...

Precise systems can provide a high level of protection against external and internal intruders, restricting access to the sensitive information that Precise uses and monitors.

This information includes the following:

  • Passwords used by Precise to access the monitored instances

...

  • Data sent between the various Precise agents on the different servers

...

  • Data sent between the Web-based Precise user interface client and the various Precise agents

Installing new servers

...

Configuring a secured Precise system involves setting file permissions and enabling the Precise security mechanisms, such as Advanced Encryption Standard (AES) communication encryption and password encryption.

Both the communication encryption mechanism and the password encryption mechanism support the Advanced Encryption Standard (AES), which is used by default. For higher security, it is recommended to access the Precise Web-based user interface client over the Secure Sockets Layer (SSL) protocol.

In general, it is recommended to replace the encryption keys of all mechanisms (including SSL) periodically.

Setting file permissions

Verify that only the Precise user and group have access to the files under the Precise root folder. You can set the permissions of all files under the root folder to 770.


...

Some monitored instances also require access to these files, so the Precise user should also be a member of the user groups of those monitored instances.

To set file permissions on Windows

  • Verify that the Precise installation folder is not shared and grants access to required users only.
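An added audit script, not part of the Precise product or its documentation, that walks a Precise root folder and reports every entry whose mode grants anything to "other" (that is, anything looser than the 770 target above). demo() builds a constructed, Precise-like directory tree in a temporary folder so it runs without a Precise installation; the paths under it are assumed for illustration only.

```python
import os
import stat
import tempfile

OTHER_BITS = stat.S_IRWXO   # any r/w/x bit for "other" violates the 770 target


def find_world_accessible(root: str) -> list:
    """Return (relative path, octal mode) for every entry under root whose
    mode grants anything to 'other'. Symlinks are skipped so that a link to
    a system file outside the Precise tree is not reported."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = os.lstat(path).st_mode
            if mode & OTHER_BITS:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, oct(stat.S_IMODE(mode))))
    return sorted(findings)


def demo() -> list:
    """Constructed Precise-like tree in a temp folder: infra/ is correctly
    770, logs/ was left at the usual 775/664 defaults (assumed layout)."""
    root = tempfile.mkdtemp(prefix="precise_root_")
    os.makedirs(os.path.join(root, "infra", "bin"))
    os.makedirs(os.path.join(root, "logs"))
    cli = os.path.join(root, "infra", "bin", "psin_cli.sh")
    log = os.path.join(root, "logs", "infra.i3fp.crypt.log")
    for path in (cli, log):
        with open(path, "w") as f:
            f.write("")
    os.chmod(os.path.join(root, "infra"), 0o770)
    os.chmod(os.path.join(root, "infra", "bin"), 0o770)
    os.chmod(cli, 0o770)
    os.chmod(os.path.join(root, "logs"), 0o775)
    os.chmod(log, 0o664)
    return find_world_accessible(root)
```

Run find_world_accessible() against the real <precise_root> as the Precise user; an empty result means no file or folder is readable, writable or executable by accounts outside the Precise user and group.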

About configuring AES communication

By default, Precise communicates using a symmetric key encryption algorithm called Advanced Encryption Standard (AES).

Replacing the encryption key on the Precise FocalPoint server

To replace the communication AES key

  1. Log in to the Main Precise FocalPoint.

...

  2. Run the following command from the <precise_root> folder:

    ...

      • Windows
        infra\bin\psin_cli.bat
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action communication-key-change
        -type aes

    ...

      • UNIX
        ./infra/bin/psin_cli.sh
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action communication-key-change
        -type aes

Distributing the new encryption settings to all servers

For the new encryption settings to take effect, you must distribute them to all servers, completing the distribution no later than 24 hours after you changed the encryption configuration on the Precise FocalPoint server.

The new encryption settings become effective within 48 hours. If a server does not receive the new settings within 48 hours, it can no longer communicate with the Precise system. In this case, you need to perform an additional step to reestablish communication.

NOTE: At the exact moment of key replacement, communication errors may occur in some of the active communication connections. You may encounter these errors in the user interface or in the log files. If they do not persist, ignore them.

To distribute the new encryption settings to all servers

  1. Run the following command from the <precise_root> folder on the Main Precise FocalPoint server:

      • Windows
        infra\bin\psin_cli.bat
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action communication-key-distribute
        {-servers "<comma_separated_servers_list>" | -all-servers true}
        [-manual true]
        [-secure true -user-name <user_name> -password <password>]
        [-user-name <user_name>]
        [-password <password>]

      • UNIX
        ./infra/bin/psin_cli.sh
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action communication-key-distribute
        {-servers "<comma_separated_servers_list>" | -all-servers true}
        [-manual true]
        [-secure true -user-name <user_name> -password <password>]
        [-user-name <user_name>]
        [-password <password>]

     Specify one of the following: -servers with a comma-separated list of the specific servers to distribute the key to, or -all-servers true to distribute the key to all installed servers.
     To transfer the key in secured mode, specify -secure true and supply the user name and password that SSH uses to connect to the servers.
     Alternatively, specify -secure true and -manual true to transfer the key in secured mode manually. Manual mode requires you to run the script yourself on the related servers.
     If you selected automatic distribution, only servers that support the SSH or SCP protocols are supported.

  2. If a server does not receive the new settings within 48 hours, do the following:
     a. Copy all files from the <precise_root>/infra/listener/etc/crypt folder on the Precise FocalPoint server to the server that did not receive the new settings.
     b. Restart all agents on that server.
Verifying encryption configuration on a server (optional)

You can verify that the encryption configuration has been updated on all servers. This procedure scans all of your Precise servers and checks whether each server was successfully updated with the new encryption settings.

If one of the servers reports an error, you need to redistribute the encryption settings. If you still encounter an error after redistributing the settings, contact Precise Customer Support.

NOTE: Run the verify command at least 48 hours after creating the new AES key. This ensures that the protocol is secured with the new key. See Distributing the new encryption settings to all servers.

If the new encryption settings were successfully received on all servers, the scan produces output like the following:

    Server (aix1) ok
    Server (aix2) ok
    Server (aix3) ok
    server scan done

If errors occurred on at least one of the servers, the scan produces output like the following:

    Server (aix1) ok
    error on server (aix 2), see log file for details.
    Server (aix3) ok
    servers scan done

The encryption log is written to the following trace file:

    <precise_root>/logs/infra.i3fp.crypt.log

To verify encryption configuration on all servers

  1. Run the following command from the <precise_root> folder on the Main Precise FocalPoint server:

      • Windows
        infra\bin\psin_cli.bat
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action communication-key-verify
        {-servers "<comma_separated_servers_list>" | -all-servers true}

      • UNIX
        ./infra/bin/psin_cli.sh
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action communication-key-verify
        {-servers "<comma_separated_servers_list>" | -all-servers true}

     Specify one of the following: -servers with a comma-separated list of the specific servers to check, or -all-servers true to check all installed servers.
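An added helper, not part of the Precise product or its documentation, that parses the verify scan output in the two shapes shown above and returns the servers that still need the encryption settings redistributed. The sample scan texts are constructed from the documented output; the name normalisation (the error line prints "aix 2" for server "aix2") is an assumption about that output, not a documented rule.

```python
import re

# Constructed samples in the two output shapes the text above shows.
SCAN_ALL_OK = """Server (aix1) ok
Server (aix2) ok
Server (aix3) ok
server scan done
"""

SCAN_WITH_ERROR = """Server (aix1) ok
error on server (aix 2), see log file for details.
Server (aix3) ok
servers scan done
"""

OK_RE = re.compile(r"^Server \((?P<name>[^)]+)\) ok$", re.IGNORECASE)
ERR_RE = re.compile(r"^error on server \((?P<name>[^)]+)\)", re.IGNORECASE)
DONE = ("server scan done", "servers scan done")


def parse_scan(output: str) -> dict:
    """Classify each scan line as ok / error / other and note completion.

    Internal whitespace is stripped from server names (assumption: the
    documented error line prints 'aix 2' while the ok line prints 'aix2').
    """
    result = {"ok": [], "error": [], "other": [], "complete": False}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in DONE:
            result["complete"] = True
        elif (m := OK_RE.match(line)):
            result["ok"].append(m.group("name").replace(" ", ""))
        elif (m := ERR_RE.match(line)):
            result["error"].append(m.group("name").replace(" ", ""))
        else:
            result["other"].append(line)   # unexpected line, keep for review
    return result


def servers_to_redistribute(output: str) -> list:
    """Servers that still need the settings (redistribute, or copy
    infra/listener/etc/crypt and restart the agents, as described above).

    A scan that never reached its 'scan done' line is treated as a failure,
    because nothing from an incomplete run can be trusted.
    """
    parsed = parse_scan(output)
    if not parsed["complete"]:
        raise RuntimeError("scan did not finish; rerun the verify command")
    return parsed["error"]
```

Feed it the captured stdout of the communication-key-verify command; any name it returns should be redistributed to, and the <precise_root>/logs/infra.i3fp.crypt.log trace checked, before the 48-hour window closes.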
About encrypting passwords

Precise uses the Advanced Encryption Standard (AES) to encrypt the passwords that its different components require to access the monitored instances (such as passwords for databases or Java application servers). These passwords are then saved in internal configuration files.

By default, the password encryption is AES.

Replacing the password encryption key on the Precise FocalPoint server

You can replace the password encryption key on the Precise FocalPoint server by using the Precise Command Line Interface (CLI) installation utility. For information on how to deploy this utility, see the Precise CLI Utility Reference Guide.

To replace the password encryption key on the Precise FocalPoint server

  1. Verify that the CLI installation utility is deployed.

  2. Run the following command from the <precise_root> folder on the Precise FocalPoint server:

      • Windows
        infra\bin\psin_cli.bat
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action encrypt-update
        -type aes-key

      • UNIX
        ./infra/bin/psin_cli.sh
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action encrypt-update
        -type aes-key

Table C-1    Configuring password encryption type elements on the Precise FocalPoint server

  Element                   Description
  -i3-user                  See "Authenticate to CLI Utility" in the Precise CLI Utility Reference Guide.
  -i3-encrypted-password    See "Authenticate to CLI Utility" in the Precise CLI Utility Reference Guide.
  -action                   Always: encrypt-update. Mandatory: Yes.
  -type                     Always: aes-key. Mandatory: Yes. AES-based encryption that uses a random symmetric key. It is recommended to update this key once a year. Security level: high.

For example:

    ./infra/bin/psin_cli.sh
    -i3-user <user_name>
    {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
    -action encrypt-update
    -type aes-key
Distributing the new password encryption settings to all servers

For the new password encryption settings to take effect, you must distribute them to all servers by using the Precise CLI installation utility. This procedure depends on the Precise Listener being up and running on all servers; otherwise, the agents on the servers will not be able to function.

To distribute the new encryption settings to all servers

  1. In AdminPoint, verify that the Precise Listener is up and running on all servers.

  2. Run the following command from the <precise_root> folder on the Precise FocalPoint server:

      • Windows
        infra\bin\psin_cli.bat
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action encrypt-distribute

      • UNIX
        ./infra/bin/psin_cli.sh
        -i3-user <user_name>
        {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>}
        -action encrypt-distribute

Table C-2    Distributing new password encryption element settings to all servers

  Element                   Description
  -i3-user                  See "Authenticate to CLI Utility" in the Precise CLI Utility Reference Guide.
  -i3-encrypted-password    See "Authenticate to CLI Utility" in the Precise CLI Utility Reference Guide.
  -action                   Always: encrypt-distribute. Mandatory: Yes.
Configuring the Precise Apache Tomcat to work in HTTPS mode (SSL)

The Precise user interface is based on an Apache Tomcat server. You can configure it to work in HTTPS mode. This mode uses the Secure Sockets Layer (SSL) protocol to encrypt the data that is sent between the Web browser and the Tomcat server.

To configure Precise Apache Tomcat to work in HTTPS mode

  1. Create a certificate keystore on the Apache Tomcat server. This file is saved in the <precise_root>\products\gui\website folder as a certificate .keystore file.
     a. Before you create the .keystore file, delete the alias tomcat if it already exists. To delete the alias, run the following command from the <precise_root> folder on the Precise FocalPoint:
        UNIX:
        java/JRE/bin/keytool -delete -alias tomcat -keystore products/gui/website/.keystore
        Windows:
        java\JRE\bin\keytool -delete -alias tomcat -keystore products\gui\website\.keystore
        NOTE: For the password, use "changeit". For the question "What is your first and last name", provide the server name used in the URL for the Precise GUI as the answer.
     b. To create your own certificate, run the following command from the <precise_root> folder on the Precise FocalPoint:
        UNIX:
        java/JRE/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore products/gui/website/.keystore -validity 3000
        Windows:
        java\JRE\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore products\gui\website\.keystore -validity 3000
        NOTE: For the password, use "changeit". Also, use the host as displayed in the URL for the name.
  2. In the file <precise_root>\products\gui\website\conf\server.xml:
     a. Add comment tags around the non-SSL <Connector> tag, where the preliminary remark is "<!-- Define a non-SSL HTTP/1.1 ...-->".
     b. Remove the comment tags around the SSL <Connector> tag, where the preliminary remark is "<!-- Define a SSL Coyote HTTP/1.1 ...-->".
  3. On a UNIX server, restart the Precise FocalPoint process. On a Windows server, restart the Precise FocalPoint service and the Precise user interface service.
  4. Open the Precise application using HTTPS. For example:
        https://<host>:<port>
     NOTE: After restarting the Precise FocalPoint, the SSL port changes to the default port added by the user during installation. If you want to use a different port, you can change it as described in the "Change GUI server port" section in the Precise CLI Utility Reference Guide.
     When first launching Precise in a client, a security alert is displayed with the certificate details. You should sign your certificate with a trusted root authority (such as VeriSign). Alternatively, you can install the certificate on each client server that uses the Precise GUI.
  5. In AdminPoint, click the Setup tab and click Nodes in the drop-down menu.
  6. In the Nodes tab, click Edit to update the URL of the node for which you configured SSL, according to step 4.

In addition, if you are working with the Precise Custom Portal, the following configuration must be performed.

To configure Precise Apache Tomcat to work in HTTPS mode with the Precise Custom Portal

  1. Export the certificate:
        <i3>java\jre\bin\keytool -export -alias tomcat -file <file_name>.crt -keystore <i3>products\gui\website\.keystore
  2. Import the certificate:
        <i3>java\jre\bin\keytool -import -file <file_name>.crt -alias tomcat -storepass <changeit> -keystore <i3>\java\JRE\lib\security\cacerts

NOTE: Verify that the same <file_name>.crt is used for exporting and importing the certificate.

NOTE: For the password, use "changeit".

To install a certificate

  1. When you get the certificate warning, click View certificate.
  2. Click Install certificate.
  3. Click Next.
  4. Select Place all certificates in the following store.
  5. Click Browse.
  6. Check Show physical store.
  7. Select Local Computer under Trusted Root Certification Authorities.
  8. Click OK, Next, and then Finish.
  9. Close and restart the Precise GUI, and verify that the certificate warning does not reappear.

For general information regarding configuring HTTPS mode, see the Apache Tomcat server instructions at http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html

For information regarding configuring J2EE to work in HTTPS mode, see About Security Options in the J2EE User's Guide.

For information on installing your own certificate for J2EE, see Creating and installing certificates for SSL in the Precise Administration Guide.
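An added example, not part of Precise or Apache Tomcat, that performs steps 2a and 2b of the HTTPS procedure above on a server.xml: it wraps the non-SSL <Connector> in comment tags and removes the comment tags around the SSL <Connector>, located by the two preliminary remarks the text quotes. The SERVER_XML sample is a constructed, cut-down fragment in the shape of the Tomcat 4.1 file, and the attributes on its connectors are assumed for illustration only.

```python
import re

# Constructed, cut-down fragment in the shape of the Tomcat 4.1 server.xml.
SERVER_XML = """<Service name="Tomcat-Standalone">
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" scheme="http" secure="false"/>

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443" scheme="https" secure="true"
               keystoreFile="products/gui/website/.keystore"/>
    -->
</Service>
"""

NON_SSL_MARK = "<!-- Define a non-SSL HTTP/1.1"   # preliminary remark, step 2a
SSL_MARK = "<!-- Define a SSL Coyote HTTP/1.1"    # preliminary remark, step 2b
# A <Connector .../> element or a <Connector ...> ... </Connector> element.
CONNECTOR_RE = re.compile(r"<Connector\b.*?(?:/>|</Connector>)", re.DOTALL)


def enable_https_only(xml: str) -> str:
    """Return server.xml with the non-SSL connector commented out and the
    SSL connector uncommented. Raises ValueError if a marker is missing or
    the file is already switched, so a re-run never nests comments."""
    non_ssl, ssl = xml.find(NON_SSL_MARK), xml.find(SSL_MARK)
    if non_ssl < 0 or ssl < 0 or ssl < non_ssl:
        raise ValueError("expected connector markers not found in server.xml")
    head, plain, secure = xml[:non_ssl], xml[non_ssl:ssl], xml[ssl:]

    # Step 2a: wrap the first <Connector> after the non-SSL remark in <!-- -->.
    m = CONNECTOR_RE.search(plain)
    if m is None or "<!--" in plain[len(NON_SSL_MARK):m.start()]:
        raise ValueError("non-SSL connector missing or already commented out")
    plain = plain[:m.start()] + "<!--\n" + m.group(0) + "\n-->" + plain[m.end():]

    # Step 2b: remove the <!-- and --> that surround the SSL <Connector>.
    m = CONNECTOR_RE.search(secure)
    if m is None:
        raise ValueError("SSL connector not found")
    gap, tail = secure[len(SSL_MARK):m.start()], secure[m.end():]
    open_at, close_at = gap.rfind("<!--"), tail.find("-->")
    if open_at < 0 or close_at < 0:
        raise ValueError("SSL connector is not commented out; nothing to do")
    secure = SSL_MARK + gap[:open_at] + m.group(0) + tail[close_at + 3:]
    return head + plain + secure
```

Back up server.xml first and diff the result before restarting the FocalPoint; the function refuses to run twice on the same file, which is the mistake that most often leaves Tomcat with both connectors disabled.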
Changing the session timeout for an Apache Tomcat server

For an Apache Tomcat server, you can configure the Tomcat session timeout.

To change the session timeout for an Apache Tomcat server

  1. Open the following file in a text editor:
        <precise_root>\products\gui\website\webapps\i3\web.xml
  2. Change the default session timeout (180) to the required number of minutes. For example:
        <session-config>
            <session-timeout>180</session-timeout>
        </session-config>
  3. Restart the Precise FocalPoint server.

    ...