General Security - Management and Security Server Administrator Guide

5.2 General Security

The General Security panel prompts you to set (or change) passwords, configure smart card settings, and set other security options.

5.2.1 Server access protocol

By default, Management and Security Server allows browsers to use the HTTP protocol to communicate between the client computer and the Management and Security Server. Although HTTP is universally available, information exchanged over HTTP is sent in clear text, so anyone on the network path can read or alter it, including the administrator password submitted at logon.

To secure your passwords and other sensitive data, we recommend that you require browsers to connect to Management and Security Server using the HTTPS protocol, which provides TLS/SSL encryption. To require HTTPS:

  • Check Require HTTPS for connections to the Management and Security Server.

  • Make sure TLS/SSL is enabled on your web server.

    If you installed Management and Security Server with the automated installer, TLS/SSL is enabled with a self-signed server certificate.

    NOTE: When users first request a session, they may see a warning that the certificate is not trusted by their browser. Generally, users can choose to permanently accept the certificate. Before they do, they should confirm the certificate's fingerprint with the administrator out of band: a user who accepts whatever certificate is presented cannot tell the real server from one interposed on the path.

    If your web server uses a certificate signed by a popular Certificate Authority, most browsers are able to establish a TLS/SSL connection without going through the security warning.

Use the HTTPS Certificate Utility to manage the Administrative Server certificate. The HTTPS Certificate Utility installs with Management and Security Server, and is available from the Start menu.


5.2.2 Change administrator password

Each time you log on to Management and Security Server as an administrator, you enter a password, which opens the Administrative Console:

<hostname>/adminconsole

To change the administrative password, you can either

  • use the Administrative Console (Configure Settings - General Security).

  • run the Password Change Utility.

Running the Password Change Utility

The Password Change Utility lets you reset the administrative password without logging in to the Administrative Server. Because it bypasses the Administrative Server logon, it is protected only by operating-system access to the machine and to the install directory; restrict both accordingly.

To change the password:

  1. Choose an option to run the installed PasswordChangeUtility.

    • On Windows: Run the utility from the install location:

      [MssServerInstall] ...\MSS\utilities\bin\PasswordChangeUtility.exe

    • On UNIX or Linux: Run the utility from

      … /mss/utilities/bin/PasswordChangeUtility

    • On a command line: run the utility in command line mode (-c).

  2. Follow the prompts to change and save the password.

  3. Restart the MSS Server.


5.2.3 Restrict administrator account

Use these settings to limit access to the Management and Security Server administrator account.

IP range

Enter a range of IP addresses, either IPv4 or IPv6, for devices that are allowed to log in as administrator. Connections from IP addresses outside this range are rejected even when the correct password is entered.

Note: If the designated machines have multiple IP addresses, enter every address the client might connect from. Keep in mind that it is the source address the Administrative Server sees that is compared, so if administrators connect through a NAT device or reverse proxy, that device's address, not the workstation's, must be in the range.

You can use an asterisk (*) as a wild card in any part of the IP address. Use a single * (the default) to allow anyone with the password to log in as administrator. To restrict access, you must include * or a number in each section of the address.

Use a hyphen (-) to indicate an inclusive range of addresses and a comma (,) to list individual addresses. Examples:

Table 5-1

  This entry...                   allows access from...
  *                               all IP addresses
  123.*.*.*                       all IP addresses that begin with 123
  123.123.4.5 - 123.123.4.7       only 123.123.4.5, 123.123.4.6, and 123.123.4.7
  123.*.*.*, 246.246.0.1          all IP addresses that begin with 123, and from 246.246.0.1
  123.123.4.5                     only the given IP address

Maximum allowed attempts before lockout

After a user has attempted to log in to the administrator account the specified number of times without providing the correct password, the user is locked out for the duration set in the next field. This feature helps to guard against brute force attacks; pair it with the IP range restriction above so that only the addresses you permit can consume login attempts at all.

A zero (0) here or in the following field disables the lockout feature. This is the default.

Lockout duration (seconds)

This field specifies the length of time a user remains locked out after the specified number of failed login attempts. This feature helps to guard against brute force attacks.

A zero (0) here or in the preceding field disables the lockout feature. This is the default.
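The following added example (my code, not Management and Security Server code) implements the IP range syntax from Table 5-1 and the lockout counter above so that the two can be exercised together. It assumes IPv4 addresses only, that a range is written with two concrete addresses, and, because the guide does not say, that a login rejected for being outside the IP range does not count toward the lockout threshold; the clock is injected so that lockout expiry can be tested without waiting.

```python
"""Administrator access checks from 5.2.3: the IP range filter and the lockout counter."""
import ipaddress
import time


def _parse_mask(pattern):
    """A single mask is '*' alone, or four sections each of which is '*' or a number 0-255."""
    if pattern == "*":
        return ["*"] * 4
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"{pattern!r}: every section of the address needs '*' or a number")
    for part in parts:
        if part != "*" and not (part.isdigit() and int(part) <= 255):
            raise ValueError(f"{pattern!r}: bad section {part!r}")
    return parts


def _mask_matches(parts, addr):
    # addr.packed yields the four octets; a '*' section matches any value
    return all(p == "*" or int(p) == octet for p, octet in zip(parts, addr.packed))


def admin_ip_allowed(setting, client_ip):
    """True when client_ip falls inside the 'IP range' setting (comma list, '-' ranges, '*' wildcards)."""
    addr = ipaddress.IPv4Address(client_ip)          # assumption: IPv4 only in this example
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:                             # inclusive range between two concrete addresses
            lo, hi = (ipaddress.IPv4Address(s.strip()) for s in entry.split("-", 1))
            if lo <= addr <= hi:
                return True
        elif _mask_matches(_parse_mask(entry), addr):
            return True
    return False


class AdminLockout:
    """Failed-attempt counter; a zero in either setting disables lockout, as in the guide."""

    def __init__(self, max_attempts, lockout_seconds, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable so expiry can be tested without sleeping
        self.failures = 0
        self.locked_until = None

    @property
    def enabled(self):
        return self.max_attempts > 0 and self.lockout_seconds > 0

    def is_locked(self):
        if self.locked_until is None:
            return False
        if self.clock() >= self.locked_until:        # lockout has expired; start a fresh count
            self.locked_until = None
            self.failures = 0
            return False
        return True

    def record_failure(self):
        self.failures += 1
        if self.enabled and self.failures >= self.max_attempts:
            self.locked_until = self.clock() + self.lockout_seconds

    def record_success(self):
        self.failures = 0


def attempt_admin_login(ip_range_setting, lockout, client_ip, password_ok):
    """Evaluate one administrator login; check order is an assumption, not taken from the guide."""
    if not admin_ip_allowed(ip_range_setting, client_ip):
        return "denied: ip not in range"             # rejected even if the password is correct
    if lockout.is_locked():
        return "denied: locked out"
    if not password_ok:
        lockout.record_failure()
        return "denied: bad password"
    lockout.record_success()
    return "allowed"
```

A deployment that sets both lockout fields to 0 (the default) keeps `AdminLockout.enabled` false, so failures are counted but never lock; the IP range check still applies regardless.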


5.2.4 Require new login

These settings control when an administrator or user must log in again.

Require a new login to the server after an inactive period (minutes)

Management and Security Server times out when a user has not launched a session or otherwise interacted with the Administrative Server during the specified time. The user must log in again to open a new host session or access the Administrative Console. Host sessions that are already open are not affected.

NOTE: When you are configuring sessions and settings, you may want to lengthen the timeout period to avoid disruption. Reset it to the shorter value when you are done.

Require new login for each host session launched by a user

When LDAP authentication is in effect, you can require users to log in to the Administrative Server each time they launch a session. This option does not apply when the user is logged in as administrator.


5.2.5 Smart card settings

Smart cards store digital certificates that can be used to validate (authenticate) a user’s identity to the network. Digital certificates are used in X.509 systems, and are part of an organization’s public key infrastructure (PKI). Smart card support is available only on Windows platforms.

From a user's smart card, only one certificate is used to authenticate to Management and Security Server. By default, smart card support is available for sessions using PKCS #11 (Public-Key Cryptography Standard #11) middleware, such as ActivCard.

The default setting

Management and Security Server’s default smart card parameter specifies the provider, sunpkcs11, and the associated certificate attributes.

If you use a different provider, enter the smart card provider along with certificate attributes to identify valid certificates on the user's smart card. For details and examples, see About smart card parameters.

Smart card libraries

Smart card libraries are required when using sunpkcs11 to access smart cards. (MSCAPI uses DLLs that ship with Windows, and the provider DLLs do not need to be specified in this field.)

SunPKCS11 requires one or more PKCS #11 libraries, such as the one shipped with ActivClient. Following the library examples provided in Management and Security Server, a newer ActivClient release would use acpkcs211 in place of acpkcs, and acpkcs211.dll in place of acpkcs201.dll. Separate multiple library names with commas.

Note: When using ActivClient7 with Management and Security Server, you must include the full Windows short (MS-DOS) path to the dll. For example, the short path on a Windows x64 system would be C:\PROGRA~2\ActivIdentity\ActivClient\acpkcs211.dll

Paths on a Windows machine can use either forward slash (/) or backward slash (\) file designations.

About smart card parameters

Smart card parameters can be used as filters to identify valid certificates on a user's smart card.

The smart card setting in Management and Security Server includes the smart card provider and certificate attributes as a filter to select a valid identity certificate.

Smart Card Provider

The first part of the parameter identifies the software provider that Management and Security Server should use to access the smart card certificate reader on the client machine.

In the default parameter, sunpkcs11 (the Java PKCS #11 provider, which loads Public-Key Cryptography Standard #11 libraries) is the intended software provider. Another valid provider is MSCAPI (Microsoft CryptoAPI, native to Windows).

If you use a smart card provider other than sunpkcs11, enter the provider followed by the desired certificate attributes. A colon (:) is required to separate the provider from the filter when multiple masks are used (See Certificate Attributes).

Certificate Attributes

The next part of the default parameter is made up of two filters, separated by a semi-colon (;). Each filter consists of Object-ID (OID) masks that specify certificate attributes. The masks specify which certificate attributes (encoded tokens) MUST (+) or MUST NOT (-) be on the certificate before it can be used for login or client authentication.

The default parameter specifies these attributes:

  • KU+DIGSIG,KU-NONREP,EKU+CLIAUTH,EKU+SCLOGIN,EKU-EMLPROT;
  • KU+DIGSIG,KU+NONREP,EKU-NONE.

For the first filter, each attribute is TRUE under the following conditions. When every attribute in the filter is TRUE, the certificate is valid and can be used for authentication.

  • KU+DIGSIG: Key Usage of Digital Signature OID MUST be present in the certificate.

  • KU-NONREP: Key Usage of Nonrepudiation OID MUST NOT be present in the certificate.

  • EKU+CLIAUTH: Extended Key Usage of Client Authentication OID MUST be present in the certificate.

  • EKU+SCLOGIN: Extended Key Usage of Smart Card Login OID MUST be present in the certificate.

  • EKU-EMLPROT: Extended Key Usage of Email Protection (called Secure Email) OID MUST NOT be present in the certificate.

If any attribute in the first filter is FALSE, the second filter is tried instead. For the second filter in the default parameter, each attribute is TRUE under these conditions:

  • KU+DIGSIG: Key Usage of Digital Signature OID MUST be present in the certificate.

  • KU+NONREP: Key Usage of Nonrepudiation OID MUST be present in the certificate.

  • EKU-NONE: Extended Key Usage MUST NOT be present in the certificate.
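An added example (my code, not Management and Security Server code) that parses a parameter in the provider:filter;filter form described above and applies the two default filters to constructed certificates. Certificates are plain dicts of the KU and EKU token names used in this section rather than parsed X.509 objects; the OIDS table is informational only, and, as an assumption, a parameter with no colon and therefore no filter accepts no certificate at all (fail closed).

```python
"""Smart card parameter filters from 5.2.5, evaluated against a certificate's key-usage data."""
import re

# Standard identifiers behind the guide's token names, for reference; the logic keys on the names.
OIDS = {
    "EKU:CLIAUTH": "1.3.6.1.5.5.7.3.2",        # id-kp-clientAuth
    "EKU:SCLOGIN": "1.3.6.1.4.1.311.20.2.2",   # Microsoft Smart Card Logon
    "EKU:EMLPROT": "1.3.6.1.5.5.7.3.4",        # id-kp-emailProtection
    "KU:DIGSIG": "KeyUsage.digitalSignature",   # KeyUsage bit 0
    "KU:NONREP": "KeyUsage.nonRepudiation",     # KeyUsage bit 1 (contentCommitment)
}

_MASK = re.compile(r"^(KU|EKU)([+-])([A-Z0-9]+)$")


def parse_smartcard_parameter(parameter):
    """Split 'provider:filter;filter' into (provider, filters); each filter is a list of masks."""
    provider, colon, filter_text = parameter.partition(":")
    filters = []
    if colon:
        for filter_spec in filter_text.split(";"):
            masks = []
            for token in (t.strip() for t in filter_spec.split(",")):
                if not token:
                    continue
                match = _MASK.match(token)
                if not match:
                    raise ValueError(f"bad mask {token!r}: expected KU or EKU, + or -, then a name")
                ext, sign, name = match.groups()
                masks.append((ext, sign == "+", name))   # (extension, MUST be present?, attribute)
            if masks:
                filters.append(masks)
    return provider.strip(), filters


def _mask_true(mask, cert):
    """A mask is TRUE when the attribute is present (+) or absent (-) as the mask requires."""
    ext, required, name = mask
    values = cert["ku"] if ext == "KU" else cert["eku"]   # None: the extension is not on the cert
    if name == "NONE":                                     # EKU-NONE: the whole extension must be absent
        return (values is not None) == required
    if values is None:
        return not required
    return (name in values) == required


def matching_filter(filters, cert):
    """Index of the first filter whose masks are all TRUE, or None when the cert cannot be used."""
    for index, masks in enumerate(filters):
        if all(_mask_true(m, cert) for m in masks):
            return index
    return None


def select_certificates(parameter, certs):
    """Certificates on the card that the parameter accepts, in card order (none if no filter)."""
    _, filters = parse_smartcard_parameter(parameter)
    return [c for c in certs if matching_filter(filters, c) is not None]


DEFAULT_PARAMETER = ("sunpkcs11:KU+DIGSIG,KU-NONREP,EKU+CLIAUTH,EKU+SCLOGIN,EKU-EMLPROT;"
                     "KU+DIGSIG,KU+NONREP,EKU-NONE")

# Constructed sample card: the certificate mix typical of a PIV/CAC-style card.
SAMPLE_CARD = [
    {"label": "authentication", "ku": {"DIGSIG"}, "eku": {"CLIAUTH", "SCLOGIN"}},
    {"label": "signature", "ku": {"DIGSIG", "NONREP"}, "eku": None},
    {"label": "encryption", "ku": {"KEYENC"}, "eku": {"EMLPROT"}},
]
```

With the default parameter the authentication certificate passes the first filter, the signature certificate fails it on KU-NONREP but passes the second, and the encryption certificate passes neither, which is exactly the selection the two filters are written to produce.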


5.2.6 Certificate chooser prompt

After a user inserts a smart card and enters the Personal Identification Number (PIN), a list of certificates displays. Use this setting to select how the user is prompted to choose a certificate.

Show certificate prompt

This default option requires the user to choose the correct certificate each time they log on. In the displayed list, the Type column can help to identify the proper certificate.

Show certificate prompt and allow user to save selection

This option allows the user to save the certificate selection. When the user chooses to save the selection, the cached certificate is used for this connection and the user will not be prompted to choose the certificate on subsequent logons.


5.2.7 Enable identity verification

When a session is set to use TLS to connect to the host or the Security Proxy Server, the emulator applet authenticates the server to which it is connecting using the host or security proxy certificate.

When Enable server identity verification is selected, the applet checks the common name on the certificate against the name of the host or server. You must ensure that the common name on the server certificate is the same as the name of the host or proxy server to which it has been issued.

When Enable server identity verification is cleared, the applet still verifies that the server presents a certificate from a trusted issuer, but it does not check that the server presenting the certificate is the one the certificate was issued to. Any server holding any certificate your clients trust could then stand in for the host or proxy, so leave the option selected unless a name mismatch you cannot correct forces you to clear it.

If the connection uses TLS, the common name on the server certificate must always match the host or security proxy server name, regardless of whether server identity verification is selected.

You can override this setting on a per session basis with the serverIdentityOverride applet parameter.
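The added example below (my code, not the emulator applet's) shows what server identity verification adds on top of the trust check, using constructed certificates in the dict shape Python's ssl.getpeercert() returns. It goes slightly beyond the text above by also accepting DNS subjectAltName entries and single-label wildcards, which is how current TLS clients perform the name check; the trusted flag stands in for the chain validation the applet always performs, which is outside this example.

```python
"""Server identity verification from 5.2.7: name check on top of the trust check."""


def _dns_name_match(pattern, hostname):
    """Exact match, or a leading '*' that covers exactly one DNS label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return False


def certificate_names(peercert):
    """Names the certificate was issued to: DNS SANs, or the subject common name if there are none."""
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in peercert.get("subject", ()) for key, value in rdn if key == "commonName"]


def certificate_matches_host(peercert, hostname):
    return any(_dns_name_match(name, hostname) for name in certificate_names(peercert))


def applet_accepts_server(peercert, trusted, hostname, verify_identity):
    """Trust is always required; the name check runs only when identity verification is enabled."""
    if not trusted:
        return False, "certificate not trusted"
    if verify_identity and not certificate_matches_host(peercert, hostname):
        return False, f"certificate issued to {certificate_names(peercert)}, not to {hostname}"
    return True, "ok"


# Constructed certificates in ssl.getpeercert() form (not real certificates).
PROXY_CERT = {
    "subject": ((("commonName", "proxy.example.test"),),),
    "subjectAltName": (("DNS", "proxy.example.test"),),
}
OTHER_CERT = {   # trusted and validly issued, but to a different server
    "subject": ((("commonName", "other.example.test"),),),
    "subjectAltName": (("DNS", "other.example.test"),),
}
```

The case to look at is OTHER_CERT: with verification enabled it is refused for proxy.example.test, with verification cleared it is accepted, because trust alone says nothing about which server the certificate belongs to.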


5.2.8 Change keystore password

You can set a password to protect keystores and private keys that are stored on the Management and Security Server. The password set here protects the keystores in the MSSData/trustedcerts folder, which includes:

  • the Management and Security Server certificate and private key

  • the client certificate and private key

  • the imported certificates on the Terminal Emulator Client trusted certificate list, which are listed on the Configure Settings - Trusted Certificates panel

For details about the trustedcerts keystores and other credential stores in MSS, see the Technical Reference, Credential stores used in Management and Security Server.

To change the password for this keystore, enter the existing password and the new password. Click Apply. If a keystore password has not been previously set, leave the Existing password field blank.

NOTE: This password does not protect:

  • the trusted certificates from certificate authorities (CA) for the Terminal Emulator Client that are listed in the Trusted Root Certificate Authorities table on the Configure Settings - Trusted Certificates panel.

  • the Management and Security Server Trusted Certificate list.

To change the password that protects these certificates, see Keystore Password for the Trusted Certificates List.

Keystore Password for the Trusted Certificates List

The Administrative Server uses the JVM (Java virtual machine) default password, changeit, to protect the Administrative Server's trusted certificate list. That default is the same on every Java installation, so change it; the password guards the list against tampering (adding a rogue CA) rather than against disclosure, since it holds only public certificates. The keystore for the Administrative Server trusted certificate list is stored within the java.home directory for the JVM that is installed with the Administrative Server.

The default location on a Windows platform is C:\Program Files\Micro Focus\MSS\jre\jre\lib\security. The keystore is stored in the cacerts file.

To change the password that protects the Administrative Server's trusted certificate list:

  1. Open a Command Prompt. Change to the installation directory. On a Windows platform using the default installation, change to C:\Program Files\Micro Focus\MSS\jre\jre\lib\security. The cacerts file is in this directory.

  2. Enter the following command:

    ..\..\keytool.exe -storepasswd -v -new new_pass -keystore cacerts

    Where new_pass is your new password, and cacerts is the file in which the keystore is stored.

  3. In the Enter keystore password prompt, type the current password, which by default is changeit, and press Enter.

    The new password is saved to cacerts.

  4. Use your new password (new_pass in this example) to import an untrusted certificate when configuring LDAP or to view and modify trusted certificates on the Configure Settings - Trusted Certificates panel.


5.2.9 PKI Server

You can use PKI Services Manager to validate client certificates used to authenticate to Management and Security Server.

NOTE: PKI Services Manager is available as a separate download from the same product download page as Host Access Management and Security Server.

Two options can be set on this panel to use PKI Server:

  • when the authentication method is X.509 with Fallback to LDAP authentication

    Check this box if you want PKI Services Manager to validate the certificates used to authenticate to Management and Security Server.

  • by the terminal emulation and file transfer clients

    Check this box if you want PKI Services Manager to validate the certificates used to authenticate the clients.

After the PKI Services Manager is installed and configured, enter:

  • PKI Server address: the name or IP address of the computer running PKI Services Manager.

  • PKI Server port: the PKI Services Manager port. (The default is 18081.)


5.2.10 Keychain

The keychain stores the passwords and passphrases (such as LDAP server passwords) used by the Management and Security Server. The keychain file is encrypted and is unlocked for use by the Management and Security Server at server startup. The keychain file is located in MSSData/rweb.keychain.

You can also set a password for the keychain, using these settings.

  • Use a keychain password file to allow unattended server startup

    This setting is enabled by default and allows the Management and Security Server to start unattended. The keychain password is written to the keychain password file MSSData/rweb.pwd. On subsequent server startup or restart, the keychain password is read from that file and the keychain is unlocked without any action by the administrator. Be aware of the trade-off: the secret that unlocks the keychain then sits on the same disk as the keychain itself, so the filesystem permissions described in the note at the end of this section are the only thing keeping it from other local users.

    Note: When this option is not checked, the keychain must be manually unlocked by the system administrator by running the KeychainUtility application. (The Keychain Utility, installed with Management and Security Server, is available from the Start menu.)

  • Keychain port for submitting the unlock password

    This setting defines the port number that the keychain service listens on. To change the default port (12797), enter a local port number from 1 to 65535. Or, enter 0 to allow a random port assignment.

    This port is accessed by the KeychainUtility when the keychain must be manually unlocked.

  • Existing password for unlocking the keychain file

    The default password is changeit, the same well-known default the JVM uses for its keystores. Change it.

  • New password and Confirm new password

    Enter a case-sensitive password.

Note: The system administrator MUST restrict the filesystem permissions for the rweb.keychain and rweb.pwd files to only read/write access by root and the process that runs the Management and Security Server. All other access to these files must be denied.
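To turn the note above into a repeatable check, here is an added example (my code, not a Management and Security Server utility) that audits and tightens the mode and ownership of the two files on a POSIX system. The directory path, the allowed uids and the sample files are parameters or constructed data, not the real MSSData location; rweb.pwd is treated as legitimately absent when the password-file option is off.

```python
"""Permission check for the keychain files named in 5.2.10."""
import os
import stat
import tempfile

KEYCHAIN_FILES = ("rweb.keychain", "rweb.pwd")


def audit_keychain_permissions(mssdata_dir, service_uids=(0,)):
    """Findings for the keychain files; empty when each is owned by an allowed uid with no group/other bits."""
    findings = []
    for name in KEYCHAIN_FILES:
        path = os.path.join(mssdata_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            if name == "rweb.keychain":          # rweb.pwd is absent when unattended startup is off
                findings.append(f"{name}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append(f"{name}: mode {mode:04o} grants group/other access")
        if st.st_uid not in service_uids:
            findings.append(f"{name}: owned by uid {st.st_uid}, not root or the service account")
    return findings


def harden_keychain_permissions(mssdata_dir):
    """Clear group/other bits on whichever of the files exist; returns the names changed."""
    changed = []
    for name in KEYCHAIN_FILES:
        path = os.path.join(mssdata_dir, name)
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            os.chmod(path, mode & 0o700)
            changed.append(name)
    return changed


def current_uid():
    return os.getuid()


def make_sample_mssdata(mode=0o644):
    """Constructed test data: a throwaway directory holding both files with the given (lax) mode."""
    directory = tempfile.mkdtemp(prefix="mssdata-")
    for name in KEYCHAIN_FILES:
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("placeholder, not a real keychain\n")
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    sample = make_sample_mssdata()
    allowed = (0, current_uid())
    print(audit_keychain_permissions(sample, service_uids=allowed))
    print("hardened:", harden_keychain_permissions(sample))
    print(audit_keychain_permissions(sample, service_uids=allowed))
```

Run the audit from a cron job or your configuration-management tool against the real MSSData directory with the service account's uid in service_uids; ownership is reported but deliberately not changed, since a chown is a decision for the administrator.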
