Highly Secure ITM Agent Configuration

Similar documents
IBM Exam C IBM Tivoli Monitoring V6.3 Implementation Version: 6.0 [ Total Questions: 120 ]

Installation of ITM Agents and ITCAM MQ Agents 7.3 in Linux. IBM Techdoc:

Tivoli Monitoring. Login Daemon. Feb 28, 2013

IBM IBM Tivoli Monitoring Express V6.1 Specialist. Download Full Version :

C Exam Questions Demo IBM. Exam Questions C

VMware AirWatch Content Gateway Guide for Linux For Linux

Read the following information carefully, before you begin an upgrade.

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide

2 Hardening the appliance

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2

VMware Workspace ONE UEM VMware AirWatch Cloud Connector

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

Internet Platform Management. We have covered a wide array of Intel Active Management Technology. Chapter12

Intel Active Management Technology Overview

Citrix SCOM Management Pack 1.4 for ShareFile

BlackBerry UEM Configuration Guide

Configuration Guide. BlackBerry UEM. Version 12.9

Polycom RealPresence Access Director System

High Availability Guide for Distributed Systems

Configuring Security Features on an External AAA Server

Laserfiche Rio 10.3: Deployment Guide. White Paper

Installing Cisco APIC-EM on a Virtual Machine

Avaya Converged Platform 130 Series. idrac9 Best Practices

Technical Brief. Network Port & Routing Requirements Active Circle 4.5 May Page 1 sur 15

STRM Log Manager Administration Guide

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

C Q&As. IBM Tivoli Monitoring V6.3 Fundamentals. Pass IBM C Exam with 100% Guarantee

HYCU SCOM Management Pack for F5 BIG-IP

Installing and Configuring vcloud Connector

Transport Gateway Installation / Registration / Configuration

Port Usage Information for the IM and Presence Service

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

CYAN SECURE WEB Installing on Windows

Security in the Privileged Remote Access Appliance

Configuration Guide. BlackBerry UEM Cloud

BlackBerry Enterprise Server for Microsoft Exchange

NGFW Security Management Center

Creating Basic Custom Monitoring Dashboards by

Port Usage Information for the IM and Presence Service

Transport Gateway Installation / Registration / Configuration

NGFW Security Management Center

VMware AirWatch Content Gateway Guide for Windows

GSS Administration and Troubleshooting

Interdomain Federation Guide for IM and Presence Service on Cisco Unified Communications Manager, Release 11.5(1)SU2

NotifySCM Integration Overview

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Security in Bomgar Remote Support

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Cloud Link Configuration Guide. March 2014

Installing and Configuring vcenter Multi-Hypervisor Manager

Cisco Prime Service Catalog Virtual Appliance Quick Start Guide 2

Configuring the Oracle Network Environment. Copyright 2009, Oracle. All rights reserved.

Installing SmartSense on HDP

DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0

Enabling Microsoft Outlook Calendar Notifications for Meetings Scheduled from the Cisco Unified MeetingPlace End-User Web Interface

Appliance Installation Guide

the Corba/Java Firewall

Configuring Request Authentication and Authorization

IBM Lotus Sametime Media Manager Cluster Deployment Walk-through Part VI- Bandwidth Manager IBM Corporation

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

CNS-207-2I Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

NGFW Security Management Center

LDAP Directory Integration

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

FIPS Management. FIPS Management Overview. Configuration Changes in FIPS Mode

Service Manager. Installation and Deployment Guide

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Feature and Technical Overview

Configuring SSL Security

APA Automatic Nomination System. FTPS Access Request. For Gas Transmission Customers

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

How to Configure TLS with SIP Proxy

NETWRIX GROUP POLICY CHANGE REPORTER

Configuring the CSS for Device Management

IBM Tivoli Monitoring Version 6.3 Fix Pack 2. Unix OS Agent Troubleshooting Guide

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.2

Cloud & Smarter Infrastructure Professional Certification Program

Message Networking 5.2 Administration print guide

NGFW Security Management Center

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

PCI DSS Compliance. White Paper Parallels Remote Application Server

IBM Tivoli Access Manager for e-business V6.1.1 Implementation

How to Configure TLS with SIP Proxy

HYCU SCOM Management Pack for F5 BIG-IP

Load Balancing Censornet USS Gateway. Deployment Guide v Copyright Loadbalancer.org

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER

NGFW Security Management Center

Configure the TEPS. To Support

As you learned in Chapter 1, the architectural variations you can construct using

Shared Session Management Administration Guide

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

Cisco Unified Communications Manager TCP and UDP Port

Configuration of Microsoft Live Communications Server for Partitioned Intradomain Federation

VMware AirWatch Content Gateway Guide For Linux

WhatsUp Gold 2016 Installation and Configuration Guide

Client Installation and User's Guide

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

McAfee epo Deep Command

Transcription:

1 Highly Secure ITM Agent Configuration Version 1.2 Version Date Comment 1 07/05/11 Initial Public Release 1.1 11/28/11 ITM 6.2.3 HTTPS-only TEPS and disable non-ssl HTTP ports. Simplified instructions. 1.2 12/07/11 TLS/SSL/IP.SPIPE Configuration Table of Contents 1.Introduction...1 2.Secure Configuration Security Profile...2 3. Deployment Scenarios...2 1 Managed ITM Agent...3 1.UNIX/Linux Configuration Steps:...4 2.Windows Agent Configuration...4 2Managed ITM Agents using Firewall Gateway...8 3Autonomous ITM Agent...10 2.UNIX/Linux Configuration Steps:...11 3.Windows Agent Configuration...11 4. Verification...12 5.File Permission...13 Configuration Steps...13 6. Additional Considerations...14 7. Conclusions...15 1.Introduction ITM agents running in autonomous or centrally managed modes present new additional options for highly secure deployments of monitoring agents. With a few small postinstallation environment configuration steps, customers can achieve exceptionally secure monitoring agent deployments in highly constrained environments like DMZ s. The Autonomous agent deployment model is similar to the standard centrally managed ITM agent deployment model where agents communicate with their infrastructure over

2 secure connections and agents use local configuration files that administrators may manage. In a secure environment, the agents are invisible to outside network traffic, minimize their communication pathways and lock down access to the agent files on the file system. A highly secure configuration also ensures strong authenticated encryption on any communication pathways. This whitepaper enumerates the steps required to lock down open-by-default network connections and verify the installation is secure from within. 2. Secure Configuration Security Profile 1. Anonymous Network Status The aim is to provide no accessible external network trace of the SNMP agent and/or ITM Agent. a. This entails disabling the normal agent service console ports that follow 1918+x*4096 and 3660+x*4096 (for SSL) on IPv4 and IPv6. Disabling these listener ports does not reduce functionality, but requires the agents to connect to the external TEMS or SNMP Server instead of allowing them to query the agent directly on their own. b. General well-known Service console ports are opened on Port 1920 and 3661 for easy remote access. Disabling this port prevents the service console from being enabled. Configuration may only occur from the CLI or GUI thereafter. c. There are two more ports opened on a per-agent basis for the agentspecific service console that is referenced from the 1920 and 3661 ports. d. Disable IPv6 or IPv4 to exclusively use one or the other in order to reduce the network exposure profile. 2. Secure File Permissions To prevent insider unauthorized access to the encryption keys, certificates or logs, the file permissions of ITMHOME and all subdirectories must be locked down to well known user ids and group ids that are auditable and world read/write/execute access must be removed. 3. Secure and Confidential Inter-Component Communication/Authentication Authenticate that components are members of the same trusted certificate authority by using TLS certificate validation that provides confidentiality, data integrity and a limited form of authentication.

3 3. Deployment Scenarios The scenarios targeted here is an agent running in a DMZ: protected by a firewall on the left and blocked by a firewall on the right from the management infrastructure. The firewall is not required for configuration of the agents in secure mode. 1 Managed ITM Agent A highly-secure managed ITM infrastructure offers two different configurations depending on whether the customer wishes for the agents to initiate connections to the ITM infrastructure servers or the ITM infrastructure connects to the ITM agents. The difference impacts firewall configuration on the customer s part and whether the agents themselves have open ports for a connection to be initiated by a TEMS. Managed Agent Deployment Scenario Queries/Events/Situations Remote/HUB TEMS Management Server Public Traffic DMZ Firewall Management Intranet Firewall Historical Data Upload EIF/SNMP Event Warehouse Proxy Agent ITM Managed Agents in DMZ TEC/OmniBus Server Page 1 This agent configuration is intended to: 1. Deliver alerts, heartbeats and attribute data to TEMS and TEP users. 2. Deliver alerts and heartbeats to an event management system (IBM Tivoli Netcool/OMNIbus in this example),

4 3. optionally, upload data to the Tivoli Data Warehouse components of ITM. Authenticate all possible connections. The standard deployment scenario closes all open ports opened by the ITM agents (primarily the service console ports). The ITM agents listen to no ports and only make outgoing connections to the ITM infrastructure or event servers. The intranet firewall must be configured to allow outgoing connections from the agents to the configured intranet management servers. 1. UNIX/Linux Configuration Steps: 1. Configure the agent to use the Firewall-Gateway mode for allowed proxy servers. Follow the ITM Firewall-Gateway configuration guide for details. This step is optional. 2. Enable agent to use ephemeral ports and not static listening ports a. Modify the <agent product code>.ini file or <agent product code>env configuration file in the agent configuration directory to Disable HTTP Server, Disable Agent-Specific Service Consoles, Disable non-ssl HTTP servers b. Add the Following to the configuration file (All one line) KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0 2. Disable IPv6 a. Set the variable KDEB_INTERFACELIST_IPV6=- (no quotes) in the custom agent environment file to disable IPv6 b. There is no way to currently disable Ipv4 connections. 3. Configure the agent according to the directions in the ITM Certificate Authentication technical note to authenticate the Tivoli Data Warehouse Proxy Agent. 4. Repeat for every agent installed steps 1 through 6 bash-3.00# pwd /opt/ibm/itm/config bash-3.00# tail ux.ini KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0 KDEB_INTERFACELIST_IPV6=bash-3.00# Sample 3 - Secure Custom Managed Agent Configuration File

5 2. Windows Agent Configuration Manage Tivoli Enterprise Monitoring Services Configuration Windows OS agents differ in that their runtime configuration may be stored in the local KxxENV file in the ITM home directory or stored in the Windows registry. To properly override these configuration options, you must use Manage Tivoli Enterprise Monitoring Services (MTEMS). Open MTEMS: For each agent you would like to reconfigure, right click on the agent and then select Advanced and Edit Variables. Note: The agent must already have been configured to before this option is available.

6

7 Add a new variable and select KDC_FAMILIES from the pull-down menu. Set the Value: to: @Protocol@ EPHEMERAL=Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0 Select OK and then OK to save the variable. The agent is now configured to not bring up any listening ports. Windows Registry (Alternative configuration method) As a last option, you may directly edit the Windows Registry though any changes to the registry will be lost after any upgrades. Open the Windows Registry with RegEdit: 1. ITM configuration variables are under: My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Candle\KXX 2. For each Agent (Not KHD [Warehouse Proxy Agent], KMS [TEMS], KFW [TEPS]) 1. If KDC_FAMILIES key is defined, modify it to the following:

8 IP.SPIPE EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N PORT:3660 IP use:n SNA use:n IP.PIPE use:n 2. Create key KDC_FAMILIES, if it is not defined. 3. If the key KDE_TRANSPORT is defined, modify it to the same value instead of KDC_FAMILIES. KDE_TRANSPORT will override KDC_FAMILIES. The Windows Registry settings override any environment file values. 2 Managed ITM Agents using Firewall Gateway Configuration of agents connecting through a firewall gateway is the same as the standard managed configuration except for the additional configuration requirement for the Warehouse Proxy Agent. When configuring agents behind a firewall-proxy gateway, ensure that you configure the

9 KPX_WAREHOUSE_LOCATION if the Warehouse Proxy agent is not co-located with the RTEMS the agent is connected to. For more information on historical warehousing behind a firewall gateway, refer to the ITM installation guide appendix on Firewalls (http://publib.boulder.ibm.com/infocenter/tivihelp/v15r1/index.jsp? topic=/com.ibm.itm.doc_6.2.2fp2/ephemeral_pipe.htm ). Managed Agent Deployment Scenario Firewall Gateway Remote/HUB TEMS Management Server Proxy Firewall Connection Public Traffic Queries/Events/Situations Historical Data Upload Firewall-Gateway OS Agent DMZ Firewall Management Intranet Firewall EIF/SNMP Event Warehouse Proxy Agent ITM Managed Agents in DMZ TEC/OmniBus Server Page 1 This agent configuration is intended to: 1. Deliver alerts, heartbeats and attribute data to TEMS and TEP users. 2. Deliver alerts and heartbeats to an event management system (IBM Tivoli Netcool/OMNIbus in this example), 3. optionally, upload data to the Tivoli Data Warehouse components of ITM. 4. Allow the IT administrator to force the TEMS to connect to authorized agents 5. Authenticate all network connections An alternative deployment scenario some customers may choose utilizes the ITM Firewall-Gateway mechanism to proxy communications between ITM agents in a DMZ and the management infrastructure behind a firewall. Choosing this option reduces the number of ports that must be forwarded from the DMZ to the intranet through the intranet

10 management firewall from three to two but does require that each of the agents have their service consoles active. 3 Autonomous ITM Agent Autonomous Agent Deployment Scenario Historical Data Public Traffic Warehouse Proxy Agent DMZ Firewall Management Intranet Firewall Event Notification using SNMP NetCool/OmniBus Event Server Autonomous Agents in DMZ Page 1 This agent configuration is intended to: 1. Deliver its alerts and heartbeats to an event management system (IBM Tivoli Netcool/OMNIbus in this example), 2. Authenticate all possible connections. 3. optionally, upload data to the Tivoli Data Warehouse components of ITM. Heart beating to the event management system is a standard way for the agent to be monitored from a central location to ensure timely notification of system or agent failures. The steps detailed below include on-box monitoring of the agent through Agent Management Services, a local watchdog that ensures the agent(s) are operational and working within allotted CPU and memory bounds. In this deployment model, the agent is configured entirely with local configuration files. IT administrators would need to allow the ITM agents to access the event management system and optionally the Tivoli Data Warehouse.

11 2. UNIX/Linux Configuration Steps: The directions below apply to UNIX/Linux configurations which rely on the configuration files in $ITMHOME/config directory for all agent configuration. Windows agents 3. Enable agent to use ephemeral ports and not static listening ports a. Create a new <agent name>.environment file or edit an existing custom configuration file in the agent configuration directory 4. Disable HTTP Server, Disable Agent-Specific Service Consoles, Disable non- SSL HTTP servers a. Add the Following to the configuration file (All one line) KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0 5. Disable IPv6 a. Set the variable KDEB_INTERFACELIST_IPV6=- (no quotes) in the custom agent environment file to disable IPv6 b. There is no way to currently disable Ipv4 connections. 6. Configure SNMPv3 to use SHA-1 and DES encryption 7. Configure the agent according to the directions in the ITM Certificate Authentication technical note to authenticate the Tivoli Data Warehouse Proxy Agent. 8. Repeat for every agent installed steps 1 through 6 Note that there should be only be one KDC_FAMILIES entry in each configuration file. bash-3.00# pwd /opt/ibm/itm/config bash-3.00# cat 1b.environment KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0 KDEB_INTERFACELIST_IPV6=bash-3.00# Sample 1 - Secure Custom Autonomous Configuration File 3. Windows Agent Configuration Windows OS agent configuration is the same as managed ITM agents described earlier.

12 4. Verification Once agents are configured in ephemeral mode and the HTTP servers are disabled, you may verify that there are no listening ports by any ITM components using the netstat command. ITM Allocates ports for its agent communication using the following algorithm: 1918 + 4096*X where 0 <= X <= 15 3660 + 4096*X where 0 <= X <= 15 There are additional ports opened for any HTTP applications (service console, service interface, soap server, index page): 1920 and 3661 used by the HTTP server for the index page by the first agent that starts up and additional ports are dynamically allocated by additional agents. These ports are chosen by the system dynamically and requests are automaticatlly redirected to them from the 1920/3661 ports so they may not show up in the standard netstat scan. 1. Verify that the Index Page is no longer being generated: Browse to http://<server>:1920/ and https://<server>:3661/. An error that the destination server is not found should be generated. 2. netstat an egrep 1918 3660 should come back clean with no entries. If any of the installed applications have a service console or other HTTP process started, then they will register on this port first. 3. The full grep shown below tests for all predictable port values for IP.PIPE/IP.SPIPE and HTTP/HTTPS listening sockets. If configuration was successful, there should be no sockets listening on IPv4 as well as IPv6. netstat -an egrep "1918 6014 10110 14206 18302 22398 26494 30590 34686 38782 42878 46974 51070 55166 59262 63358 67454 3660 7756 11852 15948 20044 24140 28236 32332 36428 40524 44620 48716 52812 56908 61004 65100 69196 Example: This example shows that not all servers were shutdown [root ~]# netstat -an egrep "1918 6014 10110 14206 18302 22398 26494 30590 34686 38782 42878 46974 51070 55166 59262 63358 67454 3660 7756 11852 15948 20044 24140 28236 32332 36428 40524 44620 48716 52812 56908 61004 65100 69196" tcp4 0 0 *.1920 *.* LISTEN tcp4 0 0 X.X.X.X.58294 Y.Y.Y.Y.1918 ESTABLISHED tcp4 0 0 *.3661 *.* LISTEN tcp4 0 0 *.6014 *.* LISTEN [root ~]#

13 5. File Permission An important consideration should be access control to the installed agent files and active processes to prevent unauthorized modification of files and limit exposure. Be aware that ITM 6.2.3 provides this lock down support as part of the installer. The user will need to ensure the group already exists prior to execution. Configuration Steps 1. Designate and create a user and group for the exclusive use of ITM agents (e.g. itm/itm). 2. run securemain g ITMGROUP to lock down most of the permissions 3. Change to ITMHOME directory and run chmod -R o-rwx to remove any third party access. Remove group write access to the keyfiles and certificates. chmod R g-w keyfiles. 4. Some agents, such as the DB2 or Domino agents, require running with alternative user identities. Add the user identities into the chosen ITMGROUP group so they may also write into the ITM HOME tree. bash-3.00# pwd /opt/ibm/itm bash-3.00# useradd itm bash-3.00# groupadd itm. bash-3.00# chown -R itm:itm. bash-3.00# gpasswd -a db2inst1 itm ; # use system-specific mechanism to add to group bash-3.00# gpasswd -a domino itm # use system-specific mechanism to add to group bash-3.00# cd bin bash-3.00#./securemain -g itm lock Enter the root password if prompted == basesecurelock == xxsecurelock 1b == xxsecurelock 1d == SecureSkip ax == xxsecurelock gs == xxsecurelock ux == SetPerm -a bash-3.00# cd.. bash-3.00# chmod -R o-rwx. bash-3.00# ls -l

14 total 28 drwxr-x--- 2 itm itm 1024 Nov 24 14:28 bin drwxrwx--- 5 itm itm 1536 Nov 24 14:28 config drwxr-x--- 2 itm itm 512 Nov 24 14:28 keyfiles drwxr-x--- 3 itm itm 512 Nov 24 14:28 licenses drwxrwx--- 9 itm itm 512 Nov 24 14:28 localconfig drwxrwx--- 2 itm itm 1536 Nov 24 14:44 logs drwxr-x--- 2 itm itm 512 Nov 24 14:41 registry -rw------- 1 itm itm 0 Nov 24 14:41 samples drwxr-x--- 5 itm itm 512 Nov 24 14:28 sol286 drwxr-x--- 3 itm itm 512 Nov 24 14:28 sol296 drwxr-x--- 5 itm itm 512 Nov 24 14:28 tmaitm6 drwxrwx--- 2 itm itm 1536 Nov 24 14:28 tmp bash-3.00# chmod R g-w keyfiles bash-3.00# ls -l keyfiles/ total 280 -rw-r----- 1 itm itm 48 Nov 24 14:28 KAES256.ser -rw-r----- 1 itm itm 88 Nov 24 14:28 keyfile.crl -rw-r----- 1 itm itm 125088 Nov 24 14:28 keyfile.kdb -rw-r----- 1 itm itm 88 Nov 24 14:28 keyfile.rdb -rw-r----- 1 itm itm 129 Nov 24 14:28 keyfile.sth Sample 2 - Secure Permission Setting 6. TLS Communication Configuration (IP.SPIPE) Following the prior steps will ensure that only Transport Layer Security (TLS) ports are opened by the TEMS server, and that any non-tls ports are disabled. ITM calls TLS IP.SPIPE. The next step is to ensure that all your ITM components (TEP, TEPS, TEMS, Agents) are communicating using only TLS (IP.SPIPE). This section will be only concerned with the main communication pathways as well as LDAP communication. Configuring the TEPS, TEMS, Warehouse Proxy agent and regular agents each require slightly different steps, so please read carefully each section. 1 TEPS 2 TEMS The TEMS must be able to receive requests from the TEPS, Remote Hubs, Hot-Standby Hubs, Agents and other clients. Therefore the configuration must disable non-ssl ports but also allow for requests to be issued to TEMS services.

15 3 Warehouse Proxy Agent 4 General Agent Configuration 7.Additional Considerations 1. The SNMP stack currently implements RFC s 3411-3418. The encryption methods detailed in this set of specifications (MD5/SHA1/DES) are not FIPS 140-2 compliant. 2. The agents are completely passive with no network accessible ports. The agents must be configured using the local system account configured for managing ITM. 3. Configuration with Symmetric Certificate Authentication requires careful management of certificates and certificate databases. Please refer to the Technical Note Enabling ITM Symmetric Certificate Authentication for further details on configuring your environment and components to utilizes both client and server certificate validation. 8. Conclusions Following the standards recommended in this Technical Note, deployed agents become invisible to external network entities and communicate using secure techniques while still remaining completely functional.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback