System Management Guide: Operating System and Devices

Web-based System Manager Security

Before installing and configuring Web-based System Manager security, be sure that Web-based System Manager for client-server operation has been configured. See Client-Server Web-based System Manager.

In Web-based System Manager secure operation, the managed AIX machines are servers, and the managing users are the clients. The communication between the servers and clients is over the SSL protocol which provides server authentication, data encryption, and data integrity. The user manages the AIX machine by Web-based System Manager using an AIX account on that machine, and authenticates to the Web-based System Manager server by sending the user ID and password over the secured SSL protocol.

Each Web-based System Manager server has its private key and a certificate of its public key signed by a Certificate Authority (CA) which is trusted by the Web-based System Manager clients. The private key and the server certificate are stored in the server's private key ring file /usr/websm/security/SM.privkr. The Web-based System Manager client has a public key ring file which contains the certificates of the CAs it trusts. This file is SMpubkr.class. It is a .class file so that the same file may be used both for application and applet modes.

In applet mode (working from the browser), the client must be assured that the applet (.class files) arriving at the browser is coming from the intended server. Moreover, in this mode the public key ring file (SMpubkr.class) resides on the server and is transferred to the client with the rest of the applet .class files (it is done this way because the browser does not allow applets to read local files). For sender authentication and integrity of these files the client must use the SSL capabilities of the browser and contact the server only with the HTTPS protocol (HTTPS://...). For this you can use the SSL capability of the web server on each managed machine or you can use the SMGate daemon installed with Web-based System Manager Security. SMGate serves as an SSL gateway between the client browser and the web server.

In this section, the following procedures and processes related to Security are discussed at length:

 

Installing Web-based System Manager Security

Web-based System Manager Security's pre-requisite is the Web-based System Manager. The Web-based System Manager Security fileset, sysmgt.websm.security, where available, can be found on the AIX Version 4.3 Bonus Pack.

An additional fileset, sysmgt.websm.security-us, with stronger encryption capabilities, is available on the AIX Version 4.3 Bonus Pack that ships only in the U.S. and Canada. This fileset requires that you have sysmgt.websm.security.

 

Configuring Web-based System Manager Security

Web-based System Manager Security provides both a graphical interface and a command line interface for performing the configuration tasks. In the graphical user interface, the security administration panels/task-guides come up as 'actions' when either of the two security icons in the System container are clicked: Certificate Authority (CA) and Server Security. These icons are visible only in local mode. In different scenarios discussed below, they will be referred to as the CA icon and Server icon. In these scenarios, the graphical user interface is used. The corresponding command is listed for each step.

The following scenarios or configuration possibilities are outlined:

Scenario A: 'Ready to Go' key ring files

This is probably the fastest way to get into security operational state. In this scenario you use a single machine to define an internal CA (Certificate Authority) and generate 'ready-to-go' key ring files for all of your Web-based System Manager servers and clients. This generates a public key ring file which you must copy to all of the servers and clients, and a unique private key ring file for each server.
  1. Defining an Internal Web-based System Manager-CA
  2. Generating the Servers Private Key Ring Files
  3. Distributing the Public Key Ring File to All Clients and Servers
  4. Distributing the private key ring files to all servers

  1. Defining an internal Web-based System Manager Certificate Authority

    You should use a 'safe' system for the CA. The CA's private key is the most sensitive data in the Web-based System Manager security configuration.

    Once the CA machine is chosen, log on locally as root and start the Web-based System Manager. The security configuration applications of the Web-based System Manager are not accessible if you are not logged in as root or if you are running the Web-based System Manager in remote application or applet mode.

    Open the "System" container and find the security configuration objects, "Certificate Authority" and "Server Security".

    On the object menu for "Certificate Authority" select "Configure this System as Certificate Authority ...". This will start a task guide. Fill in the following information:

    You can perform this task from the command line with the smdefca command.

  2. Generating private key ring files for your Web-based System Manager servers.

    In this step you will need to provide the full TCP/IP names of all of your Web-based System Manager servers. You can enter them in the dialog one at a time or you can provide a file containing a list of your servers, one per line.

    On the object menu for "Certificate Authority" select "Generate Servers' Private Keys and Certificate Requests ...". The CA password dialog will appear first. Enter the password that you specified when you defined the CA. Then fill in the following information:

    When you click OK, a private key ring file (S.privkr) is created for each server (S) that you specified.

    You can perform this task from the command line with the smgenprivkr command.

  3. Distributing the public key ring file (SMpubkr.class) to all servers and clients.

    A copy of SMpubkr.class from the directory you specified in step I must be placed in the /usr/websm/codebase directory of your Web-based System Manager servers and AIX clients.

    Note: The content of this file is not secret. However, placing it on a client machine specifies which CA the client trusts. Thus access to this file on the client machine should be limited. In applet mode, the client can trust the server to send over this file along with the applet itself - provided the HTTPS protocol is used.
  4. Distributing the private key ring files to all servers

    Each server's private key ring file must be installed on the server.

    You can move the files to their targets in any secure way. We'll describe here two ways - shared directory and diskette TAR:

    Next you will need to install the server private key rings on each server. Log on to each server as root, start the Web-based System Manager and open the System container. On the object menu for "Server Security" select "Install Private Key Ring...". Select the source for the server private key ring files. If using a diskette TAR, insert the diskette before clicking OK. Now go ahead and click on OK. If the key ring files are encrypted, you will be asked for the password. The server's private key is installed in /usr/websm/security/SM.privkr. Repeat this procedure on each server.

    You can perform this task from the command line with the sminstkey command.

 

Scenario B: Multiple sites

Use this scenario if you have multiple sites and you do not want to distribute private key ring files between sites. Suppose you have site A and site B, and you define your internal Web-based System Manager-CA on a machine in site A. See step I of scenario A for directions on configuring a CA. For all clients, and for site A servers, you can follow Scenario A.

For servers in site B follow these steps:

  1. Generating private keys and certificate requests for your Web-based System Manager servers
  2. Getting the certificates signed by the CA in site A
  3. Importing the signed certificates to the server's private key ring files
  4. Distributing the private key ring files to all servers
  5. Distributing the public key ring file (SMpubkr.class) to all servers and clients in site B

  1. Generating private keys and certificate requests for your Web-based System Manager servers.

    In this step you will need to provide the full TCP/IP names of all of your Web-based System Manager servers in site B. You can enter them in the dialog one at a time or you can provide a file containing a list of your servers, one per line.

    On a server in site B, log on locally as root and start the Web-based System Manager. The security configuration applications of the Web-based System Manager are not accessible if you are not logged in as root or if you are running the Web-based System Manager in remote application or applet mode.

    Open the "System" container and find the security configuration object "Server Security".

    On the object menu for "Server Security" select "Generate Servers' Private Keys and Certificate Requests...". Fill in the following information:

    When you click OK, a private key file (S.privk) and a certificate request (S.certreq) are created for each server (S) that you specified.

    You can perform this task from the command line with the smgenkeycr command.

  2. Getting the certificates signed by the CA in Site A

    In this step you need to transfer the certificate request files to the CA in site A. The certificate requests do not contain secret data; however, their integrity and authenticity during transfer must be ensured.

    Transfer a copy of the certificate request files from the server in site B to a directory on the CA machine in site A.

    Log on to the CA machine in site A locally as root and start the Web-based System Manager. The security configuration applications of the Web-based System Manager are not accessible if you are not logged in as root or if you are running the Web-based System Manager in remote application or applet mode.

    Open the "System" container and find the security configuration object "Certificate Authority".

    On the object menu for "Certificate Authority" select "Sign Certificates...". Fill in the following information:

    When you click OK, a certificate file (S.cert) is created for each server (S) that you selected. The certificates are written to the directory containing the certificate requests.

    You can perform this task from the command line with the smsigncert command.

  3. Importing the signed certificates into the servers' private key ring files

    In this step you need to transfer the certificates from the CA in site A back to the server in site B. Copy them to the directory containing the certificate requests and server private key files that you created in step I.

    Then on the server in site B, from the object menu for "Server Security", select "Import Signed Certificates...".

    Fill in the following information:

    When you click OK, if the server private key files were encrypted in step I, you will be prompted for the password. Then, for each server (S) that you selected, the certificate (S.cert) is imported into the private key file (S.privk) and the private key ring file (S.privkr) is created.

    You can perform this task from the command line with the smimpservercert command.

  4. Distributing the private key ring files to the servers

    Each server's private key ring file must be installed on the server.

    You can move the files to their targets in any secure way. We'll describe here two ways - shared directory and diskette TAR:

    Next you will need to install the server private key rings on each server. Log on to each server as root, start the Web-based System Manager and open the System container. On the object menu for "Server Security" select "Install Private Key Ring...". Select the source for the server private key ring files. If using a diskette TAR, insert the diskette before clicking OK. Now go ahead and click on OK. If the key ring files are encrypted, you will be asked for the password. The server's private key is installed in /usr/websm/security/SM.privkr. Repeat this procedure on each server.

    You can perform this task from the command line with the sminstkey command.

  5. Distributing the public key ring file (SMpubkr.class) to all servers and clients in site B

    A copy of SMpubkr.class from the directory you specified in step I must be placed in the /usr/websm/codebase directory of your Web-based System Manager servers and AIX clients.

    Note: The content of this file is not secret. However, placing it on a client machine specifies which CA the client trusts. Thus access to this file on the client machine should be limited. In applet mode, the client can trust the server to send over this file along with the applet itself - provided the HTTPS protocol is used.
 

Scenario C: Avoid transfer of private keys

Use this scenario if you want a private key to be generated on the server it belongs to, never to be transferred (by network or diskette) to other systems. In this scenario you configure each server separately. The process must be repeated on each server.

Before you follow this scenario you should configure your CA following the steps in scenario A, step I.

Scenario C involves the following tasks:

  1. Generating servers' private keys and certificate requests
  2. Getting the signed certificates from your CA
  3. Importing the certificates to the private key files
  4. Installing the private key on the server
  5. Distributing the public key ring file (SMpubkr.class) to all servers and clients

  1. Generating a private key and certificate request for your Web-based System Manager server.

    On the server, log on locally as root and start the Web-based System Manager. The security configuration applications of the Web-based System Manager are not accessible if you are not logged in as root or if you are running the Web-based System Manager in remote application or applet mode.

    Open the "System" container and find the security configuration object, "Server Security".

    On the object menu for "Server Security" select "Generate Servers' Private Keys and Certificate Requests...". Fill in the following information:

    When you click OK, a private key file (S.privk) and a certificate request (S.certreq) are created for this server (S).

    You can perform this task from the command line with the smgenkeycr command.

  2. Getting the certificates signed by the CA

    In this step you need to transfer the certificate request file to your CA. The certificate request does not contain secret data; however, its integrity and authenticity during transfer must be ensured.

    Transfer a copy of the certificate request file from the server to a directory on your CA machine. To save time you can transfer the certificate requests from all of your servers and have all of them signed by the CA in one step.

    Log on to your CA machine locally as root and start the Web-based System Manager. The security configuration applications of the Web-based System Manager are not accessible if you are not logged in as root or if you are running the Web-based System Manager in remote application or applet mode.

    Open the "System" container and find the security configuration object, "Certificate Authority".

    On the object menu for "Certificate Authority" select "Sign Certificates...". Fill in the following information:

    When you click OK, a certificate file (S.cert) is created for each server (S) that you selected. The certificate is written to the directory containing the certificate request.

    You can perform this task from the command line with the smsigncert command.

  3. Importing the certificates to the private key files

    In this step you need to transfer the certificate from the CA back to the server. Copy it to the directory containing the certificate request and server private key file that you previously created in step I.

    Then, on the server, from the object menu for "Server Security", select "Import Signed Certificates...".

    Fill in the following information:

    When you click OK, if the server private key file was encrypted in step I, you will be prompted for the password. Then, your server's certificate (S.cert) is imported into the private key file (S.privk) and the private key ring file (S.privkr) is created in the directory containing the certificate request and private key file.

    You can perform this task from the command line with the smimpservercert command.

  4. Installing the private key on the server

    On the object menu for "Server Security", select "Install Private Key Ring...". Select the "Directory" button and enter the directory containing the server's private key ring file. If the key file was encrypted, you will be asked for the password. Then, the server's private key is installed in /usr/websm/security/SM.privkr.

    You can perform this task from the command line with the sminstkey command.

  5. Distributing the public key ring file (SMpubkr.class) to all servers and clients

    A copy of SMpubkr.class from the directory you specified in step I must be placed in the /usr/websm/codebase directory of your Web-based System Manager servers and AIX clients.

    Note: The content of this file is not secret. However, placing it on a client machine specifies which CA the client trusts. Thus access to this file on the client machine should be limited. In applet mode, the client can trust the server to send over this file along with the applet itself - provided the HTTPS protocol is used.
 

Scenario D: Using another CA

Use this scenario if you do not want to use an internal Web-based System Manager CA, but instead, you want to use another internal CA product which may already be functioning on your system. In this scenario, your certificate requests will be signed by this other CA.
  1. Generating private keys and certificate requests for your Web-based System Manager servers
  2. Getting the certificates signed by the CA
  3. Importing the signed certificates to the server's private key ring files
  4. Distributing the private key ring files to all servers
  5. Importing the CA certificate to the public key ring file
  6. Distributing the public key ring file to all clients and servers

  1. Generating private keys and certificate requests for your Web-based System Manager servers.

    In this step you will need to provide the full TCP/IP names of all of your Web-based System Manager servers. You can enter them in the dialog one at a time or you can provide a file containing a list of your servers, one per line.

    On a server, log on locally as root and start the Web-based System Manager. The security configuration applications of the Web-based System Manager are not accessible if you are not logged in as root or if you are running the Web-based System Manager in remote application or applet mode.

    Open the "System" container and find the security configuration object, "Server Security".

    On the object menu for "Server Security" select "Generate Servers' Private Keys and Certificate Requests...". Fill in the following information:

    When you click OK, a private key file (S.privk) and a certificate request (S.certreq) are created for each server (S) that you specified.

    You can perform this task from the command line with the smgenkeycr command.

  2. Getting the certificates signed by the CA

    In this step you need to transfer the certificate request files to the CA. The certificate requests do not contain secret data; however, their integrity and authenticity during transfer must be ensured.

    Transfer a copy of the certificate request files from the server to a directory on the CA machine.

    Follow the instructions of your CA to generate the signed certificates out of the certificate requests. The next step will be easier if the name of the certificate file of server S is S.cert.

  3. Importing the signed certificates into the servers' private key ring files

    In this step you need to transfer the certificates from the CA back to the server. Copy them to the directory containing the certificate requests and server private key files that you created in step I. This step requires that the certificate file of a server S be named S.cert.

    Then, on the server, from the object menu for "Server Security", select "Import Signed Certificates...".

    Fill in the following information:

    When you click OK, if the server private key files were encrypted in step I, you will be prompted for the password. Then, for each server (S) that you selected, the certificate (S.cert) is imported into the private key file (S.privk) and the private key ring file (S.privkr) is created.

    You can perform this task from the command line with the smimpservercert command.

  4. Distributing the private key ring files to the servers

    Each server's private key ring file must be installed on the server.

    You can move the files to their targets in any secure way. We'll describe here two ways - shared directory and diskette TAR:

    Next you will need to install the server private key rings on each server. Log on to each server as root, start the Web-based System Manager and open the System container. On the object menu for "Server Security" select "Install Private Key Ring...". Select the source for the server private key ring files. If using a diskette TAR, insert the diskette before clicking OK. Now go ahead and click on OK. If the key ring files are encrypted, you will be asked for the password. The server's private key is installed in /usr/websm/security/SM.privkr. Repeat this procedure on each server.

    You can perform this task from the command line with the sminstkey command.

  5. Importing the CA certificate to the public key ring file

    Receive the CA (self signed) certificate of your CA (see the documentation for your CA). Copy it to a directory on the server you are working on.

    Then, on the server, from the object menu for "Server Security", select "Import CA Certificate...".

    Fill in the following information:

    When you click OK, the public key ring file SMpubkr.class will be written to the directory you specified.

    You can perform this task from the command line with the smimpcacert command.

  6. Distributing the public key ring file to all clients and servers

    A copy of SMpubkr.class must be placed in the /usr/websm/codebase directory of all Web-based System Manager servers and clients.

    Note: The content of this file is not secret. However, placing it on a client machine specifies which CA the client trusts. Thus access to this file on the client machine should be limited. In applet mode, the client can trust the server to send over this file along with the applet itself - provided the HTTPS protocol is used.
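
Scenarios B, C and D move certificate requests and signed certificates between a server and the CA and require that their integrity and authenticity be ensured. The following shell functions are an added example, not part of the original guide or of Web-based System Manager: they record SHA-256 digests before a transfer, check them on arrival, and confirm that each S.certreq has its S.privk and S.cert before import. The function names, the manifest format, the example host names and the availability of sha256sum or shasum are assumptions, and the manifest itself must reach the other side over a separate trusted channel.

```shell
#!/bin/sh
# Added example (not from the guide): detect modification of certificate
# requests (S.certreq) and signed certificates (S.cert) while in transit.
# Assumptions: sha256sum or shasum exists; the manifest format is made up here.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_manifest DIR EXT: print "<digest>  <name>" for every DIR/*.EXT.
make_manifest() {
    for mm_f in "$1"/*."$2"; do
        [ -f "$mm_f" ] || continue
        printf '%s  %s\n' "$(sha256_of "$mm_f")" "$(basename "$mm_f")"
    done
}

# verify_manifest DIR EXT MANIFEST: every listed file must be present with the
# recorded digest, and DIR must hold no *.EXT file that the manifest omits.
verify_manifest() {
    vm_dir=$1 vm_ext=$2 vm_man=$3 vm_rc=0
    while read -r vm_sum vm_name; do
        [ -n "$vm_name" ] || continue
        if [ ! -f "$vm_dir/$vm_name" ]; then
            echo "MISSING $vm_name"; vm_rc=1
        elif [ "$(sha256_of "$vm_dir/$vm_name")" != "$vm_sum" ]; then
            echo "ALTERED $vm_name"; vm_rc=1
        fi
    done < "$vm_man"
    for vm_f in "$vm_dir"/*."$vm_ext"; do
        [ -f "$vm_f" ] || continue
        vm_base=$(basename "$vm_f")
        if ! awk -v n="$vm_base" '$2 == n { found = 1 } END { exit !found }' "$vm_man"; then
            echo "UNLISTED $vm_base"; vm_rc=1
        fi
    done
    return $vm_rc
}

# import_ready DIR: before "Import Signed Certificates...", each S.certreq
# needs its S.privk and a returned S.cert in the same directory.
import_ready() {
    ir_rc=0
    for ir_req in "$1"/*.certreq; do
        [ -f "$ir_req" ] || continue
        ir_s=${ir_req%.certreq}
        [ -f "$ir_s.privk" ] || { echo "NO_PRIVK $(basename "$ir_s")"; ir_rc=1; }
        [ -f "$ir_s.cert" ]  || { echo "NO_CERT $(basename "$ir_s")"; ir_rc=1; }
    done
    return $ir_rc
}

# Demo with constructed placeholder files (not real requests or keys).
demo=$(mktemp -d)
mkdir "$demo/server" "$demo/ca"
for h in srv1.example.com srv2.example.com; do
    echo "constructed request for $h" > "$demo/server/$h.certreq"
    echo "constructed key for $h" > "$demo/server/$h.privk"
done
make_manifest "$demo/server" certreq > "$demo/certreq.manifest"
cp "$demo/server/"*.certreq "$demo/ca/"
echo "changed in transit" >> "$demo/ca/srv2.example.com.certreq"
verify_manifest "$demo/ca" certreq "$demo/certreq.manifest" || echo "do not sign"
import_ready "$demo/server" || echo "do not import yet"
rm -rf "$demo"
```

The same pair of functions applies on the return trip by building the manifest over the `cert` extension on the CA machine and verifying it on the server.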
 

Configuring for SMGate

The SMGate daemon installed with Web-based System Manager Security allows you to run the Web-based System Manager in secure applet mode without having to configure your web server for security on each system to be managed. SMGate serves as an SSL gateway between the client browser and the local web server.

To use SMGate, you will need to receive the Certificate Authority's certificate into your client browsers.

  1. If you are using the Web-based System Manager internal certificate authority you can get the CA's certificate using the following procedure.
    Log on to the CA machine in local mode as root. Start the Web-based System Manager and open the System container. On the object menu for "Certificate Authority" select "Export Certificate...". The "Export Certificate Authority's Certificate" dialog will be displayed. Enter the full pathname where you want the certificate written, and click OK. Alternatively, from the command line type:
    /usr/websm/bin/smexpcacert
    If you are not using the Web-based System Manager internal certificate authority then use your certificate authority's procedures for obtaining a copy of its certificate.
  2. Copy the certificate to a web server directory so you can access it from the client browsers (for Lotus Go you can put it in the /usr/lpp/internet/server_root/pub directory). The MIME type sent by the web server must be "application/x-x509-ca-cert". On the Lotus Go web server you can set the MIME types in "Configuration and Administration Forms - MIME Types" and by default you can get this MIME type by adding the ".DER" suffix to the certificate file name.
  3. In each of your client browsers, point the browser to the CA certificate file and follow your browser's procedure to accept it as a signer certificate.

Your browsers are now set up to connect to your servers through SMGate. To enable the SMGate daemon, see "Enabling SMGate"; to run through SMGate, see "Running Web-based System Manager Security: Applet Mode".

Viewing Configuration Properties

Once the security configuration is done, it is possible to view the properties of the CA, any server, and any client's public key ring.

CA properties

To view CA properties open the system container and find the security configuration object "Certificate Authority". On the object menu for "Certificate Authority", select "Properties". The dialog provides read-only information for the CA.

Detailed information on all operations executed by the CA (e.g., key ring generation, certificate signing) can be found in the CA log file /usr/websm/security/SMCa.log.

You can perform this task from the command line with the smcaprop command.

Server properties

To view a server's properties open the system container and find the security configuration object "Certificate Authority". On the object menu for "Certificate Authority", select "Properties". The dialog provides read-only information for the server.

You can perform this task from the command line with the smserverprop command.

Public Key Ring Content

To view the CA certificate(s) included in the public key ring SMpubkr.class, use the smlistcerts command.
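
The scenarios note that access to SMpubkr.class should be limited because it decides which CA a client trusts, and SM.privkr holds the server's private key. The following shell audit is an added example, not part of the original guide or of the product: it checks owner and mode of both files at the paths this page names. The function names and the policy (owner uid 0, owner-only access for SM.privkr, owner-only write for SMpubkr.class) are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): audit the key ring files named on this page.
# Assumed policy:
#   SM.privkr      owner-only, no group/other bits (it holds the private key)
#   SMpubkr.class  may be world-readable, but only the owner may write it

# has_bit FILE OCTAL: true when every bit in OCTAL is set on FILE (POSIX find).
has_bit() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# check_keyring FILE KIND [UID]
#   KIND is "private" or "public"; UID is the expected numeric owner (default 0).
#   Prints one line per finding and returns 1 if there is any.
check_keyring() {
    ck_file=$1 ck_kind=$2 ck_uid=${3:-0} ck_rc=0

    if [ ! -f "$ck_file" ]; then
        echo "MISSING $ck_file"
        return 1
    fi

    # ls -n prints the numeric owner in the third field.
    ck_owner=$(ls -ldn "$ck_file" | awk '{print $3}')
    if [ "$ck_owner" != "$ck_uid" ]; then
        echo "OWNER $ck_file uid=$ck_owner expected=$ck_uid"
        ck_rc=1
    fi

    case $ck_kind in
        private) ck_bits="040 020 010 004 002 001" ;;  # any group/other access
        public)  ck_bits="020 002" ;;                  # group/other write
        *) echo "usage: check_keyring FILE private|public [UID]" >&2; return 2 ;;
    esac
    for ck_b in $ck_bits; do
        if has_bit "$ck_file" "$ck_b"; then
            echo "MODE $ck_file has bit $ck_b set"
            ck_rc=1
        fi
    done
    return $ck_rc
}

# audit_websm_keyrings [ROOT] [UID]: check both files under an optional prefix.
# On a client-only machine SM.privkr is expected to be reported as MISSING.
audit_websm_keyrings() {
    aw_root=${1:-} aw_uid=${2:-0} aw_rc=0
    check_keyring "$aw_root/usr/websm/security/SM.privkr" private "$aw_uid" || aw_rc=1
    check_keyring "$aw_root/usr/websm/codebase/SMpubkr.class" public "$aw_uid" || aw_rc=1
    return $aw_rc
}

# Demo on constructed placeholder files in a scratch tree (not real key rings).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/websm/security" "$demo_root/usr/websm/codebase"
: > "$demo_root/usr/websm/security/SM.privkr"
: > "$demo_root/usr/websm/codebase/SMpubkr.class"
chmod 640 "$demo_root/usr/websm/security/SM.privkr"    # too open on purpose
chmod 644 "$demo_root/usr/websm/codebase/SMpubkr.class"
audit_websm_keyrings "$demo_root" "$(id -u)" || echo "findings reported above"
rm -rf "$demo_root"
```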
 

Enabling Web-based System Manager Security

On each system you want to manage, you can enable the security option you want enforced. By default, security is enabled so that the managed system will only accept secure connections.

You can enable security so that the managed system will accept secure or unsecure connections by running the command: wsmserver -ssloptional. In this mode, the user at the client can select an option on the Web-based System Manager logon dialog to specify a secure or unsecure connection.

You can enable security so that the managed system will only accept secure connections by running the command /usr/websm/bin/wsmserver -sslalways.

 

Enabling SMGate

SMGate can only be enabled after the server has been configured for security, as SMGate uses the server's private key ring /usr/websm/security/SM.privkr.

To enable SMGate, enter the command: /usr/websm/bin/wsmserver -enablehttps. This starts SMGate and adds an entry to the /etc/inittab file so that it is automatically activated when the system is restarted. The default port for SMGate is 9092. You can look in the /etc/services file to make sure this port is not being used by another service. You can configure SMGate to use a different port with the command: /usr/websm/bin/wsmserver -enablehttps <port> where <port> is the port number you want it to use.

If you change the server's security configuration you must disable SMGate and re-enable it. The command for disabling SMGate is /usr/websm/bin/wsmserver -disablehttps.

To configure the browser for working through SMGate, see section "Configuring for SMGate".

 

Running Web-based System Manager Security

Application mode

The Web-based System Manager runs in application mode when you use an AIX machine as a client to manage another AIX machine. On the client you issue the command wsm -host <hostname> (where <hostname> is the name of the remote machine you want to manage).

If the machine to be managed is configured to allow secure connections only (see Enabling Web-based System Manager Security), then the client must have the sysmgt.websm.security fileset installed and must have a copy of the public key ring file, SMpubkr.class in directory /usr/websm/codebase. In this mode the Web-based System Manager logon dialog will have a checkbox indicating that security is required.

If the machine to be managed is configured to allow secure or unsecure connections (see Enabling Web-based System Manager Security) and the client has a copy of the public key ring file, SMpubkr.class in the /usr/websm/codebase directory, then the Web-based System Manager logon dialog will have a checkbox that allows the client user to specify a secure or unsecure connection. If the client machine does not have the SMpubkr.class file, only an unsecure connection can be established.

Security when running in application mode is indicated by a "secure connection" message on the status line at the bottom of the Web-based System Manager containers.

Applet mode

The Web-based System Manager runs in applet mode when you use a browser to connect to the machine you want to manage. Applet mode adds another security consideration, the secure transfer of the public key ring file (SMpubkr.class) and the applet's .class files. For complete security in applet mode, the client must use the SSL capabilities of its browser and contact the server only with the HTTPS protocol. This requires that the web server is configured for security or that SMGate is configured.

There are two security indicators to look for when running in applet mode, the browser's HTTPS indication, and the "secure connection" message on the status line at the bottom of the Web-based System Manager containers. If either indicator is missing, the connection is not completely secure.

 

Troubleshooting Web-based System Manager Security

Problem: No security icons in the System container.
Action: Make sure you're logged in as root, and operating Web-based System Manager on the local machine.

Problem: When trying to use the CA for generating key rings or signing certificate requests, a message CA access is locked (SMCa.lock) is issued.
Action: If you are sure that no other administrator is currently using the CA, remove the CA lock file /usr/websm/security/SMCa.lock.

Problem: In SMGate configuration, the browser doesn't recognize the CA certificate file as a CA certificate.
Action: Check in the web server documentation that the MIME type being sent by the web server for the certificate file you placed is indeed application/x-x509-ca-cert.

Problem: In running through SMGate, the browser issues an error message about invalid signature.
Action: It could be that the server is certified by a new CA with the same name as an old CA and that the browser has the CA certificate of the old CA. Delete the old CA certificate in the browser and follow the SMGate configuration section to receive the new certificate.

Problem: Secure remote activation of Web-based System Manager fails.
Action: First, verify that non-secure remote activation works (you might need to change the server's setting for that, if it doesn't permit non-secure connections).

Certificate matching and expiration:

  • Log on as root to the server machine and use the Server Properties dialog of the Server icon (or the smserverprop command line) to verify the server's certificate expiration date, and record the CA name (the CA that signed the server's certificate).
  • If the problem occurred in application mode use the smlistcerts command on the client machine (smlistcerts /usr/websm/codebase) and verify that it includes a certificate of the CA that signed the server's certificate (above), and that this certificate hasn't expired. If the problem is in applet mode, issue the smlistcerts command on the server's machine, since the public key ring resides on the server and is transferred to the client.
