IBM Partner Pavilion 2.3 specs

Configuring explicit-trust authentication with an XPU server

You can configure the authentication between an Enterprise Scanner agent and a SiteProtector X-Press Update Server (XPU Server) to use either trust-all or explicit-trust authentication.

Before you begin

To use explicit-trust authentication with an XPU Server, follow these steps:

vCopy the certificate file from the XPU Server to the agent as described in the procedure later in this section.

vSpecify the fully qualified path of the certificate file in the CA Certificate box when you configure the XPU Server.

About this task

The default trust level in the Proventia Manager is trust-all. In the SiteProtector Console, the default trust level is left blank. The following table describes the advantages and disadvantages of using each authentication method:

Table 45. Advantages and disadvantages of each authentication method

Authentication method	Advantages and Disadvantages

Trust-all	Requires no additional set up, but it is less
	secure than explicit-trust authentication

Explicit-trust	More secure than trust-all authentication;
	but to use it, you must copy the certificate
	file from the alternate XPU Server to the
	agent.

Procedure

1.Locate the following certificate file on the SiteProtector X-Press Update Server: server-rsa.crt The default location of this file for a stand-alone installation of the SiteProtector X-Press Update server is the following path: C:\Program Files\ISS\SiteProtector\X-Press Update Server\webserver\Apache2\conf\ ssl.crt\server-rsa.crt

2.Use a secure copy tool, such as SSH or Windows Secure Copy, to copy the server-rsa.crt certificate file, and then paste it in the following directory on the agent: /var/spool/leafcerts/server-rsa.crt

3.Rename the certificate file using the following format: IPaddress_port.pem

Note: The port number for the X-Press Update Server is 3994. Enterprise Scanner recognizes the update server by the IP address.

150Enterprise Scanner: User Guide

Image 158

IBM Partner Pavilion 2.3 manual Configuring explicit-trust authentication with an XPU server

Contents

User Guide Version Copyright statement Trademarks and Disclaimer Iv Enterprise Scanner User Guide Contents Part 3. Maintenance Part 4. Appendixes 163 Topics About this bookAudience Related publications Technical support contacts Part 1. Scanning from the Proventia Manager Chapters Enterprise Scanner User Guide Ad hoc scanning in the Proventia Manager Section a Network configurationSection B Policy configuration Procedure Section a Network configurationConfiguring the management network interface About this task Maximum IPs per discovery subtask Configuring the scanning network interfaceOption Description Interface Maximum assets per assessment subtask Configuring scanning interface DNS settings Option Description Perspective Configuring routes for perspectiveAssigning perspective to a scanning interface Destination Network Before you begin Section B Policy configurationDefining assets for a discovery scan Option Metric Description Click Clear Groupings Displaying assessment checks by groupsIf you want to Then Clear groupings Create groupings interactively Displaying information about assessment checks Selecting assessment checks with filters Discover and report UDP services Click the Common Settings tabOption Description Discover and report TCP services Option Description Ports to scan with generic TCP checks Option Description Dynamically determine OS if previously DefaultOption Description Ports to scan with generic UDP checks Obtained information is older than Access domain controllers to verify access Option Description Verify account access level before usingLocal group membership to verify access Access level Temporary lockout allowed Enterprise Lockout Allowed is enabled. WhenOption Description Allowed account lockout Maximum Allowable Lockout Duration Defining assessment credentials for a policy Domain/Host Option Description Account Type SSH LocalAccount Type SSH Domain Account Level Defining the service names associated with TCP and UDP ports Exclude assets Defining ports or assets to exclude from a scanIf you want to Then Exclude ports Excluded Hosts box Scan policy Required Interpreting scan results in the Proventia Manager Running an ad hoc scan Monitoring the status of a scan Action Icon Description Click View/Manage Log Files Viewing the results of an ad hoc scanExporting scan results from Proventia Manager Purging scan data from the database Field Description Enterprise Scanner User Guide Part 2. Scanning from the SiteProtector Console Enterprise Scanner User Guide Enterprise Scanner policies Policy inheritance with Enterprise Scanner policies Inheritance indicatorsInitially blank or unconfigured? General inheritance behavior Enterprise Scanner policies About this task Viewing asset or agent policies for Enterprise Scanner Select Network Enterprise Scanner from the Agent Type list Important Do not click Open Agent policy descriptions for Enterprise Scanner Contents of an agent policyAgent policies for Enterprise Scanner Policy inheritance with agent policies Network Locations policy Configuring routes for perspective Assigning perspective to a scanning interface Click the Event Notification tab Event notification settings for Enterprise ScannerNotification policy Click the Advanced Parameters tab Access policyConfiguring advanced parameters for event notification Account Purpose Configuring the management network interface Networking policy Configuring the scanning network interface Configuring scanning interface DNS settings Services policy If you want to Then Change the date and time for the agent Enable the network time protocol NTPTime policy Network Time Protocol section Asset policy descriptions for Enterprise Scanner Update Settings policyAsset policies for Enterprise Scanner Scope Policy contentsDiscovery policy Defining assets to discover Before you begin Assessment policy Displaying information about assessment checks Displaying assessment checks by groups Selecting assessment checks with filters Configuring common assessment settings Option Description Dynamically determine OS if SiteProtector Information is older than Try to confirm the access level Option Description Allowed account lockout Assessment Credentials policy Defining assessment credentials for a policy Option Description Account Type Windows Scan Control policy Cycle duration Option Description Job nameCycle start date Current cycle start date Scan Window policy Important consideration for multiple agents Defining when scanning is allowed Scan Exclusion policy Defining ports or assets to exclude from a scan Service definition Network Services policyDefault settings Policy inheritance Configuring a Network Services policy Running an ad hoc discovery scan with Enterprise Scanner Configuration optionsAd Hoc Scan Control policy Running an ad hoc assessment scan with Enterprise Scanner Click the Debug Settings tab Click Generate Support Data File Understanding scanning processes in SiteProtector What is perspective? Placing agents in the correct perspective Policy How to use Applies toDefining perspectives Perspectives in policies Network locations and perspectives Assets with unassigned criticality Scan jobs and related termsDefinitions Term Description Importance of tasks and subtasks Types of tasksScheduled and running scans Common management tasks Criticality and assessment tasks Priorities for running tasksTasks per type of scan Scan type Number of tasks Dynamic prioritization Stages of a scanning processTask prioritization Type of scan Reason for prioritization Process for a scanning cycle Stage Description Discovery cycle duration Size of scan windowsCalibration considerations Assessment cycle duration Achieving the right balance Enterprise Scanner User Guide Background scanning in SiteProtector Determining when background scans run Changing assessment and discovery policies How policies apply to ad hoc and background scansAsset policies and ad hoc scans Type of scan Description Scan Control policy Scan window and refresh cycle examples Checklist for background assessment scanning Background scanning checklists for Enterprise ScannerChecklist for background discovery scanning Enabling background scanning Defining when scanning is allowed Option Description Next cycle start date Procedure Type a series of individual IP addresses, a Defining network services Defining assessment credentials for a policy Option Description Account Type SSH Local Monitoring scans in SiteProtector Viewing your scan jobs Viewing discovery job results This part of the description Describes Finished Assessment Viewing assessment job resultsAssessment subtask explanation On ScanGroupName for hosts with Enterprise Scanner User Guide Managing scans in SiteProtector Impact of stopping scan jobs Command ImpactStopping and restarting scan jobs Impact of restarting scan jobs Suspending and enabling all background scans Steps to initiate a scan Registration and authenticationMinimum scanning requirements Type of scan Steps to initiate Inheritance Troubleshooting scanning behaviors for ad hoc scansScanning behaviors for ad hoc scans Priority Expected scanning behaviors for background scans Managing scans in SiteProtector Enterprise Scanner User Guide Interpreting scan results in SiteProtector Sources of Osid OS identification Osid certaintyWhat determines certainty? Certainty of Osid sources Exception How Osid is updated in Enterprise ScannerConditions for reassessing Osid Rules for updating Osid Vulnerability management options Setting up a Summary view for vulnerability managementSummary page for vulnerability management Portal Description Portal Description Creating custom views Viewing vulnerabilities by asset in Enterprise ScannerAbout vulnerability assessment Benefits Field descriptions Field Description Viewing vulnerabilities by detail in Enterprise Scanner Field Description Viewing vulnerabilities by object in Enterprise Scanner Field Vulnerability view by vulnerability name Field Description Report descriptions Running reports in the SiteProtector ConsoleTypes of assessment reports Report Description Report Description Procedure Enterprise Scanner User Guide Logs and alerts Two types of information Log files and alert notificationTwo types of log files Log size System logs System log descriptions Log descriptions Getting log status informationEnterprise Scanner ES logs Statistic Description Changing logging detail Delete a log file Click View/Manage Log Files Downloading Enterprise Scanner ES log filesDownload Delete Event information icons Alerts logRisk level icons Icon Description File Description Downloading and saving an Alerts logClick Generate new log file from Alerts Click Clear current Alerts from event log Clearing the Alerts logFinding specific events in the Alerts log Enterprise Scanner User Guide Search by Alert Id# box If you want to Then Search the Alert log file by Alert IDNumber Enterprise Scanner User Guide Ticketing and remediation Vulnerability auto ticketing Ticketing and Enterprise ScannerTickets Custom categories Remediation process overview for Enterprise Scanner Scanning recommendations Remediation tasks for Enterprise Scanner Task overview Option Tab Description Task 6 Close the ticket Part 3. Maintenance Enterprise Scanner User Guide Performing routine maintenance Shutting down your Enterprise Scanner Removing an agent from SiteProtector Date of last system backup Types of backupsIf you restore a system before you make backups Options for backing up Enterprise Scanner Backing up configuration settings Making full system backups Click the Full Backup tab Choose an option Updating Enterprise Scanner Type of update Content Types of updatesUpdate locations Update location Description Rollbacks and backups Update optionsInstallation options with scheduled updates Updating options Configuring explicit-trust authentication with an XPU server Authentication method Advantages and Disadvantages Option Description Host or IP Configuring an Alternate Update locationSelect the Use Alternate Update Server check box Name Option Description Trust Level CA Certificate Select Enable Proxy Configuring an Http ProxyConfiguring notification options for XPUs Click the Update Settings tab Scheduling a one-time firmware updateConfiguring automatic updates Option Description Check for updates daily or weekly Automatically Install Updates Option Description Check for updates at given intervalsOption Description Do Not Install Delayed Manually installing updates Viewing the status of the Enterprise Scanner agent Network interface status Proventia Manager HomeSystem status Model Header Updates statusProtection status Viewing agent status in the SiteProtector Console Viewing agent status Viewing the status of the CAM modules Troubleshooting the Enterprise Scanner sensorModule or process Description Troubleshooting option Module or process Description Troubleshooting option Part 4. Appendixes Enterprise Scanner User Guide 165 Enterprise Scanner User Guide Product handling information Product safety labels World trade safety information Product recycling and disposal Laser safety informationLaser compliance Battery return program For Taiwan For the European Union Federal Communications Commission FCC Statement Electronic emissions noticesFor California EC Declaration of Conformity In German Canadian Department of Communications Compliance StatementEuropean Union EU Electromagnetic Compatibility Directive People’s Republic of China Class a Compliance Statement Japan Class a Compliance Statement Korean Class a Compliance Statement Enterprise Scanner User Guide Index 177 Reassessing 105 Rules Sources Scan job