Upload
others
View
17
Download
0
Embed Size (px)
Citation preview
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Contents
i
Introduction--1Content and Purpose of This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . 1User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Security--3Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Creating and Installing Digital Certificates . . . . . . . . . . . . . . . . . . . . . 11Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Using the APC Security Wizard--16Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Create a Root Certificate and Server Certificates . . . . . . . . . . . . . . . . 19Create a Server Certificate and Signing Request . . . . . . . . . . . . . . . . 23Create an SSH Host Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Control Console Access and Security--28Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Telnet and Secure SHell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Web Interface Access and Security--31
RADIUS--34Supported RADIUS Functions and Servers . . . . . . . . . . . . . . . . . . . . 34Configure the Management Card or Device . . . . . . . . . . . . . . . . . . . . 34Configure the RADIUS Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Index--40
etwork twork network.
ich ones overall
ate the SH.
ware for that
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
IntroductionContent and Purpose of This GuideThis guide documents security features for firmware version 3.x.x for APC® NManagement Cards and for devices with embedded components of APC NeManagement Cards, which enable the devices to function remotely over the
This guide documents the following protocols and features, how to select whare appropriate for your situation, and how to set up and use them within an security system:• Telnet and Secure SHell (SSH)• Secure Sockets Layer (SSL)• RADIUS• SNMPv1 and SNMPv3
In addition, this guide documents how to use the APC Security Wizard to crecomponents required for the increased security available through SSL and S
For information about the security features for a device running firmversion 5.x.x, see the Security Handbook provided on the Utility CDdevice.
1
els of
eb th apc.
e contents e is
ot change se file rd is apc.
for evices. unt type.
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x User Management
Types of user accountsA Network Management Card or network-enabled device has three basic levaccess:• An Administrator can use all of the management menus available in the W
interface and control console. The default user name and password are bo• A Device User can access the event log and data log (but cannot delete th
of either log), and can use the device-related menus. The default user namdevice, and the default password is apc.
• A Read-Only User can access the same menus as a Device User, but cannconfigurations, control devices, delete data, delete the content of logs, or utransfer options. The default user name is readonly, and the default passwoA Read-Only User cannot log on through the control console.
Some APC devices have additional user accounts, e.g., outlet usersSwitched Rack PDUs and an A/C Manager for some NetworkAIR dSee the device’s User’s Guide for information on the additional acco
2
tted as
access from ission.
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
SecuritySecurity FeaturesSummary of access methods
Serial control console.
Remote control console.
Security Access Description
Access is by user name and password. Always enabled.
Security Access Description
Available methods:• User name and password• Selectable server port• Access protocols that can
be enabled or disabled• Secure SHell (SSH)
For high security, use SSH.• With Telnet, the user name and password are transmi
plain text.• Enabling SSH disables Telnet and provides encrypted
to the control console to provide additional protection attempts to intercept, forge, or alter data during transm
3
icts access ocation NMSs owing
.215.12.1.ent.nt.
the
S trying to the NMS it
cy .
ted as n.
d the files ration
es, and s your file
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x SNMPv1 and SNMPv3.
File transfer protocols.
Security Access Description
Available methods (SNMPv1):• Community Name• Host Name• NMS IP filters• Agents that can be enabled
or disabled• Four access communities
with read/write/disable capability
For both SNMPv1 and SNMPv3, the host name restrto the Network Management System (NMS) at that lonly, and the NMS IP filters allow access only to the specified by one of the IP address formats in the follexamples:• 159.215.12.1: Only the NMS at the IP address 159• 159.215.12.255: Any NMS on the 159.215.12 segm• 159.215.255.255: Any NMS on the 159.215 segme• 159.255.255.255: Any NMS on the 159 segment.• 0.0.0.0 or 255.255.255.255: Any NMS.
SNMPv3 has additional security features that includefollowing:• An authentication passphrase to ensure that an NM
access the Network Management Card or device isclaims to be.
• Encryption of data during transmission, with a privapassphrase required for encrypting and decrypting
Available methods (SNMPv3):• Four User Profiles• Authentication through an
authentication passphrase• Encryption through a privacy
passphrase• MD5 authentication• DES encryption algorithm• NMS IP filters
Security Access Description
Available methods:• User name and password• Selectable server port• FTP Server and access
protocols that can be enabled or disabled
• Secure CoPy (SCP)
With FTP, the user name and password are transmitplain text, and files are transferred without encryptio
Using SCP encrypts the user name and password anbeing transferred, such as firmware updates, configufiles, log files, Secure Sockets Layer (SSL) certificatSecure SHell (SSH) host keys. If you choose SCP atransfer protocol, enable SSH and disable FTP.
4
nection to
computer
d ncryption).
ith the most Web l over page Web
rvice) is service ach
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Web server.
RADIUS.
Access prioritiesThe priority for access, beginning with the highest priority, is as follows:• Local access to the control console from a computer with a direct serial con
the Management Card or device• Telnet or Secure SHell (SSH) access to the control console from a remote• Web access, either directly or through the InfraStruXure Central
Security Access Description
Available methods:• User name and password• Selectable server port• Web interface access that
can be enabled or disabled
• Secure Sockets Layer (SSL)
In basic HTTP authentication mode, the user name anpassword are transmitted base-64 encoded (with no e
SSL is available on Web browsers supported for use wManagement Card or network-enabled device and on servers. The Web protocol HyperText Transfer ProtocoSecure Sockets Layer (HTTPS) encrypts and decryptsrequests to the Web server and pages returned by theserver to the user.
Security Access Description
Available methods:• Centralized authentication of
access rights• A server secret shared between
the RADIUS server and the Management Card or device
RADIUS (Remote Authentication Dial-In User Sean authentication, authorization, and accountingused to centrally administer remote access for eManagement Card or device. (APC supports theauthentication and authorization functions.)
5
r s from ty.
ort, a user e ional level e rom 5001 nd er lower
1red over affic can of the d device. vailable
access to v1 traps.)
the top nu. Clear
on the top ion menu. mmunity
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Changing default user names and passwords immediately
After installation and initial configuration of the Network Management Card onetwork-enabled device, immediately change the user names and passwordtheir defaults to unique user names and passwords to establish basic securi
Port assignmentsIf Telnet, the FTP server, SSH/SCP, or the Web server uses a non-standard pmust specify the port in the command line or Web address used to access thManagement Card or device. A non-standard port number provides an additof security. The ports are initially set at the standard “well known ports” for thprotocols. To increase security, reset the ports to any unused port numbers fto 32768 for the FTP server and from 5000 to 32768 for the other protocols aservers. (The FTP server uses both the specified port and the port one numbthan the specified port.)
User names, passwords, and community names with SNMPvAll user names, passwords, and community names for SNMPv1 are transferthe network as plain text. A user who is capable of monitoring the network trdetermine the user names and passwords required to log on to the accountscontrol console or Web interface of the Management Card or network-enableIf your network requires the higher security of the encryption-based options afor the control console and Web interface, disable SNMPv1 access or set itsRead. (Read access allows you to receive status information and use SNMP
To disable SNMPv1 access, on the Administration tab, select Network on menu bar and access under the SNMPv1 heading on the left navigation methe Enable SNMPv1 access checkbox and click Apply.
To set SNMPv1 access to Read, on the Administration tab, select Network menu bar and access control under the SNMPv1 heading on the left navigatThen, for each configured Network Management System (NMS), click the co
6
names and set the access type to Read.
n through basic is not
e tication ment
vice is the ssion, and priate
on.
Web y using
Secure
, use the
SECUR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Authentication
You can choose security features for the Network Management Card or network-enabled device that controls access by providing basic authenticatiouser names, passwords, and IP addresses, without using encryption. These security features are sufficient for most environments in which sensitive databeing transferred.
SNMP GETS, SETS, and TrapsFor enhanced authentication when you use SNMP to monitor or configure thManagement Card or network-enabled device, choose SNMPv3. The authenpassphrase used with SNMPv3 user profiles ensures that a Network ManageSystem (NMS) attempting to communicate with the Management Card or deNMS it claims to be, that the message has not been changed during transmithat the message was not delayed, copied and sent again later at an inapprotime. SNMPv3 is disabled by default.
The APC implementation of SNMPv3 uses the MD5 protocol for authenticati
Web interface and control consoleTo ensure that data and communication between the Management Card or network-enabled device and the client interfaces (the control console and theinterface) cannot be intercepted, you can provide a greater level of security bone or more of the following encryption-based methods:• For the Web interface, use the Secure Sockets Layer (SSL) protocol. • To encrypt user names and passwords for control console access, use the
SHell (SSH) protocol.• To encrypt user names, passwords, and data for the secure transfer of files
Secure CoPy (SCP) protocol.
For more information on encryption-based security, see Encryption.
7
he by means receives
nsolecomputer ase, the s between
d device) t key is an e network rver.
s faster empts to
r you
and st Key.
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Encryption
SNMP GETS, SETS, and TrapsFor encrypted communication when you use SNMP to monitor or configure tManagement Card or network-enabled device, choose SNMPv3. The privacypassphrase used with SNMPv3 user profiles ensures the privacy of the data (of encryption, using the DES encryption algorithm) that an NMS sends to or from the Management Card or device.
Secure SHell (SSH) and Secure CoPy (SCP) for the control coThe Secure SHell protocol. SSH provides a secure mechanism to access consoles, or shells, remotely. The protocol authenticates the server (in this cManagement Card or network-enabled device) and encrypts all transmissionthe SSH client and the server.• SSH is an alternative to Telnet, which does not provide encryption.• SSH protects the user name and password, which are the credentials for
authentication, from being used by anyone intercepting network traffic.• To authenticate the SSH server (the Management Card or network-enable
to the SSH client, SSH uses a host key unique to the SSH server. The hosidentification that cannot be falsified, and it prevents an invalid server on thfrom obtaining a user name and password by presenting itself as a valid se
• The Management Card or device supports version 1 of SSH, which providelog-on, and version 2 of SSH, which provides improved protection from attintercept, forge, or change data during transmission.
• When you enable SSH, Telnet is automatically disabled.• The interface, user accounts, and user access rights are the same whethe
For information on supported SSH client applications, see TelnetSecure SHell (SSH). To create a host key, see Create an SSH Ho
8
access the control console through SSH or Telnet.
ead of ryption of
ure SCP.
ble FTP, Server on
cting
over s page user.
and the u select
r (in this
common
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Secure CoPy. SCP is a secure file transfer application that you can use inst
FTP. SCP uses the SSH protocol as the underlying transport protocol for encuser names, passwords, and files.• When you enable and configure SSH, you automatically enable and config
No further configuration of SCP is needed.• You must explicitly disable FTP. It is not disabled by enabling SSH. To disa
on the Administration tab, select Network on the top menu bar and FTP the side menu bar. Clear the Enable checkbox and click Apply.
Secure Sockets Layer (SSL) for the Web InterfaceFor secure Web communication, enable Secure Sockets Layer (SSL) by seleHTTPS as the protocol mode to use for access to the Web interface of the Management Card or network-enabled device. HyperText Transfer Protocol Secure Sockets Layer (HTTPS) is a Web protocol that encrypts and decryptrequests from the user and pages that are returned by the Web server to the
The Management Card or network-enabled device supports SSL version 3.0associated Transport Layer Security (TLS) version 1.0. Most browsers let yothe version of SSL to enable.
When SSL is enabled, your browser displays a small lock icon.
SSL uses a digital certificate to enable the browser to authenticate the servecase, the Management Card or device). The browser verifies the following:• The format of the server certificate is correct.• The server certificate’s expiration date and time have not passed.• The DNS name or IP address specified when a user logs on matches the
name in the server certificate.• The server certificate is signed by a trusted certifying authority.
9
ertificates rowser so a CA root
to an Authority, re
to the tility CD.
server, tercepted
these
rtificate Request.
re SSL,
browser’s ur user leave
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Each major browser manufacturer distributes Certificate Authority (CA) root c
of the commercial Certificate Authorities in the certificate store (cache) of its bthat it can compare the signature on the server certificate to the signature oncertificate.
You can use the APC Security Wizard to create a certificate signing request external Certificate Authority. If you do not want to use an existing Certificateyou can create an APC root certificate to upload to a browser’s certificate sto(cache). You can also use the Wizard to create a server certificate to uploadManagement Card or device. The APC Security Wizard is provided on the U
SSL also uses various algorithms and encryption ciphers to authenticate theencrypt data, and ensure the integrity of the data, i.e., that it has not been inand sent by another server.
See Creating and Installing Digital Certificates for a summary of howcertificates are used.
To create certificates and certificate requests, see Create a Root Ceand Server Certificates and Create a Server Certificate and Signing
See Web Interface Access and Security for the procedure to configuincluding the selection of authentication and encryption algorithms.
Web pages that you have recently accessed are saved in your Webcache and allow you to return to those pages without re-entering yoname and password. Always close your browser session before youyour computer unattended.
10
word enabled (SSL) e (the
ting, and for your
gement
erver
uest to be ate a
following
its own ay, but use e Authority.
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Creating and Installing Digital Certificates
PurposeFor network communication that requires a higher level of security than passencryption, the Web interface of the Network Management Card or network-device supports the use of digital certificates with the Secure Sockets Layer protocol. Digital certificates can authenticate the Management Card or devicserver) to the Web browser (the SSL client).
The sections that follow summarize the three methods of creating, implemenusing digital certificates to help you determine the most appropriate method system.• Method 1: Use the default certificate auto-generated by the Network Mana
Card or network-enabled device.• Method 2: Use the APC Security Wizard to create a CA certificate and a s
certificate.• Method 3: Use the APC Security Wizard to create a certificate-signing req
signed by the root certificate of an external Certificate Authority and to creserver certificate.
.
Choosing a method for your systemUsing the Secure Sockets Layer (SSL) protocol, you can choose any of the methods for using digital certificates.
You can also use Method 3 if your company or agency operates Certificate Authority. Use the APC Security Wizard in the same wyour own Certificate Authority in place of a commercial Certificat
11
ou must ate exists,
d from the
ecurity r you can
rtificate, rs the first
icate (a . There is
the cating that want to
ficate into ss to the ualified r device.Card or ss of the
rd or and e browser
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Method 1: Use the default certificate auto-generated by the Network
Management Card or network-enabled device. When you enable SSL, yreboot the Management Card or device. During rebooting, if no server certificthe Management Card or device generates a default server certificate that isself-signed but that you cannot configure.
Method 1 has the following advantages and disadvantages:• Advantages:
– Before they are transmitted, the user name, password, and all data to anManagement Card or device are encrypted.
– You can use this default server certificate to provide encryption-based swhile you are setting up either of the other two digital certificate options, ocontinue to use it for the benefits of encryption that SSL provides.
• Disadvantages: – The Management Card or device takes up to 5 minutes to create this ce
and the Web interface is not available during that time. (This delay occutime you log on after you enable SSL.)
– This method does not include the authentication provided by a CA certifcertificate signed by a Certificate Authority) that Methods 2 and 3 provideno CA Certificate cached in the browser. Therefore, when you log on to Management Card or device, the browser generates a security alert, india certificate signed by a trusted authority is not available, and asks if youproceed. To avoid this message, you must install the default server certithe certificate store (cache) of the browser of each user who needs acceManagement Card or device, and each user must always use the fully qdomain name of the server when logging on to the Management Card o
– The default server certificate has the serial number of the Management device in place of a valid common name (the DNS name or the IP addreManagement Card or device). Therefore, although the Management Cadevice can control access to its Web interface by user name, password,account type (e.g., Administrator, Device User, or Read-Only User), th
12
ceiving
setting up 3 is 1024
a server
curity e the
hen the icate to
equesting
name (IP ied in the
ity, the in the root server
d from the
setting up sequently
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x cannot authenticate which Management Card or device is sending or re
data.– The length of the public key (RSA key) that is used for encryption when
an SSL session is only 768 bits. (The public key used in Methods 2 and bits, providing more complex encryption and a higher level of security.)
Method 2: Use the APC Security Wizard to create a CA certificate andcertificate. Use the APC Security Wizard to create two digital certificates:• A CA root certificate (Certificate Authority root certificate) that the APC Se
Wizard uses to sign all server certificates and which you then install into thcertificate store (cache) of the browser of each user who needs access to Management Card or device.
• A server certificate that you upload to the Management Card or device. WAPC Security Wizard creates a server certificate, it uses the CA root certifsign the server certificate.
The Web browser authenticates the Management Card or device sending or rdata:• To identify the Management Card or device, the browser uses the common
address or DNS name of the Management Card or device) that was specifserver certificate’s distinguished name when the certificate was created.
• To confirm that the server certificate is signed by a “trusted” signing authorbrowser compares the signature of the server certificate with the signature certificate cached in the browser. An expiration date confirms whether the certificate is current.
Method 2 has the following advantages and disadvantages.• Advantages:
– Before they are transmitted, the user name, password, and all data to anManagement Card or device are encrypted.
– The length of the public key (RSA key) that is used for encryption when an SSL session is 1024 bits, providing more complex encryption and con
13
ger
e enables ect yond the
provide
Certificate re (cache) icates for r, as
request and to st (a .csr ed u then use es the d the
and from
own , but use uthority.
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x a higher level of security than the public key used in Method 1. (This lon
encryption key is also used in Method 3.)– The server certificate that you upload to the Management Card or devic
SSL to authenticate that data is being received from and sent to the corrManagement Card or device. This provides an extra level of security beencryption of the user name, password, and transmitted data.
– The root certificate that you install to the browser enables the browser toauthenticate the server certificate of the Management Card or device to additional protection from unauthorized access.
• Disadvantage: Because the certificates do not have the digital signature of a commercial Authority, you must load a root certificate individually into the certificate stoof each user’s browser. (Browser manufacturers already provide root certifcommercial Certificate Authorities in the certificate store within the browsedescribed in Method 3.)
Method 3: Use the APC Security Wizard to create a certificate-signingto be signed by the root certificate of an external Certificate Authoritycreate a server certificate. Use the APC Security Wizard to create a requefile) to send to a Certificate Authority. The Certificate Authority returns a signcertificate (a .crt file) based on information you submitted in your request. Yothe APC Security Wizard to create a server certificate (a .p15 file) that includsignature from the root certificate returned by the Certificate Authority. Uploaserver certificate to the Management Card or device.
Method 3 has the following advantages and disadvantages.• Advantages:
– Before they are transmitted, the user name and password and all data to
You can also use Method 3 if your company or agency operates its Certificate Authority. Use the APC Security Wizard in the same wayyour own Certificate Authority in place of a commercial Certificate A
14
the Management Card or device are encrypted.
ady has a tificates of software, already erefore, ho needs
session is rity than d in
enables rrect
yond the
ou A root
ditional
a
ertificates.
an others, me.
SECU
RIT
Y H
AN
DB
OO
KN
etw
ork-
Ena
bled
Dev
ices
, AO
S v
.3.x
.x – You have the benefit of authentication by a Certificate Authority that alresigned root certificate in the certificate cache of the browser. (The CA cercommercial Certificate Authorities are distributed as part of the browser and a Certificate Authority of your own company or agency has probablyloaded its CA certificate to the browser store of each user’s browser.) Thyou do not have to upload a root certificate to the browser of each user waccess to the Management Card or device.
– The length of the public key (RSA key) that is used for setting up an SSL1024 bits, providing more complex encryption and a higher level of secuthe public key used in Method 1. (This longer encryption key is also useMethod 2.)
– The server certificate that you upload to the Management Card or deviceSSL to authenticate that data are being received from and sent to the coManagement Card or device. This provides an extra level of security beencryption of the user name, password, and transmitted data.
– The browser matches the digital signature on the server certificate that yuploaded to the Management Card or device with the signature on the Ccertificate that is already in the browser’s certificate cache to provide adprotection from unauthorized access.
• Disadvantages: – Setup requires the extra step of requesting a signed root certificate from
Certificate Authority.– An external Certificate Authority may charge a fee for providing signed c
FirewallsAlthough some methods of authentication provide a higher level of security thcomplete protection from security breaches is almost impossible to achieve.Well-configured firewalls are an essential element in an overall security sche
15
Network using
APC identify stringent ore
ificates for ty (CA) as digital
e of the
ported by of CA root
nt Cards For rd or ovided on
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
Using the APC Security WizardOverviewThe APC Security Wizard creates components needed for high security for aManagement Card or network-enabled device on the network when you are Secure Sockets Layer (SSL) and related protocols and encryption routines.
Authentication by certificates and host keysAuthentication verifies the identity of a user or a network device (such as an Network Management Card or network-enabled device). Passwords typicallycomputer users. However, for transactions or communications requiring moresecurity methods on the Internet, the Management Card or device supports msecure methods of authentication.• Secure Sockets Layer (SSL), used for secure Web access, uses digital cert
authentication. A digital CA root certificate is issued by a Certificate Authoripart of a public key infrastructure, and its digital signature must match the signature on a server certificate on the Management Card or device.
• Secure SHell (SSH), used for remote terminal access to the control consolManagement Card or device, uses a public host key for authentication.
How certificates are used. Most Web browsers, including all browsers supAPC Network Management Cards or network-enabled devices, contain a set certificates from all of the commercial Certificate Authorities.
The Security Wizard can create security components for Managemeor devices running firmware version 5.x.x. or firmware version 3.x.x.information about using the Security Wizard with a Management Cadevice running firmware version 5.x.x, see the Security Handbook prthe Utility CD for that device.
16
curs each ks to be the
st have a
Card or e.
though it
ates, you s by of ate, the n to the
of the at server.
elf.
H security
ed device, ou can
SECU
RIT
Y H
AN
DB
OO
KN
etw
ork-
Ena
bled
Dev
ices
, AO
S v
.3.x
.x Authentication of the server (in this case, the Management Card or device) octime a connection is made from the browser to the server. The browser checsure that the server’s certificate is signed by a Certificate Authority known tobrowser.
For authentication to occur:• Each server (Network Management Card or device) with SSL enabled mu
server certificate on the server itself.• Any browser that is used to access the Web interface of the Management
device must contain the CA root certificate that signed the server certificat
If authentication fails, a browser message asks you whether to continue evencannot authenticate the server.
If your network does not require the authentication provided by digital certificcan use the default certificate that the Management Card or device generateautomatically. The default certificate’s digital signature will not be recognizedbrowsers, but a default certificate enables you to use SSL for the encryptiontransmitted user names, passwords, and data. (If you use the default certificbrowser prompts you to agree to unauthenticated access before it logs you oWeb interface of the Management Card or device.)
How SSH host keys are used. An SSH host key authenticates the identityserver (the Management Card or device) each time an SSH client contacts thEach server with SSH enabled must have an SSH host key on the server its
Files you create for SSL and SSH securityUse the APC Security Wizard to create these components of an SSL and SSsystem:• The server certificate for the Network Management Card or network-enabl
if you want the benefits of authentication that such a certificate provides. Ycreate either of the following types of server certificate:
17
ith the not have ificate
ificate r can be are
rver ng an
nagement
er Wizard. ternet
SSL Security sion 3.x.x
eys with s 768-bit
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x – A server certificate signed by a custom CA root certificate also created w
APC Security Wizard. Use this method if your company or agency does its own Certificate Authority and you do not want to use an external CertAuthority to sign the server certificate.
– A server certificate signed by an external Certificate Authority. This CertAuthority can be one that is managed by your own company or agency oone of the commercial Certificate Authorities whose CA root certificates distributed as part of a browser’s software.
• A certificate signing request containing all the information required for a secertificate except the digital signature. You need this request if you are usiexternal Certificate Authority.
• A CA root certificate.• An SSH host key that your SSH client program uses to authenticate the Ma
Card or device when you log on to the control console interface.
Only APC server management and key management products can use servcertificates, host keys, and CA root certificates created by the APC Security These files will not work with products such as OpenSSL® and Microsoft® InInformation Services (IIS).
You must define an RSA key size of 1024 bits for all public keys forcertificates and all host keys for SSH that are created with the APCWizard. Management Cards and devices running AOS firmware vercannot generate 2048-bit keys.
If you do not create and use SSL server certificates and SSH host kthe APC Security Wizard, the Management Card or device generateRSA keys.
18
tes
ertificate y to sign
ith , two files
te rtificates.
root ss the certificate
this task, .
eat the
ficate g
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Create a Root Certificate and Server Certifica
SummaryUse this procedure if your company or agency does not have its own CAuthority and you do not want to use a commercial Certificate Authorityour server certificates.
• Create a CA root certificate that will sign all server certificates to be used wNetwork Management Cards or network-enabled devices. During this taskare created: – The file with the .p15 suffix is an encrypted file that contains the Certifica
Authority’s private key and public root certificate. This file signs server ce– The file with the .crt suffix contains only the Certificate Authority’s public
certificate. Load this file into each Web browser that will be used to acceManagement Card or device so that the browser can validate the serverof that Management Card or device.
• Create a server certificate, which is stored in a file with a .p15 suffix. Duringyou are prompted for the CA root certificate that signs the server certificate
• Load the server certificate onto the Management Card or device.• For each Management Card or device that requires a server certificate, rep
tasks that create and load the server certificate.
You must define the size of the public RSA key that is part of a certigenerated by the APC Security Wizard as 1024 bits. Devices runninfirmware version 3.x.x cannot generate 2048-bit keys.
The default key generated by the Network Management Card or network-enabled device, if you do not use the Wizard, is 768 bits.
19
the all the ice.ard.f file to which is
blic root lt, will be
A root d fields. y or
rd to view ges to the
rent date y Period
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x The procedure
Create the CA root certificate. 1. If the APC Security Wizard is not already installed on your computer, run
installation program (APC Security Wizard.exe) by clicking the link InstWizard in the interface of the Utility CD for the Management Card or dev
2. On the Windows Start menu, select Programs, then APC Security Wiz3. On the screen labeled Step 1, select CA Root Certificate as the type o
create, and then select the length of the key to generate (use 1024 bits, the default setting).
4. Enter a name for this file, which will contain the Certificate Authority’s pucertificate and private key. The file must have a .p15 suffix and, by defaucreated in the installation folder C:\Program Files\American Power Conversion\APC Security Wizard.
5. On the screen labeled Step 2, provide the information to configure the Ccertificate. The Country and Common Name fields are the only requireFor the Common Name field, enter an identifying name of your companagency. Use only alphanumeric characters, with no spaces.
6. On the next screen, review the summary of the certificate. Scroll downwathe certificate’s unique serial number and fingerprints. To make any chaninformation you provided, click Back, and revise the information.
By default, a CA root certificate is valid for 10 years from the curand time, but you can edit the Validity Period Start and ValiditEnd fields.
The certificate’s subject information and the certificate’s issuer information should be identical.
20
rmation
ver
o load into or device.
wser of
.e. The file created in
ard. of file, the
private e folder . Create a
to sign the
erver
e .crt file of the
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x 7. The last screen verifies that the certificate was created and displays info
you need for the next tasks:• The location and name of the .p15 file that you will use to sign the ser
certificates.• The location and name of the .crt file, which is the CA root certificate t
the browser of each user who needs to access the management card
Load the CA root certificate to your browser. Load the .crt file to the broeach user who needs to access the Management Card or device.
1. Select Tools, then Internet Options from the menu bar.2. In the dialog box, on the Content tab click Certificates and then Import3. The Certificate Import Wizard guides you through the rest of the procedur
type to select is X.509, and the CA Public Root Certificate is the .crt file the procedure Create a Root Certificate and Server Certificates.
Create an SSL Server User Certificate. 1. On the Windows Start menu, select Programs, then APC Security Wiz2. On the screen labeled Step 1, select SSL Server Certificate as the type
and then select the length of the key to generate (use 1024 bits, which isdefault setting).
3. Enter a name for this file, which will contain the server certificate and thekey. The file must have a .p15 suffix and, by default, will be created in thC:\Program Files\American Power Conversion\APC Security Wizard
4. Click Browse, and select the CA root certificate created in the procedureRoot Certificate and Server Certificates. The CA Root Certificate is used Server User Certificate being generated.
5. On the screen labeled Step 2, provide the information to configure the s
See the help system of the browser for information on how to load thinto the browser’s certificate store (cache). Following is a summary procedure for Microsoft Internet Explorer.
21
certificate. Country and Common Name are the only required fields. For the
the 10 years, s.
rd to view ges to the
s you on ard or ertificate, ertificate
l
cate, the er
e on of a CA root que iffer.)
r gement ed
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Common Name field, enter the IP address or DNS name of the server (
Management Card or device). By default, a server certificate is valid for but you can edit the Validity Period Start and Validity Period End field
6. On the next screen, review the summary of the certificate. Scroll downwathe certificate’s unique serial number and fingerprints. To make any chaninformation you provided, click Back, and revise the information.
7. The last screen verifies that the certificate has been created and instructthe next task, to load the server certificate to the Network Management Cnetwork-enabled device. It displays the location and name of the Server Cwhich has a .p15 file suffix and contains the private key and public root cof the Management Card or device.
Load the server certificate to the Management Card or device. 1. On the Administration tab, select Network on the top menu bar and ss
certificate under the Web heading on the left navigation menu.2. Select Add or Replace Certificate File, and browse to the server certifi
.p15 file you created in the procedure Create a Root Certificate and ServCertificates. (The default location is C:\Program Files\American PowerConversion\APC Security Wizard.)
Because the configuration information is part of the signature, thinformation for every certificate must be unique. The configuratiserver certificate cannot be the same as the configuration of thecertificate. (The expiration date is not considered part of the uniconfiguration. Some other configuration information must also d
If you use FTP or Secure CoPy (SCP) instead to transfer the servecertificate, you must specify the correct location, \sec, on the ManaCard or device. For SCP, the command to transfer a certificate namcert.p15 to a Management Card or device with an IP address of 156.205.6.185 would be:
scp cert.p15 [email protected]:\sec\cert.p15
22
t
uthority ver
mation for utput files: gement
you send
rt that ivate key
uthority.
eat the
the all the ice.ard. file to which is
SECU
RIT
Y H
AN
DB
OO
K
Netw
ork-
Ena
bled
Dev
ices
, AO
S v
.3.x
.x Create a Server Certificate and Signing RequesSummary
Use this procedure if your company or agency has its own Certificate Aor if you plan to use a commercial Certificate Authority to sign your sercertificates.• Create a Certificate Signing Request (CSR). The CSR contains all the infor
a server certificate except the digital signature. This process creates two o– The file with the .p15 suffix contains the private key of the Network Mana
Card or network-enabled device. – The file with the .csr suffix contains the certificate signing request, which
to an external Certificate Authority.• When you receive the signed certificate from the Certificate Authority, impo
certificate. Importing the certificate combines the .p15 file containing the prand the file containing the signed certificate from the external Certificate AThe output file is a new encrypted server certificate file with a .p15 suffix.
• Load the server certificate onto the Management Card or device.• For each Management Card or device that requires a server certificate, rep
tasks that create and load the server certificate.
The procedureCreate the Certificate Signing Request (CSR).
1. If the APC Security Wizard is not already installed on your computer, runinstallation program (APC Security Wizard.exe) by clicking the link InstWizard in the interface of the Utility CD for the Management Card or dev
2. On the Windows Start menu, select Programs, then APC Security Wiz3. On the screen labeled Step 1, select Certificate Request as the type of
create, and then select the length of the key to generate (use 1024 bits, the default setting).
23
ement reated in PC
ertificate ver red. Other r DNS
rd to view ges to the
nd
ither a anaged
rent date ty Period
ing the
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x 4. Enter a name for this file, which will contain the private key of the Manag
Card or device. The file must have a .p15 suffix and, by default, will be cthe installation folder C:\Program Files\American Power Conversion\ASecurity Wizard.
5. On the screen labeled Step 2, provide the information to configure the csigning request (CSR), i.e., the information that you want the signed sercertificate to contain. The Country and Common Name fields are requifields are optional. For the Common Name field, enter the IP Address oname of the Management Card or device.
6. On the next screen, review the summary of the certificate. Scroll downwathe certificate’s unique serial number and fingerprints. To make any chaninformation you provided, click Back, and revise the information.
7. The last screen verifies that the certificate signing request was created adisplays the location and name of the file, which has a .csr extension.
8. Send the certificate signing request to an external Certificate Authority, ecommercial Certificate Authority or, if applicable, a Certificate Authority mby your own company or agency.
By default, a server certificate is valid for 10 years from the curand time, but you can edit the Validity Period Start and ValidiEnd fields.
The certificate’s subject information and the certificate’s issuerinformation should be identical.
See the instructions provided by the Certificate Authority regardsigning and issuing of server certificates.
24
ns the certificate Network
ard.
the
Certificate ate key of der . that you ffix.summary te.
ts you on evice. It 5 file e and the
l
cate, the er
SECU
RIT
Y H
AN
DB
OO
KN
etw
ork-
Ena
bled
Dev
ices
, AO
S v
.3.x
.x Import the signed certificate. When the external Certificate Authority retursigned certificate, import the certificate. This procedure combines the signedand the private key into an SSL server certificate that you then upload to theManagement Card or network-enabled device.
1. On the Windows Start menu, select Programs, then APC Security Wiz2. On the screen labeled Step 1, select Import Signed Certificate.3. Browse to and select the signed server certificate that you received from
external Certificate Authority. The file has a .cer or .crt suffix.4. Browse to and select the file you created in step 4 of the task Create the
Signing Request (CSR). This file has a .p15 extension, contains the privthe Management Card or device, and, by default, is in the installation folC:\Program Files\American Power Conversion\APC Security Wizard
5. Specify a name for the output file that will be the signed server certificateupload to the Management Card or device. The file must have a .p15 su
6. Click Next to generate the server certificate. Issuer Information on the screen confirms that the external Certificate Authority signed the certifica
7. The last screen verifies that the certificate has been created and instructhe next task, to load the server certificate to the Management Card or ddisplays the location and name of the server certificate, which has a .p1extension and contains the private key of the Management Card or devicpublic key obtained from the .cer or .crt file.
Load the server certificate to the Management Card or device. 1. On the Administration tab, select Network on the top menu bar and ss
certificate under the Web heading on the left navigation menu.2. Select Add or Replace Certificate File, and browse to the server certifi
.p15 file you created in the procedure Create a Root Certificate and ServCertificates. (The default location is C:\Program Files\American PowerConversion\APC Security Wizard.)
25
host key, bit RSA s that are
tored in a
the all the ice.ard. create, the
e server P for the ard or p15 to a ould be:
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
Create an SSH Host KeySummary
This procedure is optional. If you select SSH encryption, but do not create athe Network Management Card or network-enabled device generates a 768-key when it reboots. You must define a key size of 1024 bits for SSH host keycreated with the APC Security Wizard.• Use the APC Security Wizard to create a host key, which is encrypted and s
file with the .p15 suffix. • Load the host key onto the Management Card or device.
The procedureCreate the host key.
1. If the APC Security Wizard is not already installed on your computer, runinstallation program (APC Security Wizard.exe) by clicking the link InstWizard in the interface of the Utility CD for the Management Card or dev
2. On the Windows Start menu, select Programs, then APC Security Wiz3. On the Step 1 screen, select SSH Server Host Key as the type of file to
and then select the length of the key to generate (use 1024 bits, which isdefault setting).
Alternatively, you can use FTP or Secure CoPy (SCP) to transfer thcertificate to the Management Card or device. If you use FTP or SCtransfer, you must specify the location, \sec, on the Management Cdevice. For SCP, the command to transfer a certificate named cert.Management Card or device with an IP address of 156.205.6.185 w
scp cert.p15 [email protected]:\sec\cert.p15
26
ve a .p15 ram
nts, which host key t key was H client
d the host me of the
h host
file you \Program
rsion (or r device uploaded rogram
host key e transfer, vice. For key.p15 85:
SECU
RIT
Y H
AN
DB
OO
KN
etw
ork-
Ena
bled
Dev
ices
, AO
S v
.3.x
.x 4. Enter a name for this file, which will contain the host key. The file must hasuffix. By default, the file will be created in the installation folder C:\ProgFiles\American Power Conversion\APC Security Wizard.
5. Click Next to generate the host key.6. The summary screen displays the SSH version 1 and version 2 fingerpri
are unique for each host key and identify the host key. After you load theonto the Management Card or device, you can verify that the correct hosuploaded by verifying that the fingerprints displayed here match the SSHfingerprints on the Management Card or device, as displayed by your SSprogram.
7. The last screen verifies that the host key was created, instructs you to loakey to the Management Card or device, and displays the location and nahost key, which has a .p15 file suffix.
Load the host key to the Management Card or device. 1. On the Administration tab, select Network on the top menu bar, and ss
key under the Console heading on the left navigation menu.2. Select Add or Replace Host Key, and browse to the host key, the .p15
created in the procedure Create the host key. (The default location is C:Files\American Power Conversion\APC Security Wizard.)
3. At the bottom of the User Host Key page, note the fingerprint for the veversions) of SSH you are using. Then log on to the Management Card othrough your SSH client program, and verify that the correct host key wasby verifying that these fingerprints match the fingerprints that the client pdisplays.
Alternatively, you can use FTP or Secure CoPy (SCP) to transfer thefile to the Management Card or device. If you use FTP or SCP for thyou must specify the location, \sec, on the Management Card or deSCP, the following command would transfer a host key named hostto a Management Card or device with an IP address of 156.205.6.1
27
scp hostkey.p15 [email protected]:\sec\hostkey.p15
y
epending selecting er the Enabling
by user
eb rypts user
ou access nfigure
Enabling
d at the
ured, no es the
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
Control Console Access and SecuritIntroductionYou can access the control console through Telnet or Secure SHell (SSH), don which is enabled. (An Administrator can enable these access methods bythe Administration tab, then Network on the top menu bar and access undConsole heading on the left navigation menu.) By default, Telnet is enabled.SSH automatically disables Telnet.
Telnet for basic access. Telnet provides the basic security of authenticationname and password, but not the high-security benefits of encryption.
SSH for high-security access. If you use the high security of SSL for the Winterface, use Secure SHell (SSH) for access to the control console. SSH encnames, passwords, and transmitted data.
The interface, user accounts, and user access rights are the same whether ythe control console through SSH or Telnet, but to use SSH, you must first coSSH and have an SSH client program installed on your computer.
Telnet and Secure SHell (SSH)While SSH is enabled, you cannot use Telnet to access the control console. SSH enables SCP automatically.
Do not enable both versions of SSH unless you require that both be activatesame time. (Security protocols use extensive processing power.)
When SSH is enabled and its port and encryption ciphers are configfurther configuration is required to use Secure CoPy (SCP). SCP ussame configuration as SSH.
28
top menu menu.
select 2, or both.
d other rating
es, see
Blowfish, 1 clients.
cannot use
) that are
security client that it can
SECU
RIT
Y H
AN
DB
OO
KN
etw
ork-
Ena
bled
Dev
ices
, AO
S v
.3.x
.xTo configure the options for Telnet and Secure SHell (SSH):
1. On the Administration tab of the Web interface, select Network on thebar, and select access under the Console heading on the left navigation
2. Configure the port settings for Telnet and SSH.
3. Under Console on the left navigation menu, select ssh encryption, andone or more data encryption algorithms for SSH version 1, SSH version
To use SSH, you must have an SSH client installed. Most Linux anUNIX® platforms include an SSH client, but Microsoft Windows opesystems do not. SSH clients are available from various vendors.
For information on the extra security a non-standard port providPort assignments.
Option Description
SSH v1 Enables or disables DES and displays the status (always enabled) of two encryption algorithms (block ciphers) compatible with SSH version• DES • Blowfish: You cannot disable this algorithm.
NOTE: Not all SSH clients can use every algorithm. If your SSH client Blowfish, you must also enable DES.
SSH v2 Enables or disables the following encryption algorithms (block cipherscompatible with SSH version 2 clients.• 3DES (enabled by default)• Blowfish (enabled by default)• AES 128 • AES 256
NOTE: Your SSH client selects the algorithm that provides the highestfrom among the enabled algorithms that it is able to use. (If your SSHcannot use either default algorithm, you must enable an AES algorithmuse.)
29
y a host he
, or if you generates ou create
e a host minutes
st SSH rprint
interface
and ecure file to the
ging on to
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x 4. Under Console on the left navigation menu, select ssh host key, specif
key file previously created with the APC Security Wizard, and load it to tManagement Card or device.If you do not specify a host key file here, if you install an invalid host keyenable SSH with no host key installed, the Management Card or device an RSA host key of 768 bits, instead of the 1024-bit RSA host key that yusing the Security Wizard. For the Management Card or device to creatkey, it must reboot. The Management Card or device can take up to 5to create this host key, and SSH is not accessible during that time.
5. Display the fingerprint of the SSH host key for SSH versions 1 and 2. Moclients display the fingerprint at the start of a session. Compare the fingedisplayed by the client to the fingerprint that you recorded from the Webor control console of the Management Card or device.
Alternatively, from a command line interface, such as the commprompt on Windows operating systems, you can use FTP or SCoPy (SCP) to transfer the host key file. You must transfer thelocation \sec on the Management Card or device.
If you are using SSH version 2, expect a noticeable delay when logthe control console of the Management Card or device.
30
word, but erText , Network .
cess
ect the
ne ce. If a
e
the
es, see
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Web Interface Access and Security
HTTP and HTTPS (with SSL)HyperText Transfer Protocol (HTTP) provides access by user name and passdoes not encrypt user names, passwords, and data during transmission. HypTransfer Protocol over Secure Sockets Layer (HTTPS) encrypts user namespasswords, and data during transmission, and provides authentication of theManagement Card or network-enabled device by means of digital certificates
To configure HTTP and HTTPS:1. On the Administration tab, select Network on the top menu bar and ac
under Web on the left navigation menu.2. Enable either HTTP or HTTPS and configure the ports that each of
the two protocols will use. Changes take effect the next time you log on. When SSL is activated, your browser displays a small lock icon.
3. Select ssl cipher suites under Web on the left navigation menu, and selencryption ciphers that SSL will use.
4. Select ssl certificate under Web on the left navigation menu to determiwhether a server certificate is installed on the Management Card or devicertificate was created with the APC Security Wizard but is not installed:• In the Web interface, browse to the certificate file and upload it to the
Management Card or device.• Alternatively, use the Secure CoPy (SCP) protocol or FTP to upload th
certificate file to the location \sec on the Management Card or device.
See Creating and Installing Digital Certificates to choose among several methods for using digital certificates.
For information on the extra security a non-standard port providPort assignments.
31
link te.
the time certificate boots. o create t time.
some ated by
gement b interface.as
was
for the asking if
ard or ard or
try: The he server nagement nally
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
5. If a valid digital server certificate is loaded, the Status field displays the Valid Certificate. Click the link to display the parameters of the certifica
Creating and uploading a server certificate in advance reducesrequired to enable HTTPS. If you enable HTTPS with no server loaded, the Management Card or device creates one when it reThe Management Card or device can take up to 5 minutes tthe certificate, and the SSL server is unavailable during tha
A certificate that the Management Card or device generates haslimitations. See Method 1: Use the default certificate auto-generthe Network Management Card or network-enabled device.
Parameter Description
Issued To: Common Name (CN): The IP Address or DNS name of the ManaCard or device. This field controls how you must log on to the We• If an IP address was specified for this field when the certificate w
created, use an IP address to log on.• If the DNS name was specified for this field when the certificate
created, use the DNS name to log on.
If you do not use the IP address or DNS name that was specified certificate, authentication fails, and you receive an error messageyou want to continue.
For a server certificate generated by default by the Management Cdevice, this field displays the serial number of the Management Cdevice instead.
Organization (O), Organizational Unit (OU), and Locality, Counname, organizational unit, and location of the organization using tcertificate. For a server certificate generated by default by the MaCard or device, the Organizational Unit (OU) field displays “InterGenerated Certificate.”
Serial Number: The serial number of the server certificate.
32
root nagement ment Card
cate. If the ard or
cters, with the r.
thm (SHA).
D5)
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
Issued By: Common Name (CN): The Common Name as specified in the CAcertificate. For a server certificate generated by default by the MaCard or device, this field displays the serial number of the Manageor device instead.
Organization (O) and Organizational Unit (OU): The name and organizational unit of the organization that issued the server certifiserver certificate was generated by default by the Management Cdevice, this field displays “Internally Generated Certificate.”
Validity: Issued on: The date and time at which the certificate was issued.
Expires on: The date and time at which the certificate expires.
Fingerprints Each of the two fingerprints is a long string of alphanumeric charapunctuated by colons. A fingerprint is a unique identifier to furtherauthenticate the server. Record the fingerprints to compare them fingerprints contained in the certificate, as displayed in the browse
SHA1 Fingerprint: A fingerprint created by a Secure Hash Algori
MD5 Fingerprint: A fingerprint created by a Message Digest 5 (Malgorithm.
Parameter Description
33
entication r each r
to the
ble
r Remote
nabled.
nts.
r devices
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
RADIUSSupported RADIUS Functions and ServersSupported functions
APC supports the authentication and authorization functions of Remote AuthDial-In User Service (RADIUS). Use RADIUS to administer remote access foNetwork Management Card or network-enabled device centrally. When a useaccesses the Management Card or device, an authentication request is sentRADIUS server to determine the user’s permission level.
Supported RADIUS serversAPC supports FreeRADIUS and Microsoft IAS 2003. Other commonly availaRADIUS applications may work but have not been fully tested by APC.
Configure the Management Card or DeviceAuthentication
On the Administration tab, select Security on the top menu bar. Then, undeUsers on the left navigation menu, select Authentication Method:• Local Authentication Only: RADIUS is disabled. Local authentication is e
For more information on permission levels, see Types of user accou
RADIUS user names used with APC Network Management Cards oare limited to 32 characters.
34
ion are
menu .
le,
ontrol Only or
. To use a of the
Card or
esponse
erver path
servers is the
SECU
RIT
Y H
AN
DB
OO
KN
etw
ork-
Ena
bled
Dev
ices
, AO
S v
.3.x
.x • RADIUS, then Local Authentication: Both RADIUS and local authenticatenabled. Authentication is requested from the RADIUS server first; local authentication is used only if the RADIUS server fails to respond.
• RADIUS Only: RADIUS is enabled. Local authentication is disabled.
RADIUSTo configure RADIUS, on the Administration tab, select Security on the topbar. Then, under Remote Users on the left navigation menu, select RADIUS
If RADIUS Only is selected, and the RADIUS server is unavailabimproperly identified, or improperly configured, remote access is unavailable to all users. You must use a serial connection to the cconsole and change the Access setting to Local AuthenticationRADIUS, then Local Authentication to regain access.
Setting Definition
RADIUS Server
The server name or IP address of the RADIUS server.
NOTE: RADIUS servers use port 1812 by default to authenticate usersdifferent port, add a colon followed by the new port number to the endRADIUS server name or IP address.
Secret The secret shared between the RADIUS server and the Managementdevice.
Timeout The time in seconds that the Management Card or device waits for a rfrom the RADIUS server.
Test Settings
Enter the Administrator user name and password to test the RADIUS sthat you have configured.
Skip Test and Apply
Do not test the RADIUS server path.
Switch Server Priority
Change which RADIUS server will authenticate users if two configuredare listed and RADIUS, then Local Authentication or RADIUS Onlyenabled authentication method.
35
or rom the any
d
ecific igured, ptable r ice
, (6)
"
the
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Configure the RADIUS Server
You must configure your RADIUS server to work with the Management Cardnetwork-enabled device. The examples in this section may differ somewhat frequired content or format of your specific RADIUS server. In the examples, reference to outlets applies only to APC devices that support outlet users.
1. Add the IP address of the Network Management Card or network-enabledevice to the RADIUS server client list (file).
2. Users must be configured with Service-Type attributes unless Vendor SpAttributes (VSAs) are defined instead. If no Service-Type attribute is confthe user has read-only access (to the Web interface only). The two accevalues for Service-Type are Administrative-User (6), which gives the useAdministrator permissions, and Login-User (1), which gives the user Devpermissions.
Example using Service-Type AttributesIn the following example of a RADIUS users file:– UPSAdmin corresponds to Service-Type: Administrative-User– UPSDevice corresponds to Service-Type: Login-User, (1)– UPSReadOnly corresponds to Service-Type: null
UPSAdmin Auth-Type = Local, Password = "admin"Service-Type = Administrative-User
UPSDevice Auth-Type = Local, Password = "device"Service-Type = Login-User
UPSReadOnly Auth-Type = Local, Password = "readonly
See your RADIUS server documentation for information about RADIUS users file.
36
ttributes d a TRIBUTE c values,
ary.apc):
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Examples using Vendor Specific Attributes
Vendor Specific Attributes (VSAs) can be used instead of the Service-Type aprovided by your RADIUS server. This method requires a dictionary entry anRADIUS users file. In the dictionary file, you can define the names for the ATand VALUE keywords, but not the numeric values. If you change the numeriRADIUS authentication and authorization will not work correctly. VSAs take precedence over standard RADIUS attributes.
Dictionary file. Following is an example of a RADIUS dictionary file (diction## dictionary.apc ##VENDOR APC 318## Attributes#ATTRIBUTE APC-Service-Type 1 integer APCATTRIBUTE APC-Outlets 2 string APC
VALUE APC-Service-Type Admin 1VALUE APC-Service-Type Device 2VALUE APC-Service-Type ReadOnly 3## For devices with outlet users only#VALUE APC-Service-Type Outlet 4
37
s file with
rmission PC
Switched dditional
sted and
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x RADIUS Users file with VSAs. Following is an example of a RADIUS user
VSAs:
VSAAdmin Auth-Type = Local, Password = "admin" APC-Service-Type = Admin
VSADevice Auth-Type = Local, Password = "device" APC-Service-Type = Device
VSAReadOnly Auth-Type = Local, Password = "readonly" APC-Service-Type = ReadOnly
# Give user access to device outlets 1, 2 and 3.VSAOutlet Auth-Type = Local, Password = "outlet"
APC-Service-Type = Outlet, APC-Outlets = "1,2,3"
See the following related topics:• Types of user accounts for information on the three basic user pe
levels (Administrator, Device User, and Read-Only User). If your Adevice has an additional user account type, e.g., outlet user for aRack PDU, see the device’s User’s Guide for information on the aaccount type
• Supported RADIUS servers for information on RADIUS servers tesupported by APC.
38
re used n be used
DIUS evice.
ord awk:
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x Example with UNIX shadow passwords. If UNIX shadow password files a
(/etc/passwd) with the RADIUS dictionary files, the following two methods cato authenticate users:• If all UNIX users have administrative privileges, add the following to the RA
“user” file. To allow only Device Users, change the APC-Service-Type to D
DEFAULT Auth-Type = System APC-Service-Type = Admin
• Add user names and attributes to the RADIUS "user" file, and verify passwagainst /etc/passwd. The following example is for users bconners and th
bconners Auth-Type = SystemAPC-Service-Type = Admin
thawk Auth-Type = SystemAPC-Service-Type = OutletAPC-Outlets = "1,2,3"
39
nsole 8
g 30
P 9
31curity 6
or device 30 or device 30
asswords 6
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
lock icon when SSL is installed 9
CCertificates
choosing which method to use 11creating and installing for SSL 11methods
APC Security Wizard creates allcertificates 13
Use a Certificate Authority (CA) 14Use the APC default certificate 12
Cipher suitesencryption ciphers for SSH v1 and v2. 29purpose of the algorithms and ciphers 10
ConfiguringSSH 28SSL 31
DDevice user account 2
HHost keys
creating with the Security Wizard 26generated by the Management Card transferring to the Management Card
PPasswords
change immediately for security 6using non-standards ports as extra p
Ports, assigning 6
RRADIUS Server setting 35Read-only user account 2Root certificates, creating 19
evic
es, A
OS
v.3
.x.x Index
AAccess options for each interface 3Administrator account 2Authentication
for Web Interface and Control Console 7with RADIUS 34with SNMPv3 7with SSL 9
BBrowsers
CA certificates in browser’s store (cache) 10danger of leaving browser open 10
EEncryption
with SNMPv3 8with SSH and SCP for the Control Cowith SSL for the Web interface 31
FFingerprints, displaying and comparinFTP
disabling FTP if you use SSH and SCfor transferring host keys 30for transferring server certificates 22,using a non-standard port for extra se
40
ority 23y 19
g 30
or device 30
security 6
SEC
UR
ITY
HN
etw
ork-
Ena
bled
D how certificates are used 16how SSH host keys are used 17immediately changing username and password 6options for each interface 3SCP as alternative to FTP 9SSL
choosing a method to use certificates 11cipher suites algorithms and ciphers 10
summary of access methods 3supported SSH clients 29using non-standards ports as extra passwords 6
Security menulocal users, defining access 2RADIUS settings 35remote users, authentication 34
Security Wizard 16creating certificates
to use with a Certificate Authority 23without a Certificate Authority 19
creating signing requests 23creating SSH host keys 26
obtaining an SSH client 29server configuration 29v1 and v2 encryption algorithms 29
SSLauthentication through digital
certificates 9certificate signing requests 10
TTimeout setting for RADIUS 35
UUser accounts, types 2User Name, change immediately for
AN
DB
OO
Kev
ices
, AO
S v
.3.x
.x SSCP
enabled and configured with SSH 9, 28for encrypted file transfer 8for transferring host keys 27for transferring server certificates 22, 26using non-standard port 6
Secure CoPy. See SCP.Secure SHell. See SSH.Secure Sockets Layer. See SSLSecurity
authenticationthrough digital certificates with SSL 9through RADIUS 34with SSH and SCP 8
certificate-signing requests 10disabling less secure interfaces 8, 9encryption with SSH and SCP 8
Server certificatescreating to use with a Certificate Authcreating without a Certificate Authorit
Signing requests, creating 23SNMP
v1disabling 6READ access 6
v3authentication 7encryption 8
SSHconfiguring 28enabling 28encryption 8fingerprints, displaying and comparinhost key
as identifier that cannot be falsified 8creating with the Security Wizard 26transferring to the Management Card
41
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
42
APC Worldwide Customer SupportCustomer support for this or any other APC product is available at no charge in any of the following ways:
• Visit the APC Web site to access documents in the APC Knowledge Base and to submit customer support requests.– www.apc.com (Corporate Headquarters)
Connect to localized APC Web sites for specific countries, each of which provides customer support information.
– www.apc.com/support/Global support searching APC Knowledge Base and using e-support.
• Contact the APC Customer Support Center by telephone or e-mail.– Local, country-specific centers: go to www.apc.com/support/contact for contact
information.
For information on how to obtain local customer support, contact the APC representative or other distributors from whom you purchased your APC product.
SEC
UR
ITY
HA
ND
BO
OK
Net
wor
k-E
nabl
ed D
evic
es, A
OS
v.3
.x.x
43
Copyright
Entire contents copyright 2009 American Power Conversion Corporation. All rights reserved. Reproduction in whole or in part without permission is prohibited. APC, the APC logo, and InfraStruXure are trademarks of American Power Conversion Corporation. All other trademarks, product names, and corporate names are the property of their respective owners and are used for informational purposes only.
Cryptlib, the toolkit used to develop the library of cryptographic routines in the Network Management Card: copyright © 1998 Digital Data Security, Ltd., New Zealand.
990-2417D-001 1/2009