HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide: HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 > Chapter 2 Configuring HP-UX HIDS

Setting Up HP-UX HIDS Secure Communications


HP-UX HIDS provides a secure communication environment between the System Manager and the agent processes through the Secure Sockets Layer (SSL) protocol.

To ensure secure communication, both the System Manager process that runs on the administration system and the HP-UX HIDS agent process that runs on each participating agent system must have a certificate associated with the process. Each component needs its own certificate so that it can identify itself and verify that any information received from another HP-UX HIDS component is genuine and was not originated by an unauthorized outsider. HP-UX HIDS provides a toolset to generate X.509 certificates. The System Manager does not start until you establish secure communication.

Table 2-1 lists and describes the IDS scripts you can use to set up an SSL environment.

Table 2-1 IDS Scripts Used to Set Up Secure Communications

  Script               Location               Resulting Product
  -------------------  ---------------------  ----------------------------------------------------------------
  IDS_genAdminKeys     Administration system  Root Certification Authority and Administration SSL certificate
  IDS_genAgentCerts    Administration system  A bundle of signed certificates for each agent system
  IDS_importAgentKeys  Agent systems          Agent SSL certificate

NOTE: HP-UX HIDS certificate management is self-contained and does not require (and cannot be integrated with) a pre-existing public key infrastructure (PKI).

To set up the SSL environment, follow these steps:

  1. Create the X.509 Certificates

    To create the certificate for the HP-UX HIDS System Manager process, first generate it as the ids user locally on the HP-UX HIDS administration system. Only then can the administration system sign the certificates for each of the agent nodes. The administration system holds the Root Certification Authority (Root CA) that endorses all other certificates.

    1. On the administration system, log in as follows:

      $ su - ids

    2. Change your directory to /opt/ids/bin, as follows:

      $ cd /opt/ids/bin

    3. Generate the administration keys as follows:

      $ IDS_genAdminKeys install

      This creates the Root CA and the administration certificate. They are stored in the /etc/opt/ids/certs/admin directory. The keyword install is optional.

      If you later need to regenerate the administration certificate (for example, because it has expired) without invalidating the agent certificates you create in step 4, run the command again with the update option. For example:

      $ IDS_genAdminKeys update

      If you omit the update option, the command also recreates the Root CA, so the administration system no longer trusts the existing agent certificates. In that case, repeat step 4 and then the main steps 2 and 3 (transport and install the new agent certificates).

      Following is an example of the installation process run on the administration host, adminsys:

      $ IDS_genAdminKeys
      ==> Be sure to run this script on the IDS Administration host.
      Generating a certificate request for IDS Root CA...
      Generating a self-signed certificate for IDS Root CA...
      Generating a certificate for the HP-UX Host IDS System Manager...
      Generating cert signing request for HP-UX Host IDS System Manager...
      Signing the HP-UX Host IDS System Manager certificate request...
      Importing IDS Root CA certificate...
      Importing the HP-UX Host IDS System Manager certificate...

      ************************************************************
      * Successfully created certificates for IDS Root CA and for
      * the HP-UX Host IDS System Manager.
      * Certificate public keys are valid for 700 days and are
      * 1024 bits in size.
      *
      * Now you need to create keys for each of the hosts on which
      * the Agent software is installed by running the script
      * 'IDS_genAgentCerts'.
      ************************************************************
    4. Generate the keys for each agent, one bundle of keys per agent system, as follows:

      $ IDS_genAgentCerts

      In this process, each host name or IP address you enter is checked for validity using the nslookup command. For more information, see nslookup(1).

      If you enter a host name and nslookup returns a single IP address, the host name and IP address are saved in a temporary file and the key bundle is created.

      If you enter an IP address and nslookup returns a host name, the host name and IP address are saved in a temporary file and the key bundle is created. Use this method if the agent is multihomed (two or more IP addresses). The IP address must be the value you set for IDS_LISTEN_IFACE. For more information, see “Configuring a Multihomed Agent System”.

      If no IP address or host name is found, you are asked whether you want to create the bundle anyway; no entry is placed in the temporary file.

      If multiple IP addresses are found, no entry is placed in the temporary file. The bundle is created without comment.

      When the System Manager is started later, any entries in the temporary file are added to the host list table displayed on the Host Manager screen.

      The following example, run on the administration host adminsys, shows how to enter the names of your agent hosts (myhost1 and myhost2 in this example). The script prompts for each host name or IP address; press Ctrl-D after you have entered the last one.

      $ IDS_genAgentCerts

      ==> Be sure to run this script on the IDS Administration host.

      Generate keys for which host? myhost1
      Generating key pair and certificate request for IDS Agent on myhost1....
      Signing certificate for IDS Agent on myhost1...
      Certificate package for IDS Agent on myhost1 is /var/opt/ids/tmp/myhost1.tar.Z

      Next hostname (^D to quit)? myhost2
      Generating key pair and certificate request for IDS Agent on myhost2....
      Signing certificate for IDS Agent on myhost2...
      Certificate package for IDS Agent on myhost2 is /var/opt/ids/tmp/myhost2.tar.Z

      Next hostname (^D to quit)? myhost3

      Host name "myhost3" unknown. DNS lookup failed.

      Do you still wish to create a certificate [N]/Y? n

      Re-enter a host name (^D to quit): 15.27.43.6
      Generating key pair and certificate request for IDS Agent on 15.27.43.6....
      Signing certificate for IDS Agent on 15.27.43.6...
      Certificate package for IDS Agent on 15.27.43.6 is /var/opt/ids/tmp/15.27.43.6.tar.Z

      Next hostname (^D to quit)? Ctrl-D
      ************************************************************
      * Successfully created agent certificates for the following
      * hosts:
      * 	myhost1
      * 	myhost2
      * 	15.27.43.6
      *
      * Certificate public keys are valid for 700 days and are 1024 bits in size.
      *
      * They are stored in /var/opt/ids/tmp as hostname.tar.Z
      *
      * You should now transfer the bundles via a secure channel
      * to the IDS agent machines.
      *
      * On each agent you will need to run the IDS_importAgentKeys script to finish the installation.
      ************************************************************

      The agent certificate bundles are generated and stored in the following files:

      • /var/opt/ids/tmp/myhost1.tar.Z

      • /var/opt/ids/tmp/myhost2.tar.Z

      • /var/opt/ids/tmp/15.27.43.6.tar.Z

    NOTE: The IDS_genAdminKeys and IDS_genAgentCerts commands include options to provide alternate key lengths and alternate expiration dates for the administration and agent certificates. For more information, see IDS_genAdminKeys(1M) and IDS_genAgentCerts(1M). The default key length is 1024 bits. The default expiration is 700 days.
    TIP: You can automate agent certificate creation by creating a file of host names and IP addresses, one host name or IP address per line. Each entry must refer to a single IP address on an agent system. For more information, see “Configuring a Multihomed Agent System”.

    If your file name is list_of_hosts, then the command is as follows:

    $ cat list_of_hosts | IDS_genAgentCerts
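
The TIP above feeds a file of host names and IP addresses into IDS_genAgentCerts. The following POSIX shell script is an added example and is not part of the HP-UX HIDS guide or toolset: it cleans and syntax-checks such a list before you pipe it in, so that a mistyped or duplicate entry never reaches the script's interactive "unknown host" prompt. It validates only the form of each entry and removes duplicates; resolving each entry to exactly one IP address is left to IDS_genAgentCerts, which uses nslookup for that as described above. The function names, the use of mktemp and the sample list contents are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): syntax-check a list_of_hosts
# file before running `cat list_of_hosts | IDS_genAgentCerts`.
# Assumptions: POSIX sh, awk, sed, grep -E and mktemp are available; entries are
# host names or dotted IPv4 addresses, one per line; '#' starts a comment.

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# True if $1 is a syntactically valid host name: dot-separated labels of at most
# 63 letters, digits or hyphens, with no leading or trailing hyphen.
is_hostname() {
    printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# Print the cleaned list on stdout: comments and blank lines removed, surrounding
# whitespace trimmed, duplicates dropped (first occurrence kept). Entries that are
# neither a valid host name nor a valid IPv4 address are reported on stderr and
# omitted, and the function returns 1 so the caller can stop before IDS_genAgentCerts.
prepare_host_list() {
    list=$1
    rc=0
    cleaned=$(mktemp) || return 2
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$list" |
        awk 'NF && !seen[$0]++' > "$cleaned"
    # Read from a file rather than a pipe so that $rc survives the loop in every sh.
    while IFS= read -r entry; do
        ok=0
        case $entry in
            *[!0-9.]*) is_hostname "$entry" && ok=1 ;;   # contains letters or other characters: must be a host name
            *)         is_ipv4 "$entry" && ok=1 ;;       # digits and dots only: must be a valid IPv4 address
        esac
        if [ "$ok" -eq 1 ]; then
            printf '%s\n' "$entry"
        else
            printf 'prepare_host_list: rejected entry "%s"\n' "$entry" >&2
            rc=1
        fi
    done < "$cleaned"
    rm -f "$cleaned"
    return "$rc"
}

# Usage (the list file name is hypothetical; the script path is the guide's):
#   prepare_host_list list_of_hosts > checked_hosts && cat checked_hosts | /opt/ids/bin/IDS_genAgentCerts
if [ $# -eq 1 ]; then
    prepare_host_list "$1"
fi
```

Because the function writes the accepted entries to stdout and signals rejected ones with a non-zero exit status, you can keep the output in a file, review the stderr report, and only then pipe the checked file into IDS_genAgentCerts as the TIP shows.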
  2. Transporting the certificates

    Transfer the agent certificate bundles through a secure channel to the agent systems.

    To securely transport the certificate bundles stored in /var/opt/ids/tmp/hostname.tar.Z to each of the agent machines, use an out-of-band secure channel. There are different ways to move your files from one system to another securely. For example, you can use encrypted PGP email, a portable medium such as a floppy disk or tape cassette that you carry from one system to another, an NFS mount, or an FTP site. However, because every environment is different, you must determine which method is best for your particular situation.

    CAUTION: FTP, RCP, and unencrypted email are not secure methods of transportation; the contents of files can be exposed to eavesdroppers, which threatens the security of the communication system.

    Private key files are protected by granting read and write file permissions to the user ids only.

  3. Installing the keys on each host

    Install the bundle of keys generated for each agent system on that system. Store the agent certificate bundle in the /var/opt/ids/tmp directory.

    1. Log in as follows:

      $ su - ids

    2. Change directory to /opt/ids/bin, as follows:

      $ cd /opt/ids/bin

    3. Store the key bundle in a directory, such as /var/opt/ids/tmp.

    4. Import the key bundle as follows:

      $ IDS_importAgentKeys /var/opt/ids/tmp/agentsys.tar.Z adminsys

      Where:

      agentsys
        is the name you entered for this agent system in Step 1, substep 4.

      adminsys
        is the host name or IP address of the administration system.

      If the administration system is multihomed, you must set the INTERFACE variable to the IP address that you want to use for HP-UX HIDS communication. For more information, see “Configuring a Multihomed Administration System”.

      The certificates for this host and the Root CA are extracted from the compressed tar file /var/opt/ids/tmp/agentsys.tar.Z and installed. The value of REMOTEHOSTS in the configuration file /etc/opt/ids/ids.cf is changed to adminsys.

      The certificates are placed in /etc/opt/ids/certs/agent.

      Following is an example of the install process, run on agent system myhost1:

      $ IDS_importAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadmin

      Extracting key pair and certificates...
      Modifying the configuration file /etc/opt/ids/ids.cf to use myadmin as the IDS Administration host...
      ************************************************************
      * Keys for IDS Agent were imported successfully.
      * You can now run the idsagent process on this machine and control it from the HP-UX Host IDS System Manager.
      ************************************************************
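
Once the keys are imported on an agent (and equally on the administration system after IDS_genAdminKeys), a practitioner will want to confirm two things this section states: private key files are readable and writable by the user ids only, and the certificates, which are valid for 700 days by default, are not about to expire. The following POSIX shell script is an added example and is not part of the HP-UX HIDS toolset. It assumes PEM-encoded files and an installed openssl(1), and it takes key and certificate file names as arguments because the guide does not name the files under /etc/opt/ids/certs/admin and /etc/opt/ids/certs/agent; the function names and the 30-day warning threshold are likewise this example's choices.

```sh
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): check HP-UX HIDS key and
# certificate files after IDS_genAdminKeys (administration system) or
# IDS_importAgentKeys (agent system).
# Assumptions: files are PEM encoded and openssl(1) is installed; file names are
# passed as arguments because the guide does not list them. The permission check
# parses `ls -l`, which is portable between HP-UX and other Unix systems.

# True if private key FILE ($1) is a regular file owned by OWNER ($2, default ids)
# with mode rw-------, i.e. readable and writable by that user only.
key_perms_ok() {
    file=$1
    owner=${2:-ids}
    [ -f "$file" ] || return 1
    set -- $(ls -ld "$file")          # $1 = mode string, $3 = owner name
    case $1 in
        -rw-------*) [ "$3" = "$owner" ] ;;   # a trailing '+' or '@' (ACL/xattr marker) is tolerated
        *) return 1 ;;
    esac
}

# True if certificate FILE ($1) is still valid for at least DAYS ($2) more days.
# Returns 2 if openssl is unavailable so the caller can tell "unknown" from "expiring".
cert_valid_for() {
    cert=$1
    days=$2
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1
}

# Audit one private key and one certificate; print a report and return 1 on any problem.
# With the guide's 700-day default, a 30-day threshold leaves time to run
# IDS_genAdminKeys update (administration certificate) or to regenerate and
# re-import an agent certificate before communication breaks.
audit_pair() {
    key=$1; cert=$2; owner=${3:-ids}; warn_days=${4:-30}
    status=0
    if key_perms_ok "$key" "$owner"; then
        echo "ok:   $key is mode rw------- and owned by $owner"
    else
        echo "FAIL: $key must be mode 600 and owned by $owner"; status=1
    fi
    cert_valid_for "$cert" "$warn_days" && rc=0 || rc=$?
    case $rc in
        0) echo "ok:   $cert is valid for more than $warn_days days" ;;
        2) echo "WARN: openssl not found, expiry of $cert not checked" ;;
        *) echo "FAIL: $cert expires within $warn_days days or cannot be read"; status=1 ;;
    esac
    return $status
}

# Usage (file names are hypothetical; the directory is the guide's):
#   audit_pair /etc/opt/ids/certs/agent/agent.key /etc/opt/ids/certs/agent/agent.crt ids 30
if [ $# -ge 2 ]; then
    audit_pair "$@"
fi
```

Run it as the ids user on each system after the steps above, and again from a periodic job, so that an expiring administration certificate is caught while the update option of IDS_genAdminKeys can still be used without redoing the agent certificates.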