unisys Unisys Stealth(cloud) for Amazon Web Services Deployment Guide Release 2.0 May


Unisys Stealth(cloud) for Amazon Web Services Deployment Guide
Release 2.0
May 2016
8205 5658-002

NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the products described in this document are set forth in such agreement. Unisys cannot accept any financial or other responsibility that may be the result of your use of the information in this document or software material, including direct, special, or consequential damages. You should be very careful to ensure that the use of this information and/or software material complies with the laws, rules, and regulations of the jurisdictions with respect to which it is used. Unisys Stealth contains encryption features and is subject to, and certain information pertaining to Unisys Stealth may be subject to, limitations imposed by the United States, the European Union and other governments on encryption technology. Information about these U.S. government limitations may currently be found at http://www.bis.doc.gov. For more information about your obligations, please see the agreement entered by your company and Unisys. The information contained herein is subject to change without notice. Revisions may be issued to advise of such changes and/or additions. Notice to U.S. Government End Users: This software and any accompanying documentation are commercial items which have been developed entirely at private expense. They are delivered and licensed as commercial computer software and commercial computer software documentation within the meaning of the applicable acquisition regulations. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys standard commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights clauses. 
Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries. All other trademarks referenced herein are the property of their respective owners.

Contents

Section 1. Introduction
  1.1. Documentation Updates  1-1
  1.2. What's New?  1-1
  1.3. Understanding Components of Stealth(cloud) for AWS  1-2
  1.4. Understanding Default Stealth Configurations and User Roles  1-3
  1.5. Understanding Default Filters  1-6
  1.6. Prerequisites  1-7
  1.7. Understanding Differences with Stealth Deployed in a Data Center  1-7

Section 2. Launching the Stealth(cloud) Management Server Instance
  2.1. Optionally Configuring the Administration and Diagnostics System  2-1
  2.2. Determining the Management Server Instance Size and License Capacity  2-3
  2.3. Subscribing to Enterprise Manager  2-3
  2.4. Selecting Parameters and Launching the Management Server Instance  2-4

Section 3. Launching Stealth Endpoint Instances
  3.1. Before You Begin  3-1
  3.2. Determining the Stealth User Role for the Endpoint Instance  3-1
  3.3. Subscribing to Endpoint Instances  3-2
  3.4. Selecting Parameters and Launching the Stealth Endpoint Instance  3-3

Section 4. Understanding Your Stealth(cloud) for AWS Environment
  4.1. Accessing the Enterprise Manager Interface  4-1
  4.2. Accessing Windows Endpoints and Viewing Stealth Status  4-2
  4.3. Accessing Linux Endpoints and Viewing Stealth Status  4-4
  4.4. Limitations When Accessing AWS Services  4-5

Section 5. Making Changes to Your Stealth(cloud) for AWS Environment
  5.1. Updating the Initial Configuration  5-1
  5.2. Optionally Updating the Management Server Instance Type  5-1
  5.3. Optionally Updating Endpoint Instance Types  5-2
  5.4. Launching Endpoint Instances Using Private AMIs  5-3

Section 6. Upgrading or Updating Management Server and Endpoint Instances
  6.1. Subscribing to and Launching the Upgrade System  6-1
  6.2. Connecting to the Upgrade System and Downloading Files  6-2
  6.3. Upgrading or Updating the Management Server  6-4
  6.4. Upgrading or Updating Windows Endpoint Instances  6-5
  6.5. Upgrading or Updating Linux Endpoint Instances  6-5
  6.6. Launching Upgraded Endpoint Instances in an Upgraded Environment  6-6

Section 7. Troubleshooting
  7.1. Resolving Common Problems  7-1
  7.2. Enterprise Manager Interface Requirements  7-2
  7.3. Troubleshooting the Stealth Applet Connection to the Unisys Stealth Logon Service on Windows Endpoints  7-4
  7.4. Enabling Active Scripting on the Management Server Instance  7-5
  7.5. Troubleshooting Private AMIs  7-6
  7.6. Obtaining Services and Support from Unisys  7-7
  7.7. Collecting Diagnostics from the Management Server and Endpoint Instances  7-9
  7.8. Deleting the Management Server or Endpoint Instances  7-11

Appendix A. Parameter Worksheets
  A.1. Management Server Instance Planning  A-1
  A.2. Endpoint Instance Planning  A-4

Figures
  1-1. Default Segmented Configuration  1-4
  1-2. Default Tiered Configuration  1-5


Tables
  A-1. Management Server Instance Planning  A-1
  A-2. Endpoint Instance Planning  A-4


Section 1. Introduction

Unisys Stealth(cloud) for Amazon Web Services (AWS) enables you to secure an AWS virtual private cloud (VPC) environment using Unisys Stealth technology. This document provides the information required to deploy Stealth(cloud) for AWS.

1.1. Documentation Updates

This document contains all the information that was available at the time of publication. Changes identified after release of this document are included in problem list entry (PLE) 19123197. To obtain a copy of the PLE, access the following URL:

http://public.support.unisys.com/common/epa/macro.aspx?path0=all&path1=ple&path2=19123197

1.2. What's New?

The following is new in this release:

- In the previous release, you could create up to three user roles in one configuration, and those user roles were completely segmented by default (meaning that only endpoints that shared the same user role could communicate). In this release, you can create up to three additional user roles in a tiered configuration. See 1.4 Understanding Default Stealth Configurations and User Roles for more information.
- The list of automatically generated filters for Amazon services has been updated to use more descriptive names, and the service addresses are now polled regularly. This ensures that the filter list stays up to date if Amazon changes the IP addresses of its services. See 1.5 Understanding Default Filters for more information.
- In the previous release, you were required to manually create one Administration and Diagnostics System to provide administrative access to the Management Server instance and the endpoint instances. In this release, you can manually create up to three systems to perform this function, or you can have an Administration and Diagnostics System automatically generated for you. See 2.1 Optionally Configuring the Administration and Diagnostics System for more information.

- When you subscribe to and launch the Management Server instance, there are three new fields under the Unisys Stealth Configuration category that are related to the configuration of the Administration and Diagnostics Systems. See 2.4 Selecting Parameters and Launching the Management Server Instance for more information.
- An update is available that applies fixes and updates to your Enterprise Manager and Stealth endpoint software. See Section 6, Upgrading or Updating Management Server and Endpoint Instances.

Note: This update does not make configuration changes to an existing environment. For example, this update does not create the new tiered configuration in your existing environment, and it does not change the name or design of any of your filters. This protects the integrity of your customized configuration. If you want to use the new tiered configuration, the new filter design, or any other changes available with this release, you can deploy a new Management Server instance.

1.3. Understanding Components of Stealth(cloud) for AWS

Stealth(cloud) for AWS enables you to configure a Stealth-enabled virtual private cloud (VPC) environment to host your secure workloads and applications. A Stealth(cloud) for AWS environment includes the following components:

Amazon Virtual Private Cloud (VPC)
This is a virtual network that hosts the Stealth(cloud) components. You subscribe to and launch the Management Server instance and its associated Stealth AWS endpoint instances into a VPC.

Note: A single Stealth-enabled VPC can support only one Management Server instance. If your environment requires more than one Management Server instance (because each Management Server can support only 500 endpoints), you must create one VPC for each Management Server instance that you want to subscribe to. A Management Server can only be used to manage the endpoints within its VPC.

Administration and Diagnostics System
This is an Amazon Elastic Compute Cloud (EC2) instance that provides administrative access to the Management Server instance and the endpoint instances, and that can be used to collect diagnostic information as needed.

Management Server instance
This is an Amazon EC2 Windows Server instance that runs the Stealth Enterprise Manager software, which is used to authorize Stealth AWS endpoint instances and to provide the user interface for managing your Stealth environment. The Management Server instance must be sized appropriately so that it can manage all of the endpoint instances in your VPC, as described in 2.2 Determining the Management Server Instance Size and License Capacity.

Endpoint instances
These are Amazon EC2 instances running supported Windows or Linux operating systems, which also run the Stealth endpoint software to provide a secure working environment. These instances that run the Stealth endpoint software are known as Stealth endpoints.

1.4. Understanding Default Stealth Configurations and User Roles

Each Management Server instance can be used to manage up to 500 endpoint instances, and each endpoint participates in one of the user roles you define. Each user role is made up of multiple Communities of Interest (COIs). Stealth endpoint instances that share a COI can communicate with one another; endpoint instances that do not share a COI cannot communicate. In addition, other non-Stealth-enabled components cannot communicate with any Stealth endpoint instances unless a filter is specifically created to enable that communication.

When you launch the Management Server instance, you have the option to automatically create user roles in two different configurations that you can use for secure communications in your environment. In addition, a configuration is created for administration. The three configurations are as follows:

StealthAdmin configuration
This configuration is used for the Enterprise Manager software running on the Management Server to authorize, license, and administer the Stealth endpoints. In Figure 1-1 and Figure 1-2, the COI used for communication between the Management Server and the endpoints is the purple StealthAdminLicenseCOI. For security, Stealth filters are applied to the StealthAdminLicenseCOI so that endpoint instances can only use this COI to communicate with the Management Server instance (and cannot use this COI to communicate between user roles).

Segmented configuration
In this configuration, you can create up to three user roles. These user roles are completely segmented, meaning that endpoints in different roles cannot communicate with one another. (Only endpoints that share the same user role can communicate.) In Figure 1-1, you see three Segmented user roles, each of which includes one SegmentCOI that enables communication with other endpoints in the same user role and the StealthAdminLicenseCOI that enables communication with the Management Server. (As stated previously, Stealth filters are applied to the StealthAdminLicenseCOI so that endpoints can only use this COI to communicate with the Management Server and never with other endpoints.) Finally, each Segmented user role includes the ADSAccessClearTextFilter, which enables endpoint communication with the Administration and Diagnostics System and with Amazon services.

Figure 1-1. Default Segmented Configuration

Tiered configuration
In this configuration, you can also create up to three user roles. These user roles are tiered, meaning that endpoints in the Tier2 user role can communicate with endpoints in the Tier1 user role and endpoints in the Tier3 user role. For example, in a standard Web Server, Application Server, and Database Server configuration, the Application Servers can communicate with the Web Servers and Database Servers, but the Web Servers and Database Servers cannot communicate with one another. In Figure 1-2, you see three Tiered user roles, each of which includes one TierCOI that enables communication with other endpoints in the same user role and the StealthAdminLicenseCOI that enables communication with the Management Server. (As stated previously, Stealth filters are applied to the StealthAdminLicenseCOI so that endpoints can only use this COI to communicate with the Management Server and never with other endpoints.) In addition, a shared COI enables communication between endpoints assigned to Tier1 and Tier2 (the green Tier1+2COI), and a shared COI enables communication between endpoints assigned to Tier2 and Tier3 (the pink Tier2+3COI).

Finally, each Tiered user role includes the ADSAccessClearTextFilter, which enables endpoint communication with the Administration and Diagnostics System and with Amazon services.

Figure 1-2. Default Tiered Configuration

When you create the Management Server instance, you are prompted to name and create these user roles. You can create as few as one user role (in either configuration) or as many as six user roles (three in each configuration). Depending on your needs, you can create user roles for the Segmented configuration, the Tiered configuration, or both.

You can name these user roles using a naming convention of your choice. For example, you might want to give the Segmented user roles names that correspond to segmented security levels in your environment (such as Classified, Secret, and TopSecret) or that correspond to segmented departments (such as HR, Marketing, and Executive). In contrast, you might want to give the Tiered user roles names that correspond to tiered functions (such as WebServer, AppServer, and DBServer).
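The COI rules in 1.4 are easy to misread when you are planning six user roles, so the following added example models them as a reachability check. It is not Unisys code and not how Enterprise Manager is implemented; it encodes only what the guide states: members that share a COI can communicate, StealthAdminLicenseCOI is filtered so endpoints use it only to reach the Management Server, each Segmented role has its own SegmentCOI, and each Tiered role has its own TierCOI plus the shared COIs that join Tier1 to Tier2 and Tier2 to Tier3. The role names in the demo (HR, Marketing, WebServer, AppServer, DBServer) are constructed sample values.

```python
"""Model of the default Stealth(cloud) user roles and COIs described in 1.4.

Added example, not Unisys code. It encodes the guide's stated rules only:
endpoints that share a COI can talk and endpoints that do not cannot;
StealthAdminLicenseCOI is filtered so endpoints use it only to reach the
Management Server; each Segmented role gets its own SegmentCOI; each Tiered
role gets its own TierCOI plus the shared Tier1+2COI and Tier2+3COI that link
adjacent tiers. Role names used below are constructed sample values.
"""
from itertools import combinations

ADMIN_COI = "StealthAdminLicenseCOI"
MANAGEMENT_SERVER = "ManagementServer"


def build_cois(segmented_roles, tiered_roles):
    """Return {member: set of COI names} for the Management Server and each role.

    segmented_roles: up to three names, mutually isolated.
    tiered_roles: up to three names in tier order (Tier1, Tier2, Tier3).
    """
    if len(segmented_roles) > 3 or len(tiered_roles) > 3:
        raise ValueError("at most three user roles per configuration")
    all_roles = list(segmented_roles) + list(tiered_roles)
    if len(set(all_roles)) != len(all_roles):
        raise ValueError("user role names must be unique")
    cois = {MANAGEMENT_SERVER: {ADMIN_COI}}
    for role in segmented_roles:
        # A Segmented role: its own SegmentCOI plus the admin COI.
        cois[role] = {role + "SegmentCOI", ADMIN_COI}
    for role in tiered_roles:
        # A Tiered role: its own TierCOI plus the admin COI.
        cois[role] = {role + "TierCOI", ADMIN_COI}
    # Shared COIs join adjacent tiers only (Tier1+2COI, Tier2+3COI); Tier1
    # and Tier3 never share one, which is what keeps them apart.
    for lower, upper in zip(tiered_roles, tiered_roles[1:]):
        shared = lower + "+" + upper + "COI"
        cois[lower].add(shared)
        cois[upper].add(shared)
    return cois


def can_communicate(cois, a, b):
    """True if members a and b share a COI that they may use with each other."""
    shared = cois[a] & cois[b]
    if MANAGEMENT_SERVER not in (a, b):
        # The filter on the admin COI blocks endpoint-to-endpoint use of it.
        shared.discard(ADMIN_COI)
    return bool(shared)


def reachability(cois):
    """Sorted list of (a, b) pairs that can communicate, for reviewing a design."""
    return sorted(pair for pair in combinations(sorted(cois), 2)
                  if can_communicate(cois, *pair))


if __name__ == "__main__":
    demo = build_cois(["HR", "Marketing"], ["WebServer", "AppServer", "DBServer"])
    for a, b in reachability(demo):
        print(a, "<->", b)
```

Running the demo lists only the pairs the guide allows: each role with the Management Server, WebServer with AppServer, and AppServer with DBServer. Any pair that is missing from the list (HR with Marketing, WebServer with DBServer) is one that the default COIs isolate, so the output is a quick way to confirm that the roles you plan to name match the isolation you intend.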

Based on the user role names you enter, a Certificate-Based Authorization (CBA) certificate is created and added to each endpoint instance (for example, a certificate named Classified is created for the Classified user role, or a certificate named WebServer is created for the WebServer user role). These certificates are used to authorize the endpoint instances so that they can communicate with one another.

If your security needs are met by these user roles and configurations, you can simply specify the names of up to six user roles (three in each configuration) when you launch the Management Server instance, and then you can assign each endpoint instance to use one of these three user roles when you launch the endpoint instances. No further action is required for endpoint instances within the same user role to communicate with one another securely. However, if required, you can create additional user roles and configurations, and then you can manually update the user roles used by your endpoint instances. Once your environment is configured, see the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for more information on how to add additional user roles and configurations using the Enterprise Manager interface. The Advanced Concepts and Operations Guide is available on the Unisys Security website at http://unisyssecurity.com/aws.

1.5. Understanding Default Filters

You use filters to control whether your endpoints can communicate with other components and services. By default, filters are predefined for your endpoint instances. These filters enable you to communicate with all available Amazon services using clear text (non-Stealth-secured) communication. For example, these include filters that enable you to communicate with the Amazon S3 service for storage and the Amazon Route53 service for DNS.

Because Amazon periodically changes the IP addresses used for these services, Enterprise Manager checks for updates to the Amazon service addresses every 24 hours and creates new filters as necessary. In addition, when you launch the Management Server instance, clear text filters are automatically created to allow communication with the Administration and Diagnostics Systems in your environment.

If your filtering needs are met by these default filters for Amazon services and the Administration and Diagnostics System, no further action is required. However, if needed, you can create additional filters once your environment is configured. See the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for more information on how to update, add, and assign filters using the Enterprise Manager interface.
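The 24-hour refresh of Amazon service filters described above is the kind of check you may want to reproduce when auditing an environment (for example, to see which clear text filters a poll would add or retire before Enterprise Manager does it). The following added example, which is not Unisys code and not how Enterprise Manager implements the poll, reads the ip-ranges.json file that AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, selects the S3 and Route 53 prefixes for one region (Route 53 prefixes are published with region GLOBAL), and reports the difference from the previous poll. It also covers the reserved-address rule from the AWS VPC subnet documentation that this section refers to: the first four addresses and the last address of every subnet are reserved by AWS. The two JSON documents embedded in the block are constructed samples in the real file's shape, using RFC 5737 documentation addresses rather than real AWS ranges.

```python
"""Added example, not Unisys code: derive clear text filter prefixes for Amazon
services from AWS's published ip-ranges.json and report what changed since the
previous poll, the kind of check 1.5 says Enterprise Manager runs every 24
hours. SAMPLE_PREVIOUS and SAMPLE_CURRENT are constructed samples in the shape
of https://ip-ranges.amazonaws.com/ip-ranges.json (RFC 5737 documentation
addresses, not real AWS ranges). reserved_addresses() applies the rule from
the AWS VPC subnet documentation: the first four addresses and the last
address of every subnet are reserved by AWS.
"""
import ipaddress
import json

# Constructed sample of a previous poll. Route 53 prefixes carry region GLOBAL.
SAMPLE_PREVIOUS = json.dumps({
    "syncToken": "1",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/26", "region": "GLOBAL", "service": "ROUTE53"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

# Constructed sample of the current poll: Route 53 moved and S3 gained a range.
SAMPLE_CURRENT = json.dumps({
    "syncToken": "2",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "198.51.100.64/26", "region": "GLOBAL", "service": "ROUTE53"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

# Services named in 1.5 as examples of the default clear text filters.
FILTERED_SERVICES = ("S3", "ROUTE53")


def service_prefixes(ip_ranges_json, region, services=FILTERED_SERVICES):
    """IPv4 prefixes for `services` published for `region` or as GLOBAL."""
    doc = json.loads(ip_ranges_json)
    wanted = set()
    for entry in doc["prefixes"]:
        if entry["service"] in services and entry["region"] in (region, "GLOBAL"):
            # Validate the prefix before it is turned into a filter rule.
            wanted.add(str(ipaddress.ip_network(entry["ip_prefix"])))
    return wanted


def filter_changes(previous_json, current_json, region, services=FILTERED_SERVICES):
    """(added, removed): prefixes needing new filters, and filters now stale."""
    old = service_prefixes(previous_json, region, services)
    new = service_prefixes(current_json, region, services)
    return sorted(new - old), sorted(old - new)


def reserved_addresses(subnet_cidr):
    """Addresses AWS reserves in a VPC subnet: network, VPC router, DNS,
    future use, and broadcast. These stay clear text and are never Stealth-enabled."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("VPC subnets are between /16 and /28")
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


if __name__ == "__main__":
    added, removed = filter_changes(SAMPLE_PREVIOUS, SAMPLE_CURRENT, "us-east-1")
    print("create filters for:", added)
    print("stale filters:", removed)
    print("reserved in 10.0.1.0/24:", reserved_addresses("10.0.1.0/24"))
```

With the constructed samples the poll reports two prefixes to add (the new S3 range and the moved Route 53 range) and one stale Route 53 prefix to retire. When run against the real file, keep the previous syncToken and prefixes on disk so the comparison is against what the environment actually has, not against an empty baseline.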

In addition, note that the IP addresses in a subnet that are reserved by AWS have clear text filters applied to them (so that they are never Stealth-enabled). See the AWS documentation on VPCs and subnets (http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpc_subnets.html#subnetsize) for more information on these reserved IP addresses.

1.6. Prerequisites

Before you begin to deploy Stealth(cloud) for AWS, you must meet the following prerequisites.

Note: See the AWS documentation (http://aws.amazon.com/documentation) for more information on meeting these prerequisites.

- You must have configured one or more virtual private clouds (VPCs) with access to the AWS CloudFormation services. You can use an existing VPC, or you can create a new VPC that is dedicated to your Stealth(cloud) for AWS deployment. The instances that you launch within the VPC must be able to access the AWS CloudFormation services, which means that the instances within the VPC must either have a public IP address or have the capability to use Network Address Translation (NAT) to access these services. For more information on configuring IP addressing for your VPC and instances, see http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpc_networking.html.
  Note: Each Management Server instance in the AWS environment can support up to 500 endpoint instances, and each Management Server instance requires its own VPC. Therefore, depending on the number of Stealth-enabled endpoints you plan to launch in the AWS environment, you might need to configure multiple VPCs.
- You must have one or more Amazon EC2 key pairs. Key pairs are an Amazon administrative requirement for all EC2 instances. You can use an existing key pair or you can create a new key pair for your Stealth(cloud) for AWS deployment. You must select a key pair name when you initially configure each instance.

1.7. Understanding Differences with Stealth Deployed in a Data Center

In addition to Stealth(cloud) for AWS, the Stealth Solution can be purchased from Unisys and deployed directly in your data center. The differences between Stealth(cloud) for AWS and Stealth deployed in a data center are as follows:

- Stealth(cloud) for AWS supports the following operating systems running on endpoint instances:
  - Windows Server 2008 R2
  - Windows Server 2012 R2

  - Red Hat Enterprise Linux 6.x and 7.x
  - SUSE Linux Enterprise Server 11.x
  - Ubuntu 14.04 LTS
  When Stealth is deployed in a data center, the following additional operating systems are supported:
  - Windows 7
  - Windows 8 and Windows 8.1
  - Windows Server 2012
  - Ubuntu 12.04 LTS
  - IBM AIX V6.1 and V7.1
- Windows endpoint instances are configured to run with Stealth Always On. Stealth Always On for Windows endpoints means that Stealth is always enabled on running Windows endpoints (and cannot be disabled by users). In contrast, Windows endpoints in the data center can run Stealth On Demand, which means that users can enable and disable the Stealth service if they need to communicate with other resources in the environment.
  Note: Stealth can be enabled and disabled for Linux endpoints.
- Stealth deployed in a data center can provide redundant authorization through the use of standalone Authorization Servers. This component is not supported in this release of Stealth(cloud) for AWS.
- Stealth deployed in a data center supports IPv6 addressing. IPv6 addressing is not supported in Stealth(cloud) for AWS, because IPv6 addressing is not supported by AWS.
- Stealth deployed in a data center can support mobile users through a feature known as Secure Remote Access. This feature is not supported in Stealth(cloud) for AWS.
- Stealth deployed in a data center can enable systems and servers running operating systems that are not supported by Stealth to connect to the network and participate in Stealth COIs through a feature known as Secure Virtual Gateway. This feature is not supported in Stealth(cloud) for AWS.

If you want to use any of the features that are not supported in Stealth(cloud) for AWS, contact Unisys at http://unisyssecurity.com/aws for more information about deploying Stealth in your data center.

Section 2. Launching the Stealth(cloud) Management Server Instance

The Management Server instance is an Amazon EC2 instance that runs Windows Server 2012 R2 and the Stealth Enterprise Manager software, which is used to authenticate, authorize, license, and administer Stealth AWS endpoint instances. The Management Server instance also provides the user interface for managing your Stealth environment.

Before continuing, be sure that you have met the prerequisites listed in 1.6 Prerequisites, and then perform the procedures in this section.

2.1. Optionally Configuring the Administration and Diagnostics System

Stealth(cloud) for AWS requires an EC2 instance to act as the Administration and Diagnostics System. This system provides administrative access to the Management Server instance and the endpoint instances and can be used to collect diagnostic information as needed.

You can launch up to three EC2 instances to use as Administration and Diagnostics Systems by following the guidelines in this topic. When you deploy the Management Server instance, you can specify these existing systems to use as Administration and Diagnostics Systems. Alternatively, if you do not have an existing EC2 instance to use as the Administration and Diagnostics System and you do not want to manually configure one using the guidelines in this topic, the Management Server CloudFormation template can automatically deploy a new t2.micro Windows 2012 R2 instance to be used for this purpose. Skip this topic if you want the CloudFormation template to automatically deploy an Administration and Diagnostics System.

If you want to manually deploy an Administration and Diagnostics System, it must meet the following requirements:

- Because this system provides access to all Stealth-enabled instances in the VPC, you should ensure that the system is secure and that access is controlled.
- It must be an Amazon EC2 instance in the same VPC as the Management Server instance. If you have more than one Management Server instance, each running in a separate VPC, then you must configure a separate Administration and Diagnostics System in each VPC.

Launching the Stealth(cloud) Management Server Instance

The Administration and Diagnostics System can run any operating system; however, it is recommended that you select the Windows Server 2012 R2 operating system, which by default includes the Remote Desktop software necessary for connecting to the Management Server instance.

Note: If you plan to subscribe to and launch Linux endpoints, you should install an SSH client (for example, PuTTY) that you can use to access Linux endpoint instances.

The Administration and Diagnostics System must be able to use TCP port 80 to download files.

Do the following if you want to manually configure an EC2 instance as the Administration and Diagnostics System:

1. Launch an EC2 instance that meets the requirements listed earlier in this topic.

   Note: The Administration and Diagnostics System can use any Amazon instance type. (There are no minimum requirements for vCPU or memory.)

   When you launch the EC2 instance, you must do the following:

   - Configure a method to access the Administration and Diagnostics System. For example, configure an AWS security group to allow inbound RDP access to the Administration and Diagnostics System, and limit the source of that rule to the address range you administer from (this is what the CloudFormation template does for an autogenerated system; see 2.4).
   - Configure a method to use the Administration and Diagnostics System to access the Management Server instance and the endpoint instances. By default, a security group allows all outbound traffic, so outbound RDP and SSH are already permitted. If your security group restricts outbound traffic, you must allow outbound access as follows:
     - RDP access to connect to the Management Server instance and Stealth Windows endpoints
     - SSH access to connect to Linux endpoint instances

   See the Amazon EC2 documentation at https://aws.amazon.com/documentation/ec2 for specific information on launching an EC2 instance, and see http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpc_securitygroups.html for more information on configuring the required security groups.

2. Wait for the instance to be created (that is, wait until the status reads running).

3. Confirm that you can connect to the Administration and Diagnostics System.

4. Record the private IP address of the Administration and Diagnostics System. (To locate the IP address, on the EC2 Management Console, select the instance, and then locate the Private IP under the Description tab.)

   When you configure the Management Server instance, you must specify the private IP address of the Administration and Diagnostics System, and a clear text filter is created to enable the Management Server instance and endpoint instances to communicate with this system.
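The security group that step 1 asks for, as an added example that is not code from the Unisys guide or its CloudFormation template: a Python script that emits a JSON CloudFormation resource for the Administration and Diagnostics System's security group, with inbound RDP limited to the administrators' range and outbound RDP, SSH and TCP 80 listed explicitly. It assumes you know the VPC ID, the VPC's CIDR and the address range you administer from; the function parameters and the resource name AdminDiagSecurityGroup are this example's own choices.

```python
"""CloudFormation security-group resource for a manually configured
Administration and Diagnostics System.

Added example, not code from the Unisys guide or its template.  It encodes
the access requirements of the procedure above: inbound RDP only from the
administrators' address range, outbound RDP and SSH limited to the VPC that
holds the Management Server and endpoints, and outbound TCP 80 for downloads.
The parameter names (vpc_id, admin_cidr, vpc_cidr) and the resource name
AdminDiagSecurityGroup are this example's own choices.
"""
import ipaddress
import json

RDP, SSH, HTTP = 3389, 22, 80


def tcp_rule(port: int, cidr: str, description: str) -> dict:
    """One security-group rule for a single TCP port from/to a CIDR."""
    # strict=True rejects a CIDR with host bits set (for example 10.0.0.1/8);
    # CloudFormation would only report that after stack creation has begun.
    ipaddress.ip_network(cidr, strict=True)
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "CidrIp": cidr, "Description": description}


def admin_diag_security_group(vpc_id: str, admin_cidr: str, vpc_cidr: str) -> dict:
    """Return the AWS::EC2::SecurityGroup resource for the A&D System."""
    # The RDP source range is the only control on who can reach the console
    # of this system: refuse anything wider than a /24.
    if ipaddress.ip_network(admin_cidr, strict=True).prefixlen < 24:
        raise ValueError(f"admin_cidr {admin_cidr} is wider than /24; narrow it")
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "Stealth Administration and Diagnostics System",
            "VpcId": vpc_id,
            "SecurityGroupIngress": [
                tcp_rule(RDP, admin_cidr, "RDP from administrators"),
            ],
            # Declaring SecurityGroupEgress removes the default allow-all
            # outbound rule, so every outbound need must be listed here.
            "SecurityGroupEgress": [
                tcp_rule(RDP, vpc_cidr, "RDP to Management Server and Windows endpoints"),
                tcp_rule(SSH, vpc_cidr, "SSH to Linux endpoints"),
                tcp_rule(HTTP, "0.0.0.0/0", "file downloads over TCP 80"),
            ],
        },
    }


def template(vpc_id: str, admin_cidr: str, vpc_cidr: str) -> str:
    """Minimal JSON CloudFormation template wrapping the security group."""
    return json.dumps({
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "AdminDiagSecurityGroup": admin_diag_security_group(vpc_id, admin_cidr, vpc_cidr),
        },
    }, indent=2)


if __name__ == "__main__":
    # Constructed sample values: a documentation address as the admin host and
    # a private range as the VPC.  Not a real account.
    print(template("vpc-0123456789abcdef0", "192.0.2.10/32", "10.0.0.0/16"))
```

Save the printed template to a file, create it with `aws cloudformation create-stack --template-body file://<file>`, and attach the resulting group to the instance you launch in step 1. Because the template declares SecurityGroupEgress, the default allow-all outbound rule is gone, which is why TCP 80 has to be listed next to RDP and SSH.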

2.2. Determining the Management Server Instance Size and License Capacity

Enterprise Manager provides licenses to Stealth endpoint instances from a pool of licenses called AWS Marketplace licenses. The total number of available licenses is determined by the Enterprise Manager instance size that you select when you configure the Management Server instance.

When you subscribe to Stealth(cloud) Enterprise Manager and launch the Management Server instance, you select one of the following sizes, depending on how many Stealth endpoint instances you plan to subscribe to and launch in your VPC:

Small
  Launches an m4.large EC2 instance that supports up to 25 endpoint instances
Medium
  Launches an m4.large EC2 instance that supports up to 50 endpoint instances
Large
  Launches an m4.xlarge EC2 instance that supports up to 250 endpoint instances
Extra Large
  Launches an m4.2xlarge EC2 instance that supports up to 500 endpoint instances

Notes:
- If you select the South America (São Paulo) region, m3 instance types are used.
- For more information on Amazon EC2 instance types, see https://aws.amazon.com/ec2/instance-types.
- You must select a capacity that is sufficient for the number of Stealth endpoint instances that you plan to subscribe to and launch. In addition, it is a best practice to select a capacity that will accommodate a slightly expanded configuration; however, you can change the instance size as your needs change. If you change your instance type, the maximum number of subscribed endpoints that can be authorized is automatically updated. See 5.2 Optionally Updating the Management Server Instance Type for more information on resizing the Management Server instance.
- If you plan to include more than 500 Stealth endpoint instances in your Stealth(cloud) for AWS deployment, you must create additional Management Server instances; only one Management Server instance is supported in a single Amazon VPC. If you require more than one Management Server instance, each must be launched in a separate VPC.

2.3. Subscribing to Enterprise Manager

To launch a Management Server instance from the AWS Marketplace, you must subscribe to Unisys Stealth(cloud) Enterprise Manager. Do the following:

1. Navigate to the AWS Marketplace webpage (https://aws.amazon.com/marketplace).

2. At the top of the page, click Sign in, and then sign in using your AWS account credentials.

3. In the search box, enter Unisys Stealth.

4. On the results page, select Unisys Stealth(cloud) Enterprise Manager on Windows.

5. On the Unisys Stealth(cloud) Enterprise Manager solutions page, do the following:

   a. Under Pricing Details, under For region, use the default region or select a new region.

   b. Under Pricing Details, under Delivery Methods, select Stealth(cloud) Enterprise Manager.

      Note: A CloudFormation template is the required method to launch the Management Server; therefore, you must select this option. (Do not select Single AMI.)

6. Click Continue.

7. If you have previously subscribed to this product, skip to the next step. If this is your first time subscribing to this product, you are prompted to accept the terms; do the following:

   a. On the Launch on EC2 page, click Accept Terms. You see the Thank You page, which states that you will receive an email with more details.

   b. Review the email when it arrives, and then return to the Thank You page.

   c. On the Thank You page, click Return to Product Page. You see the Launch on EC2 page.

8. On the Launch on EC2 page, confirm that the region you want to use is selected, and ensure that Stealth(cloud) Enterprise Manager is selected under Deployment Options.

9. Click Launch with CloudFormation Console.

   Note: If you do not see the Launch with CloudFormation Console button, change the value under Deployment Options from Single AMI to Stealth(cloud) Enterprise Manager.

   The values you entered are processed, and the CloudFormation console opens with the Management Server CloudFormation template selected.

Continue by performing the procedure in the following topic: 2.4 Selecting Parameters and Launching the Management Server Instance.

2.4. Selecting Parameters and Launching the Management Server Instance

Note: For a printable worksheet that you can use to record the values you enter here, see A.1 Management Server Instance Planning.

After you subscribe to Enterprise Manager, do the following to select parameters and launch the Management Server instance:

1. On the CloudFormation console, on the Select Template page, click Next.

   The Specify Details page appears and provides a set of parameters that you use to configure the Management Server instance.

   Note: The parameters you enter on this page are not verified until you create the CloudFormation stack. Therefore, be very careful to enter these values correctly. For example, you are prompted to enter and verify passwords multiple times on this page; ensure that each password matches its verify value and meets the specific requirements for that password. If they do not, the CloudFormation stack creation fails.

2. Enter a name for the stack in the Stack name box.

3. Under Amazon EC2 Configuration, enter the following:

   a. For VPC, select the VPC where you want to launch the Management Server instance.

      Notes: A VPC can include only one Management Server instance. Stealth endpoint instances that will be managed by this Management Server instance must also be launched in the same VPC.

   b. For Subnet, select the subnet within the VPC that you want to use for the Management Server instance. The subnet you select must exist in the VPC you selected.

      Note: The Management Server instance and Stealth endpoint instances can use separate subnets within the same VPC.

   c. For EC2 Key Name, select the name of an existing EC2 key pair that you want to use to meet the Amazon administrative requirement to have a key pair for all EC2 instances.

4. Under Unisys Stealth Configuration, enter the following:

   a. For Capacity, select the Management Server capacity that corresponds to your planned number of Stealth endpoint instances. See 2.2 Determining the Management Server Instance Size and License Capacity for more information.

   b. For Existing Administration and Diagnostics System IP Addresses, enter up to three IP addresses (comma separated) if you have existing systems that you want to use as Administration and Diagnostics Systems. (If you do not have existing systems and want the CloudFormation template to create an instance for this purpose, leave this value blank.)

      Notes: You must enter a value for either this parameter or for the following parameter. If you want to use this option, you must have configured the Administration and Diagnostics System as described in 2.1 Optionally Configuring the Administration and Diagnostics System.

   c. For RDP Access IP Address (CIDR) for New Administration and Diagnostics System, if you want CloudFormation to autogenerate a new Administration and Diagnostics System, enter an IP address in CIDR notation that you will use to access this system. (That is, enter the IP address of the local system from which you will launch RDP to access the new Administration and Diagnostics System.) A standard t2.micro instance running Windows Server 2012 R2 will be launched, which will be accessible from this IP address range. For example, enter 192.0.2.0/32 for a single IP address or 192.0.2.0/24 for a range of IP addresses. Keep this range as narrow as you can; it is the only restriction on which sources can reach the RDP port of the new system.

      Note: You must enter a value for either this parameter or for the previous parameter.

   d. For Allowed Ports for the Administration and Diagnostics System, optionally, for added security, enter up to ten TCP ports. Communication between Stealth endpoints and the Administration and Diagnostics System is then restricted to only those ports. Leave the default values 22 and 3389 to allow only SSH and RDP communication, respectively. Delete these values to allow communication over all ports and protocols; because this traffic passes through the clear text filter for the Administration and Diagnostics System, do so only if you need it.

5. Skip the Extended Data Center (XDC) Feature parameters. The XDC feature is used to extend an existing Stealth data center environment into the AWS VPC. See the Unisys Stealth Solution Information Center for more information on the XDC feature.

6. Under Unisys Stealth Micro-Segmented User Roles, enter the following values to create up to three segmented user roles.

   Notes:
   - You must create at least one segmented user role or one tiered user role.
   - You can create up to three segmented user roles and up to three tiered user roles.
   - If you do not want to create any segmented user roles, ensure that all of the Segmented Username and Password boxes are blank.
   - You must enter a unique user name for every user role that you create.

   a. For Segment1 Username, enter a name for the Segment1 user role. You can assign Stealth endpoint instances to this user role when you launch them, and only endpoint instances that share a user role can communicate. For example, you might want to give this user role a name that corresponds to segmented security levels in your environment (such as Classified, Secret, or TopSecret) or that corresponds to segmented departments (such as HR, Marketing, or Executive). See 1.4 Understanding Default Stealth Configurations and User Roles for more information on Stealth user roles.

      Note: The user name must be between one and 15 characters, and it can include only alphanumeric characters and hyphens.

   b. For Segment1 Password, enter a password for the Segment1 user role.

      Note: The password must be between six and 50 characters, and it must include all of the following:
      - At least one uppercase letter
      - At least one lowercase letter
      - At least one number
      - At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

   c. For Segment1 Password Verify, verify the password for the Segment1 user role.

   d. For Segment2 Username, optionally enter a name for the Segment2 user role. Like the Segment1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment.

      Note: The name must also meet the requirements for the Segment1 user role, listed previously.

   e. If you entered a name for the Segment2 user role, for Segment2 Password, enter a password for the Segment2 user role.

      Note: This password must also meet the requirements for the Segment1 password, listed previously.

   f. If you entered a name for the Segment2 user role, for Segment2 Password Verify, verify the password for this user role.

   g. For Segment3 Username, optionally enter a name for the Segment3 user role. Like the Segment1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment.

      Note: The user name must also meet the requirements for the Segment1 user role, listed previously.

   h. If you entered a name for the Segment3 user role, for Segment3 Password, enter a password for this user role.

      Note: This password must also meet the requirements for the Segment1 password, listed previously.

   i. If you entered a name for the Segment3 user role, for Segment3 Password Verify, verify the password for this user role.

7. Under Unisys Stealth Tiered User Roles, enter the following values to create up to three tiered user roles.

   Note: You can create up to three segmented user roles and up to three tiered user roles. If you do not want to create any tiered user roles, skip to the next step.

   a. For Tier1 Username, enter a name for the Tier1 user role. You can assign Stealth endpoint instances to this user role when you launch them. In this configuration, endpoints in Tier2 can communicate with endpoints in Tier1 and Tier3, but endpoints in Tier1 and Tier3 cannot communicate with one another. For example, in a standard Web Server, Application Server, and Database Server configuration, the Application Servers can communicate with the Web Servers and Database Servers, but the Web Servers and Database Servers cannot communicate with one another. You might therefore want to give this user role a name that corresponds to a tiered function (such as WebServer, AppServer, or DBServer). See 1.4 Understanding Default Stealth Configurations and User Roles for more information on Stealth user roles.

      Note: The user name must be between one and 15 characters, and it can include only alphanumeric characters and hyphens.

   b. For Tier1 Password, enter a password for the Tier1 user role.

      Note: The password must be between six and 50 characters, and it must include all of the following:
      - At least one uppercase letter
      - At least one lowercase letter
      - At least one number
      - At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

   c. For Tier1 Password Verify, verify the password for the Tier1 user role.

   d. For Tier2 Username, optionally enter a name for the Tier2 user role. Like the Tier1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment.

      Note: The name must also meet the requirements for the Tier1 user role, listed previously.

   e. If you entered a name for the Tier2 user role, for Tier2 Password, enter a password for the Tier2 user role.

      Note: This password must also meet the requirements for the Tier1 password, listed previously.

   f. If you entered a name for the Tier2 user role, for Tier2 Password Verify, verify the password for this user role.

   g. For Tier3 Username, optionally enter a name for the Tier3 user role. Like the Tier1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment.

      Note: The user name must also meet the requirements for the Tier1 user role, listed previously.

   h. If you entered a name for the Tier3 user role, for Tier3 Password, enter a password for this user role.

      Note: This password must also meet the requirements for the Tier1 password, listed previously.

   i. If you entered a name for the Tier3 user role, for Tier3 Password Verify, verify the password for this user role.

8. Under Unisys Stealth Administrator Passwords, enter the following:

   a. For Enterprise Manager Administrator Password, enter a password for the Enterprise Manager Administrator account, EMAdmin. EMAdmin is the account that you use to log on to the Management Server instance and that you use to run the Stealth services on that instance.

      Note: This password must be between six and 50 characters long, and it must include all of the following:
      - At least one uppercase letter
      - At least one lowercase letter
      - At least one number
      - At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =
      In addition, the user name cannot be included as part of the password.

   b. For Enterprise Manager Administrator Password Verify, verify the password for the Enterprise Manager Administrator account, EMAdmin.

   c. For MySQL Root Password, enter a password for the MySQL Root account (root) for the MySQL database running on the Management Server instance.

      Note: This password must be between eight and 50 characters long, and it must include all of the following:
      - At least one uppercase letter
      - At least one lowercase letter
      - At least one number
      - At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

   d. For MySQL Root Password Verify, verify the password for the MySQL Root account.

   e. For Interface Administrator Password, enter a password for the Enterprise Manager interface administrator account, portaladmin.

      Note: This password must be between six and 50 characters, and it must include all of the following:
      - At least one uppercase letter
      - At least one lowercase letter
      - At least one number
      - At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

   f. For Interface Administrator Password Verify, verify the password for the Enterprise Manager interface administrator account, portaladmin.

   g. For Tomcat User Password, enter a password for the user associated with the Tomcat service (TomcatUser) that runs on the Management Server instance.

      Note: This password must be between six and 50 characters long, and it must include all of the following:
      - At least one uppercase letter
      - At least one lowercase letter
      - At least one number
      - At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =
      In addition, the user name cannot be included as part of the password.

   h. For Tomcat User Password Verify, verify the password for the Tomcat service user.

9. When you have finished specifying the configuration parameters, click Next.

10. On the Options page, optionally enter one or more key-value pairs to tag the Management Server instance. Tags are used to help identify resources in the AWS console.

11. Optionally set any additional advanced options for the new instance.

    Note: Do not change the value for the Rollback on failure option (the default value is Yes).

12. Click Next.

13. On the Review page, verify that the parameters and options that you specified appear correctly, select the check box to acknowledge the I acknowledge that this template might cause AWS CloudFormation to create IAM resources notice, and then click Create.

14. Wait until the Management Server instance is created (that is, wait until the stack status reads CREATE_COMPLETE).

    The Windows Server 2012 R2 instance that forms the basis for the Management Server instance can take approximately 30 to 45 minutes to launch from AWS. In addition, the CloudFormation template requires an additional 10 to 20 minutes to complete. If the AWS geographic region you are using is experiencing a heavy traffic load, this process might require additional time. Therefore, you should allow at least 90 minutes for the stack status to read CREATE_COMPLETE.

    Note: If the stack reads CREATE_COMPLETE after only a few minutes, this is usually an indicator that the Management Server instance has failed to launch correctly. This is most commonly a result of parameters being entered incorrectly; for example, entering different passwords for the same user name or entering a password that does not meet the specific requirements. In that case, select the stack, and then select the Outputs tab to review the provided error message.

    If the stack reads CREATE_FAILED or ROLLBACK_FAILED, the CloudFormation logs and Stealth diagnostics are collected and uploaded to the Amazon S3 bucket that is created during the CloudFormation process, in the EnterpriseManager\log subfolder.
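Because the Specify Details page does not validate its values until the stack is created, and a mismatched or non-conforming password costs a failed launch of up to 90 minutes, a pre-flight check of the values from your planning worksheet is worth having. The following is an added example, not code from the Unisys guide or its CloudFormation template: a Python script that applies the rules listed in steps 4 through 8 (existing A&D addresses or an RDP CIDR, at most ten ports, 1 to 15 character role names that are unique, at least one role, matching verify fields, and the per-account password rules) to a dictionary of parameter values. The dictionary keys such as Segment1Username and EMAdminPassword are this example's own naming, not the template's, and the name-in-password check is done case-insensitively, which is an assumption.

```python
"""Pre-flight check for the Management Server CloudFormation parameters.

Added example, not code from the Unisys guide or its template.  The Specify
Details page does not validate its values until the stack is created, and a
mismatched or non-conforming password costs a failed launch, so this script
applies the rules listed in steps 4 through 8 to a parameter set before you
click Create.  The dictionary keys (Segment1Username, EMAdminPassword, ...)
are this example's own naming, not the template's.
"""
import re
from typing import Dict, List, Optional

SPECIALS = set("!@#$%^&*()_+=")                     # the allowed special characters
USERNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")  # 1-15 alphanumerics or hyphens
PORT_RE = re.compile(r"^\d{1,5}$")


def password_errors(pw: str, *, min_len: int, account: Optional[str] = None) -> List[str]:
    """Rule violations for one password; an empty list means it conforms."""
    errs = []
    if not min_len <= len(pw) <= 50:
        errs.append(f"length must be {min_len}-50")
    if not any(c.isupper() for c in pw):
        errs.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        errs.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        errs.append("needs a number")
    if not any(c in SPECIALS for c in pw):
        errs.append("needs one of ! @ # $ % ^ & * ( ) _ + =")
    # EMAdmin and TomcatUser: the account name may not appear in the password.
    # Checked case-insensitively here (an assumption; the stricter reading).
    if account and account.lower() in pw.lower():
        errs.append("must not contain the user name")
    return errs


def validate(p: Dict[str, str]) -> List[str]:
    """Check a whole parameter set; returns the list of problems found."""
    problems: List[str] = []

    # Step 4b/4c: existing A&D addresses (max three) or an RDP CIDR, never neither.
    existing = [a.strip() for a in p.get("ExistingAdminIPs", "").split(",") if a.strip()]
    if not existing and not p.get("AdminRdpCidr", "").strip():
        problems.append("ExistingAdminIPs or AdminRdpCidr is required")
    if len(existing) > 3:
        problems.append("ExistingAdminIPs: at most three addresses")
    # Step 4d: up to ten TCP ports.
    ports = [x.strip() for x in p.get("AdminAllowedPorts", "").split(",") if x.strip()]
    if len(ports) > 10 or any(not PORT_RE.match(x) or int(x) > 65535 for x in ports):
        problems.append("AdminAllowedPorts: up to ten TCP port numbers")

    # Steps 6 and 7: up to three Segmented and three Tiered roles, at least one
    # role overall, unique names, matching verify fields, conforming passwords.
    names = []
    for prefix in ("Segment", "Tier"):
        for i in (1, 2, 3):
            user = p.get(f"{prefix}{i}Username", "")
            pw, verify = p.get(f"{prefix}{i}Password", ""), p.get(f"{prefix}{i}PasswordVerify", "")
            if not user:
                if pw or verify:
                    problems.append(f"{prefix}{i}: password given without a user name")
                continue
            if not USERNAME_RE.match(user):
                problems.append(f"{prefix}{i}Username: 1-15 alphanumerics or hyphens")
            names.append(user)
            if pw != verify:
                problems.append(f"{prefix}{i}Password: verify field does not match")
            problems += [f"{prefix}{i}Password: {e}" for e in password_errors(pw, min_len=6)]
    if not names:
        problems.append("at least one Segmented or Tiered user role is required")
    if len(names) != len(set(names)):
        problems.append("user role names must be unique")

    # Step 8: administrator passwords (account, key, minimum length, name rule).
    admins = [("EMAdmin", "EMAdminPassword", 6, True),
              ("root", "MySQLRootPassword", 8, False),
              ("portaladmin", "PortalAdminPassword", 6, False),
              ("TomcatUser", "TomcatUserPassword", 6, True)]
    for account, key, min_len, name_rule in admins:
        pw = p.get(key, "")
        if pw != p.get(key + "Verify", ""):
            problems.append(f"{key}: verify field does not match")
        problems += [f"{key}: {e}" for e in password_errors(
            pw, min_len=min_len, account=account if name_rule else None)]
    return problems


if __name__ == "__main__":
    # Constructed sample worksheet; the passwords are placeholders only.
    sample = {"AdminRdpCidr": "192.0.2.0/32", "AdminAllowedPorts": "22,3389",
              "Segment1Username": "HR", "Segment1Password": "Hr-Pass1!",
              "Segment1PasswordVerify": "Hr-Pass1?",          # deliberate mismatch
              "EMAdminPassword": "emadmin1A!", "EMAdminPasswordVerify": "emadmin1A!",
              "MySQLRootPassword": "Short1!", "MySQLRootPasswordVerify": "Short1!",
              "PortalAdminPassword": "Ui-Pass1!", "PortalAdminPasswordVerify": "Ui-Pass1!",
              "TomcatUserPassword": "Tc-Pass1!", "TomcatUserPasswordVerify": "Tc-Pass1!"}
    for problem in validate(sample):
        print(problem)
```

Run it against the values from your A.1 worksheet before step 13; an empty result means the values satisfy every rule the page states, which removes the most common cause of the few-minutes-to-CREATE_COMPLETE failure described above.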


Section 3 Launching Stealth Endpoint Instances

This section provides information about launching Stealth endpoint instances, which are Amazon EC2 instances secured with Stealth endpoint software. The Stealth endpoint software and Stealth user roles enable you to secure communication between the Stealth endpoint instances in your environment.

3.1. Before You Begin

Before you begin to configure and launch Stealth endpoint instances in your VPC, ensure that you have launched a Management Server instance with the appropriate capacity to manage the number of endpoint instances you plan to launch. See Section 2, Launching the Stealth(cloud) Management Server Instance, for more information.

In addition, you must record the StealthSecurityGroup and StealthBucket keys from the Management Server instance that you want to use to manage this new endpoint instance. Do the following:

1. Access the CloudFormation console.
2. Select the stack that corresponds to the Management Server instance.
3. On the Outputs tab, record the values of the following keys:
   - StealthSecurityGroup
   - StealthBucket

3.2. Determining the Stealth User Role for the Endpoint Instance

When you launch an endpoint instance, you select a Stealth user role to assign to the instance. You assign user roles to enable secure communication in your environment. Endpoint instances that share a community of interest (COI) can communicate with one another; endpoint instances that do not share a COI cannot communicate. In addition, other non-Stealth-enabled components cannot communicate with any Stealth endpoint instance. To enable Stealth endpoint instances to communicate with non-Stealth-enabled components, you must create filters to allow clear text communication with those components.
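The communication rules just described, together with the Tiered behaviour stated in 2.4 step 7a, as an added example that is not code from the Unisys guide: a small Python policy model that answers whether two hosts may talk. Segmented roles talk only to the same role; Tiered roles form the chain Tier1 to Tier2 to Tier3, with Tier1 and Tier3 never talking directly; a host that is not a Stealth endpoint is reachable only if a clear text filter names it. Endpoints that share a role are treated as sharing a COI and so as able to communicate, which is an assumption drawn from this section; the role and host names are constructed for the example.

```python
"""Which Stealth endpoints may communicate, as a small policy model.

Added example, not code from the Unisys guide.  It encodes the rules stated
in 2.4 step 7a and in 3.2: endpoints in a Segmented role talk only to the
same role; Tiered roles form a chain (Tier1 <-> Tier2 <-> Tier3, with Tier1
and Tier3 never talking directly); anything that is not a Stealth endpoint
is unreachable unless a clear text filter names it.  Endpoints sharing a
role are taken to share a COI and so to communicate (an assumption drawn
from 3.2).  Role and host names are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Endpoint:
    name: str
    role: Optional[str] = None   # None: not Stealth-enabled (for example the A&D System)


@dataclass
class StealthPolicy:
    segmented: Set[str]                                # Segment1..3 user-role names
    tiered: List[str]                                  # Tier1, Tier2, Tier3 names, in order
    clear_text: Set[str] = field(default_factory=set)  # hosts covered by a clear text filter

    def allows(self, a: Endpoint, b: Endpoint) -> bool:
        """True if a and b may exchange traffic under this policy."""
        # A non-Stealth component is reachable only through a clear text filter;
        # two non-Stealth components are outside the policy and answer False.
        if a.role is None or b.role is None:
            stealth, plain = (b, a) if a.role is None else (a, b)
            return stealth.role is not None and plain.name in self.clear_text
        # Segmented: the two endpoints must share the role.
        if a.role in self.segmented or b.role in self.segmented:
            return a.role == b.role
        # Tiered: same tier or an adjacent tier (Tier2 reaches Tier1 and Tier3).
        if a.role not in self.tiered or b.role not in self.tiered:
            return False
        return abs(self.tiered.index(a.role) - self.tiered.index(b.role)) <= 1

    def reachable(self, src: Endpoint, hosts: List[Endpoint]) -> List[str]:
        """Names of the hosts that src may talk to, in the given order."""
        return [h.name for h in hosts if h is not src and self.allows(src, h)]


if __name__ == "__main__":
    # Constructed roles and hosts: two Segmented departments, a three-tier
    # application, the A&D System under a clear text filter, and an unmanaged laptop.
    policy = StealthPolicy(segmented={"HR", "Marketing"},
                           tiered=["WebServer", "AppServer", "DBServer"],
                           clear_text={"admin-diag"})
    hosts = [Endpoint("hr1", "HR"), Endpoint("hr2", "HR"), Endpoint("mkt1", "Marketing"),
             Endpoint("web1", "WebServer"), Endpoint("app1", "AppServer"),
             Endpoint("db1", "DBServer"), Endpoint("admin-diag"), Endpoint("laptop")]
    for h in hosts:
        print(f"{h.name:10} -> {policy.reachable(h, hosts)}")
```

Use the model to sanity-check a planned role assignment before launching endpoints: if a host that must reach the database tier ends up in a Segmented role, or a Web Server needs a direct path to the Database Server, the reachability list shows it, and the fix is a different role choice rather than a later manual role change.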

You created up to three Segmented user roles and up to three Tiered user roles when you launched the Management Server instance in 2.4 Selecting Parameters and Launching the Management Server Instance. For example, you might have given the Segmented user roles names that correspond to segmented security levels in your environment (such as Classified, Secret, and TopSecret) or that correspond to segmented departments (such as HR, Marketing, and Executive). In contrast, you might have given the Tiered user roles names that correspond to tiered functions (such as WebServer, AppServer, and DBServer).

Ensure that you understand which Stealth user role (associated with which configuration, Segmented or Tiered) you want to assign before you launch an endpoint instance.

Note: Changing the user role after an endpoint instance is launched is a manual process. See the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for more information on adding and changing user roles.

3.3. Subscribing to Endpoint Instances

Stealth(cloud) for AWS supports the following operating systems running on endpoint instances:
- Windows Server 2008 R2
- Windows Server 2012 R2
- Red Hat Enterprise Linux 6.x and 7.x
- SUSE Linux Enterprise Server 11.x
- Ubuntu Linux 14.04

Do the following to subscribe to one or more Stealth(cloud) endpoint instances:

1. Navigate to the AWS Marketplace webpage (https://aws.amazon.com/marketplace).

2. At the top of the page, click Sign in, and then sign in using your AWS account credentials.

3. In the search box, enter Unisys Stealth.

4. On the results page, select one of the following types of Stealth endpoints:
   - Unisys Stealth(cloud) on Windows Server 2008 R2
   - Unisys Stealth(cloud) on Windows Server 2012 R2
   - Unisys Stealth(cloud) on Red Hat Enterprise Linux 6
   - Unisys Stealth(cloud) on Red Hat Enterprise Linux 7
   - Unisys Stealth(cloud) on SUSE Linux Enterprise Server 11
   - Unisys Stealth(cloud) on Ubuntu Linux 14.04