Sun N1 Service Provisioning System 5.1 Installation Guide

Security Configuration Decisions

Network Protocol – Raw, SSH, SSL

The installation program prompts you to choose a network protocol for communication among the software applications. For the Master Server, you can choose raw (TCP/IP) or SSL. For Local Distributors, Remote Agents, and CLI Clients, you can choose raw (TCP/IP), SSH, or SSL.

Raw (TCP/IP) is an insecure communication protocol: the traffic is neither encrypted nor authenticated. When you use this connection protocol with the provisioning system, anyone with network access to a server that has an N1 Service Provisioning System 5.1 application installed on it can connect to the provisioning system and issue commands. If you choose raw, you can reduce this exposure by configuring the security policy file to accept connections only from servers that have N1 Service Provisioning System 5.1 applications installed. For more details, see Chapter 9, Configuring the Java Virtual Machine Security Policy.

SSL is more secure than raw. If you select SSL, you must also specify which cipher suite mode to use: encryption with no authentication, or encryption with authentication. Encryption with no authentication protects the traffic from passive eavesdropping, but neither end proves its identity, so it is similar to using raw in that anyone with network access to a server that has a provisioning system application installed on it can connect to the provisioning system and issue commands; it also does not stop an attacker on the network path from impersonating either end of the connection. Encryption with authentication is the most secure choice when using SSL. You can further secure the provisioning system by configuring the security policy file to accept connections only from servers that have N1 Service Provisioning System 5.1 applications installed. For more details, see Chapter 9, Configuring the Java Virtual Machine Security Policy. For more information about SSL, see Chapter 8, Configuring the N1 Service Provisioning System 5.1 for SSL.


Note –

When you use SSL with a Local Distributor on an AIX server, the SSL cipher suite is set to encryption with authentication. Encryption with no authentication is not available for Local Distributors that are running on AIX servers.


SSH is the most secure network protocol and is supported only on Linux and UNIX based platforms. To use SSH with the N1 Service Provisioning System 5.1, you must install SSH software on your servers. For more information, see Chapter 7, Configuring the N1 Service Provisioning System 5.1 to Use Secure Shell.


Note –

If you choose SSH as the network protocol for communication between the Master Server and the CLI Clients, the IP address of the Master Server is set to 127.0.0.1 and the communication protocol for the Master Server is set to raw, so the Master Server accepts raw connections only on its loopback interface rather than from the network. You must configure the CLI Client to connect to the Master Server using SSH.


HTTP or HTTPS

You can choose for the browser interface to use Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) to connect to the Master Server. If you select HTTP, anyone on the network path can intercept data that is transmitted between the browser interface and the Master Server. Also, an attacker might impersonate the Master Server to obtain sensitive data from the browser interface, such as user passwords.

HTTPS transfers data more securely than HTTP. HTTPS requires a keystore file, which holds the certificate and private key that identify the Master Server to browsers, and the keystore password that protects it. You must create a keystore file and a keystore password for the provisioning system to use.
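The two cipher suite modes described under Network Protocol above, and the server impersonation that HTTP leaves open, come down to whether each end of the connection must prove its identity with a certificate. The following Go program is an added example and is not N1 Service Provisioning System code: it uses Go's crypto/tls in place of the product's SSL implementation and Java keystore, builds a throwaway PKI in memory (the names sps-ca, rogue-ca, master-server and remote-agent are constructed for the demo), and then connects a client to a loopback server under each policy. With client authentication off, a peer with no certificate at all is accepted, which is the "encryption with no authentication" situation; with it on, only a peer holding a certificate issued by the trusted CA gets through, and a client that checks the server certificate refuses an impostor presenting a certificate from a different CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue makes a certificate for name with a fresh Ed25519 key. A nil parent
// gives a self-signed certificate (used for the two CAs); otherwise parent signs it.
func mustIssue(name string, parent *tls.Certificate, isCA bool) *tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy: nothing sensible to do in a demo
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey.(ed25519.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// attempt starts a Master-Server-like TLS listener on loopback with the given policy,
// dials it as an SPS client would, and reports whether the handshake completed and
// the server's reply arrived. clientAuth is the "encryption with authentication"
// choice; client == nil models a peer with nothing to present.
func attempt(server *tls.Certificate, clientAuth bool, client *tls.Certificate, trusted *x509.CertPool) bool {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{*server}, MinVersion: tls.VersionTLS12}
	if clientAuth {
		srvCfg.ClientAuth, srvCfg.ClientCAs = tls.RequireAndVerifyClientCert, trusted
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("OK")) // Write runs the handshake, which fails for untrusted peers
			c.Close()
		}
	}()
	cliCfg := &tls.Config{RootCAs: trusted, ServerName: "master-server", MinVersion: tls.VersionTLS12}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return false // the server's certificate did not chain to trusted
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2)) // under TLS 1.3 a client-auth failure surfaces here
	return err == nil
}

// Scenarios builds a constructed PKI (a trusted CA and a rogue CA, labelled as such)
// and reports, per server policy and peer, whether the connection was accepted.
func Scenarios() map[string]bool {
	ca, rogueCA := mustIssue("sps-ca", nil, true), mustIssue("rogue-ca", nil, true)
	master, agent := mustIssue("master-server", ca, false), mustIssue("remote-agent", ca, false)
	impostor, rogueAgent := mustIssue("master-server", rogueCA, false), mustIssue("remote-agent", rogueCA, false)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	return map[string]bool{
		"no client auth, anonymous client": attempt(master, false, nil, trusted),       // like raw: anyone connects
		"client auth, anonymous client":    attempt(master, true, nil, trusted),        // rejected
		"client auth, trusted agent":       attempt(master, true, agent, trusted),      // accepted
		"client auth, agent from rogue CA": attempt(master, true, rogueAgent, trusted), // any cert is not enough
		"impostor master, trusted agent":   attempt(impostor, true, agent, trusted),    // client refuses the server
	}
}

func main() { fmt.Println(Scenarios()) }
```

The point to take from the last two scenarios is that authentication means chaining to a CA you chose, not merely possessing a certificate: a rogue CA can mint a "master-server" or "remote-agent" certificate at will, and only the trust anchor configured on each side (the keystore and its password in the product's case) keeps it out.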

The installation program prompts you to select HTTP or HTTPS. If you choose HTTPS, the installation program prompts you to enter the keystore file and keystore password. The installation program offers two options for providing the keystore file and the keystore password:

If you select HTTP during installation, you can manually configure the Master Server to use HTTPS. For instructions, see Configuring HTTPS After Selecting HTTP During Installation.