3 Implementing ELAP Security
This chapter explains security related configuration settings that may be applied to the ELAP.
3.1 ELAP Support for HTTPS on GUI
The ELAP Support for HTTPS on GUI feature enables the use of the HTTPS protocol, which supports encryption of data exchanged between the web server and the browser. After a fresh installation of ELAP, the GUI is accessible via HTTPS only; the HTTP protocol is disabled since there is no encryption. For more information, see ELAP Support for HTTPS on GUI in Administration and LNP Feature Activation Guide.
3.2 User and Group Administration
The ELAP user interface (UI) comes pre-defined with UI users to provide a seamless transition to the GUI. For instance, there is a pre-defined user that is used to access the User Administration menu, as shown in Table 3-1.
Table 3-1 ELAP UI Logins
Login Name | Access Granted |
---|---|
elapmaint | Maintenance menu and all submenus |
elapdatabase | Database menu and all submenus |
elapdebug | Debug menu and all submenus |
elapplatform | Platform menu and all submenus |
uiadmin | User Administration menu |
elapall | All of the above menus |
elapconfig | Configuration menu and all submenus (text-based UI) |
The User Administration menu is used to set up and perform administrative functions for users and groups, and also to maintain an authorized IP address list, terminate active sessions, and modify system defaults.
Figure 3-1 User Administration Menu

Establishing Groups and Group Privileges
Each user is assigned to a group, and permissions to a set of functions are assigned to the group. The permissions determine the functions and restrictions for the users belonging to the group. ELAP users can fall into one of the following default groups:
- maint
- database
- platform
- debug
- admin
- readonly
The readonly group is the default group for new users. The readonly group contains only actions that view status and information.
The Groups menu allows administrator access to group functions to add, modify, delete, and retrieve a group. For more information, see Groups Menu under User Administration Menu in Administration and LNP Feature Activation Guide.
Creating Users and Assigning to Groups
Each user that is allowed access to the user interface is assigned a unique username. This username and associated password must be provided during login.
Prior to adding a user, determine which group the user should be assigned to, based on the user's operational role. The group assignment determines the functions that the user can access. After determining the proper group for a user, use the Users menu to add the user.
In addition to the group permissions that apply to a user, the administrator can set other user-specific permissions or restrictions for a specific user when adding the user. The Users menu can also be used to modify, delete, and retrieve user accounts, and to reset passwords. For more information, see Users Menu under User Administration Menu in Administration and LNP Feature Activation Guide.
3.3 User Authentication
Users are authenticated through a unique username and password when logging in to the UI. The following rules govern passwords:
- Must be at least eight characters in length
- Must include at least one alpha character
- Must include at least one numeric character
- Must not contain three or more of the same alphanumeric character in a row
- Must not contain three or more consecutive ascending or descending alphanumeric characters in a row
- Must not contain the user account name or its reverse
- Must contain at least one of the following special punctuation characters: question mark (?), period (.), exclamation point (!), comma (,), or semicolon (;)
- Must not use blank, null, or default passwords
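The rules above can be checked before a password is submitted to the GUI. The script below is an added example, not code from the ELAP guide or from Oracle: it implements the rules in POSIX sh and awk so it runs on the ELAP shell or any Linux host. Two points the guide does not spell out are treated as assumptions: "alphanumeric" is taken to mean letters and digits only, and runs, sequences and the account-name check are evaluated case-insensitively. The sample passwords and the account name uiadmin are constructed for the demonstration; the "default password" rule cannot be scripted here because the script does not know the defaults.

```shell
#!/bin/sh
# Added example, not from the ELAP guide: check a candidate UI password against
# the rules listed in section 3.3 before it is submitted to the GUI.
# Assumptions: "alphanumeric" means letters and digits; runs, sequences and the
# account-name check are evaluated case-insensitively; the "default password"
# rule cannot be scripted here because the defaults are not known to the script.
#
# elap_password_check <password> <account name>
# Prints one line per violated rule; exit status is the number of violations (0 = acceptable).
elap_password_check() {
    printf '%s\n%s\n' "$1" "$2" | awk '
    function reverse(s,    i, r) { for (i = length(s); i > 0; i--) r = r substr(s, i, 1); return r }
    NR == 1 { pw = $0; next }
    NR == 2 { user = $0 }
    END {
        bad = 0
        if (length(pw) < 8)   { print "shorter than 8 characters"; bad++ }
        if (pw !~ /[A-Za-z]/) { print "no alphabetic character";   bad++ }
        if (pw !~ /[0-9]/)    { print "no numeric character";      bad++ }
        if (pw !~ /[?.!,;]/)  { print "none of ? . ! , ;";         bad++ }
        lpw = tolower(pw); luser = tolower(user)
        if (luser != "" && (index(lpw, luser) || index(lpw, reverse(luser)))) {
            print "contains the account name or its reverse"; bad++
        }
        digits = "0123456789"; letters = "abcdefghijklmnopqrstuvwxyz"
        for (i = 1; i <= length(lpw) - 2; i++) {
            c1 = substr(lpw, i, 1); c2 = substr(lpw, i + 1, 1); c3 = substr(lpw, i + 2, 1)
            if (c1 !~ /[0-9a-z]/) continue          # runs and sequences only count for alphanumerics
            if (c1 == c2 && c2 == c3) run = 1
            tbl = index(digits, c1) ? digits : letters   # "789" and "xyz" count, "9ab" does not
            p1 = index(tbl, c1); p2 = index(tbl, c2); p3 = index(tbl, c3)
            if (p2 && p3 && ((p2 == p1 + 1 && p3 == p2 + 1) || (p2 == p1 - 1 && p3 == p2 - 1))) seq = 1
        }
        if (run) { print "three identical alphanumeric characters in a row"; bad++ }
        if (seq) { print "three consecutive ascending or descending alphanumeric characters"; bad++ }
        exit bad
    }'
}

# Constructed samples: the first satisfies every rule, each of the others breaks one.
for sample in "Tk.Lnp2024!" "abc.2024" "Lnp.1112024" "uiadmin?2024" "Elap2024" "Tsr.q2024"; do
    if out=$(elap_password_check "$sample" uiadmin); then
        echo "accept  $sample"
    else
        echo "reject  $sample: $(printf '%s' "$out" | tr '\n' ';')"
    fi
done
```

The function prints one line per violated rule and returns the number of violations as its exit status, so it can be used directly in an if statement or in a provisioning script that creates UI accounts.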
The system administrator can change password-related default settings, such as maximum password age and password reuse limit. For information, see Modifying System Defaults.
Changing Default Passwords
As a security measure, the passwords for the default ELAP UI users (for example, uiadmin) and operating system users (for example, root) must be changed from their default values to user-defined values. For more information, see Secure Turnover to Customer.
Changing User Passwords
The Change Password screen available from the ELAP GUI main menu provides all ELAP users with the capability to change their password. To change the password, the current password must be entered, then the new password is entered. The new password is confirmed by retyping the new password and clicking the Set Password button.
Password Change for System Users
The elapdev and appuser users change their passwords with the passwd command provided by the operating system. When a password is changed with passwd, the Linux PAM credit rules are enforced.
The system user elapconfig uses the option provided in the ELAP Configuration Menu. Linux PAM rules are not applicable while changing the password for the elapconfig user. Only the configured minimum password length applies.
Note:
If the password for the appuser or elapconfig user is changed by the root user, the appuser or elapconfig user will be prompted to change the password again.
Resetting a User Password
The password reset screen, reached from the Users menu, enables the system administrator to select a username and change the associated password.
3.4 Modifying System Defaults
The Modify System Defaults screen enables the administrator to manage system defaults. The following are examples of the system defaults that you can modify from this screen:
- Maximum failed user login attempts before disabling a user account
- Maximum number of days that a user account can be inactive until it is automatically disabled
- Maximum number of days before a user password must be changed
- Number of unique passwords required before a previously used password can be reused
For a complete list and more information, see Modify System Defaults under User Administration Menu in Administration and LNP Feature Activation Guide.
3.5 Authorized IP Addresses
ELAP security functions can limit access to the ELAP GUI to specific IP addresses. The allowed IP addresses are kept in an ELAP list that can be added to, deleted from, and retrieved only by an authorized user. These functions also allow an authorized user to toggle authorized IP address checking on or off from the GUI; while checking is off, the list is not enforced. The Authorized IP Address menu enables you to add, remove, and list authorized UI IP addresses, and to change the UI IP address authorization status.
For more information, see ELAP Security Functions and Authorized IP Address Menu under User Administration Menu in Administration and LNP Feature Activation Guide.
3.6 Secure File Transfer Protocol
The ELAP supports FTP over SSL/TLS (FTPS) sessions with external servers for the transfer of various files from the ELAP. The authentication process requires a self-signed digital certificate (user name and password only) for authenticating the sessions. The transfer of files is initiated from the external server.
3.7 Installing an SSL Certificate For a Provisionable Interface With Customized Parameters
Perform the following steps to install a certificate with customized parameters:
- Log in to ELAP as admusr.
- Generate a private key and self-signed certificate on the ELAP A server (this overwrites the existing server.key and server.crt):
sudo /usr/bin/openssl req -x509 -sha<SHA hash, for example 256> -nodes -days <number of days the certificate is valid before it expires> -subj "/CN=<ELAP A GUI IPv4 address>" -newkey rsa:<RSA key size in bits, for example 2048> -keyout /usr/TKLC/plat/etc/ssl/server.key -out /usr/TKLC/plat/etc/ssl/server.crt
- Generate the key and certificate on the ELAP B server in the same way, with the ELAP B GUI IPv4 address as the CN.
- Restart the httpd service on both the ELAP A and B servers by using the following commands:
[admusr@mps-A ~]$ sudo service httpd restart
[admusr@mps-B ~]$ sudo service httpd restart
- Open the ELAP A and B GUIs using HTTPS and install the SSL certificates. Use the following URLs to open the ELAP A and ELAP B GUIs by IP address:
https://<ELAP A GUI IP>
https://<ELAP B GUI IP>
- Verify that the certificates installed successfully and that the ELAP A and B GUIs open successfully.
- If the ELAP GUI does not open, follow these steps on the ELAP A and B servers to reconfigure the network through the elapconfig menu. This re-installs the SSL certificates with the default parameters.
[admusr@mps-A ~]$ sudo su - elapconfig
- Enter choice 2 to access the Configure Network Interfaces Menu:
/-------ELAP Configuration Menu--------\
/----------------------------------------\
| 1 | Display Configuration             |
|----|-----------------------------------|
| 2 | Configure Network Interfaces Menu |
|----|-----------------------------------|
| 3 | Set Time Zone                     |
|----|-----------------------------------|
| 4 | Exchange Secure Shell Keys        |
|----|-----------------------------------|
| 5 | Change Password                   |
|----|-----------------------------------|
| 6 | Platform Menu                     |
|----|-----------------------------------|
| 7 | Configure NTP Server              |
|----|-----------------------------------|
| 8 | Mate Disaster Recovery            |
|----|-----------------------------------|
| e | Exit                              |
\----------------------------------------/
Enter Choice: 2
- Enter choice 1 to Configure Provisioning Network:
/----Configure Network Interfaces Menu--\
/----------------------------------------\
| 1 | Configure Provisioning Network    |
|----|-----------------------------------|
| 2 | Configure DSM Network             |
|----|-----------------------------------|
| 3 | Configure Forwarded Ports         |
|----|-----------------------------------|
| 4 | Configure Status NAT Addresses    |
|----|-----------------------------------|
| e | Exit                              |
\----------------------------------------/
Enter Choice: 1
ELAP software is running. Stop it? [N]: Y
ELAP A provisioning network IP Address [10.75.141.47]:
ELAP B provisioning network IP Address [10.75.141.48]:
ELAP provisioning network netmask [255.255.255.128]:
ELAP provisioning network default router [10.75.141.1]:
ELAP local provisioning Virtual IP Address [10.75.141.49]:
- Press Enter at each prompt to reconfigure the network with the same configuration.
- Contact My Oracle Support to re-run the procedure.
- Copy the key and certificate files for the tpdProvd process, which listens on port 20000 and expects the key as server.pem and the certificate as server.cert (the ssl directory is owned by root, so run the copies with sudo):
sudo cp /usr/TKLC/plat/etc/ssl/server.key /usr/TKLC/plat/etc/ssl/server.pem
sudo cp /usr/TKLC/plat/etc/ssl/server.crt /usr/TKLC/plat/etc/ssl/server.cert
- Restart the tpdProvd process by killing the existing process and letting it restart automatically:
ps -eaf | grep tpdProvd
Output:
tpdProvd 13468 1 0 03:42 ? 00:00:04 /usr/TKLC/plat/bin/tpdProvd
sudo kill -9 <pid>
Example:
sudo kill -9 13468
Run ps again to check that the process has restarted with a new PID:
ps -eaf | grep tpdProvd
Output:
tpdProvd 9090 1 3 04:09 ? 00:00:00 /usr/TKLC/plat/bin/tpdProvd
- Repeat the previous two steps (copying the files and restarting tpdProvd) on the ELAP B server as well.
3.8 Installing an SSL Certificate For a Provisionable Interface From a Trusted Certificate Authority
Perform the following steps to install an SSL certificate from a trusted Certificate Authority (CA):
- Log in as the admusr user on both the ELAP A and B servers, create a new certificate directory (/var/TKLC/elap/free/certificate), set permissions on the new directory, and change to it. The directory is a scratch area for key generation only; chmod 777 makes it world-writable, so remove it (or tighten its mode) once the files have been copied into /usr/TKLC/plat/etc/ssl.
[admusr@mps-A ~]$ pwd
/home/admusr
[admusr@mps-A ~]$ sudo mkdir /var/TKLC/elap/free/certificate
[admusr@mps-A ~]$ sudo chmod 777 /var/TKLC/elap/free/certificate
[admusr@mps-A ~]$ cd /var/TKLC/elap/free/certificate
- Generate a certificate signing request (CSR) and private key for the ELAP A server with the following command, run from the certificate directory. The request is created with -new, not -x509: -x509 would produce a self-signed certificate instead of a request, which the CA would reject. The validity period is set by the CA when it signs the request, so -days is not needed here.
sudo /usr/bin/openssl req -new -sha<SHA hash, for example 256> -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/OU=Example Org Unit/CN=<ELAP GUI IPv4 address, e.g. 1.1.1.1>/emailAddress=xxx@yyy.com"
The command generates the following files on the ELAP A server:
[admusr@mps-A certificate]$ ls -lrt
-rw-r----- 1 root root 1679 Jul 13 11:08 server.key
-rw-r----- 1 root root 968 Jul 13 11:08 server.csr
- Generate the CSR and private key for the ELAP B server in the same way, using the file name serverB.csr for ELAP B.
The following files are generated on the ELAP B server:
[admusr@mps-B certificate]$ ls -lrt
-rw-r----- 1 root root 1679 Jul 13 11:02 server.key
-rw-r----- 1 root root 968 Jul 13 11:02 serverB.csr
- Send the generated CSR files (server.csr and serverB.csr) to the CA. The CA will provide signed certificate (server.crt and serverB.crt) files in return.
- Copy the appropriate files to the ssl directory, renaming on the B server as needed:
  - On the ELAP A server, copy the two files generated by the openssl command (server.key and server.csr) and the file provided by the CA for the ELAP A server (server.crt) to the /usr/TKLC/plat/etc/ssl directory.
  - On the ELAP B server, copy the two files generated by the openssl command (server.key and serverB.csr) and the file provided by the CA for the ELAP B server (serverB.crt) to the /usr/TKLC/plat/etc/ssl directory.
  - After copying serverB.crt to the /usr/TKLC/plat/etc/ssl directory on the ELAP B server, rename it to server.crt.
- Restart the httpd service on both the ELAP A and B servers by using the following commands:
[admusr@mps-A certificate]$ sudo service httpd restart
[admusr@mps-B certificate]$ sudo service httpd restart
- Open the ELAP A and B GUIs using HTTPS and install the SSL certificate. Use the following URLs to open the ELAP A and B GUIs:
https://<ELAP A GUI IP>
https://<ELAP B GUI IP>
- Verify that the ELAP A and B GUIs open successfully with the installed certificate.
- If the ELAP GUI does not open, follow these steps on the ELAP A and B servers:
  - Open the /etc/httpd/conf.d/ssl.conf file:
[admusr@mps-A certificate]$ sudo vi /etc/httpd/conf.d/ssl.conf
  - Edit /etc/httpd/conf.d/ssl.conf and un-comment the appropriate directives:
    - If the CA provides ca.crt (CA intermediate certificate), change from:
#SSLCertificateChainFile /etc/httpd/conf/ssllcrt/ca.crt
to:
SSLCertificateChainFile /etc/httpd/conf/ssllcrt/ca.crt
    - If the CA provides CA certificate(s), change from:
#SSLCACertificatePath /etc/httpd/conf/ca-cert
#SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
to:
SSLCACertificatePath /etc/httpd/conf/ca-cert
SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
  - Make sure that these files (CA certs) are copied to the paths named in /etc/httpd/conf.d/ssl.conf on both servers. On Apache httpd 2.4.8 and later SSLCertificateChainFile is deprecated; there the intermediate certificate is appended to the file named by SSLCertificateFile instead. Checking the edited configuration with apachectl configtest before restarting avoids taking the GUI down with a typo.
  - Restart the httpd service using the following command on both servers:
[admusr@mps-A certificate]$ sudo service httpd restart
[admusr@mps-B certificate]$ sudo service httpd restart
  - Verify that the ELAP A and B GUIs open successfully.
- Copy the key and certificate files for the tpdProvd process, which listens on port 20000 and expects the key as server.pem and the certificate as server.cert (the ssl directory is owned by root, so run the copies with sudo):
sudo cp /usr/TKLC/plat/etc/ssl/server.key /usr/TKLC/plat/etc/ssl/server.pem
sudo cp /usr/TKLC/plat/etc/ssl/server.crt /usr/TKLC/plat/etc/ssl/server.cert
- Restart the tpdProvd process by killing the existing process and letting it restart automatically:
ps -eaf | grep tpdProvd
Output:
tpdProvd 13468 1 0 03:42 ? 00:00:04 /usr/TKLC/plat/bin/tpdProvd
sudo kill -9 <pid>
Example:
sudo kill -9 13468
Run ps again to check that the process has restarted with a new PID:
ps -eaf | grep tpdProvd
Output:
tpdProvd 9090 1 3 04:09 ? 00:00:00 /usr/TKLC/plat/bin/tpdProvd
- Repeat the previous two steps (copying the files and restarting tpdProvd) on the ELAP B server as well.
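The following script is an added example, not part of the ELAP guide or of Oracle's software. It runs the openssl steps of section 3.7 (self-signed certificate with customized parameters) and section 3.8 (key and CSR for a trusted CA) with concrete values, then performs the checks worth doing before anything is copied into /usr/TKLC/plat/etc/ssl: that key, CSR and certificate carry the same public key, that the certificate has not expired, that the subject CN is the address the browser will dial, and that the CA-issued certificate verifies against the CA file that ssl.conf will point to. Sections 3.9 and 3.10 use the same commands with the VIP address and the server_vip file names. Everything here is an assumption of the example rather than the guide: the function names, the sample addresses (taken from the elapconfig screen), SHA-256 and 2048-bit RSA as the chosen parameters, OpenSSL 1.0.2 or later on the PATH, and an "Example Test CA" created at the end that stands in for the real CA only so the chain check has something to verify. The script works in a temporary directory and never touches the ELAP ssl directory. One addition beyond the guide's command: the GUI address is also placed in a subjectAltName extension through a small config file, because current browsers match the address against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not from the ELAP guide: section 3.7 / 3.8 key material with
# concrete parameters, plus the checks to run before copying files into
# /usr/TKLC/plat/etc/ssl. Everything is written under $WORK (a temp dir).
WORK=${WORK:-$(mktemp -d)}

# Minimal OpenSSL config for a GUI server certificate, so the result does not
# depend on the host's openssl.cnf. The address goes into subjectAltName as well
# as the CN, because browsers match on the SAN. $1 = GUI IPv4 address.
gui_conf() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n[gui]\n'
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = IP:%s\n' "$1"
}

# Section 3.7: private key plus self-signed certificate.
# make_self_signed <GUI IP> <days> <RSA bits> <output prefix>
make_self_signed() {
    gui_conf "$1" > "$4.cnf"
    openssl req -x509 -sha256 -nodes -days "$2" -newkey "rsa:$3" -subj "/CN=$1" \
        -config "$4.cnf" -extensions gui -keyout "$4.key" -out "$4.crt" 2>/dev/null
}

# Section 3.8: private key plus CSR for the trusted CA. "req -new", not
# "req -x509": -x509 emits a self-signed certificate instead of a request.
# make_csr <GUI IP> <RSA bits> <subject prefix such as /C=US/O=Example> <output prefix>
make_csr() {
    gui_conf "$1" > "$4.cnf"
    openssl req -new -sha256 -nodes -newkey "rsa:$2" -subj "$3/CN=$1" \
        -config "$4.cnf" -reqexts gui -keyout "$4.key" -out "$4.csr" 2>/dev/null
}

# SHA-256 of the DER-encoded public key held in a key, certificate or CSR.
# pubkey_fp <key|crt|csr> <file>
pubkey_fp() {
    case $1 in
        key) openssl pkey -in "$2" -pubout -outform DER ;;
        crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        csr) openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= *//'
}

# same_pubkey <type> <file> <type> <file>: true when both carry the same public
# key. A CA-issued server.crt that fails this against server.key will stop httpd
# from starting, so check before copying anything into place.
same_pubkey() {
    a=$(pubkey_fp "$1" "$2"); b=$(pubkey_fp "$3" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Subject CN of a certificate; copes with both "subject= /CN=x" and "subject=CN = x".
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -e 's|.*CN *= *||' -e 's|[,/].*||'
}

# True when the certificate has not expired (-checkend 0 = "valid right now").
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# chain_ok <CA file> <cert>: the check to run on the CA-issued certificate before
# pointing SSLCertificateChainFile / SSLCACertificateFile at the CA files.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ---- demonstration on constructed data (sample addresses from the elapconfig screen) ----
cd "$WORK" || exit 1
make_self_signed 10.75.141.47 365 2048 server   # ELAP A, section 3.7 style
make_csr 10.75.141.48 2048 "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/OU=Example Org Unit" serverB   # ELAP B, section 3.8 style

# Test-only stand-in for the trusted CA (in production serverB.csr goes to the CA
# and serverB.crt comes back); CA:TRUE is set explicitly so openssl verify accepts it.
printf '[req]\ndistinguished_name = dn\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > ca.cnf
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/CN=Example Test CA" \
    -config ca.cnf -extensions ca -keyout ca.key -out ca.crt 2>/dev/null
openssl x509 -req -in serverB.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -sha256 \
    -extfile serverB.cnf -extensions gui -out serverB.crt 2>/dev/null

for check in "same_pubkey key server.key crt server.crt" \
             "same_pubkey key serverB.key csr serverB.csr" \
             "same_pubkey key serverB.key crt serverB.crt" \
             "cert_not_expired server.crt" \
             "chain_ok ca.crt serverB.crt"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
echo "server.crt CN = $(cert_cn server.crt)"
```

On a real ELAP the same checks apply to the files the CA returns: run same_pubkey against the server.key that produced the CSR and chain_ok against the ca.crt or bundle you are about to name in ssl.conf, and only then copy the files into /usr/TKLC/plat/etc/ssl and restart httpd and tpdProvd.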
3.9 Installing an SSL Certificate For a VIP With Customized Parameters
Perform the following steps to install an SSL certificate for a Virtual IP (VIP) with customized parameters:
- Log in to ELAP A as admusr.
- Switch to the root user (su -) and change the directory to /usr/TKLC/plat/etc/ssl/.
- List the existing VIP key and certificate files in /usr/TKLC/plat/etc/ssl/. Sample output:
[root@Natal-a ssl]# ls -ltrh server_vip*
-rw-r----- 1 root elap 1.7K Jul 15 04:27 server_vip.key
-rw-r----- 1 root elap 1.1K Jul 15 04:27 server_vip.crt
The certificate file server_vip.crt is present in the directory /usr/TKLC/plat/etc/ssl/. Exit from the root user and continue with the next step to generate the new certificate.
- Generate a private key and self-signed certificate for the VIP on the ELAP A server, with the hash, validity period and key size you have chosen (this overwrites server_vip.key and server_vip.crt):
sudo /usr/bin/openssl req -x509 -sha<SHA hash, for example 256> -nodes -days <number of days the certificate is valid before it expires> -subj "/CN=<ELAP A VIP IPv4 address>" -newkey rsa:<RSA key size in bits, for example 2048> -keyout /usr/TKLC/plat/etc/ssl/server_vip.key -out /usr/TKLC/plat/etc/ssl/server_vip.crt
- Generate the VIP key and certificate on the ELAP B server in the same way.
- Restart the httpd service on both the ELAP A and B servers by using the following commands:
[admusr@mps-A ~]$ sudo service httpd restart
[admusr@mps-B ~]$ sudo service httpd restart
- Open the GUI using the VIP IPv4 address over HTTPS and install the SSL certificate, using the following URL:
https://<ELAP A VIP IP>
- Verify that the certificate installed successfully and that the GUI opened successfully.
- If the ELAP GUI does not open on the ELAP A server, follow these steps to reconfigure the VIP IP addresses on ELAP through the elapconfig menu. This re-installs the SSL certificates with the default parameters:
[admusr@mps-A ~]$ sudo su - elapconfig
- Enter choice 2 to access the Configure Network Interfaces Menu:
/-------ELAP Configuration Menu--------\
/----------------------------------------\
| 1 | Display Configuration             |
|----|-----------------------------------|
| 2 | Configure Network Interfaces Menu |
|----|-----------------------------------|
| 3 | Set Time Zone                     |
|----|-----------------------------------|
| 4 | Exchange Secure Shell Keys        |
|----|-----------------------------------|
| 5 | Change Password                   |
|----|-----------------------------------|
| 6 | Platform Menu                     |
|----|-----------------------------------|
| 7 | Configure NTP Server              |
|----|-----------------------------------|
| 8 | Mate Disaster Recovery            |
|----|-----------------------------------|
| e | Exit                              |
\----------------------------------------/
Enter Choice: 2
- Enter choice 1 to Configure Provisioning Network:
/----Configure Network Interfaces Menu--\
/----------------------------------------\
| 1 | Configure Provisioning Network    |
|----|-----------------------------------|
| 2 | Configure DSM Network             |
|----|-----------------------------------|
| 3 | Configure Forwarded Ports         |
|----|-----------------------------------|
| 4 | Configure Status NAT Addresses    |
|----|-----------------------------------|
| e | Exit                              |
\----------------------------------------/
Enter Choice: 1
ELAP software is running. Stop it? [N]: Y
ELAP A provisioning network IP Address [10.75.141.47]:
ELAP B provisioning network IP Address [10.75.141.48]:
ELAP provisioning network netmask [255.255.255.128]:
ELAP provisioning network default router [10.75.141.1]:
ELAP local provisioning Virtual IP Address [10.75.141.49]:
- Press Enter at each prompt to reconfigure the network with the same configuration.
- Contact My Oracle Support to re-run the procedure.
3.10 Installing an SSL Certificate For a VIP From a Trusted Certificate Authority
Perform the following steps to install an SSL certificate for a Virtual IP (VIP) from a trusted Certificate Authority (CA):
- Log in as the admusr user on both the ELAP A and B servers, create a new certificate directory (/var/TKLC/elap/free/certificate), set permissions on the new directory, and change to it. As in 3.8, the directory is only a scratch area for key generation; chmod 777 makes it world-writable, so remove it (or tighten its mode) once the files have been copied into /usr/TKLC/plat/etc/ssl.
[admusr@mps-A ~]$ pwd
/home/admusr
[admusr@mps-A ~]$ sudo mkdir /var/TKLC/elap/free/certificate
[admusr@mps-A ~]$ sudo chmod 777 /var/TKLC/elap/free/certificate
[admusr@mps-A ~]$ cd /var/TKLC/elap/free/certificate
- When the ELAP is configured for IPv4, log in to ELAP A as admusr.
- Switch to the root user (su -).
- Change the directory to /usr/TKLC/plat/etc/ssl/.
- List the existing VIP key and certificate files in /usr/TKLC/plat/etc/ssl/. Sample output:
[root@Natal-a ssl]# ls -ltrh server_vip*
-rw-r----- 1 root elap 1.7K Jul 15 04:27 server_vip.key
-rw-r----- 1 root elap 1.1K Jul 15 04:27 server_vip.crt
The certificate file server_vip_v4.crt is present in the directory /usr/TKLC/plat/etc/ssl/. Exit from the root user and continue with the next step to generate the signing request.
- Generate a certificate signing request (CSR) and private key for the ELAP A server with the following command, run from within the certificate directory. Because the VIP is configured for IPv4, the certificate returned by the CA is server_vip_v4.crt. As in 3.8, the request is created with -new, not -x509, and the validity period is left to the CA. Enter the following command on the ELAP A server:
sudo /usr/bin/openssl req -new -sha<SHA hash, for example 256> -nodes -newkey rsa:2048 -keyout server_vip.key -out server_vip.csr -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/OU=Example Org Unit/CN=<ELAP VIP IPv4 address>/emailAddress=xxx@yyy.com"
Note:
The -subj option in the preceding command has example fields, which must be replaced with your organization-specific information. The /C field is your country, /ST is the state, /L is the location, /O is the organization, /OU is the organizational unit, and /CN is the common name, which is the IP address or fully-qualified domain name that you want to use with your certificate.
The command generates the following files on the ELAP A server:
[admusr@mps-A certificate]$ ls -lrt
-rw-r----- 1 root root 1679 Jul 15 11:08 server_vip.key
-rw-r----- 1 root root 968 Jul 15 11:08 server_vip.csr
- Generate the CSR and private key for the ELAP B server in the same way, using the file name serverB_vip.csr for ELAP B.
The command generates the following files on the ELAP B server:
[admusr@mps-B certificate]$ ls -lrt
-rw-r--r-- 1 root root 1679 May 21 11:02 server_vip_v4.key
-rw-r--r-- 1 root root 968 May 21 11:02 serverB_vip_v4.csr
- Send the generated CSR files (server_vip.csr for ELAP A and serverB_vip.csr for ELAP B) to the CA. The CA provides the signed certificate files in return.
- Copy the appropriate files to the ssl directory, renaming as needed:
  - On the ELAP A server, copy the two files generated by the openssl command (server_vip.key and server_vip.csr) and the file provided by the CA (server_vip_v4.crt) to the /usr/TKLC/plat/etc/ssl directory.
  - On the ELAP B server, copy the two files generated by the openssl command (server_vip.key and serverB_vip.csr) and the file provided by the CA for the ELAP B server (serverB_vip_v4.crt) to the /usr/TKLC/plat/etc/ssl directory.
  - After copying serverB_vip.crt to the /usr/TKLC/plat/etc/ssl directory on the ELAP B server, rename it to server_vip.crt.
- Restart the httpd service on both the ELAP A and B servers by using the following commands:
[admusr@mps-A certificate]$ sudo service httpd restart
[admusr@mps-B certificate]$ sudo service httpd restart
- Open the GUI using the VIP IPv4 address over HTTPS and install the SSL certificate, using the following URL:
https://<ELAP VIP IP>
- Verify that the certificate installed successfully and that the GUI opened successfully.
- If the ELAP GUI does not open, follow these steps on the ELAP A and B servers:
  - Open the /etc/httpd/conf.d/ssl.conf file:
[admusr@mps-A certificate]$ sudo vi /etc/httpd/conf.d/ssl.conf
  - Edit /etc/httpd/conf.d/ssl.conf and un-comment the appropriate directives:
    - If the CA provides ca.crt (CA intermediate certificate), change from:
#SSLCertificateChainFile /etc/httpd/conf/ssllcrt/ca.crt
to:
SSLCertificateChainFile /etc/httpd/conf/ssllcrt/ca.crt
    - If the CA provides CA certificate(s), change from:
#SSLCACertificatePath /etc/httpd/conf/ca-cert
#SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
to:
SSLCACertificatePath /etc/httpd/conf/ca-cert
SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
  - Make sure that these files (CA certs) are copied to the paths named in /etc/httpd/conf.d/ssl.conf on both servers. On Apache httpd 2.4.8 and later SSLCertificateChainFile is deprecated; there the intermediate certificate is appended to the file named by SSLCertificateFile instead. Checking the edited configuration with apachectl configtest before restarting avoids taking the GUI down with a typo.
  - Restart the httpd service using the following command on both servers:
[admusr@mps-A certificate]$ sudo service httpd restart
[admusr@mps-B certificate]$ sudo service httpd restart
  - Verify that the ELAP A and B GUIs open successfully.