User Manual IDM V1.4.2 - Innominate Security Technologies AG

More documents

Recommendations

Info

2.8 Pre-configuration of the mGuards Enable SSH access Please follow the steps described in the device manual for starting up and configuring the device (IP addresses of the interfaces etc.). Installation The IDM installs the configuration files on the mGuards using SSH. Therefore SSH access has to be permitted on the mGuards if IDM is using the external (untrusted) interface to upload the configuration. Select Management » System settings » Shell access in the menu of the Web user interface and enable SSH remote access. For more detailed information on SSH remote access please consult the mGuard User’s Manual. If you enable remote SSH access, make sure that you change the default admin and root passwords to secure passwords. IDM is using the admin password to log into the Innominate mGuard. If the password was changed locally on the device please change the password setting in IDM accordingly using the Set Current Device Passwords option in the context menu of the device overview table. Otherwise IDM is not able to log into the device. The current root password is part of the configuration file. If the password was changed locally on the device please change the password setting in IDM accordingly. Otherwise the mGuard will reject the configuration. 2.9 Installation of an HTTPS configuration pull server To transmit information on the configuration status of an mGuard, the HTTPS pull server has to send SYSLOG messages to the IDM server (pull feedback). Please make sure that neither the communication between the HTTPS server and the IDM server nor the communication between the HTTPS pull server and the mGuards is blocked by a firewall or a NAT device. 2.10 Securing the communication between IDM components Since critical information is exchanged between the IDM components it is highly recommended to secure the communication paths. This chapter describes the required steps to manually create the keys and certificates required for SSL. If you prefer to use the demoCA scripts, instead of manually creating and installing the required components, you can skip this chapter and read Chapter 2.7.3 instead. If you are not familiar with OpenSSL it is highly recommended to read Chapter 7 first, which introduces some of the basic concepts and the usage of the OpenSSL command line tool. Figure 7 shows an overview over the IDM components and their communication paths. Please note that the truststore and the keystore of the CA shown in Figure 7 are used for SSL communication only. The certificates and keys used to issue certificates are stored in a different keystore. 34 of 122
Installation PostgreSQL DB PostgreSQL data directory DB key DB cert SSL server SSL client HTTPS client SSL client Keystore of the Truststore Truststore Keystore Truststore DB key Private key DB server IS cert DB cert IC key DB cert IS key IC cert IC cert IS cert IDM CA IDM server IC cert CA certificate (Important: This is not the root certificate of the CA.) IC key Private key of the CA (Important: This is not the key used to sign certificate requests.) IS cert IDM server certificate IS key Private key of the IDM server DB cert DB server certificate HTTPS server Figure 7: Communication paths between IDM components 2.10.1 Create the private key and the keystore for each component PostgreSQL It is recommended to create a working directory, e.g. named security in your IDM installation directory, where all the keys, certificates and keystores are located. The PostgreSQL database does not need a keystore, the key and the certificate are located in the filesystem. 1. First create a self-signed certificate (DB cert ) and an unencrypted private key (DB key ) for the database server as described in Chapter 7.1. Please do not encrypt DB key (see Chapter 7.1 for details). 2. The database server is looking for the certificate and the private key in the PostgreSQL data directory (i.e. the subdirectory of the PostgreSQL directory usually named pgdata), therefore copy the files server.crt (DB cert ) and server.key (DB key ) to this directory. 3. Edit the PostgreSQL configuration file postgresql.conf so that it contains the following line: ssl = on 4. Restart the PostgreSQL server. 35 of 122
Page 1 and 2: Innominate Device Manager User’s
Page 3 and 4: Tar library from Ant: Copyright ©
Page 5 and 6: 3.11.4 User authentication ........
Page 7 and 8: Installation 2 Installation 2.1 Sys
Page 9 and 10: Installation PostgreSQL can only b
Page 11 and 12: Installation left and by selecting
Page 13 and 14: Installation Chapter 2.5). Figure 6
Page 15 and 16: Installation Client installation Un
Page 17 and 18: Installation Key keyStorePassword P
Page 19 and 20: Installation Node service Node radi
Page 21 and 22: Installation Node CA Please refer t
Page 23 and 24: Installation AppParameters= e.g. Ap
Page 25 and 26: Installation instead of initializin
Page 27 and 28: Installation Running the scripts Us
Page 29 and 30: Installation • server.key These a
Page 31 and 32: Installation Key password The passw
Page 33: Installation 2.7.6 Starting the CA
Page 37 and 38: Installation Please store the key a
Page 39 and 40: 3 IDM client overview IDM client ov
Page 41 and 42: IDM client overview Status U • Lo
Page 43 and 44: IDM client overview • Firmware up
Page 45 and 46: IDM client overview Editing devices
Page 47 and 48: IDM client overview If a device is
Page 49 and 50: IDM client overview Filtering and s
Page 51 and 52: Status Name Comment IDM client over
Page 53 and 54: Status Name Members Version Comment
Page 55 and 56: 3.6.2 Editing device membership in
Page 57 and 58: Auto-scrolling IDM client overview
Page 59 and 60: IDM client overview Field Descripti
Page 61 and 62: IDM client overview NAT device in t
Page 63 and 64: e set to error. IDM client overview
Page 65 and 66: IDM client overview existing licens
Page 67 and 68: 3.11.2 Managing roles Assigning per
Page 69 and 70: IDM client overview Scheduling a fi
Page 71 and 72: Template, device, pool, and VPN gro
Page 73 and 74: Additional configuration in the tem
Page 81 and 82: None value type Template, device, p
Page 85 and 86:
Template, device, pool, and VPN gro
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
4.6.4 Connection certificates Impor
Page 93 and 94:
4.9 Rollback support 4.10 Redundanc
Page 95 and 96:
Working with templates The followin
Page 97 and 98:
6 Configuration history Configurati
Page 99 and 100:
entry was created. Configuration hi
Page 101 and 102:
Configuration history indicates tha
Page 103 and 104:
7 Creating and managing certificate
Page 105 and 106:
Creating and managing certificates
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Create a certificate template Creat
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Glossary Permissions The permission
show all

User Manual IDM V1.4.2 - Innominate Security Technologies AG

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?