM, Virginia

  2. Outline
     Software requirements
     Setting up your server
     Setting up PCs
     Logfiles and debugging
     TCP wrappers
     Monitor SSL and non-SSL logins
     LDAP and SSL

  3. Software Requirements
     Colleague 17
     Benefactor 5.0/5.1
     Envision 4.7.1
     Unidata 6.x

  4. Server Requirements
     Load UI software update
     Upgrade to Unidata 6.x (if necessary)
     Configure operating system
     Obtain SSL certificate
     Install SSL certificate
     Create Security Context Record
     Secure Colleague/Benefactor accounts

  5. Load Software Updates
     Download software update (11924.63)
     Choose account to administer SSL
       Must be an INSTALL account
       One account manages SSL for the entire server
     Perform post install (Oracle only)
     Create VOC entries in SSL admin account

  6. Configure Operating System
     Unix: configure secure telnet
       /etc/services:
         telnets 992/tcp
       /etc/inetd.conf:
         telnets stream tcp nowait root UDT_BIN/udtelnetd udtelnetd -dN -oDIR
     Create .unisecurity file
     Create key store directory
     Set permissions for both as read/write by admin ONLY
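The permission requirement on the last line is the one that protects the private key, and it is easy to check from cron. The POSIX sh audit below is an added example, not part of the presentation or of Datatel's tools; the account name udtadmin and the paths /usr/udt/keystore and /usr/udt/.unisecurity in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Audit the two things slide 6 says must be read/write by the admin only:
# the .unisecurity file and the key store directory that holds the private
# key for the UI/SSL certificate. The account name and paths in the usage
# comment below are constructed placeholders, not Datatel defaults.

# check_private PATH OWNER
# Returns 0 when PATH exists, is owned by OWNER and has no group/other
# permission bits; prints the reason and returns 1 otherwise.
check_private() {
    path=$1
    owner=$2
    if [ ! -e "$path" ]; then
        echo "MISSING   $path"
        return 1
    fi
    # ls -ld prints e.g. "drwx------  2 udtadmin udt 4096 Mar 13 09:00 /path".
    # Columns 1-10 are the mode string, field 3 the owner; this works with
    # any POSIX ls, which matters on the older Unix systems UniData ran on.
    line=$(ls -ld "$path")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    got_owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    grp_other=$(printf '%s\n' "$mode" | cut -c5-10)
    if [ "$got_owner" != "$owner" ]; then
        echo "OWNER     $path: owned by $got_owner, want $owner"
        return 1
    fi
    if [ "$grp_other" != "------" ]; then
        echo "TOO OPEN  $path: mode $mode"
        return 1
    fi
    echo "OK        $path: $mode $got_owner"
    return 0
}

# audit_ssl_files ADMIN KEYSTORE_DIR UNISECURITY_FILE
# Checks both paths; returns 1 if either fails, so it can run from cron.
audit_ssl_files() {
    rc=0
    check_private "$2" "$1" || rc=1
    check_private "$3" "$1" || rc=1
    return $rc
}

# Stand-alone use (placeholder account and paths):
#   audit_ssl_files udtadmin /usr/udt/keystore /usr/udt/.unisecurity
if [ "$#" -eq 3 ]; then
    audit_ssl_files "$1" "$2" "$3"
fi
```

The check reads only the first ten columns of the mode string, so an ACL marker in column 11 is ignored; on a system that uses ACLs, confirm with getfacl as well.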

  7. Obtaining an SSL Certificate
     Select certificate authority
     Generate Certificate Signing Request (CSR)
     Request SSL certificate
       Obtain free trial certificate (optional)
       Purchase 'real' one
     Install SSL certificate

  8. Select Certificate Authority

  9. Generate Certificate Signing Request
     Login to certificate management account
     Use UICR to generate CSR
       Enter key store directory
       Choose private key password
       Enter server-specific name (FQDN)
       Save out to generate CSR

  10. Generate Certificate Signing Request

  11. Request Certificate
     The CSR text appears in a box
     Copy all CSR text (include the BEGIN and END lines too!)
     Paste into CA's request form/email
     Submit to CA

  12. Install Certificate
     You'll get a response from the CA with the cert (email/web)
     Install Signed Digital Certificate
       If you receive a binary file: save it as SERVERcert.cer in the key store directory
       If you receive a text file: use UICM to paste the digital certificate into the window, which will create SERVERcert.cer in the key store directory

  13. Install Certificate - Details
     USCR creates context record (cert/key pair)
     Stores as encrypted record in _SECUCTX_
     USCR applies to UniData (in .unisecurity file)
     Don't lose the password used on UICR
       If lost, you'll have to purchase a new certificate

  14. Certificate Chaining
     Your certificate will be linked to a trusted root authority through a chain of intermediates
     All certs come from your CA

  15. Secure Colleague/Benefactor Accounts
     Run UIPR in each account
       Enable SSL = YES
       Disable Unsecured Connections = YES
         This STOPS all non-SSL sessions! Test first!
       Suppress SSL Failure Message = NO
     Changes will trigger a script refresh

  16. Setting Up Client PC
     UI Script refresh after UIPR
     Configure SSL Telnet
       Setup – Communications
       Select SSL Telnet, then Setup
       Server hostname (FQDN)
       Port 992
     Setup SSL Security
       Setup – Communications – Security
       Uncheck boxes

  17. Logfiles and Debugging
     Set logfile and debug level in inetd.conf
       -dN    debug level (0=none, 3=high)
       -oDIR  directory for logfiles
       e.g.: ...udtelnetd -d2 -o/var/log/udtelnetd
     Debug may generate a lot of output
     Need to NICELY restart inetd for changes: kill -HUP pid

  18. Sample Logfile
     /var/log/udtelnetd/udtelnetd-14903.log
       UniData SSL/telnet started at Tue ...
       SSL=1 DebugLevel=1 LogPath=/var/log...
       Retreiving SCR
       Starting SSL handshake
       Remote host (172.20.106.45)
       Start processing input...
       Starting slave...

  19. TCP Wrappers
     TCP wrappers can be used
     Edit inetd.conf as usual:
       telnets stream tcp nowait root /usr/local/bin/tcpd udtelnetd
     /etc/hosts.allow:
       udtelnetd: 172.20.108.33
       udtelnetd: .hampshire.edu
       udtelnetd: 172.20.

  20. Monitoring SSL Logins
     Shell script runs hourly:
       # Hourly login monitor (cron): total sessions from listuser, web and SSL sessions from ps
       totallogins=`$UDTBIN/listuser | head -4 | tail -1 | awk '{print $6}'`
       wwwlogins=`ps -ef | grep udapi_slave | grep -v grep | wc -l | sed "s/ //g"`
       ssllogins=`ps -ef | grep udtelnet | grep -v grep | wc -l | sed "s/ //g"`
       dat=`date`
       # Record one line per run in the format shown below (the echo is implied by the output, not shown on the slide)
       echo "TOT=$totallogins,WWW=$wwwlogins,SSL=$ssllogins $dat"
     Sample output:
       TOT=30,WWW=3,SSL=23 Tue Jan 18 09:00:01 EST 2005
       TOT=47,WWW=2,SSL=40 Tue Jan 18 10:00:00 EST 2005
       TOT=54,WWW=4,SSL=44 Tue Jan 18 11:00:00 EST 2005
       TOT=56,WWW=5,SSL=44 Tue Jan 18 12:00:00 EST 2005
       TOT=54,WWW=4,SSL=42 Tue Jan 18 13:00:00 EST 2005
       TOT=60,WWW=3,SSL=50 Tue Jan 18 14:00:01 EST 2005
       TOT=66,WWW=4,SSL=53 Tue Jan 18 15:00:01 EST 2005
       TOT=59,WWW=3,SSL=46 Tue Jan 18 16:00:00 EST 2005
       TOT=18,WWW=4,SSL=12 Tue Jan 18 17:00:00 EST 2005
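Because Disable Unsecured Connections = YES stops every non-SSL session (slide 15), the question this log answers before you flip that switch is how many unsecured logins remain each hour. The script below is an added example, not the presenter's code: it assumes that sessions counted by listuser but matched neither as udapi_slave (WWW) nor as udtelnet (SSL) are unsecured telnet logins, so TOT-WWW-SSL is the number still to migrate; the slide does not state this. The threshold and the log file path are the caller's choice.

```shell
#!/bin/sh
# Summarise the hourly TOT/WWW/SSL records written by the slide-20 monitor.
# Each record looks like:
#   TOT=30,WWW=3,SSL=23 Tue Jan 18 09:00:01 EST 2005
# Assumption (not stated on the slide): sessions that are neither udapi_slave
# (WWW) nor udtelnet (SSL) are unsecured telnet logins, so TOT-WWW-SSL is the
# number of logins still to migrate before UIPR's Disable Unsecured Connections
# is set to YES.

# plain_count RECORD
# Prints the unsecured-login count for one record.
plain_count() {
    printf '%s\n' "$1" | awk '{ split($1, f, /[=,]/); print f[2] - f[4] - f[6] }'
}

# report_plain LOGFILE THRESHOLD
# Prints every hour whose unsecured count exceeds THRESHOLD, then one summary
# line; returns 0 if no hour exceeded it, 1 otherwise (so cron can mail on 1).
report_plain() {
    awk -v thr="$2" '
        {
            split($1, f, /[=,]/)            # f[2]=TOT f[4]=WWW f[6]=SSL
            plain = f[2] - f[4] - f[6]
            total += plain
            if (plain > max) max = plain
            if (plain > thr) {
                flagged++
                ts = $2                      # rebuild the timestamp fields
                for (i = 3; i <= NF; i++) ts = ts " " $i
                printf "%s: %d unsecured of %d total\n", ts, plain, f[2]
            }
        }
        END {
            printf "hours=%d flagged=%d max=%d sum=%d\n", NR, flagged, max, total
            exit (flagged > 0)
        }' "$1"
}

# Stand-alone use: report_plain <logfile> [threshold]; threshold defaults to 0,
# i.e. flag any hour that had an unsecured login at all.
if [ "$#" -ge 1 ]; then
    report_plain "$1" "${2:-0}"
fi
```

Run against the sample output above with a threshold of 0, every hour is flagged (between 2 and 10 unsecured sessions per hour), which is the signal that PCs are still on plain telnet and that enabling Disable Unsecured Connections would cut them off.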

  21. LDAP and SSL
     IBM (UniData) doesn't allow for LDAP
     We moved to LDAP 2 months before beta
     Workaround with perl and Net::LDAP module
       Logins are local, not LDAP
       Every 15 minutes, server checks LDAP
       Copies any password changes
       Users have local password, but same as LDAP

  22. Summary
     Securing UI isn't hard
     You need to do this
     Monitoring and setup are straightforward
     Notes and presentation can be found at http://jeff.hampshire.edu
