HP-UX AAA Server A.08.00.01 Administrator’s Guide: HP-UX 11i v2 and HP-UX 11i v3, Chapter 3 Installing and Securing the HP-UX AAA Server

Securing the HP-UX AAA Server

» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

Performing the steps in this section increases the security of your HP-UX AAA Server installation. HP recommends that all customers perform the steps in “Changing the Default HP-UX AAA Server Settings”. Perform those steps in “Environment Specific Security Procedures” that apply to your environment.

Changing the Default HP-UX AAA Server Settings

The following information explains how to increase the security of your HP-UX AAA Server by changing some of the default settings. HP recommends that all customers change the default values.

Changing the Default Tomcat User Name and Password

All Tomcat installations ship with the same default user name and password, and these defaults are publicly known. You must change them to unique values before exposing Server Manager on the network.

Complete the following steps to change the Tomcat user name and password:

  1. Open /opt/hpws/tomcat/conf/tomcat-users.xml.

  2. Look for entries with the roles="tomcat" string. These entries are valid Tomcat user names and passwords, and the shipped ones are identical on every installation.

  3. Modify the file to include only the user name and password you want to use, removing every other entry. Use the following format:

    <user username="new user name" password="new password"
          roles="tomcat"/>

    The password is stored in clear text in this file, so make sure the file is readable only by root and the account that runs Tomcat.

Changing the Default RMI Objects Secret

HP recommends changing the default RMI Objects secret. The same secret is configured on both the Server Manager web application and the RMI server, and the shipped value is identical on every installation.

Complete the following steps to change the default RMI Objects secret:

  1. Open /opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties.

  2. Look for the following entry:

    rmi.config.secret = "secret"

  3. Change the “secret” portion to a new value.

  4. Open the /opt/aaa/remotecontrol/rmiserver.properties file.

  5. Look for the following entry:

    rmi.config.secret = "secret"

  6. Change the “secret” portion to the same value configured in Step 3.

    IMPORTANT: The rmi.config.secret in /opt/aaa/remotecontrol/rmiserver.properties and in /opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties must be identical. Both files hold the secret in clear text, so restrict their permissions to root and the accounts that run Tomcat and the RMI objects.
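The following script is an added example and is not part of HP's guide or of the HP-UX AAA Server software. It audits the two defaults described above, the shipped Tomcat accounts in tomcat-users.xml and the RMI Objects secret, and rewrites the secret consistently in both property files. It assumes the file locations named in the steps, the `key = "value"` layout shown for the property files, that `<user>` entries list username before password as in the format above, and that /dev/urandom is available for generating the new secret.

```shell
#!/bin/sh
# Added example, not HP's code: audit the shipped Tomcat accounts and the
# RMI Objects secret, and rewrite the secret consistently in both files.
# Assumed locations (the ones named in the procedure above).
TOMCAT_USERS=${TOMCAT_USERS:-/opt/hpws/tomcat/conf/tomcat-users.xml}
GUI_PROPS=${GUI_PROPS:-/opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties}
RMI_PROPS=${RMI_PROPS:-/opt/aaa/remotecontrol/rmiserver.properties}

# tomcat_weak_users FILE: one line per <user> whose password is the shipped
# default "tomcat" or equals the user name. Assumes the attribute order
# username="..." password="..." shown in the procedure.
tomcat_weak_users() {
    sed -n 's/.*<user[^>]*username="\([^"]*\)"[^>]*password="\([^"]*\)".*/\1 \2/p' "$1" |
    while read -r u p; do
        if [ "$p" = tomcat ]; then
            echo "$u: shipped default password"
        elif [ "$p" = "$u" ]; then
            echo "$u: password equals user name"
        fi
    done
}

# rmi_secret FILE: value of rmi.config.secret with the quotes stripped
# (empty if the key is absent or commented out).
rmi_secret() {
    sed -n 's/^[[:space:]]*rmi\.config\.secret[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# check_rmi_secret GUI_FILE RMI_FILE
# 0 = changed and identical, 1 = missing, 2 = still the default, 3 = mismatch
check_rmi_secret() {
    g=$(rmi_secret "$1"); r=$(rmi_secret "$2")
    if [ -z "$g" ] || [ -z "$r" ]; then
        echo "rmi.config.secret missing in $1 or $2" >&2; return 1
    elif [ "$g" = secret ] || [ "$r" = secret ]; then
        echo "rmi.config.secret is still the shipped default" >&2; return 2
    elif [ "$g" != "$r" ]; then
        echo "rmi.config.secret differs between $1 and $2" >&2; return 3
    fi
    return 0
}

# new_secret: 32 hex characters from the kernel RNG (assumes /dev/urandom).
new_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# set_rmi_secret VALUE FILE: rewrite the key in place. HP-UX sed has no -i,
# so write a temp file and copy it back (cat > keeps the file's owner/mode).
set_rmi_secret() {
    tmp="$2.$$"
    sed 's/^\([[:space:]]*rmi\.config\.secret[[:space:]]*=[[:space:]]*\).*$/\1"'"$1"'"/' "$2" > "$tmp" &&
    cat "$tmp" > "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use:
#   s=$(new_secret); set_rmi_secret "$s" "$GUI_PROPS"; set_rmi_secret "$s" "$RMI_PROPS"
#   check_rmi_secret "$GUI_PROPS" "$RMI_PROPS" && tomcat_weak_users "$TOMCAT_USERS"
```

Run the audit functions before the RMI objects and Tomcat are restarted; check_rmi_secret returns a distinct status for each failure mode so it can be used from a cron job or a hardening script.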

Changing the Default test_user Settings

HP recommends changing the default test_user password. This password can be changed only after the Server Manager has been started. The procedure is described later in this guide under “Changing the Default test_user Settings”.

Changing the Default localhost Proxy Settings

HP recommends changing the default localhost proxy settings. These settings can be changed only after the Server Manager has been started. The procedure is described later in this guide under “Changing the Default localhost Proxy Settings”.

Environment Specific Security Procedures

Depending on your environment needs, you can perform any of the following steps for additional security:

Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration

Use the following steps to configure SSL (HTTPS):

  1. Generate a certificate for Tomcat to establish the SSL connection. Use the following steps to create a self-signed certificate with the Java command line keytool utility:

    1. Remove $HOME/.keystore if it already exists. Do this as the account that will run Tomcat, because Tomcat reads $HOME/.keystore from the home directory of the account it runs under.

    2. Enter the following command:

      $ export JAVA_HOME=/opt/java1.4

    3. Enter the following command:

      $ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

      By default keytool generates a 1024-bit key and a certificate that is valid for 90 days; add the -keysize and -validity options to choose a stronger key and a longer lifetime.

    4. Enter a password for the key store when prompted.

    5. Enter the certificate information (company, contact name, etc.) when prompted. This information must be accurate because it is displayed to users who attempt to administer Server Manager.

    6. Enter a password for the key when prompted. Use the same password you used for the key store, because Tomcat opens both with the single keystorePass value configured in Step 3.

  2. Uncomment the following Connector definition in /opt/hpws/tomcat/conf/server.xml (it is shipped inside a comment block; remove the <!-- and --> lines that surround it):

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true"
               useURIValidationHack="false">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" />
    </Connector>
    -->
  3. Add the keystorePass attribute to the Factory element you just uncommented in /opt/hpws/tomcat/conf/server.xml, so that Tomcat can open the key store and the key. Add the attribute as shown in the following:

    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="false" protocol="TLS"
             keystorePass="<password>" />

    IMPORTANT: Replace <password> with the password used to generate the keystore in Step 1. The password is stored in clear text in server.xml, so make sure the file is readable only by root and the account that runs Tomcat. Tomcat looks for the key store at $HOME/.keystore of the account it runs under; if the key store is elsewhere (for example because Tomcat runs as a different user from the one that ran keytool), also add a keystoreFile="<path>" attribute to the Factory element.
  4. Stop and start Tomcat:

    • Stop: /opt/hpws/tomcat/bin/shutdown.sh

    • Start: /opt/hpws/tomcat/bin/startup.sh

  5. Point your web browser to:

    https://<hostname>:8443/aaa

    The browser warns about the self-signed certificate on the first connection; check that the certificate details match what you entered in Step 1 before accepting it. Enabling the HTTPS connector does not disable the plain HTTP connector on port 8081, so if remote administration is to use HTTPS only, block port 8081 from other hosts at the firewall.
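The following check is an added example, not code from HP's guide or the HP-UX AAA Server product. After editing server.xml it confirms that the port-8443 Connector really is outside the comment markers and that its Factory carries a keystorePass, and it tests whether the file holding that password is world-readable. It assumes the Tomcat 4 server.xml layout shown above and a POSIX sh with awk and find; the tls_probe function additionally needs openssl(1) and a running Tomcat, so it is not exercised offline.

```shell
#!/bin/sh
# Added example, not HP's code: verify the HTTPS connector edit in
# /opt/hpws/tomcat/conf/server.xml before restarting Tomcat.
SERVER_XML=${SERVER_XML:-/opt/hpws/tomcat/conf/server.xml}

# server_xml_tls_status FILE: prints "disabled" if the port-8443 Connector is
# still inside <!-- -->, "enabled-no-keystorePass" if it is live but the
# Factory has no keystorePass, or "enabled". Comment markers are tracked
# across lines, so the shipped multi-line comment block is handled.
server_xml_tls_status() {
    awk '
        BEGIN { incomment = 0; inconn = 0; live = 0; haspass = 0 }
        {
            line = $0
            while (length(line) > 0) {
                if (incomment) {
                    i = index(line, "-->")
                    if (i == 0) break              # rest of the line is comment
                    line = substr(line, i + 3); incomment = 0
                } else {
                    i = index(line, "<!--")
                    seg = (i == 0) ? line : substr(line, 1, i - 1)
                    if (seg ~ /<Connector/) inconn = 1
                    if (inconn && seg ~ /port="8443"/) live = 1
                    if (live && seg ~ /keystorePass="[^"]+"/) haspass = 1
                    if (seg ~ /<\/Connector>/) inconn = 0
                    if (i == 0) break
                    line = substr(line, i + 4); incomment = 1
                }
            }
        }
        END { print (live ? (haspass ? "enabled" : "enabled-no-keystorePass") : "disabled") }
    ' "$1"
}

# world_readable FILE: succeeds if "other" can read FILE. Because keystorePass
# is stored in clear text, server.xml should fail this test.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# tls_probe HOST: show the certificate the live server presents on 8443
# (needs openssl(1); only meaningful against a running Tomcat).
tls_probe() {
    printf 'QUIT\n' | openssl s_client -connect "$1:8443" 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

# Typical use:
#   server_xml_tls_status "$SERVER_XML"
#   world_readable "$SERVER_XML" && echo "server.xml is world-readable: tighten its mode"
#   tls_probe <hostname>
```

Run server_xml_tls_status before the restart in Step 4 and tls_probe after it; the subject printed by tls_probe should be the one entered at keytool time.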

Creating a Tomcat Identity Specifically for the HP-UX AAA Server

If several applications use Tomcat, you can configure Tomcat to have a user name and password specifically for the AAA Server. All other applications using Tomcat will have a different user name and password.

Complete the following steps to create a Tomcat identity specifically for your HP-UX AAA Server:

  1. Search for the following line in /opt/hpws/tomcat/conf/server.xml:

    <!-- Tomcat Examples Context -->

    Add the following code above this line:

    <Context path="/aaa" docBase="aaa" debug="0"
             reloadable="false" crossContext="false">
      <Realm className="org.apache.catalina.realm.MemoryRealm"
             debug="0" pathname="conf/aaa-users.xml"/>
    </Context>
  2. Open the /opt/hpws/tomcat/conf/aaa-users.xml file.

  3. Replace the default adminaaa entry with the user name and password you want to use. As with tomcat-users.xml, the password is stored in clear text, so restrict the file's permissions to root and the account that runs Tomcat.

  4. Enter the following command:

    $ export JAVA_HOME=/opt/java1.4
  5. Stop Tomcat if it is running:

    $ /opt/hpws/tomcat/bin/shutdown.sh
  6. Restart Tomcat:

    $ /opt/hpws/tomcat/bin/startup.sh
  7. Stop the RMI objects if they are running:

    $ /opt/aaa/remotecontrol/rmistop.sh
  8. Set the shared library path to the OCI client or ODBC driver in the /opt/aaa/remotecontrol/rmistart.sh script if you are implementing the SQL Access feature. See the following README files for more information:

    • /opt/aaa/examples/sqlaccess/oracle-1/README: for Oracle - OCI

    • /opt/aaa/examples/sqlaccess/mysql-1/README: for MySQL - ODBC

    See Chapter 22: “SQL Access” for more information on the SQL Access feature.

  9. Start the RMI objects:

    /opt/aaa/remotecontrol/rmistart.sh
  10. Point your web browser to:

    http://<hostname>:8081/aaa
  11. Login with the new AAA Server-specific user name and password

Running the HP-UX AAA Server on Hosts with System Hardening Software

If you are setting up the HP-UX AAA Server on a system that is being hardened using lock-down software such as Bastille, you must ensure that the ports used by the HP-UX AAA Server are kept open. The following ports must be kept open if you are running the HP-UX AAA Server:

  • Port 1812 (Radius authentication port)

  • Port 1813 (Radius accounting port)

  • Port 8081 (port used by the Server Manager. Needed only if this host is going to run the Server Manager)

  • Port 2099 (port used by the RMI server. Needed only if the HP-UX AAA Server on this host needs to be remotely managed from another host.)

  • RMI Server ports listed in Table 3-3. By default, these ports change each time the RMI objects are started.

NOTE: These ports are default ports. However, you can configure these services to use other ports.

If the HP-UX AAA Server on the host needs to be remotely managed from another host, additional ports must be opened. By default these ports are chosen at random and change every time the RMI server is restarted, which makes them impossible to open in a fixed firewall rule; configure fixed values for them in /opt/aaa/remotecontrol/rmiserver.properties instead. Table 3-3 lists the properties that must be set, and the corresponding ports opened, for each kind of remote management functionality.

Table 3-3 Ports Associated with RMI Objects that must be Configured

    Port (property in rmiserver.properties)   Functionality
    adm.server.port                           If you are using the administrative functions
    conf.server.port                          If you are modifying, loading, or saving the
    file.server.port                          configuration
    stat.server.port                          If you are using maintenance features such as
    acct.server.port                          accounting, logging, reporting, getting
    log.server.port                           statistics, or session management
    sess.server.port
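The port list above is easy to get wrong by hand, so the following added example (a POSIX sh script, not HP's code and not part of the product) derives it from rmiserver.properties: the fixed RADIUS and Server Manager ports, the RMI server port, and whichever RMI object ports from Table 3-3 have been pinned, while flagging any that would still be chosen at random. It assumes the `key = value` layout used in that file, that an absent or zero value means "random", and it emits IPFilter-style pass rules whose exact syntax is an assumption to be checked against ipf(5) on your system before loading.

```shell
#!/bin/sh
# Added example, not HP's code: list the ports a host firewall (Bastille/IPFilter)
# must leave open for this HP-UX AAA Server host.
RMI_PROPS=${RMI_PROPS:-/opt/aaa/remotecontrol/rmiserver.properties}

# prop_value KEY FILE: value of KEY in a Java .properties file, quotes
# stripped; empty if unset or commented out.
prop_value() {
    sed -n 's/^[[:space:]]*'"$1"'[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p' "$2" | tail -n 1
}

# aaa_open_ports FILE [MANAGER] [REMOTE]
# Prints "proto port purpose" per line. MANAGER=1 if this host runs Server
# Manager; REMOTE=1 if the server is managed from another host, which needs
# the RMI server port and every RMI object port from Table 3-3. An object port
# that is absent or 0 is assumed to mean "random on each rmistart.sh" and is
# reported on stderr instead of being listed.
aaa_open_ports() {
    f=$1; manager=${2:-0}; remote=${3:-0}
    echo "udp 1812 radius-auth"
    echo "udp 1813 radius-acct"
    if [ "$manager" = 1 ]; then
        echo "tcp 8081 server-manager"
    fi
    if [ "$remote" = 1 ]; then
        echo "tcp 2099 rmi-server"
        for key in adm.server.port conf.server.port file.server.port \
                   stat.server.port acct.server.port log.server.port sess.server.port
        do
            p=$(prop_value "$key" "$f")
            case $p in
                ''|0)     echo "UNPINNED $key: set it in $f so the port can be opened" >&2 ;;
                *[!0-9]*) echo "INVALID $key=$p in $f" >&2 ;;
                *)        echo "tcp $p ${key%%.*}-rmi" ;;
            esac
        done
    fi
}

# ipf_rules FILE [MANAGER] [REMOTE]: the same list as IPFilter pass rules
# (assumed syntax; compare with ipf(5) on your system before loading).
ipf_rules() {
    aaa_open_ports "$@" | while read -r proto port purpose; do
        echo "pass in quick proto $proto from any to any port = $port keep state # $purpose"
    done
}

# Typical use on a host that runs Server Manager and is managed remotely:
#   ipf_rules "$RMI_PROPS" 1 1
```

Anything printed on stderr means the firewall cannot be configured yet: pin the named property in rmiserver.properties, restart the RMI objects, and run the script again.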

 

Running the HP-UX AAA Server as a Non-Root User

Some organizations require network server processes to run as a non-root user, so that a compromise of the server does not directly yield root privileges.

Complete the following steps to run the AAA server as a non-root user:

  1. Login to the system as the root user.

  2. Add the user name www to the aaa group.

  3. Use the following command to start the RMI objects as the aaa user:

    $ su - aaa -c /opt/aaa/remotecontrol/rmistart.sh
  4. Use the following command to start Tomcat as the www user:

    $ su - www -c "export JAVA_HOME=/opt/java1.4; /opt/hpws/tomcat/bin/startup.sh"
  5. Point your web browser to:

    http://<hostname>:8081/aaa
NOTE: Log files created while the HP-UX AAA Server was running as the root user are owned by root and will not be readable by the server after this procedure. To keep using them, change their ownership to the account that now runs the server (for example, the aaa user) with chown(1).

Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot

Complete the following steps to set up the HP-UX AAA Server to start as non-root user after reboot:

  1. Set the RADIUSD variable to 1 in the /etc/rc.config.d/radiusd.conf file.

  2. Open the /sbin/init.d/radiusd.rc file and look for the following entry:

    DAEMONNM=radiusd 
    CONFFILE=$AAAPATH/clients 
    DAEMONEXE=/opt/aaa/bin/${DAEMONNM}
  3. Change the DAEMONEXE line to set radiusd to start as the aaa user after reboot:

    Change:

    DAEMONEXE=/opt/aaa/bin/${DAEMONNM}

    To:

    DAEMONEXE="/usr/bin/su - aaa -c /opt/aaa/bin/${DAEMONNM}"
  4. Look for the following entry:

    echo "$DAEMONNM started with <$retval>"
    if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
    then
        /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
    fi

  5. Change the then statement to start the RMI objects as the aaa user after reboot:

    Change:

    if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
    then
        /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
    fi

    To:

    if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
    then
        /usr/bin/nohup /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
    fi
  6. Look for the following entry:

    # stop the daemon!!!
    if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]];
    then
        /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
    fi

  7. Change the then statement to stop the RMI objects as the aaa user during shutdown:

    Change:

    if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]];
    then
        /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
    fi

    To:

    if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]];
    then
        /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
    fi
  8. Look for the following entry:

    /opt/aaa/bin/rad_admin.sh start all > /dev/null 2>&1
  9. To start all the HP-UX AAA Servers as the aaa user during reboot, modify the statement as follows:

    /usr/bin/su - aaa -c /opt/aaa/bin/rad_admin.sh start all >/dev/null 2>&1
  10. Look for the following entry:

    /opt/aaa/bin/rad_admin.sh stop all > /dev/null 2>&1
  11. To stop all the HP-UX AAA Servers as the aaa user during shutdown, modify the statement as follows:

    /usr/bin/su - aaa -c /opt/aaa/bin/rad_admin.sh stop all >/dev/null 2>&1
  12. If you are implementing the SQL Access feature, add the following environment variable settings to the .profile file in the aaa user's home directory. This is needed because su - aaa starts a login shell for the aaa user, which does not inherit the environment of the rc script.

    (For ODBC only)

    export ODBCINI=<path>/odbc.ini

    (For OCI and ODBC)

    export SHLIB_PATH=${SHLIB_PATH}:<path to the ODBC or OCI client libraries>
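Once the rc script has been changed, the result is worth verifying rather than assumed. The following script is an added example, not HP's code: it reads a ps -ef listing and reports every HP-UX AAA related process that is not running under the expected account, and it includes a helper for the log-ownership fix mentioned in the NOTE above. It assumes the account split used in this section (radiusd and the RMI objects as aaa, Tomcat as www), recognises components by the installation paths on their command lines, and skips the su(1) wrapper process, which legitimately remains owned by root. The sample listing embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example, not HP's code: confirm that radiusd, the RMI objects and
# Tomcat are really running under the non-root accounts set up above.
# Live use:   ps -ef | aaa_wrong_owner

# aaa_wrong_owner: prints "UID PID component" for every HP-UX AAA related
# process whose owner differs from the expected account; exit status 1 if
# any were found, 0 otherwise. Expected owners are an assumption taken from
# the procedure above. Components are recognised by installation paths on
# the command line, so the check does not depend on ps column layout beyond
# UID and PID being the first two fields.
aaa_wrong_owner() {
    awk '
        BEGIN { want["radiusd"] = "aaa"; want["rmi"] = "aaa"; want["tomcat"] = "www"; bad = 0 }
        $1 == "UID" { next }                                  # ps header line
        /(^|[^A-Za-z0-9_])su[ \t]+-[ \t]/ { next }            # the su(1) wrapper is root by design
        {
            comp = ""
            if ($0 ~ /\/opt\/aaa\/bin\/radiusd/)         comp = "radiusd"
            else if ($0 ~ /\/opt\/aaa\/remotecontrol\//) comp = "rmi"
            else if ($0 ~ /\/opt\/hpws\/tomcat\//)       comp = "tomcat"
            if (comp != "" && $1 != want[comp]) { print $1, $2, comp; bad = 1 }
        }
        END { exit bad }'
}

# fix_log_owner DIR USER: hand log files written while the server still ran
# as root to the new account (see the NOTE above). Requires root; DIR is the
# log directory to repair.
fix_log_owner() {
    find "$1" -type f -user root -exec chown "$2" {} \;
}

# Constructed sample listing (not captured from a real system): radiusd was
# started the old way and is still root; the RMI objects and Tomcat are fine.
SAMPLE_PS='UID        PID  PPID  C    STIME TTY       TIME COMMAND
root       873     1  0 10:02:11 ?         0:00 /opt/aaa/bin/radiusd
root      1198     1  0 10:05:39 ?         0:00 /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.sh
aaa       1201  1198  0 10:05:40 ?         0:03 /opt/java1.4/bin/java -cp /opt/aaa/remotecontrol/classes RmiServer
www       1340     1  0  Mar 3   ?         0:09 /opt/java1.4/bin/java -Dcatalina.home=/opt/hpws/tomcat org.apache.catalina.startup.Bootstrap start
root      1555  1500  0 10:07:00 pts/0     0:00 grep java'

# demo: run the check over the sample; prints "root 873 radiusd" and returns 1.
demo() {
    printf '%s\n' "$SAMPLE_PS" | aaa_wrong_owner
}
```

Run `ps -ef | aaa_wrong_owner` after the reboot; an empty result with exit status 0 means every component picked up the su wrapper correctly.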