+- !, | Black Box 1102

1101 and 1102 Secure Device Servers

Each client will then need its own set of keys uploaded through the same page. Take care to ensure that the correct type of keys (DSA or RSA) go in the correct spots, and that the public and private keys are in the correct spot.

(*"+"- !

SDT Connector can authenticate against a console servers using your SSH key pair, rather than requiring you to enter your password (i.e. public key authentication).

To use public key authentication with SDT Connector, you must first create an RSA or DSA key pair (using ssh-keygen, PuTTYgen or a similar tool) and add the public part of your SSH key pair to the Black Box gateway—as described in the earlier section.

Next, add the private part of your SSH key pair (this file is typically named id_rsa or id_dsa) to SDT Connector client. Click Edit -> Preferences -> Private Keys -> Add, locate the private key file, and click OK. You do not have to add the public part of your SSH key pair, it is calculated using the private key.

SDT Connector will now use public key authentication when SSH connecting through the console server. You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication.

If you have a host behind the console server that you connect to by clicking the SSH button in SDT Connector, you can also configure it for public key authentication. Essentially what you are using is SSH over SSH, and the two SSH connections are entirely separate, and the host configuration is entirely independent of SDT Connector and the console server. You must configure the SSH client that SDT Connector launches (e.g. Putty, OpenSSH) and the host’s SSH server for public key authentication.

(*", !$ %

Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection.

The console server includes OpenSSL. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache- style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions. In the console server, OpenSSL is used primarily in conjunction with ‘http’ to have secure browser access to the GUI management console across insecure networks.

More documentation on OpenSSL is available from:

http://www.openssl.org/docs/apps/openssl.html

http://www.openssl.org/docs/HOWTO/certificates.txt

(*"-

The Management Console can be served using HTTPS by running the webserver via sslwrap. The server can be launched on request using inetd.

The HTTP server provided is a slightly modified version of the fnord-httpdfrom

The SSL implementation is provided by the sslwrap application compiled with OpenSSL support. You can find more detailed documentation at

If your default network address is changed or the unit is to be accessed via a known Domain Name, you can use the following steps to replace the default SSL Certificate and Private Key with ones tailored for your new address.

(*"-"(!!

To create a 1024 bit RSA key with a password, issue the following command on the command line of a linux host with the openssl utility installed:

openssl genrsa -des3 -out ssl_key.pem 1024

(*"-")#

This example shows how to use OpenSSL to create a self-signed certificate. OpenSSL is available for most Linux distributions via the default package management mechanism. (Windows users can check )

154	724-746-5500 blackbox.com

Image 154

Black Box 1102, Secure Device Servers +- !, !$ %,

Contents

1102 Secure Device Servers 1102 Secure Device Servers Normas Oficiales Mexicanas NOM Electrical Safety Statement FCC and IC RFI Statements Trademarks Used in this Manual Table of Contents SMS Alerts Snmp Alerts Local Authentication Tacacs AuthenticationAdd a New Alert 108 106107 110 Pmpower Tool Installing the Key and CertificatePowerMan Tool Fingerprinting Specifications Specifications Manual Organization Overview 2.1 IntroductionTypes of Users Management Console OverviewHardware Description 2.5.1 LES1101A Front Panel Ethernet Connectivity LED Number Component Description DB9 connector2 LES1101A Back Panel RJ-45 Ethernet Activity LED right side of connector Ethernet Activity LED Number Component Description Barrel connector PowerLED left side of connector Ethernet Connectivity LED 3 LES1102A Front Panel 1 LES1101A What’s Included2 LES1102A Power Connection InstallationInstallation Network Connection Non RS-232 Serial Port Pinouts- LES1102A RX+ TX+ +VIN Non RS-232 Serial Port Pinouts- LES1101A+3V TX + Connected PC/Workstation Setup System ConfigurationManagement Console Connection System Configuration Browser connection Administrator Password Network IP Address System Services IPv6 configuration System Services screen Communications Software SDT ConnectorSDT connector SSH encrypted Forwarded to PuTTY SSHTerm Serial Port, Host, Device, and User Configuration Configure Serial Ports Serial Port, Host, Device, and User Configuration Common Settings Console Server Mode Serial Port, Host, Device, and User Configuration 1102 Secure Device Servers SDT Mode Terminal Server Mode Device RPC, UPS, EMD ModeSerial Bridging Mode Syslog Local Ethernet LAN LES1102A COM port Add/ Edit Users Serial Port, Host, Device, and User Configuration Authentication Network Hosts Trusted Networks Serial Port Redirection Managed Devices LES1102A Retail data systems Serial Port, Host, Device, and User Configuration Secure Local Secure SSH Tunneling and SDT ConnectorLES1102A Serial Connected SDT Connector Client Configuration Secure SSH Tunneling and SDT ConnectorConfiguring for SSH Tunneling to Hosts SDT Connector installation 1102 Secure Device Servers Secure SSH Tunneling and SDT Connector Manually Adding Hosts to the SDT Connector Gateway Make an SDT Connection through the Gateway to a Host Manually Adding New Services to the New Hosts 10. Clients 1102 Secure Device Servers Adding a Client Program to be Started for the New Service 16. Telnet client Click OK SDT Connector to Management Console 17. Edit SDT host screen 1102 Secure Device Servers Secure SSH Tunneling and SDT Connector SDT Connector Public Key Authentication Importing and Exporting Preferences Setting up SDT for Remote Desktop Access Configure the Remote Desktop Connection Client 23. Remote Desktop Users dialog box Computer, enter the appropriate IP Address and Port Number Use -p to receive password promptGeometry width x height or 70% screen percentage SDT SSH Tunnel for VNC For Linux servers and clients Install, Configure, and Connect the VNC Viewer 30. VNC authentication 1102 Secure Device Servers 33. Incoming TCP/IP properties Set up SDT Serial Ports on Console Server SSH Tunneling Using other SSH Clients for example, PuTTY Address of port01. Then select the RDP Service check box 1102 Secure Device Servers Secure SSH Tunneling and SDT Connector 1102 Secure Device Servers Alerts and Logging Configure SMTP/SMS/SNMP/Nagios Alert ServiceAlerts and Logging Email Alerts Snmp Alerts SMS AlertsSelect Alerts & Logging Snmp Nagios Alerts Activate Alert Events and Notifications Configuring General Alert Types Add a New Alert Serial port signal alert Configuring Power Alert Type This alert type monitors UPSes, RPCs, and power devices Serial Port Logging Remote Log StorageNetwork TCP or UDP Port Logging 1102 Secure Device Servers Remote Power Control RPC Power ManagementPower Management RPC Connection 1102 Secure Device Servers RPC Access Privileges and Alerts User Power Management RPC Status Uninterruptible Power Supply Control UPSTurn on Turn OFF Cycle Status Managed UPS Connections Serial, USB, or Network Connections Managed As Device Type UPS and clicking Apply Click Add Managed UPS Power Management Remote UPS Management UPS Alerts Controlling UPS Powered ComputersUPS Status Overview of Network UPS Tools NUT 12. Log table Refer to 1102 Secure Device Servers Local Authentication AuthenticationAuthentication Configuration Tacacs Authentication Radius Authentication Enter the Server Password Ldap Authentication RADIUS/TACACS User Configuration Pamldap PAM Pluggable Authentication ModulesPamtacplus Radius Example SSL Certificate SSL certificates screen Common name Challenge PasswordConfirm Challenge Password Organizational Unit Upload button Nagios Integration LES1102A Network Managed hosts ServicesNagios Overview Nagios Integration Central Management and Setting Up SDT for NagiosDistributed console servers Black Box console servers Setup Central Nagios Server Setup Distributed Console Servers Description enter Administrator connection Enable Nagios on the Console Server Configuring Nagios Distributed MonitoringSelect Users & Groups from the Serial & Network menu LES1102A Serial Check Nagios Enable Nrpe MonitoringEnable Nsca Monitoring Tunneled SSH LES1102A Sendncsa Program/script Nagios Configure Selected Network Hosts for Nagios Monitoring Configure Selected Serial Ports for Nagios MonitoringConfigure the Upstream Nagios Monitoring Host Define service Commandname checknrpedaemon CommandlineCommandname checkserialstatus Commandline Hostname Server Use Generic-service Activechecksenabled Passivechecksenabled Define service Servicedescription port-log-serverServer Use Generic-service Checkportlog Basic Nagios Plug-Ins Number of Supported Devices Using Nagios in a local office Remote site Distributed Monitoring Usage Scenarios Remote site with restrictive firewall System Administration and Reset System Management Upgrade Firmware System Management Configure Date and Time Configuration Backup 109 Status Reports Port Access and Active UsersSelect the Status Port Access Statistics Status Reports Support Reports Dashboard Select Status Syslog Configuring the Dashboard Configure dashboard screen Creating Custom Widgets for the Dashboard Echo table Device Management ManagementManagement Port and Host Logs Serial Port Terminal Connection Select Manage Terminal Select Manage Power Configuration from the Command Line Accessing config from the Command Line # config -g config.users.user1.description Configuration from the Command LineConfig tool # config -g config Serial Port Configuration Device Mode SDT mode Syslog settings Terminal server modeSerial bridge mode Adding and Removing Users # ./delete-node config.users.user2 # config -r users Adding and Removing User Groups # config -g config.groups.total# config -a # rmuser Group7 # config -g config.sdt.hosts.total List of remote authentiction and authorization servers# config -r auth # config -s config.sdt.hosts.total=4 # config -hosts Log level for services# config -g config.devices.total # config -g config.portaccess.total Cascaded Ports # config -s config.cascade.slaves.total=1# config -r cascade UPS Connections RPC Connections # config -s config.ups.monitors.total=1# config -d config.ups.monitors.monitor1 Remote UPSes Port Log # config -d config.devices.device8To configure serial/network port logging To delete the above managed device Alerts General settings for all alertsSignal Alert Connection Alert # config -r alerts UPS Power Status AlertPower Sensor Alert Smtp and SMS IP Settings AdministrationSnmp Date and Time Settings # config -r time ServicesDhcp Server To configure Nrpe with following settings Nrpe port Enable SDT for Nagios ext Enabled SDT gateway addressPrefer Nrpe over Nsca Disabled defaults to Disabled Nagios ! Advanced ConfigurationBin/sh /etc/scripts/alert-email $suffix # ./delete-node config.users.user3 NEWTOTAL=$ $TOTAL Echo Warning $TOTALNODE greater than number of items Add the following line to rc.local # loop indefinitely While true do Usage /etc/scripts/backup-usb Command File # configEtc/config/scripts/config-post # /etc/scripts/backup-usb check-magic Etc/config/pmshell-start.sh #!/bin/sh PORT=$1 USER=$2 To set the Manager Address field Config --set config.system.snmp.address2=w.x.y.zConfig --set config.system.snmp.trapport2=162 To set the Community field Snmp version 1 and 2c only $&$ $& ! $&% ! #$ Chown fred /etc/config/users/fred/.ssh/authorizedkeys#$! $ mkdir keys $ ssh-keygen -t rsa Http//openssh.org/portable.html Http//www openbsd.org/cgi-bin/man.cgi?query=sshd ! OpenSSH Windows http//sshwindows.sourceforge.net/download Ab7e33bd85505a430be0bd433f1ca5f8 # ssh remhost Offending key in /.ssh/knownhosts1 Client Keys Authorized Keys Uploading Keys +- ! !$ % !! #% #$! #$ #% Target Specification Powerstrip Powerstrip IdName or ID of the device support/id Targetaddress PpasswordPport Username #%& # Add a group or add an user to a group Add an user Appendix a Linux Commands and Source CodeAppendix A. Linux Commands and Source Code GNU Bourne-Again Shell Ip6tables LoginReboot Iptables-save Smbmnt VconfigSleep Smbmount 164