unisys Unisys Stealth(cloud) for Amazon Web Services Deployment Guide Release 1.0 January

Transcription

1 unisys Unisys Stealth(cloud) for Amazon Web Services Deployment Guide Release 1.0 January

2 NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the products described in this document are set forth in such agreement. Unisys cannot accept any financial or other responsibility that may be the result of your use of the information in this document or software material, including direct, special, or consequential damages. You should be very careful to ensure that the use of this information and/or software material complies with the laws, rules, and regulations of the jurisdictions with respect to which it is used. Unisys Stealth contains encryption features and is subject to, and certain information pertaining to Unisys Stealth may be subject to, limitations imposed by the United States, the European Union and other governments on encryption technology. Information about these U.S. government limitations may currently be found at For more information about your obligations, please see the agreement entered by your company and Unisys. The information contained herein is subject to change without notice. Revisions may be issued to advise of such changes and/or additions. Notice to U.S. Government End Users: This software and any accompanying documentation are commercial items which have been developed entirely at private expense. They are delivered and licensed as commercial computer software and commercial computer software documentation within the meaning of the applicable acquisition regulations. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys standard commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights clauses. Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries. All other trademarks referenced herein are the property of their respective owners.

3 Contents Section 1. Introduction 1.1. Documentation Updates Understanding Components of Stealth(cloud) for AWS Understanding Default Stealth User Roles and Configurations Understanding Default Filters Prerequisites Understanding Differences with Stealth Deployed in a Data Center Section 2. Launching the Stealth(cloud) Management Server Instance 2.1. Configuring the Administration and Diagnostics System Determining the Management Server Instance Size and License Capacity Subscribing to Enterprise Manager Selecting Parameters and Launching the Management Server Instance Enabling Active Scripting on the Management Server Instance Section 3. Launching Stealth Endpoint Instances 3.1. Before You Begin Determining the Stealth User Role for the Endpoint Instance Subscribing to Endpoint Instances Selecting Parameters and Launching the Stealth Endpoint Instance Section 4. Understanding Your Stealth(cloud) for AWS Environment 4.1. Accessing the Enterprise Manager Interface Accessing Windows Endpoints and Viewing Stealth Status Accessing Linux Endpoints and Viewing Stealth Status Limitations When Accessing AWS Services iii

4 Contents Section 5. Making Changes to Your Stealth(cloud) for AWS Environment 5.1. Updating the Initial Configuration Optionally Updating the Management Server Instance Type Optionally Updating Endpoint Instance Types Section 6. Troubleshooting 6.1. Resolving Common Problems Enterprise Manager Interface Requirements Troubleshooting the Stealth Applet Connection to the Unisys Stealth Logon Service on Windows Endpoints Obtaining Services and Support from Unisys Collecting Diagnostics from the Management Server and Endpoint Instances Deleting the Management Server or Endpoint Instances Appendix A. Parameter Worksheets A.1. Management Server Instance Worksheet A 1 A.2. Endpoint Instance Worksheet A 3 iv

5 Section 1 Introduction Unisys Stealth(cloud) for Amazon Web Services (AWS) enables you to secure an AWS virtual private cloud (VPC) environment using Unisys Stealth technology. This document provides the information required to deploy Stealth(cloud) for AWS Documentation Updates This document contains all the information that was available at the time of publication. Changes identified after release of this document are included in problem list entry (PLE) To obtain a copy of the PLE, contact Unisys Support or access the current PLE from the product support website: Notes: For more information on registering for support, see 6.4 Obtaining Services and Support from Unisys. If you are not logged into the product support site, you will be asked to do so Understanding Components of Stealth(cloud) for AWS Stealth(cloud) for AWS enables you to configure a Stealth-enabled virtual private cloud (VPC) environment to host your secure workloads and applications. A Stealth(cloud) for AWS environment includes the following components: Amazon Virtual Private Cloud (VPC) This is a virtual network that hosts the Stealth(cloud) components. You subscribe to and launch the Management Server instance and its associated Stealth AWS endpoint instances into a VPC. Note: A single Stealth-enabled VPC can support only one Management Server instance. If your environment requires more than one Management Server instance, you must create one VPC for each Management Server instance. Administration and Diagnostics System This is an Amazon Elastic Compute Cloud

6 Introduction (EC2) Windows instance which is used to provide administrative access to the Management Server instance and the endpoint instances and can collect diagnostic information as needed. Management Server instance This is an Amazon EC2 Windows Server instance that runs the Stealth Enterprise Manager software, which is used to authorize Stealth AWS endpoint instances and to provide the user interface for managing your Stealth environment. The Management Server instance must be sized appropriately so that it can manage all of the endpoint instances in your VPC. Endpoint instances These are Amazon EC2 instances running supported Windows or Linux operating systems, which also run the Stealth endpoint software to provide a secure working environment. These instances that run the Stealth endpoint software are known as Stealth endpoints Understanding Default Stealth User Roles and Configurations When you launch the Management Server instance, you have the option to automatically create up to three user roles that you can use for secure communications in your environment. Each Management Server instance can be used to manage up to 500 endpoint instances, and each endpoint participates in one of these three user roles. Endpoint instances that share the same user role can communicate with one another; endpoint instances that do not share the same user role cannot communicate. In addition, other non-stealth-enabled components cannot communicate with any Stealth endpoint instance, unless a filter is specifically created to enable that communication. The following figure illustrates a sample configuration using three Stealth user roles to segment endpoint communications

7 Introduction When you create the Management Server instance, you are prompted to name these three user roles for the StealthUser1, StealthUser2, and StealthUser3 parameters using a naming convention of your choice. You might want to give these user roles names that correspond to security levels in your environment (such as Classified, Secret, TopSecret), that correspond to functions (such as WebServer, AppServer, and DBServer), or that correspond to departments (such as HR, Marketing, and Executive). Based on the user role names you enter, a Certificate-Based Authorization (CBA) certificate is created and added to each endpoint instance (for example, a certificate named Classified is created for the Classified user role). These certificates are used to authorize the endpoint instances so that they can communicate with one another. In addition, endpoint instances share the StealthAdminLicenseCOI with the Management Server instance to obtain licenses and endpoint credentials; filters are preconfigured so that this COI only enables communication between endpoints and the Management Server (to ensure that endpoints cannot use this COI to communicate with one another)

8 Introduction By default, two Stealth configurations are created when you launch the Management Server instance. One configuration is used for administrative authorization by the Enterprise Manager software, and this is known as the StealthAdmin configuration. A second configuration is used to contain the three user roles, and this is known as the Segmentation configuration. If your security needs are met by these default user roles and configurations, you can simply specify the names of three user roles when you launch the Management Server instance, and then you can assign each endpoint instance to use one of these three user roles when you launch the endpoint instances. No further action is required for endpoint instances within the same user role to communicate with one another securely. However, if required, you can create additional user roles and configurations, and then you can manually update the user roles used by your endpoint instances. Once your environment is configured, see the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for more information on how to add additional user roles and configurations using the Enterprise Manager interface. The Advanced Concepts and Operations Guide is available on the Unisys Security website at Understanding Default Filters You use filters to control whether your endpoints can communicate with other components and services. By default, filters are predefined for your endpoint instances. These filters enable you to communicate with all available Amazon services using clear text (non-stealth-secured) communication. For example, these include filters that enable you to communicate with the Amazon S3 service for storage and the Amazon Route53 service for DNS. In addition, when you launch the Management Server instance, you are prompted for the private IP address of the Administration and Diagnostics System. A clear text filter is created to enable the Management Server and endpoint instances to communicate with the Administration and Diagnostics System. If your filtering needs are met by these default filters for Amazon services and the Administration and Diagnostics System, no further action is required. However, if needed, you can create additional filters once your environment is configured. See the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for more information on how to add and assign filters using the Enterprise Manager interface. In addition, note that the IP addresses in a subnet that are reserved by AWS have clear text filters applied to them (so that they are never Stealth-enabled). See the AWS documentation on VPCs and subnets ( for more information on these reserved IP addresses

9 Introduction 1.5. Prerequisites Before you begin to deploy Stealth(cloud) for AWS, you must meet the following prerequisites. Note: See the AWS documentation ( for more information on meeting these prerequisites. Your AWS environment must include one or more virtual private clouds (VPCs) with access to the AWS CloudFormation services. You can use an existing VPC, or you can create a new VPC that is dedicated to your Stealth(cloud) for AWS deployment. The instances that you launch within the VPC must be able to access the AWS CloudFormation services, which means that the instances within the VPC must either have a public IP address or they must have the capability to use Network Address Translation (NAT) to access these services. For more information on configuring IP addressing for your VPC and instances, see If you want to configure more than one Stealth Management Server instance, each Management Server instance requires its own VPC. When you initially configure each instance, you must specify the VPC where you want to launch the instance. You must have one or more Amazon EC2 key pairs. Key pairs are an Amazon administrative requirement for all EC2 instances. You can use an existing key pair or you can create a new key pair for your Stealth(cloud) for AWS deployment. You must select a key pair name when you initially configure each instance. Your environment must include an EC2 instance to act as the Administration and Diagnostics System. This instance provides administrative access to the Management Server instance and the endpoint instances and can collect diagnostic information as needed. See 2.1 Configuring the Administration and Diagnostics System for more information Understanding Differences with Stealth Deployed in a Data Center In addition to the Stealth(cloud) for AWS, the Stealth Solution can be purchased from Unisys and deployed directly in your data center. The following are the differences between the Stealth(cloud) for AWS and when Stealth is deployed in a data center: Stealth(cloud) for AWS supports the following operating systems running on endpoint instances: - Windows Server 2008 R2 - Windows Server 2012 R

10 Introduction - Red Hat Enterprise Linux 6.x and 7.x - SUSE Linux Enterprise Server 11.x - Ubuntu LTS When Stealth is deployed in a data center, the following additional operating systems are supported: - Windows 7 - Windows 8 and Windows Windows Server Ubuntu LTS - IBM AIX V6.1 and V7.1 Endpoint instances are configured to run with Stealth Always On. Stealth Always On means that Stealth is always enabled on the running endpoint (and cannot be disabled by users). In contrast, endpoints in the data center can run Stealth On Demand, which means that users can enable and disable the Stealth service if they need to communicate with other resources in the environment. Stealth deployed in a data center can provide redundant authorization through the use of standalone Authorization Servers. This component is not supported in this release of Stealth(cloud) for AWS. Stealth deployed in a data center supports IPv6 addressing. IPv6 addressing is not supported in Stealth(cloud) for AWS, because IPv6 addressing is not supported by AWS. Stealth deployed in a data center can support mobile users through a feature known as Secure Remote Access. This feature is not supported in Stealth(cloud) for AWS. Stealth deployed in a data center can enable systems and servers running operating systems that are not supported by Stealth to connect to the network and access Stealth-enabled resources through a feature known as Secure Virtual Gateway. This feature is not supported in Stealth(cloud) for AWS. If you want to use any of the features that are not supported in Stealth(cloud) for AWS, contact Unisys at for more information about deploying Stealth in your data center

11 Section 2 Launching the Stealth(cloud) Management Server Instance The Management Server instance is an Amazon EC2 instance that runs Windows Server 2012 R2 and the Stealth Enterprise Manager software, which is used to authenticate and authorize Stealth AWS endpoint instances and to provide the user interface for managing your Stealth environment. Before continuing, be sure that you met the prerequisites listed in 1.5 Prerequisites, and then perform the procedures in this section Configuring the Administration and Diagnostics System Before you can configure the Management Server instance, you must configure an EC2 instance to act as the Administration and Diagnostics System. This instance provides administrative access to the Management Server instance and the endpoint instances and can collect diagnostic information as needed. Best Practice: Because this instance provides access to all Stealth-enabled instances in the VPC, you should ensure that the instance is secure and that access to the instance is controlled. The Administration and Diagnostics System must meet the following requirements: It must be an Amazon EC2 instance in the same VPC as the Management Server instance. If you have more than one Management Server instance, each running in a separate VPC, then you must configure a separate Administration and Diagnostics System in each VPC. The Administration and Diagnostics System can run any operating system; however, it is recommended that you select the Windows Server 2012 R2 operating system, which by default, includes the Remote Desktop software necessary for connecting to the Management Server instance. Note: If you plan to subscribe to and launch Linux endpoints, you should install an SSH client (for example, Putty) that you can use to access Linux endpoint instances

12 Launching the Stealth(cloud) Management Server Instance You must configure a method to access the Administration and Diagnostics System. For example, configure an AWS security group to allow inbound RDP access to the Administration and Diagnostics System. You must configure a method to use the Administration and Diagnostics System to access the Management Server instance and the endpoint instances. By default, a security group enables all outbound RDP and SSH access. If you have restrictions on your security group, you must allow outbound access as follows: - RDP access to connect to the Management Server instance and Stealth Windows endpoints - SSH access to connect to Linux endpoint instances Do the following to configure the Administration and Diagnostics System: 1. Launch an EC2 instance that meets the requirements listed earlier in this topic. Note: The Administration and Diagnostics system can use any Amazon instance type. (There are no minimum requirements for vcpu or memory.) See the Amazon EC2 documentation at for specific information for launching an EC2 instance, and see for more information on configuring the required security groups. 2. Wait for the instance to be created (that is, wait until the status reads running). 3. Confirm that you can connect to the Administration and Diagnostics System. 4. Record the private IP address of the Administration and Diagnostics System. (To locate the IP address, on the EC2 Management Console, select the instance, and then locate the Private IP under the Description tab.) When you configure the Management Server instance, you must specify the private IP address of the Administration and Diagnostics System, and a clear text filter is created to enable the Management Server instance and endpoint instances to communicate with this system Determining the Management Server Instance Size and License Capacity Enterprise Manager provides licenses to Stealth endpoint instances from a pool of licenses called AWS Marketplace licenses. The total number of available licenses is determined by the Enterprise Manager instance size that you select when you configure the Management Server instance. When you subscribe to Stealth(cloud) Enterprise Manager and launch the Management Server instance, you select one of the following, depending on how many Stealth endpoint instances you plan to subscribe to and launch in your VPC: Small Launches an m4.large EC2 instance that supports up to 25 endpoint instances Medium Launches an m4.large EC2 instance that supports up to 50 endpoint instances

13 Launching the Stealth(cloud) Management Server Instance Large Launches an m4.xlarge EC2 instance that supports up to 250 endpoint instances Extra Large Launches an m4.2xlarge EC2 instance that supports up to 500 endpoint instances Notes: If you select the South America (São Paulo) region, m3 instance types are used. For more information on Amazon EC2 instance types, see ec2/instance-types. You must select a capacity that is sufficient for the number of Stealth endpoint instances that you plan to subscribe to and launch. In addition, it is a best-practice to select a capacity that will accommodate a slightly expanded configuration; however, you can change the instance size as your needs change. If you change your instance type, the maximum number of subscribed endpoints that can be authorized is automatically updated. See 5.2 Optionally Updating the Management Server Instance Type for more information on resizing the Management Server instance. If you plan to include more than 500 Stealth endpoint instances in your Stealth(cloud) for AWS deployment, you must create additional Management Server instances; only one Management Server instance is supported in a single Amazon VPC. If you require more than one Management Server instance, each must be launched in a separate VPC Subscribing to Enterprise Manager To launch a Management Server instance from the AWS Marketplace, you must subscribe to Unisys Stealth(cloud) Enterprise Manager. Do the following: 1. Navigate to the AWS Marketplace webpage ( 2. At the top of the page, click Sign in, and then sign in using your AWS account credentials. 3. In the search box, enter Unisys Stealth. 4. On the results page, select Unisys Stealth(cloud) Enterprise Manager. 5. On the Unisys Stealth(cloud) Enterprise Manager solutions page, do the following: a. Under Pricing Details, under For region, use the default region or select a new region. b. Under Pricing Details, under Delivery Methods, select Stealth(cloud) Enterprise Manager. Note: A CloudFormation template is the required method to launch the Management Server; therefore, you must select this option. (Do not select Single AMI.) 6. Click Continue. 7. If you have previously subscribed to this product, skip to the next step

14 Launching the Stealth(cloud) Management Server Instance If this is your first time subscribing to this product, you are prompted to accept the terms; do the following: a. On the Launch on EC2 page, click Accept Terms. You see the Thank You page, which states that you will receive an with more details. b. Review the when it arrives, and then return to the Thank You page. c. On the Thank You page, click Return to Product Page. You see the Launch on EC2 page. 8. On the Launch on EC2 page, confirm that the region you want to use is selected, and ensure that Stealth(cloud) Enterprise Manager is selected under Deployment Options. 9. Click Launch with CloudFormation Console. Note: If you do not see the Launch with CloudFormation Console button, change the value under Deployment Options from Single AMI to Stealth(cloud) Enterprise Manager. The values you entered are processed, and the CloudFormation console launches with the Management Server CloudFormation template selected. Continue by performing the procedure in the following topic: 2.4 Selecting Parameters and Launching the Management Server Instance Selecting Parameters and Launching the Management Server Instance Note: For a printable worksheet that you can use to record the values you enter, see A.1 Management Server Instance Worksheet. After you subscribe to Enterprise Manager, do the following to select parameters and launch the Management Server instance: 1. On the CloudFormation console, on the Select Template page, click Next. The Specify Details page appears and provides a set of parameters that you use to configure the Management Server instance. Note: The parameters you enter on this page are not verified until you create the CloudFormation stack. Therefore, you should be very careful to enter these values correctly. For example, you are prompted to enter and verify passwords multiple times on this page, and you should ensure that these passwords match and that they meet the specific requirements for each password; if they do not, the CloudFormation stack creation will fail. 2. Enter a name for the stack in the Stack name box

15 Launching the Stealth(cloud) Management Server Instance 3. Under Parameters, enter the following: a. For 01KeyName, select the name of an existing EC2 key pair that you want to use to meet the standard Amazon practice to have a key pair for all EC2 instances. b. For 02VPC, select the VPC where you want to launch the Management Server instance. Notes: A VPC can include only one Management Server instance. Stealth endpoint instances that will be managed by this Management Server instance must also be launched in the same VPC. c. For 03Subnet, select the subnet within the VPC that you want to use for the Management Server instance. The subnet you select must exist in the VPC you selected. Note: The Management Server instance and Stealth endpoint instances can use separate subnets within the same VPC. d. For 04Capacity, select the Enterprise Manager capacity that corresponds to your planned number of Stealth endpoint instances. See 2.2 Determining the Management Server Instance Size and License Capacity for more information. e. For 05StealthUser1, enter a name for the StealthUser1 user role. You can assign Stealth endpoint instances to this user role when you launch them, and only endpoint instances that share a user role can communicate. For example, you might want to give this user role a name that correspond to a function (such as DatabaseRole or ApplicationRole) or that correspond to a department (such as HRRole, MarketingRole, or ExecutiveRole). See 1.3 Understanding Default Stealth User Roles and Configurations for more information on Stealth user roles. Note: The user name must be between one and 15 characters, and it can only include alphanumeric characters and hyphens. f. For 06StealthUser1Password, enter a password for StealthUser1. Note: The password must be between six and 50 characters, and it must include all of the following: At least one uppercase letter At least one lowercase letter At least one number At least one of the following special # % ^ & * ( ) _ + = g. For 07StealthUser1PwVerify, verify the password for StealthUser1. h. For 08StealthUser2, optionally enter a name for the StealthUser2 user role. Like the StealthUser1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment

16 Launching the Stealth(cloud) Management Server Instance Note: The user name must also meet the requirements for StealthUser1, listed previously. i. If you entered a name for StealthUser2, for 09StealthUser2Password, enter a password for StealthUser2. Note: This password must also meet the requirements for StealthUser1Password, listed previously. j. If you entered a name for StealthUser2, for 10StealthUser2PwVerify, verify the password for StealthUser2. k. For 11StealthUser3, optionally enter a name for the StealthUser3 user role. Like the StealthUser1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment. Note: The user name must also meet the requirements for StealthUser1, listed previously. l. If you entered a name for StealthUser3, for 12StealthUser3Password, enter a password for StealthUser3. Note: This password must also meet the requirements for StealthUser1Password, listed previously. m. If you entered a name for StealthUser3, for 13StealthUser3PwVerify, verify the password for StealthUser3. n. For 14EMAdminPassword, enter a password for the Enterprise Manager Administrator account. EMAdmin is the account that you use to log on to the Management Server instance and that you use to run the Stealth services on that instance. Note: This password must be between six and 50 characters long, and it must include all of the following: At least one uppercase letter At least one lowercase letter At least one number At least one of the following special # $ % ^ & * ( ) _ + = In addition, the user name cannot be included as part of the password. o. For 15EMAdminPwVerify, verify the password for the Enterprise Manager Administrator account, EMAdmin. p. For 16MySQLRootPassword, enter a password for the MySQL Root account for the MySQL database running on the Management Server instance. Note: This password must be between eight and 50 characters long, and it must include all of the following: At least one uppercase letter At least one lowercase letter

17 Launching the Stealth(cloud) Management Server Instance At least one number At least one of the following special # $ % ^ & * ( ) _ + = q. For 17MySQLRootPwVerify, verify the password for the MySQL Root account. r. For 18PortalAdminPassword, enter a password for the Enterprise Manager interface administrator account, portaladmin. Note: This password must be between six and 50 characters, and it must include all of the following: At least one uppercase letter At least one lowercase letter At least one number At least one of the following special # $ % ^ & * ( ) _ + = s. For 19PortalAdminPwVerify, verify the password for the Enterprise Manager interface administrator account, portaladmin. t. For 20TomcatUserPassword, enter a password for the Tomcat service that runs on the Management Server instance. Note: This password must be between six and 14 characters long, and it must include all of the following: At least one uppercase letter At least one lowercase letter At least one number At least one of the following special # $ % ^ * ( ) _ + = In addition, the user name cannot be included as part of the password. u. For 21TomcatUserPwVerify, verify the password for the Tomcat service. v. For 22AdminAccessIPAddress, enter the private IP address for the Administration and Diagnostics system, which is the instance in the VPC that you want to use to provide administrative access for diagnostic purposes. Note: You should have configured the Administration and Diagnostics system as described in 2.1 Configuring the Administration and Diagnostics System. 4. When you have finished specifying the configuration parameters, click Next. 5. On the Options page, optionally enter one or more key-value pairs to tag the Management Server instance. Tags are used to help identify resources in the AWS console. 6. Optionally set any additional advanced options for the new instance

18 Launching the Stealth(cloud) Management Server Instance Note: Do not change the value for the Rollback on failure option (the default value is Yes). 7. Click Next. 8. On the Review page, verify that the parameters and options that you specified appear correctly, select the check box to acknowledge the I acknowledge that this template might cause AWS CloudFormation to create IAM resources notice, and then click Create. 9. Wait until the Management Server instance is created (that is, wait until the status reads CREATE_COMPLETE). The Windows Server 2012 R2 instance that forms the basis for the Management Server instance can take approximately 30 minutes to launch from AWS. In addition, the CloudFormation template requires an additional minutes to be completed. If the AWS geographic region you are using is experiencing a heavy traffic load, this process might require additional time. Therefore, you should allow at least 90 minutes for the Management Server instance status to read CREATE_COMPLETE. Note: If the instance reads CREATE_COMPLETE in only a few minutes, this is usually an indicator that the Management Server instance has failed to launch correctly. This is most commonly a result of parameters being entered incorrectly; for example, entering different passwords for the same StealthUser or entering a password that does not meet the specific requirements. In that case, select the instance, and then select the Outputs tab to review the provided error message. If the instance reads CREATE_FAILED or ROLLBACK_FAILED, the CloudFormation logs and Stealth diagnostics are collected and uploaded to the Amazon S3 bucket, which is created during the CloudFormation process, in the EnterpriseManager\log subfolder Enabling Active Scripting on the Management Server Instance Active scripting must be manually enabled on the Management Server instance for the Enterprise Manager software to operate. After the Management Server instance has been created, do the following. Note: You should wait until the status reads CREATE_COMPLETE before connecting to the Management Server instance. If you connect to the Management Server instance before the CloudFormation process is complete, the Stealth Applet might not start. If you need to manually launch the Stealth Applet, from the Start menu, type USS-Applet in the Search box. 1. From the AWS Management Console, select EC2 under Compute. 2. On the EC2 Dashboard, select Instances in the left pane (under Instances). 3. Right-click the Administration and Diagnostics System instance, and then select Connect. 4. If you have not already done so, get the password for the Administration and Diagnostics System instance

19 Launching the Stealth(cloud) Management Server Instance 5. If required, download and open the Remote Desktop File. 6. Log on to the Administration and Diagnostics System using the user name and password. 7. On the Administration and Diagnostics System, use Remote Desktop Connection (RDP) or another connection software (if you selected a Linux operating system for your Administration and Diagnostics System), and connect to the Management Server instance using its private IP address. 8. Log on to the Management Server instance using the EMAdmin user name and the password that you set for the EMAdminPassword in 2.4 Selecting Parameters and Launching the Management Server Instance. Note: Do not use the default Administrator user name and password. 9. If you receive a warning that the identity of the remote computer cannot be verified, click Yes to continue. 10. Ensure that there are no open browser windows. 11. From the Start menu, enter gpedit.msc in the Search box, and then press Enter. 12. In the Local Group Policy Editor window, in the left pane under Computer Configuration, expand Administrative Templates, expand Windows Components, expand Internet Explorer, expand Internet Control Panel, expand Security Page, and then click Internet Zone. 13. Double-click Allow active scripting. 14. On the Allow active scripting dialog box, select the Enabled option, and then ensure that Enable appears in the Allow active scripting list (under Options). 15. Click OK to close the Allow active scripting dialog box. 16. In the left pane of the Local Group Policy Editor window, select Intranet Zone (under Security Page). 17. Double-click Allow active scripting. 18. On the Allow active scripting dialog box, select the Enabled option, and then ensure that Enable appears in the Allow active scripting list (under Options). 19. Click OK to close the Allow active scripting dialog box. 20. Close the Local Group Policy Editor window. If you want to create endpoint instances, you can minimize or close the Management Server desktop and perform the procedures in Section 3, Launching Stealth Endpoint Instances. If you want to review the current configuration of your Management Server using the Enterprise Manager interface, perform the procedure in 4.1 Accessing the Enterprise Manager Interface

20 Launching the Stealth(cloud) Management Server Instance

21 Section 3 Launching Stealth Endpoint Instances This section provides information about launching Stealth endpoint instances, which are Amazon EC2 instances secured with Stealth endpoint software. The Stealth endpoint software and Stealth user roles enable you to secure communication between the Stealth endpoint instances in your environment Before You Begin Before you begin to configure and launch Stealth endpoint instances in your VPC, ensure that you have launched a Management Server instance with the appropriate capacity to manage the number of endpoint instances you plan to launch. See Section 2, Launching the Stealth(cloud) Management Server Instance, for more information. In addition, you must record the StealthSecurityGroup and StealthBucket keys from the Management Server instance that you want to use to manage this new endpoint instance. Do the following: 1. Access the CloudFormation Management Console. 2. Select the Stack that corresponds to the Management Server instance. 3. On the Outputs tab, record the following key values: StealthSecurityGroup StealthBucket 3.2. Determining the Stealth User Role for the Endpoint Instance When you launch an endpoint instance, you select a Stealth user role to assign to the instance. You assign user roles to enable secure communication in your environment. Endpoint instances that share the same user role can communicate with one another; endpoint instances that do not share the same user role cannot communicate. In addition, other non-stealth-enabled components cannot communicate with any Stealth endpoint instance. To enable Stealth endpoint instances to communicate with non- Stealth-enabled components, you must create filters to allow clear text communication with those components. You created up to three user roles when you launched the Management Server instance in 2.4 Selecting Parameters and Launching the Management Server Instance. For

22 Launching Stealth Endpoint Instances example, you might have given these user roles names that correspond to a function (such as DatabaseRole and ApplicationRole) or that correspond to a department (such as HRRole, MarketingRole, and ExecutiveRole). Ensure that you understand which Stealth user role you want to assign before you launch an endpoint instance. Changing the user role after an endpoint instance is launched is a manual process. See the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for more information on adding and changing user roles Subscribing to Endpoint Instances Stealth(cloud) for AWS supports the following operating systems running on endpoint instances: Windows Server 2008 R2 Windows Server 2012 R2 Red Hat Enterprise Linux 6 and 7 SUSE Linux Enterprise Server 11 Ubuntu Linux Do the following to subscribe to one or more Stealth(cloud) endpoint instances: 1. Navigate to the AWS Marketplace webpage ( 2. At the top of the page, click Sign in, and then sign in using your AWS account credentials. 3. In the search box, enter Unisys Stealth. 4. On the results page, select one of the following types of Stealth endpoints: Unisys Stealth(cloud) on Windows Server 2008 R2 Unisys Stealth(cloud) on Windows Server 2012 R2 Unisys Stealth(cloud) on Red Hat Enterprise Linux 6 Unisys Stealth(cloud) on Red Hat Enterprise Linux 7 Unisys Stealth(cloud) on SUSE Linux Enterprise Server 11 Unisys Stealth(cloud) on Ubuntu Linux On the solutions page for the Stealth endpoint type you selected, do the following: a. Under Pricing Details, under For region, use the default region or select a new region. b. Under Pricing Details, under Delivery Methods, select Unisys Stealth(cloud) on <operating system>. Note: A CloudFormation template is the required method to launch the Stealth endpoint; therefore, you must select this option. (Do not select Single AMI.)

23 Launching Stealth Endpoint Instances 6. Click Continue. 7. If you have previously subscribed to this product, skip to the next step. If this is your first time subscribing to this product, you are prompted to accept the terms; do the following: a. On the Launch on EC2 page, click Accept Terms. You see the Thank You page, which states that you will receive an with more details. b. Review the when it arrives, and then return to the Thank You page. c. On the Thank You page, click Return to Product Page. You see the Launch on EC2 page. 8. On the Launch on EC2 page, confirm that the region you want to use is selected, and ensure that Unisys Stealth(cloud) on <operating system> is selected under Deployment Options. 9. Click Launch with CloudFormation Console. Note: If you do not see the Launch with CloudFormation Console button, change the value under Deployment Options from Single AMI to Unisys Stealth(cloud) on <operating system>. The values you entered are processed, and the CloudFormation console launches with the endpoint CloudFormation template selected. Continue by performing the procedure in the following topic: 3.4 Selecting Parameters and Launching the Stealth Endpoint Instance. Note: After you complete the procedure in 3.4 Selecting Parameters and Launching the Stealth Endpoint Instance, you can return to this procedure and perform these steps again to launch as many endpoint instances as are required in your environment Selecting Parameters and Launching the Stealth Endpoint Instance Note: For a printable worksheet that you can use to record the values you enter, see A.2 Endpoint Instance Worksheet. After you subscribe to the endpoint type, do the following to select parameters and launch the endpoint instance: 1. On the CloudFormation console, on the Select Template page, click Next. The Specify Details page appears and provides a set of parameters that you use to configure the endpoint instance. Note: The parameters you enter on this page are not verified until you create the CloudFormation stack. Therefore, you should be very careful to enter these values correctly. For example, you are prompted to enter and verify the StealthUser

24 Launching Stealth Endpoint Instances password on this page, and you should ensure that these passwords match; if they do not, the CloudFormation stack creation will fail. 2. Enter a name for the stack in the Stack name box. 3. On the Specify Details page, enter the following for each parameter: a. For 01KeyName, select the name of an existing EC2 key pair that you want to use to meet the Amazon administrative requirement to have a key pair for all EC2 instances. b. For 02VPC, select the VPC where you launched the Management Server instance. c. For 03Subnet, select the subnet within the VPC that you want to use for this endpoint instance. Note: The Management Server instance and Stealth endpoint instances can use separate subnets within the same VPC. d. For 04StealthSecurityGroup, select the security group created by the Management Server instance, which you were directed to record earlier in this topic. e. For 05InstanceType, select the EC2 instance type you want to use for the new instance. The default is m4.large, but you can use any available instance type in the list. Note: If you select the South America (São Paulo) region, m3 instance types are used. f. For 06StealthBucket, enter the S3 bucket ID that corresponds to the Management Server instance, which you were directed to record earlier in this topic. g. For 07InstanceProfile, optionally specify an existing Identity and Access Management (IAM) instance profile, if you do not want to use the instance profile created by the CloudFormation template. (An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.) Note: If you specify an existing IAM instance profile, that profile must have access to the bucket you selected in the previous step. h. For 08StealthUser, select the Stealth user role that you want to assign to this instance. You specified up to three user roles (called StealthUser1, StealthUser2, and StealthUser3) when you configured the Management Server instance in 2.4 Selecting Parameters and Launching the Management Server Instance. i. For 09StealthUserPassword, enter the password for the user role that you specified for the StealthUser parameter. You entered this password when you configured the Management Server instance in 2.4 Selecting Parameters and Launching the Management Server Instance. Note: Be very careful to enter the correct password. This password is not verified against the Management Server CloudFormation template when the endpoint instance is launched. If you enter an incorrect password, the CloudFormation stack creation will fail

25 Launching Stealth Endpoint Instances j. For 10StealthUserPwVerify, verify the password that you entered. 4. When you have finished specifying the configuration parameters, click Next. 5. On the Options page, optionally enter one or more key-value pairs to tag the instance. Tags are used to help identify resources in the AWS console. 6. Optionally set any additional advanced options for the new instance. Note: Do not change the value for the Rollback on failure option (the default value is Yes). 7. Click Next. 8. On the Review page, verify that the parameters and options that you specified appear correctly, select the check box to acknowledge the I acknowledge that this template might cause AWS CloudFormation to create IAM resources notice, and then click Create. 9. Wait until the endpoint instance is created (that is, wait until the status reads CREATE_COMPLETE). Windows operating system instances can take approximately 30 minutes to launch from AWS, while Linux operating system instances can take approximately 15 minutes to launch from AWS. In addition, the CloudFormation template requires an additional five minutes to be completed. If the AWS geographic region you are using is experiencing a heavy traffic load, this process might require additional time. Therefore, you should allow at least 45 minutes for a Windows endpoint instance or 20 minutes for a Linux endpoint instance status to read CREATE_COMPLETE. Note: If the instance reads CREATE_COMPLETE in only a few minutes, this is usually an indicator that the endpoint instance has failed to launch correctly. This is most commonly a result of parameters being entered incorrectly; for example, entering different passwords for the same StealthUser. In that case, select the instance, and then select the Outputs tab to review the provided error message. If the instance reads CREATE_FAILED or ROLLBACK_FAILED, the CloudFormation logs and Stealth diagnostics are collected and uploaded to the Amazon S3 bucket, which is created during the Management Server CloudFormation process, in the StealthUser\log subfolder (where StealthUser is the user role name you specified previously in this procedure)

26 Launching Stealth Endpoint Instances

27 Section 4 Understanding Your Stealth(cloud) for AWS Environment After you configure the Management Server instance and at least two endpoints in the same user role, your endpoints can use secure Stealth tunnels to communicate. This section provides an overview on how to access the Management Server instance and view the Enterprise Manager interface, as well as how to view the endpoint instances and the current Stealth status Accessing the Enterprise Manager Interface You use the Enterprise Manager interface, running on the Management Server instance, to manage your Stealth configuration. To access the Enterprise Manager interface, perform the following procedure: 1. If you have not already done so, log on to the Management Server instance by doing the following: a. From the AWS Management Console, select EC2 under Compute. b. On the EC2 Dashboard, select Instances in the left pane (under Instances). c. Right-click the Administration and Diagnostics System instance, and select Connect. d. If required, download and open the Remote Desktop File. e. Log on to the Administration and Diagnostics System using the user name and password. f. On the Administration and Diagnostics System, use Remote Desktop Connection (RDP) or another connection software (if you selected a Linux operating system for your Administration and Diagnostics System), and connect to the Management Server instance using its private IP address. g. If you receive a warning that the identity of the remote computer cannot be verified, click Yes to continue. h. Log on to the Management Server instance using the EMAdmin user name and the password that you set for the EMAdminPassword in 2.4 Selecting Parameters and Launching the Management Server Instance. 2. On the Management Server instance desktop, double-click the Unisys Enterprise Manager Portal icon