This section provides security-based troubleshooting information.
The N1 System Manager uses strong encryption techniques to ensure secure communication between the management server and each managed server.
On servers running Linux, the keys used by the N1 System Manager are stored under the /etc/opt/sun/cacao/security directory. On servers running the Solaris OS, these keys are stored under the /etc/opt/SUNWcacao/security directory.
The security keys used by the N1 System Manager must be identical across all servers. Under normal operation, the security keys can be left in their default configuration. You might have to regenerate security keys from time to time:
If there is a risk that the root password of the management server has been exposed or compromised, regenerate the security keys.
If the system date on the management server has been changed using the date command, regenerate the security keys. After such a change, there is a risk that the next time the N1 System Manager management daemon, n1sminit, is restarted, the management server provides no services. In this case, the keys must be regenerated and the N1 System Manager management daemon restarted, as explained in How to Regenerate Common Agent Container Security Keys.
On the management server as root, stop the N1 System Manager management daemon.
# /etc/init.d/n1sminit stop
Regenerate security keys using the create-keys subcommand.
If the management server is running Linux:
# /opt/sun/cacao/bin/cacaoadm create-keys --force
If the management server is running the Solaris OS:
# /opt/SUNWcacao/bin/cacaoadm create-keys --force
As root on the management server, restart the N1 System Manager management daemon.
# /etc/init.d/n1sminit start
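The requirement that the security keys be identical across all servers can be checked by comparing file digests of the key directory on each server. The following script is an added example, not part of the N1 System Manager software; the script name keycheck.sh and the function names are hypothetical, and it assumes that every file under the key directory is expected to match on all servers.

```sh
#!/bin/sh
# Added example, not part of the N1 System Manager software.
# Assumption: every file under the key directory should match across servers.

# Map an OS name (as printed by `uname -s`) to the key directory given on this page.
security_dir_for_os() {
    case "$1" in
        Linux) echo /etc/opt/sun/cacao/security ;;
        SunOS) echo /etc/opt/SUNWcacao/security ;;
        *)     echo "unsupported OS: $1" >&2; return 1 ;;
    esac
}

# SHA-256 of one file: sha256sum where available, otherwise Solaris digest(1).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        digest -a sha256 "$1"
    fi
}

# Print one "digest  path" line per regular file under directory $1, sorted by
# path. Only digests are printed, never key material.
key_manifest() {
    (
        cd "$1" || exit 1
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            printf '%s  %s\n' "$(hash_file "$f")" "$f"
        done
    )
}

# Exit 0 only if two saved manifests are identical; otherwise print the lines that differ.
manifests_match() {
    diff "$1" "$2"
}

# As root on each server: sh keycheck.sh --print > manifest.<hostname>
# Then copy the manifests to one host and compare them with diff.
if [ "${1:-}" = "--print" ]; then
    dir=$(security_dir_for_os "$(uname -s)") && key_manifest "$dir"
fi
```

Any line that differs between the management server's manifest and a managed server's manifest names a file to review on that server.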
The following list provides general security considerations that you should be aware of when you are using the N1 System Manager:
The Java™ Web Console that is used to launch the N1 System Manager's browser interface uses self-signed certificates. These certificates should be treated with the appropriate level of trust by clients and users.
The terminal emulator applet that is used by the browser interface for the serial console feature does not provide certificate-based authentication of the applet. The applet also requires that you enable SSHv1 for the management server. For certificate-based authentication or to avoid enabling SSHv1, use the serial console feature by running the connect command from the n1sh shell.
SSH fingerprints that are used to connect from the management server to the provisioning network interfaces on the provisionable servers are automatically acknowledged by the N1 System Manager software. This automation might make the provisionable servers vulnerable to “man-in-the-middle” attacks.
The Web Console (Sun ILOM Web GUI) autologin feature for Sun Fire X4100 and Sun Fire X4200 servers exposes the server's service processor credentials to users who can view the web page source for the Login page. To avoid this security issue, disable the autologin feature by running the n1smconfig utility. See Configuring the N1 System Manager System in Sun N1 System Manager 1.2 Installation and Configuration Guide for details.