manualshive.com logo in svg

Avaya 3050-VM, User Manual, Page: 243 / 274

Share
Download
Avaya 3050-VM User Manual Download Page 243

Appendix G: SSH host keys

SSH host keys serve much the same purpose as server certificates in SSL/TLS, i.e. they primarily allow

clients to authenticate the server, protecting against e.g. "man in the middle" attacks. As with certificates,

public/private key pairs are used. Unlike certificates, there is no public key infrastructure and no certificate

authorities for the SSH host keys.

Instead, the security of SSH sessions depends on SSH clients keeping track of the public keys that should

be used to authenticate different SSH server hosts, not silently accepting new keys from previously

unknown server hosts, and refusing or at least strongly warning the user from proceeding with the

connection if there is a key mismatch.

Methods for Protection

In many environments, it may be reasonable for a SSH client user to simply accept the key

from a previously unknown remote server host when prompted by the client, but to achieve

strict protection against a "man in the middle" attack against this very first connection, one of

these methods can be used:

• Verifying the "fingerprint" (as displayed by the client) of the new remote host key by some

out-of-band means (e.g. verbal communication with the server administrator).

OR

• Pre-installing the remote host key (previously transferred by some out-of-band means) in

the client's key storage, i.e. effectively making the remote host known even before the

first connection.

The server administrator also needs to be able to generate new keys (e.g. at initial

configuration, or in case the old ones are believed to be compromised), and the client user

needs to be able to remove remote host keys that are no longer valid from the client's key

storage (e.g. due to the server administrator having generated new keys).

The VPN Gateway

The VPN Gateway can act both as SSH server (when a user connects to the CLI using a SSH

client) and as SSH client (when file or data transfers are initiated from the VPN Gateway using

the SCP or SFTP protocols). The 

generate

 and 

show

 commands in the 

/cfg/sys/adm/

sshkeys

 menu concern the former case, while the

knownhosts

User Guide

April 2013     243

Summary of Contents for 3050-VM

Page 1: ...User Guide Avaya VPN Gateway Release 9 0 NN46120 104 Issue 04 04 April 2013 ...

Page 2: ...he applicable license will be a Designated System License The applicable number of licenses and units of capacity for which the license is granted will be one 1 unless a different number of licenses or units of capacity is specified in the documentation or other materials available to you Designated Processor means a single stand alone computing device Server means a Designated Processor that host...

Page 3: ... behalf Be aware that there can be a risk of Toll Fraud associated with your system and that if Toll Fraud occurs it can result in substantial additional charges for your telecommunications services Avaya Toll Fraud intervention If you suspect that you are being victimized by Toll Fraud and you need technical assistance or support call Technical Service Center Toll Fraud Intervention Hotline at 1 ...

Page 4: ...4 User Guide April 2013 Comments infodev avaya com ...

Page 5: ...sec 18 Java RDP upgrade support 18 Net Direct Mac OS X support 18 Secure Portable Office SPO support 18 Other changes 19 Chapter 3 Introducing the VPN Gateway 21 SSL Acceleration 21 VPN 21 Software Features 22 Web Portal 22 Transparent Mode Access 23 Bandwidth Management 23 User Authentication 23 User Authorization 24 Client Security 24 Accounting and Auditing 24 Networking 25 Secure Service Parti...

Page 6: ...er IP Address RIP 39 Ports 39 Interfaces 40 One Armed Configuration 40 Two Armed Configuration 40 Configuration at Boot Up 41 The Setup Menu 41 Installing an AVG in a New Cluster 42 Setting Up a One Armed Configuration 42 Setting Up a Two Armed Configuration 44 Complete the New Setup 46 Settings Created by the VPN Quick Setup Wizard 49 Joining a VPN Gateway to an Existing Cluster 51 Setting up a O...

Page 7: ...of Client Certificates 108 Revoking Client Certificates Issued by an External CA 108 Revoking Client Certificates Issued within your Own Organization 109 Creating Your Own Certificate Revocation List 111 Automatic CRL Retrieval 112 Client certificate support 115 Signing CSRs 116 Generate Test Certificate 117 General Commands 118 Show Certificate Information 118 Show Subject Information 118 Check i...

Page 8: ...sword 137 An ASA 310 FIPS Stops Processing Traffic 137 Resetting HSM Cards on the ASA 310 FIPS 139 An ASA 310 FIPS Cluster Must be Reconstructed onto New Devices 141 A User Fails to Connect to the VPN 144 aaa 145 dns 146 ike 146 ipsec 147 ippool 147 ssl 148 tg 148 upref 148 smb 149 ftp 149 netdirect 150 netdirect_packet 150 User Unable to Connect to the VPN Gateway through the Net Direct Client 15...

Page 9: ...g Messages 171 Operating System OS Messages 171 System Control Process Messages 173 Traffic Processing Messages 176 Startup Messages 181 Configuration Reload Messages 182 AAA Subsystem Messages 183 IPsec Subsystem Messages 185 Syslog Messages in Alphabetical Order 189 Appendix D License Information 213 Appendix E HSM Security Policy 219 Rainbow Technologies CryptoSwift HSM Cryptographic Accelerato...

Page 10: ... 5 Key Destruction 235 10 6 Key Archiving 235 11 0 Modes 236 11 1 FIPS 140 1 Mode 236 11 2 Non FIPS 140 1 Mode 236 12 0 Self Tests 236 13 0 Conclusion 237 Appendix F Definition of Key Codes 239 Syntax Description 239 Allowed Special Characters 239 Redefinable Keys 240 Example of a Key Code Definition File 241 Appendix G SSH host keys 243 Methods for Protection 243 The VPN Gateway 243 Appendix H Ad...

Page 11: ...pendix I Using the Port Forwarder API 255 General 255 Creating a Port Forwarder 255 Demo Application 256 Creating a Port Forwarder Authenticator 258 Adding a Port Forwarder Logger 260 Connecting Through a Proxy 262 Monitoring the Port Forwarder 263 Status 263 Statistics 264 Glossary 267 User Guide April 2013 11 ...

Page 12: ...12 User Guide April 2013 ...

Page 13: ...re Socket Layer SSL Acceleration through the CLI Avaya VPN Gateway CLI Application Guide NN46120 101 Provides examples on how to configure VPN deployment through the CLI Avaya VPN Gateway BBI Application Guide NN46120 102 Provides examples on how to configure VPN deployment through the Browser Based Interface BBI Avaya VPN Gateway User Guide NN46120 104 Describes the initial setup procedure upgrad...

Page 14: ...reted as applying to the preceding hardware models Note Manufacturing of the Avaya SSL Accelerator formerly Alteon SSL Accelerator has been discontinued How This Book Is Organized The chapters in this book are organized as follows Users Guide Introducing the VPN Gateway on page 21 provides an overview of the major features of the VPN Gateway including its physical layout and the basic concepts of ...

Page 15: ...sages on page 171 contains a list of all syslog messages that can be sent to a syslog server that is added to the AVG system configuration License Information on page 213 provides licensing information for the software used in this product HSM Security Policy on page 219 provides detailed information about the security policy of the CryptoSwift HSM card that comes installed in the ASA 310 FIPS Def...

Page 16: ...upport From this Web site you can locate the Training contacts link on the left hand navigation pane Getting help from a distributor or reseller If you purchased a service contract for your Avaya product from a distributor or authorized reseller contact the technical support staff for that distributor or reseller for assistance Getting technical documentation To download and print selected technic...

Page 17: ...r to represent what user has and using other authentication methods as second factor what user knows Configuring a new certificate authentication server automatically supports IPsec Two Factor authentication IPsec Two Factor authentication supports only certificate authentication as primary servers and local RADIUS or LDAP as secondary servers IPsec Two Factor authentication is added to the User A...

Page 18: ...the two versions of SPO Avaya Basic contains basic software with Avaya 2050 IP Softphone and JRE 7 Avaya Contact Center ACC contains all the applications and software of Avaya Basic with the addition of Avaya Contact Center Express Desktop 5 0 and Avaya One X Client Both SPO version Basic and ACC use security restrictions on Ceedo environment Next host resources are blocked inside Ceedo Access to ...

Page 19: ...es that are not feature related Please note while the Avaya Endpoint Access Control Agent formerly Tunnel Guard can be configured through both the BBI and CLI the CLI configuration is performed under the former Tunnel Guard context Other changes User Guide April 2013 19 ...

Page 20: ...New in this release 20 User Guide April 2013 Comments infodev avaya com ...

Page 21: ...floads SSL encryption decryption functions from back end servers For examples on how to configure the VPN Gateway for SSL Acceleration see the Avaya Application Guide for SSL Acceleration For more information about the basic operations of the VPN Gateway see the Public Key Infrastructure and SSL chapter in the Avaya Application Guide for SSL Acceleration VPN The VPN feature supports remote access ...

Page 22: ...ed tab Support for handling plugins Flash and Java applets using HTTP proxy Java applet available on the Portal s Advanced tab Support for application tunneling port forwarding through SOCKS encapsulated in SSL available on the Portal s Advanced tab API provided for developing a custom application that automatically logs in the user to the desired VPN and executes a previously configured port forw...

Page 23: ...specific users or groups The bandwidth policies take lower and upper bound The lower bound soft limit is guaranteed and the upper bound hard limit is available according to the requirement The BWM provides bandwidth policy management for user traffic and IPsec Passthrough For more information about configuration see Avaya VPN Gateway CLI Application Guide NN46120 101 User Authentication User authe...

Page 24: ...t Feature for checking the security aspects of the remote PC client that is installed antivirus software DLLs executables and so on WholeSecurity support Lets you enable a scan of the client PC before the remote user is allowed to log in to the VPN User session auto logoff Cache and browser history automatically cleared only for Internet Explorer Accounting and Auditing Support for logging user se...

Page 25: ...inding Each VPN is bound to a private IP interface VLAN tagging can be used when private IP address spaces overlap Private network authentication Existing authentication servers within the customer s private network can be used Access control Unique access rules can be specified for each user group in the various VPNs Private network name resolution If desired private network DNS servers can be ma...

Page 26: ...lication Switch Supports accelerated SSL processing by offloading SSL encryption and decryption from backend servers Supports load balancing of encrypted and unencrypted traffic for up to 256 backend servers with health checking and persistent client connections Ability to create multiple clusters of VPN Gateways each capable of serving its own group of real servers Supports rewriting of client re...

Page 27: ...and can accept configuration changes Certificate and Key Management Server and client authentication Generation and revocation of client certificates Automatic retrieval of certificate revocation lists CRLs Validation of private keys and certificates Generation of certificate signing requests CSRs Generation of self signed certificates Public Key Infrastructure RSA pair key generation Server certi...

Page 28: ...administrator users including console access Statistics Statistics can be viewed per access method SSL or IPsec for the whole cluster as well as for specific VPN Gateways SSL servers and VPNs Support for histograms for example to measure transactions per second TPS and throughput Virtual Desktop Symantec On Demand Agent SODA provides a Virtual Desktop environment to secure Web based applications a...

Page 29: ...es SPO Release 9 0 in virtual mode supports the following software in Windows 32 bit and 64 bit platforms Secure Portable Office Client Release 9 0 in virtual mode supports the following software in Windows 32 bit and 64 bit platforms Software released with Avaya Contact Center Microsoft Data Access 2 8 Jet Database Endine 4 0 Microsoft Net Framework 3 5 Avaya Contact Center Express Desktop 5 0 Av...

Page 30: ...Introducing the VPN Gateway 30 User Guide April 2013 Comments infodev avaya com ...

Page 31: ... is secured by a constantly monitored tamper detection circuit If tampering is detected the battery backup power to memory circuits on the card is removed Critical security parameters such as private keys that are in the storage area will then be destroyed and rendered useless to the intruder Any sensitive information that is transferred between two HSM cards within the same ASA 310 FIPS or betwee...

Page 32: ... in RAM where it remains accessible for subsequent operations Also when the ASA 310 FIPS is initialized in FIPS mode all private keys must be generated on the ASA 310 FIPS device itself Importing private keys or certificate files that contain private keys is not allowed due to the FIPS security requirements This means that certain CLI commands that are used for importing certificates and keys thro...

Page 33: ...10 FIPS device After an HSM card has been initialized that card will only accept the HSM SO and HSM USER iKeys that were used when initializing that particular card You cannot create backup copies of the associated HSM SO iKey and HSM USER iKey and a lost HSM SO or HSM USER password cannot be retrieved It is therefore extremely important that you establish routines for how the iKeys are handled Wr...

Page 34: ...es in a row the HSM USER iKey will be rendered unusable This is due to the strict security specifications placed on the ASA 310 FIPS Available Operations and iKeys Required For information about the type of iKeys required to perform a specific operation see Table 1 Available Operations and iKeys Required on page 34 Table 1 Available Operations and iKeys Required Type of iKey Required Operation Per...

Page 35: ...nd CODE USER iKeys or how to change an HSM SO or HSM USER iKey password see the Hardware Security Module Menu under the Maintenance Menu in the User s Guide For information about how to reset the HSM cards see Resetting HSM Cards on the ASA 310 FIPS on page 139 For information about HSM card LED status see Chapter 1 of the Hardware Installation Guide For information about the HSM card s security p...

Page 36: ...Introducing the ASA 310 FIPS 36 User Guide April 2013 Comments infodev avaya com ...

Page 37: ... menu you create a new cluster which initially only has one single member You can add one or more VPN Gateways to any existing cluster by performing an initial setup and select join in the Setup menu Configuration is Replicated among Master AVGs The configuration parameters are stored in a database which is replicated among the VPN Gateways designated as masters in a cluster By default the first f...

Page 38: ...st IP address when performing the initial setup Management IP Address MIP When you create a new cluster you will be prompted for a Management IP MIP address which is an IP alias to one of the VPN Gateways in the cluster The MIP address identifies the cluster and is used when making configuration changes through Telnet or SSH or when configuring the system using the Browser Based Management Interfa...

Page 39: ...utility The port number you specify refers to a physical port on the Network Interface Card NIC of a particular hardware model Depending on your model the Setup utility will automatically detect the number of available ports and display the valid range within square brackets when prompting for a port number The VPN Gateway 3050 has four copper port NICs numbered as 1 4 The VPN Gateway 3070 comes i...

Page 40: ...s private traffic that is connecting the SSL VPN to internal resources and configuring the SSL VPN from a management station Figure 1 One Armed Configuration without Application Switch Two Armed Configuration In a two armed configuration two separate interfaces are configured on the VPN Gateway Interface 1 will handle private traffic between the SSL VPN and the trusted intranet that is connecting ...

Page 41: ...an Application Switch Connect a computer to the VPN Gateway s console port through serial cable Use a terminal application for example TeraTerm to configure the VPN Gateway For more information see Connecting to the VPN Gateway on page 123 Press the power on button on the VPN Gateway Wait until you get a login prompt Log in as user admin password admin Note If you have the ASA 310 FIPS model see t...

Page 42: ...wo armed configuration Setting Up a One Armed Configuration In a one armed configuration only one interface is configured It is used as both the public traffic and the private management interface See figure on Two Armed Configuration on page 40 1 Choose new from the Setup menu Setup Menu join Join an existing iSD cluster new Initialize iSD as a new installation boot Boot menu info Information men...

Page 43: ...armed configuration by adding a new interface to the cluster exclusively used for client traffic and assign an unused port to that interface For information about how to add a new interface see the Interface Configuration section under Configuration Menu System Configuration in the Avaya Command Reference For information about how to assign ports to an interface see the Interface Ports Configurati...

Page 44: ...ete the New Setup on page 46 Setting Up a Two Armed Configuration In a two armed configuration two separate interfaces are configured on the VPN Gateway one private interface for AVG management and intranet connections and one public interface for Internet connections Also see figure on Two Armed Configuration on page 40 1 Choose new from the Setup menu Setup Menu join Join an existing iSD cluster...

Page 45: ...or no VLAN 0 VLAN tag id or ENTER Specify the desired network mask for the host IP address on the management interface or accept the suggested value by pressing ENTER If a connected router or switch attaches VLAN tag IDs to incoming packets specify the VLAN tag ID used 5 Enter yes and press ENTER to continue with creating a two armed configuration Setup a two armed configuration yes no no yes 6 Sp...

Page 46: ...oes not exist ok Trying to contact gateway ok Finally enter a unique Management IP address MIP that is within the same network address range as the host IP address on the management private interface Complete the new setup by following the instructions in the next section Complete the New Setup Complete the New Setup 1 Configure the time zone and NTP and DNS server settings If you don t have acces...

Page 47: ...d Generate new SSH host keys yes no yes Press ENTER to accept This may take a few seconds ok Enter a password for the admin user Re enter to confirm 3 If you will be using the VPN feature run the VPN quick setup wizard to set up a working VPN for SSL access in a few steps The VPN quick setup wizard creates all the settings required to enable a fully functional Portal for testing purposes You can l...

Page 48: ... secure IPsec tunnel using the Avaya VPN client formerly Contivity Setup IPsec no yes Creating default IKE profile under ipsec ikeprof 1 Creating default user tunnel profile under ipsec utunprof 1 Configuring IPsec Group login under aaa group trusted ipsec Do you want to use IPsec Group login no yes Enter IPsec secret secret Enter Lower IP address in pool range 10 10 10 1 Enter Upper IP address in...

Page 49: ...he SSL acceleration feature continue with the Basic Applications chapter in the Application Guide for SSL Acceleration To join an additional VPN Gateway to the cluster see Joining a VPN Gateway to an Existing Cluster on page 51 Settings Created by the VPN Quick Setup Wizard If you ran the VPN quick setup wizard during the initial setup a large number of settings were configured automatically Basic...

Page 50: ...cfg vpn aaa network command See the Groups Access Rules and Profiles chapter in the Application Guide for VPN for a full explanation of network definitions in conjunction with access rules The intranet network definition is configured as Network 1 The subnets included in intranet are based on private IP address space reservations as defined in the RFC 1918 document Network address 192 168 0 0 Netw...

Page 51: ...ng VPN Gateway s host IP address on Interface 1 and the host IP address you have in mind for the new AVG to the Access list This must be done before joining the new VPN Gateway otherwise the devices will not be able to communicate Use the cfg sys accesslist command If the Access list is empty this step is not required If the VPN Gateway you are about to join has a different software version than e...

Page 52: ... it is recommended for consistency that you configure port 1 for the AVG you are joining as well 3 Enter the VPN Gateway s host IP address Enter IP address for this machine on management interface IP address This IP address should be within the same network address range as the cluster s Management IP address 4 Enter network mask and VLAN tag ID Enter network mask 255 255 255 0 Press ENTER if corr...

Page 53: ...s 1 Choose join from the Setup menu Setup Menu join Join an existing iSD cluster new Initialize iSD as a new installation boot Boot menu info Information menu exit Exit global command always available Setup join Setup will guide you through the initial configuration of the iSD 2 Configure the management interface port number Enter port number for the management interface 1 4 1 Specify the port you...

Page 54: ... interface port number will automatically be assigned to Interface 2 7 Specify a host IP address and network mask on the traffic interface for the current VPN Gateway Enter IP address for this machine on traffic interface IP address Enter network mask 255 255 255 0 press ENTER to accepts In a two armed configuration the traffic interface host IP address will be assigned to Interface 2 8 If a conne...

Page 55: ... VPN Gateway type When adding up to three additional master AVGs to a cluster containing a single VPN Gateway you may configure each additional AVG as either master or slave For up to three additional AVGs the default setting is master When adding one or more VPN Gateways to a cluster that already contains four master AVGs each additional AVG is automatically configured as slave It is recommended ...

Page 56: ...nt IP MIP address that identifies the cluster For more information about adding an ASA 310 FIPS to an existing cluster see Adding an ASA 310 FIPS to an Existing Cluster on page 61 Before installing or adding an ASA 310 FIPS make sure that you have fully understood the concept of iKeys You might also want to decide the labeling scheme you want to use for identifying which iKey is used to initialize...

Page 57: ...de fips extended extended Press ENTER to accept the default extended mode or change the security mode to fips 4 Initialize HSM card 0 by inserting the first pair of HSM SO and HSM USER iKeys and by defining passwords Step 4 on page 57 and step 5 on page 58 are related to initializing the HSM cards that your ASA 310 FIPS is equipped with The Setup utility will identify the first HSM card as card 0 ...

Page 58: ...SM card new setup continued Verify that HSM SO iKey purple is inserted in card 0 with flashing LED Hit enter when done Enter a new HSM SO password for card 0 define an HSM SO password Re enter to confirm The HSM SO iKey has been updated Verify that HSM USER iKey blue is inserted in card 0 with flashing LED Hit enter when done Enter a new HSM USER password for card 0 define an HSM USER password Re ...

Page 59: ...ed to use two of these in one given cluster The extra two black iKeys can be used to create a pair of backup CODE iKeys For more information about how to create a pair of backup CODE iKeys see the splitkey command on the HSM menu described under Maintenance Menu in the Command Reference To successfully split and load the cluster wrap key onto the correct iKeys you need the following Two black CODE...

Page 60: ...in card 1 with flashing LED Hit enter when done Verify that CODE USER iKey black is inserted in card 1 with flashing LED Hit enter when done Wrap key successfully combined to card 1 8 If you have selected FIPS mode as the security mode define a passphrase If you selected FIPS mode prior to initializing HSM card 0 step 3 on page 57 you will also be asked to define a passphrase Make sure you remembe...

Page 61: ... 310 FIPS after it has booted The following applies when joining a new ASA 310 FIPS to an existing cluster If the ASA 310 FIPS you are about to join is installed on a different subnet than existing units this new ASA must be configured as a slave Master ASAs cannot exist on different subnets If the Access list consists of entries for example IP addresses for control of Telnet and SSH access also a...

Page 62: ...d for initializing HSM card 0 The purple HSM Security Officer iKey embossed with HSM SO The blue HSM User iKey embossed with HSM USER Label these iKeys and HSM card 0 in a way so that the connection between them is obvious After HSM card 0 has been initialized this card will only accept the HSM SO and HSM USER iKeys used when initializing this particular HSM card Even if you choose to use the same...

Page 63: ...M USER iKeys and by defining passwords Remember to take steps to label each pair of HSM SO and HSM USER iKeys and the HSM card to which each set of iKeys is associated during the initialization Because each ASA 310 FIPS ASA 310 FIPS device in the cluster will have two HSM cards you must also take steps to identify to which ASA 310 FIPS device each pair of iKeys are associated Your labeling must en...

Page 64: ...HSM Code iKeys labeled CODE SO and CODE USER respectively that you used when installing the first ASA 310 FIPS in the cluster If you have more than one cluster of ASA 310 FIPS units make sure that you can identify to which cluster the pair of CODE iKeys are associated The cluster wrap key that is split and stored on the two CODE iKeys is specific for each cluster of ASA 310 FIPS units joinsetup co...

Page 65: ...d Enter the secret passphrase as given during initialization of the first iSD in the cluster 8 Wait until the Setup utility has finished joinsetup continued Setup successful login The setup utility is now finished The ASA 310 FIPS that has now been added to the cluster will automatically pick up all configuration data from one of the already installed ASA 310 FIPS units in the cluster After a shor...

Page 66: ...l configuration data including network settings Therefore you should first save all configuration data to a file on a TFTP FTP SCP SFTP server Using the ptcfg command installed keys and certificates are included in the configuration data and can later be restored by using the gtcfg command For more information about these commands see the Configuration Menu chapter in the Command Reference If you ...

Page 67: ...ect Enter network mask 255 255 255 0 Press ENTER if correct Enter gateway IP address 192 168 128 1 Press ENTER if correct Note If the VPN Gateway has not been configured for network access previously or if you have deleted the VPN Gateway from the cluster by using the boot delete command you must provide information about network settings such as interface port IP address network mask and gateway ...

Page 68: ...ly installed boot image reinstall procedure continued Restarting Restarting system Alteon WebSystems I nc 0004004C Booting Login After the new boot image has been installed the VPN Gateway will reboot and you can log in again when the login prompt appears This time log in as the admin user to enter the Setup menu For more information about the Setup menu Initial Setup 68 User Guide April 2013 Comm...

Page 69: ...e been enhanced with new features All configuration data is retained When performing a major upgrade you should connect to the Management IP address of the cluster you want to upgrade Upgrading from software version 2 0 to software version 3 0 7 This upgrade needs to be performed in two steps due to the new database format and software management introduced in version 3 0 7 For more information on...

Page 70: ...ugh TAB they cannot be used in normal operation Disk repartition takes approximately 5 to 7 minutes to complete the operation it includes two automatic reboots and makes the host effectively out of service Access to the Management IP address can be accomplished through a Telnet connection or SSH Secure Shell connection Note however that Telnet and SSH connections to the VPN Gateway are disabled by...

Page 71: ... permanent will then be marked as old For minor and major releases the software upgrade will take part synchronously among the set of VPN Gateways in a cluster If one or more VPN Gateways are not operational when the software is upgraded they will automatically pick up the new version when they are started Note If more than one software upgrade has been performed to a cluster while a VPN Gateway h...

Page 72: ...s performed the necessary health checks the current status changes to permanent To activate the unpacked software upgrade package use the activate command 2 At the Software Management prompt enter Software Management activate 9 0 0 Confirm action activate y n y Activate ok relogin you are logged out here Restarting system login Note Activating the unpacked software upgrade package may cause the co...

Page 73: ...ion you can revert to the previous software version now indicated as old To do this activate the software version indicated as old When you log in again after having activated the old software version its status is indicated as current for a short while After about one minute when the system has performed the necessary health checks the current status is changed to permanent Performing Minor Major...

Page 74: ...Upgrading the AVG Software 74 User Guide April 2013 Comments infodev avaya com ...

Page 75: ...en a user is a member of more than one group user rights accumulate The admin user who by default is a member of all four groups therefore has the same user rights as granted to members in the certadmin and oper group in addition to the specific user rights granted by the admin group membership The most permissive user rights become the effective user rights when a user is a member of more than on...

Page 76: ...rver menu cfg ssl server Access to the System menu cfg sys is limited and entails access only to the User Access Control submenu cfg sys user 1 Log in to the AVG cluster as the admin user login admin Password admin user password 2 Access the User Menu Main cfg sys user User Menu passwd Change own password expire Set password expire time interval list List all users del Delete a user add Add a new ...

Page 77: ...cert_admin groups add Enter group name certadmin 5 Verify and apply the group assignment When typing the list command the current and pending group assignment of the user being edited is listed by index number and group name Because the cert_admin user is a new user the current group assignment listed by Old is empty Groups list Old Pending 1 certadmin Groups apply Changes applied successfully 6 D...

Page 78: ...r is used instead to encrypt private keys in the configuration backup The encryption of private keys using the export passphrase defined by the Certificate Administrator is performed transparently to the user without prompting When the configuration backup is restored the Certificate Administrator must enter the correct export passphrase Note If the export passphrase defined by the Certificate Adm...

Page 79: ...admin group only the Certificate Administrator user can access the Certificate menu cfg cert User edit admin User admin groups list 1 tunnelguard 2 admin 3 oper 4 certadmin Groups del 4 Note It is critical that a Certificate Administrator user is created and assigned certadmin group membership before the admin user is removed from the certadmin group Otherwise there is no way to assign certadmin g...

Page 80: ...d in the Avaya VPN Gateway User Guide Changing a Users Group Assignment Only users who are members of the admin group can remove other users from a group All users can add an existing user to a group but only to a group in which the granting user is already a member The admin user who by default is a member of all four groups admin oper tunnelguard and certadmin can therefore add users to any of t...

Page 81: ...roup name certadmin Note A user must be assigned to at least one group at any given time If you want to replace a user s single group assignment you must therefore always first add the user to the desired new group then remove the user from the old group 4 Verify and apply the changes Groups list Old 1 tunnelguard 2 admin 3 oper Pending 1 tunnelguard 2 admin 3 oper 4 certadmin Groups apply Changin...

Page 82: ...cess the User Menu Main cfg sys user User Menu passwd Change own password expire Set password expire time interval list List all users del Delete a user add Add a new user edit Edit a user caphrase Certadmin export passphrase 3 Type the passwd command to change your current password When your own password is changed the change takes effect immediately without having to use the apply command User p...

Page 83: ... first for the user with the cfg sys user edit username groups list command Login passwords are case sensitive and can contain spaces 1 Log in to the AVG cluster as the admin user login admin Password admin user password 2 Access the User Menu Main cfg sys user User Menu passwd Change own password expire Set password expire time interval list List all users del Delete a user add Add a new user edi...

Page 84: ...the admin user is a member of the admin group Note Remember that when a user is deleted that user s group assignment is also deleted If you are deleting a user who is the sole member of a group none of the remaining users on the system can then be added to that group Existing users can only be added to a group by a user who is already a member of that group Before deleting a user you may therefore...

Page 85: ...xample the cert_admin user is removed from the system To list all users that are currently added to the system configuration use the list command User del cert_admin 4 Verify and apply the changes The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign To cancel a configuration change that has not yet been applied use the revert command User lis...

Page 86: ...Managing Users and Groups 86 User Guide April 2013 Comments infodev avaya com ...

Page 87: ...o 1500 certificates The basic steps to create a new certificate using the command line interface of the VPN Gateway are Generate a Certificate Signing Request CSR and send it to a Certificate Authority CA such as Entrust or VeriSign for certification Add the signed certificate to the VPN Gateway Note Even though the VPN Gateway supports keys and certificates created by using Apache SSL OpenSSL or ...

Page 88: ...and E mail Address is strictly required Country Name The two letter ISO code for the country where the Web server is located For current information about ISO country codes visit for example http www iana org State or Province Name This is the name of the state or province where the head office of the organization is located Enter the full name of the state or province Locality Name The name of th...

Page 89: ...example com IP 10 1 2 3 Generate new key pair y In most cases you will want to generate a new key pair for a CSR However if a configured certificate is approaching its expiration date and you want to renew it without replacing the existing key answering no n is appropriate The CSR will then be based on the existing key for the specified certificate number instead Key size 1024 Specify the key leng...

Page 90: ...o use the same certificate number when adding the certificate returned to you after the CSR has been processed by a certificate authority this step is only necessary if you want to create a backup copy of the private key When generating a CSR the private key is created and stored encrypted on the VPN Gateway using the specified certificate number When you receive the certificate containing the cor...

Page 91: ...ve the file with a key extension Preferably use the same file name that you defined for the csr file so the connection between the two files becomes obvious The name you define can indicate the server on which the certificate and the corresponding private key is to be used Note When using an ASA 310 FIPS the private key is protected by the HSM card and cannot be exported After you have received th...

Page 92: ...ecify a server software vendor whose software you supposedly used to generate the CSR specify Apache The CA will return the signed certificate for installation The certificate is then ready to be added into the VPN Gateway Adding Certificates to the AVG Using the encryption capabilities of the VPN Gateway requires adding a key and certificate that conforms to the X 509 standard to the VPN Gateway ...

Page 93: ...formation about the conversion tool contact Avaya See Customer service on page 16 for contact information When it comes to exporting certificates and keys from the VPN Gateway you can specify to save in the PEM NET DER or PKCS12 format when using the export command If you choose to use the display command which requires a copy and paste operation you are restricted to saving certificates and keys ...

Page 94: ...sting the certificate If the private key and the certificate are not in the same file use the key or import command to add the corresponding private key To view basic information about configured certificates use the info certs command The information displayed lists all configured certificates by their main attributes 2 Copy the contents of your certificate file Open the certificate file you have...

Page 95: ... changes Certificate 1 apply Changes applied successfully If you have used the request command on the VPN Gateway to generate a CSR and have specified the same certificate number as the CSR when pasting the contents of the certificate file your certificate is now fully installed If you have obtained a certificate by other means however you must also add the corresponding private key Adding Certifi...

Page 96: ...ncert with the related private key when handling SSL transactions Open the key file in a text editor and copy the entire contents Make sure the selected text includes the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines 3 Paste the contents of the key file at the command prompt Now paste the private key at the command line interface prompt Press ENTER to create a new row and then type without t...

Page 97: ...are is used for SSL acceleration purposes the certificate should be mapped to the virtual SSL server using the cfg ssl server ssl cert command If the AVG software is used for deployment of a VPN solution the certificate should be mapped to the portal server of the desired VPN using the cfg vpn server ssl cert command Adding Certificates to the AVG User Guide April 2013 97 ...

Page 98: ...e to perform step 5 2 Initiate the process of adding a certificate using TFTP FTP SCP SFTP Type the command cfg cert and press ENTER Specify an unused certificate index number and then type the command import Make sure to specify a certificate number not in use by an existing certificate To view basic information about all configured certificates use the info certs command Main cfg cert Enter cert...

Page 99: ... Key added Certificate added Use apply to activate changes 5 Add your private key if in a separate file This step is only required if the certificate file does not include the private key You may be prompted for a password phrase if specified when creating or exporting the private key Certificate 1 import Select protocol tftp ftp scp sftp tftp ftp Enter host name or IP address of server server hos...

Page 100: ...xisting certificate for a new certificate you should keep the existing certificate until it is verified that the new certificate works as designed Create a New Certificate 1 Check the certificate numbers currently in use Main cfg cur cert If for example two different certificates exist as Certificate 1 and Certificate 2 create Certificate 3 for your new certificate 2 Add a certificate with a new c...

Page 101: ...he clients Besides the server can be configured to require client certificates to authenticate clients before granting access to the requested service When a server is set to require client certificates a CertificateRequest message is sent from the server to the client during the SSL handshake The client responds by sending its public key certificate in a Certificate message After that the client ...

Page 102: ...ring the SSL handshake If the client does not have a certificate the client will respond with a NoCertificateAlert message At that point the session will be terminated SSL server 1 Server 1 ssl SSL Settings verify Current value none Certificate verification none optional require require 3 Specify which CA certificates to use for client authentication Specify which CA certificates you want the virt...

Page 103: ... used for signing the client certificate Main cfg cert Enter certificate number 1 1 Certificate 1 gensigned Type of certificate server client client press ENTER for client certificate The combined length of the following parameters may not exceed 225 bytes Country Name 2 letter code State or Province Name full name Locality Name e g city Organization Name e g company Organizational Unit Name e g s...

Page 104: ...he subject s name The full name of the subject E mail Address The full e mail address of the subject Subject alternative name Comma separated list of URI uri DNS fqdn IP ip address email e mail address Example URI http www example com email john example com IP 10 1 2 3 3 Specify the validity period key size and serial number After having provided information about the subject you are now ready to ...

Page 105: ...t certificate and define a pass phrase for the private key You should save the client certificate and assign a certificate index number to it The lowest available index number available is displayed in square brackets and will be used unless you specify a different number Generating client certificates User Guide April 2013 105 ...

Page 106: ...ct pass phrase which you defined is required to unlock the certificate 5 Verify that the certificate you used for generating the client certificate is specified as a CA certificate for the appropriate virtual SSL server Main cfg ssl server Enter virtual server number 1 1 Server 1 ssl SSL Settings cacerts Current value 1 Enter certificate numbers separated by comma To successfully validate the clie...

Page 107: ...enerated the client certificate you had the option to save it with a new certificate number In the previous example Step 4 the client certificate was saved as certificate number 2 Enter this certificate number when prompted then use the export command to export the certificate as a file Main cfg cert Enter certificate number 1 2 Certificate 1 export Select protocol tftp ftp scp sftp tftp ftp Enter...

Page 108: ... all that you have configured the virtual SSL server to always require client certificates For more information see Configure a Virtual SSL Server to Require a Client Certificate on page 101 You must also regularly check with the certificate authorities you trust for their latest CRLs Moreover if you take on the role of a certificate authority by issuing your own client certificates you will also ...

Page 109: ...ceived 12628 bytes in 0 1 seconds Certificate revocation list found in der format Revocation list added Use apply to activate changes 3 Apply your changes Revocation apply Changes applied successfully Revoking Client Certificates Issued within your Own Organization 1 Specify the CA certificate to which you want to add a CRL Specify the certificate number that represents the CA certificate of the c...

Page 110: ...d 12628 bytes in 0 1 seconds Certificate revocation list found in ascii format Revocation list added Use apply to activate changes If you have added serial numbers for particular client certificates by using the add command prior to using the import command you will be asked if you want to merge those serial numbers to the CRL in ASCII format If the CRL does not already include those serial number...

Page 111: ...add a paragraph in the text document that reads ASCII revocation Or if you choose to add serial numbers in hexadecimal form add a paragraph in the text document that reads HEX ASCII revocation Note You can add comments to a CRL ASCII file by preceding your comments with the character Each new line of comments must begin with the character Comments can be used for providing information about the da...

Page 112: ... server containing CRLs certificate revocation lists and retrieving such lists at regular intervals to automate the task of keeping the CRL up to date Note When enabling automatic retrieval of certificate revocation lists any existing revocation list is overwritten You can use LDAP HTTP or TFTP to retrieve CRLs from the appropriate server for LDAP the server must support LDAP v3 When using LDAP a ...

Page 113: ...VG software s implementation of the CRL retrieval feature however requires that host information is specified Using HTTP or TFTP the URL you specify must include the specific file name you want to access The recognized URL syntax is a subset of RFC 1738 and can be defined as proto host port path Example http 10 42 128 30 server crl Main cfg cert 1 revoke automatic Automatic CRL url Current value E...

Page 114: ...and If you want to specify a time interval in minutes hours or days enter an integer directly followed by the letter m h or d The default interval is 1 day 1d The shortest time interval allowed is 601 seconds 10 minutes and 1 second Automatic CRL interval Current value 1d Enter refresh interval 5 Specify which CA certificates are valid signers of the certificate revocation lists you retrieve To ge...

Page 115: ...ng client certificates 1 Indicate whether client certificate authentication is needed for NDIC connection profile If connection is required then NDIC hides the user name and password fields and replaces it with a message indicating client certificate is required to connect 2 Click Connect The MSCAPI window appears 3 Select the certificate in the MSCAPI window 4 If secondary authentication is not r...

Page 116: ... the CA certificate that you want to use for signing the CSR Main cfg cert 1 Certificate 1 sign 2 Paste the CSR Open the CSR file in a text editor and copy the entire contents including the text BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST Having pasted the CSR press ENTER to create a new line and type three periods Finally press ENTER once again 3 Apply the changes Certificates and Clien...

Page 117: ...oviding the requested information the certificate and key are generated immediately 1 Specify an unused certificate number If a certificate and key already exist for the current certificate index number they are overwritten when you execute the apply command You should therefore always choose an unused certificate index number before creating a test certificate Main cfg cert 4 Creating Certificate...

Page 118: ...General Commands This section includes examples on how to use some general Certificate menu commands Show Certificate Information The info command is used to show brief information about the selected certificate Certificate 1 info Serial number 0 0x0 Expire Nov 29 12 42 17 2006 GMT Certificate subject C US ST Texas L Dallas O Avaya OU Switching CN John emailAddress john avaya com Show Subject Info...

Page 119: ...e This command is used to show the size of the private key in the selected certificate Certificate 1 keysize Key is of size 1024 Show Key Information This command provides information about how the private key associated to the currently selected certificate is protected For the VPN Gateways without the HSM card private keys are protected by the cluster For the ASA FIPS private keys are protected ...

Page 120: ...The key is protected by the iSD Cluster Certificates and Client Authentication 120 User Guide April 2013 Comments infodev avaya com ...

Page 121: ... virtualized for successful launch of certain applications Windows Server 2003 Windows 2000 Pro Windows 2000 Server Windows XP Windows NT4 SP6 Browser Internet Explorer 5 0 or later Netscape 6 0 or later Opera 7 2 or later FireFox 1 0 and later Java Runtime Environment JRE version 1 4 2 or later or Microsoft Java Virtual Machine JVM version 5 0 and later Licensing vdesktop Your copy of Symantec On...

Page 122: ...al desktop is launched Virtual Desktop Operations Once the vdesktop license is installed you can perform the following tasks Print and copy information to removable USB media Work only within the Virtual Desktop Enable Automatic Switch Work with copies of the files rather than the real versions Enable File Separation The vdesktop session may get terminated when the browser session is terminated to...

Page 123: ... of the cluster However when using the halt reboot or delete commands available in the Boot menu you should connect to the IP address of the particular VPN Gateway on which you want to perform these commands or connect to that VPN Gateway through a console connection Connecting to the VPN Gateway You can access the command line interface in two ways Using a console connection through the console p...

Page 124: ...ed to the network Telnet access provides the same options for user access and administrator access as those available through the console port To configure the AVG cluster for Telnet access you need to have a device with Telnet client software located on the same network as the VPN Gateway s The VPN Gateway must have an IP address and a Management IP address If you have already performed the initi...

Page 125: ...way run the Telnet program on your workstation and issue the Telnet command followed by the VPN Gateway s IP address telnet IP address You will then be prompted to enter a valid user name and password For more information about different user accounts and default passwords see Accessing the AVG Cluster on page 126 Establishing a Connection Using SSH Secure Shell When accessing the VPN Gateway from...

Page 126: ...teway is encrypted For information about different user accounts and default passwords see Accessing the AVG Cluster on page 126 During the initial setup of the VPN Gateway s you are provided with the choice to generate new SSH host keys It is recommended that you do so to maintain a high level of security when connecting to the VPN Gateway using a SSH client If you fear that your SSH host keys ha...

Page 127: ... and the corresponding password The default user accounts and passwords for each access level are listed in Table 4 User Access Levels on page 127 Note The default Administrator user password can be changed during the initial configuration For the Operator user the Boot user and the Root user however the default passwords are used even after the initial configuration It is therefore recommended th...

Page 128: ...e given complete access to the VPN Gateway If the VPN Gateway is still set to its factory default configuration the system will run Setup see Installing an AVG in a New Cluster on page 42 a utility designed to help you through the first time configuration process If the VPN Gateway has already been configured the Main menu of the CLI is displayed instead The following figure shows the Main menu wi...

Page 129: ...ore make sure to save your configuration changes regularly by using the global apply command If you have unapplied configuration changes when using the global exit command to log out from the command line interface you will be prompted to view the pending configuration changes by using the global diff command After verifying the pending configuration changes you can either remove the changes or ap...

Page 130: ...The Command Line Interface 130 User Guide April 2013 Comments infodev avaya com ...

Page 131: ...be reconstructed onto new devices on An ASA 310 FIPS Cluster Must be Reconstructed onto New Devices on page 141 User fails to connect to the VPN on A User Fails to Connect to the VPN on page 144 User unable to connect to the VPN Gateway through the Net Direct client on User Unable to Connect to the VPN Gateway through the Net Direct Client on page 151 Unable to download Net Direct from VPN server ...

Page 132: ...k whether any hosts have been added to the Access List Type the command cfg sys accesslist list to view the current Access List cfg sys accesslist list 1 192 168 128 78 255 255 255 0 When Telnet or SSH access is enabled only those hosts listed in the Access List are allowed to access the VPN Gateway over the network If no hosts have been added to the Access List this means that any host is allowed...

Page 133: ...the tcpdump command or some other network analysis tool to locate the problem For more information about the tcpdump command see the Network Traffic Dump Commands section under Configuration Menu SSL Configuration Menu in the Avaya Command Reference If this does not help you to solve the problem contact Avaya for technical support See Customer service on page 16 Cannot Add an AVG to a Cluster When...

Page 134: ...n as the Administrator user and select join from the Setup menu Upgrade the software version running on the AVG s in the cluster to the same version as running on the VPN Gateway you want to add to the cluster Perform the steps described in Performing Minor Major Release Upgrades on page 69 Then add the AVG device by selecting join from the Setup menu Cannot Contact the MIP When trying to add a VP...

Page 135: ...ftware version on the VPN Gateway you want to add as well After having upgraded the software version in the cluster log in to the VPN Gateway you want to add as the Administrator user and select join from the Setup menu The AVG Stops Responding Telnet or SSH Connection to the Management IP Address When you are connected to a cluster of VPN Gateways through a Telnet or SSH connection to the Managem...

Page 136: ...You will be asked to confirm your action before the actual reboot is performed Log in as the Administrator user and check if the operational status of the VPN Gateway is now up If the operational status of the VPN Gateway still is down reboot the machine On the device press the Power button on the back panel to turn the machine off wait until the fan comes to a standstill and then press the Power ...

Page 137: ...anges being made to the configuration of the AVG The fact that the Boot user password cannot be changed should not imply a security issue because the Boot user can only access the VPN Gateway through a console connection using a serial cable and the VPN Gateway presumably is set up in a server room with restricted access An ASA 310 FIPS Stops Processing Traffic Whenever an ASA 310 FIPS has undergo...

Page 138: ...Verify that HSM USER iKey blue is inserted in card 0 with flashing LED Hit enter when done Enter the current HSM USER password for card 0 enter the password associated with the HSM USER iKey for card 0 Successful login on card 0 Verify that HSM USER iKey blue is inserted in card 1 with flashing LED Hit enter when done Enter the current HSM USER password for card 1 enter the password associated wit...

Page 139: ...ice you want to delete If the ASA 310 FIPS device will be used in a different department or organization after it has been deleted from the cluster you may want to change the current password for the HSM SO iKey and the HSM USER iKey before you reset the HSM cards The user who performs the initial setup of the ASA 310 FIPS device must then provide the transient passwords known by both parties when...

Page 140: ...HSM card This holds true even if you use the same password for both HSM SO iKeys that are used on one ASA 310 FIPS device continued Verify that HSM SO iKey purple is inserted in card 0 with flashing LED Hit enter when done Enter the current HSM SO password for card 0 4 Insert the HSM SO iKey associated with HSM card 1 in the card with flashing LED and provide the correct password Again make sure t...

Page 141: ...SCP SFTP server as a precautionary measure by using the cfg ptcfg command in the former cluster For more information about the ptcfg command see the Configuration Menu chapter in the Command Reference The black CODE SO and CODE USER iKeys that were used when the now damaged cluster of ASA 310 FIPS devices was first created The black CODE iKeys are needed to transfer the wrap key used in the former...

Page 142: ...card 1 new setup continued Verify that CODE SO iKey black is inserted in card 1 with flashing LED Hit enter when done Verify that HSM USER iKey blue is inserted in card 1 with flashing LED Hit enter when done Verify that CODE USER iKey black is inserted in card 1 with flashing LED Hit enter when done Wrap key successfully split combined to card 1 5 If you selected FIPS mode as the security mode sp...

Page 143: ...d 0 with flashing LED Hit enter when done Wrap key successfully combined to card 0 9 Transfer the cluster wrap key to card 1 join setup continued Verify that CODE SO iKey black is inserted in card 1 with flashing LED Hit enter when done Verify that HSM USER iKey blue is inserted in card 1 with flashing LED Hit enter when done Verify that CODE USER iKey black is inserted in card 1 with flashing LED...

Page 144: ...server server IP address Enter name of file on server name of saved configuration file FTP User anonymous press ENTER if anonymous mode is supported Password Received 4960 bytes in 0 1 seconds Password for importing private keys in cfg password as defined when saving the configuration file to an FTP TFTP SCP SFTP server Configuration loaded Configuration The configuration information is now automa...

Page 145: ...p sftp interactive Enter the desired tag s separated by comma for example aaa ssl to trace the user authorization and SSL handshake processes or press ENTER to trace all processes To limit tracing to a specific VPN enter the desired VPN ID or press ENTER to view trace information for all domains Select the desired output mode interactive The result is displayed directly in the CLI tftp ftp sftp Th...

Page 146: ...N Gateway This is also the order in which the groups will be applied base implies that the group s base profile will be used TTL for user shows the idle timeout 15m 15 minutes in the preceding example and the maximum session length infinity in the example For detailed information about groups profiles and so on see the chapter Groups Access Rules and Profiles in the CLI BBI Application Guide for V...

Page 147: ...output concerning the establishment of an IPsec tunnel ippool The ippool tag logs messages related to the allocation of IP addresses from the IP pool applies to Net Direct and IPsec A User Fails to Connect to the VPN User Guide April 2013 147 ...

Page 148: ...status and SRS rule check result upref The upref tag shows information related to retrieval and storage of user preferences e g Portal bookmarks For more information about how to enable this feature see the section The Tools tab Edit Bookmarks in the chapter The Portal from an End User Perspective in the CLI BBI Application Guide for VPN Troubleshooting the AVG 148 User Guide April 2013 Comments i...

Page 149: ...ted to SMB Windows file share sessions initiated through the Portal s Files tab ftp The ftp tag shows information related to FTP sessions initiated through the Portal s Files tab A User Fails to Connect to the VPN User Guide April 2013 149 ...

Page 150: ... has been accepted or rejected netdirect_packet The netdirect_packet tag logs information about packets being sent and received when the user has initiated a connection to a host Because of the large amount of information we recommend logging to a TFTP FTP SFTP server Troubleshooting the AVG 150 User Guide April 2013 Comments infodev avaya com ...

Page 151: ...ot the user may belong to a group that does not have access to the linkset where the Net Direct link is included See the Net Direct chapter in the Avaya Application Guide for VPN for instructions on how to configure a Net Direct link and map the linkset to the desired group 4 For Windows is the Net Direct ActiveX control present on the end user s PC Let the end user check the following In Internet...

Page 152: ... Settings user Local Settings Temp NetDirectError log On Linux and Macintosh the NetDirectError log file is created under tmp on the client machine 11 On Windows when the end user double clicks the Net Direct icon in the system tray what settings are shown Verify that the settings shown corresponds to the settings you have made in the CLI BBI For example the IP address used should be from the IP p...

Page 153: ...cacheable zip into the AVG through BBI CLI cfg vpn portal content import 5 Login as root and we can find the imported file in the path config isd user_content docroot You can access https vpn ip nortel_cacheable NetDirect_Setup_Custom zip System Diagnostics A few system diagnostics can be performed on the VPN Gateway Installed Certificates and Virtual SSL Servers To view the currently installed ce...

Page 154: ...sides checking the connection the method For example ping for checking each item is displayed To check various network settings for a specific VPN Gateway access the iSD Host menu by typing the following commands cfg sys host Enter iSD host number 1 iSD host by index number iSD Host 1 cur The screen output provides information about the type of iSD master or slave IP address network mask and gatew...

Page 155: ...packets packet collisions and lack of carrier To check if a virtual server on the Application Switch is working type the following command at any menu prompt ping IP address of virtual server To capture and analyze TCP traffic sent from a virtual SSL server to the backend server type the following command where you replace with the index number of the desired virtual SSL server cfg ssl server trac...

Page 156: ...nd It collects system log file information from the VPN Gateway you are connected to or optionally all AVGs in the cluster and sends the information to a file in the gzip compressed tar format on the TFTP FTP SFTP server you have specified The information can then be used for technical support purposes The file sent to the TFTP FTP SFTP server does not contain any sensitive information related to ...

Page 157: ...D5 SSLv2 RSA RSA 3DES 168 MD5 DHE RSA AES128 SHA SSLv3 DH RSA AES 128 SHA1 AES128 SHA SSLv3 RSA RSA AES 128 SHA1 RC4 SHA SSLv3 RSA RSA RC4 128 SHA1 RC4 MD5 SSLv3 RSA RSA RC4 128 MD5 RC2 CBC MD5 SSLv2 RSA RSA RC2 128 MD5 RC4 MD5 SSLv2 RSA RSA RC4 128 MD5 RC4 64 MD5 SSLv2 RSA RSA RC4 64 MD5 EXP1024 RC4 SHA SSLv3 RSA 1024 RSA RC4 56 SHA1 EXPORT EXP1024 DES CBC SHA SSLv3 RSA 1024 RSA DES 56 SHA1 EXPOR...

Page 158: ...separated by colons e g RC4 RSA ALL NULL DH EXPORT STRENGTH Lists of ciphers can be combined using a logical and operation e g SHA1 DES represents all cipher suites containing the SHA1 and the DES algorithms In the colon separated list any cipher string can be preceded by the characters or These characters serve as modifiers with the following meanings permanently deletes the ciphers from the list...

Page 159: ... EXPORT DH This example will remove all EXPORT ciphers besides the DH related cipher suites Removing the EXPORT ciphers means that all ciphers using either 40 or 56 bits symmetric ciphers are removed from the list This means that browsers running export controlled crypto software cannot access the server Using the OpenSSL command line tool on a UNIX machine it is possible to check which cipher sui...

Page 160: ...ciphers pose a security threat they are disabled unless explicitly included aNULL Cipher suites that do not offer authentication like anonymous DH algorithms The use of such cipher suites is not recommended because they facilitate man in the middle attacks kRSA RSA Cipher suites using RSA key exchange kEDH Cipher suites using ephemeral Diffie Hellman key agreement aRSA Cipher suites using RSA auth...

Page 161: ... not triple DES RC4 Cipher suites using RC4 encryption algorithms RC2 Cipher suites using RC2 encryption algorithms MD5 Cipher suites using MD5 encryption algorithms SHA1 SHA Cipher suites using SHA1 encryption algorithms Supported Cipher Strings and Meanings User Guide April 2013 161 ...

Page 162: ...Supported Ciphers 162 User Guide April 2013 Comments infodev avaya com ...

Page 163: ... Reference For detailed information about the MIB Management Information Base definitions that are currently implemented for the SNMP agent do one of the following Go to http www avaya com In the left pane select Downloads In the Product dialog box type VPN Gateway 3050 or VPN Gateway 3070 Select the release number you want from the pull down list and then select the download package you want Clic...

Page 164: ... MIB ALTEON ISD SSL MIB ALTEON SSL VPN MIB ALTEON ROOT MIB IANAifType MIB SNMPv2 MIB The SNMPv2 MIB is a standard MIB implemented by all agents The following groups are implemented snmpGroup snmpSetGroup systemGroup snmpBasicNotificationsGroup snmpCommunityGroup The SNMP Agent 164 User Guide April 2013 Comments infodev avaya com ...

Page 165: ...get command The following groups are implemented snmpTargetCommandResponderGroup snmpTargetBasicGroup snmpTargetResponseGroup Write access to snmpTargetParamsTable is turned off in VACM SNMP NOTIFICATION MIB The following group is implemented snmpNotifyGroup Write access to all objects in this MIB is turned off in VACM SNMP VIEW BASED ACM MIB The following group is implemented vacmBasicGroup Write...

Page 166: ...Nmm s5EnMsTopBdg s5EnMsSrcMac SYNOPTICS ROOT MIB This MIB provides product IDs and descriptions for SONMP aware products It is required by the S5 ETH MULTISEG TOPOLOGY MIB MIB S5 TCS MIB This MIB is used when the AVG participates in SONMP It is required by the S5 ETH MULTISEG TOPOLOGY MIB MIB S5 ROOT MIB This MIB is used when the AVG participates in SONMP It is required by the S5 ETH MULTISEG TOPO...

Page 167: ...d ifLastChange ifInUnknownProtos ifOutNUnicast IP MIB The following groups are implemented ipGroup icmpGroup IP FORWARD MIB The following group is implemented ipCidrRouteGroup ENTITY MIB The following groups are implemented entityPhysicalGroup entityPhysical2Group entityGeneralGroup entityNotificationsGroup Supported MIBs User Guide April 2013 167 ...

Page 168: ...smanEventTriggerGroup dismanEventObjectsGroup dismanEventEventGroup dismanEventNotificationObjectGroup dismanEventNotificationGroup ALTEON ISD PLATFORM MIB The ALTEON ISD PLATFORM MIB contains the following groups and objects isdClusterGroup isdResourceGroup isdAlarmGroup isdBasicNotificatioObjectsGroup isdEventNotificationGroup isdAlarmNotificationGroup ALTEON ISD SSL MIB The ALTEON ISD SSL MIB c...

Page 169: ... HSM card is required Only for the ASA 310 FIPS model alteonISDSSLHsmT amperedWith Signifies that the HSM card has been tampered with Only for the ASA 310 FIPS model alteonISDSSLHwFai l Signifies that the SSL accelerator hardware failed The VPN Gateway will continue to handle traffic but with severely degraded performance authenticationFailure Sent when the SNMP agent receives an SNMP message whic...

Page 170: ...operational Only having one master in a cluster means that the fault tolerance level is severely degraded if the last master fails the system cannot be reconfigured This trap is only sent if more than two VPN Gateways in the cluster are defined as masters linkDown Sent when the agent detects that one of the links interfaces has gone down Defined in IF MIB linkUp Sent when the agent detects that on...

Page 171: ...iew the menu options see the Syslog Servers Configuration section under Configuration Menu System Configuration in the Avaya Command Reference List of Syslog Messages This section lists the Syslog messages that can be sent from a VPN Gateway to a configured Syslog server The messages are divided into the following message types Operating system OS System control Traffic processing Startup Configur...

Page 172: ...filesystem corrupt Possible loss of configuration Followed by the message Config filesystem re initialized reinstall required or Config filesystem restored from backup Missing files in config filesystem Possible loss of configuration Followed by the message Config filesystem re initialized reinstall required or Config filesystem restored from backup Logs filesystem re initialized Loss of logs Root...

Page 173: ...by typing the info events alarms command INFO System started isdssl version Sent whenever the system control process has been re started ALARM Alarms are sent at a syslog level corresponding to the alarm severity as shown in the following table Alarm Severity Syslog Level CRITICAL ALERT MAJOR CRITICAL MINOR ERROR WARNING WARNING ERROR Alarms are formatted according to the following pattern Id alar...

Page 174: ... A VPN Gateway failed to install a software release while trying to install the same version as all other VPN Gateways in the cluster The failing VPN Gateway tries to catch up with the other cluster members as it was not up and running when the new software version was installed Name license Sender license_server Cause license_not_loaded Extra All iSDs do not have the same license loaded Severity ...

Page 175: ...e MIP management IP address is now located at the VPN Gateway with the IP host IP address Name license_expire_soon Sender IP Indicates that the loaded demo license at the IP VPN Gateway expires within 7 days Name aaa_license_exhausted Sender IP VPNIndex Extra ssl IPsec This event is sent when the VPN has run out of SSL or IPsec user licenses A hysteris mechanism is used so that no more than one ev...

Page 176: ... command Traffic Processing Messages The Traffic Processing Subsystem messages are divided into these categories CRITICAL ERROR WARNING INFO CRITICAL DNS alarm all dns servers are DOWN All DNS servers are down The VPN Gateway cannot perform any DNS lookups ERROR internal error no An internal error occurred Contact support with as much information as possible to reproduce this message javascript er...

Page 177: ...was encountered when parsing the HTTP traffic This is either an indication of a non standard client server or an indication that the AVG s HTTP parser has gotten out of sync due to an earlier non standard transaction from the client or server on this TCP stream http header warning cli reason header The client sent a bad HTTP header http header warning srv reason header The server sent a bad HTTP h...

Page 178: ...gure Unable to find client private key for server Key for doing sslconnect is not valid Reconfigure Unable to use client certificate for server Certificate for doing sslconnect is not valid Reconfigure Failed to initialize SSL hardware Problem initializing SSL acceleration hardware This will cause the VPN Gateway to run with degraded performance Could not find SSL hardware Failed to detect SSL acc...

Page 179: ...crl handling Cert syntax error when parsing the CRL URL Cert automatic retrieval of HTTP CRL failed lookup failure Host Cert automatic retrieval of HTTP CRL failed parse error Cert auto crl over HTTP failed reason Reason Cert automatic retrieval of HTTP CRL failed Cert failed to create TFTP CRL temp file Cert parsing of TPFP CRL URL failed Cert automatic retrieval of TFTP CRL failed lookup failure...

Page 180: ... now uses the default license Server id uses default interface interface n not configured A specific interface is configured to be used by the server but this interface is not configured on the VPN Gateway IPSEC server id uses default interface interface n not configured A specific interface is configured to be used by the IPsec server but this interface is not configured on the VPN Gateway Certif...

Page 181: ... server Bad CN supplied in server cert subject Malformed CN found in subject of the certificate supplied by the backend server Shutting sslproxy down Traffic subsystem has been stopped Restarting proxy due to reason Traffic subsystem restarted due to reason DNS alarm dns server s are UP At least one DNS server is now up HC backend ip port is down Backend health check detected backend ip port to be...

Page 182: ...o more than nr backend supported Generated when more than the maximum allowed backend servers have been configured TPS license limit limit TPS limit set to limit No TPS license limit Unlimited TPS license used Started ssl proxy Traffic subsystem started Found size meg of phys mem Amount of physical memory found on system Configuration Reload Messages The Traffic Subsystem Configuration Reload mess...

Page 183: ...R LDAP backend s unreachable Vpn id AuthId authid In case LDAP server s cannot be reached when a user tries to login to the Portal WARNING Host host ip has been down too long is no longer accounted for in the license pool The host has been down too long more than 30 days and is no longer accounted for in the license pool INFO Host host ip is up accounted for in the license pool A host that has bee...

Page 184: ...g value contains portal the following messages can be displayed PORTAL Vpn id User user Proto proto Host host Share share Path path If the log value contains http the following messages can be displayed HTTP Vpn id Host host User user SrcIP ip Request method host path HTTP NotLoggedIn Vpn id Host host SrcIP ip Request method host path If the log value contains socks the following messages can be d...

Page 185: ...rnal errors and thus provide no meaningful information for troubleshooting WARNING CreateSession Failed with sessionId 0 AAA returned failure for creating session Can t find new IKE Profile s received in Auth Reply AAA provided new IKE profile as received from RADIUS but IKE does not have it Log off notif for non existing session id u AAA notified about log off for a non existing session Quick mod...

Page 186: ...to roam from s to s Dropping roam request because old and new source IP are same Error in Diffie Hellman Setup group u Error in DH Setup No IPsec encryption type selected for s terminating connection attempt IPsec encryption does not match with the configured value Diffie Hellman group mismatch for s terminating connection attempt Configured Diffie Hellman Group does not match with the one that th...

Page 187: ...t cert d revoked The client certificate with serial number d was revoked and thus login failed Ike not started due No license If no licence can be found such as on old ASA 310 IKE is not started INFO Using new IKE IKE Profile s received in Auth Reply Received new IKE profile from AAA received from RADIUS ISAKMP SA Established with s ISAKMP SA Established IPsec SA Established with s IPComp s inboun...

Page 188: ...e is used to verify client certificates Loaded server cert s Loaded server certificate with name s This certificate must be signed by a trusted CA in the client Creating Ike Profile s Creating Loading a new IKE profile called s Updating Ike profile s A CLI BBI change in IKE profile s forces an update of the profile Deleting ike profile s IKE profile s has been deleted in the CLI or BBI Creating tu...

Page 189: ...e_exh austed EVENT System Control This event is sent when the VPN has run out of SSL or IPsec user licenses A hysteris mechanism is used so that no more than one event per hour is sent for one VPN If VPNIndex is 0 the globally shared license was exhausted accept turned off nr too many fds INFO Traffic Processing The VPN Gateway has temporarily stopped accepting new connections This will happen whe...

Page 190: ...ystem Control Sent when a CLI system administrator enters enters exits or updates the CLI if audit logging is enabled using the cfg sys adm audit ena command Bad clicert Can t find issuer in clicert NOTICE IPsec A client sent a bad client certificate which did not contain an issuer Bad clientcert no matching ca cert found INFO IPsec A client tried to login with a client certificate when the corres...

Page 191: ...found in health check script Reconfigure This should normally be captured earlier by the CLI Bad string found string ERROR Traffic Processing Bad load balancing string encountered This is normally verified by the CLI Can t bind to local address ip port reason ERROR Traffic Processing Problem encountered when trying to set up virtual server on ip port Can t find new IKE Profile s received in Auth R...

Page 192: ...em corrupt beyond repair EMERG OS The system cannot boot but stops with a single user prompt Reinstall to recover Config filesystem re initialized reinstall required CRITICAL OS Reinstall Config filesystem restored from backup ERROR OS Loss of recent configuration changes Connect failed reason ERROR Traffic Processing Connect to backend server failed with reason copy_software_re lease_failed ALARM...

Page 193: ...profile s INFO IPsec Updating tunnel profile s Creating UDP Encap Socket for d d d d d INFO IPsec UDP Encap port number changed css error reason ERROR Traffic Processing Problem encountered when parsing an style sheet It may be a problem with the css parser in the AVG or it could be a problem on the processed page Deleting ike profile s INFO IPsec IKE profile s has been deleted in the CLI or BBI D...

Page 194: ... least one DNS server is now up Dropping unprotected notify message s from s WARNING IPsec Dropping the clear text notify message Error in Diffie Hellman Setup group u WARNING IPsec Error in DH Setup Error while decoding certificate DER Id NOTICE IPsec A client sent a certificate where the X509 Name portion could not be extracted from the certificate failed rsa private encrypt INFO IPsec Failure t...

Page 195: ...henticated http server ERROR Traffic Processing Portal authentication has been configured for an http server but no portal using the same VPN id can be found Make sure that there is a portal running using the same VPN id Failed to log to CLI reason disabling CLI log ERROR Traffic Processing Failed to send troubleshooting log to CLI Disabling CLI troubleshooting log failed to parse Set Cookie heade...

Page 196: ...t HC backend ip port is down INFO Traffic Processing Backend health check detected backend ip port to be down HC backend ip port is up again INFO Traffic Processing Backend health check detected backend ip port to be up Host host ip has been down too long is no longer accounted for in the license pool WARNING AAA The host has been down too long more than 30 days and is no longer accounted for in t...

Page 197: ...ng A problem was encountered when parsing the HTTP traffic This is either an indication of a non standard client server or an indication that the AVG s HTTP parser has gotten out of sync due to an earlier non standard transaction from the client or server on this TCP stream http header warning cli reason header ERROR Traffic Processing The client sent a bad HTTP header http header warning srv reas...

Page 198: ...fined namesserver ip port ERROR Traffic Processing AVG received reply for non configured DNS server Ignoring request to roam from s to s WARNING IPsec Dropping roam request because old and new source IP are same Ignoring request to roam from s to s due to invalid source Expecting s WARNING IPsec Dropping roam request message because mismatch in source in payload and header Ignoring unauthenticated...

Page 199: ...x x INFO IPsec IPsec SA Established IPSEC server s uses default interface interface p not configured WARNING IPsec This indicates possible badly configured default gateways on some Secure Service Partitioning interface IPSEC server id uses default interface interface n not configured WARNING Traffic Processing A specific interface is configured to be used by the IPsec server but this interface is ...

Page 200: ...rsing an encoded JavaScript It may be a problem with the JavaScript parser in the AVG or it could be a problem on the processed page LDAP backend s unreachable Vpn id AuthId authid ERROR AAA Shown if LDAP server s cannot be reached when a user tries to login to the Portal license ALARM WARNING System Control One or several VPN Gateways in the cluster do not have the same SSL VPN license with refer...

Page 201: ...affic Processing The loaded demo license on the VPN Gateway has expired The VPN Gateway now uses the default license Loaded ip port INFO Startup Initializing virtual server ip port Loaded ca certificate s INFO IPsec Loaded CA certificate with name s This certificate is used to verify client certificates Loaded server cert s INFO IPsec Loaded server certificate with name s This certificate must be ...

Page 202: ...ADDRESS_CHA NGE notify message received from s WARNING IPsec Dropping invalid ADDRESS_CHA NGE Mobility request Message from s dropped because SPI is not found WARNING IPsec Dropping message because SPI is not found Missing files in config filesystem ERROR OS Possible loss of configuration Followed by the message Config filesystem re initialized reinstall required or Config filesystem restored from...

Page 203: ... license loaded VPN id will use portal authentication WARNING Traffic Processing The PortalGuard license has not been loaded on the VPN Gateway but cfg vpn server portal authenticate is set to off No response from s for maximum retransmission attempts d INFO IPsec Maximum number of retransmission attempts reached No Secure Service Partitioning license loaded IPSEC server s will not use interface p...

Page 204: ...pn id User user Proto proto Host host Share share Path path INFO AAA The remote user failed to access the specified folder directory on the specified file server requested from the Portal s Files tab PORTAL Vpn id User user Proto proto Host host Share share Path path INFO AAA The remote user has successfully accessed the specified folder directory on the specified file server requested from the Po...

Page 205: ... message from s INFO IPsec Received Delete ISAKMP SA message reload cert config done INFO Config Reload Certificate reloading done reload cert config start INFO Config Reload Starting reloading of certificates reload configuration done INFO Config Reload Virtual server configuration reloading done reload configuration network down INFO Config Reload Accepting new sessions are temporarily put on ho...

Page 206: ...rs Probably OK Server id uses default interface interface n not configured WARNING Traffic Processing A specific interface is configured to be used by the server but this interface is not configured on the VPN Gateway Set CSWIFT as default INFO Startup Using CSWIFT SSL hardware acceleration Shutting sslproxy down INFO Traffic Processing Traffic subsystem has been stopped Because we use clicerts fo...

Page 207: ...he features available under the Portal s Advanced tab socks request socks version version rejected ERROR Traffic Processing Socks request of version version received and rejected Most likely a non standard socks client INFO AAA The remote user has successfully performed an operation by using one of the features available under the Portal s Advanced tab software_configur ation_changed EVENT System ...

Page 208: ...iled reason ERROR Traffic Processing SSL connect to backend server failed with reason ssl_hw_fail ALARM MAJOR System Control The SSL hardware acceleration card could not be found or initiated This will cause the VPN Gateway to run with degraded performance Started ssl proxy INFO Startup Traffic subsystem started System started isdssl version INFO System Control Sent whenever the system control pro...

Page 209: ...ng Key for doing sslconnect is not valid Reconfigure Unable to use the certificate for server nr ERROR Traffic Processing Unsuitable certificate configured for server unknown WWW Authenticate method closing ERROR Traffic Processing Backend server sent unknown HTTP authentication method Updating Ike profile s INFO IPsec A CLI BBI change in IKE profile s forces an update of the profile Using hwtype ...

Page 210: ...or INFO AAA Login to the VPN failed The remote user s access method client IP address and user name is shown VPN LoginSucceeded Vpn id Method ssl ip sec SrcIp ip User user Groups groups INFO AAA Login to the VPN succeeded The remote user s access method client IP address user name and group membership is shown VPN LoginSucceeded Vpn id Method ssl ip sec SrcIp ip User user Groups groups TunIP inner...

Page 211: ...VPN Logout Vpn id SrcIp ip User user INFO AAA Remote user has logged out from the VPN www_authenticat e bad credentials ERROR Traffic Processing The browser sent a malformed WWW Authenticate credentials header Most likely a broken client Syslog Messages in Alphabetical Order User Guide April 2013 211 ...

Page 212: ...Syslog Messages 212 User Guide April 2013 Comments infodev avaya com ...

Page 213: ...be used to endorse or promote products derived from this software without prior written permission For written permission contact openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This ...

Page 214: ...includes cryptographic software written by Eric Young eay cryptsoft com The word cryptographic can be left out if the routines from the library being used are not cryptographic related 4 If you include any Windows specific code or a derivative thereof from the apps directory application code you must include an acknowledgement This product includes software written by Tim Hudson tjh cryptsoft com ...

Page 215: ...ominent notices stating that you changed the files and the date of any change b You must cause any work that you distribute or publish in whole or in part that contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this License c If the modified program normally reads commands interactively when run you must cause ...

Page 216: ...copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Program is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full...

Page 217: ...ions either of that version or of any later version published by the Free Software Foundation If the Program does not specify a version number of this License you may choose any version ever published by the Free Software Foundation 10 If you wish to incorporate parts of the Program into other free programs in which distribution conditions are different write to the author for permission For softw...

Page 218: ...d from this software may not be called Apache nor may Apache appear in their name without prior written permission of the Apache Software Foundation THIS SOFTWARE IS PROVIDED QAS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS...

Page 219: ...oard is designed to attain a level 3 overall validation and a level 4 validation in the area of Self Test The following table describes the compliance level for each section of the FIPS 140 1 specification Cryptographic Modules Level 3 Module Interfaces Level 3 Roles and Services Level 3 Finite State Machine Model Level 3 Physical Security Level 3 Software Security Level 3 Operating System Securit...

Page 220: ...ed in servers to improve the performance associated with high rate signing operations In the non FIPS140 1 mode the board can be used to accelerate RSA operations for SSL connections on web servers Other uses are limited only by the creativity of applications developers who can write to standard API s such as Cryptoki PKCS 11 The HSM is a PCI card It has a serial port a Universal Serial Bus USB po...

Page 221: ...rly for signing operations 4 0 Capabilities The HSM is capable of performing a wide variety of cryptographic calculations including DES SHA 1 DSA 3DES RSA exponentiation RC4 and HMAC When in the FIPS 140 1 mode the board can perform DES 3DES RSA Signatures RSA Signature Verifications and SHA 1 functions When in the non FIPS 140 1 mode the board can also perform the RSA exponentiation RC4 MD5 HMAC ...

Page 222: ...ares combined Yes MD5 The module provides services to compute an MD5 message digest As this algorithm is not FIPS approved the corresponding services are not available in the FIPS 140 1 Mode No HMAC SHA 1 The module provides a service to compute HMAC using SHA 1 As currently implemented the service requires the MAC key to be input unencrypted through the PCI interface and therefore this service is...

Page 223: ...dule Interfaces 6 1 USB Universal Serial Bus Interface This is the trusted interface of the HSM It is used for communicating with iKey1000 tokens Four tokens are shipped with each HSM One will contain a pin used to authenticate the Security Officer One will contain a pin used to authenticate the User One will contain a key part to be controlled by the Security Officer One will contain a key part t...

Page 224: ...wer become unavailable The battery is continuously monitored by the HSM for a voltage low condition This makes it possible to alert an operator The operator may then replace the battery This can be done without loss of critical security parameters as long as the battery is replaced when PCI power is present If the battery is removed while PCI power is absent all critical security parameters contai...

Page 225: ...he PRNG is used for generating 3DES and RSA keys as well as outputting random numbers requested through the Generate Random Number service 7 4 Flash This component is non volatile memory The contents of Flash will maintain its state after PCI power and Battery power have been removed The Flash contains the firmware that controls processing within the HSM It also contains public keys and other info...

Page 226: ...when power is removed from both the PCI interface and the battery and by the tamper detection circuitry whenever tampering is detected The master key is randomly generated when the board is initialized the Security Officer role is created Security Officer role PIN SOPIN The SO role PIN is generated randomly when the board is initialized It is written to an iKey token through the trusted USB interf...

Page 227: ...ng and decrypting data When creating this key pair the user may specify through Boolean attributes whether the private key may be used for Signature Generation and or Data Decryption and whether the public key may be used for Signature Verification and or Data Encryption Hence a given key pair may be used for both signatures verifications as well as data encryption decryption Note that in the FIPS...

Page 228: ...ase security in case the iKey token is compromised an iKey ID is used to unlock the plaintext PIN that is stored in the iKey This plaintext iKey ID is input into the module in plaintext as part of the Login service The module provides a SHA 1 of this iKey ID to the iKey token to unlock the PIN Because the iKey ID does not authenticate the user to the module but rather unlocks the plaintext PIN fro...

Page 229: ...ignature Standard Sign note 1 NO NO NO YES YES YES None Digital Signature Standard Verification note 1 NO NO NO YES YES YES None Self test YES YES YES YES YES YES None Firmware Update NO NO YES NO NO YES None Generate Random Number YES YES YES YES YES YES PRNGKey create destroy Get Configuration YES YES YES YES YES YES None Get Status YES YES YES YES YES YES None Verify Firmware Image NO NO YES NO...

Page 230: ...Hash 3DES note 1 NO NO NO YES YES YES None Decrypt SHA1 Hash 3DES note 1 NO NO NO YES YES YES None Encrypt MD5 Hash RC4 note 1 NO NO NO YES YES YES None Decrypt MD5 Hash RC4 note 1 NO NO NO YES YES YES None Generate and Return RSA Key Pair note 4 NO NO NO YES YES YES None Generate and Store RSA Key Pair NO YES YES NO YES YES PRNGKey create and destroy and create either or both of the following pai...

Page 231: ...ES YES YES YES None Get Object Count YES YES YES YES YES YES None Get Object Information by Index YES YES YES YES YES YES None Get RSA Key Information by ID modulus exponent NO YES YES NO YES YES Read VPK or EPK Get RSA Key Information by Index modulus exponent NO YES YES NO YES YES Read VPK or DPK Change Object ID NO YES YES NO YES YES None Delete Object NO YES YES NO YES YES Destroy selected key...

Page 232: ...ite to trusted interface interface User Logout NO YES YES NO YES YES None Derive Key note 2 NO NO NO NO NO YES KWK create Wrap Key note 4 NO YES YES NO YES YES KWK use Wrap SPK DPK Unwrap Key note 4 NO YES YES NO YES YES KWK use Unwrap SPK DPK Modify Object NO YES YES NO YES YES None RSA Sign note 4 NO YES YES NO YES YES SPK use RSA Verify NO YES YES NO YES YES VPK use Generate Key note 6 NO YES Y...

Page 233: ...g in the FIPS140 1 mode it is not possible for secret keys private keys or critical security parameters to cross the PCI bus without being wrapped encrypted using the Key Wrapping Key Note 5 User Login is the process that takes the board from an unauthenticated state to the authenticated state Only one user may be authenticated at a particular time Consequently the User Login process cannot be sta...

Page 234: ...RAM Private and symmetric keys may also be stored in Flash but only when first 3DES3KEY encrypted with the Master Key MK of the board BBRAM is used to store the Master Key 10 3 Key Entry and Output When in the FIPS 140 1 mode private keys and symmetric keys can only cross the cryptographic boundary when 3DES3KEY encrypted with a Key Wrapping Key The Key Wrapping Key is generated when the Generate ...

Page 235: ... and uses Wrap Key and Unwrap commands to move wrapped keys between devices in the same family 10 5 Key Destruction Critical security parameters including plaintext private keys symmetric keys and intermediate values will be zeroized according to various conditions as described in Table 9 Key Destruction on page 235 It is also possible for the security officer to command the board to un initialize...

Page 236: ...ode No plaintext private or symmetric keys can cross the cryptographic boundary when the HSM is in the FIPS140 1 mode The 3DES algorithm is used to secure private or symmetric keys stored in flash and for the key wrapping and unwrapping functions 11 2 Non FIPS 140 1 Mode In the non FIPS140 1 mode the user has greater flexibility in the types of algorithms that can be performed and the manner that ...

Page 237: ...er Runs Long Run Yes Yes Power up Self Test Service ondemand Continuous Random Number Generator Test Yes Yes Whenever a pseudorandom number is generated key generation Generate Random Number Service Firmware RSA Signature Verification Test Yes Yes Power up Self Test Service ondemand Firmware Update Verify Firmware Image Service 13 0 Conclusion The HSM provides FIPS 140 1 Level 3 cryptographic proc...

Page 238: ...re not limited to banking telecommunications e commerce and medical services In the area of self test the HSM provides capabilities consistent with FIPS 140 1 Level 4 HSM Security Policy 238 User Guide April 2013 Comments infodev avaya com ...

Page 239: ...hich is a textual representation of the key you wish to redefine F1 PGUP and so on The new STRING to be sent when pressing the key should come after the equals character Hash marks in the file declare the line as a comment and will be ignored The following examples explains the syntax in more detail Send the string test when pressing the F1 key F1 test On pressing Control PGUP send the string pgup...

Page 240: ...y the terminal v Vertical Tabulator Sends a vertical tabulator character a Bell Sends a terminal bell character which should make the terminal sound its bell number Inserts the character that is defined by this number in the ISO Latin1 character set The number should be a decimal value Redefinable Keys The following table explains which keys may be redefined As explained earlier each of the keys m...

Page 241: ...Left key RIGHT The Cursor Right key NUMPAD0 NUMPAD9 The numbered Numeric keypad keys ESCAPE The Escape key BACKSPACE The Backspace key TAB The Tab key Example of a Key Code Definition File Following is an example of the keyCodes at386 key code definition file created for an AT 386 Terminal Syntax Description User Guide April 2013 241 ...

Page 242: ...Definition of Key Codes 242 User Guide April 2013 Comments infodev avaya com ...

Page 243: ...t a man in the middle attack against this very first connection one of these methods can be used Verifying the fingerprint as displayed by the client of the new remote host key by some out of band means e g verbal communication with the server administrator OR Pre installing the remote host key previously transferred by some out of band means in the client s key storage i e effectively making the ...

Page 244: ...t key types SSH protocol version 1 always uses RSA keys while for SSH protocol version 2 either RSA or DSA keys can be used The RSA keys for version 1 differ in form from those for version 2 and are referred to as RSA1 SSH host keys 244 User Guide April 2013 Comments infodev avaya com ...

Page 245: ...ur account is a member of the Schema Administrators group Install All Administrative Tools Windows 2000 Server 1 Open the Control Panel and double click Add Remove Programs 2 Select Windows 2000 Administrative Tools and click Change 3 Click Next and select Install All Administrative Tools 4 Follow the instructions on how to proceed with the installation Register the Schema Management dll Windows S...

Page 246: ...n the Open field On Windows Server 2003 enter mmc a instead Note that there is a space between mmc and a 3 Click OK The Console window is displayed 4 On the File Console menu select Add Remove Snap in The Add Remove Snap in window is displayed Adding User Preferences Attribute to Active Directory 246 User Guide April 2013 Comments infodev avaya com ...

Page 247: ...5 Click Add The Add Standalone Snap in window is displayed Add the Active Directory Schema Snap in Windows 2000 Server and Windows Server 2003 User Guide April 2013 247 ...

Page 248: ...ave the console including the Schema snap in go to the File Console menu and select Save The Save As windows is displayed 10 Save the console in the Windows System 32 root folder 11 As file name enter schmmgmt msc 12 Click Save Create a Shortcut to the Console Window 1 Right click Start and select Open all Users 2 Double click the Programs and Administrative Tools folders Adding User Preferences A...

Page 249: ...ght click Active Directory Schema 2 Select Operations Master 3 Select the check box The Schema may be modified on this Domain Controller 4 Click OK Create a New Attribute Windows 2000 Server and Windows Server 2003 To create the isdUserPrefs attribute proceed as follows 1 In the Console window on the left pane expand Active Directory Schema by clicking the plus sign The Attributes and Classes fold...

Page 250: ...ck Classes point to New and select Class You will now receive a warning that creating schema classes is a permanent operation and cannot be undone 2 Click Continue The Create New Schema Class window is displayed 3 Create the avayaSSLOffload class as shown Adding User Preferences Attribute to Active Directory 250 User Guide April 2013 Comments infodev avaya com ...

Page 251: ...the Console window on the left pane expand Classes 2 Select the avayaSSLOffload class 3 Right click and select Properties The Properties window is displayed 4 Select the Attributes tab and click Add 5 Add the isdUserPrefs attribute as optional Create New Class User Guide April 2013 251 ...

Page 252: ...write user preferences to the attribute 7 Click OK Add the avayaSSLOffload Class to the User Class 1 In the Console window on the left pane expand Classes and select user 2 Right click and select Properties Adding User Preferences Attribute to Active Directory 252 User Guide April 2013 Comments infodev avaya com ...

Page 253: ...ry Classes click Add Class Add 5 Add the avayaSSLOffload class as an auxiliary class as shown 6 Click OK Once you have enabled the User Preferences feature on the VPN Gateway using the CLI command cfg vpn aaa auth ldap enauserpre or the BBI Create New Class User Guide April 2013 253 ...

Page 254: ...N Gateway VPN Authentication Auth Servers Ldap the remote user should now be able to store user preferences in Active Directory Adding User Preferences Attribute to Active Directory 254 User Guide April 2013 Comments infodev avaya com ...

Page 255: ...zip The zip file contains both a signed and an unsigned version of the API along with javadoc documentation and a demo application with source code Creating a Port Forwarder The Port Forwarder API is a collection of functions used to provide applications with the ability to send traffic through a previously defined port forwarder link For instructions on how to configure a port forwarder link on t...

Page 256: ... CLI BBI vpn The number of the VPN in the Portal for example 1 linkset The number of the linkset in the VPN for example 1 link The number of the link in the linkset for example 1 When run as a regular application the arguments are simply passed on the command line java com avaya avg demo PortForwarderDemo vpnurl https vpn example com linktype custom vpn 1 linkset 1 link 1 For Java Web Start parame...

Page 257: ...terial in the content area to be cacheable by the client web browser it has to be put in a top directory called nortel_cacheable The demo project zip file has such a directory at it s top level When uploaded to the content area the demo is accessible through https vpn example com nortel_cacheable PortForwarderDemo html The provided build xml file contains an example of how to create a content zip ...

Page 258: ...derAuthenticator interface public PortForwarderCredentials getCredentials public java net PasswordAuthentication getProxyCredentials Example Following is an example of the code for creating a Port Forwarder authenticator Using the Port Forwarder API 258 User Guide April 2013 Comments infodev avaya com ...

Page 259: ...Creating a Port Forwarder Authenticator User Guide April 2013 259 ...

Page 260: ... if cookie null return null cred setAvayaToken cookie return cred public PasswordAuthentication getProxyCredentials LoginDialog loginDialog new LoginDialog return new PasswordAuthentication loginDialog getUserId loginDialog getPassword toCharArray portForwarder setAuthenticator pfa Adding a Port Forwarder Logger A Port Forwarder logger must implement the PortForwarderLogger interface public void l...

Page 261: ...eDateFormat dateFormat new SimpleDateFormat hh mm ss SSS String timeStamp dateFormat format new Date return timeStamp private String createMessage String msg return createTimeStamp msg public void log final int logLevel final int logCode final Object params final Throwable throwable if logLevel PortForwarderConstants LOG_LEVEL_ERROR logLevel PortForwarderConstants LOG_LEVEL_INFO String msg Message...

Page 262: ...e Connecting Through a Proxy If the port forwarder is connecting through a proxy a number of properties need to be set for the port forwarder to know where and how to connect to the proxy The parameters are com avaya avg portforwarder http proxyHost The proxy host for HTTP HTTPS accesses com avaya avg portforwarder http proxyPort The proxy port for HTTP HTTPS accesses com avaya avg portforwarder h...

Page 263: ...warder status and statistics Note When using these features it is important that the Observer update function does not block Status Monitoring the Port Forwarder status gives you the ability to always know the state of the Port Forwarder for example if it is ready to receive connections Following is an example of the code for monitoring the status of the Port Forwarder Monitoring the Port Forwarde...

Page 264: ...rmation in any way An added statistics listener will receive a PortForwarderStatistics object either when a change has occurred or at a defined interval Following is an example of the code for monitoring Port Forwarder statistics Using the Port Forwarder API 264 User Guide April 2013 Comments infodev avaya com ...

Page 265: ...This will print current statistics every 3 seconds Monitoring the Port Forwarder User Guide April 2013 265 ...

Page 266: ...Using the Port Forwarder API 266 User Guide April 2013 Comments infodev avaya com ...

Page 267: ...ile s links and access rules will be appended to the extended profile s links and access rules CA Certificate Authority A trusted third party organization or company that issues digital certificates The role of the CA in this process is to guarantee that the entity granted the unique certificate is in fact who he or she claims to be CLI Command Line Interface The text based interface pertaining to...

Page 268: ...at it was not tampered with after the signature was applied However the sender could still be an impersonator and not the person he or she claims to be To verify that the message was indeed sent by the person claiming to send it requires a digital certificate digital ID which is issued by a certification authority DIP Destination IP Address The destination IP address of a frame DPort Destination P...

Page 269: ... an IP alias to a master VPN Gateway in a cluster of VPN Gateways The MIP address identifies the cluster and is used when making configuration changes through a Telnet or SSH connection or through the Browser Based Management Interface BBI Net Direct Client The Net Direct client is an SSL VPN client that can be downloaded from the Portal for each user session As opposed to the LSP and TDI versions...

Page 270: ...eature is an easy way of converting an existing HTTP site to generate HTTPS links secure cookies etc The VPN Gateway will not only handle the SSL processing but also see to it that all existing web links are rewritten to HTTPS This eliminates the need to rewrite each link manually Port Forwarder Applies to the SSL VPN feature Java applet accessible on the Portal page s Advanced tab enabling transp...

Page 271: ...er side of a SOCKS server without requiring direct IP reachability SPort Source Port The source destination port linking the incoming data to the correct service For example port 80 for HTTP port 443 for HTTPS port 995 for POP3S SSH Secure Shell A program to log into another computer over a network to execute commands in a remote machine and to move files from one machine to another It provides st...

Page 272: ...PS or POP3S You can create an unlimited number of virtual SSL servers per AVG cluster and each virtual SSL server is mapped to a virtual server on the Application Switch To authenticate itself towards clients making requests for the specified service the virtual SSL server is configured to use a digital certificate VLAN Virtual Local Area Network VLANs are commonly used to split up groups of netwo...

Page 273: ...l not know that the MAC address had moved in the network For a more detailed description refer to RFC 2338 X 509 A widely used specification for digital certificates that has been a recommendation of the ITU since 1988 X 509 User Guide April 2013 273 ...

Page 274: ...X 509 274 User Guide April 2013 Comments infodev avaya com ...

Reviews:

No comments