SECURITY HANDBOOK
Network-Enabled Devices, AOS v.3.x.x

Contents

Introduction
  Content and Purpose of This Guide
  User Management
Security
  Security Features
  Authentication
  Encryption
  Creating and Installing Digital Certificates
  Firewalls
Using the APC Security Wizard
  Overview
  Create a Root Certificate and Server Certificates
  Create a Server Certificate and Signing Request
  Create an SSH Host Key
RADIUS
  Supported RADIUS Functions and Servers
  Configure the Management Card or Device
  Configure the RADIUS Server
Web Interface Access and Security
Control Console Access and Security
  Secure SHell (SSH)
Index

Introduction

Content and Purpose of This Guide

This guide documents security features for firmware version 3.x.x for APC Network Management Cards and for devices with embedded components of APC Network Management Cards, which enable the devices to function remotely over the network.

This guide documents the following protocols and features, how to select which ones are appropriate for your situation, and how to set up and use them within an overall security system:
• SNMPv1 and SNMPv3
• Secure Sockets Layer (SSL)
• Telnet and Secure SHell (SSH)
• RADIUS

In addition, this guide documents how to use the APC Security Wizard to create the components required for the increased security available through SSL and SSH.

For information about the security features for a device running firmware version 5.x.x, see the Security Handbook provided on the APC Utility CD for that device.

User Management

Types of user accounts

A Network Management Card or network-enabled device has three basic levels of access:
• An Administrator can use all of the management menus available in the Web interface and control console. The default user name and password are both apc.
• A Device User can access the event log and data log (but cannot delete the contents of either log), and can use the device-related menus. The default user name is device, and the default password is apc.
• A Read-Only User can access the same menus as a Device User, but cannot change configurations, control devices, delete data, delete the content of logs, or use file transfer options. The default user name is readonly, and the default password is apc. A Read-Only User cannot log on through the control console.

Some APC devices have additional user accounts, e.g., outlet users for Switched Rack PDUs and an A/C Manager for some NetworkAIR devices. See the device's User's Guide for information on the additional account type.

Security

Security Features

Summary of access methods

Security Access: Serial control console
Available methods: Always enabled. Access is by user name and password.

Security Access: Remote control console
Available methods:
• User name and password
• Selectable server port
• Access protocols that can be enabled or disabled
• Secure SHell (SSH)
Description: With Telnet, the user name and password are transmitted as plain text. Enabling SSH disables Telnet and provides encrypted access to the control console to provide additional protection from attempts to intercept, forge, or alter data during transmission. For high security, use SSH.

Security Access: File transfer protocols
Available methods:
• User name and password
• Selectable server port
• FTP Server access and protocols that can be enabled or disabled
• Secure CoPy (SCP)
Description: With FTP, the user name and password are transmitted as plain text, and files are transferred without encryption. Using SCP encrypts the user name and password and the files being transferred, such as firmware updates, configuration files, log files, Secure Sockets Layer (SSL) certificates, and Secure SHell (SSH) host keys. If you choose SCP as your file transfer protocol, enable SSH and disable FTP.

Security Access: SNMPv1 and SNMPv3
Available methods (SNMPv1):
• Community Name
• Host Name
• NMS IP filters
• Agents that can be enabled or disabled
• Four access communities with read/write/disable capability
Available methods (SNMPv3):
• Four User Profiles
• Authentication through an authentication passphrase
• Encryption through a privacy passphrase
• MD5 authentication
• DES encryption algorithm
• NMS IP filters
Description: For SNMPv1 and SNMPv3, the host name restricts access to the Network Management System (NMS) at that location only, and the NMS IP filters allow access only to the NMSs specified by one of the IP address formats in the following examples:
• 159.215.12.1: Only the NMS at IP address 159.215.12.1.
• 159.215.12.255: Any NMS on the 159.215.12 segment.
• 159.215.255.255: Any NMS on the 159.215 segment.
• 159.255.255.255: Any NMS on the 159 segment.
• 0.0.0.0 or 255.255.255.255: Any NMS.
SNMPv3 has additional security features that include the following:
• An authentication passphrase to ensure that an NMS trying to access the Network Management Card or device is the NMS it claims to be.
• Encryption of data during transmission, with a privacy passphrase required for encrypting and decrypting.

Security Access: Web server
Available methods:
• User name and password
• Selectable server port
• Web interface access that can be enabled or disabled
• Secure Sockets Layer (SSL)
Description: In basic HTTP authentication mode, the user name and password are transmitted base-64 encoded (with no encryption). The Web protocol HyperText Transfer Protocol over Secure Sockets Layer (HTTPS) encrypts and decrypts page requests to the Web server and pages returned by the Web server to the user. SSL is available on Web browsers supported for use with the Management Card or network-enabled device and on most Web servers.

Security Access: RADIUS
Available methods:
• Centralized authentication of access rights
• A server secret shared between the RADIUS server and the Management Card or device
Description: RADIUS (Remote Authentication Dial-In User Service) is an authentication, authorization, and accounting service used to centrally administer remote access for each Management Card or device. (APC supports the authentication and authorization functions.)

Access priorities

The priority for access, beginning with the highest priority, is as follows:
• Local access to the control console from a computer with a direct serial connection to the Management Card or device
• Telnet or Secure SHell (SSH) access to the control console from a remote computer
• Web access, either directly or through the InfraStruXure Central server
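The NMS IP filter formats listed above for SNMPv1 and SNMPv3 can be checked mechanically; the following is an added example written for this handbook, not APC code, and it encodes only the rules the handbook states (a trailing run of 255 octets is a wildcard for that part of the address, and 0.0.0.0 or 255.255.255.255 admits any NMS). The function and variable names are the example's own.

```python
"""Model of the NMS IP filter address formats listed for SNMPv1 and SNMPv3 in
the access-methods summary. Added example, not APC code: it encodes only the
rules the handbook states (a trailing run of 255 octets is a wildcard for that
part of the address; 0.0.0.0 or 255.255.255.255 admits any NMS)."""
from ipaddress import IPv4Address

ANY_NMS = ("0.0.0.0", "255.255.255.255")


def _octets(address: str) -> tuple[int, ...]:
    """Parse and validate a dotted-quad string into four octets."""
    return tuple(int(o) for o in str(IPv4Address(address)).split("."))


def filter_prefix(nms_filter: str) -> tuple[int, ...]:
    """Return the fixed leading octets an NMS address must match.

    '159.215.12.1'    -> (159, 215, 12, 1)  only that host
    '159.215.12.255'  -> (159, 215, 12)     any NMS on the 159.215.12 segment
    '159.255.255.255' -> (159,)             any NMS on the 159 segment
    '0.0.0.0'         -> ()                 any NMS
    A 255 that is not followed only by 255s (e.g. 159.255.12.255) is not one
    of the handbook's formats and is rejected.
    """
    if nms_filter in ANY_NMS:
        return ()
    octets = _octets(nms_filter)
    fixed = []
    for i, octet in enumerate(octets):
        if octet == 255:
            if any(o != 255 for o in octets[i:]):
                raise ValueError(f"unsupported NMS filter format: {nms_filter}")
            break
        fixed.append(octet)
    return tuple(fixed)


def describe_filter(nms_filter: str) -> str:
    """Plain-language meaning of a filter, in the handbook's wording."""
    prefix = filter_prefix(nms_filter)
    if not prefix:
        return "Any NMS."
    if len(prefix) == 4:
        return f"Only the NMS at IP address {nms_filter}."
    return f"Any NMS on the {'.'.join(map(str, prefix))} segment."


def nms_allowed(nms_ip: str, nms_filters: list[str]) -> bool:
    """True if the NMS address matches at least one configured filter.

    The wider the wildcard, the more hosts can reach the agent, so a filter
    such as 159.255.255.255 admits every host in 159.x.x.x.
    """
    addr = _octets(nms_ip)
    prefixes = (filter_prefix(f) for f in nms_filters)
    return any(addr[:len(p)] == p for p in prefixes)
```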
Changing default user names and passwords immediately

After installation and initial configuration of the Network Management Card or network-enabled device, immediately change the user names and passwords from their defaults to unique user names and passwords to establish basic security.

Port assignments

If Telnet, the FTP server, SSH/SCP, or the Web server uses a non-standard port, a user must specify the port in the command line or Web address used to access the Management Card or device. A non-standard port number provides an additional level of security. The ports are initially set at the standard "well-known ports" for the protocols. To increase security, reset the ports to any unused port numbers from 5001 to 32768 for the FTP server and from 5000 to 32768 for the other protocols and servers. (The FTP server uses both the specified port and the port one number lower than the specified port.)

User names, passwords, and community names with SNMPv1

All user names, passwords, and community names for SNMPv1 are transferred over the network as plain text. A user who is capable of monitoring the network traffic can determine the user names and passwords required to log on to the accounts of the control console or Web interface of the Management Card or network-enabled device. If your network requires the higher security of the encryption-based options available for the control console and Web interface, disable SNMPv1 access or set its access to Read. (Read access allows you to receive status information and use SNMPv1 traps.)

To disable SNMPv1 access, on the Administration tab, select Network on the top menu bar and access under the SNMPv1 heading on the left navigation menu. Clear the Enable SNMPv1 access checkbox and click Apply.

To set SNMPv1 access to Read, on the Administration tab, select Network on the top menu bar and access control under the SNMPv1 heading on the left navigation menu. Then, for each configured Network Management System (NMS), click the community name and set the access type to Read.
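The port rules in "Port assignments" are easy to get wrong when several servers are moved at once, in particular the FTP server's use of the port one below the chosen one. This added example (not APC code) checks a proposed port plan against exactly the ranges and the FTP rule the handbook gives; the service names, the well-known port table and the client command syntax in access_address are the example's own assumptions.

```python
"""Checker for the non-standard port rules in 'Port assignments'. Added
example, not APC code. Rules as the handbook states them: the FTP server may
use 5001-32768 and also occupies the port one number lower than the one you
choose; Telnet, SSH/SCP and the Web server may use 5000-32768; and every
server needs an unused port. The well-known port numbers are the standard
IANA assignments (assumption: these are the "well-known ports" meant)."""

FTP_PORTS = range(5001, 32769)        # 5001..32768 inclusive
OTHER_PORTS = range(5000, 32769)      # 5000..32768 inclusive
WELL_KNOWN = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443}


def ports_occupied(service: str, port: int) -> set[int]:
    """Ports a service really takes: FTP uses its port and the one below it."""
    return {port, port - 1} if service == "ftp" else {port}


def check_port_plan(plan: dict[str, int]) -> list[str]:
    """Return the problems with a proposed port plan (an empty list means OK).

    plan maps a service name from WELL_KNOWN to the port chosen for it.
    Services are examined in the order given, so a collision is reported
    against the service listed later.
    """
    problems: list[str] = []
    occupied: dict[int, str] = {}
    for service, port in plan.items():
        if service not in WELL_KNOWN:
            problems.append(f"{service}: unknown service")
            continue
        allowed = FTP_PORTS if service == "ftp" else OTHER_PORTS
        if port == WELL_KNOWN[service]:
            problems.append(f"{service}: still on well-known port {port}, "
                            "no additional protection")
        elif port not in allowed:
            problems.append(f"{service}: port {port} is outside "
                            f"{allowed.start}-{allowed.stop - 1}")
        for p in sorted(ports_occupied(service, port)):
            if p in occupied:
                problems.append(f"{service}: port {p} is already used by "
                                f"{occupied[p]}")
            else:
                occupied[p] = service
    return problems


def access_address(host: str, service: str, port: int) -> str:
    """How a user must name a non-standard port when connecting (typical
    client syntax, constructed for illustration)."""
    if service in ("http", "https"):
        return f"{service}://{host}:{port}/"       # port goes in the Web address
    if service == "ssh":
        return f"ssh -p {port} {host}"
    return f"{service} {host} {port}"              # ftp / telnet host port
```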

Authentication

You can choose security features for the Network Management Card or network-enabled device that control access by providing basic authentication through user names, passwords, and IP addresses, without using encryption. These basic security features are sufficient for most environments in which sensitive data is not being transferred.

SNMP GETS, SETS, and Traps

For enhanced authentication when you use SNMP to monitor or configure the Management Card or network-enabled device, choose SNMPv3. The authentication passphrase used with SNMPv3 user profiles ensures that a Network Management System (NMS) attempting to communicate with the Management Card or device is the NMS it claims to be, that the message has not been changed during transmission, and that the message was not delayed, copied, and sent again later at an inappropriate time. SNMPv3 is disabled by default. The APC implementation of SNMPv3 uses the MD5 protocol for authentication.

Web interface and control console

To ensure that data and communication between the Management Card or network-enabled device and the client interfaces (the control console and the Web interface) cannot be intercepted, you can provide a greater level of security by using one or more of the following encryption-based methods:
• For the Web interface, use the Secure Sockets Layer (SSL) protocol.
• To encrypt user names and passwords for control console access, use the Secure SHell (SSH) protocol.
• To encrypt user names, passwords, and data for the secure transfer of files, use the Secure CoPy (SCP) protocol.

For more information on encryption-based security, see Encryption.

Encryption

SNMP GETS, SETS, and Traps

For encrypted communication when you use SNMP to monitor or configure the Management Card or network-enabled device, choose SNMPv3. The privacy passphrase used with SNMPv3 user profiles ensures the privacy of the data (by means of encryption, using the DES encryption algorithm) that an NMS sends to or receives from the Management Card or device.

Secure SHell (SSH) and Secure CoPy (SCP) for the control console

Secure SHell (SSH). SSH provides a secure mechanism to access computer consoles, or shells, remotely. The protocol authenticates the server (in this case, the Management Card or network-enabled device) and encrypts all transmissions between the SSH client and the server.
• SSH is an alternative to Telnet, which does not provide encryption.
• SSH protects the user name and password, which are the credentials for authentication, from being used by anyone intercepting network traffic.
• To authenticate the SSH server (the Management Card or network-enabled device) to the SSH client, SSH uses a host key unique to the SSH server. The host key is an identification that cannot be falsified, and it prevents an invalid server on the network from obtaining a user name and password by presenting itself as a valid server.
• The Management Card or device supports version 1 of SSH, which provides faster log-on, and version 2 of SSH, which provides improved protection from attempts to intercept, forge, or change data during data transmission.
• When you enable SSH, Telnet is automatically disabled.
• The interface, user accounts, and user access rights are the same whether you access the control console through SSH or Telnet.

For information on supported SSH client applications, see Telnet and Secure SHell (SSH). To create a host key, see Create an SSH Host Key.
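The three guarantees the Authentication section attributes to the SNMPv3 authentication passphrase (the NMS is who it claims to be, the message is unchanged, and it is not a delayed or replayed copy) come from the User-based Security Model of RFC 3414, which the MD5 authentication named above belongs to. This added example, not APC code, walks through that mechanism on the sender and receiver sides; the handbook says only that the device uses MD5 for SNMPv3 authentication, so which RFC 3414 details it implements (for example engineBoots handling, omitted here) is an assumption, and the function names are the example's own.

```python
"""SNMPv3 User-based Security Model authentication with MD5, as specified in
RFC 3414, to show what the authentication passphrase buys: the passphrase is
never sent, the key is bound to one SNMP engine, and an altered, replayed or
badly delayed message is rejected. Added example, not APC code; the handbook
states that the device uses MD5 for SNMPv3 authentication but not which
RFC 3414 details it implements, so engineBoots handling is omitted here."""
import hashlib
import hmac

TAG_LEN = 12          # HMAC-MD5-96 keeps the first 96 bits of the MAC
TIME_WINDOW = 150     # seconds of clock difference RFC 3414 tolerates


def password_to_key(passphrase: str) -> bytes:
    """RFC 3414 A.2.1: stretch the passphrase to 1 MiB, then MD5 it (Ku)."""
    pw = passphrase.encode()
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.md5(stretched).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Bind the key to one engine: Kul = MD5(Ku || snmpEngineID || Ku).

    The same passphrase therefore yields a different key on every device,
    so a key recovered from one agent is useless against another."""
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_key(passphrase: str, engine_id: bytes) -> bytes:
    return localize_key(password_to_key(passphrase), engine_id)


def _tag(kul: bytes, body: bytes) -> bytes:
    return hmac.new(kul, body, hashlib.md5).digest()[:TAG_LEN]


def protect(kul: bytes, engine_id: bytes, engine_time: int, pdu: bytes):
    """Sender: authenticate the engine ID, the engine time and the PDU
    together so that none of them can be changed without breaking the tag."""
    body = engine_id + engine_time.to_bytes(4, "big") + pdu
    return body, _tag(kul, body)


def check(kul: bytes, engine_id: bytes, local_time: int,
          body: bytes, tag: bytes) -> str:
    """Receiver: returns 'authentic' or the reason the message is rejected."""
    if not hmac.compare_digest(_tag(kul, body), tag):
        return "rejected: wrong passphrase or altered message"
    start = len(engine_id)
    msg_time = int.from_bytes(body[start:start + 4], "big")
    if abs(local_time - msg_time) > TIME_WINDOW:
        return "rejected: outside the time window (delayed or replayed)"
    return "authentic"
```

The first two assertions in the test use the RFC 3414 Appendix A.3.1 sample values for the passphrase "maplesyrup" and engine ID 000000000000000000000002.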
Secure CoPy (SCP). SCP is a secure file transfer application that you can use instead of FTP. SCP uses the SSH protocol as the underlying transport protocol for encryption of user names, passwords, and files.
• When you enable and configure SSH, you automatically enable and configure SCP. No further configuration of SCP is needed.
• You must explicitly disable FTP. It is not disabled by enabling SSH. To disable FTP, on the Administration tab, select Network on the top menu bar and FTP Server on the side menu bar. Clear the Enable checkbox and click Apply.

Secure Sockets Layer (SSL) for the Web Interface

For secure Web communication, enable Secure Sockets Layer (SSL) by selecting HTTPS as the protocol mode to use for access to the Web interface of the Management Card or network-enabled device. HyperText Transfer Protocol over Secure Sockets Layer (HTTPS) is a Web protocol that encrypts and decrypts page requests from the user and pages that are returned by the Web server to the user.

The Management Card or network-enabled device supports SSL version 3.0 and the associated Transport Layer Security (TLS) version 1.0. Most browsers let you select the version of SSL to enable. When SSL is enabled, your browser displays a small lock icon.

SSL uses a digital certificate to enable the browser to authenticate the server (in this case, the Management Card or device). The browser verifies the following:
• The format of the server certificate is correct.
• The server certificate's expiration date and time have not passed.
• The DNS name or IP address specified when a user logs on matches the common name in the server certificate.
• The server certificate is signed by a trusted certifying authority.

Each major browser manufacturer distributes CA root certificates of the commercial Certificate Authorities in the certificate store (cache) of its browser so that it can compare the signature on the server certificate to the signature on a CA root certificate.

You can use the APC Security Wizard to create a certificate-signing request to an external Certificate Authority. If you do not want to use an existing Certificate Authority, you can create an APC root certificate to upload to a browser's certificate store (cache). You can also use the Wizard to create a server certificate to upload to the Management Card or device. The APC Security Wizard is provided on the Utility CD.

See Creating and Installing Digital Certificates for a summary of how these certificates are used. To create certificates and certificate requests, see Create a Root Certificate and Server Certificates and Create a Server Certificate and Signing Request.

SSL also uses various algorithms and encryption ciphers to authenticate the server, encrypt data, and ensure the integrity of the data, i.e., that it has not been intercepted and sent by another server. See Web Interface Access and Security for the procedure to configure SSL, including the selection of authentication and encryption algorithms.

Web pages that you have recently accessed are saved in your Web browser's cache and allow you to return to those pages without re-entering your user name and password. Always close your browser session before you leave your computer unattended.

Creating and Installing Digital Certificates

Purpose

Choosing a method for your system. For network communication that requires a higher level of security than password encryption, the Web interface of the Network Management Card or network-enabled device supports the use of digital certificates with the Secure Sockets Layer (SSL) protocol. Digital certificates can authenticate the Management Card or device (the server) to the Web browser (the SSL client).

Using the Secure Sockets Layer (SSL) protocol, you can choose any of the following methods for using digital certificates. The sections that follow summarize the three methods of creating, implementing, and using digital certificates to help you determine the most appropriate method for your system.
• Method 1: Use the default certificate auto-generated by the Network Management Card or network-enabled device.
• Method 2: Use the APC Security Wizard to create a CA certificate and a server certificate.
• Method 3: Use the APC Security Wizard to create a certificate-signing request to be signed by the root certificate of an external Certificate Authority and to create a server certificate.

You can also use Method 3 if your company or agency operates its own Certificate Authority. Use the APC Security Wizard in the same way, but use your own Certificate Authority in place of a commercial Certificate Authority.
Method 1: Use the default certificate auto-generated by the Network Management Card or network-enabled device.

When you enable SSL, you must reboot the Management Card or device. During rebooting, if no server certificate exists, the Management Card or device generates a default server certificate that is self-signed but that you cannot configure.

Method 1 has the following advantages and disadvantages:
• Advantages:
  – Before they are transmitted, the user name, password, and all data to and from the Management Card or device are encrypted.
  – You can use this default server certificate to provide encryption-based security while you are setting up either of the other two digital certificate options, or you can continue to use it for the benefits of encryption that SSL provides.
• Disadvantages:
  – The Management Card or device takes up to 5 minutes to create this certificate, and the Web interface is not available during that time. (This delay occurs the first time you log on after you enable SSL.)
  – This method does not include the authentication provided by a CA certificate (a certificate signed by a Certificate Authority) that Methods 2 and 3 provide. There is no CA Certificate cached in the browser. Therefore, when you log on to the Management Card or device, the browser generates a security alert, indicating that a certificate signed by a trusted authority is not available, and asks if you want to proceed. To avoid this message, you must install the default server certificate into the certificate store (cache) of the browser of each user who needs access to the Management Card or device, and each user must always use the fully qualified domain name of the server when logging on to the Management Card or device.
  – The default server certificate has the serial number of the Management Card or device in place of a valid common name (the DNS name or the IP address of the Management Card or device). Therefore, although the Management Card or device can control access to its Web interface by user name, password, and account type (e.g., Administrator, Device User, or Read-Only User), the browser cannot authenticate which Management Card or device is sending or receiving data.
  – The length of the public key (RSA key) that is used for encryption when setting up an SSL session is only 768 bits. (The public key used in Methods 2 and 3 is 1024 bits, providing more complex encryption and a higher level of security.)

Method 2: Use the APC Security Wizard to create a CA certificate and a server certificate.

Use the APC Security Wizard to create two digital certificates:
• A CA root certificate (Certificate Authority root certificate) that the APC Security Wizard uses to sign all server certificates and which you then install into the certificate store (cache) of the browser of each user who needs access to the Management Card or device.
• A server certificate that you upload to the Management Card or device. When the APC Security Wizard creates a server certificate, it uses the CA root certificate to sign the server certificate.

The Web browser authenticates the Management Card or device sending or requesting data:
• To identify the Management Card or device, the browser uses the common name (IP address or DNS name of the Management Card or device) that was specified in the server certificate's distinguished name when the certificate was created.
• To confirm that the server certificate is signed by a "trusted" signing authority, the browser compares the signature of the server certificate with the signature in the root certificate cached in the browser. An expiration date confirms whether the server certificate is current.

Method 2 has the following advantages and disadvantages.
• Advantages:
  – Before they are transmitted, the user name, password, and all data to and from the Management Card or device are encrypted.
  – The length of the public key (RSA key) that is used for encryption when setting up an SSL session is 1024 bits, providing more complex encryption and consequently a higher level of security than the public key used in Method 1. (This longer encryption key is also used in Method 3.)
  – The server certificate that you upload to the Management Card or device enables SSL to authenticate that data is being received from and sent to the correct Management Card or device. This provides an extra level of security beyond the encryption of the user name, password, and transmitted data.
  – The root certificate that you install to the browser enables the browser to authenticate the server certificate of the Management Card or device to provide additional protection from unauthorized access.
• Disadvantage:
  – Because the certificates do not have the digital signature of a commercial Certificate Authority, you must load a root certificate individually into the certificate store (cache) of each user's browser. (Browser manufacturers already provide root certificates for commercial Certificate Authorities in the certificate store within the browser, as described in Method 3.)

Method 3: Use the APC Security Wizard to create a certificate-signing request to be signed by the root certificate of an external Certificate Authority and to create a server certificate.

You can also use Method 3 if your company or agency operates its own Certificate Authority. Use the APC Security Wizard in the same way, but use your own Certificate Authority in place of a commercial Certificate Authority.
• Use the APC Security Wizard to create a request (a .csr file) that includes the information to send to a Certificate Authority. The Certificate Authority returns a signed certificate (a .crt file) based on information you submitted in your request. You then use the APC Security Wizard to create a server certificate (a .p15 file) that includes the signature from the root certificate returned by the Certificate Authority.
• Upload the server certificate to the Management Card or device.

Method 3 has the following advantages and disadvantages.
• Advantages:
  – Before they are transmitted, the user name, password, and all data to and from the Management Card or device are encrypted.
  – You have the benefit of authentication by a Certificate Authority that already has a signed root certificate in the cache of the browser. (The CA certificates of commercial Certificate Authorities are distributed as part of the browser software, and a Certificate Authority of your own company or agency has probably already loaded its CA certificate to the browser store of each user's browser.) Therefore, you do not have to upload a root certificate to the browser of each user who needs access to the Management Card or device.
  – The length of the public key (RSA key) that is used for setting up an SSL session is 1024 bits, providing more complex encryption and a higher level of security than the public key used in Method 1. (This longer encryption key is also used in Method 2.)
  – The server certificate that you upload to the Management Card or device enables SSL to authenticate that data are being received from and sent to the correct Management Card or device. This provides an extra level of security beyond the encryption of the user name, password, and transmitted data.
  – The browser matches the digital signature on the server certificate that you uploaded to the Management Card or device with the signature on the CA root certificate that is already in the browser's certificate cache to provide additional protection from unauthorized access.
• Disadvantages:
  – Setup requires the extra step of requesting a signed root certificate from a Certificate Authority.
  – An external Certificate Authority may charge a fee for providing signed certificates.

Firewalls

Although some methods of authentication provide a higher level of security than others, complete protection from security breaches is almost impossible to achieve. Well-configured firewalls are an essential element in an overall security scheme.

Using the APC Security Wizard

Overview

The APC Security Wizard creates components needed for high security for a Network Management Card or network-enabled device on the network when you are using Secure Sockets Layer (SSL) and related protocols and encryption routines.

The Security Wizard can create security components for Management Cards or devices running firmware version 5.x.x or firmware version 3.x.x. For information about using the Security Wizard with a Management Card or device running firmware version 5.x.x, see the Security Handbook provided on the Utility CD for that device.

Authentication

Authentication verifies the identity of a user or a network device (such as an APC Network Management Card or network-enabled device). Passwords typically identify computer users. However, for transactions or communications requiring more stringent security methods on the Internet, the Management Card or device supports more secure methods of authentication.
• Secure Sockets Layer (SSL), used for secure Web access, uses digital certificates for authentication. A digital certificate is issued by a Certificate Authority (CA) as part of a public key infrastructure, and its digital signature must match the digital signature on a server certificate on the Management Card or device.
• Secure SHell (SSH), used for remote terminal access to the control console of the Management Card or device, uses a public host key for authentication.

How certificates are used. Most Web browsers, including all browsers supported by APC Network Management Cards or network-enabled devices, contain a set of CA root certificates from all of the commercial Certificate Authorities.

Authentication of the server (in this case, the Management Card or device) occurs each time a connection is made from the browser to the server. The browser checks to be sure that the server's certificate is signed by a Certificate Authority known to the browser. For authentication to occur:
• Each server (Network Management Card or device) with SSL enabled must have a server certificate on the server itself.
• Any browser that is used to access the Web interface of the Management Card or device must contain the CA root certificate that signed the server certificate.

If authentication fails, a browser message asks you whether to continue even though it cannot authenticate the server.

If your network does not require the authentication provided by digital certificates, you can use the default certificate that the Management Card or device generates automatically. The default certificate's digital signature will not be recognized by browsers, but a default certificate enables you to use SSL for the encryption of transmitted user names, passwords, and data. (If you use the default certificate, the browser prompts you to agree to unauthenticated access before it logs you on to the Web interface of the Management Card or device.)

How SSH host keys are used. An SSH host key authenticates the identity of the server (the Management Card or device) each time an SSH client contacts that server. Each server with SSH enabled must have an SSH host key on the server itself.

Files you create for SSL and SSH security

Use the APC Security Wizard to create these components of an SSL and SSH security system:
• The server certificate for the Network Management Card or network-enabled device, if you want the benefits of authentication that such a certificate provides. You can create either of the following types of server certificate:
  – A server certificate signed by a custom CA root certificate also created with the APC Security Wizard. Use this method if your company or agency does not have its own Certificate Authority and you do not want to use an external Certificate Authority to sign the server certificate.
  – A server certificate signed by an external Certificate Authority. This Certificate Authority can be one that is managed by your own company or agency or can be one of the commercial Certificate Authorities whose CA root certificates are distributed as part of a browser's software.
• A certificate signing request containing all the information required for a server certificate except the digital signature. You need this request if you are using an external Certificate Authority.
• A CA root certificate.
• An SSH host key that your SSH client program uses to authenticate the Management Card or device when you log on to the control console interface.

Only APC server management and key management products can use server certificates, host keys, and CA root certificates created by the APC Security Wizard. These files will not work with products such as OpenSSL® and Microsoft® Internet Information Services (IIS).

RSA keys

You must define an RSA key size of 1024 bits for all public keys for SSL certificates and all host keys for SSH that are created with the APC Security Wizard. Management Cards and devices running AOS firmware version 3.x.x cannot generate 2048-bit keys. If you do not create and use SSL server certificates and SSH host keys with the APC Security Wizard, the Management Card or device generates 768-bit RSA keys.

Create a Root Certificate and Server Certificates

Summary
Use this procedure if your company or agency does not have its own Certificate Authority and you do not want to use a commercial Certificate Authority to sign your server certificates.
• Create a CA root certificate that will sign all server certificates to be used with Network Management Cards or network-enabled devices. During this task, two files are created:
– The file with the .p15 suffix is an encrypted file that contains the Certificate Authority's private key and public root certificate. This file signs server certificates.
– The file with the .crt suffix contains only the Certificate Authority's public root certificate. Load this file into each Web browser that will be used to access the Management Card or device so that the browser can validate the server certificate of that Management Card or device.
• Create a server certificate, which is stored in a file with a .p15 suffix. During this task, you are prompted for the CA root certificate that signs the server certificate.
• Load the server certificate onto the Management Card or device.
• For each Management Card or device that requires a server certificate, repeat the tasks that create and load the server certificate.
You must define the size of the public RSA key that is part of a certificate generated by the APC Security Wizard as 1024 bits. Devices running firmware version 3.x.x cannot generate 2048-bit keys. The default key generated by the Network Management Card or network-enabled device, if you do not use the Wizard, is 768 bits.

The procedure

Create the CA root certificate.
1. If the APC Security Wizard is not already installed on your computer, run the installation program (APC Security Wizard.exe) by clicking the link Install the APC Security Wizard in the interface of the Utility CD for the Management Card or device.
2. On the Windows Start menu, select Programs, then APC Security Wizard.
3. On the screen labeled Step 1, select CA Root Certificate as the type of file to create, and then select the length of the key to generate (use 1024 bits, which is the default setting).
4. Enter a name for this file, which will contain the Certificate Authority's public root certificate and private key. The file must have a .p15 suffix and, by default, will be created in the installation folder C:\Program Files\American Power Conversion\APC Security Wizard.
5. On the screen labeled Step 2, provide the information to configure the CA root certificate. The Country and Common Name fields are the only required fields. For the Common Name field, enter an identifying name of your company or agency. Use only alphanumeric characters, with no spaces.
   By default, a CA root certificate is valid for 10 years from the current date and time, but you can edit the Validity Period Start and Validity Period End fields.
6. On the next screen, review the summary of the certificate. Scroll downward to view the certificate's unique serial number and fingerprints. To make any changes to the information you provided, click Back, and revise the information.
   The certificate's subject information and the certificate's issuer information should be identical.
7. The last screen verifies that the certificate was created and displays information you need for the next tasks:
• The location and name of the .p15 file that you will use to sign the server certificates.
• The location and name of the .crt file, which is the CA root certificate to load into the browser of each user who needs to access the Management Card or device.

Load the CA root certificate to your browser.
Load the .crt file to the browser of each user who needs to access the Management Card or device. See the help system of the browser for information on how to load the .crt file into the browser's certificate store (cache). Following is a summary of the procedure for Microsoft Internet Explorer.
1. Select Tools, then Internet Options from the menu bar.
2. In the dialog box, on the Content tab click Certificates and then Import.
3. The Certificate Import Wizard guides you through the rest of the procedure. The file type to select is X.509, and the CA Public Root Certificate is the .crt file created in the procedure Create a Root Certificate and Server Certificates.

Create an SSL Server User Certificate.
1. On the Windows Start menu, select Programs, then APC Security Wizard.
2. On the screen labeled Step 1, select SSL Server Certificate as the type of file, and then select the length of the key to generate (use 1024 bits, which is the default setting).
3. Enter a name for this file, which will contain the server certificate and the private key. The file must have a .p15 suffix and, by default, will be created in the folder C:\Program Files\American Power Conversion\APC Security Wizard.
4. Click Browse, and select the CA root certificate created in the procedure Create a Root Certificate and Server Certificates. The CA Root Certificate is used to sign the Server User Certificate being generated.
5. On the screen labeled Step 2, provide the information to configure the server certificate. The Country and Common Name fields are the only required fields. For the Common Name field, enter the IP address or DNS name of the server (the Management Card or device). By default, a server certificate is valid for 10 years, but you can edit the Validity Period Start and Validity Period End fields.
   Because the configuration information is part of the signature, the configuration of a server certificate must be unique. The configuration of a server certificate cannot be the same as the configuration of the CA root certificate. (The expiration date is not considered part of the unique configuration. Some other configuration information must also differ.)
6. On the next screen, review the summary of the certificate. Scroll downward to view the certificate's unique serial number and fingerprints. To make any changes to the information you provided, click Back, and revise the information.
7. The last screen verifies that the certificate has been created and instructs you on the next task, to load the server certificate to the Network Management Card or network-enabled device. It displays the location and name of the Server Certificate, which has a .p15 file suffix and contains the private key and public root certificate of the Management Card or device.

Load the server certificate to the Management Card or device.
1. On the Administration tab, select Network on the top menu bar and ssl under the Web heading on the left navigation menu.
2. Select Add or Replace Certificate File, and browse to the server certificate, the .p15 file you created in the procedure Create a Root Certificate and Server Certificates. (The default location is C:\Program Files\American Power Conversion\APC Security Wizard.)
Alternatively, you can use FTP or Secure CoPy (SCP) to transfer the server certificate to the Management Card or device. If you use FTP or SCP for the transfer, you must specify the correct location, \sec, on the Management Card or device. For SCP, the command to transfer a certificate named cert.p15 to a Management Card or device with an IP address of 156.205.6.185 would be:
scp cert.p15 apc@156.205.6.185:\sec\cert.p15

Create a Server Certificate and Signing Request

Summary
Use this procedure if your company or agency has its own Certificate Authority or if you plan to use a commercial Certificate Authority to sign your server certificates.
• Create a Certificate Signing Request (CSR). The CSR contains all the information for a server certificate except the digital signature. This process creates two output files:
– The file with the .p15 suffix contains the private key of the Network Management Card or network-enabled device.
– The file with the .csr suffix contains the certificate signing request, which you send to an external Certificate Authority.
• When you receive the signed certificate from the Certificate Authority, import that certificate. Importing the certificate combines the .p15 file containing the private key and the file containing the signed certificate from the external Certificate Authority. The output file is a new encrypted server certificate file with a .p15 suffix.
• Load the server certificate onto the Management Card or device.
• For each Management Card or device that requires a server certificate, repeat the tasks that create and load the server certificate.

The procedure

Create the Certificate Signing Request (CSR).
1. If the APC Security Wizard is not already installed on your computer, run the installation program (APC Security Wizard.exe) by clicking the link Install the APC Security Wizard in the interface of the Utility CD for the Management Card or device.
2. On the Windows Start menu, select Programs, then APC Security Wizard.
3. On the screen labeled Step 1, select Certificate Request as the type of file to create, and then select the length of the key to generate (use 1024 bits, which is the default setting).
4. Enter a name for this file, which will contain the private key of the Management Card or device. The file must have a .p15 suffix and, by default, will be created in the installation folder C:\Program Files\American Power Conversion\APC Security Wizard.
5. On the screen labeled Step 2, provide the information to configure the certificate signing request (CSR), i.e., the information that you want the signed server certificate to contain. The Country and Common Name fields are required. Other fields are optional. For the Common Name field, enter the IP Address or DNS name of the Management Card or device.
   By default, a server certificate is valid for 10 years from the current date and time, but you can edit the Validity Period Start and Validity Period End fields.
   The certificate's subject information and the certificate's issuer information should be identical.
6. On the next screen, review the summary of the certificate. Scroll downward to view the certificate's unique serial number and fingerprints. To make any changes to the information you provided, click Back, and revise the information.
7. The last screen verifies that the certificate signing request was created and displays the location and name of the file, which has a .csr extension.
8. Send the certificate signing request to an external Certificate Authority, either a commercial Certificate Authority or, if applicable, a Certificate Authority managed by your own company or agency.
   See the instructions provided by the Certificate Authority regarding the signing and issuing of server certificates.

Import the signed certificate.
When the external Certificate Authority returns the signed certificate, import the certificate. This procedure combines the signed certificate and the private key into an SSL server certificate that you then upload to the Network Management Card or network-enabled device.
1. On the Windows Start menu, select Programs, then APC Security Wizard.
2. On the screen labeled Step 1, select Import Signed Certificate.
3. Browse to and select the signed server certificate that you received from the external Certificate Authority. The file has a .cer or .crt suffix.
4. Browse to and select the file you created in step 4 of the task Create the Certificate Signing Request (CSR). This file has a .p15 extension, contains the private key of the Management Card or device, and, by default, is in the installation folder C:\Program Files\American Power Conversion\APC Security Wizard.
5. Specify a name for the output file that will be the signed server certificate that you upload to the Management Card or device. The file must have a .p15 suffix.
6. Click Next to generate the server certificate. Issuer Information on the summary screen confirms that the external Certificate Authority signed the certificate.
7. The last screen verifies that the certificate has been created and instructs you on the next task, to load the server certificate to the Management Card or device. It displays the location and name of the server certificate, which has a .p15 extension and contains the private key of the Management Card or device and the public key obtained from the .cer or .crt file.

Load the server certificate to the Management Card or device.
1. On the Administration tab, select Network on the top menu bar and ssl under the Web heading on the left navigation menu.
2. Select Add or Replace Certificate File, and browse to the server certificate, the .p15 file you created in the procedure Create a Root Certificate and Server Certificates. (The default location is C:\Program Files\American Power Conversion\APC Security Wizard.)
Alternatively, you can use FTP or Secure CoPy (SCP) to transfer the server certificate to the Management Card or device. If you use FTP or SCP for the transfer, you must specify the location, \sec, on the Management Card or device. For SCP, the command to transfer a certificate named cert.p15 to a Management Card or device with an IP address of 156.205.6.185 would be:
scp cert.p15 apc@156.205.6.185:\sec\cert.p15

Create an SSH Host Key

Summary
This procedure is optional. If you select SSH encryption, but do not create a host key, the Network Management Card or network-enabled device generates a 768-bit RSA key when it reboots. You must define a key size of 1024 bits for SSH host keys that are created with the APC Security Wizard.
• Use the APC Security Wizard to create a host key, which is encrypted and stored in a file with the .p15 suffix.
• Load the host key onto the Management Card or device.

The procedure

Create the host key.
1. If the APC Security Wizard is not already installed on your computer, run the installation program (APC Security Wizard.exe) by clicking the link Install the APC Security Wizard in the interface of the Utility CD for the Management Card or device.
2. On the Windows Start menu, select Programs, then APC Security Wizard.
3. On the Step 1 screen, select SSH Server Host Key as the type of file to create, and then select the length of the key to generate (use 1024 bits, which is the default setting).
4. Enter a name for this file, which will contain the host key. The file must have a .p15 suffix. By default, the file will be created in the installation folder C:\Program Files\American Power Conversion\APC Security Wizard.
5. Click Next to generate the host key.
6. The summary screen displays the SSH version 1 and version 2 fingerprints, which are unique for each host key and identify the host key. After you load the host key onto the Management Card or device, you can verify that the correct host key was uploaded by verifying that the fingerprints displayed here match the SSH fingerprints on the Management Card or device, as displayed by your SSH client program.
7. The last screen verifies that the host key was created, instructs you to load the host key to the Management Card or device, and displays the location and name of the host key, which has a .p15 suffix.

Load the host key to the Management Card or device.
1. On the Administration tab, select Network on the top menu bar, and ssh host key under the Console heading on the left navigation menu.
2. Select Add or Replace Host Key, and browse to the host key, the .p15 file you created in the procedure Create the host key. (The default location is C:\Program Files\American Power Conversion\APC Security Wizard.)
3. At the bottom of the User Host Key page, note the fingerprint for the version (or versions) of SSH you are using. Then log on to the Management Card or device through your SSH client program, and verify that the correct host key was uploaded by verifying that these fingerprints match the fingerprints that the client program displays.
Alternatively, you can use FTP or Secure CoPy (SCP) to transfer the host key file to the Management Card or device. If you use FTP or SCP for the transfer, you must specify the location, \sec, on the Management Card or device. For SCP, the following command would transfer a host key named hostkey.p15 to a Management Card or device with an IP address of 156.205.6.185:
scp hostkey.p15 apc@156.205.6.185:\sec\hostkey.p15
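The fingerprint comparison in step 6 of Create the host key and step 3 above can be reproduced offline. The following Python example is added here and is not part of the handbook or of the APC Security Wizard: it builds the SSH version 2 public-key encoding for a constructed RSA key, derives the colon-separated MD5 fingerprints that SSH clients display, and compares a recorded fingerprint with a displayed one. The exponent, the placeholder modulus and the SSH version 1 byte layout are assumptions, labelled in the code.

```python
"""SSH host key fingerprints as shown by the Security Wizard summary screen and by SSH clients.

Added example, not from the APC Security Handbook or the APC Security Wizard.
The RSA key material below is a constructed placeholder, not a real key.
"""
import hashlib
import hmac
import struct

# Constructed public key material: exponent 65537 and a 128-byte placeholder modulus
# (not a product of two primes; only its byte layout matters for the fingerprint).
CONSTRUCTED_EXPONENT = 65537
CONSTRUCTED_MODULUS = int.from_bytes(bytes(range(1, 129)), "big") | 1


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251): 4-byte length, then big-endian bytes."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # a leading zero keeps the two's-complement value positive
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _string(data: bytes) -> bytes:
    """Encode bytes as an SSH string: 4-byte length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """SSH version 2 wire encoding of an RSA public key: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_ssh_rsa_blob(blob: bytes):
    """Inverse of ssh_rsa_blob; raises ValueError on anything that is not a single ssh-rsa blob."""
    fields, offset = [], 0
    for _ in range(3):
        if offset + 4 > len(blob):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    if fields[0] != b"ssh-rsa" or offset != len(blob):
        raise ValueError("not a well-formed ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def ssh1_key_bytes(e: int, n: int) -> bytes:
    """Bytes an SSH version 1 fingerprint is taken over: raw big-endian n followed by raw big-endian e.
    Assumption (OpenSSH's RSA1 handling as the author understands it), not stated in the handbook."""
    return (n.to_bytes((n.bit_length() + 7) // 8, "big")
            + e.to_bytes((e.bit_length() + 7) // 8, "big"))


def colon_fingerprint(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest punctuated by colons, the form in which the Wizard and SSH clients show fingerprints."""
    digest = hashlib.new(algorithm, data).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def host_key_fingerprints(e: int, n: int) -> dict:
    """The version 1 and version 2 MD5 fingerprints the Wizard summary screen shows for one host key."""
    return {"ssh1_md5": colon_fingerprint(ssh1_key_bytes(e, n)),
            "ssh2_md5": colon_fingerprint(ssh_rsa_blob(e, n))}


def normalize(fingerprint: str) -> str:
    """Drop a leading 'MD5:' label, whitespace and letter case so differently formatted displays compare."""
    text = fingerprint.strip()
    if text[:4].upper() == "MD5:":
        text = text[4:]
    return "".join(text.split()).lower()


def fingerprint_matches(recorded: str, displayed: str) -> bool:
    """Compare the fingerprint recorded from the Wizard or Web interface with the one the client shows.
    A mismatch means the client is not talking to the key you loaded (for example, the card fell back
    to a generated 768-bit key because the uploaded file was invalid), so the logon should not proceed."""
    return hmac.compare_digest(normalize(recorded).encode(), normalize(displayed).encode())


if __name__ == "__main__":
    for version, fp in host_key_fingerprints(CONSTRUCTED_EXPONENT, CONSTRUCTED_MODULUS).items():
        print(version, fp)
```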

Control Console Access and Security

Telnet and Secure SHell (SSH)

Introduction
Telnet for basic access. Telnet provides the basic security of authentication by user name and password, but not the high-security benefits of encryption.
SSH for high-security access. If you use the high security of SSL for the Web interface, use Secure SHell (SSH) for access to the control console. SSH encrypts user names, passwords, and transmitted data.
The interface, user accounts, and user access rights are the same whether you access the control console through SSH or Telnet, but to use SSH, you must first configure SSH and have an SSH client program installed on your computer.
You can access the control console through Telnet or Secure SHell (SSH), depending on which is enabled. (An Administrator can enable these access methods by selecting the Administration tab, then Network on the top menu bar and access under the Console heading on the left navigation menu.) By default, Telnet is enabled. Enabling SSH automatically disables Telnet.
While SSH is enabled, you cannot use Telnet to access the control console. Enabling SSH enables SCP automatically.
Do not enable both versions of SSH unless you require that both be activated at the same time. (Security protocols use extensive processing power.)
When SSH is enabled and its port and encryption ciphers are configured, no further configuration is required to use Secure CoPy (SCP). SCP uses the same configuration as SSH.
NOTE: To use SSH, you must have an SSH client installed. Most Linux and other UNIX® platforms include an SSH client, but Microsoft Windows® operating systems do not. SSH clients are available from various vendors.

To configure the options for Telnet and Secure SHell (SSH):
1. On the Administration tab of the Web interface, select Network on the top menu bar, and select access under the Console heading on the left navigation menu.
2. Configure the port settings for Telnet and SSH.
   NOTE: For information on the extra security a non-standard port provides, see Port assignments.
3. Under ssh encryption on the left navigation menu, select one or more data encryption algorithms for SSH version 1, SSH version 2, or both.

Option / Description
SSH v1: Enables or disables SSH v1 and displays the status (always enabled) of DES encryption. Two encryption algorithms (block ciphers) are compatible with version 1 SSH clients:
• DES (enabled by default): You cannot disable this algorithm.
• Blowfish (enabled by default)
NOTE: Not all SSH clients can use every algorithm. If your SSH client cannot use Blowfish, you must also enable an algorithm that it can use.
SSH v2: Enables or disables the following encryption algorithms (block ciphers) that are compatible with version 2 SSH clients:
• 3DES (enabled by default)
• Blowfish (enabled by default)
• AES 128
• AES 256
NOTE: Your SSH client selects the algorithm that provides the highest security from among the enabled algorithms that it is able to use. (If your SSH client cannot use either default algorithm, you must enable an AES algorithm that it can use.)

4. Under Console on the left navigation menu, select ssh host key, specify a host key file previously created with the APC Security Wizard, and load it to the Management Card or device.
   If you do not specify a host key file here, if you install an invalid host key, or if you enable SSH with no host key installed, the Management Card or device generates an RSA host key of 768 bits, instead of the 1024-bit RSA host key that you create using the Security Wizard. For the Management Card or device to create a host key, it must reboot. The Management Card or device can take up to 5 minutes to create this host key, and SSH is not accessible during that time.
   Alternatively, from a command line interface, such as the command prompt on Windows operating systems, you can use FTP or Secure CoPy (SCP) to transfer the host key file. You must transfer the file to the location \sec on the Management Card or device.
5. Display the fingerprint of the SSH host key for SSH versions 1 and 2. Most SSH clients display the fingerprint at the start of a session. Compare the fingerprint displayed by the client to the fingerprint that you recorded from the Web interface or control console of the Management Card or device.
If you are using SSH version 2, expect a noticeable delay when logging on to the control console of the Management Card or device.

Web Interface Access and Security

HTTP and HTTPS (with SSL)
HyperText Transfer Protocol (HTTP) provides access by user name and password, but does not encrypt user names, passwords, and data during transmission. HyperText Transfer Protocol over Secure Sockets Layer (HTTPS) encrypts user names, passwords, and data during transmission, and provides authentication of the Network Management Card or network-enabled device by means of digital certificates.
To configure HTTP and HTTPS:
1. On the Administration tab, select Network on the top menu bar and access under Web on the left navigation menu.
2. Enable either HTTP or HTTPS and configure the ports that each of the two protocols will use. Changes take effect the next time you log on. When SSL is activated, your browser displays a small lock icon.
   NOTE: For information on the extra security a non-standard port provides, see Port assignments.
3. Select ssl cipher suites under Web on the left navigation menu to choose among the encryption ciphers that SSL will use.
4. Select ssl certificate under Web on the left navigation menu to determine whether a server certificate is installed on the Management Card or device. If a certificate was created with the APC Security Wizard but is not installed:
• In the Web interface, browse to the certificate file and upload it to the Management Card or device.
• Alternatively, use the Secure CoPy (SCP) protocol or FTP to upload the certificate file to the location \sec on the Management Card or device.
See Creating and Installing Digital Certificates for several methods for using digital certificates.

5. If a valid digital server certificate is loaded, the Status field displays the link Valid Certificate. Click the link to display the parameters of the certificate.
A certificate that the Management Card or device generates has some limitations. See Method 1: Use the default certificate auto-generated by the Network Management Card or network-enabled device.
Creating and uploading a server certificate in advance reduces the time required to enable HTTPS. If you enable HTTPS with no server certificate loaded, the Management Card or device creates one when it reboots. The Management Card or device can take up to 5 minutes to create the certificate, and the SSL server is unavailable during that time.

Parameter / Description
Issued To:
Common Name (CN): The IP Address or DNS name of the Management Card or device. This field controls how you must log on to the Web interface.
• If an IP address was specified for this field when the certificate was created, use an IP address to log on.
• If the DNS name was specified for this field when the certificate was created, use the DNS name to log on.
If you do not use the IP address or DNS name that was specified for the certificate, authentication fails, and you receive an error message asking if you want to continue. For a server certificate generated by default by the Management Card or device, this field displays the serial number of the Management Card or device instead.
Organization (O), Organizational Unit (OU), and Locality, Country: The name, organizational unit, and location of the organization using the server certificate. For a server certificate generated by default by the Management Card or device, the Organizational Unit (OU) field displays "Internally Generated Certificate."
Serial Number: The serial number of the server certificate.
Issued By:
Common Name (CN): The Common Name as specified in the CA root certificate. For a server certificate generated by default by the Management Card or device, this field displays the serial number of the Management Card or device instead.
Organization (O) and Organizational Unit (OU): The name and organizational unit of the organization that issued the server certificate. If the server certificate was generated by default by the Management Card or device, this field displays "Internally Generated Certificate."
Validity:
Issued on: The date and time at which the certificate was issued.
Expires on: The date and time at which the certificate expires.
Fingerprints: Each of the two fingerprints is a long string of alphanumeric characters, punctuated by colons. A fingerprint is a unique identifier to further authenticate the server. Record the fingerprints to compare them with the fingerprints contained in the certificate, as displayed in the browser.
SHA1 Fingerprint: A fingerprint created by a Secure Hash Algorithm (SHA).
MD5 Fingerprint: A fingerprint created by a Message Digest 5 (MD5) algorithm.

RADIUS

Supported RADIUS Functions and Servers
Supported functions. APC supports the authentication and authorization functions of Remote Authentication Dial-In User Service (RADIUS). Use RADIUS to administer remote access for each Network Management Card or network-enabled device centrally. When a user accesses the Management Card or device, an authentication request is sent to the RADIUS server to determine the user's permission level.
For more information on permission levels, see Types of user accounts.
NOTE: RADIUS user names used with APC Network Management Cards or devices are limited to 32 characters.
Supported RADIUS servers. APC supports FreeRADIUS and Microsoft IAS 2003. Other commonly available RADIUS applications may work but have not been fully tested by APC.

Configure the Management Card or Device
Authentication. On the Administration tab, select Security on the top menu bar. Then, under Remote Users on the left navigation menu, select Authentication Method:
• Local Authentication Only: RADIUS is disabled. Local authentication is enabled.
• RADIUS, then Local Authentication: Both RADIUS and local authentication are enabled. Authentication is requested from the RADIUS server first; local authentication is used only if the RADIUS server fails to respond.
• RADIUS Only: RADIUS is enabled. Local authentication is disabled.
NOTE: If RADIUS Only is selected, and the RADIUS server is unavailable, improperly identified, or improperly configured, remote access is unavailable to all users. You must use a serial connection to the control console and change the Access setting to Local Authentication Only or RADIUS, then Local Authentication to regain access.

RADIUS. To configure RADIUS, on the Administration tab, select Security on the top menu bar. Then, under Remote Users on the left navigation menu, select RADIUS.

Setting / Definition
RADIUS Server: The server name or IP address of the RADIUS server.
NOTE: RADIUS servers use port 1812 by default to authenticate users. To use a different port, add a colon followed by the new port number to the end of the RADIUS server name or IP address.
Secret: The secret shared between the RADIUS server and the Management Card or device.
Timeout: The time in seconds that the Management Card or device waits for a response from the RADIUS server.
Test Settings: Enter the Administrator user name and password to test the RADIUS server path that you have configured.
Skip Test and Apply: Do not test the RADIUS server path.
Switch Server Priority: Change which RADIUS server will authenticate users if two configured servers are listed and RADIUS is the enabled authentication method.

Configure the RADIUS Server
You must configure your RADIUS server to work with the Management Card or network-enabled device. The examples in this section may differ somewhat from the required content or format of your specific RADIUS server. In the examples, any reference to outlets applies only to APC devices that support outlet users.
1. Add the IP address of the Network Management Card or network-enabled device to the RADIUS server client list (file).
2. Users must be configured with Service-Type attributes unless Vendor Specific Attributes (VSAs) are defined instead. If no Service-Type attribute is configured, the user has read-only access (to the Web interface only). The two acceptable values for Service-Type are Administrative-User (6), which gives the user Administrator permissions, and Login-User (1), which gives the user Device permissions.

Example using Service-Type Attributes
In the following example of a RADIUS users file:
– UPSAdmin corresponds to Service-Type = Administrative-User
– UPSDevice corresponds to Service-Type = Login-User
– UPSReadOnly has no Service-Type attribute

UPSAdmin Auth-Type = Local, Password = "admin"
    Service-Type = Administrative-User
UPSDevice Auth-Type = Local, Password = "device"
    Service-Type = Login-User
UPSReadOnly Auth-Type = Local, Password = "readonly"
RADIUS users the forinformation about RADIUSserverdocumentation See your corresponds to correspondsto corresponds to corresponds corresponds to corresponds Service-Type: Administrative-User, (6) Administrative-User, Service-Type: Service-Type: Login-User, (1) Login-User, Service-Type: Service-Type: null Service-Type: 36 SECURITY HANDBOOK Network-Enabled Devices, AOS v.3.x.x Examples using VendorExamples Specific Attributes Dictionary file. file. Dictionary overstandard RADIUSattributes. precedence not workcorrectly. authorization will and RADIUS authentication VSAs take and VALUE thenumericvalues, Ifyouchange thenumeric values. keywords,butnot RADIUS usersfile.Inthedictionaryfile,youcandefinenamesforATTRIBUTE entryand a your RADIUSserver.requires adictionary provided by Thismethod Vendor oftheService-Type Specificbe usedinstead attributes (VSAs)can Attributes VALUE APC-Service-Type Outlet 4 Outlet APC-Service-Type VALUE # only users outlet with devices # For # 3 ReadOnly APC-Service-Type VALUE 2 Device APC-Service-Type VALUE Admin 1 APC-Service-Type VALUE APC string 2 APC-Outlets ATTRIBUTE APC integer 1 APC-Service-Type ATTRIBUTE # # Attributes # 318 APC VENDOR # # # dictionary.apc # Following is an example of a RADIUS dictionaryfile(dictionary.apc): ofaRADIUS Following isanexample 37 SECURITY HANDBOOK Network-Enabled Devices, AOS v.3.x.x RADIUS Users file with VSAs. VSAOutlet Auth-Type =Local, Password ="outlet" #Give user accessto device outlets 1, 2and 3. VSAReadOnly Auth-Type =Local, Password ="readonly" VSADevice Auth-Type =Local, Password ="device" VSAAdmin Auth-Type =Local, Password ="admin" VSAs: APC-Outlets ="1,2,3" • • topics: the followingrelated See supported byAPC. 
supported RADIUS servers Supported type account PDU, seethe device’s Rack userforaSwitched type, e.g.,outlet useraccount hasanadditional device (Administrator,levels User, Device APC User).Ifyour andRead-Only Types ofuseraccounts APC-Service-Type =Outlet, APC-Service-Type =ReadOnly APC-Service-Type =Device APC-Service-Type =Admin Following is an example of a RADIUS users filewith aRADIUS users isanexampleof Following for information on the three basic user permission basic userpermission onthethree forinformation 38 for information on RADIUS servers testedand onRADIUSservers forinformation User’s Guide User’s for information on theadditional forinformationon SECURITY HANDBOOK Network-Enabled Devices, AOS v.3.x.x • Add user names and attributes to the RADIUS "user" file, andverifypassword "user"file, totheRADIUS andattributes Addusernames • totheRADIUS add thefollowing privileges, haveadministrative IfallUNIXusers • users: to authenticate Example with UNIX shadow passwords. ( /etc/passwd thawk Auth-Type = System = Auth-Type System = Auth-Type thawk bconners is forusers followingexample against /etc/passwd. The “user” file.To APC-Service-Type Users,change the to allowonlyDevice APC-Service-Type = Admin = APC-Service-Type System = Auth-Type DEFAULT ) with the RADIUS dictionary files, the following two methods can be used canbeused following twomethods files,the the RADIUS dictionary ) with APC-Outlets ="1,2,3" APC-Service-Type =Outlet APC-Service-Type =Admin 39

If UNIX shadow password files are used UNIX shadow passwordfilesare If
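As an added example that is not part of the handbook, the following Python script parses a users file in the layout shown above and resolves each entry to its APC permission level, applying two rules the text states: a user with no Service-Type is read-only, and a VSA takes precedence over the standard Service-Type. The file contents and the Mixed user are constructed for this example.

```python
import re

# A reply item is "Name = value"; a value is quoted (and may contain commas,
# e.g. APC-Outlets = "1,2,3") or a bare word running up to the next comma.
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')

# Constructed sample users file in the layout of the handbook's examples;
# "Mixed" is constructed to show a VSA overriding a standard Service-Type.
USERS_FILE = """\
UPSAdmin Auth-Type = Local, Password = "admin"
    Service-Type = Administrative-User
UPSReadOnly Auth-Type = Local, Password = "readonly"
# Give user access to device outlets 1, 2 and 3.
VSAOutlet Auth-Type = Local, Password = "outlet"
    APC-Service-Type = Outlet,
    APC-Outlets = "1,2,3"
Mixed Auth-Type = Local, Password = "mixed"
    Service-Type = Administrative-User,
    APC-Service-Type = Device
"""

def parse_users_file(text):
    """Return {username: {reply attribute: value}} for each entry. The
    unindented first line carries the user name and check items (Auth-Type,
    Password), which are not reply attributes and are skipped."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # unindented line: a new entry begins
            current = line.split()[0]
            users[current] = {}
            continue
        for attr, value in ATTR_RE.findall(line):
            users[current][attr] = value.strip('"')
    return users

def permission(attrs):
    """Resolve one user's reply attributes to (level, outlets). A VSA wins
    over the standard Service-Type; no Service-Type at all means read-only
    (Web interface only), as the handbook states."""
    if "APC-Service-Type" in attrs:
        level = attrs["APC-Service-Type"]
        if level == "Outlet":
            outlets = [int(n) for n in attrs.get("APC-Outlets", "").split(",") if n]
            return "Outlet", outlets
        return level, None
    standard = {"Administrative-User": "Admin", "Login-User": "Device"}
    return standard.get(attrs.get("Service-Type"), "ReadOnly"), None
```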

Index

A
Access options for each interface
  for Web Interface and Control Console
Administrator account
Authentication
  with RADIUS
  with SNMPv3
  with SSL

B
Browsers
  CA certificates in browser's store (cache)
  danger of leaving browser open
  lock icon when SSL is installed

C
Certificates
  choosing which method to use
  creating and installing for SSL
  methods
    APC Security Wizard creates all certificates
    Use a Certificate Authority (CA)
    Use the APC default certificate
Cipher suites
  ciphers and algorithms for SSL, SSH
  purpose of the encryption ciphers for SSH v1 and v2
Configuring

D
Device user account

E
Encryption
  with SNMPv3
  with SSH and SCP for the Control Console
  with SSL for the Web interface

F
Fingerprints, displaying and comparing
FTP
  disabling FTP if you use SSH and SCP
  for transferring host keys
  for transferring server certificates
  using a non-standard port for extra security

H
Host keys
  creating with the Security Wizard
  generated by the Management Card or device
  transferring to the Management Card or device

P
Passwords
  change immediately for security
  using non-standard ports as extra passwords
Ports, assigning

R
RADIUS Server setting
Read-only user account
Root certificates, creating

S
SCP. See Secure CoPy.
Secure CoPy
  as alternative to FTP
  enabled and configured with SSH
  for encrypted file transfer
  for transferring host keys
  for transferring server certificates
  using non-standard port
Secure SHell
  authentication
  encryption with SSH and SCP
  how SSH host keys are used
  supported SSH clients
Secure Sockets Layer
  authentication through digital certificates
  certificate-signing requests
  choosing a method to use certificates
  cipher suites and algorithms
  how certificates are used
  with a Certificate Authority
  without a Certificate Authority
Security
  authentication through RADIUS
  authentication with SSH and SCP
  disabling less secure interfaces
  immediately changing username and password
  options for each interface
  summary of access methods
  using non-standard ports as extra passwords
Security menu
  access
  local users, defining
  passwords
  RADIUS settings
  remote users, authentication
Security Wizard
  creating certificates
  creating signing requests
  creating SSH host keys

Server certificates
  creating to use with a Certificate Authority
  creating without a Certificate Authority
  creating with the Security Wizard
  transferring to the Management Card or device
Signing requests, creating
SNMP
  v1
    disabling READ access
  v3
    authentication
    encryption
SSH. See Secure SHell.
SSH
  access
  authentication
  encryption
  host key fingerprints, displaying and comparing
  obtaining an SSH client
  server configuration
  v1 and v2 encryption algorithms
SSL. See Secure Sockets Layer.
SSL
  authentication through digital certificates
  certificate signing requests
  certificates as identifier that cannot be falsified
  configuring
  enabling
  encryption

T
Timeout setting for RADIUS

U
User accounts, types
User Name, change immediately for security

APC Worldwide Customer Support

Customer support for this or any other APC product is available at no charge in any of the following ways:
• Visit the APC Web site to access documents in the APC Knowledge Base and to submit customer support requests.
  – www.apc.com (Corporate Headquarters)
    Connect to localized APC Web sites for specific countries, each of which provides customer support information.
  – www.apc.com/support/
    Global support searching APC Knowledge Base and using e-support.
• Contact the APC Customer Support Center by telephone or e-mail.
  – Local, country-specific centers: go to www.apc.com/support/contact for contact information.
For information on how to obtain local customer support, contact the APC representative or other distributors from whom you purchased your APC product.

Copyright

Entire contents copyright 2009 American Power Conversion Corporation. All rights reserved. Reproduction in whole or in part without permission is prohibited. APC, the APC logo, and InfraStruXure are trademarks of American Power Conversion Corporation. All other trademarks, product names, and corporate names are the property of their respective owners and are used for informational purposes only.

Cryptlib, the toolkit used to develop the library of cryptographic routines in the Network Management Card: copyright ©1998 Digital Data Security, Ltd., New Zealand.

990-2417D-001 1/2009