trainingbook wallix

TRAINING BOOK For partners and integrators only

Upload: rocky4u

Post on 17-Jul-2016


DESCRIPTION

wallix technical doc



Copyright

This document is the property of WALLIX and is not to be reproduced without the prior consent of the company. All product names or company names mentioned in this document are registered trademarks that belong to their owners.


Introduction

This document was designed to help you better understand and implement Wallix AdminBastion (WAB). It will be your reference if you wish to build on the modules that were introduced to you. We deliberately chose a practical and technical approach for this document: it will help you find the answers to your questions about the WAB after the training. You will also find in this document several scenarios describing situations end users may face in everyday use of the WAB, and the responses to bring depending on the issue encountered.


TABLE OF CONTENTS

Module 1: Introduction to the WAB
• What is the WAB? 6
• Technical composition of the WAB 7
• How does the WAB work? 8
• How to install a physical WAB? 9
• How to directly connect through SSH from a Linux workstation? 10
• How to initiate an SSH connection from a Windows workstation with Putty? 12
• How to initiate an RDP connection from a Linux workstation? 14
• How to initiate an RDP connection from Windows with the TSE client? 15
• How to initiate an RDP connection from the RDP selector? 16
• How to initiate an http(s) connection from the browser? 17
• How to install a Virtual Appliance? 18
• How to integrate a Virtual Appliance in ESX? 19
• Configure the appliance through the web interface 26

Module 2: What are the WAB commands?
• WAB's useful commands in CLI mode 30
• WAB-HA commands 30
• Theoretical functioning of the WAB-HA 31
• Architecture and functioning of the WAB-HA cluster 32
• Some useful system commands 33

Module 3: The support scenarios
• Scenario 1: Changing the GUI self-signed certificate 34
• Scenario 2: Unlocking the super admin account 35
• Scenario 3: WAB-HA split-brain 36
• Scenario 4: The Telnet and Rlogin connection script 37
• Scenario 5: The RDP connection options: Copy/Paste 38

Module 4: The WAB innovations
• The HTTP/HTTPS protocol 44
• Secondary passwords management 46
• The OCR in RDP sessions 47

Conclusion 48


MODULE 1: INTRODUCTION TO THE WAB


What is the WAB?

The WAB is a solution designed for the technical teams which administer IT infrastructures (servers, network devices, security devices) within a company. The WAB meets the needs for traceability of actions and for access control of administrators and/or external providers. The WAB is a multi-protocol authentication proxy integrating access control (ACLs), traceability and session recording features. It acts as a transit area for users who wish to connect to devices. The WAB checks every authentication element provided by the user, as well as the granted access rights, before allowing the connection to the target device.

Features of the WAB

The WAB supports the SSH protocol (and its subsystems), Telnet, Rlogin, RDP, VNC and HTTP(S). Connection automation to devices and single sign-on mean better ease of use and increased productivity for operations and maintenance teams. The WAB integrates a web-based graphical interface (also called GUI), validated under Mozilla Firefox© 4.x, Safari 5, Google Chrome and Internet Explorer© 7 and 8, which enables the supervision of its activity, the monitoring of connections and the configuration of the various modules.


Technical composition of the WAB

The WAB integrates 5 modules:

• An application module in Python
• An LDAP directory
• An Apache module
• A MySQL database
• A Debian Squeeze Linux operating system

Each module handles the following characteristics. The LDAP directory handles the ACL engine and contains the WAB configuration concerning:

• Users
• Resources (devices)
• Groups
• Connections to devices via the proxies (SSH, RDP, HTTP)
• Authentication phases
• Session recordings

The GUI and backups are handled by the Apache module:

• Access to the graphical interface
• The network configuration system
• Backups

The MySQL database contains:

• The history of connections, except for some configuration parameters such as remote storage of recordings and time services

Debian operating system:

• SSHD server listening on port 2242
• Video session files in the « filesystem » if the recording is done locally
• System information (Syslog, SNMP, NTPD...)

Open ports that can be accessed from outside:

• 22: SSH server listening port (the SSH proxy; the system SSHD for administration listens on 2242)
• 3389: RDPproxy listening port
• 443: Web interface (https) listening port


How does the WAB work?

The example of use below describes how users and administrators interact and how the WAB works internally.

- Diagram: internal functioning of WAB 3.0 -

This diagram gives a global view of how WAB 3.0 works internally.


How to install a physical WAB?

By default, the IP address of the WAB is 192.168.10.5. There are two ways to connect to the WAB appliance:

1) Direct mode: connect a screen to the VGA plug and a keyboard to the USB plug. You can then open a system session on the appliance with the following credentials:

Login: wabadmin
Password: SecureWabAdmin

2) Network mode: from a Linux, Windows or Mac OS X desktop, either directly connected to the appliance via an RJ45 cable (not supplied with the appliance) or on your network, by assigning your machine an IP address in the 192.168.10.0/24 subnet other than 192.168.10.5. Please make sure you use the RJ45 connector marked "GB1".

Network mode:

• with an ssh client on port 2242 (Linux, Mac OS X) or the « putty » software (Windows, Linux)
• appliance IP address: 192.168.10.5

PLEASE NOTE: for security reasons, we recommend changing the password of the « wabadmin » account on the very first connection ("passwd" command). This user is configured by default to gain "root" privileges through the "sudo -i" command.


How to directly connect through SSH from a Linux workstation?

Let's take the example of user Martin wishing to connect to the suse-248 server via the testwab account, through the WAB. If you know the target server, the command is the following:

# ssh testwab@suse-248:Martin@WAB

How to initiate an SSH connection through the selector « connect_to » from a Linux workstation?

If you wish to connect through the SSH selector, the command is the following:

User Martin first has to initiate the connection. The WAB then requests a password validation in order to authorize user Martin to connect. As soon as the password is checked and accepted, a menu listing user Martin's access rights to target SSH servers appears. User Martin has to choose the ID corresponding to the server he wishes to connect to.

Connection process: the credentials are checked in the LDAP directory. The proxy checks:

• The end-user IP address
• Whether a restricted access has been defined
• The user account profile
• The time schedules of the group to which the user account belongs
• The user's ACLs (allowed protocol and authorized resources)

If the user is authorized to connect to the device, the session recording starts shortly after the recording agreement. PLEASE NOTE: if the user refuses that the session be recorded at the RDPproxy level, or if the MySQL database is unavailable, then the connection to the server is rejected.


How to initiate an SSH connection from a Windows workstation with Putty?

Fill in the WAB IP address or FQDN: wab.mycorp.lan
Specify the default port of the WAB proxy: 22
Specify the target account to reach: testwab@suse-248

The process is then the same as for initiating an SSH connection from a Linux workstation.


How to initiate an RDP connection from a Linux workstation?

Connection process: the user « wallix » wants to connect to the Windows server win2k3-103 with the domain account RADTEST\wallix via the rdesktop command:

# rdesktop -u RADTEST\wallix@win2k3-103:wallix wab

User « wallix » can then fill in his password to access the target device.
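To make the login syntax of the SSH and RDP commands above concrete, here is an added Python example (not WAB's own code) that parses the primary-connection login string the proxy receives: account@device:wab_user for SSH, DOMAIN\account@device:wab_user for RDP, and a bare wab_user when the selector menu is wanted. The character set accepted for each component is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not WAB code: parse the login string the WAB proxy receives as the
# SSH/RDP username, in the forms shown on the page:
#   testwab@suse-248:Martin            (SSH: account@device:wab_user)
#   RADTEST\wallix@win2k3-103:wallix   (RDP: DOMAIN\account@device:wab_user)
#   Martin                             (no target: the selector menu is shown)

_NAME = re.compile(r"^[A-Za-z0-9._-]+$")   # assumed charset for every component


@dataclass(frozen=True)
class WabLogin:
    wab_user: str                    # user authenticated by the WAB (primary connection)
    target_account: Optional[str]    # account on the device; None = selector mode
    target_device: Optional[str]     # device name as declared in the WAB
    domain: Optional[str] = None     # Windows domain for RDP targets


def _check(value: str, what: str) -> str:
    if not _NAME.match(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def parse_wab_login(login: str) -> WabLogin:
    """Split a primary-connection login into its WAB user and target parts."""
    if ":" not in login:
        # Selector mode ("connect_to"): only the WAB user is given.
        return WabLogin(_check(login, "WAB user"), None, None)
    target, _, wab_user = login.rpartition(":")
    account, sep, device = target.rpartition("@")
    if not sep:
        raise ValueError(f"expected account@device before ':' in {login!r}")
    domain, _, account = account.rpartition("\\")   # '' when there is no DOMAIN\ prefix
    return WabLogin(
        wab_user=_check(wab_user, "WAB user"),
        target_account=_check(account, "target account"),
        target_device=_check(device, "target device"),
        domain=_check(domain, "domain") if domain else None,
    )


def split_ssh_destination(dest: str) -> Tuple[WabLogin, str]:
    """'testwab@suse-248:Martin@WAB' as typed to ssh: the client keeps what follows
    the LAST '@' as the host and hands the rest to the WAB as the username."""
    user, sep, host = dest.rpartition("@")
    if not sep or not host:
        raise ValueError(f"no host part in {dest!r}")
    return parse_wab_login(user), host
```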


How to initiate an RDP connection from Windows with the TSE client?

The user launches the « mstsc » command from the "Start / Run" menu.

The user fills in the WAB IP address or FQDN "wab.mycorp.lan".

The user fills in the target server name and its account.


How to initiate an RDP connection from the RDP selector?

For a user on a Unix/Linux desktop, use the rdesktop command as follows:

# rdesktop wab.mycorp.lan

For a user on a Windows desktop, launch the "mstsc" command (please see above) and fill in the IP address of the WAB or its FQDN in the "Computer" field. Then, in the RDPproxy login zone, fill in the user login and password in order to reach the selector as illustrated below. You can now choose the server you want to access and click on the « connect » button.

- ProxyRDP Selector -

The user's information is checked in the WAB through the « WABRDPAuthentifier » or « SESMAN » process. The proxy connects to the AD or Kerberos directory of the Windows server and submits the credentials. The LDAP directory of the WAB answers YES or NO to confirm whether the user is listed in the directory. If the password is valid and the ACLs are checked, SESMAN connects the user to the server through the WAB's internal RDPproxy, "redemption".


How to initiate an http(s) connection from the browser?

An http(s) connection can be initiated from the GUI, in the "my authorizations" area, or a primary direct connection to the http(s) proxy can be made as follows:

https://ip_of_the_wab_or_fqdn:8080

After the credentials (login/password) are checked and validated in the proxy login area, the window below opens. It is now time to choose and click on the target device to access.

- HTTP(S)proxy Selector -


How to install a Virtual Appliance?

By default, the IP address of the WAB is 192.168.10.5. To connect to the appliance and open a system session, please use this default account:

Login: wabadmin
Password: SecureWabAdmin

Connection from the network:

• On your network, assign your machine an IP address in the 192.168.10.0/24 subnet other than 192.168.10.5.
• Then connect to the GUI to configure the new IP address and the other network parameters necessary for the proper functioning of the WAB.

IMPORTANT: for security reasons, we recommend changing the password of the « wabadmin » account on the very first connection ("passwd" command). This user is configured by default to gain "root" privileges through the "sudo -i" command.


How to integrate a Virtual Appliance in ESX?

The minimal configuration required for a virtual appliance is:

• RAM: 512 MB
• Disk space: 10 GB
• CPU: 1 cpu

1) Unzip the WAB VM archive. Open the ESX hypervisor and click on the name of the ESX host which will host the VM.

2) Go to the « Configuration » tab, then in the « Hardware » menu click on « Storage ». Right-click on the « Datastore » on which the VM must be installed and select « Browse Datastore ».

3) Click on « Upload file to this datastore », then select « Upload folder ».

4) Then select the file that contains the WAB VM and click OK.

5) Once the copy is finished, open the WAB VM file, right-click on the "vmx" file and select "Add to inventory".

6) Name your VM (WAB in our example) and click Next.

7) The WAB VM is now ready to work. We recommend you adjust the resources in accordance with your needs (CPU, RAM, etc.): right-click on the name of the VM (WAB in our example) and select "Edit Settings".


Configure the appliance through the web interface

In order to access the WAB web interface, type the following URL in your browser: https://ip_address_of_WAB (or its FQDN). Then connect as an administrator:

Login: admin
Password: admin

- Login screen of the Wallix AdminBastion -


Network information

Network information is accessed via the left menu: System configuration / Network. Through this interface, all the network parameters necessary for the proper functioning of the WAB appliance are set.

- System settings / Network -


License Key

The WAB integrates a license control mechanism that checks that the use of the product complies with the terms and conditions of the business agreement. The terms and conditions of this contract are encoded in a license key provided by WALLIX. Appliances are delivered with a default license key that carries the following information:

• Validity duration: 30 days (from the first boot onwards)
• Maximum number of devices: 15
• Maximum number of simultaneous primary connections (connections between the client and the WAB): 5
• Maximum number of simultaneous secondary connections (between the WAB and the servers): 5

The characteristics of the license can be accessed through the System configuration / Licence menu:

- System settings / License -


MODULE 2: WHAT ARE THE WAB COMMANDS?


WAB's useful commands in CLI mode

COMMAND | FEATURE | IN USE? | OPTIONS
WABGetLicence | Gives information on the current license | YES | Type --help
WABDropLicence | Resets the license | YES | Type --help
WABSetLicence | Updates the license | YES |
WABSessionExportLog | Clears the WAB sessions over a given period of time | YES | Use the -h option to list the options
WABUpdateConfigurator | Updates the WAB from the WALLIX repository | YES | Use the -h option to list the options

In the following directory we also find the script /opt/wab/bin/.tools/WABResetConfig. WABResetConfig resets the WAB by clearing all the data.

WAB-HA Commands

COMMAND | FEATURE | IN USE?
WABHASetup | Enables clustering | YES
/etc/init.d/wabha stop | Stops the HA services on the local node | YES
/etc/init.d/wabha start | Starts the HA services on the local node | YES
/etc/init.d/wabha stop_cluster | Stops the WAB services on both nodes | YES
/etc/init.d/wabha start_cluster | Starts the WAB services on both nodes | YES

Network reconfiguration of the cluster: in a screen session, as root (sudo -i), run WABHASetup --reconfigure_hosts. This enables the network reconfiguration of the WAB-HA.

Replacement of a faulty node: WABHASetup --configure_new_slave enables the reintegration of a new slave node.

Recovery of a faulty volume: execute WABHAInitd --force stop on both nodes (master & slave), then:

# umount /var/wab {slave}
# drbdadm primary wab {master}
# fsck.ocfs2 -y -f /dev/drbd1 {master}


Theoretical functioning of the WAB-HA

Below is a sequence diagram that shows how the WAB-HA processes interact with the system, in chronological order.

- Sequence diagram: WAB-HA processes -


Architecture and functioning of the WAB-HA cluster

In WAB 3.0, we chose the DRBD technology for better data synchronization in failover mode (active/passive). DRBD is similar to a RAID over IP.

The implementation of DRBD gives access to a new /dev/drbd1 storage device. In case of downtime on the master node (serv-A), the service switches to the slave node (serv-B), where the data is already accessible. The DRBD volume, /dev/drbd1, is then "organized" into file systems on the passive machine, which then becomes active. For this kind of architecture, we favored block-level data synchronization rather than the rsync synchronization used in version 2 of the WAB. Eventually, WALLIX will switch to active/active mode. To do so, you need a file system able to operate in a "distributed" architecture; hence the early choice and integration of Oracle's file system, OCFS2, also known as a "shared disk file system", in version 3 of the WAB.


Some useful system commands

To get the WAB version: # dpkg -l wab2
To get the active ports and services with their PID: # netstat -nlpt
To get a service PID, slapd for instance: # ps aux | grep slapd
To display the system logs in real time: # tail -f /var/log/syslog
To get the WAB license info: # WABGetLicence
To get the LDAP server content: # slapcat
To get the WAB IP address(es): # ip a l


MODULE 3: THE SUPPORT SCENARIOS

Scenario 1: Changing the GUI self-signed certificate

Use case: replace the files located in /etc/opt/wab/apache2/ssl.crt:

• ca.crt (the root authority certificate)
• server.pem (the public key)
• server.key (the private key)
• crl.pem (the certificate revocation list, if available)

Once the files have been replaced, restart the GUI by issuing the following command:

# /etc/init.d/wabgui restart

Check that the new server.key is the private key matching server.pem before restarting: Apache refuses to start on a mismatched pair and the GUI would stay down.


Scenario 2: Unlocking the admin account

Use case: just after a WAB update, it can sometimes occur that the admin account used to connect to the portal is locked.

Fix: connect to the WAB console as "wabadmin", then issue sudo -i to get root rights. Issue the following commands:

# ldapdelete -x -D cn=admin,dc=WAB -w admin cn=admin,ou=WAB_Users,dc=WAB
# /opt/wab/bin/WABRestoreDefaultAdmin


Scenario 3: WAB-HA split-brain

Use case: the shutdown of the servers and their return to service can cause the disks to be desynchronized. In such a case, the system is unable to know which appliance is more up to date and consequently has to be elected as the master.

Fix: to fix the problem, you first have to identify which node is the master and which node is the slave. Then apply the following process:

On the slave node:

# drbdadm secondary wab
# drbdadm -- --discard-my-data connect wab

On the master node:

# drbdadm connect wab

Then on both nodes:

# /etc/init.d/wabha start

The node on which --discard-my-data is run loses the changes it made since the split, so be sure which node holds the most recent data before choosing the slave.


Scenario 4: The Telnet and Rlogin connection scripts

Use case: the user has to write the following script when setting up his device. Let's take the scenario of a 3Com SuperStack switch as an example:

SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n

This script means:

1) Send a Windows-type CR
2) Wait (no more than 10 seconds) for the character string "login:"
3) Send the login
4) Wait (no more than 10 seconds) for the character string "Password:"
5) Send the password

For Rlogin devices, only the password is awaited, thus the following connection script works for a connection to an Rlogin system running Debian 5.0 Lenny:

EXPECT:(?i)Password:
SEND:$password\r\n
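As an added illustration (not WAB's own script engine), the following Python interpreter runs a SEND:/EXPECT: script of the format above against a constructed fake device console, applying the 10-second limit on each EXPECT and the $login/$password substitution; the fake device, its prompts and the credentials are constructed for the example, and the "Username:" device shows what happens when the prompt regex does not match.

```python
import re
import time
from typing import Callable, List, Tuple

# Added example, not WAB's own engine: an interpreter for SEND:/EXPECT: connection
# scripts, exercised against a constructed fake device console.
EXPECT_TIMEOUT = 10.0  # the page: each EXPECT waits no more than 10 seconds
# The two scripts quoted on the page (3Com SuperStack switch, Rlogin on Debian Lenny).
THREECOM_SCRIPT = ("SEND:\\r\\n\nEXPECT:(?i)login:\nSEND:$login\\r\\n\n"
                   "EXPECT:(?i)Password:\nSEND:$password\\r\\n")
RLOGIN_SCRIPT = "EXPECT:(?i)Password:\nSEND:$password\\r\\n"

def parse_script(text: str) -> List[Tuple[str, str]]:
    """One step per non-empty line: SEND:<text> or EXPECT:<regex>; anything else is rejected."""
    steps = []
    for line in filter(None, map(str.strip, text.splitlines())):
        verb, sep, arg = line.partition(":")
        if not sep or verb not in ("SEND", "EXPECT"):
            raise ValueError(f"unknown script line: {line!r}")
        steps.append((verb, arg))
    return steps

def expand(arg: str, login: str, password: str) -> bytes:
    """Substitute $login/$password, then turn the literal \\r \\n escapes into bytes."""
    s = arg.replace("$login", login).replace("$password", password)
    return s.replace("\\r", "\r").replace("\\n", "\n").encode("latin-1")

def run_script(steps, send: Callable[[bytes], None], read: Callable[[float], bytes],
               login: str, password: str, timeout: float = EXPECT_TIMEOUT) -> int:
    """Run the steps over a transport; read(seconds) blocks at most that long and returns
    b'' if nothing arrived. Returns the number of prompts matched; TimeoutError otherwise."""
    buf, matched = b"", 0
    for verb, arg in steps:
        if verb == "SEND":
            send(expand(arg, login, password))
            continue
        pattern = re.compile(arg.encode("latin-1"))  # the inline (?i) flag works on bytes
        deadline = time.monotonic() + timeout
        while not (m := pattern.search(buf)):
            chunk = read(max(0.0, deadline - time.monotonic()))
            if not chunk:
                raise TimeoutError(f"EXPECT {arg!r}: no prompt within {timeout}s")
            buf += chunk
        buf = buf[m.end():]  # consume through the prompt so the next EXPECT starts clean
        matched += 1
    return matched

class FakeDevice:
    """Constructed stand-in for a device console (not a real 3Com or Rlogin server):
    answers each SEND with the prompt a login dialogue would show next."""
    def __init__(self, login: str, password: str,
                 prompts: Tuple[bytes, bytes] = (b"Login: ", b"Password: "),
                 initial: bytes = b""):
        self.login, self.password = login.encode(), password.encode()
        self.login_prompt, self.password_prompt = prompts
        self.out = initial  # Rlogin-style devices prompt before any input
        self.authenticated = False
    def send(self, data: bytes) -> None:
        if data == b"\r\n":
            self.out += b"\r\n" + self.login_prompt
        elif data == self.login + b"\r\n":
            self.out += b"\r\n" + self.password_prompt
        elif data == self.password + b"\r\n":
            self.authenticated = True
            self.out += b"\r\nMenu options: "
    def read(self, _seconds: float) -> bytes:
        out, self.out = self.out, b""  # b"" at once: nothing more is coming
        return out

def connect(script: str, device: FakeDevice, login: str, password: str) -> bool:
    """Drive the device with the script; True when it accepted the credentials."""
    run_script(parse_script(script), device.send, device.read, login, password)
    return device.authenticated
```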


Scenario 5: The RDP connection options: Copy/Paste

Use case: an RDP session from a Windows workstation can be opened in two ways: from the WAB web interface or directly from the Terminal Server client ("Remote Desktop Connection"). If the user connects to the target device with the RDP configuration file, the copy/paste feature won't work.

Fix: download the RDP configuration file from the WAB web interface: in the "my authorizations" panel, one click on the floppy icon allows the user to download to his workstation the RDP configuration file for his Terminal Server client.


The user can now set his session parameters:


Then he clicks on the “Local Resources” tab and on the “Options” button:


To finish, the user checks the “Drive” checkbox to select the drive to mount on the remote device.


Connection with the Windows TSE client: in the Start menu / "Search programs and files", type the command: mstsc

The user fills in the WAB IP address.

The user fills in the target account and his login.


MODULE 4: THE WAB INNOVATIONS

• The HTTP/HTTPS proxy
• Secondary passwords management
• The RDP sessions OCR


The HTTP / HTTPS protocol

To enable the administration of web-based devices, we have integrated an http(s) proxy in the WAB.

In our case, the WAB, through its http proxy, acts as a buffer (as illustrated in the picture) between the user and the web server, so it can render the user's actions as below:


- HTTP(S) session -

We have successfully tested the proxy on the following devices:

• BitDefender Remote Admin

• Cisco Access Point Configuration Utility - AP541N-K9-2.0

• Dell OpenManage Switch Administrator - PowerConnect 2848

• Dell iDRAC Enterprise

• Dell iDRAC Express

• F5 BIG-IP 10.1 TLM

• GLPI administration interface - 0.78

• Switch NetGear GS724T

• Wallix AdminBastion Web UI - 3.0

• Wallix LogBox Web UI - 2.1

• Zabbix 1.8

Here are some limitations of the HTTP(S) proxy. Even though we have tested it on several devices, it could face issues when used with:


• Javascript code making, for instance, calls to remote targets
• Java applets or Flash items which communicate over protocols other than http(s)
• http(s) sessions based on cookies, which currently cannot be cut


SECONDARY PASSWORDS MANAGEMENT

The WAB allows you to remotely change the passwords of Windows and Unix/Linux device accounts. The supported systems are:

• Unix system local accounts handled by the "passwd" command
• Windows 2003 and 2008 server local accounts
• Active Directory accounts

In order to set up this target account password-changing policy, you have to follow the 3 steps of the diagram below:

Step 1: Set up the frequency and load the administrator GPG/PGP keys
Step 2: Set up the administrator rights
Step 3: Turn on the changing on each account, whether automatically or manually

It is important to keep in mind that at each password change, the administrators whose keys have been loaded will receive an encrypted notification, confirming that the change has really occurred or specifying the cause of the failure.

The OCR in RDP sessions

OCR (optical character recognition) is intended for the translation of pictures of printed text into text files. To address this need inside RDP sessions, we have integrated OCR software so that the WAB can capture the text in the recorded pictures and put it in a .meta file which can be used in a text processor:

[email protected],administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.flv
[email protected],administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.meta

This feature allows the window titles to be captured, as shown in the example below:


- WAB Audit / Connections history / Active Window titles -

Conclusion

This guide is dedicated to the engineers who are expected to perform level 1 support. Every technical point has been addressed, but it will change following the product roadmap. For more complex issues, please keep in mind that Wallix is at your disposal.
