Installing and configuring Janus Network Security: Difference between revisions
Latest revision as of 20:58, 7 June 2017
Before you can start using secured communications with Janus Network Security, some preliminary tasks must be completed. The tasks should occur in the following sequence:
- Install the Sirius Mods, which contains Janus Network Security support.
Note: This requirement does not apply if your version of Model 204 is 7.5 or higher. This step would probably be done by the person responsible for installing and supporting Model 204 at your site. If you are already running Janus Web Server, this step involves some minor updates in support of Janus Network Security.
- Install or update RKTools.
- Make an initial connection to a port that uses the Rocket-provided internal certificate.
- Define and start the SSL port.
- Give appropriate user(s) access privileges.
- Download internal certificate as CA to browser.
Your initial connection tests your port, user, and web rule setup, using the Rocket-provided internal certificate (discussed in Self-signed certificates).
Each of these steps is further described below.
Install Sirius Mods
Note: This requirement does not apply to versions of Model 204 after 7.4.
The Sirius Mods are a set of features providing a base of support for most of the products formerly owned by Sirius — they must be installed before proceeding.
You can confirm whether the Sirius Mods are installed and at the current release level by entering the following at the Model 204 command line:
SIRIUS
The resulting display will include the current release of the Sirius Mods.
Install or update RKTools
A few components of RKTools are required for Janus Network Security, so RKTools must be installed prior to proceeding. More information is available in RKTools installation.
Note: As part of RKTools installation, the JANSSL file should be allocated and initialized. JANSSL is used to store SSL certificates, certificate requests and private keys. The JANSSL file should have a minimum of 1050 pages; the RKTools SIRIUS file (prior to version 7.7) or the M204PROC file (as of RKTools 7.7) contains a sample CREATE.JANSSL deck.
RKTools installation also creates the JANSSL subsystem, which is the SSL certificate management application. The procedure containing the JANSSL subsystem definition is SUBSYS.DEF.JANSSL — it is also in file SIRIUS prior to RKTools 7.7, and in M204PROC for V7.7 and higher. As described later (Add appropriate users to the JANSSL subsystem), you may need to update the subsystem.
If you have RKTools version 7.7 or higher, you probably want to follow the directions to install RKWeb, the web interface that includes access to the JANSSL certificate management application.
Make an initial SSL connection
In order to implement and test your first SSL connection, you can use the Rocket-provided internal certificate, which was distributed with Janus Network Security (and discussed further in Self-signed certificates). Ultimately, you will probably want to arrange to receive a certificate from a commercial certifying authority, as described later in Implementing a server certificate.
The following subsections describe how to set up and connect to a Janus Web Server port.
- If you are configuring a different type of Janus port, like an SSL-protected client socket port, for example, the same sequence of steps applies except for these:
  - The "Connect to the SSL port from a browser" subsection does not apply.
  - The keywords denoting the port type (WEB and WEBSERV) in the JANUS command examples would be replaced by CLSOCK.
- If you have RKTools version 7.7 or higher, and you installed and will use the RKWeb interface to access the JANSSL certificate management application, your SSL port is already defined. You can skip the port-definition specific instructions in the following subsection, but you still may need to start your SSL port and adjust the JANSSL subsystem information as described below. You can ignore the subsection describing how to connect to the SSL port from a browser; RKWeb makes this connection.
Define and start an SSL port
To define an initial SSL web port using the Rocket-provided internal certificate, a user with system manager or system administrator privileges must issue a command like:
JANUS DEFINE portName 443 WEBSERV 5 SSL sslInfo
Where:
- portName is an arbitrary port name of up to 30 characters in length.
- 443 is an arbitrary port number (although 443 is the default for HTTPS).
- 5 can be replaced by a different maximum thread value.
- sslInfo may be an asterisk (*) to indicate that the internal, Rocket-generated, certificate and private key is to be used. If a certificate from a certifying authority is being used, replace sslInfo with the file name and procedure name that contain the certificate (for example, SSL MYFILE MYCERTIFICATE.CERT), as shown in Defining and starting a port.
For more information about the JANUS DEFINE command, see JANUS DEFINE.
To start the port, enter:
JANUS START SSLWEB
where SSLWEB is the port name specified on the JANUS DEFINE command. The port is started and SSL is enabled.
Add appropriate users to the JANSSL subsystem
When the RKTools installation is done, the user doing the install is given privileges to run JANSSL. If the user that did the RKTools installation is not the one who will manage certificates and private keys, the latter user must be added as a JANSSL subsystem user (probably using SUBSYSMGMT).
For example, if MARY installed RKTools but CURTIS is going to manage certificates, CURTIS must be added as a JANSSL subsystem user.
In addition, while using SUBSYSMGMT, make sure that the JANSSL subsystem communication global is NEXT, the exit value is LOG, and the procedure file is SIRIUS.
Add web rule to authorize user access to the port
When the web port using the internal private key is defined, Janus Web Server rules are automatically created so that the defining user can access any resource on the SSL port. If the user that issued the JANUS DEFINE command (in Define and start an SSL port) is not the one that will manage certificates and private keys, a rule must be added to allow the latter user to access resources on the SSL port.
For example, if MORT issued the JANUS DEFINE command for the SSL port but TAMARA is going to manage certificates, add a rule like the following to the SSL port definition to allow TAMARA to access resources on that port:
JANUS WEB SSLWEB ALLOW * USER TAMARA
This is the best way to protect the server. The following subsections describe three other ways that you can authorize users to access the SSL port. Though you may be tempted to use them, each of the following is discouraged, as described below. For additional comments about access, see Many alternatives for restricting or permitting access.
Allowing any valid logged-in user
The preceding paragraphs described how to add a web server rule to authorize an individual user to access the secured port. An even simpler approach is to modify the rule as follows to allow any valid userid to access data on the SSL port:
JANUS WEB SSLWEB ALLOW * USER *
Although it is not recommended, note that this rule does not expose a security hole: without being a JANSSL subsystem user, there is not much a user can do on the SSL thread. (Remember, JANSSL is the subsystem installed with Janus Network Security that provides support for the certificate management application.)
However, this degree of access might become an issue as you add your own applications to the SSL port, at which point it is up to you whether to enforce security through web rules, subsystem access rules, or internal application checks. The appropriate security mechanism for your site in this case is beyond the scope of this document.
Accessing JANSSL through non-SSL ports
It is possible to access the JANSSL subsystem through a non-SSL port by specifying a rule such as this:
JANUS WEB WEBPORT ALLOW /JANWEB/JANSSL* USER *
where WEBPORT is not your Janus SSL port.
While possible, this is strongly discouraged, because the above web rule will result in unencrypted Model 204 passwords being sent over the network as JANSSL verifies access privileges. The only reason to allow access to JANSSL like this might be that there is local network security that gives you confidence that this is not a problem, and for some reason, it is not possible for your browser to work with the internal Janus certificate.
Making WEBUSER a JANSSL subsystem user
Perhaps the worst way to provide access to the certificate management application is one of the following:
- Define as a JANSSL subsystem user the default Model 204 account ID (normally WEBUSER) that is used for logons of URLs that require no user ID.
- Make the JANSSL subsystem public.
These approaches let anyone with a browser generate (and overlay) private keys and certificates in the JANSSL file. Security is completely gone, and you might as well not use SSL. You could perhaps make this somewhat secure by limiting access to certain URLs based on IP address, but this is still considered risky from a security perspective.
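The access choices described in the preceding subsections (an ALLOW rule for a named user, ALLOW * USER *, JANSSL reachable through a non-SSL port, and WEBUSER as a JANSSL subsystem user) can be checked mechanically before a deck is applied. The following is an added example, not Rocket's or Janus's own code: it parses a constructed deck of JANUS DEFINE and JANUS WEB commands in the forms shown on this page and reports the discouraged configurations. The rule-evaluation semantics in is_allowed (an ALLOW rule grants access when both its URL pattern and its USER pattern match, and a matching DISALLOW overrides), the /JANWEB/JANSSL prefix taken from the rule above, and the subsystem user list are assumptions or constructed data.

```python
"""Audit a deck of JANUS commands for the access patterns this page discourages.
Added example; not Rocket/Janus code.  The command syntax parsed is only the
subset shown on the page, and the rule semantics are an assumption."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Port:
    name: str
    number: int
    kind: str      # WEBSERV, CLSOCK, ...
    ssl: bool      # True when the definition carries the SSL keyword


@dataclass
class WebRule:
    port: str
    action: str    # ALLOW or DISALLOW
    url_pattern: str
    user_pattern: str


def parse_deck(lines):
    """Collect JANUS DEFINE ports and JANUS WEB ALLOW/DISALLOW rules; other
    JANUS commands (START, WEB ON, ...) are ignored."""
    ports, rules = {}, []
    for raw in lines:
        t = raw.split()
        if len(t) >= 6 and t[:2] == ["JANUS", "DEFINE"]:
            # JANUS DEFINE portName portNumber portType maxThreads [SSL sslInfo]
            ports[t[2]] = Port(t[2], int(t[3]), t[4], "SSL" in t[6:])
        elif (len(t) >= 7 and t[:2] == ["JANUS", "WEB"]
              and t[3] in ("ALLOW", "DISALLOW") and t[5] == "USER"):
            # JANUS WEB portName ALLOW urlPattern USER userPattern
            rules.append(WebRule(t[2], t[3], t[4], t[6]))
    return ports, rules


def is_allowed(rules, port_name, url, user):
    """Assumed semantics: granted when some ALLOW rule on the port matches the
    URL and the user, and no DISALLOW rule on the port matches them."""
    hits = [r for r in rules if r.port == port_name
            and fnmatchcase(url, r.url_pattern) and fnmatchcase(user, r.user_pattern)]
    return (any(r.action == "ALLOW" for r in hits)
            and not any(r.action == "DISALLOW" for r in hits))


JANSSL_URL = "/JANWEB/JANSSL"   # URL prefix of the JANSSL application (from the rule on the page)


def audit(ports, rules, janssl_users):
    """Return one finding per discouraged configuration found."""
    findings = []
    for r in rules:
        port = ports.get(r.port)
        if port is None:
            findings.append(f"{r.port}: web rule references a port with no JANUS DEFINE")
            continue
        if r.action != "ALLOW":
            continue
        if not port.ssl and fnmatchcase(JANSSL_URL, r.url_pattern):
            findings.append(f"{r.port}: JANSSL reachable over a non-SSL port; "
                            "Model 204 passwords would cross the network unencrypted")
        elif port.ssl and r.user_pattern == "*":
            findings.append(f"{r.port}: ALLOW {r.url_pattern} USER * admits any logged-in user; "
                            "revisit once other applications share the SSL port")
    if "WEBUSER" in janssl_users or "*" in janssl_users:
        findings.append("JANSSL: WEBUSER is a subsystem user (or the subsystem is public); "
                        "anyone with a browser can generate and overlay keys and certificates")
    return findings


# Constructed deck and subsystem user list for demonstration only.
DECK = """
JANUS DEFINE SSLWEB 8443 WEBSERV 5 SSL *
JANUS DEFINE WEBPORT 80 WEBSERV 5
JANUS START SSLWEB
JANUS WEB SSLWEB ALLOW * USER TAMARA
JANUS WEB SSLWEB ALLOW * USER *
JANUS WEB WEBPORT ALLOW /JANWEB/JANSSL* USER *
""".strip().splitlines()
JANSSL_USERS = frozenset({"MARY", "CURTIS", "WEBUSER"})


def run_audit(deck=DECK, janssl_users=JANSSL_USERS):
    ports, rules = parse_deck(deck)
    return audit(ports, rules, janssl_users)


if __name__ == "__main__":
    for finding in run_audit():
        print("-", finding)
```

Run against the constructed deck it reports three findings: the ALLOW * USER * rule on SSLWEB, the JANSSL rule on the non-SSL WEBPORT, and WEBUSER in the JANSSL user list; a deck containing only the named-user rule for TAMARA reports nothing.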
Connect to the SSL port from a browser
Having defined and configured an SSL port, you can now attempt a connection. As described in How a browser should connect, the difference between connecting to an SSL-secured port and an unsecured one is in the designation of the service in the URL sent from the browser.
To reach a secured port, you specify "https" rather than "http" in the URL.
If you chose to define the port with a number other than the default of 443, you must specify that number as well. For example, for a site that is testing the secured port 8443, specify:
https://www.yourdomain.com:8443
If you have yet to generate an internal certificate, Janus Network Security produces by default an out of date Sirius self-signed certificate. In response, your browser will probably initially display one or more notices informing you that the default Sirius certificate has expired, that Sirius is an unknown certifying authority, or that the domain name you specified does not match the name on the certificate. For more information about certificates and certificate authorities, see Certificates and Certifying authorities.
At the browser, you can view the certificate for supporting evidence that it is indeed from Sirius, then choose to accept it. Next, you are prompted for your Model 204 user ID and password.
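A scripted client that reaches the same port should do what the browser step above does: trust the downloaded internal certificate explicitly, rather than switch verification off. The following is an added example, not Rocket's or Janus's own code. The host name, the 8443 test port and the path of the downloaded certificate are assumptions; explain_verify_failure maps the verification error text of Python's ssl module onto the three browser notices the text describes (expired certificate, unknown certifying authority, name mismatch).

```python
"""Reach a Janus SSL port from a script with certificate verification kept on.
Added example; not Rocket/Janus code.  Host, port and CA file path are assumed."""
import http.client
import ssl


def build_url(host, port=443):
    """Return the https URL for the port; the :port suffix is only needed
    when the port is not the HTTPS default of 443."""
    return f"https://{host}" if port == 443 else f"https://{host}:{port}"


def client_context(cafile=None):
    """Build a verifying client context.  cafile is the internal certificate
    downloaded from the port (the scripted equivalent of importing it into the
    browser as a CA); when it is None only the system CA store is trusted."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def verification_enabled(ctx):
    """True when the context both requires a trusted certificate and checks
    that the host name matches it (the default context does both)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Substrings of ssl verification messages, mapped onto the page's three notices.
NOTICES = [
    ("expired", "the certificate has expired"),
    ("hostname mismatch", "the domain name does not match the name on the certificate"),
    ("self-signed", "the issuer is an unknown certifying authority"),
    ("self signed", "the issuer is an unknown certifying authority"),
    ("unable to get local issuer", "the issuer is an unknown certifying authority"),
]


def explain_verify_failure(message):
    """Translate an SSLCertVerificationError message into the notice a browser
    would show; unknown messages are returned as-is."""
    lower = message.lower()
    for needle, notice in NOTICES:
        if needle in lower:
            return notice
    return "certificate verification failed: " + message


def fetch_home_page(host="www.yourdomain.com", port=8443, cafile=None):
    """GET the default Janus Web home page.  Returns (status, None) on success
    or (None, explanation) when the certificate was rejected."""
    conn = http.client.HTTPSConnection(host, port, context=client_context(cafile), timeout=10)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status, None
    except ssl.SSLCertVerificationError as exc:
        return None, explain_verify_failure(exc.verify_message or str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_url("www.yourdomain.com", 8443))
    status, why = fetch_home_page(cafile="janus-internal.pem")  # assumed path
    print(status if why is None else why)
```

Without the cafile argument the call fails with "the issuer is an unknown certifying authority", which is the scripted counterpart of the browser notice; supplying the downloaded internal certificate resolves that notice but not an expired certificate or a name mismatch, which only a regenerated certificate fixes.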
Finally, accessing this SSL port for the first time invokes the Default Janus Web Home Page. You are taken to this page as the result of default JANUS WEB ON rules supplied with the Janus Web Server (and viewable via the JANUS DISPLAYWEB command). You can change the default page by defining a JANUS WEB ON rule for your secured port that points to another page (see JANUS WEB ON for more information).
On the default home page, a link in the introduction ("configure and manage Janus SSL support") points to a page that describes Janus SSL and which restates much of the document you are now reading. This link and those in the Janus certificate application are also resolved by default JANUS WEB ON rules.
Implementing a server certificate describes how to get an SSL certificate for your site from a certifying authority. If you want to generate an update to the default Janus internal certificate, that is, generate a self-signed certificate that will bear your own site's current information and date, you also use the request form described in "Implementing a server certificate."