Tivoli Endpoint Manager for Remote Control Version 8 Release 2. Internet Connection Broker Guide

Transcription

1 Tivoli Endpoint Manager for Remote Control Version 8 Release 2 Internet Connection Broker Guide

2

3 Tivoli Endpoint Manager for Remote Control Version 8 Release 2 Internet Connection Broker Guide

4 Note Before using this information and the product it supports, read the information in Notices on page 47

5 Contents Chapter 1. Overview Chapter 2. Broker requirements Chapter 3. Broker support installation.. 5 Installing broker support using the installation files. 5 Installing Windows broker support Installing Linux broker support Installing broker support from the TEM console.. 7 Deploying Windows broker support Removing Windows broker support Deploying Linux broker support Removing Linux broker support Chapter 4. Broker configuration Configuring the broker properties Allowing endpoints to connect to a broker Allowing brokers to connect to brokers Chapter 5. Managing brokers Registering a broker on the TEM for RC server.. 21 Viewing a list of registered brokers Editing broker details Deleting a broker Chapter 6. Certificate management.. 23 Creating a self signed certificate Configuring the keystore on the broker Using strict verification with self signed certificates 26 Extracting the certificate from the keystore Certificate Authority signed certificates Trust store configuration Adding a certificate to the trust store Viewing certificates in the trust store Editing a trusted certificate Deleting a trusted certificate Chapter 7. Migrating to a new certificate Chapter 8. Configuring the session connection code Chapter 9. Remote control sessions using a broker Starting a remote control session using a broker.. 35 Chapter 10. Database tables and defintions Chapter 11. Broker setup examples.. 39 Appendix. Support Troubleshooting/FAQs Technical Support Notices COPYRIGHT LICENSE TRADEMARKS Index Copyright IBM Corp. 2003, 2012 iii

6 iv Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

7 Chapter 1. Overview The Internet Connection Broker (broker) is a new component that facilitates establishing remote control sessions when the targets are outside of the managed enterprise network. This component requires that the targets are managed with a Tivoli Endpoint Manager for Remote Control server. For example a user without VPN connected to the internet requires support. As the target is already managed by Tivoli Endpoint Manager for Remote Control and a broker is deployed in the enterprise, the target is accessible from the Internet. Therefore a remote control session can be established, with the broker component making the connection between the controller and target machines possible. As these remote control sessions will be established across the internet, secure connections are important. This is accomplished by using the Transport Layer Security (TLS) protocol and certificates to address the authentication and verification required as well as connection codes to ensure that the endpoints are correctly matched and connected to each other. Copyright IBM Corp. 2003,

8 2 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

9 Chapter 2. Broker requirements The computer on which you install the Tivoli Endpoint Manager for Remote Control broker must have the minimum following items or specification: 1. At least a 1GHz Intel or AMD processor. 2. A minimum of 512Mb of memory. 3. A minimum of 50Mb hard disk space. Platform Support The following Platforms are supported 1. Windows Server 2003 Standard R2 (32 bit), Standard R2 (64 bit), Enterprise R2 (32 bit), Enterprise R2 (64 bit). 2. Windows Server 2003 R2 Datacenter Edition x86-32, x Windows 2008 Server (R1) Standard / Enterprise (32 and 64 bit ) and (R2) Standard / Enterprise / Datacenter (32 and 64 bit ) 4. RHEL 4.0, 5.0 and 6.0 for Intel x86, 5.0 and 6.0 for AMD/eMT 64bit. 5. SLES9/ 10forIntel x86, AMD/eMT 64bit. 6. SUSE (SLES) 10/11 - x86-32, x86-64 Copyright IBM Corp. 2003,

11 Chapter 3. Broker support installation Tivoli Endpoint Manager for Remote Control provides two ways to install the broker support. If you have access to the Tivoli Endpoint Manager for Remote Control (TEM) console you can use the Deploy Tivoli Endpoint Manager for Remote Control Broker fixlets to deploy the broker support. Alternatively you can use the Tivoli Endpoint Manager for Remote Control installation files. Broker support should be installed on the machine(s) that will connect the controller to the target machine when the target machine is not directly accessible by the controller and the connection will be made across the internet. Installing broker support using the installation files To install broker support you can use the Tivoli Endpoint Manager for Remote Control installation files. You can search for and download the relevant installation files from Fix Central. Installing Windows broker support The Tivoli Endpoint Manager for Remote Control installation files provide executable files which can be used to install broker support on a windows machine. To install broker support on a windows machine complete the following steps 1. Unzip TIV-TEMRC821-WIN-FP0001.zip and navigate to trc_broker_setup.exe. You can download this file from Fix Central. 2. Run the trc_broker_setup.exe file. 3. Click Next at the install shield wizard screen. 4. Accept licence terms and click Next. 5. Accept the default location or change the installation destination folder. Click Next. Default location is C:\Program Files\IBM\Tivoli\Remote Control\Broker 6. Click Install. 7. Click Finish. The following files will have been installed in the [working dir]\broker directory, where [working dir] is determined by the version of Windows that you are installing the broker support on. For example C:\Documents and Settings\All Users\Application Data\IBM\Tivoli\Remote Control. v trc_broker.properties v TRCICB-computername-day.log where computername is the computername of the machine that the broker is installed on and day is the day of the week that the broker was installed on. You should check that the Tivoli Endpoint Manager for Remote Control- Internet Connection Broker service has registered and is started. Copyright IBM Corp. 2003,

12 Installing Linux broker support You can install the broker support on a Linux machine by using the RPM file that is provided in the Tivoli Endpoint Manager for Remote Control installation files. Use the additional setup utility to extract the RPM file and then use the RPM file to install the broker support. Extracting the broker RPM file To obtain the broker installation files for installing on a Linux machine, use the additional setup utility provided on the Tivoli Endpoint Manager for Remote Control installation files to extract the RPM file. To extract the RPM file from the installation files complete the following steps 1. Untar the TIV-TEMRC821-MULTI-FP0001.tar file. You can download this file from Fix Central. 2. Navigate to the \Disk1\InstData\[osdir]\VM directory where [osdir] is the operating system that you will use to run the additional setup file on. For example: you can run the additional setup file on a windows machine to extract the broker installation files and then copy the relevant files to the machine that you want to install the broker component on. 3. Start the additional setup file. Windows trc_additional_setup.exe Linux trc_additional_setup.bin 4. Select the required language and click OK. 5. Click Next at the introduction. 6. Accept the licence agreement and click Next. 7. On the Choose Install Set window deselect everything except Internet Connection Broker Installation media and click Next. 8. Accept or change the installation directory and click Next. 9. Click Install. 10. Click Done when finished. The broker RPM file will be extracted to the \RCBroker directory of the installation directory chosen in step 8. Installing the broker RPM file You can install the broker support on a Linux machine by using the RPM file that is provided in the Tivoli Endpoint Manager for Remote Control installation files. To obtain the RPM file you should extract it from the Tivoli Endpoint Manager for Remote Control installation files using the additional setup utility. See Extracting the broker RPM file. If you have not run the additional setup utility on the Linux machine that you want to install the broker on, copy the RPM file to the Linux machine. This procedure describes how to install the broker support on a Linux machine using the RPM file. To install the RPM file complete the following steps Run the ibm-trc-broker i386.rpm file by typing the following command rpm -ivh ibm-trc-broker i386.rpm and follow any instructions to install the file. 6 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

13 The following files will be installed in the /opt/ibm/trc/broker directory. v libcrypto.so v libssl.so v trc_icb v a licence directory In the /etc directory. v trc_broker.properties When the broker support is installed you can configure the broker properties by editing the trc_broker.properties file. Related concepts: Chapter 4, Broker configuration, on page 11 When you install broker support you can use the installed trc_broker.properties file to configure your environment for using the broker capability. Installing broker support from the TEM console You can deploy broker support by running a fixlet from the Tivoli Endpoint Manager console. The Deployment node provides the fixlets required to install broker support on Windows and Linux machines. Use this node to select and run the fixlet relevant to your operating system. Deploying Windows broker support You can use the Deploy Tivoli Endpoint Manager for Remote Control Broker for Windows task to install broker support on a Windows computer To initiate this task complete the following steps: 1. Click on Deployment > Windows in the navigation tree. 2. Click Deploy Tivoli Endpoint Manager for Remote Control Broker for Windows. 3. In the Task window, review the description and follow the instructions in the Actions box to initiate the task. 4. In the Take Action window on the Target tab, select the required option for determining which target(s) to deploy the broker support on. 5. Click OK and enter your Private Key Password. The summary screen will show the progress of the task and will show status complete when it is finished. You should now have broker support installed on the target(s) that were selected when you ran the deployment task. The files for this will have been installed in the [working dir]\broker directory on the selected target(s), where [working dir] is determined by the version of Windows that you are installing the broker support on. For example C:\Documents and Settings\All Users\Application Data\IBM\Tivoli\Remote Control. To make use of the broker support you will need to setup a broker configuration for your environment. See Chapter 4, Broker configuration, on page 11 for details. Chapter 3. Broker support installation 7

14 Removing Windows broker support You can use the Uninstall Tivoli Endpoint Manager for Remote Control Broker for Windows task to remove broker support from a Windows computer To initiate this task complete the following steps: 1. Click on Deployment > Windows in the navigation tree. 2. Click Uninstall Tivoli Endpoint Manager for Remote Control Broker for Windows. 3. In the Task window, review the description and follow the instructions in the Actions box to initiate the task. 4. In the Take Action window on the Target tab, select the required option for determining which target(s) to remove the broker support from. 5. Click OK and enter your Private Key Password. The summary screen will show the progress of the task and will show status complete when it is finished. The broker support files will have been removed from the chosen target(s). Deploying Linux broker support You can use the Deploy Tivoli Endpoint Manager for Remote Control Broker for Linux task to install broker support on a Linux computer. To initiate this task complete the following steps: 1. Click on Deployment > Linux in the navigation tree. 2. Click Deploy Tivoli Endpoint Manager for Remote Control Broker for Linux. 3. In the Task window, review the description and follow the instructions in the Actions box to initiate the task. 4. In the Take Action window on the Target tab, select the required option for determining which target(s) to deploy the broker support on. 5. Click OK and enter your Private Key Password. The summary screen will show the progress of the task and will show status complete when it is finished. You should now have broker support installed on the target(s) that were selected when you ran the deployment task. The files for this will have been installed in the /opt/ibm/trc/broker directory on the selected target(s). To make use of the broker support you will need to setup a broker configuration for your environment. See Chapter 4, Broker configuration, on page 11 for details. Removing Linux broker support You can use the Uninstall Tivoli Endpoint Manager for Remote Control Broker for Linux task to remove broker support from a Linux computer To initiate this task complete the following steps: 1. Click on Deployment > Linux in the navigation tree. 2. Click Uninstall Tivoli Endpoint Manager for Remote Control Broker for Linux. 3. In the Task window, review the description and follow the instructions in the Actions box to initiate the task. 4. In the Take Action window on the Target tab, select the required option for determining which target(s) to remove the broker support from. 8 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

15 5. Click OK and enter your Private Key Password. The summary screen will show the progress of the task and will show status complete when it is finished. The broker support files will have been removed from the chosen target(s). Chapter 3. Broker support installation 9

17 Chapter 4. Broker configuration When you install broker support you can use the installed trc_broker.properties file to configure your environment for using the broker capability. When the broker support is installed, a configuration file, trc_broker.properties, is created which provides examples of the configuration parameters that you can use to create a broker configuration to satisfy your network requirements. In the configuration file you can define default broker setup parameters and also any connections required for your environment. v The broker supports multiple instances of each connection type v The configuration directives for each connection have a user defined prefix. See Chapter 11, Broker setup examples, on page 39 for an example of setting configuration parameters in a sample environment. Configuring the broker properties You can edit the trc_broker.properties file to configure the parameters and connection types required for using brokers in your environment. The trc_broker.properties file that is installed when the broker is installed provides examples of parameters and how they can be used. You can use these examples to create a configuration file for your own network requirements. You can use the set of default parameters, prefixed with Default, to set your configuration and also configure multiple connections. The parameters have a set of default values that can be changed if required and these values can be applied to the parameters prefixed with Default and also to the connection parameters. Table 1. Default parameter values Keyword Default Value Required ServerURL <blank> Yes ProxyURL <blank> No DefaultPortToListen <blank> Yes DefaultBindTo No DefaultBindTo6 :: No DefaultRetryDelay 45 No DefaultKeepAlive 900 No DefaultTLSCertificate server.pem No DefaultTLSPassPhrase <blank> No DefaultTLSCipherList TLSv1+HIGH:!SSLv2:!aNULL:!eNULL :!3DES:@STRENGTH No Required parameters do not have a built-in default value. These parameters must be set either as the value given in the file or within the connection configurations. When a required parameter has been set in the connection parameters this value will override any default values set for the same parameter. Copyright IBM Corp. 2003,

18 Table 2. Required parameters values used Default parameter set Connection parameter set Value Used No No Not defined, a required parameter must be defined in the configuration. No Yes Connection parameter is used Yes No Default parameter is used. Yes Yes Connection parameter is used. Optional parameters have a built-in default value. If the parameter is not set within the default parameters or within the connection parameters, the built-in default value is used. If the parameter is set within the default parameters, but is not set within the connection parameters, the value set for the default parameter will be used by any connections. Table 3. Optional parameters Default parameter set Connection parameter set Value used No No Built in default value is used No Yes Connection parameter is used Yes No Default parameter is used Yes Yes Connection parameter is used To configure the broker to your requirements complete the following steps 1. Edit the trc_broker.properties file. On a windows machine this file is located in the \Broker directory within the brokers s working directory, for example C:\Documents and Settings\All Users\Application Data\IBM\Tivoli\Remote Control\Broker and in Linux it is located in the /etc directory. 2. Configure the entries to your requirements. Logging level Set the required logging level. The logging level determines the types of entries and how much information is added to the broker log file. Default value is 2. Logging level Description 0 no logging 1 error 2 info 4 debug information LogRotation Controls the period after which an older log file will be overwritten. Log rotation can be disabled. Default value is Weekly. 12 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

19 LogRotation Daily Weekly Monthly Disabled Description Overwrite log files after one day Overwrite log files after one week. Overwrite log files after one month. LogRotation is disabled Suffix for hourly rollover 00H to 23H Mon-00H to Sun-23H Suffix for daily rollover Not valid Mon - Sun 01-00H to 31-23H 01 to 31 YYYY-MM-DD-hh YYYY-MM-DD LogRollOver Controls the period after which a new log file is started. This period has to be smaller than the LogRotation period, therefore not all combinations are valid. LogRollover cannot be disabled. Default value is Daily. LogRollover Description Comments Hourly Start a new log file on the hour. Recommended for busy brokers or when using log levels higher than 2. Daily Start a new log file every day. Default setting. FIPSCompliance Determines whether a FIPS certified cryptographic provider is used for all cryptographic functions. Default value is No. PublicBrokerURL Determines the public address and port for the broker you are currently configuring. When there are multiple brokers configured, if the target connects to this broker and the controller connects to a different broker, the property is used to identify this broker so that the controller can connect to it and then successfully reach the target. This property should be set to hostname:port where hostname is the hostname of this broker machine and port is the port that this broker is listening for connections on. Default value is <blank.>. Note: The hostname used here should be the same as the hostname used when registering the broker on the Tivoli Endpoint Manager for Remote Control server. ServerURL Determines the URL of the server that the broker will authenticate the session with. This should be set to the base URL, for example A trailing / character is allowed. This is a required parameter. Note: The broker requires a connection to the remote control server, in order to authenticate sessions and connection codes. As the broker will typically be located outside of the intranet while the server is inside of it, this connection will usually require a proxy server or a chain of gateways. It is strongly recommended to use HTTPS and not HTTP if the connection from the broker to the server passes through an unsecure or untrusted network. Chapter 4. Broker configuration 13

20 ProxyURL Add the URL of a proxy server or gateway if you are using one. This parameter is optional. DefaultPortToListen Defines the TCP port that endpoints should use to connect to this broker. The port for listening for inbound connections. Required parameter. DefaultSourcePort Defines the port that the outgoing connection is using. This parameter is optional. Default is 0. DefaultBindTo This parameter is optional.. Defines the ip address that will be used to create connections with. For example: my\connection.bindto= Default is Optional parameter. DefaultBindTo6 This parameter is optional.. Defines the ip address that will be used to create connections with when using IPv6 networks. Default is ::. Optional parameter. DefaultRetryDelay Defines the time in seconds between attempts to open the configured port for listening for incoming or broker connections. Delay between attempts to connect. This parameter is optional. Default is 45 seconds. DefaultKeepAlive Defines the time in seconds between keepalive requests. This parameter is optional. Default is 900 seconds. DefaultTLSCertificateFile Filename or path to the TLS certificate for this broker. See Chapter 6, Certificate management, on page 23 for more details on creating and managing broker certificates. Default is server.pem. DefaultTLSCertificatePassphrase Password for the private key associated with the TLS certificate This parameter is optional. DefaultTLSCipherList You can use this configuration keyword to override the selection of cipher suites that can be used to secure network connections to or from a broker. A cipher suite is a combination of 4 cryptographic algorithms that are used together to create a secure communication channel. These algorithms are provided by a cryptographic module included with the broker. This module also includes algorithms for backwards compatibility, even if they are now considered to offer little or no security. By default, the broker selects only cipher suites that offer strong security. The default selection can be overridden if necessary. This is normally not needed, but can be used, for example, to disable an algorithm against which a new cryptographic attack has been discovered. The documentation for the syntax of the cipher list can be found on the OpenSSL website ciphers.html#cipher_list_format Default Cipher List 14 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

21 TLSv1+HIGH Only ciphers from the TLSv1 cipher suite with key lengths larger than 128 bits and some cipher suites with 128-bit keys!sslv2 Permanently remove all ciphhers from the SSLv2 cipher suite!anull Permanently remove all ciphers without authentication!enull Permanently remove all ciphers without encryption!3des Permanently remove all ciphers using the triple DES encryption Order the cipher list in order of encryption algorithm key length Note: The broker supports only TLSv1. Support for SSLv2 and SSLv3 is disabled due to known vulnerabilities in those versions of the protocol, even if you include SSLv2 or SSLv3 in the cipher list. Types of cryptographic algorithms Authentication Verify the identify of the client or server using digital certificates. Key Exchange Establish shared secrets to be used as encryption keys and message authentication keys for the session. Encryption Protects the session data from being accessed by unauthorised entities. Message authentication Protects the session data from being tampered with. With the version of OpenSSL shipped with the broker component and the default cipher list, the following ciphers can be used: Encryption v AES key length 256 bits v AES key length 128 bits Authentication v RSA v DSA Key Exchange v RSA v Diffie-Hellman Message Authentication SHA-1 Request Pool An area of memory known as the Request Pool is used to keep track of requests. The connection requests from other brokers are kept in the Chapter 4. Broker configuration 15

22 pool until the pool is full and the oldest requests are recycled. The following parameters can be used to configure the request pool : Request Pool.size The amount of memory, in kilobytes, to reserve for the request pool. The default is 2048 or 2 megabytes. Request Pool.MinimumTTL The minimum time, in minutes, before a request can be recycled. The default is 5 minutes. 3. Configure connections for your broker. You can configure two types of connections. v inbound connections - see Allowing endpoints to connect to a broker v broker connections - see Allowing brokers to connect to brokers on page 17 Allowing endpoints to connect to a broker To allow the broker to accept connections from controllers and targets you can define and configure inbound connections using the trc_broker.properties file. The trc.properties file provides a set of default parameters that once configured will be used for all connections to this broker. You can also configure multiple inbound connections and define a prefix for each connection parameter to allow the broker to find all required settings for each connection. Configure any inbound connections when configuring the trc_broker.properties file. See Configuring the broker properties on page 11 for more details of required and optional parameters and default values. Note: 1. Do not prefix with # or! as these are reserved for comments in properties files. 2. If you want to include spaces in the prefix you have to escape them with \ for example : my connection.connectiontype should be defined as my\connection.connectiontype To configure inbound connections complete the following steps. 1. Configure the following parameters within the trc_broker.properties file ConnectionType Defines the type of connection. Should be set to Inbound or Inbound6 when you are using IPv6 networks. For example: my\ connection.connectiontype=inbound PortToListen Defines the TCP port that endpoints should use to connect to this broker. The port for listening for inbound connections. Required parameter. BindTo This parameter is optional and can be configured to accept incoming connections on specific network interfaces. Defines the ip address that will be used to create connections with. For example:my\connection.bindto= Default is Optional parameter 16 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

23 RetryDelay Defines the time in seconds between attempts to open the configured port for listening for incoming connections. This parameter is optional. Default is 45 seconds. TLSCertificateFile Filename or path to the TLS certificate for this broker. Default is server.pem. TLSCertificatePassphrase Password for the private key associated with the TLS certificate This parameter is optional. TLSCipherList List of allowed ciphers. This parameter is optional. See Configuring the broker properties on page 11 for more details of allowed ciphers. AllowEndpoints Determines whether endpoints can connect to this broker. Yes Endpoint connections can be made to this broker. This is the default value. No Endpoint connections cannot be made to this broker. AllowBrokers Determines whether other brokers can connect to this broker. Set to No or <blank> means other brokers cannot connect to this broker. If other brokers can connect to this broker, provide a list of brokers that are allowed to connect. For example broker1.ibm.com,broker2.ibm.com,broker3.ibm.com. Note: The hostnames listed here must match the certificate and the hostnames used when registering the brokers in the remote control server. 2. Save the file. If you are configuring multiple brokers in your environment which will connect to each other to complete the connection between the controller and target you should configure broker connections in the broker properties file. See Allowing brokers to connect to brokers. Once you have finished creating a broker configuration you can register the brokers in the Tivoli Endpoint Manager for Remote Control database to be used for facilitating remote control connections across the internet. See Registering a broker on the TEM for RC server on page 21. Allowing brokers to connect to brokers To allow the broker to accept connections from other brokers you can define and configure broker connections using the trc_broker.properties file. The trc.properties file provides a set of default parameters that once configured will be used for all connections to this broker. When you have multiple brokers defined in your environment you should configure broker control connections and define a prefix for each connection parameter to allow the broker to find all required settings for each connection. Broker connections need to be configured between the brokers that will connect to each other. The brokers use the network of control connections to determine which broker has the connection from the target. When the target is located, the controller is told to reconnect to the same Chapter 4. Broker configuration 17

24 broker as the target. Configure any broker connections when configuring the trc_broker.properties file. See Configuring the broker properties on page 11 for more details of required and optional parameters and default values. Note: 1. Do not prefix with # or! as these are reserved for comments in properties files. 2. If you want to include spaces in the prefix you have to escape them with \ for example : my connection.connectiontype should be defined as my\connection.connectiontype To configure broker connections complete the following steps. 1. Configure the following parameters within the trc_broker.properties file ConnectionType Defines the type of connection. Should be set to Broker For example: my\connection.connectiontype=broker DestinationAddress Defines the hostname of the broker that the connection is being made to. The broker with this address should have been configured to accept inbound connections. This parameter is required. For example: my\connection.destinationaddress=mybroker.ibm.com DestinationPort Defines the TCP port of the broker to connect to. This parameter is required. SourcePort Defines the port that the outgoing broker connection is using. This parameter is optional. Default is 0. BindTo This parameter is optional and can be configured to accept broker connections on specific network interfaces. Defines the ip address that will be used to create connections with. The source address to use for the connection.for example: my\connection.bindto= Default is Optional parameter RetryDelay Defines the time in seconds between connection attempts. This parameter is optional. Default is 45 seconds. KeepAlive Defines the time in seconds between keepalive requests. This parameter is optional. Default is 45 seconds. TLSCertificateFile Filename or path to the TLS certificate keystore for this broker. Default is server.pem. TLSCertificatePassphrase Password for the private key associated with the TLS certificate This parameter is optional. TLSCipherList List of allowed ciphers. This parameter is optional. See Configuring the broker properties on page 11 for more details of allowed ciphers. 2. Save the file. 18 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

25 Once you have created a broker configuration you can register the brokers in the Tivoli Endpoint Manager for Remote Control database to be used for facilitating remote control connections across the internet. See Registering a broker on the TEM for RC server on page 21. Chapter 4. Broker configuration 19

27 Chapter 5. Managing brokers After installing broker support you can register the broker machines in the Tivoli Endpoint Manager for Remote Control server. Once they have been registered you can view the list of brokers, edit the broker details and delete brokers that are no longer required. The registered broker list is passed from the server to the targets when the targets register, in response to callhomes or at the start of a remote control session. The list is stored in the target property BrokerList. When a target user enters a connection code to start a remote control session using a broker, the target machine will try to connect to each broker in the broker list until it makes a successful connection to one of them. Therefore, when making changes to the broker list you should ensure that there is still one unchanged broker in the list so that the targets can still connect in a remote control session, then once in the session they can callhome to the server and receive the updated broker list. Registering a broker on the TEM for RC server After installing and configuring broker support in your environment you can register a broker in the TEM for RC server This section will explain how to add a broker to the TEM for RC server. To register a broker complete the following steps 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid admin ID and password. 2. Select Admin > New Remote Control Broker 3. On the Add Remote Control Broker screen enter the relevant information Fully qualified hostname Enter the fully qualified ( DNS) hostname for the broker. Port Enter the port that the broker will be listening for connections on. Description Enter a description for the broker. This is optional. 4. Click Submit. The broker will now be added to the Tivoli Endpoint Manager for Remote Control database. Viewing a list of registered brokers Once you have registered brokers you can view the list of brokers by displaying the All Remote Control Brokers report. To view the registered brokers complete the following steps 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid admin ID and password. 2. Select Admin > All Remote Control Brokers Copyright IBM Corp. 2003,

28 Editing broker details Deleting a broker The list of registered brokers should be displayed. After registering a broker on the TEM for RC server you can use the edit broker feature to change any of the saved information for the broker. To edit broker information complete the following steps 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid admin ID and password. 2. Select Admin > All Remote Control Brokers 3. Select the required broker. 4. Select Edit Remote Control Broker. 5. Change the relevant information and click Submit. The broker information will be updated and saved to the database. You can remove brokers from the database if they are no longer required. To remove a broker from the All Remote Control Brokers page, complete the following steps 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid admin ID and password. 2. Select Admin > All Remote Control Brokers 3. Select the required broker. 4. Select Delete Remote Control Broker. 5. Click Confirm on the Confirm deletion screen. The selected broker will be deleted from the Tivoli Endpoint Manager for Remote Control database. Note: Clicking Cancel returns the application to the previously displayed screen and the broker is not deleted. 22 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

29 Chapter 6. Certificate management When using Tivoli Endpoint Manager for Remote Control to facilitate remote control sessions across the internet, you can use certificates to address the authentication and verification required for ensuring secure connections between brokers and endpoints. A separate certificate will be required for each broker that is added to the Tivoli Endpoint Manager for Remote Control infrastructure. This certificate will need to be trusted by the components that can connect to the broker, that is other brokers, controllers and targets and this is achieved by having signing certificates (whether self-signed or part of a chain coming from a valid internal or external Certificate Authority (CA) ) that will be used to sign the broker certificates. These signing certificates are held in a trust store on the Tivoli Endpoint Manager for Remote Control server and are used to verify the broker certificates. The broker supports two key store formats. PKCS#12 This key store format is supported by the IBM Key Management tool (ikeyman), which ships as part of Tivoli Endpoint Manager for Remote Control via the embedded Websphere Application Server (WAS) or standalone WAS. PEM PEM files can be generated with the OpenSSL command line tool or other third party tools. The OpenSSL command-line tool is not shipped with Tivoli Endpoint Manager for Remote Control. The PEM file needs to contain the following items, in the order listed below. 1. Broker's certificate 2. Any intermediate certificates, if required 3. Root certificate 4. Broker's private key Use a text editor or the UNIX cat command to combine all the items in a single file. Tivoli Endpoint Manager for Remote Control can use multiple types of Public Key Infrastructure ( PKI) v A commercial Certificate Authority ( CA) v An internal CA v Self signed certificates There is no real difference between using a commercial CA or an internal CA and it is possible to mix the two kinds. For example, you can run the Tivoli Endpoint Manager for Remote Control server with a self-signed certificate while running all brokers with CA-signed certificates. Tivoli Endpoint Manager for Remote Control provides two levels of certificate validation, strict certificate validation and non-strict certification validation. v Non-strict certificate validation Copyright IBM Corp. 2003,

30 Non-strict certificate validation performs the following checks against the certificate - The identity of the certificate matches the hostname of the broker that you are trying to connect to. - The certificate is within its validity period. In non-strict mode, the client does not need a trust store in order to perform the validation. v Note: This type of certificate validation is strongly discouraged for production usage for remote control sessions over the internet, it is only intended for demo and test environments. Strict certificate validation Strict certificate validation performs one additional check. This additional check requires that the client has a trust store that contains all the root certificates required to validate the certificate chain. The certificate chains to a valid root CA, whose certificate is in the client's trust store Creating a self signed certificate To generate the certificate for a broker you can use the IBM Key Management tool. This tool is provided with the Tivoli Endpoint Manager for Remote Control application and with IBM WebSphere Application Server. You can access the IBM Key Management tool if you have the Tivoli Endpoint Manager for Remote Control server installed with embedded components and also if you have the controller component installed. It is also provided by IBM WebSphere Application Server. Note: If you are using WAS you should make sure that the WS-WASSDK-*- FP update or later has been applied, where * is the platform. For example WS-WASSDK-WinX32-FP To create a new keystore complete the following steps 1. Open a command prompt window. 2. Navigate to one of the following directories depending on where you will run the key tool from. Remote control server installed with embedded components Navigate to the Tivoli Endpoint Manager for Remote Control installation directory. WAS installed Navigate to the WAS installation directory. Controller component installed Navigate to the...\controller\jre directory. For example v Windows - C:\Program Files\IBM\tivoli\Remote Control\Controller\jre v Linux - /opt/ibm/trc/controller/jre 3. Change to the bin directory. 4. Run the ikeyman file relevant to your operating system. 24 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

31 Windows ikeyman.bat Linux ikeyman.sh 5. Select Key Database File > New 6. Select PKCS12 for Key database type. 7. Click Browse, navigate to the location you want to store the keystore, type a filename for your file and click Save. 8. Click OK. 9. Enter and confirm a password to protect the keystore and click OK. 10. Select Create > New Self-Signed Certificate 11. Enter a name for the Key Label. For example, the hostname of the broker. This is the name that will be displayed in the Personal Certificates list in the key management tool GUI. 12. Select X509 V3 for the Version. 13. Select a Key Size value. Default is Recommended value is Select a Signature Algorithm This is a cryptographic algorithm for digital signatures and should be left as the default value SHA1WithRSA. 15. Type a Common Name. This should be set to the DNS hostname and domain of your broker. For example trcbroker.example.com 16. Enter any additional optional information as required. 17. Enter a Validity Period. This is the number of days that the certificate will be valid for. Default is 365 days. 18. Click OK. The.p12 file will be created with the name and selected location chosen in step 7 and will be displayed in the list of personal certificates in the key management tool GUI. Note: The key store contains the private key for the certificate and this must be kept secure at all times. It is recommended that the original copy of the keystore is stored in a secure disk, for example an encrypted USB storage device or similar. You should copy the new certificate to the broker machine and configure the broker properties. See Configuring the keystore on the broker Configuring the keystore on the broker Once you have created the keystore which holds the private key and certificate for the broker, it should be copied to the broker machine and the broker properties configured accordingly. To configure the keystore on the broker you require a.p12 file when using self signed certificates see Creating a self signed certificate on page 24 or a.pem file if using CA certificates, see Certificate Authority signed certificates on page 27. To configure the keystore on the broker complete the following steps 1. Copy the.p12 or.pem file to the working directory of the broker machine. 2. Edit the trc_broker.properties file and configure the TLSCertificateFile property, setting it to the name of the.p12 or.pem file. Chapter 6. Certificate management 25

32 Note: Use DefaultTLSCertificateFile to configure the certificate used for all connections to this broker. Each inbound or broker connection can also be configured to use a different certificate. 3. Use the TLSCertificatePassphrase property to define a password for the keystore. 4. Save the properties file. 5. Restart the broker service. Windows a. Navigate to Control Panel > Administrative tools > Services b. Right click Tivoli Endpoint Manager for Remote Control-Internet Connection Broker and select Restart. Linux Depending on the type of Linux you are using you can use one of the following commands to restart the broker service. v /sbin/service ibmtrcicb restart v /etc/init.d/ibmtrcicb restart Using strict verification with self signed certificates Strict verification can be used with self-signed certificates in Tivoli Endpoint Manager for Remote Control. To do this you should add each broker's certificate to the server trust store. The Tivoli Endpoint Manager for Remote Control controller and target, instructed by the remote control server, uses strict certificate validation by default and requires a trust store. Normally, a trust store contains the Certificate Authority's root certificate(s) but when using self-signed certificates, there is no CA. When using strict certificate verification, the certificate needs to be exported from the keystore and uploaded to the Tivoli Endpoint Manager for Remote Control server. The target downloads and caches the trust store when registering, during the call home process with the server or during a remote control session. The controller downloads the trust store at the start of the remote control session. The use of strict certificate validation is determined by the broker.trusted.certs.required property in the trc.properties file on the remote control server. Set to Yes Strict certificate validation is enabled. This is the default value. Set to No Strict certificate validation is disabled. Note: Disabling strict verification is not recommended. When strict verification is disabled, the Tivoli Endpoint Manager for Remote Control controller and target will trust all valid certificates, whether they were generated by you or by a potentially malicious third party. Extracting the certificate from the keystore When using strict certificate verification, the certificate needs to be extracted from the keystore before being uploaded to the Tivoli Endpoint Manager for Remote Control server. To extract the certificate complete the following steps 26 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

33 1. Open a command prompt window. 2. Navigate to the Tivoli Endpoint Manager for Remote Control installation directory if you have a remote control server installed with embedded components or the WAS installation directory if you have installed a stand alone remote control server. 3. Change to the bin directory. 4. Run the ikeyman file relevant to your operating system. Windows ikeyman.bat Linux ikeyman.sh 5. Select Key Database File > Open 6. Select PKCS12 for Key database type. 7. Click Browse, navigate to and select the required.p12 file. 8. Click Open then OK. 9. Enter the password for the file and click OK. 10. For Key database content select Personal Certificates. 11. Select the required certificate. 12. Click Extract Certificate. 13. Use the default Data type Base64-encoded ASCII data. 14. Enter a filename and location for saving the certificate file to. 15. Click OK. The certificate file, with extension.arm, will be extracted to the chosen location. Once you have extracted the certificate from the keystore you should add it to the trust store on the remote control server. See Adding a certificate to the trust store on page 28. Certificate Authority signed certificates You can use Certificate Authority (CA) signed certificates to address the authentication and verification required for ensuring secure connections between brokers and endpoints. To use a Certificate Authority (CA) signed certificate you should obtain the following items v A certificate for each broker in your environment. v The root certificate and any intermediate certificates for the CA. Note: As different CA s will operate in different ways you should consult the CA s documentation for instructions on how to obtain these. When you have obtained the relevant certificate files you should copy the certificate to the broker machine and configure the broker properties, see Chapter 4, Broker configuration, on page 11. The root certificate should be added to the Tivoli Endpoint Manager for Remote Control server, see Adding a certificate to the trust store on page 28. Chapter 6. Certificate management 27

34 Trust store configuration PEM files can be generated with the OpenSSL command line tool or other third party tools. The OpenSSL command-line tool is not shipped with Tivoli Endpoint Manager for Remote Control. The PEM file needs to contain the following items, in the order listed below. 1. Broker's certificate 2. Any intermediate certificates, if required 3. Root certificate 4. Broker's private key The Tivoli Endpoint Manager for Remote Control server holds the trust store that is used for verifying the broker certificates. This trust store is provided to the controller machine when a remote control broker session is initiated and is also sent to the target machine in response to a callhome from the target. The certificates contained in the trust store are not generated by the server, they are imported into the trust store by an administrator. You can perform the following actions on the certificates. v Add a certificate to the trust store v View the certificates in the trust store v Edit the certificates v Delete certificates Note: The trust store received in the callhome response is stored on the target in the directory defined in the TrustStoreDir target property. Adding a certificate to the trust store You should add the certificates that will be used for verifying the remote control connections established using the Internet Connection Broker to the trust store on the remote control server. If you are using self-signed certificates you should extract the certificate from the key store file. See Extracting the certificate from the keystore on page 26. If you are using a CA certificate you will only be required to add the root certificate to the server. You can add a certificate to the trust store by completing the following steps 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid admin ID and password. 2. Open the certificate file in a text editor. Select the certificate and copy it to the clipboard. Note: You should select everything including the BEGIN CERTIFICATE and END CERTIFICATE lines. 3. Select Admin > New Trusted Certificate 4. Paste the certificate data from the clipboard into the Certificate field. 5. Click Submit. The certificate details will be displayed. 6. Verify that this is the correct certificate and click Submit. The certificate will be added to the server trust store. 28 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

35 Note: After adding certificates to the trust store, all targets should be forced to report the to the server, so that they update their local trust store. If this is not done, the target will not be able to access those brokers for which it does not have a certificate. If there are any brokers for which the target does have a certificate, it will still be able to use those brokers. The target will then automatically update the trust store during the session and can then use the new certificate in the future. Viewing certificates in the trust store Once you have added certificates to the trust store you can view the list of certificates from the Tivoli Endpoint Manager for Remote Control server GUI. You can view the list of certificates in the trust store by completing the following steps 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid admin ID and password. 2. Select Admin > All Trusted Certificates The list of certificates is displayed. Editing a trusted certificate Once you have added certificates to the trust store on the Tivoli Endpoint Manager for Remote Control you can edit the certificate details. To edit a certificate complete the following steps 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid admin ID and password. 2. Select Admin > All Trusted Certificates 3. Select the required certificate. 4. Select Edit certificate. 5. Edit the required details. 6. Click Submit. 7. Verify that the certificate details are correct and click Submit. The certificate details will be changed. Note: After editing certificates in the trust store, all targets should be forced to report the to the server, so that they update their local trust store. You should also make sure that the certificate on the broker contains the new details. If this is not done, the target will not be able to access those brokers whose certificate you have changed. The target will then automatically update the trust store during the session and can then use the new certificate details in the future. Deleting a trusted certificate You can remove certificates from the trust store on the Tivoli Endpoint Manager for Remote Control when they are no longer required. To delete one or more certificates complete the following steps 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid admin ID and password. 2. Select Admin > All Trusted Certificates 3. Select the required certificate. Chapter 6. Certificate management 29

36 4. Click Delete certificate. 5. Click Submit on the Confirm Deletion screen. The certificate(s) will be deleted from the trust store. Note: Clicking Cancel will take you back to the previously displayed screen and the certificate will not be deleted. 30 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

37 Chapter 7. Migrating to a new certificate If your existing certificates are due to expire, you can create new certificates and distribute these to the relevant endpoints to allow them to continue to successfully establish remote control sessions using the broker. Migrating to a new certificate is mostly required when you are using self signed certificates and you have enabled the broker.trusted.certs.required property in the trc.properties file. See Using strict verification with self signed certificates on page 26. When you are using CA signed certificates, only the root certificate needs to be in the server trust store. Root certificates have typically very long lifespans with typical current CA certificates not expiring until after 10 or 20 years at the time of writing. The SSL certificates signed by these CA's usually expire after 1 year. However, you only need to update the SSL certificate on the broker. As long as the new SSL certificates for the broker are issued by the same CA, or a CA whose root certificate is already in the trust store on the server and has been passed on all your endpoints, there is no need to update the trust store on all the endpoints. Create your new self signed certificate and distribute it to all the endpoints before you install it on the broker. To migrate to a new certificate complete the following steps 1. Generate the new certificate before the old certificate expires. See Creating a self signed certificate on page 24. When to do this is determined by how long you think it will take to update the endpoints with the new certificate. Leave the broker running with the old certificate until just before the expiration date. 2. Add the new certificate to the trust store on the server. See Adding a certificate to the trust store on page 28. v Targets calling home from inside the intranet will automatically receive the new certificate from the server and update their trust store. v Targets who successfully start a session via a broker will also automatically update the trust store. This is why the broker needs to continue running with the old certificate. The target does not yet trust the new certificate, so it would be unable to start a session via the broker. 3. Install the new certificate on the broker just before the old certificate expires. See Configuring the keystore on the broker on page Remove the old certificate from the trust store after it has expired. All targets who have updated their trust store will still be able to establish a remote control session using the broker when the old certificate expires. Copyright IBM Corp. 2003,

39 Chapter 8. Configuring the session connection code You can define the number of characters required and the timeout value for the connection code used when starting a remote control session through a broker. When starting a remote control session that will involve one or more brokers, a connection code will be required as part of the session authentication to match the correct controller with the correct target. See Starting a remote control session using a broker on page 35. You can globally configure properties for this code within the Tivoli Endpoint Manager for Remote Control server GUI. To configure the broker session connection code complete the following steps 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid admin ID and password. 2. Select Admin > Edit properties file 3. Select trc.properties 4. Set the connection code length. broker.code.length Determines the number of characters required to be entered for the connection code, in the connection code window, when starting a remote control session through an Internet Connection Broker. Default is 7. Note: There is no limit to the number of characters that can be set however you should use your own discretion when setting this value. 5. Set the connection code timeout value broker.code.timeout Determines the number of seconds the connection code timer will count down from, for the connection code options available when you are starting a broker session as a controller user. Default is 900. See Starting a remote control session using a broker on page Click Submit You should reset the application in order for the new values to take effect by clicking Admin > Reset Application. Copyright IBM Corp. 2003,

41 Chapter 9. Remote control sessions using a broker Remote control sessions using a broker are initiated differently from a direct remote control session between a controller and a target. When starting a remote control session between a controller and target who have a direct connection to each other you select the target you want to connect to and initiate the start session process. The target, once it receives the start session request, will then authenticate this with the remote control server and if valid will receive an acceptance response and the applicable policies and session information from the server and the session will proceed. For remote control sessions involving the broker component you will not be required to select a target and instead will select to start a broker session from within the Tivoli Endpoint Manager for Remote Control server GUI. In doing so, a request for a connection code will be made and this will be generated by the remote control server, passed to the broker and displayed on the controller machine. When the target user enters this connection code it is passed to the broker and then to the remote control server along with the target data for authentication. Once the session has been authorised the applicable policies and session information are passed back to the target and the session proceeds. Note: It should be noted that the type of remote control session that is established will be an Active session unless one of the following conditions are met. v v The policies set for this session do not have Active enabled. In this case the next enabled session mode will be used in the following order of precedence. Guidance mode Monitor mode Chat mode File transfer User acceptance is enabled and the target user selects another session type on the acceptance window. Starting a remote control session using a broker To start a remote control session through the internet with a target you do not have direct access to you can initiate a remote control session from the TEM for RC server GUI and use a broker to make the required connection. This procedure describes how to initiate a remote control session from the Tivoli Endpoint Manager for Remote Control server, using a broker to make the connection to the target and the steps required for the controller and target users. 1. Logon to the Tivoli Endpoint Manager for Remote Control server with a valid ID and password on the machine that will be the controller in the session. 2. Click Targets > Start a Broker session. If a successful connection is made to a broker, the Connection code window is displayed showing the connection code to be used for the remote control session and the session connection timer will begin to count down from 15 minutes, in seconds. Note: During the time that the Connection Code window is displayed you can choose one of the following options. Copyright IBM Corp. 2003,

42 v Click Request New for a new connection code. v Note: The time will reset to 15 minutes and begin to count down in seconds. Click Extend Timeout to increase the time allowed for the session connection to take place. Note: The time will reset to 15 minutes and begin to count down in seconds. v Click Cancel to remove the connection code window. The connection to the broker will not take place. 3. Pass the connection code to the user on the target machine that you want to start a remote control session with. For example this can be done by or phone. 4. Enter the connection code on the target machine. Windows target Enter the connection code by doing one of the following steps, v Right click the target notification icon and select Enter Connection Code. v Open the target GUI and select Actions menu > Enter Connection Code Linux target Open the target GUI and select Actions menu > Enter Connection Code If a successful connection is made to a broker, the connection code is verified and the session is authenticated by the server, the remote control session will begin automatically, with a Connection established successfully message being displayed on the controller machine. If the Enable user acceptance for incoming connections policy is enabled in the session policies the user acceptance window will appear on the target machine. Once the session has started, the features and functions that are available will be dependant on the server policies and permissions set for the session. Note: If there are multiple brokers in the broker list and the controller machine is not connected to the same broker as the target, the controller will connect to the same broker and the following message will be displayed on the controller machine before the remote control session begins. Connecting to:hostname:port where hostname:port is the hostname and port of the broker that the target machine is connected to. If the broker connection cannot be made, the connection code cannot be verified or the target is not authenticated by the server, the target user will be given the option to try the connection option again. When they click Try Again the Connection Code window will be re displayed and they can re enter a connection code. If they click Cancel the connection attempt to the broker will be terminated and the remote control session will not be established. 36 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

43 Chapter 10. Database tables and defintions The following database tables are created and used to hold the registered brokers information and any certificates that are uploaded to the trust store on the server. ASSET.RC_BROKERS Column name BROKERKEY Hostname Port Description Type PRIMARY KEY Varchar(256) INT Varchar(256) COMMON.TRUSTED_CERTS Column name SUBJECT PEM_DATA CERTKEY Type Varchar(256) Varchar(1500) PRIMARY KEY Copyright IBM Corp. 2003,

45 Chapter 11. Broker setup examples The following example illustrates a broker and gateway setup. There are 3 networks present, an intranet, a DMZ network and an internet facing network. A firewall between the Intranet and the Internet allows outbound connectivity but blocks all inbound connections. There is also a security policy in force that does not allow connections to be initiated from the DMZ to the intranet or from the Internet Facing network to the DMZ. Hosts in the Internet Facing network do not have public IP addresses. The internet gateway uses DNAT to map internal IP addresses to public IP addresses, only for the ports needed for specific public services. In this example, the public service is the broker. The broker requires connectivity to the server, but direct connections from the Internet Facing network to the server are not allowed. A chain of gateways is deployed to allow the broker to connect to the server. The following tables provide details of the components and settings present in the example environment. Table 4. TRC components Network name Server Broker Gateway Controller Target Intranet Yes No Yes Yes Yes DMZ No No Yes No No Internet No Yes Yes No No facing Internet No No No No Yes Table 5. Networks Network name Subnet Address Subnet Mask Intranet DMZ Internet Facing Table 6. Machines Host name IP address Roles SERVER.example.com TRC server on port 443 BROKER1.example.com TRC broker on port 8887 BROKER2.example.com TRC broker on port 8887 GATEWAY1.example.com TRC gateway GATEWAY2.example.com TRC gateway on port 8881 GATEWAY3.example.com TRC gateway on port 8881, inbound tunnel on port 8880 CONTROLLER1.example.com Dynamic IP in /24 TRC controller Copyright IBM Corp. 2003,

46 Table 6. Machines (continued) Host name IP address Roles TARGET1.example.com Dynamic IP in different TRC target on mobile system networks Table 7. Firewall Source Destination Port Description / / / / Allow GATEWAY1 to connect to GATEWAY Allow GATEWAY2 to connect to GATEWAY3 Table 8. DNAT Public DNS Name Public IP Private IP Port BROKER1.example.com BROKER2.example.com Broker Configuration Each broker is configured with v Inbound connection for endpoints to connect v Connection to the server via a gateway Broker 1 is configured with an additional inbound connection for control connections from broker 2. Broker 2 is configured with a control connection to broker 1. The following section provides examples of what would be set in the broker and gateway properties files for each of the relevant components. BROKER1.example.com PublicBrokerURL = BROKER1.example.com:8887 ServerURL = ProxyURL = trcgw://gateway3.example.com:8880 DefaultTLSCertificateFile = BROKER1.p12 DefaultTLSCertificatePassphrase = ************************ Inbound1.ConnectionType = Inbound Inbound1.PortToListen = 8887 Broker2.ConnectionType = Broker Broker2.DestinationAddress = BROKER2.example.com 40 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

47 Broker2.DestinationPort = 8881 BROKER2.example.com PublicBrokerURL = BROKER2.example.com:8887 ServerURL = ProxyURL = trcgw://gateway3.example.com:8880 DefaultTLSCertificateFile = BROKER2.p12 DefaultTLSCertificatePassphrase = ************************ Inbound1.ConnectionType = Inbound Inbound1.PortToListen = 8887 Inbound2.ConnectionType = Inbound Inbound2.PortToListen = 8881 Inbound2.AllowEndpoints = no Inbound2.AllowBrokers = BROKER1.example.com Gateway Configuration GATEWAY1 Gateway 1 is configured with a control connection to gateway 2 and an outbound tunnel connection to the server. Gateway2.ConnectionType = Gateway Gateway2.DestinationAddress = Gateway2.DestinationPort = 8881 Server.ConnectionType = OutboundTunnel Server.DestinationAddress = Server.DestinationPort = 443 GATEWAY2 Gateway 2 is configured with an inbound connection and a control connection to gateway 3. Inbound.ConnectionType = Inbound Inbound.PortToListen = 8881 Gateway3.ConnectionType = Gateway Chapter 11. Broker setup examples 41

48 Gateway3.DestinationAddress = Gateway3.DestinationPort = 8881 GATEWAY3 Gateway 3 is configured with an inbound connection and an inbound tunnel connection. Inbound.ConnectionType = Inbound Inbound.PortToListen = 8881 Server.ConnectionType = InboundTunnel Server.PortToListen = Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

49 Appendix. Support Troubleshooting/FAQs This section provides some answers to questions which might arise when installing or using the broker capability. Why should I install broker support in my environment? For any targets situated outside of your enterprise network that require support you should install broker support so that remote control connections to these targets can be made across the internet. Note: It should be noted that the targets should be managed by a remote control server. What method can I use to install broker support? If you have access to the Tivoli Endpoint Manager for Remote Control console you can use the deployment node to deploy the broker support relevant to your operating system. See Installing broker support from the TEM console on page 7. You can also use the Tivoli Endpoint Manager for Remote Control installation media to install broker support. See Installing broker support using the installation files on page 5. When I have installed the broker support, what should I do next? Once you have installed the broker support you should do the following steps 1. Create a broker configuration. See Chapter 4, Broker configuration, on page Register your brokers in the Tivoli Endpoint Manager for Remote Control server. See Registering a broker on the TEM for RC server on page Obtain the required certificates for your broker, see Certificate Authority signed certificates on page 27 or create self-signed certificates for each broker that you have installed, see Using strict verification with self signed certificates on page Add the certificates to the broker machines. See Configuring the keystore on the broker on page Upload the certificates to the server trust store. See Trust store configuration on page 28. Is only one broker allowed? No, you can install multiple brokers in your environment to suit your specific requirements. For example a possible motivation would be to provide service failover, so that new sessions can continue to be serviced while one of the broker goes down. When you have installed the brokers you should configure them adding the relevant connection parameters required to allow connections to be made between your brokers and controllers and targets, see Allowing endpoints to connect to a broker on page 16 and connections between a broker and other brokers. See Allowing brokers to connect to brokers on page 17. How do I select a target and connect to a broker? When starting a broker remote control session you do not select a target. Copyright IBM Corp. 2003,

50 Technical Support You should use the Start a Broker session option in the Tivoli Endpoint Manager for Remote Control server GUI to initiate the session and connect to a broker. The connection code which you receive should be passed to the target user so that they can also start a broker remote control session and use the connection code to make the correct connection. See Starting a remote control session using a broker on page 35. If there are multiple brokers installed which broker do I connect to? You do not connect to a specific broker. When multiple brokers are registered in the remote control server the list of brokers is known as the broker list. When a remote control session is requested using a broker the controller machine tries to connect to each broker in the list until it makes a successful connection to one. The target machine also does the same when connecting to a broker. If they have connected to different brokers, the controller will use the hostname defined in the broker property PublicBrokerURL (on the broker that the target is connected to) to connect to the same broker as the target. Note: The hostname defined in this property should match the hostname defined in the certificate for this broker and also the hostname used when registering the broker in the remote control server. See Configuring the broker properties on page 11. What session modes are available for remote control sessions when using a broker? When starting a remote control session using a broker an Active session will be initiated by default. However if Active mode has not been enabled in the session policies that are defined for the session the next available session mode will be used. The following order of precedence will apply, Guidance, Monitor, Chat, File transfer. In addition, if user acceptance is enabled for the session, the target user can select a different session mode to start from the acceptance window. See Starting a remote control session using a broker on page 35. How do I create a certificate? If you are using a Certificate Authority (CA) certificate you should consult their documentation to see how the root certificate and any relevant intermediate certificates can be obtained. For self-signed certificates you can use the key management tool ikeyman. This tool is shipped with Tivoli Endpoint Manager for Remote Control and is also available through IBM Websphere Application Server. See Creating a self signed certificate on page 24. What should I do if my certificate is about to expire? You can add a new certificate to the broker and to the trust store on the server however to allow the target to still be able to start a session via the broker it needs to continue running with the old certificate. This is because the target does not yet trust the new certificate, so it would be unable to start a session. See Chapter 7, Migrating to a new certificate, on page 31. TEM technical support site offers a number of specialized support options to help you learn, understand, and optimize your use of this product: v TEM Support Site v v Documentation Knowledge Base 44 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

51 v Forums and Communities Appendix. Support 45

53 Notices IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-ibm product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY U.S.A For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan Ltd , Shimotsuruma, Yamato-shi Kanagawa Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you Copyright IBM Corp. 2003,

54 Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation 2Z4A/ Burnet Road Austin, TX USA COPYRIGHT LICENSE TRADEMARKS Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs. IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at copytrade.shtml. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries 48 Tivoli Endpoint Manager for Remote Control: Internet Connection Broker Guide

55 Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, and service names may be trademarks or service marks of others. Notices 49

57 Index A Adding a certificate to the trust store 28 B broker 1 creating 21 deleting 22 editing 22 broker connections configuring 17 broker keystore configuring 25 broker properties file editing 11 broker RPM file extracting 6 installing 6 broker session starting 35 broker setup examples 39 broker support configuring 11 installing 5 from the TEM console 7 brokers viewing 21 C CA certificates 27 certificate adding to trust store 28 creating 24 exporting 26 migrating 31 configuring broker connections 17 configuring broker support 11 configuring inbound connections 16 configuring the keystore on the broker 25 configuring the session connection code 33 connection code configuring 33 length 33 timeout value 33 Creating a broker on the TEM for RC server 21 D database tables and definitions 37 deleting a broker 22 deleting a trusted certificate 29 Deploying Linux broker support TEM console 8 Deploying Windows broker support TEM console 7 E editing a trusted certificate 29 editing broker details 22 editing the broker properties file 11 exporting the certificate from the keystore 26 extracting the broker RPM file 6 F faqs 43 I inbound connections configuring 16 installing broker support 5 Linux 6 TEM console 7 using the installation files 5 Windows 5 installing the RPM file 6 L legal notices Tivoli Endpoint Manager for Remote Control 47 M migrating to a new certificate 31 O overview 1 R remote control sessions using a broker 35 S self signed certificates strict verification 26 starting a broker session 35 support FAQs 43 T technical support 44 troubleshooting 43 trusted certificate deleting 29 editing 29 U Uninstalling Linux broker support TEM console 8 Uninstalling Windows broker support TEM console 8 Using strict verification with self signed certificates 26 V viewing registered brokers 21 Copyright IBM Corp. 2003,

59

60 Printed in USA