...

...

When installing a new server, a communication security key is transferred to the new server. To ensure secure transfer of the key, see Securing communication key transfer to a new server on page 48.

Configuring a secured Precise system

...

  1. Log in to the Main Precise FocalPoint.
  2. Run the following command from the <Precise_root> folder:
    • Windows
      infra\bin\psin_cli.bat
      -i3-user <user_name>
      {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
      -action communication-key-change
      -type aes
    • UNIX
      ./infra/bin/psin_cli.sh
      -i3-user <user_name>
      {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
      -action communication-key-change
      -type aes

Distributing the new encryption settings to all servers

For the new encryption settings to take effect, you must distribute them to all servers, completing no later than 24 hours after you changed the encryption configuration on the Precise FocalPoint server.

...

Info: Run the verify command at least 48 hours after creating the new AES key. This ensures that the protocol is secured with the new key.

See Distributing the new encryption settings to all servers on page 216.

If the new encryption settings were successfully received on all servers, the scan results in an output like the following:

...

You can replace the password encryption key on the Precise FocalPoint server by using the Precise Command Line Interface (CLI) installation utility. For information on how to deploy this utility, see the Precise CLI Utility Reference Guide.

To replace the password encryption key on the Precise FocalPoint server

  1. Verify that the CLI installation utility is deployed.
  2. Run the following command from the <Precise_root> folder on the Precise FocalPoint server:
    • Windows
      infra\bin\psin_cli.bat
      -i3-user <user_name>
      {-i3-password encrypted-password | -i3-clear-password clear-password}
      -action encrypt-update
      -type [aes-key]
    • UNIX
      ./infra/bin/psin_cli.sh
      -i3-user user-name
      {-i3-password encrypted-password | -i3-clear-password clear-password}
      -action encrypt-update
      -type [aes-key]

Table C-1 Configuring password encryption type elements on the Precise FocalPoint server

Element                  Description
-i3-user                 See Authenticate to CLI Utility in the Precise CLI Utility Reference Guide.
-i3-encrypted-password   See Authenticate to CLI Utility in the Precise CLI Utility Reference Guide.
-action                  Always: encrypt-update. Mandatory: Yes.
-type                    Always: aes-key. Mandatory: Yes. AES-based encryption that uses a random symmetric key. It is recommended to update this key once a year. Security level: high.

...

  1. In AdminPoint, verify that the Precise Listener is up and running on all servers.
  2. Run the following command from the <Precise_root> folder on the Precise FocalPoint server:
    • Windows
      infra\bin\psin_cli.bat
      -i3-user user-name
      {-i3-password encrypted-password | -i3-clear-password clear-password}
      -action encrypt-distribute
    • UNIX
      ./infra/bin/psin_cli.sh
      -i3-user user-name
      {-i3-password encrypted-password | -i3-clear-password clear-password}
      -action encrypt-distribute

Table C-2 Distributing new password encryption element settings to all servers

Element                  Description
-i3-user                 See Authenticate to CLI Utility in the Precise CLI Utility Reference Guide.
-i3-encrypted-password   See Authenticate to CLI Utility in the Precise CLI Utility Reference Guide.
-action                  Always: encrypt-distribute. Mandatory: Yes.

...

  1. Create a certificate keystore on the Apache Tomcat server. This file is saved in the folder <Precise_root>\products\gui\website as a certificate .keystore file.
    1. Before you create the .keystore file, delete the alias Tomcat if it already exists. To delete the alias Tomcat, run the following command from the <Precise_root> folder on the Precise FocalPoint:
      • Windows
        java\JRE\bin\keytool -delete -alias tomcat -keystore products\gui\website\.keystore

        Info: For the password, use "changeit". For the question "What is your first and last name", provide the server name used in the URL for the Precise GUI as the answer.

      • UNIX
        java/JRE/bin/keytool -delete -alias tomcat -keystore products/gui/website/.keystore
    2. To create your own certificate, run the following command from the <Precise_root> folder on the Precise FocalPoint:
      • Windows
        java\JRE\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore products\gui\website\.keystore -validity 3000

      • UNIX
        java/JRE/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore products/gui/website/.keystore -validity 3000

        Info: For the password, use "changeit". For the name, use the host as displayed in the URL.

  2. In the file <Precise_root>\products\gui\website\conf\server.xml
    1. Add comment tags around the non-SSL <Connector> tag, the one preceded by the remark "<!-- Define a non-SSL HTTP/1.1 ... -->".
    2. Remove the comment tags around the SSL <Connector> tag, the one preceded by the remark "<!-- Define a SSL Coyote HTTP/1.1 ... -->".
  3. Restart the Precise FocalPoint process on the UNIX server. Restart the Precise FocalPoint service and the Precise user interface service on the Windows server.
  4. Open the Precise application using HTTPS.
    For example:
    https://<host>:<port>

    Info: After restarting the Precise FocalPoint, the SSL port changes to the default port added by the user during installation. If you want to use a different port, you can change the port as described in the Change GUI server port section in the Precise CLI Utility.

    When first launching Precise in a client, a security alert is displayed with the certificate details. You should sign your certificate with a trusted root authority (such as VeriSign). Alternatively, you can install the certificate on each client server that uses the Precise GUI.

  5. In AdminPoint, click the Setup tab and click Nodes in the drop-down menu.

  6. In the Nodes tab, click Edit to update the URL of the node for which you configured the SSL, according to step 4. In addition, if you are working with the Precise Custom Portal, the following configuration must be performed.

...

For general information regarding configuring HTTPS mode, see Apache Tomcat server instructions found at this site: http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html

For information regarding configuring J2EE to work in HTTPS mode, see About Security Options in the Precise for J2EE User Guide. For information on installing your own certificate for J2EE, see Creating and installing certificates for SSL in the Precise Administration Guide.

Changing the session timeout for an Apache Tomcat server

...

Because the JAAS is a common Application Programming Interface (API), you can also configure it to run a custom login module that authenticates a role’s password against an external, centralized password repository. To do so, you must first define the respective role in AdminPoint. For more information on managing roles in AdminPoint, see the Precise Administration Guide.

The login module is a Java class that implements the login module interface of the JAAS API. This API exists in the Java Runtime Environment (JRE) version 1.4.2 and later and is part of the javax.security.auth.* package.

...

  1. Open the \conf\httpd.conf file in the Apache installation folder.
  2. Change the Listen line to the Precise GUI port (the port that the Precise Tomcat Web server currently listens on; 20760 in this example), so that it reads:
    Listen 20760
  3. Change the line with the ServerName and port number (in this example 20760) to the required server and GUI port.
    ServerName GUI-TEST-INST.precise.com:20760
  4. Look for the following three lines with the proxy modules and remove the pound/hash marks (# sign) from them:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
  5. Point Apache at the port the Precise Tomcat Web server will listen on after the change (20761 in this example; see the following section about this port) by adding the following entries at the end of the file:
    <Proxy *>
         Order deny,allow
         Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://gui-test-inst.precise.com:20761/
    ProxyPassReverse / http://gui-test-inst.precise.com:20761/
    Verify that http://gui-test-inst.precise.com:20761 is replaced with the fully qualified domain name and port of your Precise installation.
  6. Open the <Precise_root>/infra/setup.xml file and edit the <tomcat-port> tag.
  7. Change the port of the Precise Tomcat Web server to a port that is not open to the outside world, or is behind a firewall, to prevent direct access to it. In this example, the Tomcat port will be 20761.
  8. Restart first the Tomcat service and then the Apache service.

...

  1. Change the port of the Precise Tomcat Web server to a port that is not open to the outside world, or is behind a firewall, to prevent direct access to it. In this example, the Tomcat port will be 20761.
    Remember to make the change in the Precise setup.xml file
  2. Enable the mod_proxy feature in the Apache Web server. For example, on a Debian server it is done by symlinking some files:
         symsrv:/etc/apache2/mods-enabled# ls
         cgid.conf cgid.load userdir.conf userdir.load
         symsrv:/etc/apache2/mods-enabled# ln -s ../mods-available/proxy.* .
         symsrv:/etc/apache2/mods-enabled# ln -s ../mods-available/proxy_http.* .
         symsrv:/etc/apache2/mods-enabled# ls
         cgid.conf cgid.load proxy.conf proxy.load proxy_http.conf proxy_http.load userdir.conf userdir.load
  3. Configure the mod_proxy feature by creating a configuration file snippet, conf.d/symi3, as described in the following code:
         symsrv:/etc/apache2/mods-enabled# cd ../conf.d
         symsrv:/etc/apache2/conf.d# cat > symi3
         <Proxy *>
              Order deny,allow
              Allow from all
         </Proxy>
         ProxyRequests Off
         ProxyPreserveHost On
         ProxyPass / http://gui-test-inst.precise.com:20761/
         ProxyPassReverse / http://gui-test-inst.precise.com:20761/
         teacup:/etc/apache2/conf.d#
    Verify that http://gui-test-inst.precise.com:20761 is replaced with the fully qualified domain name and port of your Precise installation.
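As an added example (not part of the Precise documentation), the following POSIX shell script checks an Apache configuration against the settings the two procedures above call for: proxy modules loaded, ProxyRequests Off, ProxyPreserveHost On, matching ProxyPass/ProxyPassReverse targets, and a backend port that equals <tomcat-port> in setup.xml and differs from Apache's Listen port. The httpd.conf and setup.xml it reads are constructed inline; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Precise documentation: a consistency check for the
# Apache-in-front-of-Tomcat setup described above. It verifies that the proxy
# modules are loaded, ProxyRequests is Off (On would make Apache an open forward
# proxy), ProxyPreserveHost is On, ProxyPass and ProxyPassReverse name the same
# backend, and that the backend port equals <tomcat-port> in setup.xml while
# differing from Apache's own Listen port. Sample files are constructed below.

# check_proxy_config HTTPD_CONF SETUP_XML: exit status 0 if consistent, 1 otherwise
check_proxy_config() {
    conf="$1"; setup="$2"; rc=0
    for mod in proxy_module proxy_connect_module proxy_http_module; do
        grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$mod[[:space:]]" "$conf" ||
            { echo "FAIL: LoadModule $mod missing or still commented out"; rc=1; }
    done
    grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$conf" ||
        { echo "FAIL: ProxyRequests must be Off"; rc=1; }
    grep -Eiq '^[[:space:]]*ProxyPreserveHost[[:space:]]+On' "$conf" ||
        { echo "FAIL: ProxyPreserveHost must be On"; rc=1; }
    # Backend URL of each directive ("ProxyPass" + space never matches ProxyPassReverse), then ports.
    pass=$(sed -n 's#^[[:space:]]*ProxyPass[[:space:]]\{1,\}/[[:space:]]\{1,\}##p' "$conf" | head -n 1)
    rev=$(sed -n 's#^[[:space:]]*ProxyPassReverse[[:space:]]\{1,\}/[[:space:]]\{1,\}##p' "$conf" | head -n 1)
    [ -n "$pass" ] && [ "$pass" = "$rev" ] ||
        { echo "FAIL: ProxyPass '$pass' and ProxyPassReverse '$rev' differ or are missing"; rc=1; }
    backend_port=$(printf '%s\n' "$pass" | sed -n 's#^https\{0,1\}://[^:/]*:\([0-9]\{1,\}\)/.*#\1#p')
    tomcat_port=$(sed -n 's#.*<tomcat-port>\([0-9]\{1,\}\)</tomcat-port>.*#\1#p' "$setup")
    listen_port=$(sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$conf" | head -n 1)
    [ -n "$backend_port" ] && [ "$backend_port" = "$tomcat_port" ] ||
        { echo "FAIL: ProxyPass port '$backend_port' != setup.xml tomcat-port '$tomcat_port'"; rc=1; }
    [ -n "$listen_port" ] && [ "$listen_port" != "$tomcat_port" ] ||
        { echo "FAIL: Listen port '$listen_port' must differ from the Tomcat port"; rc=1; }
    return $rc
}

# write_samples HTTPD_CONF SETUP_XML TOMCAT_PORT: constructed files using the
# documented example values (Apache listening on 20760, Tomcat on 20761).
write_samples() {
    cat > "$1" <<'EOF'
Listen 20760
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://gui-test-inst.precise.com:20761/
ProxyPassReverse / http://gui-test-inst.precise.com:20761/
EOF
    printf '<setup><tomcat-port>%s</tomcat-port></setup>\n' "$3" > "$2"
}
```

Run it against the real files with `check_proxy_config /path/to/httpd.conf <Precise_root>/infra/setup.xml`; each violated setting is reported on its own FAIL line.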

...

  1. Before downloading and installing the SiteMinder Web agent, perform the steps described in the procedure "To make changes on the System tab" under "Configuring the SiteMinder Policy server".
  2. Download and install the latest SiteMinder Web agent for Apache Web servers.
    Verify that the version you download supports the Apache Web server version that we support (in this case, version 2.2.3), and that you download the file for the platform on which your Apache Web server is installed.
    1. Download the agent from https://support.netegrity.com.
    2. Insert your user name and password.
    3. Select Tools in the left pane.
    4. Choose Download Manager.
    5. Select SiteMinder Web Agent in the Download a product drop-down menu.
    6. Choose SiteMinder 6.x QMR's.
    7. Choose the agent to be downloaded.
  3. After installing the SiteMinder Web agent, configure it according to the SiteMinder's Web agent Installation and Configuration guide.
  4. Open the WebAgent.conf file in the \Program Files\Apache Software Foundation\Apache2.2\conf folder, and then set EnableWebAgent="YES".
  5. Add the Apache Web server as a protected resource to the SiteMinder's protected resources.
  6. Restart the machine after you have installed the Web Agent.

...

  1. Log in to the Policy server management application.
  2. Define the protection on the Precise application by performing steps on two of the three main tabs (System, Domains, Global Policies) on the main window of the Policy server management application as described in separate procedures.

To make changes on the System tab

...

Configuring LDAP to authenticate Precise users

Precise Version 9.6 can integrate with Lightweight Directory Access Protocol (LDAP). LDAP is a better option than JAAS. The following section describes how to configure LDAP.

...

Once integrated with LDAP, Precise Version 9.6 gets all users and groups from the LDAP directory and synchronizes them into its own database. Login passwords are verified by LDAP, so Precise does not need to store (or verify) users' passwords itself.

...

Info: The <bind-password> must be supplied in encrypted form. Use the "encrypt" CLI action to encrypt it. If <use-ldap-authentication> is "false", the password setting must be an encrypted empty string. For more details on how to encrypt a password, see the Precise CLI Utility Reference Guide.

Mapping information

The domain element holds information for the domains that are required to synchronize. You can specify one or more domain elements. Enter the following mapping information:

...

For more information on running the LDAP-sync command, see the Precise CLI Utility Reference Guide.

