Securing the communication between NetIM and other Riverbed solutions
The mechanism for securing communication between NetIM and external applications is encryption by HTTPS. This mechanism encrypts the data communication between the following:
• NetIM and the browsers that access it.
• NetIM and the external applications that consume NetIM data, including but not limited to AppResponse and Portal.
HTTPS mode requires an initial setup to obtain, install, and use a signed SSL Certificate for NetIM. Obtaining and installing a signed certificate for HTTPS is a one-time setup operation. (If NetIM is moved to a host with a different name or the host is renamed, you may need to obtain a new signed certificate.)
This section includes the following topics:
• Configuring NetIM for encryption by HTTPS
• Switching from HTTPS back to HTTP mode
• Designating the security directory (for the keystore and certificates)
• Requiring username and password authentication
• Exempting external applications from the authentication requirement
Configuring NetIM for encryption by HTTPS
Perform this procedure only after NetIM installation is complete and verified.
1. Log in to NetIM core as netimadmin.
2. Navigate to the NetIM installation directory by entering a command like the following:
Windows: cd /data1/riverbed/NetIM/<install_dir>
Linux: cd /opt/OPNET/VNEServer/18.0.0_15157
3. Stop all services by entering the following command:
Windows: ./app.sh -c stop ALL
Linux: ./app.sh -c stop ALL
4. Enter the following command:
Windows: https_setup.sh /secure true
Linux: ./https_setup.sh /secure true
You are prompted for the fully qualified name of the host machine.
5. Enter the fully qualified host name (for example, myhost.myco.com) or the IP address.
Enter the hostname exactly as you will enter it in the URL to connect to the web server using a web browser.
6. Specify whether you will use an existing certificate or generate a new certificate. Your response depends on whether you have already obtained and imported a CA-signed certificate for NetIM or if this is the first time you are configuring NetIM for HTTPS.
Generating a new certificate removes the existing server certificate from the keystore. If a CA-signed certificate is already present in the NetIM keystore, do not generate a certificate.
– If you have a CA-signed certificate in the NetIM keystore, enter R to reuse the existing certificate and go to step 18.
– If this is the first time this NetIM is being configured for HTTPS, proceed to step 7.
7. Enter G to generate a new certificate.
The default key size is 2048 bits. Enter Y to use the default key size, or enter N and then specify the key size that is appropriate for your organization.
When prompted to set the domain attributes, enter Y.
Provide each of the following values for which you are prompted. Enter valid information as these values will be used when generating the server certificate.
– name of your organizational unit
– name of your organization
– name of your city or locality
– name of your state or province
– two-letter country code of your unit (for example, US)
After you have entered the country code, the script shows a summary of the domain information that you have entered. Review each value to make sure it is correct.
8. Enter N to re-enter the information. Enter Y when these values are correctly entered.
A CSR file is created in NetIM's security directory. The file is named <host>.csr where <host> is the fully qualified host name that you entered in step 5.
The location of the security directory is configured during installation. The default location is /data1/riverbed/security or /opt/OPNET/Security.
9. Obtain a signed certificate.
This is a process that is external to the NetIM application. Follow your organization’s procedures for obtaining a signed certificate from a CA. The CSR may be sent to the CA by e-mail. The validity period of the server certificate must be agreed between the user and the CA.
10. Locate the CSR file in the security directory and provide it to a Certificate Authority (CA) for signing.
11. Proceed to the next step when you receive the signed certificate reply from the CA.
If the CA is one that Java already trusts (for example, VeriSign or Thawte), you only need the signed server certificate from the CA. If you use a private CA, you also need the CA root certificate and any intermediate CA certificates.
12. Import the signed server certificate and CA certificates (when needed).
In this step you import the signed certificate into the keystore. Import the CA root certificate and all intermediate CA certificates as appropriate.
13. Log in to NetIM core as netimadmin.
14. Navigate to the NetIM installation directory by entering a command like the following:
cd /data1/riverbed/NetIM/latest
15. Enter the following command:
Windows: https_setup.sh /server_cert <signed_cert> [/ca_cert <ca_root_cert>]
Linux: ./https_setup.sh /server_cert <signed_cert> [/ca_cert <ca_root_cert>]
Where <signed_cert> is the full path to the signed server certificate and <ca_root_cert> is the full path to a CA root certificate. The CA root certificate (specified by the /ca_cert option) is required only for a private CA root certificate.
As an example, if you have a private CA and the certificate files are stored in /data1/riverbed/security enter:
./https_setup.sh /server_cert /data1/riverbed/security/host.der /ca_cert /data1/riverbed/security/cacert.der
The system prompts you to enter the path to all intermediate CA certificates or N if you do not have any intermediate CA certificates.
16. Your response depends on whether you have intermediate CA certificates in the signed server certificate chain.
– Enter N if you do not have intermediate CA certificates.
– Otherwise, enter the full path to the intermediate CA certificate. If you have more than one intermediate CA certificate, enter them one at a time in the order they appear in the certificate chain. The certificate chain can be seen by opening the signed certificate reply file in Internet Explorer and selecting the Certification Path tab.
The CA root certificate is at the top of the chain and the server certificate is at the bottom. Enter the full path to each intermediate CA certificate file in the order in which the intermediates appear between the CA root certificate and the server certificate, going down the chain.
The details of each certificate can be seen by clicking View Certificate. When you have finished specifying all intermediate CA certificate files, enter N at the prompt.
The script imports the server certificate and CA certificates for use by NetIM.
17. Start all services by entering the following command:
Windows: ./app.sh -c start ALL
Linux: ./app.sh -c start ALL
18. Verify communication with the NetIM Web Server using HTTPS.
Open a web browser and enter the URL for the NetIM web UI using the following format:
<protocol>://<host>:<port>/vnes
Enter <host> exactly as it appears in the signed certificate.
For example, if the NetIM host is myhost.myco.com and the https port is 8543 enter:
https://myhost.myco.com:8543/vnes
If the web UI does not open, verify that you have specified the hostname exactly as it appears in the server certificate and that you have imported all CA certificates in the order in which they appear in the certificate chain.
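Two checks that catch the failures called out in step 16 (intermediate certificates entered out of order or missing) and step 18 (the host in the URL not matching the certificate). This is added example code, not part of NetIM or https_setup.sh; the subject/issuer strings and SAN lists are constructed inputs that you would in practice read from each certificate file with openssl x509 -noout -subject -issuer -ext subjectAltName:

```python
# Example code added for this guide, not part of NetIM; inputs below are constructed.
import ipaddress

def order_chain(certs):
    """certs maps a file name to its (subject, issuer). Returns file names
    from the self-signed root down to the server certificate, i.e. the
    order in which the intermediates must be entered at the prompt.
    Raises ValueError if the chain is broken or a link is missing."""
    roots = [n for n, (subj, iss) in certs.items() if subj == iss]
    if len(roots) != 1:
        raise ValueError("expected one self-signed root CA, found %d" % len(roots))
    issued_by = {}                      # issuer subject -> certificates it signed
    for name, (subj, iss) in certs.items():
        if subj != iss:
            issued_by.setdefault(iss, []).append(name)
    chain = [roots[0]]
    while True:
        below = issued_by.get(certs[chain[-1]][0], [])
        if not below:
            break
        if len(below) > 1:
            raise ValueError("more than one certificate issued by %s" % certs[chain[-1]][0])
        chain.append(below[0])
    if len(chain) != len(certs):
        stray = sorted(set(certs) - set(chain))
        raise ValueError("not linked to the chain (intermediate missing?): %s" % stray)
    return chain

def host_matches(entered_host, san_dns, san_ip=(), cn=None):
    """True if the host typed in the URL matches the server certificate.
    An IP address only matches an IP SAN; DNS names compare case-insensitively;
    a leading '*.' matches exactly one label; CN is a fallback with no DNS SANs."""
    try:
        ip = ipaddress.ip_address(entered_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(a) for a in san_ip)
    host = entered_host.lower().rstrip(".")
    names = [n.lower() for n in san_dns] or ([cn.lower()] if cn else [])
    for pat in names:
        if pat.startswith("*."):
            prefix = host[: -len(pat) + 1]   # the part matched by the '*'
            if host.endswith(pat[1:]) and prefix and "." not in prefix:
                return True
        elif pat == host:
            return True
    return False
```

Run order_chain over the root, intermediate and server certificates you received before step 16, and host_matches with the name you intend to type in the browser before step 18.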
After you configure NetIM for encryption by HTTPS, it may be necessary to enable weak ciphers to communicate with older client software.
To enable weak ciphers
1. On NetIM core, navigate to <install_dir>, for example:
Windows: cd /data1/riverbed/NetIM/<install_dir>
Linux: cd /opt/OPNET/VNEServer/18.0.0_15157
2. Stop all services by entering the following command:
Windows: ./app.sh -c stop ALL
Linux: ./app.sh -c stop ALL
3. Enter the following command to enable weak ciphers:
Windows: https_setup.sh /ciphers weak
Linux: ./https_setup.sh /ciphers weak
If needed, you can disable weak ciphers again with the following command:
Windows: https_setup.sh /ciphers strong
Linux: ./https_setup.sh /ciphers strong
4. Display and verify the set of enabled ciphers by entering the following command:
Windows: https_setup.sh /ciphers print
Linux: ./https_setup.sh /ciphers print
5. Start all services by entering the following command:
./app.sh -c start ALL
Switching from HTTPS back to HTTP mode
Perform the following procedure if you have configured NetIM for HTTPS and you want to switch back to HTTP.
1. On NetIM core, navigate to <install_dir>, for example:
Windows: cd /data1/riverbed/NetIM/<install_dir>
Linux: cd /opt/OPNET/VNEServer/18.0.0_15157
2. Stop all services by entering the following command:
Windows: ./app.sh -c stop ALL
Linux: ./app.sh -c stop ALL
3. Enter the following command:
Windows: https_setup.sh /secure false
Linux: ./https_setup.sh /secure false
The script writes output to the screen indicating the web protocol has been changed to HTTP.
4. Start all services by entering the following command:
Windows: ./app.sh -c start ALL
Linux: ./app.sh -c start ALL
5. Verify communication with the NetIM Web Server using HTTP.
Open a web browser and enter the URL for the NetIM UI using the following format:
<protocol>://<host>:<port>/vnes
where <host> is the fully qualified name of the NetIM host.
For example, if the NetIM host is myhost.myco.com and the http port is 8543, enter:
http://myhost.myco.com:8543/vnes
Designating the security directory (for the keystore and certificates)
The security directory is a folder where the keystore file and all related certificate files reside. This is used for the HTTPS mode of operation since it contains the keystore that is used by the SSL communication. The security directory is configured when NetIM is installed, but can be changed after installation by performing the following procedure.
1. On NetIM core, navigate to <install_dir> by entering a command like the following:
Windows: cd /data1/riverbed/NetIM/<install_dir>
Linux: cd /opt/OPNET/VNEServer/18.0.0_15157
2. Stop all services by entering the following command:
Windows: ./app.sh -c stop ALL
Linux: ./app.sh -c stop ALL
3. Enter the following command:
Windows: app.sh /security_dir <security_dir>
Linux: ./app.sh /security_dir <security_dir>
where <security_dir> is the full path to the security directory.
For example, to change the security directory to /data1/riverbed/mysecurity, enter:
./app.sh /security_dir /data1/riverbed/mysecurity
4. Start all services by entering the following command:
Windows: ./app.sh -c start ALL
Linux: ./app.sh -c start ALL
Requiring username and password authentication
To require external applications to supply a username and password to NetIM, perform the following procedure.
1. On NetIM core, navigate to <install_dir> by entering a command like the following:
Windows: cd /data1/riverbed/NetIM/<install_dir>
Linux: cd /opt/OPNET/VNEServer/18.0.0_15157
2. Stop all services by entering the following command:
Windows: ./app.sh -c stop ALL
Linux: ./app.sh -c stop ALL
3. Activate authentication by entering the following command:
Windows: app.sh AUTH_STATUS enable
Linux: ./app.sh AUTH_STATUS enable
4. Restart all NetIM services:
Windows: ./app.sh -c start ALL
Linux: ./app.sh /svc_cmd start all
Exempting external applications from the authentication requirement
Many external applications (like Portal) have the ability to answer NetIM’s requests for username and password, but some do not. If authentication is enabled but communication must still be allowed with applications that cannot authenticate, those applications’ hosts can be added to the “trusted clients” list.
1. On NetIM core, navigate to <install_dir> by entering a command like the following:
Windows: cd /data1/riverbed/NetIM/<install_dir>
Linux: cd /opt/OPNET/VNEServer/18.0.0_15157
2. Stop all services by entering the following command:
Windows: ./app.sh -c stop ALL
Linux: ./app.sh -c stop ALL
3. Navigate to the <install_dir>/input/trustedClients directory, for example:
Windows: cd /data1/riverbed/NetIM/<install_dir>/input/trustedClients
Linux: cd /opt/OPNET/VNEServer/18.0.0_15157/input/trustedClients
4. Use any text editor to open trustedClients.txt.
5. At the bottom of the file, add the hostname or IP address of the host of each application that must be exempt from authentication, such as:
trustedClients.txt
# A list of IP addresses that are considered 'trusted' clients.
# Requests from these IP addresses do not require user
# credentials in order for their requests to be authorized.
# Add one trusted hostname or IP address per line.
121.232.343.10
NC-AREA51-BOX2
6. Navigate back to the installation directory as in step 1, and restart all NetIM services by entering the following command:
./app.sh -c start ALL