Post on 28-Dec-2021

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: EMS Installation Overview for DOD Environment

EMS Installation Overview for DOD Environment, 6.2.110a (Version 6.2.110)

Page 1 of 46

EMS Installation Overview for DOD Environment

Department of Defense (DOD) installations require advanced security configurations to ensure that all communications are properly encrypted and logins are properly restricted. Meeting these requirements involves several additional hardening steps that are beyond the scope of standard AudioCodes Element Management System (EMS) deployments. This document lists the steps required to do a complete, ground-up installation of an EMS for a DOD deployment. Several steps are documented fully in the AudioCodes EMS Server Installation, Operation, and Maintenance (IOM) Manual (document number LTRT-94130).

NOTE: After an EMS software upgrade, review all of the DOD advanced hardening steps, as some items may be overwritten by the application of the upgrade.

Document Revision - Security Bundle Summary

Document Version: 6.2.110a
Description: New document for version 6.2.110


CAUTION!!! - Use extreme care when running these commands as failure to follow exact steps can cause system malfunction.

Installation Summary

1. Operating System installation
2. Basic EMS Server installation
3. Basic server installation verification
4. Basic security hardening
5. Standard advanced security hardening
6. DOD advanced Unix security hardening
7. DOD advanced Apache server hardening
8. Ethernet interface redundancy implementation
9. Locality information configuration
10. DOD PKI certificate installation
11. Attachmate Reflection for IT – SSH installation
12. CAC authentication configuration
13. Enable OCSP


EMS version 6.2 introduces a new hardware platform, the Sun Netra T5220. The T5220 provides increased hard disk capacity and disk redundancy with RAID. Most of this document applies to all server platforms. When there are differences, the appropriate commands will be preceded by a header indicating the platform.

1. Operating System Installation

New installations of the EMS for version 6.2 require 3 DVDs: Solaris, Oracle, and EMS Software. The OS and Oracle DVDs are unique to each hardware platform as follows:

Platform        Solaris DVD                     Oracle DVD
SunFire V215    Solaris 10 – Rev 7 for V215     Oracle 6.2 – Rev 2 for V215
Netra T2000     Solaris 10 – Rev 7 for T2000    Oracle 6.2 – Rev 2 for T2000
Netra T5220     Solaris 10 – Rev 7 for T5220    Oracle 6.2 – Rev 2 for T5220

The EMS Software and Documentation DVD is the same for all platforms.

WARNING!! – Installing the Operating System from scratch reformats the hard disk drive and ERASES ALL DATA!!! Please do not begin this step until all critical files from any previous installation are properly backed up.

SunFire V215 & Netra T2000

Carefully follow the instructions in the EMS IOM manual to complete this step. Keep in mind the following key points:

Serial/RS-232 management port access is required for this step.

Be sure to use the AudioCodes provided OS installation media for the specific server hardware. Use “Rev7” of the Solaris DVD for version 6.2.73 and above for the V215 or T2000 platform.

Solaris 10 installation takes approximately 30 minutes.

Reboot the server after the final step to complete the installation, then continue with Step 2 – Basic EMS Server installation.

Netra T5220

Carefully follow the instructions below to complete this step. Keep in mind the following key points:

Serial/RS-232 management port access is required for this step.

Be sure to use the AudioCodes provided OS installation media for the specific server hardware. Use “Rev7” of the Solaris DVD for version 6.2.73 and above for the T5220 platform.

Solaris 10 installation takes approximately 50 minutes.

Reboot the server after the final step to complete the installation.


The first step of installing the customized Solaris operating system on the T5220 is to configure the RAID array. This step makes the second disk an exact duplicate of the first disk for redundancy (RAID 1). As with any operating system installation, this step erases all contents of both disks. Perform the following steps; in the listings below, the text following each prompt is the input you type.

1. Connect via management serial port to the Netra T5220.

2. Plug in the server’s power cable.

3. Wait for the ILOM login prompt in the serial port and login:

SUNSPxxxxxxxxxxxx login: root

Password: changeme

This is the default password. To change it, use the following command.

-> set /SP/users/root password

Changing password for user /SP/users/root/password...

Enter new password: ********

Enter new password again: ********

New password was successfully set for user /SP/users/root

The case-sensitive password must be between 8 and 16 characters. Use mixed case, numbers, and special characters (do not use colon or spaces) for improved security.

IMPORTANT: DO NOT LOSE THIS PASSWORD!!

4. Type the following commands:

-> set /HOST/bootmode script="setenv auto-boot? false"

5. Turn on the power, using the front power button, #8 in the following image:


6. Type the following commands:

-> set /HOST send_break_action=break

-> start /SP/console

Confirm the last command by pressing “y” and wait until you get the ok prompt: {0} ok

7. Type the following commands in order to identify the default boot device:

{0} ok printenv boot-device

boot-device = disk net

{0} ok devalias disk

disk /pci@0/pci@0/pci@2/scsi@0/disk@0

8. Insert the Solaris installation DVD and type the following command in order to use the CDROM for booting into single user mode:

{0} ok boot cdrom -s

9. Use the following command to determine the disk aliases (the c1t0d0 and c1t1d0 entries in the output below):

# cfgadm -al

Ap_Id Type Receptacle Occupant Condition

c1 scsi-sata connected configured unknown

c1::dsk/c1t0d0 disk connected configured unknown

c1::dsk/c1t1d0 disk connected configured unknown

usb0/1 unknown empty unconfigured ok

usb0/2 unknown empty unconfigured ok

10. Configure RAID 1 using the following command (use the aliases from the previous step) and confirm it by typing yes (ignore messages about label corruption; this issue will be handled in the next step):

# raidctl -c -r 1 c1t0d0 c1t1d0

Creating RAID volume will destroy all data on spare space of

member disks, proceed (yes/no)? yes

....

Volume c1t0d0 is created successfully!


11. Configure and label the RAID volume. Always select the disk name that represents the RAID volume that you have configured. Ignore the “Corrupt label” errors.

# format

Searching for disks...

done

c1t0d0: configured with capacity of 278.99GB

AVAILABLE DISK SELECTIONS:

0. c1t0d0 <LSILOGIC-LogicalVolume-3000 cyl 65533 alt 2 hd 32 sec 279>

/pci@0/pci@0/pci@2/scsi@0/sd@0,0

Specify disk (enter its number): 0

selecting c1t0d0

[disk formatted]

WARNING: /pci@0/pci@0/pci@2/scsi@0/sd@0,0 (sd0):

Corrupt label - bad geometry

Disk not labeled. Label it now? Label says 585925000 blocks; Drive says 585805824 blocks

yes

...

FORMAT MENU:

disk - select a disk

type - select (define) a disk type

partition - select (define) a partition table

current - describe the current disk

format - format and analyze the disk

repair - repair a defective sector

label - write label to the disk

analyze - surface analysis

defect - defect list management

backup - search for backup labels

verify - read and display labels

save - save new disk/partition definitions

inquiry - show vendor, product and revision

volname - set 8-character volume name

!<cmd> - execute <cmd>, then return

quit

format> type


AVAILABLE DRIVE TYPES:

0. Auto configure

1. Quantum ProDrive 80S

2. Quantum ProDrive 105S

3. CDC Wren IV 94171-344

4. SUN0104

5. SUN0207

6. SUN0327

7. SUN0340

8. SUN0424

9. SUN0535

10. SUN0669

11. SUN1.0G

12. SUN1.05

13. SUN1.3G

14. SUN2.1G

15. SUN2.9G

16. Zip 100

17. Zip 250

18. Peerless 10GB

19. LSILOGIC-LogicalVolume-3000

20. other

Specify disk type (enter its number)[19]: 0

c1t0d0: configured with capacity of 278.99GB

<LSILOGIC-LogicalVolume-3000 cyl 65533 alt 2 hd 32 sec 279>

selecting c1t0d0

[disk formatted]

format> label

Ready to label disk, continue? yes

format> disk

AVAILABLE DISK SELECTIONS:

0. c1t0d0 <LSILOGIC-LogicalVolume-3000 cyl 65533 alt 2 hd 32 sec 279>

/pci@0/pci@0/pci@2/scsi@0/sd@0,0

Specify disk (enter its number)[0]: 0

selecting c1t0d0

[disk formatted]

format> quit

# reboot -- cdrom - install

The last command will complete the OS installation. This step takes about 45 minutes. Be sure to include the space characters before and after the dashes as shown. There are 2 consecutive dashes between “reboot” and “cdrom”.


12. After the server reboots, log in as user “root” with password “root”. Run the network-config script and follow the prompts to set the server hostname and IP address.

# network-config

NOTE: This is the only time that the hostname may be changed. The IP address may be changed at a later date, after the EMS software installation.

2. Basic EMS Server installation

Carefully follow the instructions in the EMS IOM manual to complete this step. Keep in mind the following key points:

The installation procedure has changed since previous releases. Be sure to follow the instructions in the manual closely.

Userid “root” is now used for all steps during EMS software installation.

The first step uses the Oracle DVD. The next step uses the EMS Software DVD.

The first step of the EMS Software installation adds several Solaris patches.

The installation of the EMS and Oracle may take up to 3 hours.

The following errors, if seen, may be ignored:

gunzip: /tmp/EmsServerInstall/ntpv4/ is a directory -- ignored

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

TNS-12541: TNS:no listener

TNS-12560: TNS:protocol adapter error

TNS-00511: No listener

Solaris Error: 146: Connection refused

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521)))

TNS-12541: TNS:no listener

TNS-12560: TNS:protocol adapter error

TNS-00511: No listener

Solaris Error: 146: Connection refused

On the Netra T5220, the following errors are seen during Oracle hardening and may be ignored:

WARNING: EM is not configured for this database. No EM-specific actions can be performed.

WARNING: Error initializing SQL connection. SQL operations cannot be performed

WARNING: Error executing /oracle/orahome/sysman/admin/emdrep/bin/RepManager -connect (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=ems157)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=dbems))) -repos_user SYSMAN -action drop -verbose -output_file

SEVERE: Error dropping the repository

cp: cannot create /oracle/orahome/network/admin/listener.ora: Permission denied

Error! Failed to drop user SYSMAN!!

Reboot after the last step.

3. Basic server installation verification

After the basic server installation is completed, install the client application and connect to the server (default client user/password is acladmin/pass_1234). If this step fails, do not proceed until resolved. Contact AudioCodes support if additional assistance is required.


Before proceeding, correct an issue with a missing library file. Run these commands to become root and correct the issue. If the library exists, you will get an error message which may be ignored.

su - root

ln -s /usr/local/lib/libgcc_s.so.1 /usr/lib/libgcc_s.so.1

4. Basic security hardening

Carefully follow the instructions in the EMS IOM manual to complete this step. Keep in mind the following key points:

The EmsServerManager script does not allow basic hardening if connected via telnet. Use SSH for login access at this stage. Use “su - root” to become root before running EmsServerManager to do Basic Hardening.

When prompted to enable SNMP services, enter “n”. There is no requirement to make the Solaris SNMP services available.

After the server is rebooted, connect using EMS Client to verify server is still working.

5. Standard advanced security hardening

Carefully follow the instructions in the EMS IOM manual to complete this step. After the server reboots, become root and properly set the file permissions for the /ACEMS directory.

su - root

chmod 755 /ACEMS

Keep in mind the following key point:

After the server is rebooted, connect using EMS Client to verify server is still working.

6. DOD advanced Unix security hardening

The basic and advanced hardening scripts are provided to close standard vulnerabilities that most customers would see in a hostile networking environment. However, DOD requires an even stricter implementation that is beyond the scope of the scripts, so the additional hardening steps below must be completed manually. Use the following steps for the operating system.

CAUTION!!! - Use extreme care when running these commands as failure to follow exact steps can cause system malfunction.

Each step of this section requires “root” access. To become root, SSH into the server with user “acems” and run the following command to become root.

su - root


Use the “id” command as shown to verify the current user.

id

uid=0(root) gid=0(root)

GEN000246

BEFORE COMPLETING THIS STEP, VERIFY THAT YOUR NTP SERVERS SUPPORT NTPv4. IF NOT, SKIP THIS STEP.

Enable NTP and encryption for the NTP client. Use the EmsServerManager script with the “Configure NTP” option to set the EMS server as an NTP client. Follow the prompts to specify at least 2 NTP servers for redundancy. Verify that each server reports a time offset, which indicates that NTP is working:

NTP Configuration

Current NTP status: On

     remote           refid      st t when poll reach   delay  offset   disp
==============================================================================
 192.168.10.10   10.1.1.11       4 u   19   64   37    1.21  -1.828  453.42
*192.168.10.11   10.1.1.11       4 u   17   64   37    1.88  -3.609  453.43

These steps enable encryption for the NTP communications. In the commands below, replace “<NTP1_IP>” and “<NTP2_IP>” with the respective NTP server IP addresses.

Edit the /etc/inet/ntp.conf file. Add these 3 lines after the driftfile /var/ntp/ntp.drift line.

crypto pw clientpassword

keysdir /etc/inet

crypto randfile /dev/urandom

Run these commands to create encryption keys for NTP:

rm /root/.rnd

dd if=/dev/random of=/root/.rnd bs=512 count=1

cd /etc/inet

ntp-keygen -H -p clientpassword

rm /root/.rnd

Edit the /etc/inet/ntp.conf file. At the end of each “server IP prefer” line, add the word “autokey”.

For example:

server <NTP1_IP> prefer autokey

server <NTP2_IP> prefer autokey

Run this command to keep NTP configuration files in sync.

cp /etc/inet/ntp.conf /etc/ntp.conf

Run the following commands to restart the NTP service and resynchronize.

svcadm disable network/ntp

ntpdate <NTP1_IP>

ntpdate <NTP2_IP>

svcadm enable network/ntp
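As an added example (not part of the AudioCodes document), the following POSIX shell function checks an ntpq -p style peer table, such as the one EmsServerManager prints under "NTP Configuration", for the two conditions this step depends on: at least two reachable servers and one of them selected as the system peer. The sample table is constructed from the output shown on the page; the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the AudioCodes document: check an "ntpq -p"-style
# peer table for at least two reachable servers and one selected system peer.
# A peer is reachable when its "reach" column (an octal shift register of the
# last 8 polls) is non-zero; the selected peer carries a "*" tally code in
# column 1. Run it after "svcadm enable network/ntp" has had a few minutes.

ntp_peers_ok() {
    # stdin: peer table text; exit 0 when healthy, 1 otherwise.
    awk '
        {
            tally = substr($0, 1, 1)
            line  = $0
            # The tally code occupies column 1; strip it unless the line has none.
            if (tally ~ /[ x.+#*o-]/) line = substr($0, 2); else tally = " "
            n = split(line, f, " ")
            if (n < 10 || f[3] !~ /^[0-9]+$/) next   # skip header and ===== rule
            if (f[7] != "0") reachable++               # reach column
            if (tally == "*") selected = 1             # sys.peer
        }
        END { exit !(reachable >= 2 && selected) }
    '
}

# Constructed sample, copied in shape from the table shown in this step.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay  offset   disp
==============================================================================
 192.168.10.10   10.1.1.11       4 u   19   64   37    1.21  -1.828  453.42
*192.168.10.11   10.1.1.11       4 u   17   64   37    1.88  -3.609  453.43'

if printf '%s\n' "$SAMPLE_NTPQ" | ntp_peers_ok; then
    echo "NTP OK: two reachable servers, one selected"
else
    echo "NTP NOT OK: check the reach and tally columns"
fi
```

On a live server pipe the real table in instead of the sample, for example `ntpq -p | ntp_peers_ok`. A reach of 0 on every line after the autokey change usually means the server side does not speak NTPv4 autokey, which is exactly the case the note at the top of this step tells you to skip.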


GEN000252

Run this command to set permissions on NTP configuration files.

chmod 640 /etc/ntp.conf /etc/inet/ntp.conf

GEN000290

Run these commands to remove 2 Solaris packages. Answer “y” when prompted for confirmations.

pkgrm SUNWbnuu

pkgrm SUNWbnur

Run these commands to remove unneeded users:

userdel uucp

userdel nuucp

userdel smmsp

userdel lp

userdel unknown

GEN000440, GEN002870

Edit the /etc/syslog.conf file. Add this line to the end of the file.

daemon.notice /var/adm/messages

NOTE: Be sure the white space between the selector (daemon.notice) and the filename (/var/adm/messages) consists only of TAB characters. Spaces are not interpreted by the syslog daemon.

If a third party syslog collection and reporting tool is available, then also add the following entries, which will send syslog messages to an external server for analysis and alarm reporting for EMS Server logins. Replace “@192.168.1.100” with the appropriate server IP address or hostname (the “@” is required).

auth.info /var/log/authlog

# Following entries are for 3rd party tool to trigger alarms for logins

auth.info @192.168.1.100

If a third party syslog collection and reporting tool is available, then also add the following entries to capture audit data.

user.info @192.168.1.111

kern.info @192.168.1.111

auth.info @192.168.1.111
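The TAB requirement in the note above is easy to get wrong when entries are pasted from a document like this one, where the separator is rendered as spaces. As an added example (not from the AudioCodes document), this POSIX shell function checks a syslog.conf-style file and reports every active line whose selector and action are not separated by TAB characters only. The sample file is constructed; the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the AudioCodes document: verify that every active
# line of a syslog.conf-style file separates the selector from the action
# with TAB characters only, as the GEN000440/GEN002870 note requires. A line
# typed with spaces is not interpreted by the Solaris syslog daemon, so the
# entry silently does not take effect.
# Prints each offending line and returns 1 if any were found, 0 otherwise.

check_syslog_tabs() {
    conf="$1"
    tab=$(printf '\t')
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            '#'*|'') continue ;;                    # comments and blank lines
            *' '*)                                  # any space at all is wrong
                printf 'line %d: space in entry, use TAB only: %s\n' "$lineno" "$line"
                bad=1 ;;
            *"$tab"*) ;;                            # TAB present, no spaces: fine
            *)                                      # single token: no action field
                printf 'line %d: no TAB between selector and action: %s\n' "$lineno" "$line"
                bad=1 ;;
        esac
    done < "$conf"
    return "$bad"
}

# Demo on a constructed file: one correct entry, one typed with spaces.
sample=$(mktemp)
tab=$(printf '\t')
printf '%s\n' "daemon.notice${tab}/var/adm/messages" \
              "# Following entries are for 3rd party tool to trigger alarms for logins" \
              "auth.info @192.168.1.100" > "$sample"
if check_syslog_tabs "$sample"; then
    echo "syslog.conf separators OK"
else
    echo "fix the lines listed above, then restart syslog"
fi
rm -f "$sample"
```

Run it as `check_syslog_tabs /etc/syslog.conf` after editing and before `svcadm restart system-log`; a clean run is also a quick way to confirm that the remote-collector entries with the "@" form were entered with TABs.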

GEN000580, GEN000680, GEN000820

Edit the /etc/default/passwd file. Change the values of the following parameters as shown.

PASSLENGTH=14

MAXWEEKS=8

MAXREPEATS=2


GEN000590, GEN000595

Be very careful with this step. Failure to properly configure and test these changes may result in complete loss of access to the system! Change the default algorithm Solaris uses to encrypt Unix passwords to one that is FIPS 140-2 compliant. Edit the /etc/security/policy.conf file. Change the values of the following parameters as shown.

CRYPT_DEFAULT=6

CRYPT_ALGORITHMS_ALLOW=2a,md5

Use the “passwd” command to change the password for both “acems” and “root”.

passwd acems

passwd root

You can verify that the SHA-512 algorithm is in use by looking at the encrypted password in /etc/shadow. For example:

acems:$6$7w.8Bzdk$hUm8sSnFRuP5MUK9K8LbtBNP9Wr/leDW4UzzJWjraB94u/HYmr0HWYXayivl.BiwbVAaOe5/xqgxRroHTuovM1:15531:7:56:7:::

Test the new passwords by opening a second SSH session as user “acems”. Verify that you can become root in that second session with “su - root”. If you cannot log in, change CRYPT_DEFAULT back to 1, change CRYPT_ALGORITHMS_ALLOW back to “1,2a,md5”, run the 2 passwd commands to create new passwords using MD5, and contact your vendor for further analysis.
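Reading /etc/shadow by eye only confirms the accounts you happen to look at. As an added example (not from the AudioCodes document), the following POSIX shell functions classify every entry of a shadow-format file by its crypt(3) prefix and flag any account that still has a non-SHA-512 password, which is what is left to fix after the two passwd commands. The sample entries are constructed with placeholder hashes; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the AudioCodes document: report which crypt(3)
# algorithm protects each account in a shadow-format file, so the
# GEN000590/GEN000595 change can be confirmed for every local account.
# The $id$ prefixes follow the Solaris crypt.conf identifiers used by
# CRYPT_DEFAULT: 1 = MD5, 2a = Blowfish, md5 = Sun MD5, 5 = SHA-256,
# 6 = SHA-512. A hash with no prefix is the old 13-character DES form.

hash_algo_name() {
    # $1: the hashed-password field of one shadow entry. Prints a name.
    case "$1" in
        '$6$'*)          echo SHA-512 ;;
        '$5$'*)          echo SHA-256 ;;
        '$2a$'*)         echo Blowfish ;;
        '$1$'*)          echo MD5 ;;
        '$md5$'*)        echo SunMD5 ;;
        ''|'*'*|NP*)     echo locked-or-empty ;;   # *LK*, NP, empty: no password
        *)               echo DES ;;
    esac
}

check_shadow_algos() {
    # $1: path to a shadow-format file. Prints "user algorithm" per entry and
    # returns 1 if any account that has a password is not on SHA-512.
    rc=0
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        algo=$(hash_algo_name "$hash")
        printf '%-10s %s\n' "$user" "$algo"
        case "$algo" in
            SHA-512|locked-or-empty) ;;
            *) rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# Constructed sample entries (hashes are placeholders, not real credentials).
sample=$(mktemp)
printf '%s\n' \
    'acems:$6$saltsalt$placeholderhash:15531:7:56:7:::' \
    'root:$6$tlastlas$placeholderhash:15531:7:56:7:::' \
    'oracle:$1$oldsalt0$placeholderhash:15000::::::' \
    'lp:*LK*:::::::' > "$sample"
check_shadow_algos "$sample" || echo "at least one account is not on SHA-512: run passwd for it"
rm -f "$sample"
```

On the server, run `check_shadow_algos /etc/shadow` as root. Accounts that still show MD5 or DES are ones whose password was never reset after the policy.conf change; they keep working, since CRYPT_ALGORITHMS_ALLOW still lists md5, but they are not on the FIPS 140-2 algorithm until passwd is run for them.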

GEN000790

Create a dictionary file for password complexity checking. If the file /var/passwd/pw_dict.pwd exists, no additional work is required. If the file does not exist, run this command to create the dictionary:

mkpwdict

GEN000940, GEN001900

Remove the current directory (“.”) entry from root's PATH. Edit the /root/.cshrc file. Change the “set path=” line to remove the “.” at the end of the line.

After the change, the line should look like this:

set path=(/bin /usr/bin /usr/local/bin /usr/ucb /usr/openwin/bin /usr/sbin /usr/ccs/bin /etc)

Add the following line at the end of the file:

set autologout=10

Change the default shell timeout for all users. Edit the /etc/zshrc file. Set TMOUT to 600. If a line containing TMOUT exists, set it to 600 as shown. If it does not exist, add this line to the end of the file.

TMOUT=600


GEN001020

The initial Solaris installation allows root login over the network, but this is blocked during hardening. Run this command to clear the history to prevent false positives during IA scans.

cat /dev/null > /var/adm/wtmpx

GEN001170

Run this command to set the ownership on several library files.

chown -R root:root /opt/nss/mod_nss-1.0.8

GEN001260

Run this command to change permissions on several log files.

find /var -type f \( -name btmp -o -name messages -o -name wtmp \
-o -name utmp -o -name shutdownlog -o -name cronlog -o -name syslog \
-o -name loginlog -o -name syslog.log -o -name lastlog \
-o -name log \) \
-a \( -perm -0020 -o -perm -0010 -o -perm -0004 \
-o -perm -0002 -o -perm -0001 \) \
-exec chmod 640 {} \;

GEN001480

Run these commands to set home directory permissions.

chmod 750 /export/home/nbif

chmod 750 /export/home/emsadmin

chmod 750 /export/home/oracle

chmod 750 /export/home/oralsnr

GEN001560

Run these commands to set Oracle diagnostic directory permissions. Some directories may not exist. Ignore any errors.

chmod -R o-rwx /export/home/oracle/oradiag_oracle

chmod -R o-rwx /export/home/acems/oradiag_acems

chmod -R o-rwx /export/home/acems/oradiag_root

chmod -R o-rwx /export/home/emsadmin/oradiag_emsadmin

GEN001880

Run these commands to set user startup file permissions.

chmod 640 /export/home/*/.profile

chmod 640 /export/home/*/.zshenv

chmod 640 /export/home/*/local.*


GEN002480

Run these commands to set several file permissions.

chmod o-w /var/adm/spellhist

chmod o-w /var/dt/dtpower/_current_scheme

chmod o-w /ACEMS/backup_scripts/RmanBackup.log

find / -name forms_setup.pl -exec chmod o-w {} \;

find / -name jvm_exp.sql -exec chmod o-w {} \;

find / -name catexp.sql -exec chmod o-w {} \;

GEN002717

Run these commands to set audit file permissions.

chmod 550 /usr/sbin/audit

chmod 550 /usr/sbin/auditconfig

chmod 550 /usr/sbin/auditd

chmod 550 /usr/sbin/auditreduce

chmod 550 /usr/sbin/praudit

chmod 550 /usr/sbin/bsmrecord

GEN002825

Edit the /etc/security/audit_control file. Add “,ad” to the end of the “flags” line so it looks like this:

flags:lo,am,na,-fr,fd,fm,ad

Run this command to restart the audit service:

audit -s

GEN002980, GEN003200, GEN003340

Run these commands to set cron file permissions.

chmod 600 /etc/cron.d/cron.allow*

chmod 600 /etc/cron.d/cron.deny*

chmod 600 /etc/cron.d/at.allow*

chmod 600 /etc/cron.d/at.deny*

GEN003050

Run this command to set file group ownership.

chgrp root /var/spool/cron/crontabs/sys


GEN003500

Run these commands to disable all core dump capabilities.

coreadm -d global

coreadm -d global-setid

coreadm -d log

GEN003510

Run this command to disable all system crash dump capabilities.

dumpadm -n

GEN003606, GEN003607

Edit the /etc/ipf/ipf.conf file. Add the following firewall rules to block source routing IP packets.

block out log quick from any to any with opt lsrr

block out log quick from any to any with opt ssrr

block in log quick all with opt lsrr

block in log quick all with opt ssrr

Run this command to load the new firewall rules.

ipf -Fa -A -f /etc/ipf/ipf.conf

GEN003611

Edit the /etc/ipf/ipf.conf file. Add the following firewall rules to block incoming IP packets from the server's IP address or broadcast address. Use the ifconfig command to get this information. In this example, the server IP address is 192.168.1.10 and the broadcast address is 192.168.1.255:

ems# ifconfig -a

lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1

inet 127.0.0.1 netmask ff000000

e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2

inet 192.168.1.10 netmask ffffff00 broadcast 192.168.1.255

ether 0:21:28:d2:19:1a


Add the following 2 block rules to the ipf.conf file, substituting your IP and broadcast address. The default interface name for the SunFire V215 is “bge0”. For the Netra T2000 and T5220 platforms, the default interface name is “e1000g0”. Reference the ifconfig command output for confirmation.

Example for SunFire V215

block in log quick on bge0 from 192.168.1.10 to any

block in log quick on bge0 from 192.168.1.255 to any

Example for Netra T2000/T5220

block in log quick on e1000g0 from 192.168.1.10 to any

block in log quick on e1000g0 from 192.168.1.255 to any

NOTE: If you implement Ethernet Interface Redundancy later in the procedure, be sure to add 2 lines for the new interface(s), using the private IP addresses. For example, if you add redundancy using interface e1000g1 with private IP 192.168.1.11 on e1000g0 and 192.168.1.12 on e1000g1, add these lines:

block in log quick on e1000g0 from 192.168.1.11 to any

block in log quick on e1000g0 from 192.168.1.255 to any

block in log quick on e1000g1 from 192.168.1.12 to any

block in log quick on e1000g1 from 192.168.1.255 to any

Run this command to load the new firewall rules.

ipf -Fa -A -f /etc/ipf/ipf.conf

GEN003613

Edit the /etc/ipf/ipf.conf file. Add the following firewall rules to block loopback traffic from the primary network interface(s).

Example for SunFire V215

block in quick on bge0 from 127.0.0.0/8 to any

For Netra T2000/T5220

block in quick on e1000g0 from 127.0.0.0/8 to any

NOTE: If you implement Ethernet Interface Redundancy later in the procedure, be sure to add a line for each new interface. For example, if you add redundancy using interface e1000g1, add this line:

block in quick on e1000g1 from 127.0.0.0/8 to any

Run this command to load the new firewall rules.

ipf -Fa -A -f /etc/ipf/ipf.conf
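The GEN003611 and GEN003613 rules above are written per interface, and the redundancy notes show how the set grows once a second interface exists. As an added example (not from the AudioCodes document), the following POSIX shell function derives all three block rules for every non-loopback interface directly from ifconfig -a output, so that the addresses are not copied by hand. The ifconfig text below is constructed from the page's sample plus a second interface; the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the AudioCodes document: generate the GEN003611 and
# GEN003613 "block in" rules from "ifconfig -a" output. It reads Solaris-style
# ifconfig text, skips lo0 and any interface without a broadcast address, and
# for every other interface prints the three rules the two sections call for
# (own IP, broadcast address, and 127.0.0.0/8). Logical interfaces such as
# e1000g0:1 are folded onto their physical interface, the name ipf expects.

ipf_self_rules() {
    # stdin: ifconfig -a output; stdout: ipf.conf rule lines.
    awk '
        /^[A-Za-z].*flags=/ {            # interface header line, e.g. "e1000g0: flags=..."
            split($1, a, ":"); iface = a[1]; next
        }
        $1 == "inet" && iface != "lo0" {
            ip = $2; bcast = ""
            for (i = 3; i <= NF; i++) if ($i == "broadcast") bcast = $(i + 1)
            if (bcast == "") next       # point-to-point or IPv6-only: nothing to add
            printf "block in log quick on %s from %s to any\n", iface, ip
            printf "block in log quick on %s from %s to any\n", iface, bcast
            printf "block in quick on %s from 127.0.0.0/8 to any\n", iface
        }
    '
}

# Constructed sample: the page's ifconfig output plus a second interface.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.10 netmask ffffff00 broadcast 192.168.1.255
        ether 0:21:28:d2:19:1a
e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.12 netmask ffffff00 broadcast 192.168.1.255
        ether 0:21:28:d2:19:1b'

printf '%s\n' "$SAMPLE_IFCONFIG" | ipf_self_rules
```

On the server, `ifconfig -a | ipf_self_rules >> /etc/ipf/ipf.conf` followed by the `ipf -Fa -A -f /etc/ipf/ipf.conf` command above applies the same rules the sections describe; review the generated lines first, since the function blocks every interface with a broadcast address and does not know which one is the management side.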

Additionally, the requirement states that if the system is multi-homed (has network appearances on 2 separate networks), then firewall rules must be added to block traffic from one network from arriving on the other interface. For example, consider a system with two network interfaces, one attached to an isolated management network with address 10.0.0.55/24 and the other attached to a production network with address 192.168.1.10/24 and a default route. Traffic with a source address on the 10.0.0.0/24 network must be the only traffic accepted on the management interface and must not be accepted on the production interface. For this example, if the management interface is on bge0 and the production network is bge1, these lines would be added to the /etc/ipf/ipf.conf file. These rules will allow only IP traffic from 10.0.0.0/24 on the management interface (bge0) and block anything from 10.0.0.0/24 on the production interface (bge1). Use the ipf command as shown in previous examples to load the firewall rules when done.

pass in quick on bge0 from 10.0.0.0/24 to any

block in quick on bge0 from any to any

block in quick on bge1 from 10.0.0.0/24 to any

This can obviously get quite complicated when multiple networks and Ethernet Interface Redundancy are being used. Please contact your vendor for advice.

GEN003680, GEN003700, GEN006600

Run these commands to disable the inetd service.

svcadm disable inetd

pkill inetd

GEN003810, GEN003815

Run these commands to disable the bind service and disable the rpcbind executable.

svcadm disable bind

chmod 0000 /usr/sbin/rpcbind

GEN003825, GEN003835, GEN003845

Run these commands to disable several services and remove three packages. Answer “y” when prompted for confirmations.

svcadm disable talk

svcadm disable shell:kshell

svcadm disable shell:default

svcadm disable wall

svcadm disable spray

svcadm disable rusers

svcadm disable rstat

svcadm disable rexec

svcadm disable login:eklogin

svcadm disable login:klogin

svcadm disable login:rlogin

svcadm disable finger

svcadm disable comsat

pkgrm SUNWrcmdr

pkgrm SUNWrcmdc

pkgrm SUNWrcmds


GEN004900

Edit the /etc/ftpd/ftpusers file. Add the following lines at the end of the file:

oracle

sshd

Change permissions on the /etc/ftpd/ftpusers file.

chmod 640 /etc/ftpd/ftpusers

GEN005260

Run this command to disable the CDE login service.

svcadm disable cde-login

GEN005440

Run these commands to ensure the server does not accept remote syslog messages.

svccfg -s svc:/system/system-log setprop config/log_from_remote = false

svcadm refresh svc:/system/system-log

GEN005600

Run this command to create an empty /etc/notrouter file to prevent routing IP traffic.

touch /etc/notrouter

GEN006565

Run these commands to create a cron job to run a monthly package check.

crontab -l | grep -v pkgchk >> /tmp/crontab.tmp
echo "0 4 1 * * pkgchk -n >> \
/ACEMS/server_6.2.110/emsFiles/Hardening/package_verification.log \
2>&1" >> /tmp/crontab.tmp
crontab /tmp/crontab.tmp
rm -f /tmp/crontab.tmp

GEN007480

Add an entry to the /etc/system file to explicitly block the Reliable Datagram Sockets (RDS) protocol. First run this command to see if the entry exists.

grep "exclude: rds" /etc/system

If there is no output from the above command, run this command to add the required entry. Be sure to use double greater-than (“>>”) signs!!

echo "exclude: rds" >> /etc/system


GEN007540

Add an entry to the /etc/system file to explicitly block the Transparent Inter-Process Communication (TIPC) protocol. First run this command to see if the entry already exists.

grep "exclude: tipc" /etc/system

If there is no output from the above command, run the following command to add the required entry. Be sure to use double greater-than (“>>”) signs!!

echo "exclude: tipc" >> /etc/system
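The "grep first, then echo >>" pattern used for GEN007480 and GEN007540 (and, in the same shape, for TMOUT in /etc/zshrc under GEN000940) is the kind of step that gets re-run after an upgrade, as the note at the top of this document requires. As an added example (not from the AudioCodes document), the following POSIX shell function makes that pattern idempotent and stricter: it matches whole lines only, so a commented-out "# exclude: rds" does not count as present, and it never uses a single ">" that would truncate /etc/system. The demo works on a constructed copy of the file; the function names are this example's own, and a POSIX grep with -q/-x/-F is assumed (on Solaris 10 that is /usr/xpg4/bin/grep).

```shell
#!/bin/sh
# Added example, not from the AudioCodes document: idempotent "append this
# line if it is not already there" for files such as /etc/system and
# /etc/zshrc. Assumes a POSIX grep with -q/-x/-F (Solaris 10: /usr/xpg4/bin/grep).

ensure_line() {
    file="$1"; text="$2"
    if [ ! -f "$file" ]; then
        printf 'ensure_line: %s does not exist\n' "$file" >&2
        return 2
    fi
    # -x whole-line, -F fixed string, -q quiet: unlike grep "exclude: rds",
    # this does not treat a commented-out "# exclude: rds" as present.
    if grep -qxF -- "$text" "$file"; then
        printf '%s: already present: %s\n' "$file" "$text"
        return 0
    fi
    printf '%s\n' "$text" >> "$file"       # ">>" appends; ">" would wipe the file
    printf '%s: added: %s\n' "$file" "$text"
}

# Count exact occurrences of a line (used to show the call is idempotent).
count_line() {
    n=$(grep -cxF -- "$2" "$1")
    echo "${n:-0}"
}

# Demo on a constructed copy so the real /etc/system is untouched.
sys=$(mktemp)
printf '%s\n' 'set noexec_user_stack=1' '# exclude: rds' > "$sys"
ensure_line "$sys" "exclude: rds"         # added (the commented line does not count)
ensure_line "$sys" "exclude: rds"         # already present: nothing appended
ensure_line "$sys" "exclude: tipc"        # added
echo "exclude: rds appears $(count_line "$sys" 'exclude: rds') time(s)"
rm -f "$sys"
```

On the server, `ensure_line /etc/system "exclude: rds"` and `ensure_line /etc/system "exclude: tipc"` replace the grep-then-echo pairs above and can be repeated safely after each upgrade; the change to /etc/system still takes effect only at the reboot that closes this section.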

GEN007960

Run these commands to prevent execution of ldd programs. Ignore any error messages if the files do not exist.

chmod 0000 /usr/bin/sparcv9/ldd

chmod 0000 /usr/bin/ldd

GEN008460, GEN008480

Run these commands to remove several Solaris packages. Answer “y” when prompted for confirmations.

pkgrm SUNWusbs

pkgrm SUNWuacm

pkgrm SUNWugen

pkgrm SUNWuprl

pkgrm SUNWusbu

pkgrm SUNWuksp

pkgrm SUNWuedg

pkgrm SUNWukspfw

pkgrm SUNWuecm

pkgrm SUNWusb

2006-A-0023 (was IAVA1060), 2007-T-0017 (was IAVA1070), SOL00220

Run these commands to remove unused applications.

rm /usr/sbin/named

rm /usr/sbin/in.named

rm /usr/aset/asetenv

SOL00140

Edit the /usr/aset/masters/uid_aliases file. Verify each line is commented (begins with “#”).


SOL00300

Run this command to set the EEPROM security mode.

eeprom security-mode=command

***NOTE*** This command requires adding a password for EEPROM. DO NOT FORGET THIS PASSWORD!! The EEPROM must be replaced if this password is lost or forgotten!!!!! NOTE: Solaris has a hard limit of 8 characters for this password. Longer passwords may be provided to maintain consistency with other passwords. Only the first 8 characters are checked.

SOL00560

Run this command to set file group ownership.

chgrp -R sys /etc/zones

Disable Automated Lights Out Manager (V215 ONLY)

Run these commands to disable IP access to ALOM.

cd /usr/platform/SUNW,Sun-Fire-V215/sbin

./scadm set if_network false

./scadm set netsc_dhcp false

./scadm set netsc_ipaddr 0.0.0.0

./scadm set netsc_ipgateway 0.0.0.0

./scadm resetrsc -s

Close RPC ports

Run these commands to disable services to close RPC ports.

svcadm disable mapid

svcadm disable cbd

Close SMC ports

Run this command to close the ports used by the Solaris Management Console.

svcadm disable wbem

NET1645

Edit the /etc/ssh/sshd_config file. Change the value of the following parameter as shown.

LoginGraceTime 30


DSN 18.13

Edit the /etc/default/login file. Change the value of the following parameter as shown.

DISABLETIME=60

Disable Java debugging TCP port

Edit the /ACEMS/server_6.2.110/runServer_unix file. Go to the last line of the file. Remove the following 2 strings to disable a local TCP port used for Java debugging.

-Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n

After the change, the beginning of the line should start like this (entry shortened for readability):

/usr/bin/java -Xms32m -Xmx400m -server -cp "server.jar:…

Reboot

Reboot the EMS Server. Wait 10-15 minutes for the server to stabilize. Connect with the EMS Client application to verify proper operation.

7. DOD advanced Apache server hardening

In addition to the operating system hardening requirements for DOD, extra hardening is required for the Apache web server. Use the following steps to complete the Apache web server hardening. The Apache web server is only required as a file transfer mechanism for software updates to the PRI Gateways and IADs and for topology and performance data information to an external Network Management System (NMS) application. These steps require “root” access to the EMS Server. Please use extreme caution with these steps, as failure to properly set file permissions or configuration parameters may disrupt software upgrades for the gateway devices.

WA032, WG400, WG410

No CGI programs are required. Remove all files from the cgi-bin directory. Hit [y] when prompted.

rm /usr/local/apache2/cgi-bin/*


WA000-WWA040, WA000-WWA042, WA000-WWA044, WA000-WWA046, WG300

Run these commands to set Apache file permissions.

groupadd webadmin

chown root:webadmin /usr/local/apache2

chown -R root:webadmin /usr/local/apache2/*

chown emsadmin:webadmin /usr/local/apache2/DAVLockDB

chmod -R o-rwx /usr/local/apache2/*

chmod 550 /usr/local/apache2/bin

chmod 550 /usr/local/apache2/bin/*

chmod 551 /usr/local/apache2/cgi-bin


WA000-WWA050, WA000-WWA052, WA000-WWA056, WA000-WWA058

Recent changes to the Apache STIG require significant changes to the Apache configuration file. To close these STIG items, modify the httpd.conf file following the guidelines below. In the listing, a directive that has been commented out to satisfy a requirement carries that requirement ID in the comment (for example “#WA00500 LoadModule ...”), and the requirement notes after each part of the listing summarize what changed.

vi /usr/local/apache2/conf/httpd.conf

#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/foo_log".
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "/usr/local/apache2"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
#Listen 80
#WA00555
Listen 10.10.1.10:443
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
#WA00500 LoadModule authn_file_module modules/mod_authn_file.so
#WA00500 LoadModule authn_dbm_module modules/mod_authn_dbm.so
#WA00500 LoadModule authn_anon_module modules/mod_authn_anon.so
#WA00500 LoadModule authn_dbd_module modules/mod_authn_dbd.so
#WA00500 LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
#WA00500 LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
#WA00500 LoadModule authz_user_module modules/mod_authz_user.so
#WA00500 LoadModule authz_dbm_module modules/mod_authz_dbm.so
#WA00500 LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#WA00500 LoadModule authz_default_module modules/mod_authz_default.so
#WA00500 LoadModule auth_basic_module modules/mod_auth_basic.so
#WA00500 LoadModule auth_digest_module modules/mod_auth_digest.so
#WA00500 LoadModule dbd_module modules/mod_dbd.so
LoadModule dumpio_module modules/mod_dumpio.so
#WA00500 LoadModule reqtimeout_module modules/mod_reqtimeout.so
#WA00500 LoadModule ext_filter_module modules/mod_ext_filter.so
#WA00500 LoadModule include_module modules/mod_include.so
#WA00500 LoadModule filter_module modules/mod_filter.so
#WA00500 LoadModule substitute_module modules/mod_substitute.so
#WA00500 LoadModule deflate_module modules/mod_deflate.so
#LoadModule ldap_module modules/mod_ldap.so
LoadModule log_config_module modules/mod_log_config.so
#WA00500 LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so
#WA00500 LoadModule env_module modules/mod_env.so
#WA00500 LoadModule mime_magic_module modules/mod_mime_magic.so
#WA00500 LoadModule cern_meta_module modules/mod_cern_meta.so
#WA00500 LoadModule expires_module modules/mod_expires.so
#WA00500 LoadModule headers_module modules/mod_headers.so
#WA00500 LoadModule ident_module modules/mod_ident.so
#WA00500 LoadModule usertrack_module modules/mod_usertrack.so
#WA00500 LoadModule unique_id_module modules/mod_unique_id.so
#WA00500 LoadModule setenvif_module modules/mod_setenvif.so
#WA00500 LoadModule version_module modules/mod_version.so
#WA00520 LoadModule proxy_module modules/mod_proxy.so
#WA00520 LoadModule proxy_connect_module modules/mod_proxy_connect.so
#WA00520 LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#WA00520 LoadModule proxy_http_module modules/mod_proxy_http.so
#WA00520 LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#WA00520 LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#WA00520 LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule nss_module modules/libmodnss.so
LoadModule mime_module modules/mod_mime.so
#WA00505 LoadModule dav_module modules/mod_dav.so
#WA00510 LoadModule status_module modules/mod_status.so
#WA00515 LoadModule autoindex_module modules/mod_autoindex.so
#WA00500 LoadModule asis_module modules/mod_asis.so
#WA00510 LoadModule info_module modules/mod_info.so
#WA00500 LoadModule cgi_module modules/mod_cgi.so
#WA00505 LoadModule dav_fs_module modules/mod_dav_fs.so
#WA00500 LoadModule vhost_alias_module modules/mod_vhost_alias.so
#WA00500 LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
#WA00500 LoadModule imagemap_module modules/mod_imagemap.so
#WA00500 LoadModule actions_module modules/mod_actions.so
#WA00500 LoadModule speling_module modules/mod_speling.so
#WA00525 LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
#WA00500 LoadModule rewrite_module modules/mod_rewrite.so
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
#User daemon
#Group daemon
</IfModule>
</IfModule>
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. [email protected]
#
ServerAdmin [email protected]
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName 10.10.1.10:80

Requirement notes for the part of the listing above:

Requirement WA00555: Add a Listen entry with the server’s IP address and HTTPS port.

Requirement WA00500: Remove unused modules (every LoadModule line prefixed with #WA00500).

Requirement WA00520: Remove the proxy modules (lines prefixed with #WA00520).

Requirement WA00505: Remove the DAV and DAV fs modules.

Requirement WA00510: Remove the info/status modules.

Requirement WA00515: Remove the autoindex module.

Requirement WA00525: Remove the userdir module.

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/ACEMS/server_6.2.110/"
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
#WA00545
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/ACEMS/server_6.2.110/">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options -Indexes -MultiViews -ExecCGI -FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Deny from all
#WA00565
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" " combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
#WA00560 ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock logs/cgisock
</IfModule>
#
# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/apache2/nowhere">
AllowOverride None
Options None
Order allow,deny
Deny from all
#WA00565
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
</Directory>
#
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig conf/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or 0 for unlimited
# Default setting is to accept 200 Ranges
#MaxRanges 0
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
#
TraceEnable off
#EnableSendfile off

Requirement notes for the part of the listing above:

Requirement WA00545: “Options None” for the root Directory entry. A restrictive Options entry is necessary for all non-root Directory directives.

Requirement WA00565: Add a LimitExcept entry for all non-root Directory directives.

Requirement WA00612: Replace the “combined” LogFormat as shown.

Requirement WA00560: Remove the ScriptAlias entry.

# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Secure (SSL/TLS) connections
#Include conf/ssl.conf
#
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
User emsadmin
Group nbif
# Parameters added for additional security.
LimitRequestBody 400
ServerTokens Prod
KeepAlive On
LimitRequestFields 100
MaxSpareServers 10
LimitRequestFieldsize 8190
LimitRequestLine 8190
MaxKeepAliveRequests 100
#<Directory "/usr/local/apache2/cgi-bin">
# Options Indexes MultiViews
# AllowOverride None
# Order allow,deny
# Allow from all
#</Directory>
Alias /NBIF "/ACEMS/NBIF"
<Directory "/ACEMS/server_6.2.110/emsSwfiles">
Options -Indexes -MultiViews -ExecCGI -FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
#WA00565
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
#WA00500 RequestHeader unset If-Modified-Since
</Directory>
<Directory "/ACEMS/server_6.2.110/jaws">
Options -Indexes -MultiViews -ExecCGI -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
#WA00565
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
</Directory>
User emsadmin
Group nbif
<Files ~ "^.ht">
Order allow,deny
Deny from all
</Files>
#WA00505 DAVLockDB /usr/local/apache2/DAVLockDB/
# <Directory "/ACEMS/server_6.2.110/gwFiles">
# Options -Indexes -MultiViews -ExecCGI -FollowSymLinks
# AllowOverride None
# Order allow,deny
# Allow from all
# AuthType Basic
# AuthName "Private Access"
# AuthUserFile "/ACEMS/server_6.2.110/externals/security/.htpasswd"
# Require valid-user
# Dav On
# <LimitExcept GET HEAD OPTIONS PUT LOCK UNLOCK>
# Allow from all
# </LimitExcept>
#</Directory>
<Directory "/ACEMS/NBIF">
NSSRequireSSL
NSSRequire %{SSL_CLIENT_S_DN_O} eq "U.S. Government"
NSSOptions +StrictRequire
Options -Indexes -MultiViews -ExecCGI -FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
#WA00565
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
</Directory>
Include conf/nss.conf

Requirement notes for the part of the listing above:

Add the new directives from “User emsadmin” through “MaxKeepAliveRequests 100”.

Remove the cgi-bin Directory directive (shown commented out).

A restrictive Options entry is necessary for all non-root Directory directives.

Requirement WA00565: Add a LimitExcept entry for all non-root Directory directives.

Requirement WA00500: Remove the RequestHeader entry, since the module that provides it (mod_headers) was removed with the other unused modules.

Requirement WA00505: Remove the DAV entries. Remove the unused gwFiles Directory directive to avoid issues with DAV and LimitExcept headers.

The NSSRequire entry must match the Organization (O=) entry in the PKI certificates.

WG370

Edit the /usr/local/apache2/conf/mime.types file. Add “#” to the beginning of the line for each of the shell entries so that they match these lines:

# application/x-csh csh
# application/x-sh sh

WG380

Run these commands to remove sample code.

rm /usr/perl5/5.8.4/lib/CGI/eg/nph-clock.cgi
rm /usr/perl5/5.8.4/lib/CGI/eg/nph-multipart.cgi

WG385

Run this command to remove sample code.

rm -r /usr/local/apache2/manual

Disable HTTP (Port 80)

Use the EmsServerManager script to close HTTP port 80 and disable Java Web Start (JAWS). Select the option for “Web Server Configuration”. If HTTP port 80 is open, select the option for “Close HTTP Service (Port 80)”. Select the option for “Disable JAWS”. Apache will restart automatically.

NOTE: If the Web server does not start (“Web Server's Processes” will show “Down”), the most likely problem is a syntax error in the httpd.conf file. As root, run “/usr/local/apache2/bin/apachectl start”. Errors in the file are reported with their line number so they can be easily identified.
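As an added example (not AudioCodes' code and not part of this document), the following Python checker re-reads a finished httpd.conf and reports which of the items from the listing above are not in the required state. The module allow-list mirrors the LoadModule lines left active in the listing, the parser is a simple line scan of Apache 2.2 syntax, and both sample configurations at the bottom are constructed.

```python
"""Added example, not part of the AudioCodes document: re-check a finished
httpd.conf against the hardening items of this section.

Checks: WA00500/WA00520 (only the needed modules loaded, no proxy modules),
WA00545 (Options None on the root Directory), WA00555 (Listen <ip>:443),
WA00560 (no ScriptAlias), WA00565 (LimitExcept in every non-root
Directory), WA00612 (the replacement "combined" LogFormat) and
TraceEnable off. Parsing is a plain line scan of Apache 2.2 syntax."""
import re

# Modules the hardened listing leaves loaded; anything else gets flagged.
ALLOWED_MODULES = {
    "authz_host_module", "dumpio_module", "log_config_module", "logio_module",
    "nss_module", "mime_module", "dir_module", "alias_module",
}
DIRECTORY_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
LISTEN_HTTPS = re.compile(r"Listen\s+\d{1,3}(?:\.\d{1,3}){3}:443$")


def directives(text):
    """Return the non-comment, non-blank lines of a config, stripped."""
    lines = (raw.strip() for raw in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def directory_blocks(lines):
    """Map each <Directory path> to the stripped lines inside it."""
    blocks, current, body = {}, None, []
    for ln in lines:
        opened = DIRECTORY_OPEN.match(ln)
        if opened:
            current, body = opened.group(1), []
        elif ln.lower() == "</directory>" and current is not None:
            blocks[current] = body
            current = None
        elif current is not None:
            body.append(ln)
    return blocks


def audit_httpd_conf(text):
    """Return [(requirement, finding), ...]; an empty list means all checks pass."""
    lines = directives(text)
    findings = []
    for ln in lines:
        if ln.startswith("LoadModule"):
            module = ln.split()[1]
            if module.startswith("proxy"):
                findings.append(("WA00520", "proxy module loaded: " + module))
            elif module not in ALLOWED_MODULES:
                findings.append(("WA00500", "unneeded module loaded: " + module))
    if not any(LISTEN_HTTPS.match(ln) for ln in lines):
        findings.append(("WA00555", "no 'Listen <server ip>:443' entry"))
    if any(ln.startswith("ScriptAlias") for ln in lines):
        findings.append(("WA00560", "ScriptAlias entry still present"))
    for ln in lines:
        # Only the "combined" nickname has to carry the replacement fields.
        if ln.startswith("LogFormat") and ln.endswith(" combined") and "%a %A" not in ln:
            findings.append(("WA00612", "'combined' LogFormat not replaced"))
    if not any(ln.lower() == "traceenable off" for ln in lines):
        findings.append(("TraceEnable", "TraceEnable off is missing"))
    for path, body in directory_blocks(lines).items():
        if path == "/":
            if "Options None" not in body:
                findings.append(("WA00545", "root <Directory /> lacks 'Options None'"))
        else:
            if not any(ln.startswith("Options") for ln in body):
                findings.append(("Options", path + " lacks an Options entry"))
            if not any(ln.startswith("<LimitExcept") for ln in body):
                findings.append(("WA00565", path + " lacks <LimitExcept>"))
    return findings


# Constructed sample: the state the listing above leaves httpd.conf in.
HARDENED_SAMPLE = """\
ServerRoot "/usr/local/apache2"
#WA00555
Listen 10.10.1.10:443
LoadModule authz_host_module modules/mod_authz_host.so
#WA00520 LoadModule proxy_module modules/mod_proxy.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule nss_module modules/libmodnss.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/ACEMS/NBIF">
    NSSRequireSSL
    Options -Indexes -MultiViews -ExecCGI -FollowSymLinks
    Order allow,deny
    Allow from all
    <LimitExcept GET POST OPTIONS>
        Deny from all
    </LimitExcept>
</Directory>
LogFormat "%a %A %h %H %l %m %s %t %u %U \\"%{Referer}i\\" " combined
LogFormat "%h %l %u %t \\"%r\\" %>s %b" common
TraceEnable off
"""

# Constructed sample: a stock configuration before the hardening edits.
STOCK_SAMPLE = """\
Listen 80
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule dir_module modules/mod_dir.so
<Directory />
    Options None
    Deny from all
</Directory>
<Directory "/ACEMS/NBIF">
    Options -Indexes -MultiViews -ExecCGI -FollowSymLinks
    Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
LogFormat "%h %l %u %t \\"%r\\" %>s %b \\"%{Referer}i\\" \\"%{User-Agent}i\\"" combined
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_SAMPLE), ("stock", STOCK_SAMPLE)):
        print(name, audit_httpd_conf(conf) or "all checks pass")
```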


Enforce Certificate Organization Name Check

Note: Do this step after you have completed section 10, DOD PKI certificate installation. Apache enforces a check of the Organization Name in the X.509 certificates. By default the check is set for the AudioCodes self-signed certificates, so it must be changed. Edit the /usr/local/apache2/conf/httpd.conf file. Find the <Directory> section for /ACEMS/NBIF and change the NSSRequire entry to match this:

NSSRequire %{SSL_CLIENT_S_DN_O} eq "U.S. Government"

NOTE: This corresponds to the Organization (“O=”) line in the X.509 certificate. Change this field accordingly if another Organization is used.

Reboot

Reboot the EMS Server to complete the process. Wait 10-15 minutes for the server to stabilize. Verify Apache is running by selecting “General Info” from the EmsServerManager script.

8. Ethernet interface redundancy implementation

Some installation configurations use Ethernet interface redundancy on the EMS Server. Carefully follow the instructions in the EMS IOM manual to complete this step. If required, this can be done at any stage after the initial EMS installation.

9. Locality information configuration

Carefully follow the instructions in the EMS IOM manual to complete this step. Change the following based on the local installation requirements:

Set the time zone (reboot is done on this step).

Set the banner message on the EMS Server. Manually edit the /etc/motd and /etc/issue files to reflect the following text. Note that the actual text may vary for each STIG release. Refer to Unix STIG documentation for exact text.


You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Set the banner message on the EMS Client. Use the same text as shown above. On the EMS Client, select “Advisory Message” from the Help menu. Set the “Welcome Message Options” to “Mandatory” and enter the above text for the “Welcome Message”. Click [OK].

Set the password complexity rules for the EMS application. Log in to the EMS Client application using a userid with Administration privileges. Select “Authentication & Authorization” from the Security menu. Set the following parameters:

Authentication Type: EMS Authentication
Synchronizing M5K/M8K CLI with EMS Users: <not checked>
Number of Login Attempts Before ‘Suspend’: 3
Minimal Password Length: 15
Password Complexity Rule: Plain and Capital Letters, Digits, Signs
Non Repetitive Characters # From Previous Password: 3
Number of Not Reused Previous Passwords: 10
Dictionary Check For Password Cracking Simplicity: <checked>


Set the per-user password limits for each user. In the EMS Client application, select Users List from the Security menu. Double-click on each user and set the following parameter values on the Advanced Info tab:

Account Inactivity Period (Days): 45
Session Inactivity Period (Minutes): 15
Session Leasing Duration (Hours): 8
Password Update Min Period (Hours): 24
Password Validity Max Period (Days): 45
Password Warning Max Period (Days): 7

10. DOD PKI certificate installation

Overview

EMS Server provides a FIPS compliant implementation of the following interfaces:

HTTPS between EMS Server and TP boards

HTTPS for NBIF directory

Java RMI interface between EMS Server and EMS Client

Immediately after installation, the EMS software uses a "default" (sample) configuration. This configuration uses X.509 certificates signed by a sample (dummy) Certificate Authority (CA) on both the EMS Server and the EMS Client, which is enough for client/server communication to work. This "default" configuration is not acceptable in the DOD environment. With the DOD PKI, all certificates used by the EMS Server, MPs, M3Ks, and the Network Management Server (NMS) are replaced with certificates issued by a real CA (e.g. the DOD PKI Certificate Authority). Refer to the MP/M3K and NMS documentation for how to load the respective certificates into those devices. The following instructions describe how to generate a Certificate Signing Request (CSR) for the EMS Server and how to load the EMS Server's certificate and the trusted root certificates into the NSS certificate database on the EMS Server.

EMS HTTPS and RMI Interfaces

The HTTPS and RMI interfaces use FIPS-compliant TLS 1.0 mode and enforce two-way (mutual) authentication via X.509 certificates on both the server and the client side. (TLS 1.0 is what this release documents; it has since been deprecated by RFC 8996, so check whether the release being deployed can be configured for TLS 1.2.) X.509 certificates and the corresponding private keys are stored in the NSS database located on the EMS Server:

/opt/nss/fipsdb

MP/M3K HTTPS

The HTTPS protocol is used for transferring CMP and auxiliary files from the EMS Server to the MP/M3K. To enable two-way authentication on this connection, the MP/M3K must be pre-loaded with the proper DOD certificates. Refer to the MP/M3K documentation for procedures on how to load those certificates.

North-bound Interface (optional)

Some Network Management Systems (NMS) use HTTPS to transfer Performance Measurement and configuration files from a "north-bound interface" (NBIF) directory on the EMS Server. To enable two-way authentication on this connection, the NMS's HTTPS client must be pre-loaded with the proper DOD certificates. Refer to the NMS documentation for procedures on how to load those certificates.


Procedure for requesting and installing the EMS Server certificates

The following steps should be done on the EMS Server as the "root" user. Capture a log of the SSH session when running these commands to assist with troubleshooting in case there are any issues.

Step 1. Create a seed file for the NSS random number generator.

(ps -elf ; date ; netstat -a) > /tmp/noise

Step 2. Create a password file for the NSS database.

echo fips140-2 > /tmp/pwdfile.txt

Step 3. Create a new certificate database to be used to request and install the new certificate.

tcsh
setenv PATH {$PATH}:/opt/nss/nss-3.12.6-with-nspr-4.8.4/bin
cd /opt/nss
mkdir newcertdb
chmod 755 newcertdb
certutil -N -d newcertdb -g 2048 -f /tmp/pwdfile.txt

Step 4. Generate a Certificate Signing Request (CSR) to be submitted to DOD for a new server certificate for the EMS Server.

NOTE: The Subject field (inside the double quotes after the "-s" option) may need to be changed to match exactly what the DOD requires. The example here should work for the JITC lab but will need to change for other DOD installations.

The echo is run from /bin/sh rather than tcsh because the Solaris /bin/sh echo expands the "\n" escapes into the newline-separated answers that certutil reads from standard input. The first group of answers (0, 2, 9, n) fills in the key-usage menu enabled by "-1": Digital Signature, Key Encipherment, any other number to finish, and "n" to leave the extension non-critical. The second group (1, 0, 9, n) fills in the extended-key-usage menu enabled by "-6": Client Authentication, Server Authentication, finish, non-critical. "-Z SHA1" only selects the hash used to sign the request itself; the signature algorithm of the issued certificate is chosen by the CA.

/bin/sh
echo "0\n2\n9\nn\n1\n0\n9\nn\n" | certutil -R -d newcertdb -s \
 "CN=192.168.0.100,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US" \
 -a -o /tmp/emsserver.csr -g 2048 -f /tmp/pwdfile.txt -z /tmp/noise \
 -Z SHA1 -1 -6
exit

The newly generated CSR (file /tmp/emsserver.csr) will be used by DOD to generate a certificate.

Step 5. Submit the CSR (file /tmp/emsserver.csr) to DOD and request a "Regular SSL Server Certificate" for the EMS Server. DOD's Certificate Authority (CA) should return 3 files: the certificate of the EMS Server (e.g. emsserver.pem), the certificate of the intermediate CA that issued the server certificate (e.g. ca21cert.pem), and the certificate of the root CA (e.g. ca2root.pem). The following instructions assume these example file names. Using a text editor, combine the intermediate and root CA files into a single file called cacert.pem, intermediate first. The file will look something like this (with several lines removed for illustration):


-----BEGIN CERTIFICATE-----
MIIFxzCCBK+gAwIBAgICAK4wDQYJKoZIhvcNAQEFBQAwYDELMAkGA1UEBhMCVVMx
GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMQwwCgYDVQQL
...
p7H3dJmzX9YMtLGkuKxsH5bg6YuZA1TVRRLTvNWyUQNc1QaxqioKQBiFEQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDejCCAmKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzEY
MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsT
...
mO9cW65lIW96mu2pKjJNb+FmW6RAjaDJXFHkN8uP
-----END CERTIFICATE-----

The trusted CA certificate should be the same one used by the gateways. That is, the gateways' certificates must come from the same trusted source as the EMS certificate to allow for proper mutual authentication.

NOTE: Once the new certificates are installed, the EMS Client application must also have a corresponding DOD certificate installed. Submit both the client and the server certificate requests at the same time to ensure there is no downtime. The next major section of this document describes how to request the EMS Client certificate. It is recommended to do that now and return to this step after the DOD certificates are available to complete the installation on the server side.

Step 6. Transfer the emsserver.pem and cacert.pem files to the EMS Server and put them in /tmp. Note that these are text files and should be transferred as such (ASCII mode, not binary).

Step 7. Import the new EMS Server and CA certificates into the EMS Server's new NSS database. (NOTE: The server certificate nickname must be "servercert". Use "cacert" for the CA certificate nickname.)

First, make sure the environment is set up properly if this is a new login session. You must be "root" to complete these steps. If the server has been rebooted since the CSR was generated, recreate /tmp/pwdfile.txt with the command shown in Step 2.

tcsh
setenv PATH {$PATH}:/opt/nss/nss-3.12.6-with-nspr-4.8.4/bin
cd /opt/nss
certutil -A -d newcertdb -n servercert -t u,u,u -a -i /tmp/emsserver.pem \
 -f /tmp/pwdfile.txt
certutil -A -d newcertdb -n cacert -t CTu,CTu,CTu -a -i /tmp/cacert.pem \
 -f /tmp/pwdfile.txt

To verify the certificates were installed in the database properly, run the following command and verify the flag settings as shown:

certutil -L -d newcertdb

servercert u,u,u
cacert CT,C,C



WARNING: If the flags for servercert are shown as ",," instead of "u,u,u", the certificate does not match the private key in the NSS database. The EMS Server WILL NOT WORK in this case. This is probably caused by loading the certificate into the wrong database. Do not proceed without resolving this issue.

To view a text decode of the certificates, run the following commands:

certutil -L -d newcertdb -n servercert
certutil -L -d newcertdb -n cacert

Step 8. Enable FIPS protection on the database. Hit [Enter] when prompted.

modutil -fips true -dbdir newcertdb

NOTE: If any future changes to the certificates are required, FIPS mode must be disabled first (replace "-fips true" with "-fips false" in the modutil command). After the changes are made, FIPS mode must be enabled again with the "-fips true" option.

Step 9. Clean up temporary files.

rm /tmp/pwdfile.txt
rm /tmp/noise

Step 10. Save the default, self-signed certificate database, install the newly created DOD PKI certificate database, and exit the tcsh shell.

cd /opt/nss
mv fipsdb fipsdb_ORIG
mv newcertdb fipsdb
chown -R root:root fipsdb
chmod 644 fipsdb/*
chown emsadmin:dba fipsdb/*.*
cd fipsdb
ln -s /opt/nss/nss-3.12.6-with-nspr-4.8.4/lib/libnssckbi.so libnssckbi.so
exit

Note that "chmod 644" leaves the database files, including the key database that holds the server's private key, readable by every local account; the key database is protected only by the NSS password set in Step 2. If local policy requires tighter permissions, restrict read access to the owner and the group that the EMS Server and Apache processes run as, and confirm after the restarts in Steps 11 and 12 that both processes still start.

Step 11. Use the EmsServerManager to restart the Apache Web Server.

Step 12. Use the EmsServerManager to restart the EMS Server process.

Step 13. If any of the files in the /opt/nss/fipsdb directory are lost or destroyed, the entire certificate request process MUST be repeated. Therefore, save a copy of the ENTIRE directory on a different server or PC for safekeeping. Create a TAR file of the directory as "root":

cd /
tar -cvf /tmp/ems_server_cert_backup.tar opt/nss/fipsdb

Use SCP to copy the file to some other location as an emergency backup. The archive contains the server's private key, so store it with the same protection as the key itself. NOTE: The standard EMS backup process does include a copy of these files; refer to the EMS IOM for procedures for creating the backup. Follow site procedures for saving and storing the backup files.


Step 14. Use the EmsServerManager tool per the EMS IOM to create a backup of the EMS Server. SSH into the server as "acems" and become root to run EmsServerManager.

su - root
EmsServerManager

Select the "Backup the EMS Server" option. Hit [Enter] to begin the backup process. DMP and TAR files are created. Save these files on another server per local site policy.
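As an added example (not part of the AudioCodes document), the following POSIX shell script checks the two artifacts this procedure hands you before the FIPS flag is set in Step 8: that cacert.pem is a well-formed bundle of the intermediate and root certificates from Step 5, and that the "certutil -L" listing shows "servercert" with u,u,u and "cacert" trusted as a CA, which is the check the WARNING after Step 7 describes. It uses only sh and awk, so it runs without NSS installed; the file names, nicknames and listing layout are the ones the document uses, and the sample bundle and listings it builds are constructed placeholders, not real DoD certificates.

```shell
#!/bin/sh
# Added example, not from the AudioCodes EMS document.
# Pre-flight checks for the EMS Server certificate install (Steps 5-7).
# Pure POSIX sh + awk: certutil is not needed to run the checks themselves.

# Count PEM certificate blocks in a file and verify every BEGIN line has a
# matching END line. Prints the count; exit status 1 if the bundle is
# malformed or empty (e.g. a truncated paste into cacert.pem).
count_pem_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; n++ }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0 }
        END { if (open || n == 0) bad = 1; print n + 0; exit bad + 0 }
    ' "$1"
}

# Pull the trust flags for one nickname out of a "certutil -L" listing.
# certutil prints one line per cert: <nickname> <spaces> <SSL,Email,ObjSign>
# so the flags are the last field. Exit 1 if the nickname is not listed.
nss_flags_for() {
    awk -v nick="$2" '$1 == nick { print $NF; found = 1 } END { exit !found }' "$1"
}

# The state Step 7 expects in newcertdb:
#   servercert must show u,u,u  -> private key present in this database
#   cacert must be trusted as a CA for SSL (C or CT in the first slot)
# Anything else, in particular ",," on servercert, means the wrong database
# was used and the EMS Server will not start with it.
check_server_listing() {
    listing=$1
    sflags=$(nss_flags_for "$listing" servercert) || { echo "servercert not in database"; return 1; }
    case "$sflags" in
        u,u,u) ;;
        *) echo "servercert flags '$sflags': certificate does not match the private key"; return 1 ;;
    esac
    cflags=$(nss_flags_for "$listing" cacert) || { echo "cacert not in database"; return 1; }
    case "$cflags" in
        C*) ;;
        *) echo "cacert flags '$cflags': CA is not trusted for SSL"; return 1 ;;
    esac
    echo "ok: servercert=$sflags cacert=$cflags"
}

# Constructed sample inputs (placeholder base64, not real DoD certificates).
make_sample_files() {
    dir=$1
    cat > "$dir/cacert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIFxzCCBK+gAwIBAgICAK4wDQYJKoZIhvcNAQEFBQAwYDELMAkGA1UEBhMCVVMx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDejCCAmKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzEY
-----END CERTIFICATE-----
EOF
    # Truncated paste: the second END line is missing.
    head -n 5 "$dir/cacert.pem" > "$dir/broken.pem"
    # Listing in the layout "certutil -L -d newcertdb" prints, healthy case.
    cat > "$dir/good.txt" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

servercert                                                   u,u,u
cacert                                                       CT,C,C
EOF
    # Certificate imported into a database that lacks its private key.
    cat > "$dir/bad.txt" <<'EOF'
servercert                                                   ,,
cacert                                                       CT,C,C
EOF
}

# Stand-alone run: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_files "$d"
    echo "cacert.pem holds $(count_pem_certs "$d/cacert.pem") certificates"
    check_server_listing "$d/good.txt"
    check_server_listing "$d/bad.txt" || echo "(expected failure above)"
    rm -rf "$d"
fi
```

On a live server, run "certutil -L -d newcertdb > /tmp/listing.txt" from the tcsh session in Step 7 and pass /tmp/listing.txt to check_server_listing; a non-zero exit is the ",," case the WARNING tells you not to proceed past.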

RMI interface between EMS Server and EMS Client (Client side)

The RMI interface uses FIPS-compliant encryption and enforces two-way authentication (by both server and client) via the appropriate X.509 certificates. X.509 certificates and the corresponding private keys are stored in separate NSS databases located on the EMS Server and on the EMS Client, respectively.

Client Database:

C:\Program Files\AudioCodes\EMS Client 6.2.110\externals\security\clientNssDb

EMS Client RMI is used for communication between the EMS Server and the EMS Client. The following instructions are provided to generate a Certificate Signing Request (CSR) for the EMS Client and to load the certificate and trusted root certificates into the NSS certificate database on the EMS Client.

NOTE: If you have a previous version of the EMS Client with valid certificates for your PKI, copy the ENTIRE clientNssDb folder from the old version to the new version. For example, copy this folder:

C:\Program Files\AudioCodes\EMS Client 6.2.84\externals\security\clientNssDb

to the same location for the new version:

C:\Program Files\AudioCodes\EMS Client 6.2.110\externals\security\clientNssDb

Start the new version of the EMS Client application and ignore the remainder of the certificate instructions.

The following steps are done on the EMS Client's PC by a user with Windows Administrator privileges.

Step 1. Stop the EMS Client application.

Step 2. Create a seed file for the NSS random number generator. Create a file called C:\noise.txt and fill it with a long, irregular sequence of characters typed at random. A repeating pattern such as 121212... is a poor seed; the file only needs to be unpredictable, its exact content does not matter.

Step 3. Create a password file for the NSS database. Create a file called C:\pwdfile.txt with this content:

fips140-2


Step 4. Create a new NSS database. Create a new directory (NOTE: on 64-bit Windows 7 the top-level directory may be "Program Files (x86)" instead of "Program Files"):

C:\Program Files\AudioCodes\EMS Client 6.2.110\externals\security\clientNssDb_new

Set the command path and directory. Open a CMD shell (Start->Run...->cmd) and run the following:

PATH="C:\Program Files\AudioCodes\EMS Client 6.2.110\lib";%PATH%
cd C:\Program Files\AudioCodes\EMS Client 6.2.110\externals\security

Create the new certificate database (enter the command on one line in the CMD shell window):

certutil.exe -N -d clientNssDb_new -g 2048

When prompted for a password, enter: fips140-2

Step 5. Generate a Certificate Signing Request (CSR) to be submitted to DOD for a new certificate for the EMS Client.

NOTE: The Subject field (inside the double quotes after the "-s" option) may need to be changed to match exactly what the DOD requires. The example here should work for the JITC lab but will need to change for other DOD installations. Past procedure has been to use the device IP address for the Common Name. Change the following command accordingly and enter it on one line:

certutil.exe -R -d clientNssDb_new -s "CN=100.1.2.3,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US" -a -o C:\clientreq.csr -g 2048 -f C:\pwdfile.txt -z C:\noise.txt -Z SHA1 -1 -6

The command generates a key, which takes a few moments. Then you are prompted with the following menu choices:

0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish

Enter the following in EXACTLY the order shown. The first four answers fill in the key-usage menu above (Digital Signature, Key encipherment, finish, and "n" to leave the extension non-critical); the last three answer the extended-key-usage menu that follows, selecting Client Authentication, finish, non-critical:

0 [Enter]
2 [Enter]
9 [Enter]
n [Enter]
1 [Enter]
9 [Enter]
n [Enter]

The newly generated CSR (file C:\clientreq.csr) will be used by DOD to generate a certificate.


Step 6. Submit the CSR file (C:\clientreq.csr) to DOD and request a "Regular SSL Server Certificate" for the EMS Client. DOD's Certificate Authority (CA) should return 3 files: the certificate of the EMS Client (e.g. clientcert.pem), the certificate of the intermediate CA that issued the EMS Client certificate (e.g. ca21cert.pem), and the certificate of the root CA (e.g. ca2root.pem). The following instructions assume these example file names. Using a text editor, combine the intermediate and root CA files into a single file called cacert.pem. For an example, refer to Step 5 of the EMS Server certificate installation procedure above.

Step 7. Transfer the clientcert.pem and cacert.pem files to the EMS Client PC and put them in C:\. Note that these are text files and should be transferred as such.

Step 8. Import the new EMS Client certificate into the client NSS database. Set the command path and directory. Open a CMD shell (Start->Run...->cmd) and run the following (enter each certutil command on one line):

PATH="C:\Program Files\AudioCodes\EMS Client 6.2.110\lib";%PATH%
cd C:\Program Files\AudioCodes\EMS Client 6.2.110\externals\security
certutil.exe -A -d clientNssDb_new -n clientcert -t u,u,u -a -i C:\clientcert.pem -f C:\pwdfile.txt

Step 9. Import the CA certificate into the client database.

certutil.exe -A -d clientNssDb_new -n cacert -t CT,CT,CT -a -i C:\cacert.pem -f C:\pwdfile.txt

Step 10. Verify the certificates were installed in the database properly by checking the flags shown after running this command:

certutil -L -d clientNssDb_new

cacert CT,C,C
clientcert u,u,u

WARNING: If the flags for clientcert are shown as ",," instead of "u,u,u", the certificate does not match the private key in the NSS database. The EMS Client WILL NOT be able to authenticate to the EMS Server in this case. This is probably caused by loading the certificate into the wrong database. Do not proceed without resolving this issue.

Step 11. Enable FIPS mode. Hit [Enter] when prompted.

modutil -fips true -dbdir clientNssDb_new

NOTE: If any future changes to the certificates are required, FIPS mode must first be disabled (replace "true" with "false" in the modutil command). After the changes are made, FIPS mode must be enabled again with the "-fips true" option.

Step 12. Remove the password and noise files: C:\pwdfile.txt and C:\noise.txt.


Step 13. Save the default, self-signed certificate database and install the newly created DOD PKI certificate database. Open a Windows Explorer window and navigate to the following directory:

C:\Program Files\AudioCodes\EMS Client 6.2.110\externals\security

Rename the original directory from "clientNssDb" to "clientNssDb_ORIG".
Rename the new directory from "clientNssDb_new" to "clientNssDb".

Step 14. Start the EMS Client application.

Step 15. If any of the files in the clientNssDb directory are lost or destroyed, the entire certificate request process MUST be repeated. Therefore, save a copy of the ENTIRE directory on a different server or PC for safekeeping. Use Windows to create a ZIP file of the directory and copy the ZIP file to some other location as an emergency backup. The ZIP file contains the client's private key, so protect it accordingly. NOTE: EMS Client file backups are the sole responsibility of the site; follow local procedures for PC backups. In the event of a disk failure or PC upgrade, use the ZIP file to restore the certificates for use with the EMS Client application.

11. Attachmate Reflection for IT – SSH installation

The default Solaris SSH server does not support two-factor authentication using Common Access Cards (CAC). To support this requirement, the third-party Reflection for IT product from Attachmate provides an SSH server for Solaris that supports CAC authentication. A separate document is provided to install and configure a trial version of Attachmate. Customers are responsible for acquiring a licensed version of the Reflection for IT SSH Server for Unix (Solaris) and the Reflection for IT SSH Client for Windows.

12. CAC authentication configuration

The EMS Client application supports two-factor authentication using CAC. A separate document is provided to explain how to create CAC-based users and how to configure the EMS Client to do CAC authentication instead of user/password authentication.

13. Enable OCSP

The EMS server and client use the Online Certificate Status Protocol (OCSP) to verify that the appropriate certificate has not been revoked by the PKI administrator. OCSP configuration requires these 3 steps on both the server and the client:

Add the OCSP Responder's self-signed certificate to the NSS certificate database

Change the configuration file to enable OCSP and specify the OCSP server's IP and port

Restart the server or client

Enable OCSP for EMS Server

Step 1. Add the OCSP Responder's self-signed certificate to the NSS certificate database. To authenticate the OCSP response, the OCSP responder signs the response using a self-signed certificate. That certificate must be loaded into the EMS Server's NSS certificate database using the nickname "ocspcert". Ask your PKI or system administrator for a copy of the OCSP self-signed certificate in PEM (ASCII) format. These commands assume the file is called /tmp/ocspcert.pem.


The following steps should be done on the EMS Server with the “root” user. First, make a backup copy of the current certificate database in case there are any problems.

cp -r /opt/nss/fipsdb /opt/nss/fipsdb_SAVE

Create a password file for the NSS database if it doesn't already exist.

echo fips140-2 > /tmp/pwdfile.txt

Set up the environment.

tcsh

setenv PATH {$PATH}:/opt/nss/nss-3.12.6-with-nspr-4.8.4/bin

cd /opt/nss

Disable FIPS mode.

modutil -fips false -dbdir fipsdb

Add OCSP certificate to database.

certutil -A -d fipsdb -n ocspcert -t CT,CT,CT -a -i /tmp/ocspcert.pem \
 -f /tmp/pwdfile.txt

To verify the certificates were installed in the database properly, run the following command, and verify the flag settings as shown for the OCSP certificate:

certutil -L -d fipsdb

ocspcert CT,C,C

Enable FIPS mode.

modutil -fips true -dbdir fipsdb

Close the tcsh environment.

exit

Step 2. Change the configuration file to enable OCSP and specify the OCSP server's IP and port. Edit the generalConfig.properties file.

cd /ACEMS/server_6.2.110/externals/configurationProperties

vi generalConfig.properties

The end of the file contains these 4 lines:

#OCSP configuration

isOCSPEnabled=false

ocspResponderURL=http://example.com/ocsp/status

ocspResponderCertNickname=ocspcert


Change the isOCSPEnabled value to "true". Change the ocspResponderURL to match the IP and port of the OCSP responder. Here is an example:

#OCSP configuration

isOCSPEnabled=true

ocspResponderURL=http://192.200.1.11

ocspResponderCertNickname=ocspcert

The above example uses port "80", the default port for OCSP. If another port is used, for example "8080", add the port to the end of the URL preceded by a colon: http://192.200.1.11:8080. The ocspResponderCertNickname ("ocspcert") MUST match the certificate nickname used in Step 1.

Step 3. Restart the server. Use the EmsServerManager tool to stop and start the EMS Server process. The nohup.out file in /ACEMS/server_6.2.110 contains server process diagnostics. View the file to verify that it contains the string "OCSP is enabled".

Enable OCSP for EMS Client

Step 1. Add the OCSP Responder's self-signed certificate to the NSS certificate database. To authenticate the OCSP response, the OCSP responder signs the response using a self-signed certificate. That certificate must be loaded into the EMS Client's NSS certificate database using the nickname "ocspcert". Ask your PKI or system administrator for a copy of the OCSP self-signed certificate in PEM (ASCII) format. These commands assume the file is called C:\ocspcert.pem.

The following steps should be done on the EMS Client PC with Administrator privilege. First, close any running instance of the EMS Client application. Then make a backup copy of the current certificate database in case there are any problems. Using Windows Explorer, make a backup of this folder:

C:\Program Files\AudioCodes\EMS Client 6.2.110\externals\security\clientNssDb

Create a file called C:\pwdfile.txt using any text editor (e.g. Notepad) and add this line:

fips140-2

Set command path and directory. Open a CMD shell (Start->Run…->cmd) and run the following.

PATH="C:\Program Files\AudioCodes\EMS Client 6.2.110\lib";%PATH%

cd C:\Program Files\AudioCodes\EMS Client 6.2.110\externals\security

Disable FIPS mode.

modutil -fips false -dbdir clientNssDb

Add OCSP certificate to database.

certutil.exe -A -d clientNssDb -n ocspcert -t CT,CT,CT -a -i C:\ocspcert.pem -f C:\pwdfile.txt


To verify the certificates were installed in the database properly, run the following command, and verify the flag settings as shown for the OCSP certificate:

certutil -L -d clientNssDb

ocspcert CT,C,C

Enable FIPS mode.

modutil -fips true -dbdir clientNssDb

Step 2. Change the configuration file to enable OCSP and specify the OCSP server's IP and port. Edit the generalConfig.properties file using Notepad or any text editor.

cd C:\Program Files\AudioCodes\EMS Client 6.2.110\externals\configurationProperties

notepad generalConfig.properties

The end of the file contains these 4 lines:

#OCSP configuration

isOCSPEnabled=false

ocspResponderURL=http://example.com/ocsp/status

ocspResponderCertNickname=ocspcert

Change the isOCSPEnabled value to "true". Change the ocspResponderURL to match the IP and port of the OCSP responder. Here is an example:

#OCSP configuration

isOCSPEnabled=true

ocspResponderURL=http://192.200.1.11

ocspResponderCertNickname=ocspcert

The above example uses port "80", the default port for OCSP. If another port is used, for example "8080", add the port to the end of the URL preceded by a colon: http://192.200.1.11:8080. The ocspResponderCertNickname ("ocspcert") MUST match the name used when adding the certificate in Step 1.

Step 3. Start the client. Launch the EMS Client application. Notice in the Java console window that OCSP is enabled.

IMPORTANT NOTE REGARDING OCSP: If the OCSP responder is down or does not respond, the EMS Client application will NOT connect to the EMS Server; the error message only indicates that the server could not be reached. Likewise, if the EMS Server cannot contact the OCSP responder, the server process stops and is only restarted when OCSP can verify the certificates. If the OCSP responder is down for an extended period of time, the EMS Server process may give up trying to restart, and you must restart the server processes manually using EmsServerManager. Treat the responder's availability as part of the EMS service's availability and monitor it. The responder URL being plain HTTP is normal for OCSP: the response is signed by the responder certificate loaded in Step 1, which is what the EMS verifies.
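The edit in Step 2 is the same on the server and on the client, and both procedures end with a manual check that the three keys are consistent. As an added example (not part of the AudioCodes document), the following POSIX shell functions make that edit on a copy of generalConfig.properties and verify it: the responder URL must carry a scheme and, if present, a numeric port (the document's ":8080" form), and ocspResponderCertNickname must equal the nickname passed to "certutil -A -n" in Step 1. The key names are the ones shown above; the sample properties file the script builds is constructed, and a real run would point the functions at /ACEMS/server_6.2.110/externals/configurationProperties/generalConfig.properties (or the client's copy) instead.

```shell
#!/bin/sh
# Added example, not from the AudioCodes EMS document.
# Enable OCSP in generalConfig.properties (Step 2 of both procedures above)
# and verify the result. POSIX sh + awk only.

# Read key=value from a Java-style properties file (last occurrence wins).
# Matches the key at the start of the line and keeps everything after the
# first "=", so a URL containing "=" survives intact.
get_prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Replace key=value in place, or append it if the key is absent.
# Done with awk rather than sed so "/" and "&" in a URL need no escaping.
set_prop() {
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The responder URL shape the document uses: http://host or http://host:port,
# optionally with a path. Rejects a bare IP (no scheme) and a non-numeric or
# out-of-range port, both of which would otherwise only surface as the
# "server could not be reached" failure described in the IMPORTANT NOTE.
valid_responder_url() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    hostport=${1#*://}
    hostport=${hostport%%/*}
    [ -n "$hostport" ] || return 1
    port=${hostport##*:}
    if [ "$port" != "$hostport" ]; then
        case "$port" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    fi
    return 0
}

# Check the invariants the document states after the edit.
# $2 is the nickname given to "certutil -A -n" in Step 1 (default ocspcert).
verify_ocsp() {
    file=$1; nick=${2:-ocspcert}
    [ "$(get_prop "$file" isOCSPEnabled)" = "true" ] || { echo "isOCSPEnabled is not true" >&2; return 1; }
    valid_responder_url "$(get_prop "$file" ocspResponderURL)" || { echo "ocspResponderURL is malformed" >&2; return 1; }
    [ "$(get_prop "$file" ocspResponderCertNickname)" = "$nick" ] || { echo "nickname does not match the NSS nickname" >&2; return 1; }
}

# Make the Step 2 edit, refusing a malformed URL before touching the file.
enable_ocsp() {
    file=$1; url=$2; nick=${3:-ocspcert}
    valid_responder_url "$url" || { echo "refusing bad responder URL: $url" >&2; return 1; }
    set_prop "$file" isOCSPEnabled true
    set_prop "$file" ocspResponderURL "$url"
    set_prop "$file" ocspResponderCertNickname "$nick"
    verify_ocsp "$file" "$nick"
}

# Constructed sample: the tail of generalConfig.properties as shipped.
make_sample_config() {
    cat > "$1" <<'EOF'
someOtherSetting=1
#OCSP configuration
isOCSPEnabled=false
ocspResponderURL=http://example.com/ocsp/status
ocspResponderCertNickname=ocspcert
EOF
}

# Stand-alone run: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_config "$f"
    enable_ocsp "$f" http://192.200.1.11:8080 && cat "$f"
    rm -f "$f"
fi
```

Because set_prop rewrites the file through a temporary copy, run it as the account that owns generalConfig.properties so the ownership the EMS Server expects is preserved, and keep the backup of the NSS database from Step 1 until the "OCSP is enabled" line appears in nohup.out (server) or the Java console (client).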