Linux Deployment Guide. How to deploy Network Shutdown Module for Linux



Similar documents
Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

Application Note AN1502

SecuritySpy Setting Up SecuritySpy Over SSL

Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate. Brent Wagner, Seeds of Genius October 2007

Exercises: FreeBSD: Apache and SSL: SANOG VI IP Services Workshop

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

EventTracker Windows syslog User Guide

Enterprise SSL Support

Replacing vcenter Server 4.0 Certificates VMware vsphere 4.0

Browser-based Support Console

INSTALL ZENTYAL SERVER

Encrypted Connections

Replacing VirtualCenter Server Certificates VMware Infrastructure 3

SWITCHBOARD SECURITY

Scenarios for Setting Up SSL Certificates for View

HOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC

Red Hat Linux Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

Obtaining SSL Certificates for VMware Horizon View Servers

NSi Mobile Installation Guide. Version 6.2

Apache, SSL and Digital Signatures Using FreeBSD

Online Backup Client User Manual Linux

LoadMaster SSL Certificate Quickstart Guide

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Cloud Services. Introduction...2 Overview...2. Security considerations Installation...3 Server Configuration...4

SSL Interception on Proxy SG

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N REV A01 January 14, 2011

Generating and Installing SSL Certificates on the Cisco ISA500

1. Product Information

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Obtaining SSL Certificates for VMware View Servers

Installing Dspace 1.8 on Ubuntu 12.04

How To Run A Password Manager On A 32 Bit Computer (For 64 Bit) On A 64 Bit Computer With A Password Logger (For 32 Bit) (For Linux) ( For 64 Bit (Foramd64) (Amd64 (For Pc

CHAPTER 7 SSL CONFIGURATION AND TESTING

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

EMC Data Protection Search

Apache Security with SSL Using Ubuntu

Protect your CollabNet TeamForge site

RecoveryVault Express Client User Manual

Spectrum Technology Platform. Version 9.0. Spectrum Spatial Administration Guide

Secure IIS Web Server with SSL

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Use Enterprise SSO as the Credential Server for Protected Sites

SETTING UP RASPBERRY PI FOR TOPPY FTP ACCESS. (Draft 5)

CA Performance Center

2 Downloading Access Manager 3.1 SP4 IR1

Online Backup Linux Client User Manual

Microsoft IIS 4 Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

>copy openssl.cfg openssl.conf (use the example configuration to create a new configuration)

Cloud Services. Introduction...2 Overview...2 Simple Setup...2

Online Backup Client User Manual

NETASQ SSO Agent Installation and deployment

Setup Guide Access Manager 3.2 SP3

Creating Certificate Authorities and self-signed SSL certificates

Configuring TLS Security for Cloudera Manager

Go to Policy/Global Properties/SmartDashboard Customization, click Configure. In Certificates and PKI properties, change host_certs_key_size to 2048

Crypto Lab Public-Key Cryptography and PKI

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Cybozu Garoon 3 Server Distributed System Installation Guide Edition 3.1 Cybozu, Inc.

Online Backup Client User Manual

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User and Reference Manual

PowerChute TM Network Shutdown Security Features & Deployment

Installing and Configuring vcenter Multi-Hypervisor Manager

White Paper. Installation and Configuration of Fabasoft Folio IMAP Service. Fabasoft Folio 2015 Update Rollup 3

Oracle Mobile Security Suite Workshop. Installation

DoD Public Key Enablement (PKE) Quick Reference Guide. Securing Apache HTTP with mod_ssl for Linux

FERMILAB CENTRAL WEB HOSTING SINGLE SIGN ON (SSO) ON CWS LINUX WITH SAML AND MOD_AUTH_MELLON

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)

Self Signed Certificates

Dell UPS Local Node Manager USER'S GUIDE EXTENSION FOR MICROSOFT VIRTUAL ARCHITECTURES Dellups.com

PMOD Installation on Linux Systems

FirstClass Synchronization Services Install Guide

webmethods Certificate Toolkit

Secure Traffic Inspection

HP OpenView Adapter for SSL Using Radia

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

Zend Server Amazon AMI Quick Start Guide

KMIP installation Guide. DataSecure and KeySecure Version SafeNet, Inc

Kaspersky Security Center Web-Console

PowerPanel Business Edition Installation Guide

ez Agent Administrator s Guide

Prerequisites and Configuration Guide

FileMaker Server 14. FileMaker Server Help

Avira Update Manager User Manual

MAMP 3 User Guide! March 2014 (c) appsolute GmbH!

Release Notes for Version

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Installation and Administration Guide

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

Online Backup Client User Manual Mac OS

Online Backup Client User Manual Mac OS

STEP 4 : GETTING LIGHTTPD TO WORK ON YOUR SEAGATE GOFLEX SATELLITE

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Novell Sentinel Log Manager 1.2 Release Notes. 1 What s New. 1.1 Enhancements to Licenses. Novell. February 2011

Secure Messaging Server Console... 2

Installing and Configuring vcloud Connector

Setting Up SSL on IIS6 for MEGA Advisor

HP ProLiant Essentials Vulnerability and Patch Management Pack Release Notes

Transcription:

Linux Deployment Guide How to deploy Network Shutdown Module for Linux

1 Contents 2 Introduction... 4 3 To Prepare your System for Install... 4 3.1 RedHat 5.9 i386 Command... 4 3.2 RedHat 5.9 x86_64 Command... 4 3.3 RedHat 6.4 i686 Command... 4 3.4 RedHat 6.4 x86_64 Command... 5 3.5 SuSE 11 SP3 x86_64 Command... 5 4 Known Issues... 5 4.1 Installation and Removal Issues... 5 4.1.1 Kdesu not found on path... 5 4.1.2 Glib Errors/ Warnings... 5 4.1.3 Close and Cancel buttons remain enabled during file installation.... 6 4.1.4 Installer accepts a blank or root folder path.... 6 4.2 PHP Issues... 6 4.2.1 PHP 5.2.8 Multiple Vulnerabilities... 6 4.2.2 Phpinfo.php Information Disclosure... 6 4.3 Lighttpd Issues... 6 4.3.1 Lighttpd 1.4.11 Multiple Vulnerabilities... 7 4.4 Secure Socket Layer (SSL) Issues... 7 4.4.1 SSL Certificate Cannot Be Trusted... 7 4.4.2 Check for SSL Weak Ciphers... 7 4.5 Application Issues... 7 4.5.1 The Upgrade Check reports that the Upgrade URL is Unreachable.... 7 4.5.2 Shutdown Delays are not respected.... 8 5 Workarounds... 8 5.1 Turn Off the Web Server... 8 5.1.1 Stop Network Shutdown Module... 8 5.1.2 Create a Service Configuration File... 8 5.1.3 Replace the Service Startup Script.... 9 5.1.4 Restart the NSM Service(s)... 11 2

5.2 Replace the HTTPS Certificate... 12 5.2.1 Generate a Private Key.... 12 5.2.2 Create an OpenSSL configuration file.... 12 5.2.3 Generate a Certificate Signing Request.... 13 5.2.4 Purchase a Valid SSL Certificate... 13 5.2.5 Configure Lighttpd to use the new Certificate.... 13 3

2 Introduction This document discusses how to install the Schneider Electric Network Shutdown Module, version 3.06 on to modern Linux operating systems. It also discusses known issues and how to address them. 3 To Prepare your System for Install Network Shutdown Module requires a few pre-requisites before installation can be attempted; these are given in Table 1. These packages are available to install through your operating system package manager. In order to ensure these packages are available to you, you may need to register your system with your OS vendor. See your Operating System documentation for details on receiving updated packages. Depending on your system configuration, your package manager may install additional packages to satisfy the dependencies of these packages. Once these packages have been installed, Network Shutdown Module can be installed using the procedure documented in the User Guide. Table 1 - Prerequisite Packages Operating System Architecture Required Packages RedHat 5.9 i386 compat-libstdc++-33 RedHat 5.9 x86_64 compat-libstdc++-33.i386 RedHat 6.4 i386 glibc gtk2 compat-libstdc++-33 libxml2 nss-softokn-freebl RedHat 6.4 x86_64 glibc.i686 gtk2.i686 compat-libstdc++-33.i686 libxml2.i686 nss-softokn-freebl.i686 SUSE 11 SP3 i386 None SUSE 11 SP3 x86_64 libstdc++33-32bit 3.1 RedHat 5.9 i386 Command From the console as root, issue the following: yum install compat-libstdc++-33 3.2 RedHat 5.9 x86_64 Command From the console as root, issue the following: yum install compat-libstdc++-33.i386 3.3 RedHat 6.4 i686 Command From the console as root, issue the following: 4

yum install glibc gtk2 compat-libstdc++-33 libxml2 nss-softokn-freebl 3.4 RedHat 6.4 x86_64 Command From the console as root, issue the following: yum install glibc.i686 gtk2.i686 compat-libstdc++-33.i686 libxml2.i686 nss-softokn-freebl.i686 3.5 SuSE 11 SP3 x86_64 Command From the console as root, issue the following: zipper install libstdc++33-32bit 4 Known Issues 4.1 Installation and Removal Issues 4.1.1 Kdesu not found on path Problem: When running the installer or uninstaller as a user, the following output is produced: which: no kdesu in (/home/bunsen/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/x11:/usr/x11r6/bin:/usr/games:/usr/ lib/mit/bin:/usr/lib/mit/sbin) which: invalid option -- 'c' Fix: These warnings can be safely ignored. Problem: Running the uninstaller on SUSE Linux as a regular user prompts for the administrator password. Then the uninstaller fails to execute. Fix: Run the uninstaller as the root user. Use sudo su or log in as root before attempting to execute the nsminstaller uninstall command. 4.1.2 Glib Errors/ Warnings Problem: When running the installer or uninstaller as the root user, output similar to the following is produced: (nsm_linux_3_06_04.run:26443): GLib-GObject-WARNING **: instance of invalid noninstantiatable type `(null)' (nsm_linux_3_06_04.run:26443): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed... other lines omitted. Fix: These warnings can be safely ignored. 5

4.1.3 Close and Cancel buttons remain enabled during file installation. Problem: The Close (x) and Cancel buttons remain enabled during the installation wizard as it copies files to the install path. Clicking on either of these will result in the installer aborting, before all files have been installed. This can result in failures of the uninstall process in cleanly removing all Network Shutdown Module related files. Fix: Avoid clicking either the close or cancel button as files are being copied. Allow the installer to complete before attempting software removal. 4.1.4 Installer accepts a blank or root folder path. Problem: The Network Shutdown Module will accept a blank install path, or a path consisting of the root directory. In both cases the installation path will be set to the root folder. Installation will proceed successfully. On uninstall, there is a risk of deleting system files unrelated to Network Shutdown Module, as the uninstaller attempts to delete all files and subdirectories under the installation path. Fix: Ensure a subdirectory path is specified for Network Shutdown Module. 4.2 PHP Issues Network Shutdown Module 3.06 uses PHP 5.2.8. 4.2.1 PHP 5.2.8 Multiple Vulnerabilities Network Shutdown Module uses a version of PHP that is affected by multiple flaws: PHP 5.2.8 is no longer actively supported by the PHP project. PHP versions earlier than 5.2.11 are affected by multiple flaws. Multiple Cross Site Scripting Vulnerabilities. Multiple Cookie Injection Scripting Vulnerabilities. Multiple HTML Injection Vulnerabilities Multiple Cross Site Request Forgery Vulnerabilities. Fix: Restrict access to the application. Once configuration has been completed, turn off the web server, as outlined in section 5.1. 4.2.2 Phpinfo.php Information Disclosure Problem: The following file calls the function phpinfo() which discloses potentially sensitive information to a remote attacker:../mge/networkshutdownmodule/www/phpinfo.php Fix: This file can safely be deleted. 4.3 Lighttpd Issues Network Shutdown Module 3.06 uses Lighttpd 1.4.11 as its web server. 6

4.3.1 Lighttpd 1.4.11 Multiple Vulnerabilities Network Shutdown Module uses a version of Lighttpd that is affected by multiple flaws: Lighttpd mod_userdir case sensitive comparison security bypass vulnerability. Lighttpd trailing slash information disclosure. Lighttpd slow request handling remote denial of service vulnerability. Fix: Once configuration has been completed, turn off the web server, as outlined in section 5.1. 4.4 Secure Socket Layer (SSL) Issues Network Shutdown Module 3.06 uses OpenSSL 0.9.7e to provide encryption services. 4.4.1 SSL Certificate Cannot Be Trusted Problem: Network Shutdown Module installs a self-signed certificate. Self signed certificates can provide encryption for HTTPS traffic, but cannot be used to verify the authenticity of the remote host, so are open to man in the middle attacks. Fix: Replace the default certificate with a trusted certificate, as outlined in section 5.2. 4.4.2 Check for SSL Weak Ciphers Problem: Network Shutdown Module supports the following relatively weak ciphers: SSL2_RC4_128_EXPORT40_WITH_MD5 : SSL_EXPORT SSL2_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 : SSL_EXPORT SSL3_RSA_EXPORT1024_WITH_RC4_56_MD5 : SSL_EXPORT SSL3_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 : SSL_EXPORT SSL3_RSA_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT TLS1_RSA_EXPORT1024_WITH_RC4_56_MD5 : SSL_EXPORT TLS1_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 : SSL_EXPORT TLS1_RSA_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT Fix: Once configuration has been completed, turn off the web server, as outlined in section 5.1. 4.5 Application Issues 4.5.1 The Upgrade Check reports that the Upgrade URL is Unreachable. Problem: The Network Shutdown Module upgrade check page reports that the Upgrade URL is unreachable. Fix: Edit the <install path>/www/libs/upgrade.inc PHP file, and replace line 26 with: $autoupgradecheckversionurl = "http://soft.apc.com/download/soft/install/$ostype/nsm/nsmupgradeversion"; Refreshing the Upgrade Check page should show if an upgrade is available. 7

4.5.2 Shutdown Delays are not respected. Problem: The Shutdown After and Shutdown Duration values specified in the Central Shutdown Configuration of the Network Management Card are not respected by the Network Shutdown Module. For example, specifying a Shutdown After value of 3 minutes, one would expect when Utility Failure occurs, it must persist for at least 3 minutes before the attached Network Shutdown Module would begin the shutdown procedure. For Network Shutdown Module 3.06, an issue exists where these values are not respected, and shutdown will occur immediately after the UPS event occurs. There is no fix or workaround available at this time. 5 Workarounds 5.1 Turn Off the Web Server To allow the Network Shutdown Module Web Server to be enabled or disabled separately, use the procedure documented in the following subsections. Please Note: When the web server is stopped, the system tray icon will not receive updates, and will show the status, localhost: unreachable. This can safely be ignored. The system tray icon will begin receiving updates the next time the web server is enabled. 5.1.1 Stop Network Shutdown Module As the root user, issue the following command: # service mge-nsm stop 5.1.2 Create a Service Configuration File Create a configuration file called /etc/nsm3.conf with the following contents: # Service Configuration for Network Shutdown Module 3.06 # The Network Shutdown Module Web Server is responsible for presenting the user # interface. Disabling the web server will prevent configuration changes to # Network Shutdown Module. # # To disable the web server, comment this line, or set to false. ENABLE_WEBSERVER=true #!!! WARNING!!! # The Data Acquisition Engine (DAE) monitors the UPS status and initiates shut # down based on the events configured at the user interface. Disabling the DAE 8

# will leave your server unprotected. # # To disable the Data Acquisition Engine, comment this line, or set to false. ENABLE_DAE=true This configuration enables both the Web Server and the Data Acquisition Engine. To disable a service, comment the line by placing a hash ( # ) in front of it, or set the value from true to false. 5.1.3 Replace the Service Startup Script. Replace the /etc/init.d/mge-nsm script, with the following contents: #! /bin/sh ################################################################################ # LSB compatible init script for the MGE UPS SYSTEMS - Network Shutdown Module # ################################################################################ ### BEGIN INIT INFO # Provides: mge-nsm # Required-Start: $network # Should-Start: # Required-Stop: # Should-Stop: # Default-Start: 3 5 # Default-Stop: 0 1 6 # Short-Description: MGE UPS Systems - Network Shutdown Module # Description: Network Shutdown Module provide power # protection to your computer ### END INIT INFO set -e source /etc/nsm3.conf DESC="Network Shutdown Module" MGE_NSM_HOME="`cat /etc/nsm3_path`" 9

WEBSVR_PID_PATH="${MGE_NSM_HOME}/bin/webserver/logs/lighttpd.pid" DAE_PID_PATH="${MGE_NSM_HOME}/bin/dae/mgeDAE.pid" # Update the needed environment variables LD_LIBRARY_PATH=$MGE_NSM_HOME/lib:$MGE_NSM_HOME/bin/webserver/bin:$LD_LIBRARY_PATH export LD_LIBRARY_PATH MGE_NSM_HOME daemon_start() { if [! -z ${MGE_NSM_HOME} ]; then if [ "$ENABLE_WEBSERVER" = "true" ]; then # Start the webserver cd ${MGE_NSM_HOME}/bin/webserver/bin./lighttpd -f../conf/lighttpd.conf -m./ fi if [ "$ENABLE_DAE" = "true" ]; then # Start the Data Acquisition Engine cd ${MGE_NSM_HOME}/bin/dae./mgeDAE -start fi fi } daemon_stop() { # Stop the webserver [ -f ${WEBSVR_PID_PATH} ] && kill `cat ${WEBSVR_PID_PATH}` 2>/dev/null # Stop the Data Acquisition Engine cd ${MGE_NSM_HOME}/bin/dae./mgeDAE -stop 10

# workaround for hard stop # sleep 2 && killall -9 mgedae 2>&1 1>/dev/null } case "$1" in start) # echo "Starting $DESC." daemon_start ;; stop) # echo "Stopping $DESC." daemon_stop ;; restart) # echo "Restarting $DESC." daemon_stop sleep 2 daemon_start ;; *) echo "$DESC:" echo "Usage: $0 {start stop restart}" >&2 exit 3 ;; esac exit 0 5.1.4 Restart the NSM Service(s) Issue the following command: # service mge-nsm start Depending on the configuration given in the /etc/nsm3.conf, the new startup script will selectively start the enabled services. 11

5.2 Replace the HTTPS Certificate To replace the self-signed certificate with one signed by a trusted Certificate Authority, use the following procedure. In this process we will use the following file names for the various files needed (you may change these as you wish): server.key: A private key file. server.csr: A certificate signing request file. server.crt: The web server certificate file. intermediate.crt: The CA provided intermediate certificate trust path. 5.2.1 Generate a Private Key. Begin by creating a private key file, using openssl as shown here: # openssl genrsa -out server.key 2048 Generating RSA private key, 2048 bit long modulus...++++++...++++++ e is 73547 (0x01001) 5.2.2 Create an OpenSSL configuration file. Save the following to a file called openssl.cnf. Replace values in braces with values appropriate to your location and server. [req] default_bits=2048 default_keyfile=server.key distinguished_name=req_distinguished_name prompt=no [req_distinguished_name] C={ISO3166 two character country code} ST={state or province} L={Locality; generally city} O={Organisation Company Name} OU={Organisation Unit typically certificate type or brand} CN={Common Name typically the fully qualified local host name} 12

emailaddress={optional email address, remove this line if unused} 5.2.3 Generate a Certificate Signing Request. Create a certificate Signing Request (server.csr) file using openssl as shown here: # openssl req new key server.key out server.csr config openssl.cnf No output is given unless an error occurs. All going well, the server.csr file will be created based on the values given in the openssl.cnf file. 5.2.4 Purchase a Valid SSL Certificate Details may vary here as you interact with your trusted Certificate Authority and how they produce certificates. Typically they will ask for the contents of the server.csr file and using this they will produce a server certificate (server.crt) file for you. Save this file to the server host. When asked which type of certificate to produce, choose that which is appropriate for ApacheSSL/mod_ssl, which Network Shutdown Module is compatible with. Your Certificate Authority will also make available an intermediate CA bundle, which contains any root and intermediate certificates needed to authenticate your new certificate. Save this file also to the server host, (e.g. intermediate.crt). 5.2.5 Configure Lighttpd to use the new Certificate. Copy the server.key, server.crt, and intermediate.crt files to /usr/local/mge/networkshutdownmodule/bin/webserver/bin, or to your custom install path. Concatenate the server.key and newly created server.crt file together (the order is not important). # cat server.key server.crt > server.pem For added security, change the owner and permissions for these files to root: # chown root:root *.pem *.key *.csr *.crt # chmod 600 *.pem *.key *.csr *.crt Edit /usr/local/mge/networkshutdownmodule/bin/webserver/conf/lighttpd.conf and modify the HTTPS configuration as follows: $SERVER[ socket ] == :4680 { } ssl.engine = enable ssl.pemfile = server.pem ssl.ca-file = intermediate.crt Save this file and restart the web server for settings to take effect: 13

# /etc/init.d/mge-nsm restart Using a browser to connect to the Network Shutdown Module user interface over https on port 4680, will present the new Certificate Authority signed SSL certificate. ** End of Document ** 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information