User Manual IDM V1.4.2 - Innominate Security Technologies AG
User Manual IDM V1.4.2 - Innominate Security Technologies AG
User Manual IDM V1.4.2 - Innominate Security Technologies AG
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
2.8 Pre-configuration of the mGuards<br />
Enable SSH access<br />
Please follow the steps described in the device manual for starting up and<br />
configuring the device (IP addresses of the interfaces etc.).<br />
Installation<br />
The <strong>IDM</strong> installs the configuration files on the mGuards using SSH. Therefore<br />
SSH access has to be permitted on the mGuards if <strong>IDM</strong> is using the external<br />
(untrusted) interface to upload the configuration.<br />
Select Management » System settings » Shell access in the menu of the Web<br />
user interface and enable SSH remote access. For more detailed information on<br />
SSH remote access please consult the mGuard <strong>User</strong>’s <strong>Manual</strong>.<br />
If you enable remote SSH access, make sure that you change the default<br />
admin and root passwords to secure passwords.<br />
<strong>IDM</strong> is using the admin password to log into the <strong>Innominate</strong> mGuard. If<br />
the password was changed locally on the device please change the<br />
password setting in <strong>IDM</strong> accordingly using the Set Current Device<br />
Passwords option in the context menu of the device overview table.<br />
Otherwise <strong>IDM</strong> is not able to log into the device.<br />
The current root password is part of the configuration file. If the<br />
password was changed locally on the device please change the password<br />
setting in <strong>IDM</strong> accordingly. Otherwise the mGuard will reject the<br />
configuration.<br />
2.9 Installation of an HTTPS configuration pull server<br />
To transmit information on the configuration status of an mGuard, the HTTPS<br />
pull server has to send SYSLOG messages to the <strong>IDM</strong> server (pull feedback).<br />
Please make sure that neither the communication between the HTTPS server and<br />
the <strong>IDM</strong> server nor the communication between the HTTPS pull server and the<br />
mGuards is blocked by a firewall or a NAT device.<br />
2.10 Securing the communication between <strong>IDM</strong> components<br />
Since critical information is exchanged between the <strong>IDM</strong> components it is highly<br />
recommended to secure the communication paths. This chapter describes the<br />
required steps to manually create the keys and certificates required for SSL.<br />
If you prefer to use the demoCA scripts, instead of manually creating<br />
and installing the required components, you can skip this chapter and<br />
read Chapter 2.7.3 instead.<br />
If you are not familiar with OpenSSL it is highly recommended to read<br />
Chapter 7 first, which introduces some of the basic concepts and the usage of the<br />
OpenSSL command line tool.<br />
Figure 7 shows an overview over the <strong>IDM</strong> components and their communication<br />
paths.<br />
Please note that the truststore and the keystore of the CA shown in<br />
Figure 7 are used for SSL communication only. The certificates and<br />
keys used to issue certificates are stored in a different keystore.<br />
34 of 122